chore(refactor): move NGINX to Synapse rock (#541)

* chore(refactor): move NGINX to Synapse rock

* fix: remove synapse-nginx-image param

* fix: change rock version just in case

docs/explanation/charm-architecture.md

@@ -16,7 +16,7 @@ Pebble `services` are configured through [layers](https://github.com/canonical/p
 and the following containers represent each one a layer forming the effective
 Pebble configuration, or `plan`:
 
-1. An [NGINX](https://www.nginx.com/) container, which can be used to
+1. An [NGINX](https://www.nginx.com/) Pebble layer, which can be used to
 efficiently serve static resources, as well as be the incoming point for all web
 traffic to the pod.
 2. The [Synapse](https://github.com/matrix-org/synapse) container itself, which
@@ -40,31 +40,27 @@ processes startup as explained above.
 ## OCI images
 
 We use [Rockcraft](https://canonical-rockcraft.readthedocs-hosted.com/en/latest/)
-to build OCI Images for Synapse and NGINX.
-The images are defined in [NGINX rock](https://github.com/canonical/synapse-operator/tree/main/nginx_rock/)
-and [Synapse rock](https://github.com/canonical/synapse-operator/tree/main/synapse_rock).
-They are published to [Charmhub](https://charmhub.io/), the official repository
+to build OCI Image for Synapse.
+The image is defined in [Synapse rock](https://github.com/canonical/synapse-operator/tree/main/synapse_rock) and is published to [Charmhub](https://charmhub.io/), the official repository
 of charms.
 This is done by publishing a resource to Charmhub as described in the
 [Juju SDK How-to guides](https://juju.is/docs/sdk/publishing).
 
-## Containers
+## Container
 
-Configuration files for the containers can be found in the respective
-directories that define the rocks, see the section above.
+Configuration files for the container can be found in the respective
+directory that define the rock, see the section above.
 
 ### NGINX
 
-This container is the entry point for all web traffic to the pod (on port
-`8080`). Serves static files directly and forwards non-static requests to
-the Synapse container (on port `8008`).
+NGINX is configured as a Pebble Layer and is the entry point for all web traffic
+to the pod (on port `8080`). Serves static files directly and forwards
+non-static requests to the Synapse container (on port `8008`).
 
 NGINX provides static content cache, reverse proxy, and load balancer among 
 multiple application servers, as well as other features. It can be used in front of
 Synapse server to significantly reduce server and network load.
 
-The workload that this container is running is defined in the [NGINX rock](https://github.com/canonical/synapse-operator/tree/main/nginx_rock/).
-
 ### Synapse
 
 Synapse is a Python application run by the `start.py` script.

docs/how-to/contribute.md

@@ -41,12 +41,11 @@ source .tox/unit/bin/activate
 
 ### Testing
 
-Note that the [Synapse](synapse_rock/rockcraft.yaml) and [Synapse NGINX](synapse_nginx_rock/rockcraft.yaml)
-images need to be built and pushed to microk8s for the tests to run. They should
-be tagged as `localhost:32000/synapse:latest` and
-`localhost:32000/synapse-nginx:latest` so that Kubernetes knows how to pull them
+Note that the [Synapse](synapse_rock/rockcraft.yaml) image need to be built and
+pushed to microk8s for the tests to run. It should be tagged as
+`localhost:32000/synapse:latest`so that Kubernetes knows how to pull them
 from the MicroK8s repository. Note that the MicroK8s registry needs to be
-enabled using `microk8s enable registry`. More details regarding the OCI images
+enabled using `microk8s enable registry`. More details regarding the OCI image
 below. The following commands can then be used to run the tests:
 
 * `tox`: Runs all of the basic checks (`lint`, `unit`, `static`, and `coverage-report`).
@@ -73,7 +72,7 @@ Build the charm in this git repository using:
 charmcraft pack
 ```
 For the integration tests (and also to deploy the charm locally), the synapse
-and synapse-nginx images are required in the microk8s registry. To enable it:
+image is required in the microk8s registry. To enable it:
 
     microk8s enable registry
 
@@ -82,8 +81,6 @@ the registry:
 
     cd [project_dir]/synapse_rock && rockcraft pack
     skopeo --insecure-policy copy --dest-tls-verify=false oci-archive:synapse_1.0_amd64.rock docker://localhost:32000/synapse:latest
-    cd [project_dir]/nginx_rock && rockcraft pack
-    skopeo --insecure-policy copy --dest-tls-verify=false oci-archive:synapse-nginx_1.0_amd64.rock docker://localhost:32000/synapse-nginx:latest
 
 ### Deploy
 
@@ -94,8 +91,7 @@ juju add-model synapse-dev
 juju model-config logging-config="<root>=INFO;unit=DEBUG"
 # Deploy the charm (assuming you're on amd64)
 juju deploy ./synapse_ubuntu-22.04-amd64.charm \
-  --resource synapse-image=localhost:32000/synapse:latest \
-  --resource synapse-nginx-image=localhost:32000/synapse-nginx:latest
+  --resource synapse-image=localhost:32000/synapse:latest
 ```
 
