matrix: add services required for ElementX to work (sliding-sync + MAS)

This commit is contained in:
Finn 2024-08-22 12:33:10 -07:00
parent afe3974f2f
commit b8e56eab20
5 changed files with 318 additions and 47 deletions


@ -26,18 +26,18 @@ trusted_key_servers:
- server_name: "matrix.org" - server_name: "matrix.org"
public_baseurl: https://matrix.janky.solutions public_baseurl: https://matrix.janky.solutions
ip_range_whitelist: [10.5.1.245,10.5.1.1] ip_range_whitelist: [10.5.1.245,10.5.1.1]
oidc_providers: # oidc_providers:
- idp_id: keycloak # - idp_id: keycloak
idp_name: "Janky Solutions Auth" # idp_name: "Janky Solutions Auth"
issuer: "https://auth.janky.solutions/realms/janky.solutions" # issuer: "https://auth.janky.solutions/realms/janky.solutions/"
client_id: "synapse" # client_id: "synapse"
client_secret: SECRET_oidc_secret # client_secret: SECRET_oidc_secret
scopes: ["openid", "profile"] # scopes: ["openid", "profile"]
user_mapping_provider: # user_mapping_provider:
config: # config:
localpart_template: "{{ user.preferred_username }}" # localpart_template: "{{ user.preferred_username }}"
display_name_template: "{{ user.name }}" # display_name_template: "{{ user.name }}"
backchannel_logout_enabled: true # Optional # backchannel_logout_enabled: true # Optional
password_config: password_config:
enabled: false enabled: false
app_service_config_files: app_service_config_files:
@ -77,3 +77,22 @@ media_storage_providers:
# to S3. Each thread manages a single connection. Default is 40. # to S3. Each thread manages a single connection. Default is 40.
# #
#threadpool_size: 20 #threadpool_size: 20
experimental_features:
msc3861:
enabled: true
# Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
issuer: https://matrix-auth.janky.solutions/
# Matches the `client_id` in the auth service config
client_id: 01J5VH0VE08DMM5TMNSS9A4J31
# Matches the `client_auth_method` in the auth service config
client_auth_method: client_secret_basic
# Matches the `client_secret` in the auth service config
client_secret: "SECRET_CLIENT_SECRET"
# Matches the `matrix.secret` in the auth service config
admin_token: "SECRET_ADMIN_SECRET"
# URL to advertise to clients where users can self-manage their account
account_management_url: "https://matrix-auth.janky.solutions/account"
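Review bot: The `oidc_providers` block at the top of this file is kept but commented out, so the file now carries two login configurations with nothing saying which one is live or why the dead one remains. Either delete it or head it with a comment such as `# Superseded by experimental_features.msc3861 below (MAS now fronts the Keycloak login); kept only for rollback.` The new `msc3861` block is annotated line by line, which is the right standard; note that `client_secret` and `admin_token` are placeholders the init container substitutes, the same mechanism previously used for `SECRET_oidc_secret`, so nothing here should ever hold a literal value.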


@ -24,7 +24,7 @@ spec:
fsGroupChangePolicy: "OnRootMismatch" fsGroupChangePolicy: "OnRootMismatch"
initContainers: initContainers:
- name: initialize-homeserver-secrets - name: initialize-homeserver-secrets
image: library/python image: docker.io/library/python:3
command: ["python", "/init/initialize-secrets.py", "homeserver.yaml"] command: ["python", "/init/initialize-secrets.py", "homeserver.yaml"]
volumeMounts: volumeMounts:
- name: init - name: init
@ -37,7 +37,7 @@ spec:
- secretRef: - secretRef:
name: synapse-janky-solutions name: synapse-janky-solutions
- name: initialize-bridge-secrets - name: initialize-bridge-secrets
image: library/python image: docker.io/library/python:3
command: ["python", "/init/initialize-secrets.py", "facebook.yaml", "telegram.yaml", "signal.yaml"] command: ["python", "/init/initialize-secrets.py", "facebook.yaml", "telegram.yaml", "signal.yaml"]
volumeMounts: volumeMounts:
- name: init - name: init
@ -118,22 +118,190 @@ spec:
app: synapse app: synapse
instance: janky.solutions instance: janky.solutions
--- ---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sliding-sync-janky-solutions
spec:
replicas: 1
selector:
matchLabels:
app: sliding-sync-janky-solutions
template:
metadata:
labels:
app: sliding-sync-janky-solutions
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8081"
spec:
containers:
- name: sliding-sync
image: ghcr.io/matrix-org/sliding-sync:v0.99.19
env:
- name: SYNCV3_DB
value: user=slidingsync dbname=syncv3 host=janky-solutions-homeserver-database
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: slidingsync.janky-solutions-homeserver-database.credentials.postgresql.acid.zalan.do
key: password
- name: SYNCV3_SERVER
value: https://matrix.janky.solutions
- name: SYNCV3_PROM
value: :8081
envFrom:
- secretRef:
name: sliding-sync-janky-solutions
ports:
- containerPort: 8008
name: http
- containerPort: 8081
name: metrics
resources:
limits:
cpu: 500m
memory: 500Mi
---
apiVersion: v1
kind: Service
metadata:
name: sliding-sync-janky-solutions
spec:
selector:
app: sliding-sync-janky-solutions
ports:
- port: 8008
name: http
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: homeserver-janky-solutions
spec:
routes:
- kind: Rule
match: Host(`matrix.janky.solutions`) && PathPrefix(`/_synapse/client`)
services:
- kind: Service
name: homeserver-janky-solutions
port: 8008
- kind: Rule
match: Host(`matrix.janky.solutions`) && PathPrefix(`/_matrix`)
services:
- kind: Service
name: homeserver-janky-solutions
port: 8008
- kind: Rule
match: Host(`matrix.janky.solutions`) && PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`)
services:
- kind: Service
name: sliding-sync-janky-solutions
port: 8008
- kind: Rule
match: Host(`matrix.janky.solutions`) && PathPrefix(`/client`)
services:
- kind: Service
name: sliding-sync-janky-solutions
port: 8008
- kind: Rule
match: Host(`matrix.janky.solutions`) && PathRegexp(`^/_matrix/client/(.*)/(login|logout|refresh)$`)
services:
- kind: Service
name: mas-janky-solutions
port: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mas-janky-solutions
spec:
selector:
matchLabels:
app: mas-janky-solutions
template:
metadata:
labels:
app: mas-janky-solutions
spec:
initContainers:
- name: initialize-secrets
image: docker.io/library/python:3
command: ["python", "/init/initialize-secrets.py", "config.yaml"]
volumeMounts:
- name: init
mountPath: /init
- name: data
mountPath: /data
- name: config
mountPath: /config
envFrom:
- secretRef:
name: mas-janky-solutions
containers:
- name: mas-janky-solutions
image: ghcr.io/matrix-org/matrix-authentication-service:0.10
args: ["server", "-c", "/data/config.yaml"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: mas.janky-solutions-homeserver-database.credentials.postgresql.acid.zalan.do
key: password
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- name: http
containerPort: 8080
- name: health
containerPort: 8081
volumeMounts:
- name: data
mountPath: /data
- name: debug
image: library/debian:latest
command: ["bash", "-c", "while true; do sleep 300; done"]
resources: {}
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: config
configMap:
name: mas-janky-solutions
- name: init
configMap:
name: secrets-init
- name: data
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: mas-janky-solutions
spec:
selector:
app: mas-janky-solutions
ports:
- port: 8080
name: http
---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: homeserver-janky-solutions name: mas-janky-solutions
annotations:
cert-manager.io/cluster-issuer: letsencrypt
spec: spec:
rules: rules:
- host: matrix.janky.solutions - host: matrix-auth.janky.solutions
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: homeserver-janky-solutions name: mas-janky-solutions
port: port:
name: http name: http
--- ---
@ -144,49 +312,38 @@ metadata:
spec: spec:
teamId: matrix teamId: matrix
volume: volume:
size: 10Gi size: 50Gi
numberOfInstances: 2 numberOfInstances: 2
users: users:
superuser: superuser:
- superuser - superuser
- createdb - createdb
matrix: [] matrix: []
slidingsync: []
mas: []
databases: databases:
matrix: matrix matrix: matrix
syncv3: slidingsync
mas: mas
patroni: patroni:
initdb: initdb:
encoding: UTF8 encoding: UTF8
locale: C locale: C
pg_hba: # pg_hba:
- local all all trust # - local all all trust
- hostssl all +zalandos 127.0.0.1/32 pam # - hostssl all +zalandos 127.0.0.1/32 pam
- host all all 127.0.0.1/32 md5 # - host all all 127.0.0.1/32 md5
- hostssl all +zalandos ::1/128 pam # - hostssl all +zalandos ::1/128 pam
- host all all ::1/128 md5 # - host all all ::1/128 md5
- local replication standby trust # - local replication standby trust
- hostssl replication standby all md5 # - hostssl replication standby all md5
- hostnossl all all all reject # - hostnossl all all all md5
- hostssl all +zalandos all pam # - hostssl all +zalandos all pam
- hostssl all all all md5 # - hostssl all all all md5
- host all all all md5 # - host all all all md5
resources: resources:
limits: limits:
cpu: "4" cpu: "4"
memory: 4Gi memory: 4Gi
postgresql: postgresql:
version: "16" version: "16"
---
apiVersion: v1
kind: Service
metadata:
name: janky-solutions-homeserver-database-nodeport
namespace: matrix
spec:
type: NodePort
ports:
- name: postgresql
port: 5432
nodePort: 30003
selector:
k8s.home.finn.io: janky-solutions-homeserver-database
spilo-role: master
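Review bot: The `debug` sidecar in the new `mas-janky-solutions` Deployment mounts the `data` volume, which after the init container runs holds the rendered `config.yaml` with the encryption secret, all four signing keys and both client secrets, so an idle shell container with `exec` access reads every MAS secret; it also runs `library/debian:latest` unpinned with `resources: {}`, while the same commit pins the python init images to `docker.io/library/python:3`. I would drop the sidecar from the committed manifest (an ephemeral debug container attached on demand reaches the same volume when genuinely needed), or at minimum pin the image, set limits, and add `# debug shell: has read access to the rendered MAS secrets in /data` so the exposure is deliberate. Separately, the last hunk of this file comments out the entire `pg_hba` list, handing access rules back to the operator default; if the intent was the `hostnossl all all all reject` → `md5` relaxation visible in the commented copy, that decision should be stated in a comment rather than left for the reader to infer.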


@ -24,3 +24,6 @@ configMapGenerator:
- appservices-janky.solutions/facebook.yaml - appservices-janky.solutions/facebook.yaml
- appservices-janky.solutions/telegram.yaml - appservices-janky.solutions/telegram.yaml
- appservices-janky.solutions/signal.yaml - appservices-janky.solutions/signal.yaml
- name: mas-janky-solutions
files:
- mas/config.yaml


@ -0,0 +1,89 @@
http:
listeners:
- name: web
resources:
- name: discovery
- name: human
- name: oauth
- name: compat
- name: graphql
- name: assets
binds:
- address: "[::]:8080"
proxy_protocol: false
- name: internal
resources:
- name: health
binds:
- host: "0.0.0.0"
port: 8081
proxy_protocol: false
trusted_proxies:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/10
- 127.0.0.1/8
- fd00::/8
- ::1/128
public_base: https://matrix-auth.janky.solutions/
# issuer: http://[::]:8080/
database:
uri: postgresql://mas@janky-solutions-homeserver-database.matrix.svc.cluster.local/mas
max_connections: 10
min_connections: 0
connect_timeout: 30
idle_timeout: 600
max_lifetime: 1800
email:
from: '"Matrix Authentication Service" <matrix@janky.solutions>'
reply_to: '"Matrix Authentication Service" <matrix@janky.solutions>'
transport: blackhole
secrets:
encryption: SECRET_ENCRYPTION
keys:
- kid: fjm6GxWLms
key: |
SECRET_KEY_0
- kid: SszPRpg6Lm
key: |
SECRET_KEY_1
- kid: f3dAhzd5lq
key: |
SECRET_KEY_2
- kid: yLREYJJQV4
key: |
SECRET_KEY_3
passwords:
enabled: false
matrix:
homeserver: janky.solutions
secret: SECRET_ADMIN_SECRET
endpoint: http://homeserver-janky-solutions:8008/
clients:
- client_id: 01J5VH0VE08DMM5TMNSS9A4J31
client_auth_method: client_secret_basic
client_secret: SECRET_CLIENT_SECRET
metrics:
exporter: prometheus
upstream_oauth2:
providers:
- id: 01J5VF4J9NQQP1E2MAWQFHPMG8
human_name: Janky Solutions
issuer: https://auth.janky.solutions/realms/janky.solutions
token_endpoint_auth_method: client_secret_basic
client_id: matrix
client_secret: "SECRET_oidc_secret"
scope: "openid profile email"
claims_imports:
localpart:
action: require
template: "{{ user.preferred_username }}"
displayname:
action: suggest
template: "{{ user.name }}"
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
account:
email_change_allowed: false
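Review bot: The signing keys under `secrets.keys` are block scalars (`key: |` over a `SECRET_KEY_n` placeholder) that the init container fills with a plain `str.replace`; a multi-line PEM inserted that way keeps the block indent only on its first line, and the remaining lines land at column 0 where the parser ends the scalar, so the file loads only if the stored secret values are pre-indented to this column or single-line. A comment above `keys:` should say so, e.g. `# SECRET_KEY_n are substituted verbatim by initialize-secrets.py; store each with every line indented to match, or the block scalar breaks.` The `trusted_proxies` list appears to be the MAS default, including the non-canonical `10.0.0.0/10` and `127.0.0.1/8` entries; since MAS sits behind a known ingress, narrowing it to that ingress's source range keeps forwarded client addresses from being spoofable by other in-cluster callers. `transport: blackhole` is consistent with `passwords.enabled: false` and `set_email_verification: always`, but a one-line comment that MAS never sends mail in this deployment would spare the next reader the inference.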


@ -20,5 +20,8 @@ data:
c = c.replace(k, v) c = c.replace(k, v)
print("replaced", k) print("replaced", k)
if os.getenv("DEBUG_PRINT_SECRETS_IN_PLAINTEXT") == "i promise to rotate the secrets after I do this":
print(c)
with open(f"/data/{f}", 'w') as w: with open(f"/data/{f}", 'w') as w:
w.write(c) w.write(c)
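Review bot: The new `DEBUG_PRINT_SECRETS_IN_PLAINTEXT` branch prints the fully rendered file, so with the gate set every secret substituted into `homeserver.yaml`, `config.yaml` and the bridge configs goes to the init container's stdout, which is pod log and is typically collected by whatever log aggregation the cluster runs; the magic phrase makes the opt-in deliberate but does nothing about where the output persists. A comment on the `if` line should make that cost visible, e.g. `# Dumps rendered config with real secrets to container stdout (and any log collector); rotate afterwards, as the phrase says.`, and printing which placeholders were replaced rather than the whole content would cover most debugging without it. The enclosing `for` loop and the rest of the script begin before this hunk.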