matrix: add services required for ElementX to work (sliding-sync + MAS)

2024-08-22 12:33:10 -07:00 · 2024-08-22 12:33:10 -07:00 · b8e56eab20
commit b8e56eab20
parent afe3974f2f
5 changed files with 318 additions and 47 deletions
--- a/k8s/matrix/config-janky.solutions/homeserver.yaml
+++ b/k8s/matrix/config-janky.solutions/homeserver.yaml
@ -26,18 +26,18 @@ trusted_key_servers:
  - server_name: "matrix.org"
 public_baseurl: https://matrix.janky.solutions
 ip_range_whitelist: [10.5.1.245,10.5.1.1]
-oidc_providers:
-  - idp_id: keycloak
-    idp_name: "Janky Solutions Auth"
-    issuer: "https://auth.janky.solutions/realms/janky.solutions"
-    client_id: "synapse"
-    client_secret: SECRET_oidc_secret
-    scopes: ["openid", "profile"]
-    user_mapping_provider:
-      config:
-        localpart_template: "{{ user.preferred_username }}"
-        display_name_template: "{{ user.name }}"
-    backchannel_logout_enabled: true # Optional
+# oidc_providers:
+#   - idp_id: keycloak
+#     idp_name: "Janky Solutions Auth"
+#     issuer: "https://auth.janky.solutions/realms/janky.solutions/"
+#     client_id: "synapse"
+#     client_secret: SECRET_oidc_secret
+#     scopes: ["openid", "profile"]
+#     user_mapping_provider:
+#       config:
+#         localpart_template: "{{ user.preferred_username }}"
+#         display_name_template: "{{ user.name }}"
+#     backchannel_logout_enabled: true # Optional
 password_config:
  enabled: false
 app_service_config_files:
@ -77,3 +77,22 @@ media_storage_providers:
    # to S3. Each thread manages a single connection. Default is 40.
    #
    #threadpool_size: 20
+experimental_features:
+  msc3861:
+    enabled: true
+
+    # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
+    issuer: https://matrix-auth.janky.solutions/
+
+    # Matches the `client_id` in the auth service config
+    client_id: 01J5VH0VE08DMM5TMNSS9A4J31
+    # Matches the `client_auth_method` in the auth service config
+    client_auth_method: client_secret_basic
+    # Matches the `client_secret` in the auth service config
+    client_secret: "SECRET_CLIENT_SECRET"
+
+    # Matches the `matrix.secret` in the auth service config
+    admin_token: "SECRET_ADMIN_SECRET"
+
+    # URL to advertise to clients where users can self-manage their account
+    account_management_url: "https://matrix-auth.janky.solutions/account"
--- a/k8s/matrix/janky.solutions-homeserver.yaml
+++ b/k8s/matrix/janky.solutions-homeserver.yaml
@ -24,7 +24,7 @@ spec:
        fsGroupChangePolicy: "OnRootMismatch"
      initContainers:
        - name: initialize-homeserver-secrets
-          image: library/python
+          image: docker.io/library/python:3
          command: ["python", "/init/initialize-secrets.py", "homeserver.yaml"]
          volumeMounts:
            - name: init
@ -37,7 +37,7 @@ spec:
            - secretRef:
                name: synapse-janky-solutions
        - name: initialize-bridge-secrets
-          image: library/python
+          image: docker.io/library/python:3
          command: ["python", "/init/initialize-secrets.py", "facebook.yaml", "telegram.yaml", "signal.yaml"]
          volumeMounts:
            - name: init
@ -118,22 +118,190 @@ spec:
    app: synapse
    instance: janky.solutions
 ---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sliding-sync-janky-solutions
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sliding-sync-janky-solutions
+  template:
+    metadata:
+      labels:
+        app: sliding-sync-janky-solutions
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8081"
+    spec:
+      containers:
+      - name: sliding-sync
+        image: ghcr.io/matrix-org/sliding-sync:v0.99.19
+        env:
+        - name: SYNCV3_DB
+          value: user=slidingsync dbname=syncv3 host=janky-solutions-homeserver-database
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: slidingsync.janky-solutions-homeserver-database.credentials.postgresql.acid.zalan.do
+              key: password
+        - name: SYNCV3_SERVER
+          value: https://matrix.janky.solutions
+        - name: SYNCV3_PROM
+          value: :8081
+        envFrom:
+        - secretRef:
+            name: sliding-sync-janky-solutions
+        ports:
+        - containerPort: 8008
+          name: http
+        - containerPort: 8081
+          name: metrics
+        resources:
+          limits:
+            cpu: 500m
+            memory: 500Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sliding-sync-janky-solutions
