From 4133ad8f24896a29c0698625db5b0cfa91c66411 Mon Sep 17 00:00:00 2001
From: Felix Wolf <felix.wolf@blueworld-gmbh.de>
Date: Mon, 4 May 2026 20:33:32 +0200
Subject: [PATCH] fix(matrix): raise rc_login burst limit to stop
 M_LIMIT_EXCEEDED

---
 .../matrix-synapse/helm/matrix-synapse.ytt.yaml    | 14 ++++++++++++++
 .../matrix-synapse/configmap-matrix-synapse.yaml   |  2 +-
 .../matrix-synapse/deployment-matrix-synapse.yaml  |  2 +-
 .../matrix-synapse/configmap-matrix-synapse.yaml   |  2 +-
 .../matrix-synapse/deployment-matrix-synapse.yaml  |  2 +-
 5 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/prototypes/matrix-synapse/helm/matrix-synapse.ytt.yaml b/prototypes/matrix-synapse/helm/matrix-synapse.ytt.yaml
index 05005a0..5ac12e0 100644
--- a/prototypes/matrix-synapse/helm/matrix-synapse.ytt.yaml
+++ b/prototypes/matrix-synapse/helm/matrix-synapse.ytt.yaml
@@ -20,6 +20,20 @@ config:
   registrationSharedSecret: overridden-by-zz-overrides
   macaroonSecretKey: overridden-by-zz-overrides
 
+#! Relax login rate limits. Defaults (per_second 0.17, burst 3) trip
+#! Element on normal use — every retry/refresh hits POST /login.
+extraConfig:
+  rc_login:
+    address:
+      per_second: 0.17
+      burst_count: 10
+    account:
+      per_second: 0.17
+      burst_count: 10
+    failed_attempts:
+      per_second: 0.17
+      burst_count: 10
+
 signingkey:
   job:
     enabled: false
diff --git a/rendered/envs/minikube/matrix-synapse/configmap-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/configmap-matrix-synapse.yaml
index e230b30..a783882 100644
--- a/rendered/envs/minikube/matrix-synapse/configmap-matrix-synapse.yaml
+++ b/rendered/envs/minikube/matrix-synapse/configmap-matrix-synapse.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
-  homeserver.yaml: "# NOTE:\n# Secrets are stored in separate configs to better fit K8s concepts\n\n## Server ##\n\nserver_name: \"matrix.minikube\"\npublic_baseurl: \"https://matrix.minikube\"\npid_file: /homeserver.pid\nweb_client: False\nsoft_file_limit: 0\nlog_config: \"/synapse/config/log.yaml\"\nreport_stats: false\n\ninstance_map:\n  main:\n    host: matrix-synapse-replication\n    port: 9093\n\n## Ports ##\n\nlisteners:\n  - port: 8008\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n    x_forwarded: true\n\n    resources:\n      - names: \n          - client\n          - federation\n        compress: false\n\n  - port: 9090\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n\n    resources:\n      - names: [metrics]\n        compress: false\n\n  - port: 9093\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n\n    resources:\n      - names: [replication]\n        compress: false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path: \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: false\n\n## Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys from.\ntrusted_key_servers:\n  - server_name: matrix.org\n\n## Workers ##\n"
+  homeserver.yaml: "# NOTE:\n# Secrets are stored in separate configs to better fit K8s concepts\n\n## Server ##\n\nserver_name: \"matrix.minikube\"\npublic_baseurl: \"https://matrix.minikube\"\npid_file: /homeserver.pid\nweb_client: False\nsoft_file_limit: 0\nlog_config: \"/synapse/config/log.yaml\"\nreport_stats: false\n\ninstance_map:\n  main:\n    host: matrix-synapse-replication\n    port: 9093\n\n## Ports ##\n\nlisteners:\n  - port: 8008\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n    x_forwarded: true\n\n    resources:\n      - names: \n          - client\n          - federation\n        compress: false\n\n  - port: 9090\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n\n    resources:\n      - names: [metrics]\n        compress: false\n\n  - port: 9093\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n\n    resources:\n      - names: [replication]\n        compress: false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path: \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: false\n\n## Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys from.\ntrusted_key_servers:\n  - server_name: matrix.org\n\n## Workers ##\n\n## Extra config ##\n\nrc_login:\n  account:\n    burst_count: 10\n    per_second: 0.17\n  address:\n    burst_count: 10\n    per_second: 0.17\n  failed_attempts:\n    burst_count: 10\n    per_second: 0.17\n"
   log.yaml: |
     version: 1
     formatters:
