Merge branch 'pr-55320'

* pr-55320:
  nixos/release-notes: mention breaking changes with matrix-synapse update
  nixos/matrix-synapse: reload service with SIGHUP
  nixos/tests/matrix-synapse: generate ca and certificates
  nixos/matrix-synapse: use python to launch synapse
  pythonPackages.pymacaroons-pynacl: remove unmaintained fork
  matrix-synapse: 0.34.1.1 -> 0.99.0
  pythonPackages.pymacaroons: init at 0.13.0

nixos/doc/manual/release-notes/rl-1903.xml

@@ -378,6 +378,15 @@
     (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
    </para>
   </listitem>
+  <listitem>
+   <para>
+    <literal>matrix-synapse</literal> has been updated to version 0.99. It will
+    <link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no longer generate a self-signed certificate on first launch</link>
+    and will be <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the last version to accept self-signed certificates</link>.
+    As such, it is now recommended to use a proper certificate verified by a
+    root CA (for example Let's Encrypt).
+   </para>
+  </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/services/misc/matrix-synapse.nix

@@ -651,12 +651,16 @@ in {
 
     services.postgresql.enable = mkIf usePostgresql (mkDefault true);
 
-    systemd.services.matrix-synapse = {
+    systemd.services.matrix-synapse =
+    let
+      python = (pkgs.python3.withPackages (ps: with ps; [ (ps.toPythonModule cfg.package) ]));
+    in
+    {
       description = "Synapse Matrix homeserver";
       after = [ "network.target" "postgresql.service" ];
       wantedBy = [ "multi-user.target" ];
       preStart = ''
-        ${cfg.package}/bin/homeserver \
+        ${python.interpreter} -m synapse.app.homeserver \
           --config-path ${configFile} \
           --keys-directory ${cfg.dataDir} \
           --generate-keys
@@ -687,10 +691,11 @@ in {
         WorkingDirectory = cfg.dataDir;
         PermissionsStartOnly = true;
         ExecStart = ''
-          ${cfg.package}/bin/homeserver \
+          ${python.interpreter} -m synapse.app.homeserver \
             ${ concatMapStringsSep "\n  " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
             --keys-directory ${cfg.dataDir}
         '';
+        ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
         Restart = "on-failure";
       };
     };

nixos/tests/matrix-synapse.nix

@@ -1,4 +1,32 @@
-import ./make-test.nix ({ pkgs, ... } : {
+import ./make-test.nix ({ pkgs, ... } : let
+
+
+  runWithOpenSSL = file: cmd: pkgs.runCommand file {
+    buildInputs = [ pkgs.openssl ];
+  } cmd;
+
+
+  ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048";
+  ca_pem = runWithOpenSSL "ca.pem" ''
+    openssl req \
+      -x509 -new -nodes -key ${ca_key} \
+      -days 10000 -out $out -subj "/CN=snakeoil-ca"
+  '';
+  key = runWithOpenSSL "matrix_key.pem" "openssl genrsa -out $out 2048";
+  csr = runWithOpenSSL "matrix.csr" ''
+    openssl req \
+       -new -key ${key} \
+       -out $out -subj "/CN=localhost" \
+  '';
+  cert = runWithOpenSSL "matrix_cert.pem" ''
+    openssl x509 \
+      -req -in ${csr} \
+      -CA ${ca_pem} -CAkey ${ca_key} \
+      -CAcreateserial -out $out \
+      -days 365
+  '';
+
+in {
 
   name = "matrix-synapse";
   meta = with pkgs.stdenv.lib.maintainers; {
@@ -8,23 +36,31 @@ import ./make-test.nix ({ pkgs, ... } : {
   nodes = {
     # Since 0.33.0, matrix-synapse doesn't allow underscores in server names
     serverpostgres = args: {
-      services.matrix-synapse.enable = true;
-      services.matrix-synapse.database_type = "psycopg2";
+      services.matrix-synapse = {
+        enable = true;
+        database_type = "psycopg2";
+        tls_certificate_path = "${cert}";
+        tls_private_key_path = "${key}";
+      };
     };
 
     serversqlite = args: {
-      services.matrix-synapse.enable = true;
-      services.matrix-synapse.database_type = "sqlite3";
+      services.matrix-synapse = {
+        enable = true;
+        database_type = "sqlite3";
+        tls_certificate_path = "${cert}";
+        tls_private_key_path = "${key}";
+      };
     };
   };
 