+spec:
+  selector:
+    app: sliding-sync-janky-solutions
+  ports:
+  - port: 8008
+    name: http
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: homeserver-janky-solutions
+spec:
+  routes:
+  - kind: Rule
+    match: Host(`matrix.janky.solutions`) && PathPrefix(`/_synapse/client`)
+    services:
+    - kind: Service
+      name: homeserver-janky-solutions
+      port: 8008
+  - kind: Rule
+    match: Host(`matrix.janky.solutions`) && PathPrefix(`/_matrix`)
+    services:
+    - kind: Service
+      name: homeserver-janky-solutions
+      port: 8008
+  - kind: Rule
+    match: Host(`matrix.janky.solutions`) && PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`)
+    services:
+    - kind: Service
+      name: sliding-sync-janky-solutions
+      port: 8008
+  - kind: Rule
+    match: Host(`matrix.janky.solutions`) && PathPrefix(`/client`)
+    services:
+    - kind: Service
+      name: sliding-sync-janky-solutions
+      port: 8008
+  - kind: Rule
+    match: Host(`matrix.janky.solutions`) && PathRegexp(`^/_matrix/client/(.*)/(login|logout|refresh)$`)
+    services:
+    - kind: Service
+      name: mas-janky-solutions
+      port: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mas-janky-solutions
+spec:
+  selector:
+    matchLabels:
+      app: mas-janky-solutions
+  template:
+    metadata:
+      labels:
+        app: mas-janky-solutions
+    spec:
+      initContainers:
+      - name: initialize-secrets
+        image: docker.io/library/python:3
+        command: ["python", "/init/initialize-secrets.py", "config.yaml"]
+        volumeMounts:
+          - name: init
+            mountPath: /init
+          - name: data
+            mountPath: /data
+          - name: config
+            mountPath: /config
+        envFrom:
+          - secretRef:
+              name: mas-janky-solutions
+      containers:
+      - name: mas-janky-solutions
+        image: ghcr.io/matrix-org/matrix-authentication-service:0.10
+        args: ["server", "-c", "/data/config.yaml"]
+        env:
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: mas.janky-solutions-homeserver-database.credentials.postgresql.acid.zalan.do
+              key: password
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - name: http
+          containerPort: 8080
+        - name: health
+          containerPort: 8081
+        volumeMounts:
+          - name: data
+            mountPath: /data
+      - name: debug
+        image: library/debian:latest
+        command: ["bash", "-c", "while true; do sleep 300; done"]
+        resources: {}
+        volumeMounts:
+          - name: data
+            mountPath: /data
+      volumes:
+        - name: config
+          configMap:
+            name: mas-janky-solutions
+        - name: init
+          configMap:
+            name: secrets-init
+        - name: data
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mas-janky-solutions
+spec:
+  selector:
+    app: mas-janky-solutions
+  ports:
+  - port: 8080
+    name: http
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: homeserver-janky-solutions
-  annotations:
-     cert-manager.io/cluster-issuer: letsencrypt
+  name: mas-janky-solutions
 spec:
  rules:
-    - host: matrix.janky.solutions
+    - host: matrix-auth.janky.solutions
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
-                name:  homeserver-janky-solutions
+                name:  mas-janky-solutions
                port:
                  name: http
 ---
@ -144,49 +312,38 @@ metadata:
 spec:
  teamId: matrix
  volume:
-    size: 10Gi
+    size: 50Gi
  numberOfInstances: 2
  users:
    superuser:
    - superuser
    - createdb
    matrix: []
+    slidingsync: []
+    mas: []
  databases:
    matrix: matrix
+    syncv3: slidingsync
+    mas: mas
  patroni:
    initdb:
      encoding: UTF8
      locale: C
-    pg_hba:
-      - local     all             all                                   trust
-      - hostssl   all             +zalandos          127.0.0.1/32       pam
-      - host      all             all                127.0.0.1/32       md5
-      - hostssl   all             +zalandos          ::1/128            pam
-      - host      all             all                ::1/128            md5
-      - local     replication     standby                               trust
-      - hostssl   replication     standby            all                md5
-      - hostnossl all             all                all                reject
