commit 54c90b1caf8c4e5d0bd5f58a196b6edffed3e475 Author: ange Date: Wed May 1 11:29:32 2024 +0200 first commit
diff --git a/.env b/.env
new file mode 100644
index 0000000..8f896fa
--- /dev/null
+++ b/.env
@@ -0,0 +1,4 @@
+IMAGEAPP=ghcr.io/element-hq/synapse:v1.105.0
+IMAGECOTURN=docker.io/coturn/coturn:4.6.2
+
+TURN_URL=turn.test.gmoker.com
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
new file mode 100644
index 0000000..84fd1f6
--- /dev/null
+++ b/.gitea/workflows/deploy.yaml
@@ -0,0 +1,18 @@
+on: push
+
+jobs:
+ build:
+ name: test
+ runs-on: debian
+ steps:
+ - uses: actions/checkout@v1
+ - name: setup env
+ run: |
+ cat <> .env
+ BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k8s.gmoker.com"
+ EOF
+ cat .env
+
+ - uses: actions/k8sdeploy@v1
+ with:
+ kubeconfig: "${{ secrets.K8S }}"
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a055664
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# Synapse
diff --git a/compose.yaml b/compose.yaml
new file mode 100644
index 0000000..c7e182c
--- /dev/null
+++ b/compose.yaml
@@ -0,0 +1,26 @@
+---
+services:
+ db:
+ image: docker.io/postgres:15
+ restart: unless-stopped
+ environment:
+ - POSTGRES_DB
+ - POSTGRES_USER
+ - POSTGRES_PASSWORD
+ volumes:
+ - db:/var/lib/postgresql/data/
+
+ synapse:
+ image: "$IMAGEAPP"
+ restart: unless-stopped
+ ports:
+ - "8080:8008"
+ - "8448:8448"
+ volumes:
+ - synapse_config:/config/
+ - synapse_data:/data/
+
+volumes:
+ db: {}
+ synapse_config: {}
+ synapse_data: {}
diff --git a/homeserver.yaml b/homeserver.yaml
new file mode 100644
index 0000000..e8d1db8
--- /dev/null
+++ b/homeserver.yaml
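Review bot: `${{ gitea.ref_name }}` and `${{ gitea.repository }}` are expanded into the text of the `run:` script before bash parses it, so a branch or repository name containing `"`, `$(` or a backtick is executed as shell on the runner (the script-injection pattern the GitHub Actions documentation warns about, which Gitea Actions appears to share). Pass them through the step's `env:` block and expand them as shell variables instead, e.g. `env: REF_NAME: "${{ gitea.ref_name }}"` / `REPO: "${{ gitea.repository }}"` and then `BASE_URL="${REF_NAME}.$(tr / '\n' <<< "$REPO" | tac | tr '\n' .)k8s.gmoker.com"`. The heredoc opener reads `cat <> .env` here, which is not a valid redirection; the intended `cat <<EOF >> .env` has presumably been mangled in this rendering, so the committed file is worth checking. `actions/checkout@v1` is pinned only by a movable major tag; a full commit SHA pin is the usual supply-chain hardening for third-party actions.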
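Review bot: The `synapse` service has no `depends_on: [db]` and receives no `POSTGRES_*` environment, so with this file alone the container starts before Postgres is up and the `$POSTGRES_HOST`/`$POSTGRES_PASSWORD` placeholders in homeserver.yaml are only filled by the envsubst in manifests/bin/deploy.sh, not by Compose. If this file is meant for local runs, add `depends_on: - db` and an `environment:` list for the `POSTGRES_*` variables on the `synapse` service, or a comment stating that it is not a standalone stack. Port `"8448:8448"` is published although the only listener configured in homeserver.yaml is 8008; either add a federation listener on 8448 or drop the mapping so the exposed surface matches what is actually served.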
@@ -0,0 +1,92 @@
+server_name: "$BASE_URL"
+pid_file: /homeserver.pid
+web_client: false
+soft_file_limit: 0
+log_config: "/config/log.config"
+
+listeners:
+ - port: 8008
+ tls: false
+ bind_addresses: ['::']
+ type: http
+ x_forwarded: false
+ resources:
+ - names: [client]
+ compress: true
+ - names: [federation]
+ compress: false
+
+database:
+ name: "psycopg2"
+ args:
+ host: "$POSTGRES_HOST"
+ port: "$POSTGRES_PORT"
+ database: "$POSTGRES_DB"
+ user: "$POSTGRES_USER"
+ password: "$POSTGRES_PASSWORD"
+ cp_min: 5
+ cp_max: 10
+
+event_cache_size: "10K"
+
+rc_messages_per_second: 0.2
+rc_message_burst_count: 10.0
+federation_rc_window_size: 1000
+federation_rc_sleep_limit: 10
+federation_rc_sleep_delay: 500
+federation_rc_reject_limit: 50
+federation_rc_concurrent: 3
+
+media_store_path: "/data/media"
+max_upload_size: "50M"
+max_image_pixels: "32M"
+dynamic_thumbnails: false
+
+thumbnail_sizes:
+- width: 32
+ height: 32
+ method: crop
+- width: 96
+ height: 96
+ method: crop
+- width: 320
+ height: 240
+ method: scale
+- width: 640
+ height: 480
+ method: scale
+- width: 800
+ height: 600
+ method: scale
+
+url_preview_enabled: false
+max_spider_size: "10M"
+
+enable_registration_captcha: false
+
+turn_uris: [ "turn:$TURN_URL?transport=tcp", "turn:$TURN_URL?transport=udp" ]
+turn_shared_secret: "$TURN_SHARED_SECRET"
+turn_user_lifetime: "1h"
+turn_allow_guests: true
+
+enable_registration: false
+registration_shared_secret: "$REGISTRATION_SECRET"
+
+enable_metrics: true
+report_stats: true
+
+macaroon_secret_key: "$API_SECRET"
+expire_access_token: false
+
+signing_key_path: "/keys/signing.key"
+key_refresh_interval: "1d"
+
+trusted_key_servers:
+ - server_name: matrix.org
+ verify_keys:
+ "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+
+password_config:
+ enabled: true
+
+encryption_enabled_by_default_for_room_type: "all"
diff --git a/log.config b/log.config
new file mode 100644
index 0000000..9b5ae3a
--- /dev/null
+++ b/log.config
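Review bot: `x_forwarded: false` on the 8008 listener, while the pod is only reached through the nginx Ingress in manifests/common/app.yaml, makes Synapse treat the ingress address as every client's IP, so the `rc_*` rate limits and request logging collapse onto a single source; set `x_forwarded: true` on that listener. `server_name: "$BASE_URL"` is substituted from a branch-derived hostname (see .gitea/workflows/deploy.yaml), and a Matrix server_name cannot be changed once users or rooms exist, so a comment such as `# server_name is permanent for this deployment; do not rebind it to another host` would guard against an accidental redeploy under a new name. `expire_access_token: false` no longer appears in the current sample configuration and is presumably ignored; dropping it avoids suggesting it has an effect. `report_stats: true` opts into usage reporting to the Synapse maintainers, which deserves an explicit comment that it is intended.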
@@ -0,0 +1,22 @@
+# vim: ft=yaml
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+loggers:
+ synapse.storage.SQL:
+ level: INFO
+
+root:
+ level: INFO
+ handlers: [console]
+
+disable_existing_loggers: false
diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
new file mode 100755
index 0000000..dc78e44
--- /dev/null
+++ b/manifests/bin/deploy.sh
@@ -0,0 +1,56 @@
+#!/bin/bash -e
+set -o pipefail
+
+function kapply() {
+ for f in "$@"; do
+ kubectl apply -f \
+ <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+ done
+}
+
+function kcreatesec() {
+ kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
+}
+
+function kcreatecm() {
+ kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
+}
+
+function kgseckey() {
+ local sec="$1"; shift
+ local key="$1"; shift
+
+ kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d
+}
+
+function kgcmkey() {
+ local cm="$1"; shift
+ local key="$1"; shift
+
+ kubectl get configmap "$cm" -o jsonpath="{.data.$key}"
+}
+
+function get_synapse_key() {
+ kgcmkey synapse-config 'homeserver\.yaml' | awk -F\" "/^\s*$1/{print \$2}" || openssl rand -hex 32
+}
+
+
+kapply common/db.yaml
+
+export POSTGRES_HOST; POSTGRES_HOST="$(kgseckey postgres-app host)"
+export POSTGRES_PORT; POSTGRES_PORT="$(kgseckey postgres-app port)"
+export POSTGRES_DB; POSTGRES_DB="$(kgseckey postgres-app dbname)"
+export POSTGRES_USER; POSTGRES_USER="$(kgseckey postgres-app user)"
+export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
+
+export API_SECRET; API_SECRET="$(get_synapse_key macaroon_secret_key)"
+export TURN_SHARED_SECRET; TURN_SHARED_SECRET="$(get_synapse_key turn_shared_secret)"
+export REGISTRATION_SECRET; REGISTRATION_SECRET="$(get_synapse_key registration_shared_secret)"
+
+kcreatecm synapse-config \
+ --from-file=homeserver.yaml=<(envsubst "$(env | xargs printf '$%s ')" < homeserver.yaml) \
+ --from-file=log.config=<(envsubst "$(env | xargs printf '$%s ')" < log.config)
+
+kapply common/keys.yaml common/app.yaml
+
+kubectl rollout restart statefulset app
diff --git a/manifests/bin/devel.sh b/manifests/bin/devel.sh
new file mode 100755
index 0000000..464c4d0
--- /dev/null
+++ b/manifests/bin/devel.sh
@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+export NB_REPLICAS=1
+
+. ./manifests/bin/deploy.sh
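Review bot: The rendered homeserver.yaml that `kcreatecm synapse-config` stores holds the database password and the three generated secrets (`macaroon_secret_key`, `registration_shared_secret`, `turn_shared_secret`), and `get_synapse_key` reads them back from that same ConfigMap, so the long-lived secrets live in an object readable by any principal with ConfigMap read access rather than in a Secret. The unused `kcreatesec`/`kgseckey` helpers are already the Secret equivalents: create the rendered config with `kcreatesec synapse-config --from-file=...`, switch the `config` volume in manifests/common/app.yaml from `configMap` to `secret`, and read the keys back with `kgseckey`. Separately, the `|| openssl rand -hex 32` fallback in `get_synapse_key` only runs when the pipeline fails; when the object exists but the key line is missing, awk prints nothing and exits 0, so the exported variable is empty and envsubst renders `macaroon_secret_key: ""`. `envsubst "$(env | xargs printf '$%s ')"` also substitutes every variable in the environment, so any literal `$NAME` inside a config value is rewritten; an explicit list of the intended variables is safer. The helper should test the extracted value instead of the exit status (shown here still against the ConfigMap, so it works before or after the Secret migration):
```shell
function get_synapse_key() {
  local key
  # kgcmkey fails on a missing object; awk yields "" on a missing line — treat both as "generate"
  key="$(kgcmkey synapse-config 'homeserver\.yaml' 2>/dev/null | awk -F\" "/^\s*$1/{print \$2}")" || true
  [ -n "$key" ] || key="$(openssl rand -hex 32)"
  printf '%s\n' "$key"
}
```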
diff --git a/manifests/bin/prod.sh b/manifests/bin/prod.sh
new file mode 100755
index 0000000..c97fc9e
--- /dev/null
+++ b/manifests/bin/prod.sh
@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+export NB_REPLICAS=3
+
+. ./manifests/bin/deploy.sh
diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml
new file mode 100644
index 0000000..7db7c30
--- /dev/null
+++ b/manifests/common/app.yaml
@@ -0,0 +1,95 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: app
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ ingressClassName: nginx
+ tls:
+ - secretName: tls-app
+ hosts:
+ - "$BASE_URL"
+ rules:
+ - host: "$BASE_URL"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: app
+ port:
+ name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: app
+ labels:
+ app: app
+spec:
+ selector:
+ app: app
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: app
+ labels:
+ app: app
+spec:
+ replicas: $NB_REPLICAS
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ imagePullSecrets:
+ - name: regcred
+ containers:
+ - name: app
+ image: "$IMAGEAPP"
+ ports:
+ - name: http
+ containerPort: 8008
+ env:
+ - name: SYNAPSE_CONFIG_PATH
+ value: /config/homeserver.yaml
+ - name: SYNAPSE_CONFIG_DIR
+ value: /keys/
+ volumeMounts:
+ - name: config
+ mountPath: /config/
+ readOnly: true
+ - name: data
+ mountPath: /data/
+ - name: keys
+ mountPath: /keys/
+ securityContext:
+ fsGroup: 991
+ volumes:
+ - name: config
+ configMap:
+ name: synapse-config
+ - name: keys
+ persistentVolumeClaim:
+ claimName: keys
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: nfs-csi
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/manifests/common/db.yaml b/manifests/common/db.yaml
new file mode 100644
index 0000000..4661288
--- /dev/null
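Review bot: `replicas: $NB_REPLICAS` (3 in manifests/bin/prod.sh) runs three independent Synapse main processes against the same database, each with its own `data` PVC from `volumeClaimTemplates`, so media uploaded to one pod is absent on the others and running several main processes on one database is not a supported Synapse layout; pin this to `replicas: 1` unless a worker-based deployment is added, and keep `$NB_REPLICAS` for the database only. The shared `keys` volume is declared `ReadWriteOnce` in manifests/common/keys.yaml, an access mode meant for a single node, so a multi-replica rollout spread across nodes would be expected to stall on volume attachment as well. The Ingress carries no `nginx.ingress.kubernetes.io/proxy-body-size` annotation, so ingress-nginx's default 1m request-body limit rejects uploads well below the `max_upload_size: "50M"` set in homeserver.yaml; add `nginx.ingress.kubernetes.io/proxy-body-size: "50m"` under `metadata.annotations`. The container also sets no `resources` and no `runAsNonRoot: true` / `allowPrivilegeEscalation: false`, which are worth adding next to the existing `fsGroup: 991`.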
+++ b/manifests/common/db.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: postgres
+spec:
+ instances: $NB_REPLICAS
+ storage:
+ size: 10Gi
diff --git a/manifests/common/keys.yaml b/manifests/common/keys.yaml
new file mode 100644
index 0000000..a1463ad
--- /dev/null
+++ b/manifests/common/keys.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: keys
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: nfs-csi
+ resources:
+ requests:
+ storage: 10Mi
diff --git a/manifests/devel/.gitkeep b/manifests/devel/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/manifests/prod/.gitkeep b/manifests/prod/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/new_user.sh b/new_user.sh
new file mode 100755
index 0000000..93e8ca0
--- /dev/null
+++ b/new_user.sh
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+kubectl exec -it -n synapse svc/app -- register_new_matrix_user -c /config/homeserver.yaml
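Review bot: The `Cluster` named `postgres` is what makes the `postgres-app` Secret that manifests/bin/deploy.sh reads (`kgseckey postgres-app host` and friends) appear, but nothing here records that dependency; a comment such as `# CNPG publishes the app credentials as Secret "postgres-app"; consumed by manifests/bin/deploy.sh` above `metadata` would make the renaming hazard visible. `instances: $NB_REPLICAS` also ties the number of Postgres instances to the Synapse replica count set in devel.sh/prod.sh, which are unrelated sizing decisions and read more clearly as separate variables.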
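Review bot: The hard-coded `-n synapse` namespace does not match manifests/bin/deploy.sh, where every `kubectl` call runs in whatever namespace the current context selects, so this script only works when the deployment happened to land in `synapse`; either pass `-n` consistently in deploy.sh or drop it here and document the expected context in a comment. `register_new_matrix_user -c /config/homeserver.yaml` depends on `registration_shared_secret` being present in the mounted config, which the rendered file provides, and the interactive `-it` prompt keeps the new password out of the command line, which is the right choice for a credential.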