matrix: deploy hookshot

2025-03-31 00:38:56 -07:00 · 2025-03-31 00:38:56 -07:00 · e0d12d622e
commit e0d12d622e
parent c68e807056
7 changed files with 187 additions and 26 deletions
--- a/k8s/matrix/bridge-hookshot.yaml
+++ b/k8s/matrix/bridge-hookshot.yaml
@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: hookshot
+  name: bridge-hookshot
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hookshot
+  template:
+    metadata:
+      labels:
+        app: hookshot
+    spec:
+      containers:
+      - image: halfshot/matrix-hookshot:6.0.0
+        name: hookshot
+        ports:
+        - containerPort: 9000
+          name: webhook
+          protocol: TCP
+        - containerPort: 9001
+          name: metrics
+          protocol: TCP
+        - containerPort: 9002
+          name: appservice
+          protocol: TCP
+        readinessProbe: null
+        resources: {}
+        volumeMounts:
+        - mountPath: /data
+          name: config
+      volumes:
+      - secret:
+          secretName: bridge-hookshot-config
+        name: config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: Helm
+    app: hookshot
+    app.kubernetes.io/version: 4.2.0
+    helm.sh/chart: hookshot-0.1.13
+  name: hookshot
+spec:
+  ports:
+  - name: webhook
+    port: 9000
+    protocol: TCP
+    targetPort: webhook
+  - name: metrics
+    port: 9001
+    protocol: TCP
+    targetPort: metrics
+  - name: appservice
+    port: 9002
+    protocol: TCP
+    targetPort: appservice
+  selector:
+    app: hookshot
+  type: ClusterIP
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: bridge-hookshot
+spec:
+  secretStoreRef:
+    kind: SecretStore
+    name: openbao
+  target:
+    name: bridge-hookshot-config
+    template:
+      engineVersion: v2
+      templateFrom:
+      - target: Data
+        configMap:
+          name: bridge-hookshot
+          items:
+          - key: config.yml
+          - key: passkey.pem
+          - key: registration.yml
+  dataFrom:
+    - extract:
+        key: matrix/default/bridge-hookshot
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bridge-hookshot
+  labels:
+    name: bridge-hookshot
+spec:
+  rules:
+  - host: hookshot.janky.bot
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: bridge-hookshot
+            port: 
+              number: 9000
--- a/k8s/matrix/config-janky.bot/appservice-hookshot.yaml
+++ b/k8s/matrix/config-janky.bot/appservice-hookshot.yaml
@ -0,0 +1,14 @@
+id: hookshot
+url: http://bridge-hookshot:9002
+as_token: {{ .hookshotASToken }}
+hs_token: {{ .hookshotHSToken }}
+sender_localpart: hookshot
+rate_limited: false
+namespaces:
+    users:
+        - regex: ^@hookshot:janky\.bot$
+          exclusive: true
+        - regex: ^@hookshot_.*:janky\.bot$
+          exclusive: true
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
--- a/k8s/matrix/config-janky.bot/homeserver.yaml
+++ b/k8s/matrix/config-janky.bot/homeserver.yaml
@ -17,12 +17,14 @@ database:
    database: /data/homeserver.db
 log_config: "/config/log.yaml"
 media_store_path: /data/media_store
-registration_shared_secret: "SECRET_registration_shared_secret"
+registration_shared_secret: "{{ .registration_shared_secret }}"
 report_stats: false
-macaroon_secret_key: "SECRET_macaroon_secret_key"
-form_secret: "SECRET_form_secret"
-signing_key_path: "/secrets/janky.bot.signing.key"
+macaroon_secret_key: "{{ .macaroon_secret_key }}"
+form_secret: "{{ .form_secret }}"
+signing_key_path: "/config/janky.bot.signing.key"
 trusted_key_servers:
  - server_name: "matrix.org"
 public_baseurl: https://matrix.janky.bot
 ip_range_whitelist: [10.5.1.245,10.5.1.1]
+app_service_config_files:
+  - /config/appservice-hookshot.yaml
