diff --git a/.env b/.env
index 5df369c..ee88b05 100644
--- a/.env
+++ b/.env
@@ -1,6 +1,8 @@
 PROD_URL=matrix.gmoker.com
 SERVER_NAME=gmoker.com
-IMAGEAPP=ghcr.io/element-hq/synapse:v1.106.0
+IMAGEAPP=ghcr.io/element-hq/synapse:v1.121.1
-TURN_URL=turn.test.gmoker.com
-IMAGECOTURN=docker.io/coturn/coturn:4.6.2
+#TURN_URL=turn.test.gmoker.com
+#IMAGECOTURN=docker.io/coturn/coturn:4.6.2-r12
+
+MAX_UPLOAD_SIZE=50M
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index f6d29c0..df9623a 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -12,10 +12,11 @@ jobs:
 BASE_URL="$PROD_URL"
 else
 BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k8s.gmoker.com"
+ SERVER_NAME="$BASE_URL"
 fi
 cat <> .env
 BASE_URL="$BASE_URL"
- PUBLIC_URL="${PUBLIC_URL:-$BASE_URL}"
+ SERVER_NAME="$SERVER_NAME"
 EOF
 cat .env
diff --git a/compose.yaml b/compose.yaml
index c7e182c..71a3b09 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,12 +1,12 @@
 ---
 services:
 db:
- image: docker.io/postgres:15
+ image: docker.io/postgres:17
 restart: unless-stopped
 environment:
- - POSTGRES_DB
- - POSTGRES_USER
- - POSTGRES_PASSWORD
+ - POSTGRES_DB=db
+ - POSTGRES_USER=db
+ - POSTGRES_PASSWORD=db
 volumes:
 - db:/var/lib/postgresql/data/
@@ -16,6 +16,11 @@ services:
 ports:
 - "8080:8008"
 - "8448:8448"
+ environment:
+ - POSTGRES_HOST=db
+ - POSTGRES_DB=db
+ - POSTGRES_USER=db
+ - POSTGRES_PASSWORD=db
 volumes:
 - synapse_config:/config/
 - synapse_data:/data/
diff --git a/homeserver.yaml b/config/homeserver.yaml
similarity index 84%
rename from homeserver.yaml
rename to config/homeserver.yaml
index 6073075..61abe1b 100644
--- a/homeserver.yaml
+++ b/config/homeserver.yaml
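Review bot: Commenting out `TURN_URL` leaves `turn_uris` in config/homeserver.yaml still expanding `$TURN_URL` (the `turn:$TURN_URL?transport=tcp`/`udp` context lines in that file's third hunk), so with the variable unset the rendered config either keeps the literal `$TURN_URL` or gets an empty host, and Synapse keeps advertising unusable TURN URIs to clients while `turn_shared_secret` is filled with a fresh random value. Until coturn comes back, also set `turn_uris: []` (or comment the TURN block out) so call setup fails fast instead of against a bogus relay. Separately, `IMAGEAPP` is a mutable tag; pinning the image by digest (`…synapse:v1.121.1@sha256:…`) would make what the deploy pulls reproducible.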
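Review bot: Bumping the `db` image from postgres:15 to postgres:17 while keeping the existing `db` volume will not start on any host that already initialised that volume — the server refuses a data directory written by another major version — so the upgrade needs a dump/restore or `pg_upgrade` step, or the volume has to be recreated. If it is recreated, Synapse requires a `C`-collation database and the official image initialises with the container locale, so add `POSTGRES_INITDB_ARGS=--encoding=UTF8 --lc-collate=C --lc-ctype=C` next to the other `db` env entries. The hard-coded `POSTGRES_PASSWORD=db` (set in both services) is tolerable for a local stack with no published DB port, but reading it from .env via `POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?}` keeps credentials out of the compose file and stops the two copies drifting apart.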
@@ -1,16 +1,16 @@
 server_name: "$SERVER_NAME"
 public_baseurl: "https://$BASE_URL"
 pid_file: /homeserver.pid
-web_client: false
+web_client: False
 soft_file_limit: 0
 log_config: "/config/log.config"
 listeners:
 - port: 8008
- tls: false
- type: http
- x_forwarded: true
+ tls: False
 bind_addresses: ['::']
+ type: http
+ x_forwarded: False
 resources:
 - names: [client, federation]
 compress: true
@@ -39,7 +39,7 @@ federation_rc_concurrent: 3
 media_store_path: "/data/media"
 max_upload_size: "50M"
 max_image_pixels: "32M"
-dynamic_thumbnails: false
+dynamic_thumbnails: False
 thumbnail_sizes:
 - width: 32
@@ -58,24 +58,23 @@ thumbnail_sizes:
 height: 600
 method: scale
-url_preview_enabled: false
+url_preview_enabled: False
 max_spider_size: "10M"
-enable_registration_captcha: false
+enable_registration_captcha: False
 turn_uris: [ "turn:$TURN_URL?transport=tcp", "turn:$TURN_URL?transport=udp" ]
 turn_shared_secret: "$TURN_SHARED_SECRET"
 turn_user_lifetime: "1h"
-turn_allow_guests: true
+turn_allow_guests: True
-enable_registration: false
+enable_registration: False
 registration_shared_secret: "$REGISTRATION_SECRET"
-enable_metrics: true
-report_stats: true
+enable_metrics: True
+report_stats: True
 macaroon_secret_key: "$API_SECRET"
-expire_access_token: false
 signing_key_path: "/keys/signing.key"
 key_refresh_interval: "1d"
@@ -86,6 +85,6 @@ trusted_key_servers:
 "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
 password_config:
- enabled: true
+ enabled: True
 encryption_enabled_by_default_for_room_type: "all"
diff --git a/log.config b/config/log.config
similarity index 100%
rename from log.config
rename to config/log.config
diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 31c4fac..2e8c599 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
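Review bot: Flipping `x_forwarded` from `true` to `False` on the port-8008 listener makes Synapse take the client address from the TCP peer, which behind the nginx Ingress in manifests/common/app.yaml is always the ingress pod — so every per-IP login and registration rate limit is shared by all users and the address recorded against devices and shown in the admin API is the proxy's. Unless this listener is now reached directly, restore `x_forwarded: true` and keep trusting `X-Forwarded-For` only from the ingress. The `true`→`True` rewrites throughout the file rely on YAML 1.1 boolean parsing; lowercase `true`/`false` is the canonical spelling and avoids surprises if a stricter loader ever reads this config.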
@@ -3,35 +3,38 @@ set -o pipefail function kapply() { for f in "$@"; do - kubectl apply -f \ - <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f") + kubectl apply -f <(envsubst < "manifests/$f") done -} +}; export -f kapply function kcreatesec() { - kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f- -} + kubectl create secret generic --dry-run=client -oyaml "$@" | kubectl replace -f- +}; export -f kcreatesec function kcreatecm() { - kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f- -} + kubectl create configmap --dry-run=client -oyaml "$@" | kubectl replace -f- +}; export -f kcreatecm function kgseckey() { local sec="$1"; shift local key="$1"; shift - kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d -} + if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then + return 1 + fi +}; export -f kgseckey function kgcmkey() { - local cm="$1"; shift + local cm="$1"; shift local key="$1"; shift - kubectl get configmap "$cm" -o jsonpath="{.data.$key}" -} + if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then + return 1 + fi +}; export -f kgcmkey function get_synapse_key() { - kgcmkey synapse-config 'homeserver\.yaml' | awk -F\" "/^\s*$1/{print \$2}" || openssl rand -hex 32 + kgcmkey synapse 'homeserver\.yaml' | awk -F\" "/^\s*$1/{print \$2}" || openssl rand -hex 32 } 
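Review bot: `kgcmkey` now splices `$key` into a jq string literal, but `get_synapse_key` still passes `'homeserver\.yaml'`, an escape written for the old jsonpath; jq rejects `\.` as an invalid escape inside a string, so the lookup fails and the `|| openssl rand -hex 32` fallback fires on every deploy, silently rotating `macaroon_secret_key`, `turn_shared_secret` and `registration_shared_secret` each run. Pass the key as a jq argument instead of interpolating it — `jq -re --arg k "$key" '.data[$k] // empty'` in both `kgcmkey` and `kgseckey` — and drop the backslash in `kgcmkey synapse 'homeserver.yaml'`; the `--arg` form also keeps a key containing `"` from breaking out of the filter. Note too that `kapply` now runs a bare `envsubst`, which replaces every `$NAME` in a manifest that is not exported with an empty string, while `kcreatecm` in the next hunk still uses the restricted `"$(env | xargs printf '$%s ')"` form; the two should agree on one behaviour.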
@@ -47,11 +50,10 @@ export API_SECRET; API_SECRET="$(get_synapse_key macaroon_secr export TURN_SHARED_SECRET; TURN_SHARED_SECRET="$(get_synapse_key turn_shared_secret)" export REGISTRATION_SECRET; REGISTRATION_SECRET="$(get_synapse_key registration_shared_secret)" -kcreatecm synapse-config \ - --from-file=homeserver.yaml=<(envsubst "$(env | xargs printf '$%s ')" < homeserver.yaml) \ - --from-file=log.config=<(envsubst "$(env | xargs printf '$%s ')" < log.config) +kcreatecm synapse \ + --from-file=homeserver.yaml=<(envsubst "$(env | xargs printf '$%s ')" < config/homeserver.yaml) \ + --from-file=log.config=<(envsubst "$(env | xargs printf '$%s ')" < config/log.config) -kapply common/keys.yaml common/app.yaml common/delegation.yaml +kapply common/keys.yaml common/app.yaml -kubectl rollout restart deployment delegation kubectl rollout restart statefulset app diff --git a/manifests/bin/devel.sh b/manifests/bin/devel.sh index 464c4d0..65675aa 100755 --- a/manifests/bin/devel.sh +++ b/manifests/bin/devel.sh @@ -1,4 +1,5 @@ #!/bin/bash -e +set -o pipefail export NB_REPLICAS=1 diff --git a/manifests/bin/prod.sh b/manifests/bin/prod.sh index db50906..f70a7f1 100755 --- a/manifests/bin/prod.sh +++ b/manifests/bin/prod.sh @@ -1,6 +1,13 @@ #!/bin/bash -e +set -o pipefail # TODO: 3 export NB_REPLICAS=1 . ./manifests/bin/deploy.sh + +if [ "$GITHUB_REF_NAME" = prod ]; then + kapply common/delegation.yaml + + kubectl rollout restart deployment delegation +fi diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml index 7db7c30..3d6b23f 100644 --- a/manifests/common/app.yaml +++ b/manifests/common/app.yaml @@ -4,6 +4,7 @@ kind: Ingress metadata: name: app annotations: + nginx.ingress.kubernetes.io/proxy-body-size: "$MAX_UPLOAD_SIZE" cert-manager.io/cluster-issuer: letsencrypt-prod spec: ingressClassName: nginx @@ -53,8 +54,6 @@ spec: labels: app: app spec: - imagePullSecrets: - - name: regcred containers: - name: app image: "$IMAGEAPP" 
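Review bot: `kcreatecm synapse` creates the ConfigMap under a new name, but `kcreatecm` (earlier in this file) now pipes into `kubectl replace -f-`, which fails with NotFound when the object does not exist yet — so the first run after this rename aborts the deploy under `bash -e`, and `kcreatesec` has the same problem on any fresh namespace. If the move away from `kubectl apply` was to dodge the size limit of the last-applied-configuration annotation on a large homeserver.yaml, `kubectl apply --server-side --force-conflicts -f-` avoids that annotation without requiring the object to pre-exist. The old `synapse-config` ConfigMap is also left behind and still holds the rendered secrets; delete it once the new one is in place.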
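Review bot: The new prod-only block runs `kapply common/delegation.yaml`, but this same change renames that file to manifests/prod/delegation.yaml (last file section), so `kapply` redirects from a path that no longer exists and the prod deploy fails; it should read `kapply prod/delegation.yaml`. The guard also keys on `$GITHUB_REF_NAME` while the workflow selects prod via `${{ gitea.ref_name }}`; act_runner generally exports the GitHub-compatible name, but if it is ever absent the condition is silently false and delegation is never applied, so consider failing loudly with `[ -n "$GITHUB_REF_NAME" ] || { echo 'GITHUB_REF_NAME unset' >&2; exit 1; }`.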
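Review bot: The new `proxy-body-size: "$MAX_UPLOAD_SIZE"` annotation introduces a second source of truth, since config/homeserver.yaml still hard-codes `max_upload_size: "50M"` (context line in its second hunk); templating that line as `max_upload_size: "$MAX_UPLOAD_SIZE"` keeps the ingress and Synapse limits from drifting, because a higher nginx limit just moves the 413 to Synapse and a lower one hides uploads Synapse would accept. Whether `MAX_UPLOAD_SIZE` from .env is actually exported when `kapply` runs is outside this hunk; if it is not, the bare `envsubst` in `kapply` renders the annotation as an empty string, which ingress-nginx will reject or ignore.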
@@ -69,7 +68,6 @@ spec:
 volumeMounts:
 - name: config
 mountPath: /config/
- readOnly: true
 - name: data
 mountPath: /data/
 - name: keys
@@ -79,7 +77,7 @@ spec:
 volumes:
 - name: config
 configMap:
- name: synapse-config
+ name: synapse
 - name: keys
 persistentVolumeClaim:
 claimName: keys
diff --git a/manifests/common/turn.yaml b/manifests/common/turn.yaml
new file mode 100644
index 0000000..2be3987
--- /dev/null
+++ b/manifests/common/turn.yaml
@@ -0,0 +1 @@
+# https://element-hq.github.io/synapse/latest/setup/turn/coturn.html
diff --git a/manifests/common/delegation.yaml b/manifests/prod/delegation.yaml
similarity index 98%
rename from manifests/common/delegation.yaml
rename to manifests/prod/delegation.yaml
index fe5dfd6..995c478 100644
--- a/manifests/common/delegation.yaml
+++ b/manifests/prod/delegation.yaml
@@ -85,7 +85,6 @@ spec:
 volumeMounts:
 - name: delegation
 mountPath: /etc/nginx/conf.d/
- readOnly: true
 volumes:
 - name: delegation
 configMap:
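Review bot: Dropping `readOnly: true` from the `config` mount changes nothing at runtime — the kubelet mounts ConfigMap volumes read-only regardless — so if the intent was to let Synapse write under /config it will still get a read-only filesystem, and if not, the explicit flag was cheap documentation that the homeserver process is not meant to modify its own configuration, which here carries the rendered secrets. I would keep `readOnly: true` on this mount and on the matching `delegation` mount in manifests/prod/delegation.yaml; it also keeps the intent enforced if either volume is later switched to a PVC or hostPath, where the default is writable.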