ungleich-k8s/apps/matrix/README.md

## Todos / missing 2021-12-21

* Splitting / checking postgresql
* Setting up element-web + config
* Defining the homeserver.yaml
* Integration with certbot

## Next

* create db.yaml with

```
#database:
#  name: psycopg2
#  args:
#    user: synapse_user
#    password: secretpassword
#    database: synapse
#    host: localhost
#    port: 5432
#    cp_min: 5
#    cp_max: 10
```

* create log.config
* put pvc at /media_store

## Components

### General

* Need switches for element-web (?)
  * Or always deploy

### element-web

* Needs config: /app/config.json
* Needs FQDN for HTTPS / nginx
* Maybe limit the builtin webserver to localhost?
  * Configmap to /etc/nginx/conf.d/default.conf
  * Entrypoint `nginx -g daemon off`D

To add:

```
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
```

    # Whether to create the two federation files on the web client
    # - /.well-known/matrix/server containing {"m.server":
    # "homeserver:443"}.
    #  - /.well-known/matrix/client containing { "m.homeserver": {
    # "base_url": "https://homeserver" } }. Example:


### matrix-synapse

* Requires homeserver.yaml for starting
* Need to overwrite the entrypoint
* How/where do we specifiy the postgresql password?
  * Maybe in our own init container using alpine?

Need to generate for postgresql:

```
database:
  # The database engine name
  name: "psycopg2"
  # Arguments to pass to the engine
  args:
    database: "matrix-synapse"
    host: "/var/run/postgresql"
    user: "matrix-synapse"
    password: ""
    cp_min: 10
    cp_min: 5
```

For configuration set/do not set:

* SYNAPSE_CONFIG_DIR=/config (this contains generated files from us)
* SYNAPSE_DATA_DIR is by default /data, keep as is

Save under:



## Missing

- db secret generation (sops?)
  - done via mittwald
- SMTP settings / secrets (ungleich mail + sops?)
- Exposing sizes in value.yaml (db, gitea)
  - Maybe reducing to 1 PVC?




## TODOs

- Move postgres into own service -> stays running by default

## Reset

What I want:

- Easy access to latest matrix version
  - Based on the official container makes sense
- Being able to inject postgres secret
- Postgres not restarting if synapse is getting updated
  - 2nd service could nicely solve that

## input / image

/data

SYNAPSE_CONFIG_DIR: where additional config files are stored. Defaults
to /data.

SYNAPSE_CONFIG_PATH: path to the config file. Defaults to
<SYNAPSE_CONFIG_DIR>/homeserver.yaml

TZ: the timezone the container will run with. Defaults to UTC.

docker run -d --name synapse \
    --mount type=volume,src=synapse-data,dst=/data \
    -p 8008:8008 \
    matrixdotorg/synapse:latest run \
    -m synapse.app.generic_worker \
    --config-path=/data/homeserver.yaml \
    --config-path=/data/generic_worker.yaml

# admin user

docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml --help

# Setup in terms of functionality

## Synapse

* Base, clear

## Element

* Another FQDN
* If set, another nginx instance

## Usage

### Element-Web

* Includes config.json that is being populated by values.yaml
* Includes nginx on port localhost:8080 (http)
* Includes nginx proxy on port 80+443 (http redirect, https)