comms: fix matrix login routing and prune guests

services/comms/guest-name-job.yaml

@@ -123,6 +123,7 @@ spec:
                   SEEDER_USER = os.environ["SEEDER_USER"]
                   ROOM_ALIAS = "#othrys:live.bstein.dev"
                   SERVER_NAME = "live.bstein.dev"
+                  STALE_GUEST_MS = 7 * 24 * 60 * 60 * 1000
 
                   def mas_admin_token():
                       with open(MAS_ADMIN_CLIENT_SECRET_FILE, "r", encoding="utf-8") as f:
@@ -235,6 +236,35 @@ spec:
                               break
                       return users
 
+                  def should_prune_guest(entry, now_ms):
+                      if not entry.get("is_guest"):
+                          return False
+                      last_seen = entry.get("last_seen_ts")
+                      if last_seen is None:
+                          return False
+                      try:
+                          last_seen = int(last_seen)
+                      except (TypeError, ValueError):
+                          return False
+                      return now_ms - last_seen > STALE_GUEST_MS
+
+                  def prune_guest(token, user_id):
+                      headers = {"Authorization": f"Bearer {token}"}
+                      try:
+                          r = requests.delete(
+                              f"{BASE}/_synapse/admin/v2/users/{urllib.parse.quote(user_id)}",
+                              headers=headers,
+                              params={"erase": "true"},
+                              timeout=30,
+                          )
+                      except Exception as exc:  # noqa: BLE001
+                          print(f"guest prune failed for {user_id}: {exc}")
+                          return False
+                      if r.status_code in (200, 202, 204, 404):
+                          return True
+                      print(f"guest prune failed for {user_id}: {r.status_code} {r.text}")
+                      return False
+
                   def user_id_for_username(username):
                       return f"@{username}:live.bstein.dev"
 
@@ -404,6 +434,7 @@ spec:
                       except Exception as exc:  # noqa: BLE001
                           print(f"synapse admin list skipped: {exc}")
                           entries = []
+                      now_ms = int(time.time() * 1000)
                       for entry in entries:
                           user_id = entry.get("name") or ""
                           if not user_id.startswith("@"):
@@ -412,6 +443,9 @@ spec:
                           if localpart in mas_usernames:
                               continue
                           is_guest = entry.get("is_guest")
+                          if is_guest and should_prune_guest(entry, now_ms):
+                              if prune_guest(seeder_token, user_id):
+                                  continue
                           if not (is_guest or needs_rename_username(localpart)):
                               continue
                           display = get_displayname_admin(seeder_token, user_id)
@@ -432,3 +466,4 @@ spec:
                   finally:
                       mas_revoke_session(admin_token, seeder_session)
                   PY
+

services/comms/helmrelease.yaml

@@ -130,24 +130,7 @@ spec:
                     values: ["rpi5", "rpi4"]
 
     ingress:
-      enabled: true
+      enabled: false
-      className: traefik
-      annotations:
-        cert-manager.io/cluster-issuer: letsencrypt
-        traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      csHosts:
-        - matrix.live.bstein.dev
-      hosts:
-        - matrix.live.bstein.dev
-      wkHosts:
-        - live.bstein.dev
-        - bstein.dev
-      tls:
-        - secretName: matrix-live-tls
-          hosts:
-            - matrix.live.bstein.dev
-            - live.bstein.dev
 
     extraConfig:
       allow_guest_access: true