Merge remote-tracking branch 'origin/master' into staging

* origin/master: (693 commits)
  buildGoModule: use go_1_12 instead of go_1_11 (#58103)
  gitAndTools.lab: 0.15.2 -> 0.15.3 (#58091)
  signal-desktop: 1.22.0 -> 1.23.0
  added missing semicolon to documentation
  terminus_font_ttf: 4.46.0 -> 4.47.0
  buildGoModule: remove SSL env vars in favor of cacert in buildInputs (#58071)
  dav1d: init at 0.2.1
  dropbox-cli: 2018.11.28 -> 2019.02.14
  atlassian-confluence: 6.14.1 -> 6.14.2
  maintainers: update email for dywedir
  python.pkgs.hglib: use patch to specify hg path (#57926)
  chkrootkit: 0.52 -> 0.53
  radare2-cutter: 1.7.2 -> 1.8.0
  autorandr: 1.7 -> 1.8
  pythonPackages.pyhepmc: fix build
  llvm-polly/clang-polly: use latest llvm
  apulse: 0.1.11.1 -> 0.1.12, cleanup
  factorio: experimental 0.17.14 → 0.17.16 (#58000)
  sequeler: 0.6.7 -> 0.6.8
  nasc: 0.5.1 -> 0.5.2
  ...

5 files changed, 212 insertions, 3 deletions

diff --git a/nixos/doc/manual/configuration/configuration.xml b/nixos/doc/manual/configuration/configuration.xml
index 507d28814ead..5961209bc13a 100644
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@@ -21,6 +21,7 @@
  <xi:include href="xfce.xml" />
  <xi:include href="networking.xml" />
  <xi:include href="linux-kernel.xml" />
+ <xi:include href="matrix.xml" />
  <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
  <xi:include href="profiles.xml" />
  <xi:include href="kubernetes.xml" />
diff --git a/nixos/doc/manual/configuration/matrix.xml b/nixos/doc/manual/configuration/matrix.xml
new file mode 100644
index 000000000000..a9a5d6de1f1d
--- /dev/null
+++ b/nixos/doc/manual/configuration/matrix.xml
@@ -0,0 +1,197 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="module-services-matrix">
+ <title>Matrix</title>
+ <para>
+  <link xlink:href="https://matrix.org/">Matrix</link>
+  is an open standard for interoperable, decentralised, real-time communication over IP.
+  It can be used to power Instant Messaging, VoIP/WebRTC signalling, Internet of Things communication -
+  or anywhere you need a standard HTTP API for publishing and subscribing to data whilst tracking the conversation history.
+ </para>
+ <para>
+  This chapter will show you how to set up your own, self-hosted Matrix homeserver using the Synapse reference homeserver,
+  and how to serve your own copy of the Riot web client.
+  See the <link xlink:href="https://matrix.org/docs/projects/try-matrix-now.html">Try Matrix Now!</link>
+  overview page for links to Riot Apps for Android and iOS, desktop clients,
+  as well as bridges to other networks and other projects around Matrix.
+ </para>
+
+ <section xml:id="module-services-matrix-synapse">
+  <title>Synapse Homeserver</title>
+  <para>
+   <link xlink:href="https://github.com/matrix-org/synapse">Synapse</link>
+   is the reference homeserver implementation of Matrix from the core development team at matrix.org.
+   The following configuration example will set up a synapse server for the <literal>example.org</literal>
+   domain, served from the host <literal>myhostname.example.org</literal>.
+   For more information, please refer to the
+   <link xlink:href="https://github.com/matrix-org/synapse#synapse-installation">
+    installation instructions of Synapse
+   </link>.
+   <programlisting>
+    let
+      fqdn =
+        let
+          join = hostName: domain: hostName + optionalString (domain != null) ".${domain}";
+        in join config.networking.hostName config.networking.domain;
+    in {
+      networking = {
+        hostName = "myhostname";
+        domain = "example.org";
+      };
+      networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+      services.nginx = {
+        enable = true;
+        # only recommendedProxySettings and recommendedGzipSettings are strictly required,
+        # but the rest make sense as well
+        recommendedTlsSettings = true;
+        recommendedOptimisation = true;
+        recommendedGzipSettings = true;
+        recommendedProxySettings = true;
+
+        virtualHosts = {
+          # This host section can be placed on a different host than the rest,
+          # i.e. to delegate from the host being accessible as ${config.networking.domain}
+          # to another host actually running the Matrix homeserver.