 ### Configure `server_name`

metadata.yaml

@@ -22,16 +22,11 @@ containers:
     mounts:
       - storage: data
         location: /data
-  synapse-nginx:
-    resource: synapse-nginx-image
 
 resources:
   synapse-image:
     type: oci-image
     description: OCI image for Synapse
-  synapse-nginx-image:
-    type: oci-image
-    description: OCI image for Synapse NGINX
 
 storage:
   data:

src-docs/charm.py.md

@@ -74,7 +74,7 @@ Unit that this execution is responsible for.
 
 ---
 
-<a href="../src/charm.py#L105"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L102"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `build_charm_state`
 
@@ -91,7 +91,7 @@ Build charm state.
 
 ---
 
-<a href="../src/charm.py#L342"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L336"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `get_main_unit`
 
@@ -108,7 +108,7 @@ Get main unit.
 
 ---
 
-<a href="../src/charm.py#L357"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L351"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `get_main_unit_address`
 
@@ -125,7 +125,7 @@ Get main unit address. If main unit is None, use unit name.
 
 ---
 
-<a href="../src/charm.py#L409"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L403"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `get_signing_key`
 
@@ -142,7 +142,7 @@ Get signing key from secret.
 
 ---
 
-<a href="../src/charm.py#L129"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L126"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `get_unit_number`
 
@@ -166,7 +166,7 @@ Get unit number from unit name.
 
 ---
 
-<a href="../src/charm.py#L149"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L146"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `instance_map`
 
@@ -183,7 +183,7 @@ Build instance_map config.
 
 ---
 
-<a href="../src/charm.py#L121"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L118"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `is_main`
 
@@ -201,7 +201,7 @@ Verify if this unit is the main.
 
 ---
 
-<a href="../src/charm.py#L318"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L312"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `peer_units_total`
 
@@ -218,7 +218,7 @@ Get peer units total.
 
 ---
 
-<a href="../src/charm.py#L192"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L189"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `reconcile`
 
@@ -238,7 +238,7 @@ This is the main entry for changes that require a restart.
 
 ---
 
-<a href="../src/charm.py#L369"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L363"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `set_main_unit`
 
@@ -256,7 +256,7 @@ Create/Renew an admin access token and put it in the peer relation.
 
 ---
 
-<a href="../src/charm.py#L385"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm.py#L379"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `set_signing_key`
 

src/charm.py

@@ -93,9 +93,6 @@ def __init__(self, *args: typing.Any) -> None:
             self.on[synapse.SYNAPSE_PEER_RELATION_NAME].relation_changed, self._on_relation_changed
         )
         self.framework.observe(self.on.synapse_pebble_ready, self._on_synapse_pebble_ready)
-        self.framework.observe(
-            self.on.synapse_nginx_pebble_ready, self._on_synapse_nginx_pebble_ready
-        )
         self.framework.observe(self.on.register_user_action, self._on_register_user_action)
         self.framework.observe(
             self.on.promote_user_admin_action, self._on_promote_user_admin_action
@@ -224,6 +221,7 @@ def reconcile(self, charm_state: CharmState) -> None:
         except (pebble.PebbleServiceError, FileNotFoundError) as exc:
             self.model.unit.status = ops.BlockedStatus(str(exc))
             return
+        pebble.restart_nginx(container, self.get_main_unit_address())
         self._set_unit_status()
 
     def _set_unit_status(self) -> None:
@@ -250,10 +248,6 @@ def _set_unit_status(self) -> None:
             self.unit.status = ops.MaintenanceStatus("Waiting for Synapse")
             return
         # NGINX checks
-        container = self.unit.get_container(synapse.SYNAPSE_NGINX_CONTAINER_NAME)
-        if not container.can_connect():
-            self.unit.status = ops.MaintenanceStatus("Waiting for Synapse NGINX pebble")
-            return
         nginx_service = container.get_services(synapse.SYNAPSE_NGINX_SERVICE_NAME)
         nginx_not_active = [
             service for service in nginx_service.values() if not service.is_running()
@@ -475,26 +469,6 @@ def _on_relation_changed(self, _: ops.HookEvent, charm_state: CharmState) -> Non
         """
         logger.debug("_on_relation_changed emitting reconcile")
         self.reconcile(charm_state)
-        # Reload NGINX configuration with new main address
-        nginx_container = self.unit.get_container(synapse.SYNAPSE_NGINX_CONTAINER_NAME)
-        if not nginx_container.can_connect():
-            logger.warning(
-                "Relation changed received but NGINX container is not available for reloading."
-            )
-            return
-        pebble.restart_nginx(nginx_container, self.get_main_unit_address())
-
-    def _on_synapse_nginx_pebble_ready(self, _: ops.HookEvent) -> None:
-        """Handle synapse nginx pebble ready event."""
-        container = self.unit.get_container(synapse.SYNAPSE_NGINX_CONTAINER_NAME)
-        if not container.can_connect():
-            logger.debug("synapse_nginx_pebble_ready failed to connect")
-            self.unit.status = ops.MaintenanceStatus("Waiting for Synapse NGINX pebble")
-            return
-        logger.debug("synapse_nginx_pebble_ready replanning nginx")
-        # Replan pebble layer
-        pebble.restart_nginx(container, self.get_main_unit_address())
-        self._set_unit_status()
 
