debug

Reviewed-on: #1

.env

@@ -1,6 +1,8 @@
 PROD_URL=matrix.gmoker.com
 SERVER_NAME=gmoker.com
-IMAGEAPP=ghcr.io/element-hq/synapse:v1.106.0
+IMAGEAPP=ghcr.io/element-hq/synapse:v1.121.1
 
-TURN_URL=turn.test.gmoker.com
-IMAGECOTURN=docker.io/coturn/coturn:4.6.2
+#TURN_URL=turn.test.gmoker.com
+#IMAGECOTURN=docker.io/coturn/coturn:4.6.2-r12
+
+MAX_UPLOAD_SIZE=50M

.gitea/workflows/deploy.yaml

@@ -12,10 +12,11 @@ jobs:
             BASE_URL="$PROD_URL"
           else
             BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k8s.gmoker.com"
+            SERVER_NAME="$BASE_URL"
           fi
           cat <<EOF >> .env
           BASE_URL="$BASE_URL"
-          PUBLIC_URL="${PUBLIC_URL:-$BASE_URL}"
+          SERVER_NAME="$SERVER_NAME"
           EOF
           cat .env
 

compose.yaml

@@ -1,12 +1,12 @@
 ---
 services:
   db:
-    image: docker.io/postgres:15
+    image: docker.io/postgres:17
     restart: unless-stopped
     environment:
-      - POSTGRES_DB
-      - POSTGRES_USER
-      - POSTGRES_PASSWORD
+      - POSTGRES_DB=db
+      - POSTGRES_USER=db
+      - POSTGRES_PASSWORD=db
     volumes:
       - db:/var/lib/postgresql/data/
 
@@ -16,6 +16,11 @@ services:
     ports:
       - "8080:8008"
       - "8448:8448"
+    environment:
+      - POSTGRES_HOST=db
+      - POSTGRES_DB=db
+      - POSTGRES_USER=db
+      - POSTGRES_PASSWORD=db
     volumes:
       - synapse_config:/config/
       - synapse_data:/data/

config/homeserver.yaml

@@ -1,16 +1,16 @@
 server_name: "$SERVER_NAME"
 public_baseurl: "https://$BASE_URL"
 pid_file: /homeserver.pid
-web_client: false
+web_client: False
 soft_file_limit: 0
 log_config: "/config/log.config"
 
 listeners:
   - port: 8008
-    tls: false
-    type: http
-    x_forwarded: true
+    tls: False
     bind_addresses: ['::']
+    type: http
+    x_forwarded: False
     resources:
       - names: [client, federation]
         compress: true
@@ -39,7 +39,7 @@ federation_rc_concurrent: 3
 media_store_path: "/data/media"
 max_upload_size: "50M"
 max_image_pixels: "32M"
-dynamic_thumbnails: false
+dynamic_thumbnails: False
 
 thumbnail_sizes:
 - width: 32
@@ -58,24 +58,23 @@ thumbnail_sizes:
   height: 600
   method: scale
 
-url_preview_enabled: false
+url_preview_enabled: False
 max_spider_size: "10M"
 
-enable_registration_captcha: false
+enable_registration_captcha: False
 
 turn_uris: [ "turn:$TURN_URL?transport=tcp", "turn:$TURN_URL?transport=udp" ]
 turn_shared_secret: "$TURN_SHARED_SECRET"
 turn_user_lifetime: "1h"
-turn_allow_guests: true
+turn_allow_guests: True
 
-enable_registration: false
+enable_registration: False
 registration_shared_secret: "$REGISTRATION_SECRET"
 
-enable_metrics: true
-report_stats: true
+enable_metrics: True
+report_stats: True
 
 macaroon_secret_key: "$API_SECRET"
-expire_access_token: false
 
 signing_key_path: "/keys/signing.key"
 key_refresh_interval: "1d"
@@ -86,6 +85,6 @@ trusted_key_servers:
       "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
 
 password_config:
-   enabled: true
+   enabled: True
 
 encryption_enabled_by_default_for_room_type: "all"

manifests/bin/deploy.sh

@@ -1,37 +1,40 @@
-#!/bin/bash -e
-set -o pipefail
+#!/bin/bash
+set -xeo pipefail
 