+          "${config.networking.domain}" = {
+            locations."= /.well-known/matrix/server".extraConfig =
+              let
+                # use 443 instead of the default 8448 port to unite
+                # the client-server and server-server port for simplicity
+                server = { "m.server" = "${fqdn}:443"; };
+              in ''
+                add_header Content-Type application/json;
+                return 200 '${builtins.toJSON server}';
+              '';
+            locations."= /.well-known/matrix/client".extraConfig =
+              let
+                client = {
+                  "m.homeserver" =  { "base_url" = "https://${fqdn}"; };
+                  "m.identity_server" =  { "base_url" = "https://vector.im"; };
+                };
+              # ACAO required to allow riot-web on any URL to request this json file
+              in ''
+                add_header Content-Type application/json;
+                add_header Access-Control-Allow-Origin *;
+                return 200 '${builtins.toJSON client}';
+              '';
+          };
+
+          # Reverse proxy for Matrix client-server and server-server communication
+          ${fqdn} = {
+            enableACME = true;
+            forceSSL = true;
+
+            # Or do a redirect instead of the 404, or whatever is appropriate for you.
+            # But do not put a Matrix Web client here! See the Riot Web section below.
+            locations."/".extraConfig = ''
+              return 404;
+            '';
+
+            # forward all Matrix API calls to the synapse Matrix homeserver
+            locations."/_matrix" = {
+              proxyPass = "http://[::1]:8008";
+            };
+          };
+        };
+      };
+      services.matrix-synapse = {
+        enable = true;
+        server_name = config.networking.domain;
+        listeners = [
+          {
+            port = 8008;
+            bind_address = "::1";
+            type = "http";
+            tls = false;
+            x_forwarded = true;
+            resources = [
+              { names = [ "client" "federation" ]; compress = false; }
+            ];
+          }
+        ];
+      };
+    };
+   </programlisting>
+  </para>
+  <para>
+   If the <code>A</code> and <code>AAAA</code> DNS records on <literal>example.org</literal>
+   do not point on the same host as the records for <code>myhostname.example.org</code>,
+   you can easily move the <code>/.well-known</code> virtualHost section of the code
+   to the host that is serving <literal>example.org</literal>,
+   while the rest stays on <literal>myhostname.example.org</literal>
+   with no other changes required.
+   This pattern also allows to seamlessly move the homeserver from <literal>myhostname.example.org</literal>
+   to <literal>myotherhost.example.org</literal> by only changing the <code>/.well-known</code> redirection target.
+  </para>
+
+  <para>
+   If you want to run a server with public registration by anybody,
+   you can then enable
+   <option>services.matrix-synapse.enable_registration = true;</option>.
+   Otherwise, or you can generate a registration secret with <command>pwgen -s 64 1</command>
+   and set it with
+   <option>services.matrix-synapse.registration_shared_secret</option>.
+   To create a new user or admin,
+   run the following after you have set the secret and have rebuilt NixOS:
+
+   <programlisting>
+    $ nix run nixpkgs.matrix-synapse
+    $ register_new_matrix_user -k &lt;your-registration-shared-secret&gt; http://localhost:8008
+    New user localpart: &lt;your-username&gt;
+    Password:
+    Confirm password:
+    Make admin [no]:
+    Success!
+   </programlisting>
+   In the example, this would create a user with the Matrix Identifier
+   <literal>@your-username:example.org</literal>.
+   Note that the registration secret ends up in the nix store and therefore is world-readable
+   by any user on your machine, so it makes sense to only temporarily activate the
+   <option>registration_shared_secret</option> option until a better solution for NixOS is in place.
+  </para>
+ </section>
+
+ <section xml:id="module-services-matrix-riot-web">
+  <title>Riot Web Client</title>
+  <para>
+   <link xlink:href="https://github.com/vector-im/riot-web/">Riot Web</link>
+   is the reference web client for Matrix and developed by the core team at matrix.org.
+   The following snippet can be optionally added to the code before to complete the synapse
+   installation with a web client served at
+   <code>https://riot.myhostname.example.org</code> and <code>https://riot.example.org</code>.
+   Alternatively, you can use the hosted copy at
+   <link xlink:href="https://riot.im/app">https://riot.im/app</link>,
+   or use other web clients or native client applications.
+   Due to the <literal>/.well-known</literal> urls set up done above,
+   many clients should fill in the required connection details automatically
+   when you enter your Matrix Identifier.
+   See <link xlink:href="https://matrix.org/docs/projects/try-matrix-now.html">Try Matrix Now!</link>
+   for a list of existing clients and their supported featureset.
+
+   <programlisting>
+     services.nginx.virtualHosts."riot.${fqdn}" = {
+       enableACME = true;
+       forceSSL = true;
+       serverAliases = [
+        "riot.${config.networking.domain}"
+       ];
+
+       root = pkgs.riot-web;
+     };
+   </programlisting>
+  </para>
+  <para>
+   Note that the Riot developers do not recommend running Riot and your Matrix homeserver
+   on the same fully-qualified domain name for security reasons.
+   In the example, this means that you should not reuse the <literal>myhostname.example.org</literal>
+   virtualHost to also serve Riot, but instead serve it on a different subdomain,
+   like <literal>riot.example.org</literal> in the example.
+   See the
+   <link xlink:href="https://github.com/vector-im/riot-web#important-security-note">Riot Important Security Notes</link>
+   for more information on this subject.
+  </para>
+ </section>
+</chapter>
diff --git a/nixos/doc/manual/configuration/wireless.xml b/nixos/doc/manual/configuration/wireless.xml
index dda2193dd93a..96b0a44f840a 100644
--- a/nixos/doc/manual/configuration/wireless.xml
+++ b/nixos/doc/manual/configuration/wireless.xml
@@ -23,7 +23,7 @@
     psk = "abcdefgh";
   };
   "free.wifi" = {};
-}
+};
 </programlisting>
   Be aware that keys will be written to the nix store in plaintext! When no
   networks are set, it will default to using a configuration file at
diff --git a/nixos/doc/manual/development/option-types.xml b/nixos/doc/manual/development/option-types.xml
index d993e47bc914..069cc36573d8 100644
--- a/nixos/doc/manual/development/option-types.xml
+++ b/nixos/doc/manual/development/option-types.xml
@@ -512,7 +512,7 @@ config.mod.two = { foo = 2; bar = "two"; };</screen>
       The function to type check the value. Takes a value as parameter and
       return a boolean. It is possible to extend a type check with the
       <literal>addCheck</literal> function
-      (<xref 
+      (<xref
           linkend='ex-extending-type-check-1' />), or to fully
       override the check function
       (<xref linkend='ex-extending-type-check-2' />).
@@ -522,7 +522,7 @@ config.mod.two = { foo = 2; bar = "two"; };</screen>
 <screen>
 byte = mkOption {
   description = "An integer between 0 and 255.";
-  type = addCheck types.int (x: x &gt;= 0 &amp;&amp; x &lt;= 255);
+  type = types.addCheck types.int (x: x &gt;= 0 &amp;&amp; x &lt;= 255);
 };</screen>
      </example>
      <example xml:id='ex-extending-type-check-2'>
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index 931c3be5913b..fab5b5aecb94 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -476,6 +476,8 @@
     and will be <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the last version to accept self-signed certificates</link>.
     As such, it is now recommended to use a proper certificate verified by a
     root CA (for example Let's Encrypt).
+    The new <link linkend="module-services-matrix">manual chapter on Matrix</link> contains a working example of using nginx as a reverse proxy
+    in front of <literal>matrix-synapse</literal>, using Let's Encrypt certificates.
    </para>
   </listitem>
    <listitem>
@@ -561,6 +563,15 @@
      </para>
    </listitem>
    <listitem>
+    <para>
+     The manual gained a
+     <link linkend="module-services-matrix">
+      new chapter on self-hosting <literal>matrix-synapse</literal> and <literal>riot-web</literal>
+     </link>, the most prevalent server and client implementations for the
+     <link xlink:href="https://matrix.org/">Matrix</link> federated communication network.
+    </para>
+   </listitem>
+   <listitem>
      <para>
        The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore.
      </para>