Any details what is wrong with the tests at the moment?

@Mic92 it seems /bin/homeserver no longer exists and python -m synapse.app.homeserver is used instead

@nyanloutre ok. so our nixos service also needs to be adapted.
I mark this as WIP.

I had to rewrote the test a bit because synapse will not generate self signed certificates anymore.
I did something similar to the etcd-cluster test where a CA and a rsa key are generated.

EDIT: the "removing the certificate generation from prestart" was a mistake, it is still generating useful keys

@Mic92 my PR should be ready to merge, what do you think ?

While we are at updating the NixOS service, as synapse will require a valid certificate soon, might be a good idea to add the new certificate reloading via SIGHUP as ExecReload for the service for easy use with letsencrypt.

I think this needs to be backported to stable. They announcde that they are going to break downwards compatiblity in one month. That's too soon to wait for nixos-19.03

Oh, and…

@GrahamcOfBorg build matrix-synapse nixosTests.matrix-synapse

What about backporting it to a new package? Then users would have a choice of having the pain now or just waiting for 19.03.

What about backporting it to a new package? Then users would have a choice of having the pain now or just waiting for 19.03.

What's the advantage over simply using the package from the unstable channel on a stable system?

@7c6f434c for automatic ACME to work it needs an optional library that is not yet packaged in nixpkgs

Note that 0.99 and 1.0 can still talk to 0.34.1 if 0.34.1 is equipped with a valid certificate, so while manual intervention is always required, the backport is not actually necessary to stay compatible, as you can use the usual nixos machinery for getting certificates.

This is roughly what I use with 0.34.1 to stay compatible with 0.99 and 1.0, without actually needing to update to 0.99 yet. While I'll personally updated to 0.99 by using the unstable package & module, this code is the same what you will need to do for 0.99 anyway, if you don't plan to use the integrated ACME support or want to use a tls terminating reverse proxy for port 8448.

services.matrix-synapse = {
    …
    tls_private_key_path = "${config.security.acme.directory}/${config.networking.hostName}.${config.networking.domain}/key.pem";                                                    
    tls_certificate_path = "${config.security.acme.directory}/${config.networking.hostName}.${config.networking.domain}/fullchain.pem";
};

# group used for permission to get and use the fqdn certificate (in contrast to subdomains of this host)
users.groups.domaincertificate = {};
users.users."matrix-synapse".extraGroups = [ "domaincertificate" ];
users.users."nginx".extraGroups = [ "domaincertificate" ];

services.nginx = {
  enable = true;
  virtualHosts = {
    "${config.networking.hostName}.${config.networking.domain}" = {
      default = true;
      enableACME = true;
  };
};
security.acme.certs."${config.networking.hostName}.${config.networking.domain}" = {
    group = "domaincertificate";
    allowKeysForGroup = true;
    # TODO: use reload: https://github.com/NixOS/nixpkgs/pull/55320#issuecomment-461056137
    postRun = "systemctl restart matrix-synapse.service";
};

EDIT: My current proposal is now at #57699

@florianjacob Could you consider submitting this code as a PR to the NixOS manual? It sounds like it'd be pretty useful for people :)

@nyanloutre Upon second review I think this is missing release notes (nixos/doc/manual/release-notes/rl-1903.xml). Could you consider adding a line there pointing to the need for a non-self-signed certificate? Then @florianjacob's PR, if he feels like it, would be able to add a link to this line pointing to the NixOS manual section for how to actually do it.

@Ekleog done

@nyanloutre Thank you! Merged :)

@pstn Backporting to a separate package sounds against the spirit of release-18.09 to me, especially as there is no actual need to upgrade to keep federation working. However, feel free to add the updated package to your NUR for others to be able to use, if you really want to stay on 18.09 but upgrade without taking the package from unstable :)

@florianjacob If you decide to send your configuration excerpt as a PR to the manual and add a link to it from the release notes, feel free to ping me. :)

@florianjacob You might be interested in the systemctl reload-or-restart action, which just does the right thing here.

I've attempted running this on NixOS 18.09 by importing the module and package from the unstable channel.

The service refuses to start with the following error due to a Python version mismatch (probably in a similar way as in matrix-org/synapse#4431):

Feb 09 06:37:50 matrix anw2ll0dqfkyql2gmfhsi4ccwc212nrp-unit-script-matrix-synapse-pre-start[451]: /nix/store/99p0nyqgayic2ipqx2x4lr4njl8f5nrz-python3-3.6.8/bin/python3.6m: Error while finding module specification for 'synapse.app.homeserver' (ModuleNotFoundError: No module named 'synapse')

Setting the version properly to python37 in the service configuration here allows the synapse python module to be found, but not its runtime dependencies:

Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]: Traceback (most recent call last):
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]:   File "/nix/store/5jy6nkhccr8j2bycl6qi404zwnq0swak-python3-3.7.2-env/lib/python3.7/runpy.py", line 183, in _run_module_as_main
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]:     mod_name, mod_spec, code = _get_module_details(mod_name, _Error)
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]:   File "/nix/store/5jy6nkhccr8j2bycl6qi404zwnq0swak-python3-3.7.2-env/lib/python3.7/runpy.py", line 109, in _get_module_details
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]:     __import__(pkg_name)
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]:   File "/nix/store/5jy6nkhccr8j2bycl6qi404zwnq0swak-python3-3.7.2-env/lib/python3.7/site-packages/synapse/app/__init__.py", line 18, in <module>
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]:     from synapse import python_dependencies  # noqa: E402
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]:   File "/nix/store/5jy6nkhccr8j2bycl6qi404zwnq0swak-python3-3.7.2-env/lib/python3.7/site-packages/synapse/python_dependencies.py", line 19, in <module>
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]:     from pkg_resources import DistributionNotFound, VersionConflict, get_distribution
Feb 09 06:43:33 matrix jk958mp32snk3rdx9xf8yjslk8prbxim-unit-script-matrix-synapse-pre-start[665]: ModuleNotFoundError: No module named 'pkg_resources'

@pacien Try this: https://github.com/dotlambda/nixpkgs/commits/matrix-synapse-correct-python. It might be a little overcomplicated but I think it's the correct way to do this.

@dotlambda This works great, thanks!
Though wouldn't it be simpler to re-create bin/homeserver as a wrapper in the synapse package to bind the right interpreter and environment to the application instead of exposing the internal interpreter?

Though wouldn't it be simpler to re-create bin/homeserver as a wrapper in the synapse package to bind the right interpreter and environment to the application instead of exposing the internal interpreter?

It would and I have no clue what hinders upstream from doing this.

@Ekleog working on a manual section, I actually now switched to a different, easier and more robust setup.

@dotlambda your changes seem very sensible to me, the nixos module shouldn't use whatever is in pkgs.python but the actual python from matrix-synapse.package, I started using them as well to test synapse from unstable on 18.09. Do you intend to upstream them?

@dotlambda your changes seem very sensible to me, the nixos module shouldn't use whatever is in pkgs.python but the actual python from matrix-synapse.package, I started using them as well to test synapse from unstable on 18.09. Do you intend to upstream them?

I leave that up to the module maintainers.

@Ekleog Guide is finished: #57699