 function kapply() {
     for f in "$@"; do
-        kubectl apply -f \
-            <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+        kubectl apply -f <(envsubst < "manifests/$f")
     done
-}
+}; export -f kapply
 
 function kcreatesec() {
-    kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+    kubectl create secret generic --dry-run=client -oyaml "$@" | kubectl replace -f-
+}; export -f kcreatesec
 
 function kcreatecm() {
-    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
-}
+    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl replace -f-
+}; export -f kcreatecm
 
 function kgseckey() {
     local sec="$1"; shift
     local key="$1"; shift
 
-    kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d
-}
+    if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
+        return 1
+    fi
+}; export -f kgseckey
 
 function kgcmkey() {
-    local cm="$1"; shift
+    local cm="$1";  shift
     local key="$1"; shift
 
-    kubectl get configmap "$cm" -o jsonpath="{.data.$key}"
-}
+    if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
+        return 1
+    fi
+}; export -f kgcmkey
 
 function get_synapse_key() {
-    kgcmkey synapse-config 'homeserver\.yaml' | awk -F\" "/^\s*$1/{print \$2}" || openssl rand -hex 32
+    kgcmkey synapse homeserver.yaml | awk -F\" "/^\s*$1/{print \$2}" || openssl rand -hex 32
 }
 
 
@@ -47,11 +50,10 @@ export API_SECRET;                   API_SECRET="$(get_synapse_key macaroon_secr
 export TURN_SHARED_SECRET;   TURN_SHARED_SECRET="$(get_synapse_key turn_shared_secret)"
 export REGISTRATION_SECRET; REGISTRATION_SECRET="$(get_synapse_key registration_shared_secret)"
 
-kcreatecm synapse-config \
-    --from-file=homeserver.yaml=<(envsubst "$(env | xargs printf '$%s ')" < homeserver.yaml) \
-    --from-file=log.config=<(envsubst "$(env | xargs printf '$%s ')" < log.config)
+kcreatecm synapse \
+    --from-file=homeserver.yaml=<(envsubst < config/homeserver.yaml) \
+    --from-file=log.config=<(envsubst < config/log.config)
 
-kapply common/keys.yaml common/app.yaml common/delegation.yaml
+kapply common/keys.yaml common/app.yaml
 
-kubectl rollout restart deployment delegation
 kubectl rollout restart statefulset app

manifests/bin/devel.sh

@@ -1,4 +1,5 @@
-#!/bin/bash -e
+#!/bin/bash
+set -eo pipefail
 
 export NB_REPLICAS=1
 

manifests/bin/prod.sh

@@ -1,6 +1,13 @@
-#!/bin/bash -e
+#!/bin/bash
+set -eo pipefail
 
 # TODO: 3
 export NB_REPLICAS=1
 
 . ./manifests/bin/deploy.sh
+
+if [ "$GITHUB_REF_NAME" = prod ]; then
+    kapply common/delegation.yaml
+
+    kubectl rollout restart deployment delegation
+fi

manifests/common/app.yaml

@@ -4,6 +4,7 @@ kind: Ingress
 metadata:
   name: app
   annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "$MAX_UPLOAD_SIZE"
     cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   ingressClassName: nginx
@@ -53,8 +54,6 @@ spec:
       labels:
         app: app
     spec:
-      imagePullSecrets:
-        - name: regcred
       containers:
         - name: app
           image: "$IMAGEAPP"
@@ -69,7 +68,6 @@ spec:
           volumeMounts:
             - name: config
               mountPath: /config/
-              readOnly: true
             - name: data
               mountPath: /data/
             - name: keys
@@ -79,7 +77,7 @@ spec:
       volumes:
         - name: config
           configMap:
-            name: synapse-config
+            name: synapse
         - name: keys
           persistentVolumeClaim:
             claimName: keys

manifests/common/turn.yaml

@@ -0,0 +1 @@
+# https://element-hq.github.io/synapse/latest/setup/turn/coturn.html

manifests/prod/delegation.yaml

@@ -85,7 +85,6 @@ spec:
           volumeMounts:
             - name: delegation
               mountPath: /etc/nginx/conf.d/
-              readOnly: true
       volumes:
         - name: delegation
           configMap: