Replace the cramped Synapse deployment with tuwunel v1.7.1: embedded RocksDB drops the CNPG dependency (both init-containers, the db ESO, the Reloader annotation all gone), env-var config, fsGroup-owned encrypted PVC, federation on, tuwunel-served well-known delegation to :443. server_name unchanged (matrix.viktorbarzin.me); fresh start (no Synapse->RocksDB migration path). Registered @viktor admin then disabled registration (403). Cleanup: removed the orphaned pg-matrix Vault static role and dropped the matrix Postgres DB/role; updated service-catalog, upgrade-config, CLAUDE.md PG-rotation list, and the Matrix OIDC->orphaned auth notes. Design+plan in docs/plans/2026-06-08-matrix-synapse-to-tuwunel-*. Already applied via scripts/tg (matrix tier-1 + targeted vault tier-0), so [ci skip] to avoid CI reconciling an unrelated pre-existing vault OIDC tune-TTL drift. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
3.3 KiB
Matrix: Synapse → tuwunel migration — Plan (executed)
Date: 2026-06-08 · Companion: 2026-06-08-matrix-synapse-to-tuwunel-design.md
Executed steps
- Vault — generated a 32-byte `registration_token`, stored at `secret/matrix`.
- `stacks/matrix` rewrite — replaced Synapse with tuwunel: removed the `matrix-db-creds` ExternalSecret, both init-containers (`install-psycopg2`, `inject-db-password`), the `extra-packages` volume, and the Reloader annotation; added the `matrix-secrets` ExternalSecret (vault-kv `dataFrom`), the `TUWUNEL_*` env, `securityContext` 1000, and the tuwunel image. Encrypted PVC, Service (80→8008), and ingress (auth="none", proxied) unchanged.
- The image is in the deployment's `ignore_changes` (`KEEL_IGNORE_IMAGE`); it was temporarily un-ignored for this base-image swap, then re-added in the Lock down step so Keel resumes tag management. `tg init -reconfigure` was required first (Tier-1 PG-backend creds rotate weekly → "Backend configuration block has changed").
- Apply — Plan: 1 to add, 2 to change, 1 to destroy. tuwunel 1.7.1 came up 1/1 and created a fresh RocksDB on the encrypted PVC (no permission errors: fsGroup worked).
- Verify — all `200`: `/_tuwunel/server_version`, `.well-known/matrix/{client,server}`, `/_matrix/client/versions`, `/_matrix/federation/v1/version`. Registered `@viktor:matrix.viktorbarzin.me` (first user → admin) via the token flow; `whoami` confirmed. Creds stored at `secret/matrix` (`admin_user`, `admin_password`).
- Lock down — `TUWUNEL_ALLOW_REGISTRATION=false` + re-added image `ignore_changes`; applied. Registration now returns `403 M_FORBIDDEN`.
- Cleanup — `stacks/vault`: removed the `pg_matrix` static role + its `allowed_roles` entry (targeted apply; the full plan also wanted an unrelated OIDC `tune` TTL change, deliberately NOT applied, see residual items).
- Dropped the orphaned `matrix` Postgres DB (16 MB) + `matrix` role on the CNPG primary (`pg-cluster-2`).
- Docs updated: `.claude/CLAUDE.md` (PG-rotation list), `service-catalog.md`, `upgrade-config.json` (removed synapse image-rename + matrix PG entry), `authentication.md` + `authentik-state.md` (Matrix OIDC → orphaned).
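The Verify and Lock down steps above are worth keeping as a repeatable check rather than a one-off set of curls: after any image bump the delegation documents must still point at `matrix.viktorbarzin.me:443` (a missing port sends federation peers to SRV/8448), the client `base_url` must stay https, and the register endpoint must keep answering `403 M_FORBIDDEN`. The script below is an added example, not code from the plan or from the tuwunel project. It injects the HTTP layer so the checks run offline against constructed responses (the `LOCKED_SERVER`/`OPEN_SERVER` tables are made up for the example, not captured from the real server); `live_fetch` is a stdlib fetcher for a real run. The registration probe sends an empty UIA body, which creates no account on an open server and only observes whether auth flows are offered.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumed: the server_name from the plan; delegation points back at the same host on :443.
SERVER_NAME = "matrix.viktorbarzin.me"

Response = Tuple[int, bytes]                               # (HTTP status, body)
Fetcher = Callable[[str, str, Optional[bytes]], Response]  # (method, url, body)


def live_fetch(method: str, url: str, body: Optional[bytes] = None) -> Response:
    """stdlib fetcher for a real run; returns non-2xx bodies instead of raising."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def _json(body: bytes) -> dict:
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return {}
    return doc if isinstance(doc, dict) else {}


def check_server_delegation(fetch: Fetcher, server_name: str = SERVER_NAME) -> Tuple[bool, str]:
    """Federation delegation: m.server must be host:port with the port spelled out."""
    status, body = fetch("GET", f"https://{server_name}/.well-known/matrix/server", None)
    target = _json(body).get("m.server")
    if status != 200 or not isinstance(target, str):
        return False, f"server well-known: status {status}, m.server={target!r}"
    if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", target):
        return False, f"m.server lacks an explicit port: {target!r}"
    return True, f"m.server={target}"


def check_client_delegation(fetch: Fetcher, server_name: str = SERVER_NAME) -> Tuple[bool, str]:
    """Client delegation: base_url must be https, since clients send access tokens to it."""
    status, body = fetch("GET", f"https://{server_name}/.well-known/matrix/client", None)
    hs = _json(body).get("m.homeserver")
    base_url = hs.get("base_url") if isinstance(hs, dict) else None
    if status != 200 or not isinstance(base_url, str) or not base_url.startswith("https://"):
        return False, f"client well-known: status {status}, base_url={base_url!r}"
    return True, f"base_url={base_url}"


def check_versions(fetch: Fetcher, base_url: str) -> Tuple[bool, str]:
    """Both API families answer: client spec versions and federation server version."""
    s1, b1 = fetch("GET", f"{base_url}/_matrix/client/versions", None)
    s2, b2 = fetch("GET", f"{base_url}/_matrix/federation/v1/version", None)
    versions, server = _json(b1).get("versions"), _json(b2).get("server")
    if s1 != 200 or not isinstance(versions, list) or not versions:
        return False, f"client versions: status {s1}"
    if s2 != 200 or not isinstance(server, dict) or "name" not in server:
        return False, f"federation version: status {s2}"
    return True, f"{server.get('name')} {server.get('version')}, {len(versions)} spec versions"


def check_registration_locked(fetch: Fetcher, base_url: str) -> Tuple[bool, str]:
    """Empty UIA request: an open server answers 401 with flows, a locked one 403 M_FORBIDDEN."""
    status, body = fetch("POST", f"{base_url}/_matrix/client/v3/register", b"{}")
    errcode = _json(body).get("errcode")
    if status == 403 and errcode == "M_FORBIDDEN":
        return True, "registration disabled (403 M_FORBIDDEN)"
    if status == 401 and "flows" in _json(body):
        return False, "REGISTRATION OPEN: server offered auth flows"
    return False, f"unexpected register response: {status} {errcode!r}"


def run_all(fetch: Fetcher, server_name: str = SERVER_NAME) -> Dict[str, Tuple[bool, str]]:
    base_url = f"https://{server_name}"
    return {
        "server_delegation": check_server_delegation(fetch, server_name),
        "client_delegation": check_client_delegation(fetch, server_name),
        "versions": check_versions(fetch, base_url),
        "registration_locked": check_registration_locked(fetch, base_url),
    }


# Constructed responses standing in for the live server (not captured from it).
LOCKED_SERVER: Dict[Tuple[str, str], Response] = {
    ("GET", f"https://{SERVER_NAME}/.well-known/matrix/server"):
        (200, json.dumps({"m.server": f"{SERVER_NAME}:443"}).encode()),
    ("GET", f"https://{SERVER_NAME}/.well-known/matrix/client"):
        (200, json.dumps({"m.homeserver": {"base_url": f"https://{SERVER_NAME}"}}).encode()),
    ("GET", f"https://{SERVER_NAME}/_matrix/client/versions"):
        (200, json.dumps({"versions": ["v1.11", "v1.12"]}).encode()),
    ("GET", f"https://{SERVER_NAME}/_matrix/federation/v1/version"):
        (200, json.dumps({"server": {"name": "tuwunel", "version": "1.7.1"}}).encode()),
    ("POST", f"https://{SERVER_NAME}/_matrix/client/v3/register"):
        (403, json.dumps({"errcode": "M_FORBIDDEN", "error": "Registration disabled"}).encode()),
}
# Same server before the lock-down step: registration still offers the token flow.
OPEN_SERVER = dict(LOCKED_SERVER)
OPEN_SERVER[("POST", f"https://{SERVER_NAME}/_matrix/client/v3/register")] = (
    401, json.dumps({"flows": [{"stages": ["m.login.registration_token"]}]}).encode())


def fake_fetch(table: Dict[Tuple[str, str], Response]) -> Fetcher:
    """Offline fetcher: looks responses up in a constructed table, 404 otherwise."""
    return lambda method, url, body=None: table.get((method, url), (404, b""))


if __name__ == "__main__":
    for name, (ok, msg) in run_all(fake_fetch(LOCKED_SERVER)).items():
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {msg}")
```

For a live run swap `fake_fetch(LOCKED_SERVER)` for `live_fetch`; a failing `registration_locked` after an image bump or config reload is the signal that `TUWUNEL_ALLOW_REGISTRATION` did not take effect.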
Rollback
Fresh start was confirmed, so there is no Synapse data to preserve. To revert the
service: restore the Synapse main.tf from git, re-add the pg_matrix Vault
role, and restore the matrix Postgres DB from the daily per-db dump
(/backup/per-db/matrix/). The reused encrypted PVC still holds Synapse's old
homeserver.yaml / signing key / media at the volume root alongside the new
RocksDB dir.
Residual / follow-up items (flagged to user)
- Authentik Matrix OAuth2 app is now orphaned — tuwunel uses native password auth (OIDC SSO not wired). Harmless; can be removed from the authentik stack later if desired.
- Pre-existing drift in `stacks/vault`: `vault_jwt_auth_backend.oidc` shows a `tune` diff (explicit `768h` default/max lease TTLs being dropped). This predates this migration and was not applied. Resolve separately.
- Synapse leftover files remain on the encrypted PVC volume root (unused by tuwunel). Can be `rm`'d after confidence in the new server.