   testScript = ''
     startAll;
     $serverpostgres->waitForUnit("matrix-synapse.service");
-    $serverpostgres->waitUntilSucceeds("curl -Lk https://localhost:8448/");
+    $serverpostgres->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/");
     $serverpostgres->requireActiveUnit("postgresql.service");
     $serversqlite->waitForUnit("matrix-synapse.service");
-    $serversqlite->waitUntilSucceeds("curl -Lk https://localhost:8448/");
+    $serversqlite->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/");
     $serversqlite->mustSucceed("[ -e /var/lib/matrix-synapse/homeserver.db ]");
   '';
 

pkgs/development/python-modules/pymacaroons-pynacl/default.nix

@@ -1,24 +0,0 @@
-{ lib, buildPythonPackage, fetchFromGitHub, pynacl, six }:
-
-buildPythonPackage rec {
-  pname = "pymacaroons-pynacl";
-  version = "0.9.3";
-
-  src = fetchFromGitHub {
-    owner = "matrix-org";
-    repo = "pymacaroons";
-    rev = "v${version}";
-    sha256 = "0bykjk01zdndp6gjr30x46blsn0cvxa7j0zh5g8raxwaawchjhii";
-  };
-
-  propagatedBuildInputs = [ pynacl six ];
-
-  # Tests require an old version of hypothesis
-  doCheck = false;
-
-  meta = with lib; {
-    description = "Macaroon library for Python";
-    homepage = https://github.com/matrix-org/pymacaroons;
-    license = licenses.mit;
-  };
-}

pkgs/development/python-modules/pymacaroons/default.nix

@@ -0,0 +1,25 @@
+{ lib, buildPythonPackage, fetchPypi, six, pynacl }:
+
+buildPythonPackage rec {
+  pname = "pymacaroons";
+  version = "0.13.0";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "1e6bba42a5f66c245adf38a5a4006a99dcc06a0703786ea636098667d42903b8";
+  };
+
+  propagatedBuildInputs = [
+    six
+    pynacl
+  ];
+
+  # Tests require an old version of hypothesis
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Macaroon library for Python";
+    homepage = https://github.com/ecordell/pymacaroons;
+    license = licenses.mit;
+  };
+}

pkgs/servers/matrix-synapse/default.nix

@@ -23,29 +23,24 @@ let
 
 in buildPythonApplication rec {
   pname = "matrix-synapse";
-  version = "0.34.1.1";
+  version = "0.99.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "13jmbcabll3gk0b6yqwfwpc7aymqhpv6iririzskhm4pgbjcp3yk";
+    sha256 = "1xsp60172zvgyjgpjmzz90rj1din8d65ffg73nzid4nd875p45kh";
   };
 
-  patches = [
-    ./matrix-synapse.patch
-  ];
-
   propagatedBuildInputs = [
     bcrypt
     bleach
     canonicaljson
     daemonize
-    dateutil
     frozendict
     jinja2
     jsonschema
     lxml
     matrix-synapse-ldap3
-    msgpack-python
+    msgpack
     netaddr
     phonenumbers
     pillow
@@ -59,8 +54,7 @@ in buildPythonApplication rec {
     psutil
     psycopg2
     pyasn1
-    pydenticon
-    pymacaroons-pynacl
+    pymacaroons
     pynacl
     pyopenssl
     pysaml2

pkgs/servers/matrix-synapse/matrix-synapse.patch

@@ -1,20 +0,0 @@
-diff --git a/homeserver b/homeserver
-new file mode 120000
-index 0000000..2f1d413
---- /dev/null
-+++ b/homeserver
-@@ -0,0 +1,1 @@
-+synapse/app/homeserver.py
-\ No newline at end of file
-diff --git a/setup.py b/setup.py
-index b00c2af..c7f6e0a 100755
---- a/setup.py
-+++ b/setup.py
-@@ -92,6 +92,6 @@ setup(
-     include_package_data=True,
-     zip_safe=False,
-     long_description=long_description,
--    scripts=["synctl"] + glob.glob("scripts/*"),
-+    scripts=["synctl", "homeserver"] + glob.glob("scripts/*"),
-     cmdclass={'test': TestCommand},
- )

pkgs/top-level/python-packages.nix

@@ -4742,7 +4742,7 @@ in {
 
   pygccxml = callPackage ../development/python-modules/pygccxml {};
 
-  pymacaroons-pynacl = callPackage ../development/python-modules/pymacaroons-pynacl { };
+  pymacaroons = callPackage ../development/python-modules/pymacaroons { };
 
   pynacl = callPackage ../development/python-modules/pynacl { };