--- a/k8s/matrix/config-janky.bot/janky.bot.signing.key
+++ b/k8s/matrix/config-janky.bot/janky.bot.signing.key
@ -0,0 +1 @@
+{{ .signingKey }}
--- a/k8s/matrix/janky.bot-homeserver.yaml
+++ b/k8s/matrix/janky.bot-homeserver.yaml
@ -22,20 +22,6 @@ spec:
      securityContext:
        fsGroup: 991
        fsGroupChangePolicy: "OnRootMismatch"
-      initContainers:
-        - name: initialize-secrets
-          image: library/python
-          command: ["python", "/init/initialize-secrets.py", "homeserver.yaml"]
-          volumeMounts:
-            - name: init
-              mountPath: /init
-            - name: data
-              mountPath: /data
-            - name: config
-              mountPath: /config
-          envFrom:
-            - secretRef:
-                name: synapse-janky-bot
      containers:
      - image: matrixdotorg/synapse:v1.127.1
        name: synapse
@ -45,8 +31,6 @@ spec:
            mountPath: /data
          - name: config
            mountPath: /config
-          - name: secrets
-            mountPath: /secrets
        env:
          - name: SYNAPSE_SERVER_NAME
            value: matrix.janky.bot
@ -54,14 +38,10 @@ spec:
            value: "no"
          - name: TZ
            value: America/Los_Angeles
+          - name: SYNAPSE_CONFIG_DIR
+            value: /config
      volumes:
        - name: config
-          configMap:
-            name: synapse-janky-bot
-        - name: init
-          configMap:
-            name: secrets-init
-        - name: secrets
          secret:
            secretName: synapse-janky-bot
  volumeClaimTemplates:
@ -106,3 +86,30 @@ spec:
                name:  homeserver-janky-bot
                port:
                  name: http
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: synapse-janky-bot
+spec:
+  secretStoreRef:
+    kind: SecretStore
+    name: openbao
+  target:
+    name: synapse-janky-bot
+    template:
+      engineVersion: v2
+      templateFrom:
+      - target: Data
+        configMap:
+          name: synapse-janky-bot
+          items:
+          - key: appservice-hookshot.yaml
+          - key: homeserver.yaml
+          - key: janky.bot.signing.key
+          - key: log.yaml
+  dataFrom:
+    - extract:
+        key: matrix/default/synapse-janky.bot
+    - extract:
+        key: matrix/default/bridge-hookshot
--- a/k8s/matrix/kustomization.yaml
+++ b/k8s/matrix/kustomization.yaml
@ -4,15 +4,21 @@ namespace: matrix
 resources:
 - namespace.yaml
 #  - bridge-facebook.yaml
+ - bridge-hookshot.yaml
 - bridge-signal.yaml
 - janky.bot-homeserver.yaml
 - janky.solutions-homeserver.yaml
 - secrets.yaml
+ - secret-store.yaml
 - secrets-init.yaml
 configMapGenerator:
  - name: synapse-janky-bot
+    options:
+      disableNameSuffixHash: true
    files:
+      - config-janky.bot/appservice-hookshot.yaml
      - config-janky.bot/homeserver.yaml
+      - config-janky.bot/janky.bot.signing.key
      - config-janky.bot/log.yaml
  - name: synapse-janky-solutions
    files:
@ -25,3 +31,10 @@ configMapGenerator:
  - name: mas-janky-solutions
    files:
      - mas/config.yaml
+  - name: bridge-hookshot
+    options:
+      disableNameSuffixHash: true
+    files:
+      - hookshot/config.yml
+      - hookshot/passkey.pem
+      - hookshot/registration.yml
--- a/k8s/matrix/secret-store.yaml
+++ b/k8s/matrix/secret-store.yaml
@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openbao
+spec:
+  provider:
+    vault:
+      server: http://openbao.openbao:8200
+      path: static-secrets
+      version: v2
+      auth:
+        kubernetes:
+          mountPath: kubernetes
+          role: kubernetes-default
+          serviceAccountRef:
+            name: default