diff --git a/rendered/envs/minikube/matrix-synapse/deployment-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/deployment-matrix-synapse.yaml
index ffc5013..9120aaf 100644
--- a/rendered/envs/minikube/matrix-synapse/deployment-matrix-synapse.yaml
+++ b/rendered/envs/minikube/matrix-synapse/deployment-matrix-synapse.yaml
@@ -24,7 +24,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 0750c2f14986445e44cd32eddbea80ce9ef5c78ba14041b3e6a6a0be971d04f1
+        checksum/config: b3e92fce9a7e5897b6fc2e70062c6e23d2c266b55272de2993799c85b3e94952
         checksum/secrets: 54091df516cd7bf15484597ec0c9613cd969341f977e3228b5416997dc9b8c95
       labels:
         app.kubernetes.io/component: synapse
diff --git a/rendered/envs/production/matrix-synapse/configmap-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/configmap-matrix-synapse.yaml
index da566ac..628c363 100644
--- a/rendered/envs/production/matrix-synapse/configmap-matrix-synapse.yaml
+++ b/rendered/envs/production/matrix-synapse/configmap-matrix-synapse.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
-  homeserver.yaml: "# NOTE:\n# Secrets are stored in separate configs to better fit K8s concepts\n\n## Server ##\n\nserver_name: \"matrix.tr1ceracop.de\"\npublic_baseurl: \"https://matrix.tr1ceracop.de\"\npid_file: /homeserver.pid\nweb_client: False\nsoft_file_limit: 0\nlog_config: \"/synapse/config/log.yaml\"\nreport_stats: false\n\ninstance_map:\n  main:\n    host: matrix-synapse-replication\n    port: 9093\n\n## Ports ##\n\nlisteners:\n  - port: 8008\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n    x_forwarded: true\n\n    resources:\n      - names: \n          - client\n          - federation\n        compress: false\n\n  - port: 9090\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n\n    resources:\n      - names: [metrics]\n        compress: false\n\n  - port: 9093\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n\n    resources:\n      - names: [replication]\n        compress: false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path: \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: false\n\n## Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys from.\ntrusted_key_servers:\n  - server_name: matrix.org\n\n## Workers ##\n"
+  homeserver.yaml: "# NOTE:\n# Secrets are stored in separate configs to better fit K8s concepts\n\n## Server ##\n\nserver_name: \"matrix.tr1ceracop.de\"\npublic_baseurl: \"https://matrix.tr1ceracop.de\"\npid_file: /homeserver.pid\nweb_client: False\nsoft_file_limit: 0\nlog_config: \"/synapse/config/log.yaml\"\nreport_stats: false\n\ninstance_map:\n  main:\n    host: matrix-synapse-replication\n    port: 9093\n\n## Ports ##\n\nlisteners:\n  - port: 8008\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n    x_forwarded: true\n\n    resources:\n      - names: \n          - client\n          - federation\n        compress: false\n\n  - port: 9090\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n\n    resources:\n      - names: [metrics]\n        compress: false\n\n  - port: 9093\n    tls: false\n    bind_addresses: [\"::\"]\n    type: http\n\n    resources:\n      - names: [replication]\n        compress: false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path: \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: false\n\n## Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys from.\ntrusted_key_servers:\n  - server_name: matrix.org\n\n## Workers ##\n\n## Extra config ##\n\nrc_login:\n  account:\n    burst_count: 10\n    per_second: 0.17\n  address:\n    burst_count: 10\n    per_second: 0.17\n  failed_attempts:\n    burst_count: 10\n    per_second: 0.17\n"
   log.yaml: |
     version: 1
     formatters:
diff --git a/rendered/envs/production/matrix-synapse/deployment-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/deployment-matrix-synapse.yaml
index 472bacb..1abf4ae 100644
--- a/rendered/envs/production/matrix-synapse/deployment-matrix-synapse.yaml
+++ b/rendered/envs/production/matrix-synapse/deployment-matrix-synapse.yaml
@@ -24,7 +24,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: e9410364225cc447e9ce6b06ef65e4740011fa188b0a8ebab877ea04a1d100d7
+        checksum/config: 3b44c54503e7886c0326cd9d205e0141776ccac38a2d64656d25d0c9b285ff22
         checksum/secrets: 54091df516cd7bf15484597ec0c9613cd969341f977e3228b5416997dc9b8c95
       labels:
         app.kubernetes.io/component: synapse