--- apiVersion: apps/v1 kind: Deployment metadata: name: {{ .Release.Name }}-matrix spec: selector: matchLabels: app: {{ .Release.Name }}-matrix replicas: 1 template: metadata: labels: app: {{ .Release.Name }}-matrix use-as-service: {{ .Release.Name }} spec: initContainers: - name: wait-for-cert image: busybox command: - sh - -c - until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done volumeMounts: - name: etcletsencrypt mountPath: "/etc/letsencrypt" containers: # This container will only start *after* the cert has been placed - name: nginx image: nginx:1.21-alpine ports: - containerPort: 443 volumeMounts: - name: nginx-config mountPath: "/etc/nginx/conf.d/" - name: etcletsencrypt mountPath: "/etc/letsencrypt" - name: postgres image: postgres:13 ports: - containerPort: 5432 envFrom: - configMapRef: name: {{ tpl .Values.identifier . }}-postgres-config # Use subpath to avoid lost+found error volumeMounts: - name: postgres-data mountPath: "/var/lib/postgresql/data" subPath: postgres - name: matrix image: matrixdotorg/synapse:v1.37.1 ports: - containerPort: 8008 env: - name: SYNAPSE_CONFIG_PATH value: "/config/homeserver.yaml" volumeMounts: - name: data mountPath: "/data" - name: matrix-config mountPath: "/config" volumes: - name: etcletsencrypt persistentVolumeClaim: claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs - name: data persistentVolumeClaim: claimName: {{ tpl .Values.identifier . }}-data - name: postgres-data persistentVolumeClaim: claimName: {{ tpl .Values.identifier . }}-postgres-data - name: nginx-config configMap: name: {{ tpl .Values.identifier . }}-nginx-config - name: matrix-config configMap: name: {{ tpl .Values.identifier . }}-matrix-config --- apiVersion: v1 kind: Service metadata: name: {{ tpl .Values.identifier . }} labels: app: {{ tpl .Values.identifier . }} spec: type: ClusterIP ports: - port: 22 name: ssh # Required for letsencrypt - port: 80 name: http - port: 443 name: https selector: use-as-service: {{ .Release.Name }} # --- # apiVersion: v1 # kind: ConfigMap # metadata: # name: {{ tpl .Values.identifier . }}-matrixconfig # data: # {{ tpl (.Files.Glob "matrix/*").AsConfig . | indent 2 }} --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: {{ tpl .Values.identifier . }}-letsencrypt-certs spec: accessModes: - ReadWriteMany resources: requests: storage: 50Mi storageClassName: rook-cephfs --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: {{ tpl .Values.identifier . }}-data spec: accessModes: - ReadWriteMany resources: requests: storage: 1Gi storageClassName: rook-cephfs --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: {{ tpl .Values.identifier . }}-postgres-data spec: accessModes: - ReadWriteOnce resources: requests: storage: 500Mi storageClassName: rook-ceph-block --- apiVersion: batch/v1 kind: Job metadata: name: {{ tpl .Values.identifier . }}-getcert spec: template: metadata: labels: app: certbot-letsencrypt-getcert use-as-service: {{ .Release.Name }} spec: restartPolicy: Never containers: - name: certbot image: ungleich/ungleich-certbot ports: - containerPort: 80 env: - name: DOMAIN value: "{{ tpl .Values.fqdn . }}" - name: EMAIL value: "{{ .Values.email }}" {{ if eq .Values.letsencryptStaging "no" }} - name: STAGING value: "no" {{ end }} volumeMounts: - name: etcletsencrypt mountPath: "/etc/letsencrypt" volumes: - name: etcletsencrypt persistentVolumeClaim: claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs backoffLimit: 3 --- apiVersion: v1 kind: ConfigMap metadata: name: {{ tpl .Values.identifier . }}-nginx-config data: default.conf: | server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {{ tpl .Values.fqdn . }}; ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem; client_max_body_size 256m; location ~ /_matrix|/_synapse { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://localhost:8008; } } --- apiVersion: v1 kind: ConfigMap metadata: name: {{ tpl .Values.identifier . }}-postgres-config data: POSTGRES_USER: matrix-synapse POSTGRES_DB: matrix-synapse --- apiVersion: v1 kind: ConfigMap metadata: name: {{ tpl .Values.identifier . }}-matrix-config data: homeserver.yaml: | server_name: "{{ .Values.server_name }}" web_client_location: "{{ .Values.web_client_location }}" public_baseurl: "{{ tpl .Values.fqdn . }}" allow_public_rooms_without_auth: true allow_public_rooms_over_federation: false pid_file: "/var/run/matrix/homeserver.pid" listeners: - port: 8008 tls: false type: http x_forwarded: true bind_addresses: - '::1' - '127.0.0.1' resources: - names: [federation,client,metrics] compress: false - port: 9093 bind_addresses: - '::1' - '127.0.0.1' type: http resources: - names: [replication] database: name: "psycopg2" args: database: "matrix-synapse" host: "localhost" user: "matrix-synapse" password: "" cp_min: 10 cp_min: 5 log_config: "/config/log.yaml" enable_media_repo: true media_store_path: "/data" max_upload_size: "100M" enable_registration: false log.yaml: | version: 1 formatters: fmt: format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' filters: context: (): synapse.logging.context.LoggingContextFilter request: "" handlers: console: class: logging.StreamHandler formatter: fmt filters: [context] root: level: INFO handlers: [console] # to use file handler instead, switch to [file] loggers: synapse: level: INFO synapse.storage.SQL: level: INFO # example of enabling debugging for a component: # # synapse.federation.transport.server: # level: DEBUG