diff --git a/k8s/matrix/config-janky.solutions/homeserver.yaml b/k8s/matrix/config-janky.solutions/homeserver.yaml index 5db5058..9fa474d 100644 --- a/k8s/matrix/config-janky.solutions/homeserver.yaml +++ b/k8s/matrix/config-janky.solutions/homeserver.yaml @@ -26,18 +26,18 @@ trusted_key_servers: - server_name: "matrix.org" public_baseurl: https://matrix.janky.solutions ip_range_whitelist: [10.5.1.245,10.5.1.1] -oidc_providers: - - idp_id: keycloak - idp_name: "Janky Solutions Auth" - issuer: "https://auth.janky.solutions/realms/janky.solutions" - client_id: "synapse" - client_secret: SECRET_oidc_secret - scopes: ["openid", "profile"] - user_mapping_provider: - config: - localpart_template: "{{ user.preferred_username }}" - display_name_template: "{{ user.name }}" - backchannel_logout_enabled: true # Optional +# oidc_providers: +# - idp_id: keycloak +# idp_name: "Janky Solutions Auth" +# issuer: "https://auth.janky.solutions/realms/janky.solutions/" +# client_id: "synapse" +# client_secret: SECRET_oidc_secret +# scopes: ["openid", "profile"] +# user_mapping_provider: +# config: +# localpart_template: "{{ user.preferred_username }}" +# display_name_template: "{{ user.name }}" +# backchannel_logout_enabled: true # Optional password_config: enabled: false app_service_config_files: 
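Review bot: The `oidc_providers` block is kept as a commented-out copy rather than deleted, and the copy is not what was removed — `issuer` gained a trailing slash (`.../realms/janky.solutions/`), so the dead text no longer matches the upstream-provider issuer MAS is given in `mas/config.yaml` (no trailing slash). With `experimental_features.msc3861` delegating login to MAS, a configured `oidc_providers` is not a supported path anyway (if I remember the config check correctly Synapse refuses to start with both enabled), so re-enabling this block by uncommenting it would only produce a confusing failure. Suggest dropping the twelve commented lines and leaving them to git history; if a pointer is wanted, a single line `# Login is delegated to matrix-authentication-service (experimental_features.msc3861); the former oidc_providers block was removed.` is enough.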
@@ -77,3 +77,22 @@ media_storage_providers: # to S3. Each thread manages a single connection. Default is 40. # #threadpool_size: 20 +experimental_features: + msc3861: + enabled: true + + # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration + issuer: https://matrix-auth.janky.solutions/ + + # Matches the `client_id` in the auth service config + client_id: 01J5VH0VE08DMM5TMNSS9A4J31 + # Matches the `client_auth_method` in the auth service config + client_auth_method: client_secret_basic + # Matches the `client_secret` in the auth service config + client_secret: "SECRET_CLIENT_SECRET" + + # Matches the `matrix.secret` in the auth service config + admin_token: "SECRET_ADMIN_SECRET" + + # URL to advertise to clients where users can self-manage their account + account_management_url: "https://matrix-auth.janky.solutions/account" diff --git a/k8s/matrix/janky.solutions-homeserver.yaml b/k8s/matrix/janky.solutions-homeserver.yaml index eca9a5b..afcb213 100644 --- a/k8s/matrix/janky.solutions-homeserver.yaml +++ b/k8s/matrix/janky.solutions-homeserver.yaml @@ -24,7 +24,7 @@ spec: fsGroupChangePolicy: "OnRootMismatch" initContainers: - name: initialize-homeserver-secrets - image: library/python + image: docker.io/library/python:3 command: ["python", "/init/initialize-secrets.py", "homeserver.yaml"] volumeMounts: - name: init @@ -37,7 +37,7 @@ spec: - secretRef: name: synapse-janky-solutions - name: initialize-bridge-secrets - image: library/python + image: docker.io/library/python:3 command: ["python", "/init/initialize-secrets.py", "facebook.yaml", "telegram.yaml", "signal.yaml"] volumeMounts: - name: init 
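Review bot: `image: docker.io/library/python:3` now names the registry but still floats on a major tag, so each pod restart may pull a different base image into the step that renders every secret into the homeserver config; the same applies to the `initialize-bridge-secrets` hunk that follows and to the `initialize-secrets` and `debug` containers of the new `mas-janky-solutions` Deployment (the latter on `library/debian:latest`, with no registry at all). Pin the images to a digest, e.g. `image: docker.io/library/python:3@sha256:<digest-of-the-tested-image>`, or at least to a minor tag, so the version in use is visible in the manifest and reproducible. These containers receive the whole secret set through `envFrom`, so their provenance deserves the same care as the application images.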
@@ -118,22 +118,190 @@ spec: app: synapse instance: janky.solutions --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sliding-sync-janky-solutions +spec: + replicas: 1 + selector: + matchLabels: + app: sliding-sync-janky-solutions + template: + metadata: + labels: + app: sliding-sync-janky-solutions + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8081" + spec: + containers: + - name: sliding-sync + image: ghcr.io/matrix-org/sliding-sync:v0.99.19 + env: + - name: SYNCV3_DB + value: user=slidingsync dbname=syncv3 host=janky-solutions-homeserver-database + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: slidingsync.janky-solutions-homeserver-database.credentials.postgresql.acid.zalan.do + key: password + - name: SYNCV3_SERVER + value: https://matrix.janky.solutions + - name: SYNCV3_PROM + value: :8081 + envFrom: + - secretRef: + name: sliding-sync-janky-solutions + ports: + - containerPort: 8008 + name: http + - containerPort: 8081 + name: metrics + resources: + limits: + cpu: 500m + memory: 500Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: sliding-sync-janky-solutions +spec: + selector: + app: sliding-sync-janky-solutions + ports: + - port: 8008 + name: http +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: homeserver-janky-solutions +spec: + routes: + - kind: Rule + match: Host(`matrix.janky.solutions`) && PathPrefix(`/_synapse/client`) + services: + - kind: Service + name: homeserver-janky-solutions + port: 8008 + - kind: Rule + match: Host(`matrix.janky.solutions`) && PathPrefix(`/_matrix`) + services: + - kind: Service + name: homeserver-janky-solutions + port: 8008 + - kind: Rule + match: Host(`matrix.janky.solutions`) && PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`) + services: + - kind: Service + name: sliding-sync-janky-solutions + port: 8008 + - kind: Rule + match: Host(`matrix.janky.solutions`) && PathPrefix(`/client`) + services: + - kind: Service + name: 
sliding-sync-janky-solutions + port: 8008 + - kind: Rule + match: Host(`matrix.janky.solutions`) && PathRegexp(`^/_matrix/client/(.*)/(login|logout|refresh)$`) + services: + - kind: Service + name: mas-janky-solutions + port: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mas-janky-solutions +spec: + selector: + matchLabels: + app: mas-janky-solutions + template: + metadata: + labels: + app: mas-janky-solutions + spec: + initContainers: + - name: initialize-secrets + image: docker.io/library/python:3 + command: ["python", "/init/initialize-secrets.py", "config.yaml"] + volumeMounts: + - name: init + mountPath: /init + - name: data + mountPath: /data + - name: config + mountPath: /config + envFrom: + - secretRef: + name: mas-janky-solutions + containers: + - name: mas-janky-solutions + image: ghcr.io/matrix-org/matrix-authentication-service:0.10 + args: ["server", "-c", "/data/config.yaml"] + env: + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: mas.janky-solutions-homeserver-database.credentials.postgresql.acid.zalan.do + key: password + resources: + limits: + memory: "128Mi" + cpu: "500m" + ports: + - name: http + containerPort: 8080 + - name: health + containerPort: 8081 + volumeMounts: + - name: data + mountPath: /data + - name: debug + image: library/debian:latest + command: ["bash", "-c", "while true; do sleep 300; done"] + resources: {} + volumeMounts: + - name: data + mountPath: /data + volumes: + - name: config + configMap: + name: mas-janky-solutions + - name: init + configMap: + name: secrets-init + - name: data + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: mas-janky-solutions +spec: + selector: + app: mas-janky-solutions + ports: + - port: 8080 + name: http +--- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: homeserver-janky-solutions - annotations: - cert-manager.io/cluster-issuer: letsencrypt + name: mas-janky-solutions spec: rules: - - host: matrix.janky.solutions + - host: 
matrix-auth.janky.solutions http: paths: - path: / pathType: Prefix backend: service: - name: homeserver-janky-solutions + name: mas-janky-solutions port: name: http --- @@ -144,49 +312,38 @@ metadata: spec: teamId: matrix volume: - size: 10Gi + size: 50Gi numberOfInstances: 2 users: superuser: - superuser - createdb matrix: [] + slidingsync: [] + mas: [] databases: matrix: matrix + syncv3: slidingsync + mas: mas patroni: initdb: encoding: UTF8 locale: C - pg_hba: - - local all all trust - - hostssl all +zalandos 127.0.0.1/32 pam - - host all all 127.0.0.1/32 md5 - - hostssl all +zalandos ::1/128 pam - - host all all ::1/128 md5 - - local replication standby trust - - hostssl replication standby all md5 - - hostnossl all all all reject - - hostssl all +zalandos all pam - - hostssl all all all md5 - - host all all all md5 + # pg_hba: + # - local all all trust + # - hostssl all +zalandos 127.0.0.1/32 pam + # - host all all 127.0.0.1/32 md5 + # - hostssl all +zalandos ::1/128 pam + # - host all all ::1/128 md5 + # - local replication standby trust + # - hostssl replication standby all md5 + # - hostnossl all all all md5 + # - hostssl all +zalandos all pam + # - hostssl all all all md5 + # - host all all all md5 resources: limits: cpu: "4" memory: 4Gi postgresql: version: "16" ---- -apiVersion: v1 -kind: Service -metadata: - name: janky-solutions-homeserver-database-nodeport - namespace: matrix -spec: - type: NodePort - ports: - - name: postgresql - port: 5432 - nodePort: 30003 - selector: - k8s.home.finn.io: janky-solutions-homeserver-database - spilo-role: master diff --git a/k8s/matrix/kustomization.yaml b/k8s/matrix/kustomization.yaml index deb12be..d9522ef 100644 --- a/k8s/matrix/kustomization.yaml +++ b/k8s/matrix/kustomization.yaml @@ -24,3 +24,6 @@ configMapGenerator: - appservices-janky.solutions/facebook.yaml - appservices-janky.solutions/telegram.yaml - appservices-janky.solutions/signal.yaml + - name: mas-janky-solutions + files: + - mas/config.yaml 
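Review bot: The new `mas-janky-solutions` Deployment ships a permanent `debug` sidecar (`library/debian:latest`, `while true; do sleep 300; done`) that mounts the same `data` emptyDir into which the init container writes the rendered `/data/config.yaml` — MAS signing keys, encryption secret, client secret and the Synapse admin token in plaintext — so anyone with `pods/exec` in the namespace gets all of them through a container with no runtime purpose. Drop the sidecar from the committed manifest and use `kubectl debug` with an ephemeral container when a shell is needed. Separately, the MAS `Ingress` that replaces the removed one carries neither the `cert-manager.io/cluster-issuer: letsencrypt` annotation the old object had nor any `tls:` stanza, so unless the controller applies a default certificate the OAuth endpoints on `matrix-auth.janky.solutions` are reachable over plaintext HTTP; confirm before rollout. Lastly, the `/_matrix` and `/_matrix/client/unstable/org.matrix.msc3575/sync` IngressRoute rules overlap and rely on Traefik's implicit length-based ordering; an explicit `priority:` on the sliding-sync rule would make the intent survive future edits.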
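Review bot: The `pg_hba` override is kept as a comment instead of being removed, and the commented copy silently changes `hostnossl all all all reject` to `hostnossl all all all md5`, so whoever uncomments it later will enable password authentication over unencrypted connections to the database that now holds the Matrix, sliding-sync and MAS data. If the intent is to fall back to the operator's default rules, delete the twelve commented lines; if a custom rule set is to return, keep the `reject` line. Removing the NodePort service is a clear improvement; with it gone the remaining exposure is intra-cluster, which makes the `hostnossl` policy the last control on credentials in transit.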
diff --git a/k8s/matrix/mas/config.yaml b/k8s/matrix/mas/config.yaml
new file mode 100644
index 0000000..50dff66
--- /dev/null
+++ b/k8s/matrix/mas/config.yaml
@@ -0,0 +1,89 @@
+http:
+ listeners:
+ - name: web
+ resources:
+ - name: discovery
+ - name: human
+ - name: oauth
+ - name: compat
+ - name: graphql
+ - name: assets
+ binds:
+ - address: "[::]:8080"
+ proxy_protocol: false
+ - name: internal
+ resources:
+ - name: health
+ binds:
+ - host: "0.0.0.0"
+ port: 8081
+ proxy_protocol: false
+ trusted_proxies:
+ - 192.168.0.0/16
+ - 172.16.0.0/12
+ - 10.0.0.0/10
+ - 127.0.0.1/8
+ - fd00::/8
+ - ::1/128
+ public_base: https://matrix-auth.janky.solutions/
+ # issuer: http://[::]:8080/
+database:
+ uri: postgresql://mas@janky-solutions-homeserver-database.matrix.svc.cluster.local/mas
+ max_connections: 10
+ min_connections: 0
+ connect_timeout: 30
+ idle_timeout: 600
+ max_lifetime: 1800
+email:
+ from: '"Matrix Authentication Service" '
+ reply_to: '"Matrix Authentication Service" '
+ transport: blackhole
+secrets:
+ encryption: SECRET_ENCRYPTION
+ keys:
+ - kid: fjm6GxWLms
+ key: |
+ SECRET_KEY_0
+ - kid: SszPRpg6Lm
+ key: |
+ SECRET_KEY_1
+ - kid: f3dAhzd5lq
+ key: |
+ SECRET_KEY_2
+ - kid: yLREYJJQV4
+ key: |
+ SECRET_KEY_3
+passwords:
+ enabled: false
+matrix:
+ homeserver: janky.solutions
+ secret: SECRET_ADMIN_SECRET
+ endpoint: http://homeserver-janky-solutions:8008/
+clients:
+ - client_id: 01J5VH0VE08DMM5TMNSS9A4J31
+ client_auth_method: client_secret_basic
+ client_secret: SECRET_CLIENT_SECRET
+metrics:
+ exporter: prometheus
+upstream_oauth2:
+ providers:
+ - id: 01J5VF4J9NQQP1E2MAWQFHPMG8
+ human_name: Janky Solutions
+ issuer: https://auth.janky.solutions/realms/janky.solutions
+ token_endpoint_auth_method: client_secret_basic
+ client_id: matrix
+ client_secret: "SECRET_oidc_secret"
+ scope: "openid profile email"
+ claims_imports:
+ localpart:
+ action: require
+ template: "{{ user.preferred_username }}"
+ displayname:
+ action: suggest
+ template: "{{ user.name }}"
+ email:
+ action: suggest
+ template: "{{ user.email }}"
+ set_email_verification: always
+account:
+ email_change_allowed: false
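Review bot: `http.trusted_proxies` trusts every RFC1918 range, so any workload in the cluster can forge `X-Forwarded-For` toward MAS and skew whatever MAS derives from the client address (session records, rate limits, audit data); narrow it to the address range of the Traefik pods that actually front the service, e.g. `trusted_proxies: ["<traefik-pod-cidr>"]`. Within that list, `10.0.0.0/10` looks like a slip for `10.0.0.0/8` unless it was copied verbatim from the MAS sample config — confirm, since a pod CIDR above 10.63.255.255 would fall outside it. Two smaller things: `email.from` and `email.reply_to` hold only a display name with no address (possibly lost in rendering, but check the committed file), and `set_email_verification: always` records the Keycloak `email` claim as verified without consulting `email_verified`, which is only sound if the realm itself enforces verification before issuing the claim. The `SECRET_KEY_n` placeholders sit inside `|` block scalars, so the substitution script must indent every continuation line of the PEM it inserts or the rendered file will not parse — I cannot see that part of the script from here.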
diff --git a/k8s/matrix/secrets-init.yaml b/k8s/matrix/secrets-init.yaml index cf4da1b..5941904 100644 --- a/k8s/matrix/secrets-init.yaml +++ b/k8s/matrix/secrets-init.yaml @@ -20,5 +20,8 @@ data: c = c.replace(k, v) print("replaced", k) + if os.getenv("DEBUG_PRINT_SECRETS_IN_PLAINTEXT") == "i promise to rotate the secrets after I do this": + print(c) + with open(f"/data/{f}", 'w') as w: w.write(c)
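Review bot: The new `DEBUG_PRINT_SECRETS_IN_PLAINTEXT` branch prints the fully rendered config — MAS signing keys, encryption secret, client secret and the Synapse admin token — to stdout, i.e. into the container log that `kubectl logs` readers and any log shipper retain, usually for longer and for a wider audience than the Secret object itself; the magic value in the comparison records an intent to rotate but enforces nothing. If a plaintext dump is needed for debugging, write it to a file on the pod-scoped `data` volume (`/data/rendered.debug`) and print only a pointer to it, so the material dies with the pod. The check also calls `os.getenv`, so `os` must already be imported in the part of the script above this hunk — worth confirming, because a `NameError` here would only surface once the variable is set. The enclosing script continues outside the hunk.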