Diffstat (limited to 'cluster/prod')
-rw-r--r--cluster/prod/app/cryptpad/build/README.md20
-rw-r--r--cluster/prod/app/cryptpad/build/default.nix6
-rw-r--r--cluster/prod/app/cryptpad/build/npins/sources.json4
-rw-r--r--cluster/prod/app/cryptpad/build_docker/README.md4
-rw-r--r--cluster/prod/app/cryptpad/deploy/cryptpad.hcl2
-rw-r--r--cluster/prod/app/matrix/build/docker-compose.yml13
-rw-r--r--cluster/prod/app/matrix/build/riotweb/Dockerfile2
-rw-r--r--cluster/prod/app/matrix/config/synapse/homeserver.yaml3
-rw-r--r--cluster/prod/app/matrix/deploy/im.hcl73
-rw-r--r--cluster/prod/app/plume/deploy/plume.hcl4
-rw-r--r--cluster/prod/app/woodpecker-ci/deploy/server.hcl12
-rw-r--r--cluster/prod/cluster.nix18
-rw-r--r--cluster/prod/known_hosts1
13 files changed, 54 insertions, 108 deletions
diff --git a/cluster/prod/app/cryptpad/build/README.md b/cluster/prod/app/cryptpad/build/README.md
index 13c6ea2..f97fce4 100644
--- a/cluster/prod/app/cryptpad/build/README.md
+++ b/cluster/prod/app/cryptpad/build/README.md
@@ -1,6 +1,24 @@
# CryptPad for NixOS with Deuxfleurs flavour
-## Building
+## Basic Usage
+
+### Building
+
+To build and load the Docker image used in our Deuxfleurs deployment, run:
+
+``` shell
+docker load -i $(nix-build deuxfleurs.nix -A docker)
+```
+
+### Updating Cryptpad to a newer version
+
+- Check whether the cryptpad build instructions and the `install-onlyoffice.sh`
+ script has changed. If yes, then update `default.nix` accordingly.
+- In `default.nix`, update the `version` field for cryptpad
+- In `default.nix`, change the hash (any change works) of the release and `npmDepsHash` to trigger a rebuild
+- Run `nix-build deuxfleurs.nix`. This will fail because the hashes have changed, but tell you the correct hash to insert in `default.nix`.
+
+## More info
The `default.nix` file follows the nixpkgs `callPackage` convention for fetching dependencies, so you need to either:
diff --git a/cluster/prod/app/cryptpad/build/default.nix b/cluster/prod/app/cryptpad/build/default.nix
index 458253a..fffbd91 100644
--- a/cluster/prod/app/cryptpad/build/default.nix
+++ b/cluster/prod/app/cryptpad/build/default.nix
@@ -71,16 +71,16 @@
});
in buildNpmPackage rec {
pname = "cryptpad";
- version = "2024.9.0";
+ version = "2024.12.0";
src = fetchFromGitHub {
owner = "cryptpad";
repo = "cryptpad";
rev = version;
- hash = "sha256-OUtWaDVLRUbKS0apwY0aNq4MalGFv+fH9VA7LvWWYRs=";
+ hash = "sha256-oSrDajaCEc7I2AsDzKoO34ffd4OeXDwFDGm45yQDSvE=";
};
- npmDepsHash = "sha256-pK0b7q1kJja9l8ANwudbfo3jpldwuO56kuulS8X9A5s=";
+ npmDepsHash = "sha256-1EwxAe+8FOrngZx5+FEeu9uHKWZNBpsECEGrsyiZ2GU=";
inherit nodejs;
diff --git a/cluster/prod/app/cryptpad/build/npins/sources.json b/cluster/prod/app/cryptpad/build/npins/sources.json
index 3372fd0..1f513ad 100644
--- a/cluster/prod/app/cryptpad/build/npins/sources.json
+++ b/cluster/prod/app/cryptpad/build/npins/sources.json
@@ -3,8 +3,8 @@
"nixpkgs": {
"type": "Channel",
"name": "nixos-24.05",
- "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5385.1719f27dd95f/nixexprs.tar.xz",
- "hash": "0f7i315g1z8kjh10hvj2zv7y2vfqxmwvd96hwlcrr8aig6qq5gzm"
+ "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.7376.b134951a4c9f/nixexprs.tar.xz",
+ "hash": "1f8j7fh0nl4qmqlxn6lis8zf7dnckm6jri4rwmj0qm1qivhr58lv"
}
},
"version": 3
diff --git a/cluster/prod/app/cryptpad/build_docker/README.md b/cluster/prod/app/cryptpad/build_docker/README.md
new file mode 100644
index 0000000..03e11bb
--- /dev/null
+++ b/cluster/prod/app/cryptpad/build_docker/README.md
@@ -0,0 +1,4 @@
+# Dockerfile for Cryptpad
+
+This was an experiment but is not used or maintained currently.
+The docker image we use is the one build using nix; see the `build/` directory.
diff --git a/cluster/prod/app/cryptpad/deploy/cryptpad.hcl b/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
index 8ea8b5d..5e19919 100644
--- a/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
+++ b/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
@@ -26,7 +26,7 @@ job "cryptpad" {
}
config {
- image = "kokakiwi/cryptpad:2024.9.0"
+ image = "armael/cryptpad:2024.12.0"
ports = [ "http" ]
volumes = [
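Review bot: The image reference on the `+` line moves from the `kokakiwi/` namespace to the personal `armael/` namespace (no registry prefix, so Docker Hub by default) and is still pinned only by the mutable tag `2024.12.0`, so whoever controls that account can change what the production job pulls without any change to this repository. Since the image is produced reproducibly by nix (see the cryptpad README hunk), the digest is known when it is pushed and can be pinned here, `image = "armael/cryptpad:2024.12.0@sha256:<digest-of-pushed-image>"`. The same applies to the `superboum/amd64_synapse:v61` and `superboum/amd64_elementweb:v37` lines in the im.hcl hunks. The enclosing `config` block ends outside the hunk.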
diff --git a/cluster/prod/app/matrix/build/docker-compose.yml b/cluster/prod/app/matrix/build/docker-compose.yml
index b61fb39..4f2c573 100644
--- a/cluster/prod/app/matrix/build/docker-compose.yml
+++ b/cluster/prod/app/matrix/build/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3.4'
services:
# Instant Messaging
riot:
@@ -6,18 +5,18 @@ services:
context: ./riotweb
args:
# https://github.com/vector-im/element-web/releases
- VERSION: v1.11.78
- image: particallydone/amd64_elementweb:v36
+ VERSION: v1.11.90
+ image: superboum/amd64_elementweb:v37
synapse:
build:
context: ./matrix-synapse
args:
- # https://github.com/matrix-org/synapse/releases
- VERSION: v1.104.0
+ # https://github.com/element-hq/synapse/releases
+ VERSION: v1.122.0
# https://github.com/matrix-org/synapse-s3-storage-provider/commits/main
# Update with the latest commit on main each time you update the synapse version
# otherwise synapse may fail to launch due to incompatibility issues
# see this issue for an example: https://github.com/matrix-org/synapse-s3-storage-provider/issues/64
- S3_VERSION: 2c46a764f700e6439afa11c00db827ddf21a9e89
- image: particallydone/amd64_synapse:v60
+ S3_VERSION: bdc46a71aa16bcbcf8ed1b157ca6756ddb0131ef
+ image: superboum/amd64_synapse:v61
diff --git a/cluster/prod/app/matrix/build/riotweb/Dockerfile b/cluster/prod/app/matrix/build/riotweb/Dockerfile
index ec4f5dd..0bb408a 100644
--- a/cluster/prod/app/matrix/build/riotweb/Dockerfile
+++ b/cluster/prod/app/matrix/build/riotweb/Dockerfile
@@ -1,4 +1,4 @@
-FROM amd64/debian:trixie as builder
+FROM amd64/debian:trixie AS builder
ARG VERSION
WORKDIR /root
diff --git a/cluster/prod/app/matrix/config/synapse/homeserver.yaml b/cluster/prod/app/matrix/config/synapse/homeserver.yaml
index fb223eb..41241f0 100644
--- a/cluster/prod/app/matrix/config/synapse/homeserver.yaml
+++ b/cluster/prod/app/matrix/config/synapse/homeserver.yaml
@@ -110,6 +110,7 @@ federation_rc_concurrent: 3
# Directory where uploaded images and attachments are stored.
media_store_path: "/var/lib/matrix-synapse/media"
uploads_path: "/var/lib/matrix-synapse/uploads"
+enable_authenticated_media: False
media_storage_providers:
- module: s3_storage_provider.S3StorageProviderBackend
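Review bot: `enable_authenticated_media: False` opts the homeserver out of authenticated media, so the legacy `/_matrix/media/v3/download` and thumbnail endpoints keep serving any media whose `mxc://` URI is known, with no access token required; recent Synapse releases default this option to true, which is presumably why it now has to be set explicitly alongside the v1.122.0 bump in docker-compose.yml. The line carries no comment saying why the opt-out is needed, so it is likely to be carried forward indefinitely. Add one such as `# Keep the unauthenticated legacy media endpoints for compatibility with <client/bridge>; remove once it supports authenticated media.` with the actual blocker filled in.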
@@ -121,7 +122,7 @@ media_storage_providers:
# All of the below options are optional, for use with non-AWS S3-like
# services, or to specify access tokens here instead of some external method.
region_name: garage
- endpoint_url: https://garage.deuxfleurs.fr
+ endpoint_url: http://localhost:3900
access_key_id: {{ key "secrets/chat/synapse/s3_access_key" | trimSpace }}
secret_access_key: {{ key "secrets/chat/synapse/s3_secret_key" | trimSpace }}
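Review bot: The S3 endpoint moves from `https://garage.deuxfleurs.fr` to `http://localhost:3900`, so the storage provider now speaks plaintext HTTP to whatever listens on the node's loopback port 3900; the synapse task runs with `network_mode = "host"` in the im.hcl hunk, so `localhost` is the Nomad client's own loopback rather than a container namespace. That is only correct if Garage's S3 API is bound on 127.0.0.1:3900 on every node this task is allowed to land on; on any other node media uploads would fail at runtime rather than at deploy time. A comment stating the assumption, e.g. `# Garage S3 API on the local node (host networking); plain HTTP never leaves loopback`, would make the coupling visible. The `media_storage_providers` entry continues outside the hunk.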
diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl
index c348131..c0f3a1a 100644
--- a/cluster/prod/app/matrix/deploy/im.hcl
+++ b/cluster/prod/app/matrix/deploy/im.hcl
@@ -15,7 +15,7 @@ job "matrix" {
driver = "docker"
config {
- image = "particallydone/amd64_synapse:v60"
+ image = "superboum/amd64_synapse:v61"
network_mode = "host"
readonly_rootfs = true
ports = [ "api_port" ]
@@ -101,7 +101,7 @@ job "matrix" {
driver = "docker"
config {
- image = "particallydone/amd64_synapse:v60"
+ image = "superboum/amd64_synapse:v61"
readonly_rootfs = true
command = "/usr/local/bin/matrix-s3-async"
work_dir = "/tmp"
@@ -126,7 +126,7 @@ AWS_DEFAULT_REGION=garage
PG_USER={{ key "secrets/chat/synapse/postgres_user" | trimSpace }}
PG_PASS={{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }}
PG_DB={{ key "secrets/chat/synapse/postgres_db" | trimSpace }}
-PG_HOST={{ env "meta.site" }}.psql-proxy.service.2.cluster.deuxfleurs.fr
+PG_HOST={{ env "meta.site" }}.psql-proxy.service.prod.consul
PG_PORT=5432
EOH
destination = "secrets/env"
@@ -137,7 +137,7 @@ EOH
task "riotweb" {
driver = "docker"
config {
- image = "particallydone/amd64_elementweb:v36"
+ image = "superboum/amd64_elementweb:v37"
ports = [ "web_port" ]
volumes = [
"secrets/config.json:/srv/http/config.json"
@@ -177,70 +177,5 @@ EOH
}
}
}
-
- group "syncv3" {
- count = 1
-
- network {
- port "syncv3_api" { to = 8009 }
- port "syncv3_metrics" { to = 2112 }
- }
-
- task "syncv3" {
- driver = "docker"
-
- config {
- image = "ghcr.io/matrix-org/sliding-sync:v0.99.16"
- ports = [ "syncv3_api", "syncv3_metrics" ]
- }
-
- resources {
- cpu = 1000
- memory = 500
- memory_max = 1000
- }
-
- template {
- data = <<EOH
-SYNCV3_SERVER=http://synapse.service.prod.consul:8008
-SYNCV3_DB=postgresql://{{ key "secrets/chat/syncv3/postgres_user"|trimSpace }}:{{ key "secrets/chat/syncv3/postgres_pwd"|trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul/{{ key "secrets/chat/syncv3/postgres_db"|trimSpace }}?sslmode=disable
-SYNCV3_SECRET={{ key "secrets/chat/syncv3/secret"|trimSpace }}
-SYNCV3_BINDADDR=0.0.0.0:8009
-SYNCV3_PROM=0.0.0.0:2112
-EOH
- destination = "secrets/env"
- env = true
- }
-
- service {
- name = "matrix-syncv3"
- port = "syncv3_api"
- address_mode = "host"
- tags = [
- "matrix",
- "tricot im-syncv3.deuxfleurs.fr 100",
- "tricot-add-header Access-Control-Allow-Origin *",
- "d53-cname im-syncv3.deuxfleurs.fr",
- ]
- check {
- type = "tcp"
- port = "syncv3_api"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
-
- service {
- name = "matrix-syncv3-metrics"
- port = "syncv3_metrics"
- address_mode = "host"
- }
- }
- }
}
diff --git a/cluster/prod/app/plume/deploy/plume.hcl b/cluster/prod/app/plume/deploy/plume.hcl
index 26bc6db..d9e276e 100644
--- a/cluster/prod/app/plume/deploy/plume.hcl
+++ b/cluster/prod/app/plume/deploy/plume.hcl
@@ -26,8 +26,8 @@ job "plume-blog" {
}
resources {
- memory = 200
- memory_max = 800
+ memory = 1024
+ memory_max = 1024
cpu = 100
}
diff --git a/cluster/prod/app/woodpecker-ci/deploy/server.hcl b/cluster/prod/app/woodpecker-ci/deploy/server.hcl
index 982de68..e0788de 100644
--- a/cluster/prod/app/woodpecker-ci/deploy/server.hcl
+++ b/cluster/prod/app/woodpecker-ci/deploy/server.hcl
@@ -93,6 +93,10 @@ EOH
name = "woodpecker-grpc"
tags = [
"woodpecker-grpc",
+ # The tricot tag is necessary for tricot to get us a tls certificate,
+ # but it will not make the grpc endpoint work as tricot cannot
+ # proxy grpc traffic by itself.
+ "tricot woodpecker-grpc.deuxfleurs.fr",
]
port = "grpc_port"
address_mode = "host"
@@ -120,7 +124,7 @@ http {
listen 0.0.0.0:14453 ssl;
listen [::]:14453 ssl;
http2 on;
- server_name woodpecker.deuxfleurs.fr;
+ server_name woodpecker-grpc.deuxfleurs.fr;
resolver 127.0.0.1 valid=30s;
ssl_certificate "/etc/ssl/certs/woodpecker.cert";
@@ -128,6 +132,8 @@ http {
location / {
grpc_pass grpc://woodpecker-grpc.service.prod.consul:14090;
+ grpc_read_timeout 1800s;
+ grpc_send_timeout 1800s;
}
}
}
@@ -136,11 +142,11 @@ EOH
}
template {
- data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
+ data = "{{ with $d := key \"tricot/certs/woodpecker-grpc.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.key"
}
template {
- data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
+ data = "{{ with $d := key \"tricot/certs/woodpecker-grpc.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.cert"
}
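Review bot: The two templates now fetch the certificate for `woodpecker-grpc.deuxfleurs.fr` but still write it to `secrets/ssl/certs/woodpecker.key` and `woodpecker.cert`, and the nginx `ssl_certificate` line in the `@@ -120,7 +124,7 @@` hunk keeps the same file name, so the file names no longer say which hostname's key material they hold; renaming the destinations and the matching `ssl_certificate`/`ssl_certificate_key` paths to `woodpecker-grpc.*` would remove the mismatch. Separately, `key "tricot/certs/woodpecker-grpc.deuxfleurs.fr"` can only resolve once tricot has issued a certificate for the `tricot woodpecker-grpc.deuxfleurs.fr` tag added in the first hunk, and that tag is registered by this same job, so the first deployment probably blocks on the template until the certificate appears; a short comment next to the template noting that ordering would help the next operator. The enclosing task block starts outside the hunk.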
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index 386a0f9..080b258 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -7,24 +7,6 @@
deuxfleurs.clusterPrefix = "10.83.0.0/16";
deuxfleurs.clusterNodes = {
- "concombre" = {
- siteName = "neptune";
- publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
- address = "10.83.1.1";
- endpoint = "82.67.87.112:33731";
- };
- "courgette" = {
- siteName = "neptune";
- publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
- address = "10.83.1.2";
- endpoint = "82.67.87.112:33732";
- };
- "celeri" = {
- siteName = "neptune";
- publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
- address = "10.83.1.3";
- endpoint = "82.67.87.112:33733";
- };
"df-ykl" = {
siteName = "bespin";
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
diff --git a/cluster/prod/known_hosts b/cluster/prod/known_hosts
index 2bce50f..938b7b8 100644
--- a/cluster/prod/known_hosts
+++ b/cluster/prod/known_hosts
@@ -15,3 +15,4 @@ io.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvgCJ7Jew7ou1RZuaT
ortie.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqtfIPLk8a5tM6Upj7GQwlIS16nBPrZYVXE2FVlO2Yn
pamplemousse.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA
2001:912:1ac0:2200::201 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA
+2001:912:1ac0:2200::202 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmngRvteIMEcy9UcRX6hcSsO7Pq+gY2dfLvhcUUciEZ
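Review bot: The new entry pins the host key for the address `2001:912:1ac0:2200::202` only, whereas the `::201` key on the line above is also paired with a `pamplemousse.machine.deuxfleurs.fr` entry; without a hostname entry an ssh connection by name will not match this line and falls back to trust-on-first-use, which defeats the purpose of checking the file in. If the node has a `*.machine.deuxfleurs.fr` name, add it either on the same line, `<hostname>.machine.deuxfleurs.fr,2001:912:1ac0:2200::202 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmngRvteIMEcy9UcRX6hcSsO7Pq+gY2dfLvhcUUciEZ`, or as a separate line as the file does for the other hosts.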