     def _on_register_user_action(self, event: ActionEvent) -> None:
         """Register user and report action result.

src/synapse/__init__.py

@@ -51,7 +51,6 @@
     SYNAPSE_EXPORTER_PORT,
     SYNAPSE_FEDERATION_SENDER_SERVICE_NAME,
     SYNAPSE_GROUP,
-    SYNAPSE_NGINX_CONTAINER_NAME,
     SYNAPSE_NGINX_PORT,
     SYNAPSE_NGINX_SERVICE_NAME,
     SYNAPSE_PEER_RELATION_NAME,

src/synapse/workload.py

@@ -38,7 +38,6 @@
 SYNAPSE_DEFAULT_MEDIA_STORE_PATH = "/media_store"
 SYNAPSE_FEDERATION_SENDER_SERVICE_NAME = "synapse-federation-sender"
 SYNAPSE_GROUP = "synapse"
-SYNAPSE_NGINX_CONTAINER_NAME = "synapse-nginx"
 SYNAPSE_NGINX_PORT = 8080
 SYNAPSE_NGINX_SERVICE_NAME = "synapse-nginx"
 SYNAPSE_PEER_RELATION_NAME = "synapse-peers"

synapse_rock/rockcraft.yaml

@@ -4,7 +4,7 @@
 name: synapse
 summary: Synapse rock
 description: Synapse OCI image for the Synapse charm
-version: "1.0"
+version: "2.0"
 base: [email protected]
 # renovate: base: ubuntu:22.04@sha256:58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe
 build-base: [email protected]
@@ -41,6 +41,31 @@ parts:
         overlay-script: |
           groupadd -R $CRAFT_OVERLAY --gid 991 synapse
           useradd -R $CRAFT_OVERLAY --system --gid 991 --uid 991 --home /srv/synapse -m synapse
+          chmod 755 $CRAFT_OVERLAY/etc
+          groupadd -R $CRAFT_OVERLAY --gid 2000 nginx
+          useradd -R $CRAFT_OVERLAY --system --gid 2000 --uid 2000 --no-create-home nginx
+    nginx-conf:
+      plugin: dump
+      source: etc
+      organize:
+        nginx.conf: etc/nginx/nginx.conf
+        worker_location.conf: etc/nginx/worker_location.conf
+        abuse_report_location.conf.template: etc/nginx/abuse_report_location.conf.template
+        abuse_report_location.conf: etc/nginx/abuse_report_location.conf
+        main_location.conf.template: etc/nginx/main_location.conf.template
+        main_location.conf: etc/nginx/main_location.conf
+    nginx:
+      stage-packages:
+        - logrotate
+        - nginx
+        - sed
+      plugin: nil
+      override-build: |
+        craftctl default
+        rm $CRAFT_PART_INSTALL/etc/nginx/nginx.conf
+      override-prime: |
+        craftctl default
+        mkdir run
     synapse:
         build-packages:
             - build-essential

tests/conftest.py

@@ -6,7 +6,6 @@
 from pytest import Parser
 
 SYNAPSE_IMAGE_PARAM = "--synapse-image"
-SYNAPSE_NGINX_IMAGE_PARAM = "--synapse-nginx-image"
 
 
 def pytest_addoption(parser: Parser) -> None:
@@ -16,9 +15,6 @@ def pytest_addoption(parser: Parser) -> None:
         parser: Pytest parser.
     """
     parser.addoption(SYNAPSE_IMAGE_PARAM, action="store", help="Synapse image to be deployed")
-    parser.addoption(
-        SYNAPSE_NGINX_IMAGE_PARAM, action="store", help="Synapse NGINX image to be deployed"
-    )
     parser.addoption("--charm-file", action="store", help="Charm file to be deployed")
     parser.addoption(
         "--use-existing",