matrix.hackerspace.pl: use external postgres

Change-Id: Ie0bb76a4200f905bfd0c065cde81283271f8397a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1483
Reviewed-by: informatic <informatic@hackerspace.pl>
diff --git a/app/matrix/lib/matrix-ng.libsonnet b/app/matrix/lib/matrix-ng.libsonnet
index 91c92d2..a807a1a 100644
--- a/app/matrix/lib/matrix-ng.libsonnet
+++ b/app/matrix/lib/matrix-ng.libsonnet
@@ -212,6 +212,23 @@
                 authSecret: { secretKeyRef: { name: "coturn", key: "auth_secret" } },
             },
         },
+
+        postgres: {
+            # Deploy on-cluster postgres: a postgres instance backed by Ceph.
+            # Okay for tiny baby synapses, not okay for chonkers. If not
+            # enabled, bring your own external postgres.
+            enable: true,
+
+            # If not deploying on-cluster postgres, the following needs to be
+            # set.
+            host: error "host must be set with off-cluster postgres",
+            username: "synapse",
+            database: "synapse",
+            port: 5432,
+            # Default to the same password secret ref that is used for
+            # on-cluster postgres.
+            password: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
+        },
     },
 
     # DEPRECATED: this needs to be removed in favor of namespace.Contain() in
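Review bot: The comment `# If not deploying on-cluster postgres, the following needs to be set.` understates the operator's obligations for the `enable: false` path: the `password` default still points at the `synapse` secret's `postgres_password` key, so that secret has to be provisioned out of band with the external database's credential, and nothing in this field list covers transport security for a connection that now leaves the cluster. I would extend the comment to something like `# With enable: false, host must be set and the 'synapse' secret's postgres_password key must hold the external DB's password; consider also exposing a TLS/sslmode setting for the off-cluster case.` Note that `host: error "..."` is lazy in jsonnet: it only fires when some consumer evaluates `cfg.postgres.host`, so a misconfiguration surfaces at render time of whatever reads it rather than when this object is constructed, which is worth stating next to the field.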
@@ -227,7 +244,8 @@
 
     namespace: kube.Namespace(cfg.namespace),
 
-    postgres3: postgres {
+    postgres3: if cfg.postgres.enable then postgres {
+        local psql = self,
         cfg+: {
             namespace: cfg.namespace,
             appName: "synapse",
@@ -239,13 +257,18 @@
             storageSize: "100Gi",
             initdbArgs: "--encoding='UTF8' --lc-collate='C' --lc-ctype='C'",
 
+            # Doesn't influence postgres instance, but used by synapse
+            # libsonnet. Do not override.
+            port: psql.svc.port,
+            host: psql.svc.host,
+
             opts: {
                 max_connections: "300",
                 shared_buffers: "80MB",
                 wal_level: "logical",
             },
         },
-    },
+    } else {},
 
     redis: redis {
         cfg+: {
@@ -312,8 +335,13 @@
 
     synapse: synapse {
         ns: app.namespace,
-        postgres: app.postgres3,
-        redis: app.redis,
+        postgres: if cfg.postgres.enable then app.postgres3 else {
+            # If not using on-cluster postgres, pass the config postgres object
+            # as the postgres object into the synapse lib. It's a bit ugly (we
+            # should have some common 'config' type instead) but it's good
+            # enough.
+            cfg: cfg.postgres,
+        }, redis: app.redis,
         appservices: app.appservices,
         cfg+: app.cfg {
             image: app.cfg.images.synapse,
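Review bot: `}, redis: app.redis,` on the closing line of the new conditional is a formatting slip — the original `redis: app.redis,` line was removed and re-attached to the brace; it should go back on its own line. The `if cfg.postgres.enable` test is also now evaluated in two places (here and in `postgres3`); if `postgres3`'s disabled branch returned `{ cfg: cfg.postgres }` instead of `{}`, this could stay `postgres: app.postgres3,` and every consumer would see the same `.cfg.host` / `.cfg.port` / `.cfg.password` shape in both modes, which is also what the inline comment says it wants. The `synapse` object continues past the end of this hunk.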
diff --git a/app/matrix/lib/synapse.libsonnet b/app/matrix/lib/synapse.libsonnet
index 0d8ef8a..6bf6144 100644
--- a/app/matrix/lib/synapse.libsonnet
+++ b/app/matrix/lib/synapse.libsonnet
@@ -117,7 +117,7 @@
             mountData: false,
 
             resources: {
-                requests: { cpu: "300m", memory: "1Gi" },
+                requests: { cpu: "300m", memory: "2Gi" },
                 limits: { cpu: "1500m", memory: "2Gi" },
             },
         },
@@ -158,7 +158,13 @@
                                 SYNAPSE_MACAROON_SECRET_KEY: cfg.macaroonSecretKey,
                                 SYNAPSE_REGISTRATION_SHARED_SECRET: cfg.registrationSharedSecret,
                                 WORKER_REPLICATION_SECRET: cfg.workerReplicationSecret,
+
                                 POSTGRES_PASSWORD: app.postgres.cfg.password,
+                                POSTGRES_USER: app.postgres.cfg.username,
+                                POSTGRES_DB: app.postgres.cfg.database,
+                                POSTGRES_HOST: app.postgres.cfg.host,
+                                POSTGRES_PORT: app.postgres.cfg.port,
+
                                 REDIS_PASSWORD: app.redis.cfg.password,
                                 POD_NAME: { fieldRef: { fieldPath: "metadata.name" } },
                                 OIDC_CLIENT_SECRET: if cfg.oidc.enable then cfg.oidc.config.client_secret else "",
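Review bot: `POSTGRES_PORT: app.postgres.cfg.port` passes the off-cluster default `5432` as a jsonnet number, but a Kubernetes `EnvVar.value` must be a string; unless the env helper in this lib stringifies scalar values (not visible in this hunk), the rendered manifest for the external-postgres path is rejected by the API server, and the on-cluster `psql.svc.port` may have the same problem depending on its type. `POSTGRES_PORT: std.toString(app.postgres.cfg.port),` is safe whether the source value is a number or already a string. The surrounding container spec starts before this hunk.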
@@ -322,7 +328,7 @@
             "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/",
             "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)",
             "/_matrix/client/(api/v1|r0|v3|unstable)/join/",
-            "/_matrix/client/(api/v1|r0|v3|unstable)/profile/",
+            "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
 
             # These need to be handled by stream writers, not supported yet
             # "/_matrix/client/(r0|v3|unstable)/sendToDevice/",
diff --git a/app/matrix/lib/synapse/homeserver-secrets.yaml b/app/matrix/lib/synapse/homeserver-secrets.yaml
index c7af6f3..8670043 100644
--- a/app/matrix/lib/synapse/homeserver-secrets.yaml
+++ b/app/matrix/lib/synapse/homeserver-secrets.yaml
@@ -8,11 +8,11 @@
   name: "psycopg2"
   allow_unsafe_locale: true
   args:
-    user: "synapse"
+    user: "$(POSTGRES_USER)"
     password: "$(POSTGRES_PASSWORD)"
-    database: "synapse"
-    host: "waw3-postgres"
-    port: "5432"
+    database: "$(POSTGRES_DB)"
+    host: "$(POSTGRES_HOST)"
+    port: "$(POSTGRES_PORT)"
     cp_min: 5
     cp_max: 10
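Review bot: With `host` now able to point outside the cluster, the psycopg2 `args` still carry no `sslmode`, so libpq falls back to its default of `prefer`, which silently downgrades to a cleartext connection — password and all homeserver data — if the server does not offer TLS or the handshake fails. Add an `sslmode` arg plumbed like the other fields, e.g. `sslmode: "$(POSTGRES_SSLMODE)"`, fed by a `POSTGRES_SSLMODE` env var from a new `cfg.postgres.sslmode` field that defaults to `require` (or `verify-full` plus an `sslrootcert` if the CA can be shipped) for the off-cluster case; the on-cluster instance can keep a permissive value if it does not serve TLS. Only the `args` map is visible here; the rest of the `database` block is outside the hunk.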