.env

@@ -1,8 +1,6 @@
 PROD_URL=matrix.gmoker.com
 SERVER_NAME=gmoker.com
-IMAGEAPP=ghcr.io/element-hq/synapse:v1.115.0
+IMAGEAPP=ghcr.io/element-hq/synapse:v1.106.0
 
 TURN_URL=turn.test.gmoker.com
-IMAGECOTURN=docker.io/coturn/coturn:4.6.2-r12
-
-MAX_UPLOAD_SIZE=50M
+IMAGECOTURN=docker.io/coturn/coturn:4.6.2

.gitea/workflows/deploy.yaml

@@ -12,11 +12,10 @@ jobs:
             BASE_URL="$PROD_URL"
           else
             BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k8s.gmoker.com"
-            SERVER_NAME="$BASE_URL"
           fi
           cat <<EOF >> .env
           BASE_URL="$BASE_URL"
-          SERVER_NAME="$SERVER_NAME"
+          PUBLIC_URL="${PUBLIC_URL:-$BASE_URL}"
           EOF
           cat .env
 

homeserver.yaml

@@ -1,16 +1,16 @@
 server_name: "$SERVER_NAME"
 public_baseurl: "https://$BASE_URL"
 pid_file: /homeserver.pid
-web_client: False
+web_client: false
 soft_file_limit: 0
 log_config: "/config/log.config"
 
 listeners:
   - port: 8008
-    tls: False
-    bind_addresses: ['::']
+    tls: false
     type: http
-    x_forwarded: False
+    x_forwarded: true
+    bind_addresses: ['::']
     resources:
       - names: [client, federation]
         compress: true
@@ -39,7 +39,7 @@ federation_rc_concurrent: 3
 media_store_path: "/data/media"
 max_upload_size: "50M"
 max_image_pixels: "32M"
-dynamic_thumbnails: False
+dynamic_thumbnails: false
 
 thumbnail_sizes:
 - width: 32
@@ -58,23 +58,24 @@ thumbnail_sizes:
   height: 600
   method: scale
 
-url_preview_enabled: False
+url_preview_enabled: false
 max_spider_size: "10M"
 
-enable_registration_captcha: False
+enable_registration_captcha: false
 
 turn_uris: [ "turn:$TURN_URL?transport=tcp", "turn:$TURN_URL?transport=udp" ]
 turn_shared_secret: "$TURN_SHARED_SECRET"
 turn_user_lifetime: "1h"
-turn_allow_guests: True
+turn_allow_guests: true
 
-enable_registration: False
+enable_registration: false
 registration_shared_secret: "$REGISTRATION_SECRET"
 
-enable_metrics: True
-report_stats: True
+enable_metrics: true
+report_stats: true
 
 macaroon_secret_key: "$API_SECRET"
+expire_access_token: false
 
 signing_key_path: "/keys/signing.key"
 key_refresh_interval: "1d"
@@ -85,6 +86,6 @@ trusted_key_servers:
       "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
 
 password_config:
-   enabled: True
+   enabled: true
 
 encryption_enabled_by_default_for_room_type: "all"

manifests/bin/deploy.sh

@@ -31,7 +31,7 @@ function kgcmkey() {
 }
 
 function get_synapse_key() {
-    kgcmkey synapse 'homeserver\.yaml' | awk -F\" "/^\s*$1/{print \$2}" || openssl rand -hex 32
+    kgcmkey synapse-config 'homeserver\.yaml' | awk -F\" "/^\s*$1/{print \$2}" || openssl rand -hex 32
 }
 
 
@@ -47,10 +47,11 @@ export API_SECRET;                   API_SECRET="$(get_synapse_key macaroon_secr
 export TURN_SHARED_SECRET;   TURN_SHARED_SECRET="$(get_synapse_key turn_shared_secret)"
 export REGISTRATION_SECRET; REGISTRATION_SECRET="$(get_synapse_key registration_shared_secret)"
 
-kcreatecm synapse \
-    --from-file=homeserver.yaml=<(envsubst "$(env | xargs printf '$%s ')" < config/homeserver.yaml) \
-    --from-file=log.config=<(envsubst "$(env | xargs printf '$%s ')" < config/log.config)
+kcreatecm synapse-config \
+    --from-file=homeserver.yaml=<(envsubst "$(env | xargs printf '$%s ')" < homeserver.yaml) \
+    --from-file=log.config=<(envsubst "$(env | xargs printf '$%s ')" < log.config)
 
-kapply common/keys.yaml common/app.yaml
+kapply common/keys.yaml common/app.yaml common/delegation.yaml
 
+kubectl rollout restart deployment delegation
 kubectl rollout restart statefulset app

manifests/bin/prod.sh

@@ -4,9 +4,3 @@
 export NB_REPLICAS=1
 
 . ./manifests/bin/deploy.sh
-
-if [ "$GITHUB_REF_NAME" = prod ]; then
-    kapply common/delegation.yaml
-
-    kubectl rollout restart deployment delegation
-fi

manifests/common/app.yaml

@@ -4,7 +4,6 @@ kind: Ingress
 metadata:
   name: app
   annotations:
-    nginx.ingress.kubernetes.io/proxy-body-size: "$MAX_UPLOAD_SIZE"
     cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   ingressClassName: nginx
@@ -54,6 +53,8 @@ spec:
       labels:
         app: app
     spec:
+      imagePullSecrets:
+        - name: regcred
       containers:
         - name: app
           image: "$IMAGEAPP"
@@ -68,6 +69,7 @@ spec:
           volumeMounts:
             - name: config
               mountPath: /config/
+              readOnly: true
             - name: data
               mountPath: /data/
             - name: keys
@@ -77,7 +79,7 @@ spec:
       volumes:
         - name: config
           configMap:
-            name: synapse
+            name: synapse-config
         - name: keys
           persistentVolumeClaim:
             claimName: keys

manifests/common/delegation.yaml

@@ -85,6 +85,7 @@ spec:
           volumeMounts:
             - name: delegation
               mountPath: /etc/nginx/conf.d/
+              readOnly: true
       volumes:
         - name: delegation
           configMap:

manifests/common/turn.yaml

@@ -1 +0,0 @@
-# https://element-hq.github.io/synapse/latest/setup/turn/coturn.html