matrix.hackerspace.pl: use external postgres

Change-Id: Ie0bb76a4200f905bfd0c065cde81283271f8397a Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1483 Reviewed-by: informatic <informatic@hackerspace.pl>
2023-03-26 21:56:09 +02:00 · 2023-03-26 21:56:09 +02:00 · f262868753
commit f262868753
parent 26a7f5bb56
4 changed files with 50 additions and 59 deletions
--- a/app/matrix/lib/matrix-ng.libsonnet
+++ b/app/matrix/lib/matrix-ng.libsonnet
@ -212,6 +212,23 @@ local coturn = import "./coturn.libsonnet";
                authSecret: { secretKeyRef: { name: "coturn", key: "auth_secret" } },
            },
        },
+
+        postgres: {
+            # Deploy on-cluster postgres: a postgres instance backed by Ceph.
+            # Okay for tiny baby synapses, not okay for chonkers. If not
+            # enabled, bring your own external postgres.
+            enable: true,
+
+            # If not deploying on-cluster postgres, the following needs to be
+            # set.
+            host: error "host must be set with off-cluster postgres",
+            username: "synapse",
+            database: "synapse",
+            port: 5432,
+            # Default to the same password secret ref that is used for
+            # on-cluster postgres.
+            password: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
+        },
    },

    # DEPRECATED: this needs to be removed in favor of namespace.Contain() in
@ -227,7 +244,8 @@ local coturn = import "./coturn.libsonnet";

    namespace: kube.Namespace(cfg.namespace),

-    postgres3: postgres {
+    postgres3: if cfg.postgres.enable then postgres {
+        local psql = self,
        cfg+: {
            namespace: cfg.namespace,
            appName: "synapse",
@ -239,13 +257,18 @@ local coturn = import "./coturn.libsonnet";
            storageSize: "100Gi",
            initdbArgs: "--encoding='UTF8' --lc-collate='C' --lc-ctype='C'",

+            # Doesn't influence postgres instance, but used by synapse
+            # libsonnet. Do not override.
+            port: psql.svc.port,
+            host: psql.svc.host,
+
            opts: {
                max_connections: "300",
                shared_buffers: "80MB",
                wal_level: "logical",
            },
        },
-    },
+    } else {},

    redis: redis {
        cfg+: {
@ -312,8 +335,13 @@ local coturn = import "./coturn.libsonnet";

    synapse: synapse {
        ns: app.namespace,
-        postgres: app.postgres3,
-        redis: app.redis,
+        postgres: if cfg.postgres.enable then app.postgres3 else {
+            # If not using on-cluster postgres, pass the config postgres object
+            # as the postgres object into the synapse lib. It's a bit ugly (we
+            # should have some common 'config' type instead) but it's good
+            # enough.
+            cfg: cfg.postgres,
+        }, redis: app.redis,
        appservices: app.appservices,
        cfg+: app.cfg {
            image: app.cfg.images.synapse,
--- a/app/matrix/lib/synapse.libsonnet
+++ b/app/matrix/lib/synapse.libsonnet
@ -117,7 +117,7 @@ local kube = import "../../../kube/kube.libsonnet";
            mountData: false,

            resources: {
-                requests: { cpu: "300m", memory: "1Gi" },
+                requests: { cpu: "300m", memory: "2Gi" },
                limits: { cpu: "1500m", memory: "2Gi" },
            },
        },
@ -158,7 +158,13 @@ local kube = import "../../../kube/kube.libsonnet";
                                SYNAPSE_MACAROON_SECRET_KEY: cfg.macaroonSecretKey,
                                SYNAPSE_REGISTRATION_SHARED_SECRET: cfg.registrationSharedSecret,
                                WORKER_REPLICATION_SECRET: cfg.workerReplicationSecret,
+
                                POSTGRES_PASSWORD: app.postgres.cfg.password,
+                                POSTGRES_USER: app.postgres.cfg.username,
+                                POSTGRES_DB: app.postgres.cfg.database,
+                                POSTGRES_HOST: app.postgres.cfg.host,
+                                POSTGRES_PORT: app.postgres.cfg.port,
+
                                REDIS_PASSWORD: app.redis.cfg.password,
                                POD_NAME: { fieldRef: { fieldPath: "metadata.name" } },
                                OIDC_CLIENT_SECRET: if cfg.oidc.enable then cfg.oidc.config.client_secret else "",
@ -322,7 +328,7 @@ local kube = import "../../../kube/kube.libsonnet";
            "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/",
            "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)",
            "/_matrix/client/(api/v1|r0|v3|unstable)/join/",
-            "/_matrix/client/(api/v1|r0|v3|unstable)/profile/",
+            "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"

            # These need to be handled by stream writers, not supported yet
            # "/_matrix/client/(r0|v3|unstable)/sendToDevice/",
--- a/app/matrix/lib/synapse/homeserver-secrets.yaml
+++ b/app/matrix/lib/synapse/homeserver-secrets.yaml
@ -8,11 +8,11 @@ database:
  name: "psycopg2"
  allow_unsafe_locale: true
  args:
-    user: "synapse"
+    user: "$(POSTGRES_USER)"
    password: "$(POSTGRES_PASSWORD)"
-    database: "synapse"
-    host: "waw3-postgres"
-    port: "5432"
+    database: "$(POSTGRES_DB)"
+    host: "$(POSTGRES_HOST)"
+    port: "$(POSTGRES_PORT)"
    cp_min: 5
    cp_max: 10

--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@ -35,6 +35,7 @@ matrix {
            },
            db+: {
                password: std.strReplace(importstr "secrets/plain/media-repo-matrix-postgres", "\n", ""),
+                host: "bc01n05.hswaw.net",
            },
        },
        coturn+: {
@ -44,6 +45,11 @@ matrix {
                loadBalancerIP: "185.236.240.59",
            },
        },
+
+        postgres+: {
+            enable: false,
+            host: "bc01n05.hswaw.net",
+        },
    },

    riot+: {
@ -91,55 +97,6 @@ matrix {
        },
    },

-    // Bump up storage to 200Gi from default 100Gi, use different name.  The
-    // new name corresponds to a manually migrated and sized-up PVC that
-    // contains data from the original waw3-postgres PVC.
-    postgres3+: {
-        local psql = self,
-        volumeClaim+: {
-            metadata+: {
-                name: "waw3-postgres-2",
-            },
-            spec+: {
-                resources+: {
-                    requests+: {
-                        storage: "200Gi",
-                    },
-                },
-            },
-        },
-        tempVC: kube.PersistentVolumeClaim(psql.makeName("tempvc")) {
-            metadata+: psql.metadata,
-            spec+: {
-                storageClassName: psql.cfg.storageClassName,
-                accessModes: [ "ReadWriteOnce" ],
-                resources: {
-                    requests: {
-                        storage: "200Gi",
-                    },
-                },
-            },
-        },
-        deployment+: {
-            spec+: {
-                template+: {
-                    spec+: {
-                        volumes_+: {
-                            temp: kube.PersistentVolumeClaimVolume(psql.tempVC),
-                        },
-                        containers_+: {
-                            postgres+: {
-                                volumeMounts_+: {
-                                    temp: { mountPath: "/mnt/tmp/" },
-                                },
-                            },
-                        },
-                    },
-                },
-            },
-        },
-    },
-
    appservices: {
        "irc-freenode": irc.AppServiceIrc("freenode") {
            cfg+: {