matrix.hackerspace.pl: use external postgres
Change-Id: Ie0bb76a4200f905bfd0c065cde81283271f8397a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1483
Reviewed-by: informatic <informatic@hackerspace.pl>
diff --git a/app/matrix/lib/matrix-ng.libsonnet b/app/matrix/lib/matrix-ng.libsonnet
index 91c92d2..a807a1a 100644
--- a/app/matrix/lib/matrix-ng.libsonnet
+++ b/app/matrix/lib/matrix-ng.libsonnet
@@ -212,6 +212,23 @@
authSecret: { secretKeyRef: { name: "coturn", key: "auth_secret" } },
},
},
+
+ postgres: {
+ # Deploy on-cluster postgres: a postgres instance backed by Ceph.
+ # Okay for tiny baby synapses, not okay for chonkers. If not
+ # enabled, bring your own external postgres.
+ enable: true,
+
+ # If not deploying on-cluster postgres, the following needs to be
+ # set.
+ host: error "host must be set with off-cluster postgres",
+ username: "synapse",
+ database: "synapse",
+ port: 5432,
+ # Default to the same password secret ref that is used for
+ # on-cluster postgres.
+ password: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
+ },
},
# DEPRECATED: this needs to be removed in favor of namespace.Contain() in
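Review bot: The comment above `host` says "the following needs to be set" for off-cluster postgres, but only `host` is an `error` sentinel — `username`, `database`, `port` and `password` all carry defaults that silently apply to an external instance too, so the comment overstates what an operator must supply. Suggest rewording it to `# If not deploying on-cluster postgres, host must be set; username, database, port and password default to the values the on-cluster instance would use and may need overriding.` Since jsonnet evaluates lazily, the `error` only fires when `cfg.postgres.host` is actually read, which appears to be intended here but is worth stating in the comment so nobody expects an eager failure on `enable: false`. The enclosing cfg object begins before this hunk.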
@@ -227,7 +244,8 @@
namespace: kube.Namespace(cfg.namespace),
- postgres3: postgres {
+ postgres3: if cfg.postgres.enable then postgres {
+ local psql = self,
cfg+: {
namespace: cfg.namespace,
appName: "synapse",
@@ -239,13 +257,18 @@
storageSize: "100Gi",
initdbArgs: "--encoding='UTF8' --lc-collate='C' --lc-ctype='C'",
+ # Doesn't influence postgres instance, but used by synapse
+ # libsonnet. Do not override.
+ port: psql.svc.port,
+ host: psql.svc.host,
+
opts: {
max_connections: "300",
shared_buffers: "80MB",
wal_level: "logical",
},
},
- },
+ } else {},
redis: redis {
cfg+: {
@@ -312,8 +335,13 @@
synapse: synapse {
ns: app.namespace,
- postgres: app.postgres3,
- redis: app.redis,
+ postgres: if cfg.postgres.enable then app.postgres3 else {
+ # If not using on-cluster postgres, pass the config postgres object
+ # as the postgres object into the synapse lib. It's a bit ugly (we
+ # should have some common 'config' type instead) but it's good
+ # enough.
+ cfg: cfg.postgres,
+ }, redis: app.redis,
appservices: app.appservices,
cfg+: app.cfg {
image: app.cfg.images.synapse,
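Review bot: `redis: app.redis,` has been folded onto the closing brace of the new conditional postgres object (`}, redis: app.redis,`), which hides a sibling field behind a five-line comment block; split it so each field has its own line: `},` then `redis: app.redis,`. The off-cluster stand-in `{ cfg: cfg.postgres }` only provides `.cfg`, so if synapse.libsonnet reads anything else from `app.postgres` (a service or secret name, say) it will fail with a field-not-found error under `enable: false` — I can only see `app.postgres.cfg.*` accesses in this diff, so this is inferred rather than confirmed. The `synapse:` object continues past the end of this hunk.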
diff --git a/app/matrix/lib/synapse.libsonnet b/app/matrix/lib/synapse.libsonnet
index 0d8ef8a..6bf6144 100644
--- a/app/matrix/lib/synapse.libsonnet
+++ b/app/matrix/lib/synapse.libsonnet
@@ -117,7 +117,7 @@
mountData: false,
resources: {
- requests: { cpu: "300m", memory: "1Gi" },
+ requests: { cpu: "300m", memory: "2Gi" },
limits: { cpu: "1500m", memory: "2Gi" },
},
},
@@ -158,7 +158,13 @@
SYNAPSE_MACAROON_SECRET_KEY: cfg.macaroonSecretKey,
SYNAPSE_REGISTRATION_SHARED_SECRET: cfg.registrationSharedSecret,
WORKER_REPLICATION_SECRET: cfg.workerReplicationSecret,
+
POSTGRES_PASSWORD: app.postgres.cfg.password,
+ POSTGRES_USER: app.postgres.cfg.username,
+ POSTGRES_DB: app.postgres.cfg.database,
+ POSTGRES_HOST: app.postgres.cfg.host,
+ POSTGRES_PORT: app.postgres.cfg.port,
+
REDIS_PASSWORD: app.redis.cfg.password,
POD_NAME: { fieldRef: { fieldPath: "metadata.name" } },
OIDC_CLIENT_SECRET: if cfg.oidc.enable then cfg.oidc.config.client_secret else "",
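Review bot: `POSTGRES_PORT: app.postgres.cfg.port` will likely emit a JSON number rather than a string: the default in matrix-ng.libsonnet is the literal `port: 5432`, and the on-cluster path takes `psql.svc.port`, which is presumably numeric as well. Kubernetes `EnvVar.value` is a string, so if this map is serialised straight into the container `env` the API server rejects the manifest; the other new entries are strings or secretKeyRef objects and are unaffected. Suggest `POSTGRES_PORT: std.toString(app.postgres.cfg.port),`, which also keeps the `"$(POSTGRES_PORT)"` expansion in homeserver-secrets.yaml producing the same `"5432"` string it had before. The enclosing env object starts before this hunk.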
@@ -322,7 +328,7 @@
"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/",
"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)",
"/_matrix/client/(api/v1|r0|v3|unstable)/join/",
- "/_matrix/client/(api/v1|r0|v3|unstable)/profile/",
+ "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
# These need to be handled by stream writers, not supported yet
# "/_matrix/client/(r0|v3|unstable)/sendToDevice/",
diff --git a/app/matrix/lib/synapse/homeserver-secrets.yaml b/app/matrix/lib/synapse/homeserver-secrets.yaml
index c7af6f3..8670043 100644
--- a/app/matrix/lib/synapse/homeserver-secrets.yaml
+++ b/app/matrix/lib/synapse/homeserver-secrets.yaml
@@ -8,11 +8,11 @@
name: "psycopg2"
allow_unsafe_locale: true
args:
- user: "synapse"
+ user: "$(POSTGRES_USER)"
password: "$(POSTGRES_PASSWORD)"
- database: "synapse"
- host: "waw3-postgres"
- port: "5432"
+ database: "$(POSTGRES_DB)"
+ host: "$(POSTGRES_HOST)"
+ port: "$(POSTGRES_PORT)"
cp_min: 5
cp_max: 10
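Review bot: The connection args now point at an off-cluster host via `$(POSTGRES_HOST)` but set no `sslmode`, so libpq's default of `prefer` applies: the client downgrades to plaintext if the server does not offer TLS and does not verify the server certificate when it does. With database traffic (including the password on the wire) now leaving the cluster, it would be safer to either add `sslmode: "verify-full"` and a `sslrootcert` path to `args`, or plumb an `sslmode` field through the new `postgres` config object and an env var like the other parameters so the on-cluster deployment keeps its current behaviour. Synapse passes extra `args` keys through to psycopg2, so no other change is needed in this file. The enclosing `database:` block begins before this hunk.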
diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index 931901a..bf7f5bf 100644
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -35,6 +35,7 @@
},
db+: {
password: std.strReplace(importstr "secrets/plain/media-repo-matrix-postgres", "\n", ""),
+ host: "bc01n05.hswaw.net",
},
},
coturn+: {
@@ -44,6 +45,11 @@
loadBalancerIP: "185.236.240.59",
},
},
+
+ postgres+: {
+ enable: false,
+ host: "bc01n05.hswaw.net",
+ },
},
riot+: {
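Review bot: The hostname `"bc01n05.hswaw.net"` is now written twice in this file — here under `postgres+` and in the earlier hunk under the media-repo `db+` (L134) — so a future move of the database server requires two edits that can drift apart. Suggest a file-level `local postgresHost = "bc01n05.hswaw.net",` referenced from both places. The `postgres+` block sets only `host`, so the default `username`/`database`/`port`/`password` from matrix-ng.libsonnet are being relied on for the external instance; a one-line comment such as `// username, database, port and password inherit the lib defaults` would make that explicit.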
@@ -91,55 +97,6 @@
},
},
- // Bump up storage to 200Gi from default 100Gi, use different name. The
- // new name corresponds to a manually migrated and sized-up PVC that
- // contains data from the original waw3-postgres PVC.
- postgres3+: {
- local psql = self,
- volumeClaim+: {
- metadata+: {
- name: "waw3-postgres-2",
- },
- spec+: {
- resources+: {
- requests+: {
- storage: "200Gi",
- },
- },
- },
- },
- tempVC: kube.PersistentVolumeClaim(psql.makeName("tempvc")) {
- metadata+: psql.metadata,
- spec+: {
- storageClassName: psql.cfg.storageClassName,
- accessModes: [ "ReadWriteOnce" ],
- resources: {
- requests: {
- storage: "200Gi",
- },
- },
- },
- },
- deployment+: {
- spec+: {
- template+: {
- spec+: {
- volumes_+: {
- temp: kube.PersistentVolumeClaimVolume(psql.tempVC),
- },
- containers_+: {
- postgres+: {
- volumeMounts_+: {
- temp: { mountPath: "/mnt/tmp/" },
- },
- },
- },
- },
- },
- },
- },
- },
-
appservices: {
"irc-freenode": irc.AppServiceIrc("freenode") {
cfg+: {