app/matrix: matrix-ng - synapse deployment cleanup
This is a major revamp of our matrix/synapse deployment as a separate
.libsonnet module.
* synapse version bump to 1.25.0
* riot-web version bump to 1.7.18
* Replaced synapse migration hack we used to template configuration with
environment variable replacement done by Kubernetes itself
* Implemented support for OpenID Connect, migration from CAS has been
verified to be working with some additional configuration options
* Moved homeserver signing key into k8s secret, thus making it possible
to run synapse processes without a single data volume
* Split synapse into a main process, a generic worker and a media repository
worker (the latter is the only container using the data volume). Both the
generic worker and the media repository worker run on a single replica until
we get proper HTTP routing/loadbalancing
* Riot nginx.conf has been extracted into an external file loaded using
importstr.
Change-Id: I6c4d34bf41e148a302d1cbe725608a5aeb7b87ba
diff --git a/app/matrix/lib/synapse/homeserver-ng.yaml b/app/matrix/lib/synapse/homeserver-ng.yaml
new file mode 100644
index 0000000..c57d650
--- /dev/null
+++ b/app/matrix/lib/synapse/homeserver-ng.yaml
@@ -0,0 +1,134 @@
+# vim:ft=yaml
+
+## Server ##
+
+server_name: "example.com"
+public_baseurl: "https://example.com"
+pid_file: /homeserver.pid
+web_client: False
+soft_file_limit: 0
+log_config: "/conf/log.config"
+worker_log_config: "/conf/log.config"
+
+## Ports ##
+
+listeners:
+ - port: 8008
+ tls: false
+ bind_addresses: ['::']
+ type: http
+ x_forwarded: true
+
+ resources:
+ - names: [client]
+ compress: true
+ - names: [federation]
+ compress: false
+
+ # Metrics
+ - port: 9092
+ type: metrics
+ bind_address: '0.0.0.0'
+
+ # The HTTP replication port
+ - port: 9093
+ bind_addresses: ['::']
+ type: http
+ resources:
+ - names: [replication]
+
+## Performance ##
+
+event_cache_size: "10K"
+
+## Ratelimiting ##
+
+rc_messages_per_second: 0.2
+rc_message_burst_count: 10.0
+federation_rc_window_size: 1000
+federation_rc_sleep_limit: 10
+federation_rc_sleep_delay: 500
+federation_rc_reject_limit: 50
+federation_rc_concurrent: 3
+
+## Files ##
+
+media_store_path: "/data/media"
+uploads_path: "/data/uploads"
+max_upload_size: "10M"
+max_image_pixels: "32M"
+dynamic_thumbnails: false
+
+# List of thumbnail to precalculate when an image is uploaded.
+thumbnail_sizes:
+- width: 32
+ height: 32
+ method: crop
+- width: 96
+ height: 96
+ method: crop
+- width: 320
+ height: 240
+ method: scale
+- width: 640
+ height: 480
+ method: scale
+- width: 800
+ height: 600
+ method: scale
+
+url_preview_enabled: False
+max_spider_size: "10M"
+
+
+## Registration ##
+
+enable_registration: False
+bcrypt_rounds: 12
+allow_guest_access: True
+enable_group_creation: true
+
+# The list of identity servers trusted to verify third party
+# identifiers by this server.
+#
+# Also defines the ID server which will be called when an account is
+# deactivated (one will be picked arbitrarily).
+trusted_third_party_id_servers:
+ - matrix.org
+ - vector.im
+
+## Metrics ###
+
+enable_metrics: True
+report_stats: False
+
+
+## API Configuration ##
+
+room_invite_state_types:
+ - "m.room.join_rules"
+ - "m.room.canonical_alias"
+ - "m.room.avatar"
+ - "m.room.name"
+
+expire_access_token: False
+
+## Signing Keys ##
+
+signing_key_path: "/data/hackerspace.pl.signing.key"
+old_signing_keys: {}
+key_refresh_interval: "1d" # 1 Day.
+
+# The trusted servers to download signing keys from.
+perspectives:
+ servers:
+ "matrix.org":
+ verify_keys:
+ "ed25519:auto":
+ key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+suppress_key_server_warning: true
+
+password_config:
+ enabled: false
+
+enable_media_repo: False
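Review bot: `allow_guest_access: True` under `## Registration ##` re-opens anonymous access on a server that otherwise disables registration and password login (OIDC only); unless guest browsing of public rooms is intended, set `allow_guest_access: false` or add a comment stating why guests are wanted. The file also mixes `True`/`False` with `true`/`false` — Synapse's YAML 1.1 loader accepts both, but use lowercase throughout. The metrics listener uses the legacy singular `bind_address: '0.0.0.0'` while the other listeners use `bind_addresses`; `bind_addresses: ['0.0.0.0']` keeps the form consistent, and since both the metrics port and the plaintext replication listener on 9093 bind to all interfaces, they presumably rely on a NetworkPolicy and the replication secret for protection — worth confirming and noting in a comment. Several keys here (`perspectives`, `trusted_third_party_id_servers`, `federation_rc_*`, `expire_access_token`) look like pre-1.0 spellings; check the 1.25 sample config for the current names before relying on them.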
diff --git a/app/matrix/lib/synapse/homeserver-secrets.yaml b/app/matrix/lib/synapse/homeserver-secrets.yaml
new file mode 100644
index 0000000..1f6221f
--- /dev/null
+++ b/app/matrix/lib/synapse/homeserver-secrets.yaml
@@ -0,0 +1,22 @@
+## Common secrets ##
+registration_shared_secret: "$(SYNAPSE_REGISTRATION_SHARED_SECRET)"
+macaroon_secret_key: "$(SYNAPSE_MACAROON_SECRET_KEY)"
+worker_replication_secret: "$(WORKER_REPLICATION_SECRET)"
+
+## Database ##
+database:
+ name: "psycopg2"
+ args:
+ user: "synapse"
+ password: "$(POSTGRES_PASSWORD)"
+ database: "synapse"
+ host: "waw3-postgres"
+ port: "5432"
+ cp_min: 5
+ cp_max: 10
+
+## Replication Redis ##
+redis:
+ enabled: true
+ host: "redis"
+ password: "$(REDIS_PASSWORD)"
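Review bot: Every secret in this file is a `$(VAR)` placeholder, and Kubernetes leaves the literal `$(VAR)` text in place when the referenced variable is undefined, so a missing or misnamed env var would silently yield a predictable `registration_shared_secret`/`macaroon_secret_key` instead of a startup failure; add a guard in the entrypoint that refuses to start if the rendered config still contains `$(`, e.g. `grep -q '\$(' "$CONF" && { echo 'unresolved config variable' >&2; exit 1; }`. Kubernetes also performs `$(VAR)` expansion only in `env[].value`, `command` and `args`, not in mounted ConfigMap/Secret file contents, so this works only if the file is delivered through one of those paths — presumably that is what the jsonnet side does, but a comment at the top of this file stating the mechanism would save the next maintainer a debugging session. The database and redis connections are configured without TLS (`host: "waw3-postgres"`, `host: "redis"`); if those are reached over the cluster network rather than localhost, consider adding `sslmode: require` to `database.args`.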