app/matrix: matrix-ng - synapse deployment cleanup

This is a major revamp of our matrix/synapse deployment as a separate
.libsonnet module.

* synapse version bump to 1.25.0
* riot-web version bump to 1.7.18
* Replaced synapse migration hack we used to template configuration with
environment variable replacement done by Kubernetes itself
* Implemented support for OpenID Connect, migration from CAS has been
verified to be working with some additional configuration options
* Moved homeserver signing key into k8s secret, thus making it possible
to run synapse processes without a single data volume
* Split synapse into main process, generic worker and media repository
  worker (the latter is the only container using the data volume). Both the
  generic worker and the media repository worker run as a single replica
  until we get proper HTTP routing/load balancing
* Riot nginx.conf has been extracted into an external file loaded using
importstr.

Change-Id: I6c4d34bf41e148a302d1cbe725608a5aeb7b87ba
diff --git a/app/matrix/lib/synapse/homeserver-ng.yaml b/app/matrix/lib/synapse/homeserver-ng.yaml
new file mode 100644
index 0000000..c57d650
--- /dev/null
+++ b/app/matrix/lib/synapse/homeserver-ng.yaml
@@ -0,0 +1,134 @@
+# vim:ft=yaml

+

+## Server ##

+

+server_name: "example.com"

+public_baseurl: "https://example.com"

+pid_file: /homeserver.pid

+web_client: False

+soft_file_limit: 0

+log_config: "/conf/log.config"

+worker_log_config: "/conf/log.config"

+

+## Ports ##

+

+listeners:

+  - port: 8008

+    tls: false

+    bind_addresses: ['::']

+    type: http

+    x_forwarded: true

+

+    resources:

+      - names: [client]

+        compress: true

+      - names: [federation]

+        compress: false

+

+  # Metrics

+  - port: 9092

+    type: metrics

+    bind_address: '0.0.0.0'

+

+  # The HTTP replication port

+  - port: 9093

+    bind_addresses: ['::']

+    type: http

+    resources:

+     - names: [replication]

+

+## Performance ##

+

+event_cache_size: "10K"

+

+## Ratelimiting ##

+

+rc_messages_per_second: 0.2

+rc_message_burst_count: 10.0

+federation_rc_window_size: 1000

+federation_rc_sleep_limit: 10

+federation_rc_sleep_delay: 500

+federation_rc_reject_limit: 50

+federation_rc_concurrent: 3

+

+## Files ##

+

+media_store_path: "/data/media"

+uploads_path: "/data/uploads"

+max_upload_size: "10M"

+max_image_pixels: "32M"

+dynamic_thumbnails: false

+

+# List of thumbnail to precalculate when an image is uploaded.

+thumbnail_sizes:

+- width: 32

+  height: 32

+  method: crop

+- width: 96

+  height: 96

+  method: crop

+- width: 320

+  height: 240

+  method: scale

+- width: 640

+  height: 480

+  method: scale

+- width: 800

+  height: 600

+  method: scale

+

+url_preview_enabled: False

+max_spider_size: "10M"

+

+

+## Registration ##

+

+enable_registration: False

+bcrypt_rounds: 12

+allow_guest_access: True

+enable_group_creation: true

+

+# The list of identity servers trusted to verify third party

+# identifiers by this server.

+#

+# Also defines the ID server which will be called when an account is

+# deactivated (one will be picked arbitrarily).

+trusted_third_party_id_servers:

+    - matrix.org

+    - vector.im

+

+## Metrics ###

+

+enable_metrics: True

+report_stats: False

+

+

+## API Configuration ##

+

+room_invite_state_types:

+    - "m.room.join_rules"

+    - "m.room.canonical_alias"

+    - "m.room.avatar"

+    - "m.room.name"

+

+expire_access_token: False

+

+## Signing Keys ##

+

+signing_key_path: "/data/hackerspace.pl.signing.key"

+old_signing_keys: {}

+key_refresh_interval: "1d" # 1 Day.

+

+# The trusted servers to download signing keys from.

+perspectives:

+  servers:

+    "matrix.org":

+      verify_keys:

+        "ed25519:auto":

+          key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"

+suppress_key_server_warning: true

+

+password_config:

+   enabled: false

+

+enable_media_repo: False
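Review bot: All three listeners bind every interface (`bind_addresses: ['::']`, `bind_address: '0.0.0.0'`) with `tls: false`, so the unauthenticated Prometheus endpoint on 9092 and the replication API on 9093 are reachable from anything on the pod network, and `x_forwarded: true` on 8008 means a client that reaches the pod directly rather than through the ingress can forge `X-Forwarded-For` to evade per-IP rate limiting and falsify the client IP in logs. Unless the jsonnet module already ships a NetworkPolicy restricting 8008 to the ingress and 9092/9093 to the worker and scrape pods, that belongs in this change; the `worker_replication_secret` introduced in 1.25 narrows the 9093 exposure but does nothing for 9092 or the spoofed-IP case. On the metrics listener `bind_address` is the legacy singular form of `bind_addresses` and should be written `bind_addresses: ['0.0.0.0']` to match the other two listeners. `allow_guest_access: True` next to `enable_registration: False` also deserves a comment stating that guest accounts are intentional, since they are the usual abuse entry point on a closed homeserver, e.g. `# Guests are allowed on purpose; they can only join rooms that opt in via guest_access.`. Finally the file mixes `True`/`False` with `true`/`false`; pick the lowercase spelling throughout so yamllint's truthy rule stays quiet.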

diff --git a/app/matrix/lib/synapse/homeserver-secrets.yaml b/app/matrix/lib/synapse/homeserver-secrets.yaml
new file mode 100644
index 0000000..1f6221f
--- /dev/null
+++ b/app/matrix/lib/synapse/homeserver-secrets.yaml
@@ -0,0 +1,22 @@
+## Common secrets ##
+registration_shared_secret: "$(SYNAPSE_REGISTRATION_SHARED_SECRET)"
+macaroon_secret_key: "$(SYNAPSE_MACAROON_SECRET_KEY)"
+worker_replication_secret: "$(WORKER_REPLICATION_SECRET)"
+
+## Database ##
+database:
+  name: "psycopg2"
+  args:
+    user: "synapse"
+    password: "$(POSTGRES_PASSWORD)"
+    database: "synapse"
+    host: "waw3-postgres"
+    port: "5432"
+    cp_min: 5
+    cp_max: 10
+
+## Replication Redis ##
+redis:
+  enabled: true
+  host: "redis"
+  password: "$(REDIS_PASSWORD)"
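Review bot: The `$(VAR)` placeholders fail open: Kubernetes leaves the reference text unchanged when the variable is not defined, so a missing `SYNAPSE_MACAROON_SECRET_KEY` would start synapse with the predictable literal `$(SYNAPSE_MACAROON_SECRET_KEY)` as the key that signs access tokens, and the same applies to `registration_shared_secret` and `worker_replication_secret`. Define each of these env entries with `valueFrom.secretKeyRef` and without `optional: true` so the container fails at creation instead of running with a known secret, and keep in mind that Kubernetes only expands `$(VAR)` in `command`, `args` and `env` values, never in files mounted from a ConfigMap or Secret, so this file has to be fed through one of those (presumably the jsonnet module does; worth confirming). The double-quoted scalars are also fragile for generated secret material: a value containing `\` or `"` is either escape-processed or breaks the parse, so prefer single quotes, `macaroon_secret_key: '$(SYNAPSE_MACAROON_SECRET_KEY)'`, which only require that the value contain no `'`. A header comment would help the next reader: `# Placeholders are expanded by Kubernetes $(VAR) substitution; never put literal values in this file.`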