mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-11 20:25:32 +03:00
4f0dadbf38
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
248 lines
8 KiB
Nix
248 lines
8 KiB
Nix
import ../make-test-python.nix (
|
|
{ pkgs, ... }:
|
|
let
|
|
|
|
ca_key = mailerCerts.ca.key;
|
|
ca_pem = mailerCerts.ca.cert;
|
|
|
|
bundle =
|
|
pkgs.runCommand "bundle"
|
|
{
|
|
nativeBuildInputs = [ pkgs.minica ];
|
|
}
|
|
''
|
|
minica -ca-cert ${ca_pem} -ca-key ${ca_key} \
|
|
-domains localhost
|
|
install -Dm444 -t $out localhost/{key,cert}.pem
|
|
'';
|
|
|
|
mailerCerts = import ../common/acme/server/snakeoil-certs.nix;
|
|
mailerDomain = mailerCerts.domain;
|
|
registrationSharedSecret = "unsecure123";
|
|
testUser = "alice";
|
|
testPassword = "alicealice";
|
|
testEmail = "alice@example.com";
|
|
|
|
listeners = [
|
|
{
|
|
port = 8448;
|
|
bind_addresses = [
|
|
"127.0.0.1"
|
|
"::1"
|
|
];
|
|
type = "http";
|
|
tls = true;
|
|
x_forwarded = false;
|
|
resources = [
|
|
{
|
|
names = [
|
|
"client"
|
|
];
|
|
compress = true;
|
|
}
|
|
{
|
|
names = [
|
|
"federation"
|
|
];
|
|
compress = false;
|
|
}
|
|
];
|
|
}
|
|
];
|
|
|
|
in
|
|
{
|
|
|
|
name = "matrix-synapse";
|
|
meta = with pkgs.lib; {
|
|
maintainers = teams.matrix.members;
|
|
};
|
|
|
|
nodes = {
|
|
# Since 0.33.0, matrix-synapse doesn't allow underscores in server names
|
|
serverpostgres =
|
|
{
|
|
pkgs,
|
|
nodes,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
mailserverIP = nodes.mailserver.config.networking.primaryIPAddress;
|
|
in
|
|
{
|
|
services.matrix-synapse = {
|
|
enable = true;
|
|
settings = {
|
|
inherit listeners;
|
|
database = {
|
|
name = "psycopg2";
|
|
args.password = "synapse";
|
|
};
|
|
redis = {
|
|
enabled = true;
|
|
host = "localhost";
|
|
port = config.services.redis.servers.matrix-synapse.port;
|
|
};
|
|
tls_certificate_path = "${bundle}/cert.pem";
|
|
tls_private_key_path = "${bundle}/key.pem";
|
|
registration_shared_secret = registrationSharedSecret;
|
|
public_baseurl = "https://example.com";
|
|
email = {
|
|
smtp_host = mailerDomain;
|
|
smtp_port = 25;
|
|
require_transport_security = true;
|
|
notif_from = "matrix <matrix@${mailerDomain}>";
|
|
app_name = "Matrix";
|
|
};
|
|
};
|
|
};
|
|
services.postgresql = {
|
|
enable = true;
|
|
|
|
# The database name and user are configured by the following options:
|
|
# - services.matrix-synapse.database_name
|
|
# - services.matrix-synapse.database_user
|
|
#
|
|
# The values used here represent the default values of the module.
|
|
initialScript = pkgs.writeText "synapse-init.sql" ''
|
|
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
|
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
|
TEMPLATE template0
|
|
LC_COLLATE = "C"
|
|
LC_CTYPE = "C";
|
|
'';
|
|
};
|
|
|
|
services.redis.servers.matrix-synapse = {
|
|
enable = true;
|
|
port = 6380;
|
|
};
|
|
|
|
networking.extraHosts = ''
|
|
${mailserverIP} ${mailerDomain}
|
|
'';
|
|
|
|
security.pki.certificateFiles = [
|
|
mailerCerts.ca.cert
|
|
ca_pem
|
|
];
|
|
|
|
environment.systemPackages =
|
|
let
|
|
sendTestMailStarttls = pkgs.writeScriptBin "send-testmail-starttls" ''
|
|
#!${pkgs.python3.interpreter}
|
|
import smtplib
|
|
import ssl
|
|
|
|
ctx = ssl.create_default_context()
|
|
|
|
with smtplib.SMTP('${mailerDomain}') as smtp:
|
|
smtp.ehlo()
|
|
smtp.starttls(context=ctx)
|
|
smtp.ehlo()
|
|
smtp.sendmail('matrix@${mailerDomain}', '${testEmail}', 'Subject: Test STARTTLS\n\nTest data.')
|
|
smtp.quit()
|
|
'';
|
|
|
|
obtainTokenAndRegisterEmail =
|
|
let
|
|
# adding the email through the API is quite complicated as it involves more than one step and some
|
|
# client-side calculation
|
|
insertEmailForAlice = pkgs.writeText "alice-email.sql" ''
|
|
INSERT INTO user_threepids (user_id, medium, address, validated_at, added_at) VALUES ('${testUser}@serverpostgres', 'email', '${testEmail}', '1629149927271', '1629149927270');
|
|
'';
|
|
in
|
|
pkgs.writeScriptBin "obtain-token-and-register-email" ''
|
|
#!${pkgs.runtimeShell}
|
|
set -o errexit
|
|
set -o pipefail
|
|
set -o nounset
|
|
su postgres -c "psql -d matrix-synapse -f ${insertEmailForAlice}"
|
|
curl --fail -XPOST 'https://localhost:8448/_matrix/client/r0/account/password/email/requestToken' -d '{"email":"${testEmail}","client_secret":"foobar","send_attempt":1}' -v
|
|
'';
|
|
in
|
|
[
|
|
sendTestMailStarttls
|
|
pkgs.matrix-synapse
|
|
obtainTokenAndRegisterEmail
|
|
];
|
|
};
|
|
|
|
# test mail delivery
|
|
mailserver =
|
|
args:
|
|
let
|
|
in
|
|
{
|
|
security.pki.certificateFiles = [
|
|
mailerCerts.ca.cert
|
|
];
|
|
|
|
networking.firewall.enable = false;
|
|
|
|
services.postfix = {
|
|
enable = true;
|
|
hostname = "${mailerDomain}";
|
|
# open relay for subnet
|
|
networksStyle = "subnet";
|
|
enableSubmission = true;
|
|
tlsTrustedAuthorities = "${mailerCerts.ca.cert}";
|
|
sslCert = "${mailerCerts.${mailerDomain}.cert}";
|
|
sslKey = "${mailerCerts.${mailerDomain}.key}";
|
|
|
|
# blackhole transport
|
|
transport = "example.com discard:silently";
|
|
|
|
config = {
|
|
debug_peer_level = "10";
|
|
smtpd_relay_restrictions = [
|
|
"permit_mynetworks"
|
|
"reject_unauth_destination"
|
|
];
|
|
|
|
# disable obsolete protocols, something old versions of twisted are still using
|
|
smtpd_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
|
smtp_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
|
smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
|
smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
|
};
|
|
};
|
|
};
|
|
|
|
serversqlite = args: {
|
|
services.matrix-synapse = {
|
|
enable = true;
|
|
settings = {
|
|
inherit listeners;
|
|
database.name = "sqlite3";
|
|
tls_certificate_path = "${bundle}/cert.pem";
|
|
tls_private_key_path = "${bundle}/key.pem";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
start_all()
|
|
mailserver.wait_for_unit("postfix.service")
|
|
serverpostgres.succeed("send-testmail-starttls")
|
|
serverpostgres.wait_for_unit("matrix-synapse.service")
|
|
serverpostgres.wait_until_succeeds(
|
|
"curl --fail -L --cacert ${ca_pem} https://localhost:8448/"
|
|
)
|
|
serverpostgres.wait_until_succeeds(
|
|
"journalctl -u matrix-synapse.service | grep -q 'Connected to redis'"
|
|
)
|
|
serverpostgres.require_unit_state("postgresql.service")
|
|
serverpostgres.succeed("REQUESTS_CA_BUNDLE=${ca_pem} register_new_matrix_user -u ${testUser} -p ${testPassword} -a -k ${registrationSharedSecret} https://localhost:8448/")
|
|
serverpostgres.succeed("obtain-token-and-register-email")
|
|
serversqlite.wait_for_unit("matrix-synapse.service")
|
|
serversqlite.wait_until_succeeds(
|
|
"curl --fail -L --cacert ${ca_pem} https://localhost:8448/"
|
|
)
|
|
serversqlite.succeed("[ -e /var/lib/matrix-synapse/homeserver.db ]")
|
|
'';
|
|
|
|
}
|
|
)
|