
# Flake reference that every task's nix_flake_ref is derived from
# ("${var.flake_ref}#nixngConfigurations.<name>...").  Supplied by the
# caller (terranix); paired with flake_sha below.
variable "flake_ref" {
  type = string
}
# Hash passed to each task as nix_flake_sha next to the flake ref.
# NOTE(review): presumably the driver uses it to pin/verify the flake it
# fetches -- confirm against the nix docker-driver documentation; this file
# only passes it through.
variable "flake_sha" {
  type = string
}
# Pre-built Nix store paths, one per task.  Each key is consumed by exactly
# one task's nix_flake_store_path below (redis -> task "redis",
# postgresql -> task "postgresql", the four synapse* keys -> the matching
# Synapse worker/main tasks).
variable "store_path" {
  type = object({
    synapseClient             = string
    synapseSync               = string
    synapseFederationSender   = string
    synapseFederationReceiver = string
    synapse                   = string
    postgresql                = string
    redis                     = string
  })
}
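job "matrix-synapse" {
  # Matrix homeserver stack: one main Synapse process, four Synapse worker
  # groups (client, sync, federation receiver, federation sender), Redis for
  # worker replication and PostgreSQL as the database.  Every group uses
  # bridge networking and reaches the others only through Consul Connect
  # sidecars, so nothing in this file is bound to a host port; each Synapse
  # task dials its dependencies on 127.0.0.1 at the local_bind_port of the
  # matching upstream.
  #
  # All Synapse tasks render the same Vault secret
  # (kv/data/cluster/matrix/synapse) into /secrets/extra.yaml; that is what
  # keeps registration_shared_secret / macaroon_secret_key / form_secret
  # identical across the main process and every worker, which Synapse
  # requires.  The base Synapse configuration (listeners, worker_app,
  # replication host/port) is not in this file -- it lives in the NixNG
  # closures referenced by nix_flake_ref.
  #
  # NOTE(review): nothing here restricts which Connect services may call
  # matrix-postgresql, matrix-redis or matrix-synapse-replication; that is
  # left to Consul intentions, which should be reviewed alongside this job.
  datacenters = [ "homelab-1" ]
  type        = "service"

  group "redis" {
    count = 1

    # single-node-writer: one allocation at a time may mount the volume
    # read-write, consistent with count = 1.
    volume "matrix-redis" {
      type            = "csi"
      source          = "matrix-redis"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    restart {
      attempts = 5
      delay    = "5s"
    }

    network {
      mode = "bridge"
    }

    # Group-level Vault stanza: the redis task below reads
    # kv/data/cluster/matrix/synapse (redis_password) with this policy.
    vault {
      policies = ["matrix-synapse-policy"]
    }

    service {
      name = "matrix-redis"
      port = "6379"
      # No health check is registered.  NOTE(review): a Consul service with
      # no check is reported as passing for as long as it is registered, so
      # a Redis that has died inside a running allocation is still routed to
      # via the workers' "matrix-redis" upstream until Nomad restarts the
      # task.  The commented-out block below is a copy of the Synapse HTTP
      # check (port 6167, /health) and would not apply to Redis; a tcp check
      # on 6379 would be the applicable form if one is added.
      # check {
      #   type         = "http"
      #   address_mode = "alloc"
      #   path         = "/health"
      #   port         = "6167"
      #   interval     = "2s"
      #   timeout      = "2s"
      # }
      connect {
        sidecar_service {}
      }
    }

    task "redis" {
      driver = "docker"

      volume_mount {
        volume      = "matrix-redis"
        destination = "/var/lib/redis"
        read_only   = false
      }

      # The image is a NixNG system closure addressed by flake ref + sha; the
      # pre-built store path is passed alongside.  How the driver reconciles
      # nix_flake_store_path with nix_flake_sha is not visible here --
      # confirm against the driver's documentation.
      config {
        nix_flake_ref        = "${var.flake_ref}#nixngConfigurations.synapseRedis.config.system.build.toplevel"
        nix_flake_sha        = var.flake_sha
        nix_flake_store_path = var.store_path.redis
        entrypoint           = [ "init" ]
      }

      # Redis auth password as a single line (the "-}}" trims the whitespace
      # that follows each directive).  No change_mode is set, so Nomad's
      # default (restart) applies: rotating redis_password in Vault restarts
      # Redis, while the Synapse tasks pick the new value up through their
      # own templates.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" -}}
{{ .Data.data.redis_password }}
{{ end -}}
EOF
        destination = "/secrets/redis_password"
      }
    }
  }

  # Synapse worker: client API.  Shares the media/data volume and the
  # appservice registration volume with every other Synapse task
  # (multi-node-multi-writer), and reaches the bridges, PostgreSQL, Redis
  # and the main process' replication listener through Connect upstreams on
  # localhost.
  group "synapse-client" {
    count = 1

    restart {
      attempts = 5
      delay    = "5s"
    }

    network {
      mode = "bridge"
    }

    vault {
      policies = ["matrix-synapse-policy"]
    }

    volume "matrix-synapse" {
      type            = "csi"
      source          = "matrix-synapse"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    # Appservice registration YAMLs written by the bridge jobs; mounted
    # read-write here although this task only needs to read them.
    volume "matrix-registrations" {
      type            = "csi"
      source          = "matrix-registrations"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    service {
      name = "matrix-synapse-client"
      port = "6167"
      # Synapse's /health endpoint on the worker's HTTP listener; the check
      # runs against the allocation's bridge IP (address_mode = "alloc").
      check {
        type         = "http"
        address_mode = "alloc"
        path         = "/health"
        port         = "6167"
        interval     = "2s"
        timeout      = "2s"
      }
      connect {
        sidecar_service {
          proxy {
            # Each upstream is bound on 127.0.0.1 inside the allocation;
            # the bridge ports are the bridges' appservice listeners, 5432
            # matches database.args.host/port in extra.yaml, 6379 is Redis
            # (extra.yaml sets no redis host, so Synapse's default of
            # localhost is relied on -- confirm), and 9093 is the main
            # process' replication listener published below.
            upstreams {
              destination_name = "matrix-mautrix-facebook"
              local_bind_port  = 29319
            }
            upstreams {
              destination_name = "matrix-mautrix-signal"
              local_bind_port  = 29328
            }
            upstreams {
              destination_name = "matrix-mautrix-discord"
              local_bind_port  = 29334
            }
            upstreams {
              destination_name = "matrix-heisenbridge"
              local_bind_port  = 9898
            }
            upstreams {
              destination_name = "matrix-postgresql"
              local_bind_port  = 5432
            }
            upstreams {
              destination_name = "matrix-redis"
              local_bind_port  = 6379
            }
            upstreams {
              destination_name = "matrix-synapse-replication"
              local_bind_port  = 9093
            }
          }
        }
      }
    }

    task "synapse-client" {
      driver = "docker"

      volume_mount {
        volume      = "matrix-synapse"
        destination = "/var/lib/synapse"
        read_only   = false
      }

      volume_mount {
        volume      = "matrix-registrations"
        destination = "/var/lib/registrations"
        read_only   = false
      }

      config {
        nix_flake_ref        = "${var.flake_ref}#nixngConfigurations.synapseClient.config.system.build.toplevel"
        nix_flake_sha        = var.flake_sha
        nix_flake_store_path = var.store_path.synapseClient
        entrypoint           = [ "init" ]
        # Docker label; presumably picked up by the log pipeline to select a
        # parser (the name suggests grok) -- confirm against the log shipper.
        labels {
          grok_type = "synapse"
        }
      }

      resources {
        cpu    = 1024
        memory = 2048
      }

      # Outbound HTTP(S) proxy with basic-auth credentials in the URL.
      # env = true makes Nomad load the rendered KEY=VALUE lines into the
      # task environment, so proxy_pass is visible to every process in the
      # task (and to anything that dumps its environment).  The proxy is
      # reached over https, so the credential is not sent in clear text.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
http_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
https_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
{{ end }}
EOF
        destination = "/secrets/env"
        env         = true
      }

      # Secret-bearing Synapse config fragment, merged with the base config
      # by the image.  worker_name is suffixed with the allocation index so
      # names stay unique if count is raised above 1.  Default change_mode
      # (restart): a rotation of any of these keys in Vault restarts the
      # worker.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
worker_name: "worker-client-{{ env "NOMAD_ALLOC_INDEX" }}"
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
  name: "psycopg2"
  args:
    user: "synapse"
    password: "{{ .Data.data.pgpass }}"
    database: "synapse"
    host: "127.0.0.1"
    cp_min: 5
    cp_max: 10
redis:
  enabled: true
  password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
        destination = "/secrets/extra.yaml"
      }
    }
  }

  # Synapse worker: /sync.  Identical wiring to synapse-client apart from the
  # image, worker_name and memory.
  group "synapse-sync" {
    count = 1

    restart {
      attempts = 5
      delay    = "5s"
    }

    network {
      mode = "bridge"
    }

    vault {
      policies = ["matrix-synapse-policy"]
    }

    volume "matrix-synapse" {
      type            = "csi"
      source          = "matrix-synapse"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    volume "matrix-registrations" {
      type            = "csi"
      source          = "matrix-registrations"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    service {
      name = "matrix-synapse-sync"
      port = "6167"
      check {
        type         = "http"
        address_mode = "alloc"
        path         = "/health"
        port         = "6167"
        interval     = "2s"
        timeout      = "2s"
      }
      connect {
        sidecar_service {
          proxy {
            # Same upstream set (and localhost ports) as the other workers.
            upstreams {
              destination_name = "matrix-mautrix-facebook"
              local_bind_port  = 29319
            }
            upstreams {
              destination_name = "matrix-mautrix-signal"
              local_bind_port  = 29328
            }
            upstreams {
              destination_name = "matrix-mautrix-discord"
              local_bind_port  = 29334
            }
            upstreams {
              destination_name = "matrix-heisenbridge"
              local_bind_port  = 9898
            }
            upstreams {
              destination_name = "matrix-postgresql"
              local_bind_port  = 5432
            }
            upstreams {
              destination_name = "matrix-redis"
              local_bind_port  = 6379
            }
            upstreams {
              destination_name = "matrix-synapse-replication"
              local_bind_port  = 9093
            }
          }
        }
      }
    }

    task "synapse-sync" {
      driver = "docker"

      volume_mount {
        volume      = "matrix-synapse"
        destination = "/var/lib/synapse"
        read_only   = false
      }

      volume_mount {
        volume      = "matrix-registrations"
        destination = "/var/lib/registrations"
        read_only   = false
      }

      config {
        nix_flake_ref        = "${var.flake_ref}#nixngConfigurations.synapseSync.config.system.build.toplevel"
        nix_flake_sha        = var.flake_sha
        nix_flake_store_path = var.store_path.synapseSync
        entrypoint           = [ "init" ]
        labels {
          grok_type = "synapse"
        }
      }

      resources {
        cpu    = 1024
        memory = 1024
      }

      # Proxy credentials injected into the task environment (env = true);
      # see synapse-client for the implications.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
http_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
https_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
{{ end }}
EOF
        destination = "/secrets/env"
        env         = true
      }

      # Secret-bearing config fragment; same keys as the other workers, only
      # worker_name differs.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
worker_name: "worker-sync-{{ env "NOMAD_ALLOC_INDEX" }}"
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
  name: "psycopg2"
  args:
    user: "synapse"
    password: "{{ .Data.data.pgpass }}"
    database: "synapse"
    host: "127.0.0.1"
    cp_min: 5
    cp_max: 10
redis:
  enabled: true
  password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
        destination = "/secrets/extra.yaml"
      }
    }
  }

  # Synapse worker: inbound federation.  Same wiring as synapse-client.
  group "synapse-federation-receiver" {
    count = 1

    restart {
      attempts = 5
      delay    = "5s"
    }

    network {
      mode = "bridge"
    }

    vault {
      policies = ["matrix-synapse-policy"]
    }

    volume "matrix-synapse" {
      type            = "csi"
      source          = "matrix-synapse"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    volume "matrix-registrations" {
      type            = "csi"
      source          = "matrix-registrations"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    service {
      name = "matrix-synapse-federation-receiver"
      port = "6167"
      check {
        type         = "http"
        address_mode = "alloc"
        path         = "/health"
        port         = "6167"
        interval     = "2s"
        timeout      = "2s"
      }
      connect {
        sidecar_service {
          proxy {
            # Same upstream set (and localhost ports) as the other workers.
            upstreams {
              destination_name = "matrix-mautrix-facebook"
              local_bind_port  = 29319
            }
            upstreams {
              destination_name = "matrix-mautrix-signal"
              local_bind_port  = 29328
            }
            upstreams {
              destination_name = "matrix-mautrix-discord"
              local_bind_port  = 29334
            }
            upstreams {
              destination_name = "matrix-heisenbridge"
              local_bind_port  = 9898
            }
            upstreams {
              destination_name = "matrix-postgresql"
              local_bind_port  = 5432
            }
            upstreams {
              destination_name = "matrix-redis"
              local_bind_port  = 6379
            }
            upstreams {
              destination_name = "matrix-synapse-replication"
              local_bind_port  = 9093
            }
          }
        }
      }
    }

    task "synapse-federation-receiver" {
      driver = "docker"

      volume_mount {
        volume      = "matrix-synapse"
        destination = "/var/lib/synapse"
        read_only   = false
      }

      volume_mount {
        volume      = "matrix-registrations"
        destination = "/var/lib/registrations"
        read_only   = false
      }

      config {
        nix_flake_ref        = "${var.flake_ref}#nixngConfigurations.synapseFederationReceiver.config.system.build.toplevel"
        nix_flake_sha        = var.flake_sha
        nix_flake_store_path = var.store_path.synapseFederationReceiver
        entrypoint           = [ "init" ]
        labels {
          grok_type = "synapse"
        }
      }

      resources {
        cpu    = 1024
        memory = 1024
      }

      # Proxy credentials injected into the task environment (env = true);
      # see synapse-client for the implications.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
http_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
https_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
{{ end }}
EOF
        destination = "/secrets/env"
        env         = true
      }

      # Secret-bearing config fragment; same keys as the other workers, only
      # worker_name differs.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
worker_name: "worker-federation-receiver-{{ env "NOMAD_ALLOC_INDEX" }}"
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
  name: "psycopg2"
  args:
    user: "synapse"
    password: "{{ .Data.data.pgpass }}"
    database: "synapse"
    host: "127.0.0.1"
    cp_min: 5
    cp_max: 10
redis:
  enabled: true
  password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
        destination = "/secrets/extra.yaml"
      }
    }
  }

  # Synapse worker: outbound federation.  Same wiring as synapse-client; the
  # outbound proxy from /secrets/env is what this worker's federation
  # traffic goes through.
  group "synapse-federation-sender" {
    count = 1

    restart {
      attempts = 5
      delay    = "5s"
    }

    network {
      mode = "bridge"
    }

    vault {
      policies = ["matrix-synapse-policy"]
    }

    volume "matrix-synapse" {
      type            = "csi"
      source          = "matrix-synapse"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    volume "matrix-registrations" {
      type            = "csi"
      source          = "matrix-registrations"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    service {
      name = "matrix-synapse-federation-sender"
      port = "6167"
      check {
        type         = "http"
        address_mode = "alloc"
        path         = "/health"
        port         = "6167"
        interval     = "2s"
        timeout      = "2s"
      }
      connect {
        sidecar_service {
          proxy {
            # Same upstream set (and localhost ports) as the other workers.
            upstreams {
              destination_name = "matrix-mautrix-facebook"
              local_bind_port  = 29319
            }
            upstreams {
              destination_name = "matrix-mautrix-signal"
              local_bind_port  = 29328
            }
            upstreams {
              destination_name = "matrix-mautrix-discord"
              local_bind_port  = 29334
            }
            upstreams {
              destination_name = "matrix-heisenbridge"
              local_bind_port  = 9898
            }
            upstreams {
              destination_name = "matrix-postgresql"
              local_bind_port  = 5432
            }
            upstreams {
              destination_name = "matrix-redis"
              local_bind_port  = 6379
            }
            upstreams {
              destination_name = "matrix-synapse-replication"
              local_bind_port  = 9093
            }
          }
        }
      }
    }

    task "synapse-federation-sender" {
      driver = "docker"

      volume_mount {
        volume      = "matrix-synapse"
        destination = "/var/lib/synapse"
        read_only   = false
      }

      volume_mount {
        volume      = "matrix-registrations"
        destination = "/var/lib/registrations"
        read_only   = false
      }

      config {
        nix_flake_ref        = "${var.flake_ref}#nixngConfigurations.synapseFederationSender.config.system.build.toplevel"
        nix_flake_sha        = var.flake_sha
        nix_flake_store_path = var.store_path.synapseFederationSender
        entrypoint           = [ "init" ]
        labels {
          grok_type = "synapse"
        }
      }

      resources {
        cpu    = 1024
        memory = 2048
      }

      # Proxy credentials injected into the task environment (env = true);
      # see synapse-client for the implications.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
http_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
https_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
{{ end }}
EOF
        destination = "/secrets/env"
        env         = true
      }

      # Secret-bearing config fragment; same keys as the other workers, only
      # worker_name differs.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
worker_name: "worker-federation-sender-{{ env "NOMAD_ALLOC_INDEX" }}"
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
  name: "psycopg2"
  args:
    user: "synapse"
    password: "{{ .Data.data.pgpass }}"
    database: "synapse"
    host: "127.0.0.1"
    cp_min: 5
    cp_max: 10
redis:
  enabled: true
  password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
        destination = "/secrets/extra.yaml"
      }
    }
  }

  # PostgreSQL shared by Synapse and the three mautrix bridges (one role
  # each).  Only reachable through the "matrix-postgresql" Connect service.
  group "postgresql" {
    count = 1

    volume "matrix-postgresql" {
      type            = "csi"
      source          = "matrix-postgresql"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    restart {
      attempts = 5
      delay    = "5s"
    }

    network {
      mode = "bridge"
    }

    service {
      name = "matrix-postgresql"
      port = "5432"
      # No health check, same caveat as matrix-redis: the service stays
      # "passing" while registered regardless of whether PostgreSQL answers.
      # check {
      # }
      connect {
        sidecar_service {}
      }
    }

    task "postgresql" {
      driver = "docker"

      volume_mount {
        volume      = "matrix-postgresql"
        destination = "/var/lib/postgresql"
        read_only   = false
      }

      config {
        nix_flake_ref        = "${var.flake_ref}#nixngConfigurations.synapsePostgreSQL.config.system.build.toplevel"
        nix_flake_sha        = var.flake_sha
        nix_flake_store_path = var.store_path.postgresql
        entrypoint           = [ "init" ]
      }

      resources {
        cpu        = 500
        memory     = 1024
        memory_max = 1536
      }

      # Role passwords, pulled from the same KV keys the clients read, and
      # applied by the image at start-up (how init.sql is executed is not
      # shown in this file -- it is part of the NixNG closure).
      #
      # change_mode = "noop": the file is rendered before the task starts,
      # but a password rotated in Vault afterwards is re-rendered without
      # restarting PostgreSQL, so the live role password and the value the
      # clients read from Vault drift until the task next restarts.
      #
      # Each password is interpolated into a SQL string literal; a single
      # quote in a password would terminate the literal early.  Doubling
      # quotes (the SQL escape for '...' literals) keeps every statement
      # well-formed whatever the password contains.
      #
      # matrix-postgresql-policy must grant read on all four KV paths.
      template {
        data = <<EOF
alter user "synapse" with password '{{ with secret "kv/data/cluster/matrix/synapse" }}{{ .Data.data.pgpass | replaceAll "'" "''" }}{{ end }}';
alter user "mautrix-facebook" with password '{{ with secret "kv/data/cluster/matrix/mautrix-facebook/postgresql" }}{{ .Data.data.pgpass | replaceAll "'" "''" }}{{ end }}';
alter user "mautrix-signal" with password '{{ with secret "kv/data/cluster/matrix/mautrix-signal/postgresql" }}{{ .Data.data.pgpass | replaceAll "'" "''" }}{{ end }}';
alter user "mautrix-discord" with password '{{ with secret "kv/data/cluster/matrix/mautrix-discord/postgresql" }}{{ .Data.data.pgpass | replaceAll "'" "''" }}{{ end }}';
EOF
        # Written without the leading slash the other templates use; Nomad
        # resolves both relative to the task directory.
        destination = "secrets/init.sql"
        change_mode = "noop"
      }

      # Task-level Vault stanza (the other groups set it at group level).
      vault {
        policies = ["matrix-postgresql-policy"]
      }
    }
  }

  # Main Synapse process.  Serves the "matrix-synapse" service on 6167 and
  # publishes its replication listener as a second Connect service on 9093,
  # which the worker groups consume as the "matrix-synapse-replication"
  # upstream.  Unlike the workers it has no replication upstream of its own
  # and sets no worker_name.
  group "synapse" {
    count = 1

    volume "matrix-synapse" {
      type            = "csi"
      source          = "matrix-synapse"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    volume "matrix-registrations" {
      type            = "csi"
      source          = "matrix-registrations"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    restart {
      attempts = 5
      delay    = "5s"
    }

    network {
      mode = "bridge"
    }

    service {
      name = "matrix-synapse"
      port = "6167"
      check {
        type         = "http"
        address_mode = "alloc"
        path         = "/health"
        port         = "6167"
        interval     = "2s"
        timeout      = "2s"
      }
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "matrix-mautrix-facebook"
              local_bind_port  = 29319
            }
            upstreams {
              destination_name = "matrix-mautrix-signal"
              local_bind_port  = 29328
            }
            upstreams {
              destination_name = "matrix-mautrix-discord"
              local_bind_port  = 29334
            }
            upstreams {
              destination_name = "matrix-heisenbridge"
              local_bind_port  = 9898
            }
            upstreams {
              destination_name = "matrix-postgresql"
              local_bind_port  = 5432
            }
            upstreams {
              destination_name = "matrix-redis"
              local_bind_port  = 6379
            }
          }
        }
      }
    }

    # Replication listener, exposed to the workers only through Connect.
    # NOTE(review): Synapse's replication endpoint carries no authentication
    # of its own (this file adds none), so the Consul intentions for this
    # service are the only thing limiting who may talk to it.  No check is
    # registered; the commented-out one probes "/" on 9093 -- confirm that
    # path answers on the replication listener before enabling it.
    service {
      name = "matrix-synapse-replication"
      port = "9093"
      # check {
      #   type         = "http"
      #   address_mode = "alloc"
      #   path         = "/"
      #   port         = "9093"
      #   interval     = "2s"
      #   timeout      = "2s"
      # }
      connect {
        sidecar_service {}
      }
    }

    task "synapse" {
      driver = "docker"

      volume_mount {
        volume      = "matrix-synapse"
        destination = "/var/lib/synapse"
        read_only   = false
      }

      volume_mount {
        volume      = "matrix-registrations"
        destination = "/var/lib/registrations"
        read_only   = false
      }

      config {
        nix_flake_ref        = "${var.flake_ref}#nixngConfigurations.synapse.config.system.build.toplevel"
        nix_flake_sha        = var.flake_sha
        nix_flake_store_path = var.store_path.synapse
        entrypoint           = [ "init" ]
        labels {
          grok_type = "synapse"
        }
      }

      # NOTE(review): the main process gets the least memory of all Synapse
      # tasks (768 MB vs 1-2 GB for the workers); whether that is sufficient
      # depends on the load profile, which this file does not show.
      resources {
        cpu    = 2048
        memory = 768
      }

      # Task-level Vault stanza here, group-level in the worker groups;
      # same policy either way.
      vault {
        policies = ["matrix-synapse-policy"]
      }

      # Proxy credentials injected into the task environment (env = true);
      # see synapse-client for the implications.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
http_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
https_proxy=https://synapse:{{ .Data.data.proxy_pass }}@synapse-proxy.in.redalder.org:8883/
{{ end }}
EOF
        destination = "/secrets/env"
        env         = true
      }

      # Same secret-bearing fragment as the workers, minus worker_name.
      template {
        data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
  name: "psycopg2"
  args:
    user: "synapse"
    password: "{{ .Data.data.pgpass }}"
    database: "synapse"
    host: "127.0.0.1"
    cp_min: 5
    cp_max: 10
redis:
  enabled: true
  password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
        destination = "/secrets/extra.yaml"
      }
    }
  }
}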