-      - hostssl   all             +zalandos          all                pam
-      - hostssl   all             all                all                md5
-      - host      all             all                all                md5
+    # pg_hba:
+    #   - local     all             all                                   trust
+    #   - hostssl   all             +zalandos          127.0.0.1/32       pam
+    #   - host      all             all                127.0.0.1/32       md5
+    #   - hostssl   all             +zalandos          ::1/128            pam
+    #   - host      all             all                ::1/128            md5
+    #   - local     replication     standby                               trust
+    #   - hostssl   replication     standby            all                md5
+    #   - hostnossl all             all                all                md5
+    #   - hostssl   all             +zalandos          all                pam
+    #   - hostssl   all             all                all                md5
+    #   - host      all             all                all                md5
  resources:
    limits:
      cpu: "4"
      memory: 4Gi
  postgresql:
    version: "16"
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: janky-solutions-homeserver-database-nodeport
-  namespace: matrix
-spec:
-  type: NodePort
-  ports:
-  - name: postgresql
-    port: 5432
-    nodePort: 30003
-  selector:
-    k8s.home.finn.io: janky-solutions-homeserver-database
-    spilo-role: master
--- a/k8s/matrix/kustomization.yaml
+++ b/k8s/matrix/kustomization.yaml
@ -24,3 +24,6 @@ configMapGenerator:
      - appservices-janky.solutions/facebook.yaml
      - appservices-janky.solutions/telegram.yaml
      - appservices-janky.solutions/signal.yaml
+  - name: mas-janky-solutions
+    files:
+      - mas/config.yaml
--- a/k8s/matrix/mas/config.yaml
+++ b/k8s/matrix/mas/config.yaml
@ -0,0 +1,89 @@
+http:
+  listeners:
+  - name: web
+    resources:
+    - name: discovery
+    - name: human
+    - name: oauth
+    - name: compat
+    - name: graphql
+    - name: assets
+    binds:
+    - address: "[::]:8080"
+    proxy_protocol: false
+  - name: internal
+    resources:
+    - name: health
+    binds:
+    - host: "0.0.0.0"
+      port: 8081
+    proxy_protocol: false
+  trusted_proxies:
+  - 192.168.0.0/16
+  - 172.16.0.0/12
+  - 10.0.0.0/10
+  - 127.0.0.1/8
+  - fd00::/8
+  - ::1/128
+  public_base: https://matrix-auth.janky.solutions/
+  # issuer: http://[::]:8080/
+database:
+  uri: postgresql://mas@janky-solutions-homeserver-database.matrix.svc.cluster.local/mas
+  max_connections: 10
+  min_connections: 0
+  connect_timeout: 30
+  idle_timeout: 600
+  max_lifetime: 1800
+email:
+  from: '"Matrix Authentication Service" <matrix@janky.solutions>'
+  reply_to: '"Matrix Authentication Service" <matrix@janky.solutions>'
+  transport: blackhole
+secrets:
+  encryption: SECRET_ENCRYPTION
+  keys:
+  - kid: fjm6GxWLms
+    key: |
+      SECRET_KEY_0
+  - kid: SszPRpg6Lm
+    key: |
+      SECRET_KEY_1
+  - kid: f3dAhzd5lq
+    key: |
+      SECRET_KEY_2
+  - kid: yLREYJJQV4
+    key: |
+      SECRET_KEY_3
+passwords:
+  enabled: false
+matrix:
+  homeserver: janky.solutions
+  secret: SECRET_ADMIN_SECRET
+  endpoint: http://homeserver-janky-solutions:8008/
+clients:
+  - client_id: 01J5VH0VE08DMM5TMNSS9A4J31
+    client_auth_method: client_secret_basic
+    client_secret: SECRET_CLIENT_SECRET
+metrics:
+  exporter: prometheus
+upstream_oauth2:
+  providers:
+    - id: 01J5VF4J9NQQP1E2MAWQFHPMG8
+      human_name: Janky Solutions
+      issuer: https://auth.janky.solutions/realms/janky.solutions
+      token_endpoint_auth_method: client_secret_basic
+      client_id: matrix
+      client_secret: "SECRET_oidc_secret"
+      scope: "openid profile email"
+      claims_imports:
+        localpart:
+          action: require
+          template: "{{ user.preferred_username }}"
+        displayname:
+          action: suggest
+          template: "{{ user.name }}"
+        email:
+          action: suggest
+          template: "{{ user.email }}"
+          set_email_verification: always
+account:
+  email_change_allowed: false
--- a/k8s/matrix/secrets-init.yaml
+++ b/k8s/matrix/secrets-init.yaml
@ -20,5 +20,8 @@ data:
          c = c.replace(k, v)
          print("replaced", k)

+      if os.getenv("DEBUG_PRINT_SECRETS_IN_PLAINTEXT") == "i promise to rotate the secrets after I do this":
+        print(c)
+
      with open(f"/data/{f}", 'w') as w:
        w.write(c)