diff --git a/apps/matrix/README.md b/apps/matrix/README.md index 10f5192..1599f6c 100644 --- a/apps/matrix/README.md +++ b/apps/matrix/README.md @@ -1,3 +1,65 @@ +## Todos / missing 2021-12-21 + +* Splitting / checking postgresql +* Setting up element-web + config +* Defining the homeserver.yaml +* Integration with certbot + + +## Components + +### General + +* Need switches for element-web (?) + * Or always deploy + +### element-web + +* Needs config: /app/config.json +* Needs FQDN for HTTPS / nginx +* Maybe limit the builtin webserver to localhost? + +To add: + +``` +add_header X-Frame-Options SAMEORIGIN; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; +add_header Content-Security-Policy "frame-ancestors 'none'"; +``` + +### matrix-synapse + +* Requires homeserver.yaml for starting +* Need to overwrite the entrypoint +* How/where do we specifiy the postgresql password? + * Maybe in our own init container using alpine? + +Need to generate for postgresql: + +``` +database: + # The database engine name + name: "psycopg2" + # Arguments to pass to the engine + args: + database: "matrix-synapse" + host: "/var/run/postgresql" + user: "matrix-synapse" + password: "" + cp_min: 10 + cp_min: 5 +``` + +For configuration set/do not set: + +* SYNAPSE_CONFIG_DIR=/config (this contains generated files from us) +* SYNAPSE_DATA_DIR is by default /data, keep as is + +Save under: + + + ## Missing - db secret generation (sops?) @@ -6,9 +68,12 @@ - Exposing sizes in value.yaml (db, gitea) - Maybe reducing to 1 PVC? + + + ## TODOs -- Maybe move postgres into own service -> stays running by default +- Move postgres into own service -> stays running by default ## Reset diff --git a/apps/matrix/templates/deployment.yaml b/apps/matrix/templates/deployment.yaml index 2121b8e..1a8c13c 100644 --- a/apps/matrix/templates/deployment.yaml +++ b/apps/matrix/templates/deployment.yaml 
@@ -2,22 +2,60 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-matrix + name: {{ .Release.Name }}-matrix-element-web spec: selector: matchLabels: - app: {{ .Release.Name }}-matrix + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: matrix-element-web replicas: 1 template: metadata: labels: - app: {{ .Release.Name }}-matrix - use-as-service: {{ .Release.Name }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: matrix-element-web + spec: + containers: + - name: element-web + image: vectorim/element-web:{{ .Values.elementWebVersion }} + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Release.Name }}-element-web + labels: + app: {{ .Release.Name }}-element-web +spec: + type: ClusterIP + ports: + # Required for letsencrypt + - port: 80 + name: http + selector: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: matrix-element-web +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }}-matrix-synapse +spec: + selector: + matchLabels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: matrix-synapse + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: matrix-synapse spec: initContainers: - name: generate-matrix-signing-key - image: ungleich/ungleich-matrix-synapse:{{ .Values.synapseVersion }} - imagePullPolicy: Always + image: matrixdotorg/synapse:{{ .Values.synapseVersion }} command: - "python" - "-m" 
@@ -33,61 +71,6 @@ spec: - name: matrix-config mountPath: "/baseconfig" containers: - - name: certbot - image: ungleich/ungleich-certbot - imagePullPolicy: Always - ports: - - containerPort: 80 - env: - - name: DOMAIN - value: "{{ tpl .Values.fqdn . }}" - - name: EMAIL - value: "{{ .Values.email }}" - {{ if eq .Values.letsencryptStaging "no" }} - - name: STAGING - value: "no" - {{ end }} - volumeMounts: - - name: etcletsencrypt - mountPath: "/etc/letsencrypt" - # This container will only start *after* the cert has been placed - - name: debug - image: alpine:latest - volumeMounts: - - name: nginx-config - mountPath: "/etc/nginx/conf.d/" - - name: etcletsencrypt - mountPath: "/etc/letsencrypt" - - name: data - mountPath: "/data" - - name: matrix-config - mountPath: "/baseconfig" - - name: postgres-vars - mountPath: "/postgres" - args: - - sleep - - "1000000" - - name: nginx - image: nginx:1.21-alpine - ports: - - containerPort: 443 - volumeMounts: - - name: nginx-config - mountPath: "/etc/nginx/conf.d/" - - name: etcletsencrypt - mountPath: "/etc/letsencrypt" - - name: postgres - image: postgres:13 - ports: - - containerPort: 5432 - envFrom: - - secretRef: - name: {{ tpl .Values.identifier . }}-postgres-config - volumeMounts: - - name: postgres-data - mountPath: "/var/lib/postgresql/data" - # Use subpath to avoid lost+found error - subPath: postgres - name: matrix # SYNAPSE_CONFIG_DIR: where additional configs are placed -> postgres-db.yaml # SYNAPSE_CONFIG_PATH: the initial config 
@@ -111,22 +94,22 @@ spec: volumes: - name: etcletsencrypt persistentVolumeClaim: - claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs + claimName: {{ .Release.Name }}-letsencrypt-certs - name: data persistentVolumeClaim: - claimName: {{ tpl .Values.identifier . }}-data + claimName: {{ .Release.Name }}-data - name: postgres-data persistentVolumeClaim: - claimName: {{ tpl .Values.identifier . }}-postgres-data + claimName: {{ .Release.Name }}-postgres-data - name: postgres-vars secret: - secretName: {{ tpl .Values.identifier . }}-postgres-config + secretName: {{ .Release.Name }}-postgres-config - name: nginx-config configMap: - name: {{ tpl .Values.identifier . }}-nginx-config + name: {{ .Release.Name }}-nginx-config - name: matrix-config configMap: - name: {{ tpl .Values.identifier . }}-matrix-config + name: {{ .Release.Name }}-matrix-config items: - key: homeserver.yaml path: homeserver.yaml @@ -137,9 +120,9 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ tpl .Values.identifier . }} + name: {{ .Release.Name }} labels: - app: {{ tpl .Values.identifier . }} + app: {{ .Release.Name }} spec: type: ClusterIP ports: @@ -154,9 +137,9 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ tpl .Values.identifier . }}-web + name: {{ .Release.Name }}-web labels: - app: {{ tpl .Values.identifier . }}-web + app: {{ .Release.Name }}-web spec: type: ClusterIP ports: @@ -171,7 +154,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: {{ tpl .Values.identifier . }}-letsencrypt-certs + name: {{ .Release.Name }}-letsencrypt-certs spec: accessModes: - ReadWriteMany @@ -183,7 +166,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: {{ tpl .Values.identifier . }}-data + name: {{ .Release.Name }}-data spec: accessModes: - ReadWriteMany 
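Review bot: The volumes list on the new side still declares `etcletsencrypt`, `nginx-config`, `postgres-data` and `postgres-vars`, but the containers that mounted them (certbot, nginx, postgres) are removed in the preceding hunk, so unless the `matrix` container, whose volumeMounts lie outside this hunk, mounts them they are dead volumes. `postgres-vars` in particular keeps projecting the autogenerated `POSTGRES_PASSWORD` secret into a pod that no longer runs postgres, and the README in this commit lists "Move postgres into own service" as a still-open TODO, so synapse presumably has no database to reach until that lands. Either drop the orphaned volumes and PVC/secret references here, or mark the transitional state explicitly, e.g. `# TODO: postgres-data / postgres-vars stay until postgres moves to its own Deployment (see README)` above the `postgres-data` entry, so the leftover state is not mistaken for an intended mount.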
@@ -195,7 +178,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: {{ tpl .Values.identifier . }}-postgres-data + name: {{ .Release.Name }}-postgres-data spec: accessModes: - ReadWriteOnce @@ -204,45 +187,10 @@ spec: storage: 500Mi storageClassName: rook-ceph-block --- -# apiVersion: batch/v1 -# kind: Job -# metadata: -# name: {{ tpl .Values.identifier . }}-getcert -# spec: -# template: -# metadata: -# labels: -# app: certbot-letsencrypt-getcert -# use-as-service: {{ .Release.Name }} -# spec: -# restartPolicy: Never -# containers: -# - name: certbot -# image: ungleich/ungleich-certbot -# ports: -# - containerPort: 80 -# env: -# - name: DOMAIN -# value: "{{ tpl .Values.fqdn . }}" -# - name: EMAIL -# value: "{{ .Values.email }}" -# {{ if eq .Values.letsencryptStaging "no" }} -# - name: STAGING -# value: "no" -# {{ end }} -# volumeMounts: -# - name: etcletsencrypt -# mountPath: "/etc/letsencrypt" -# volumes: -# - name: etcletsencrypt -# persistentVolumeClaim: -# claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs -# backoffLimit: 3 -#--- apiVersion: v1 kind: ConfigMap metadata: - name: {{ tpl .Values.identifier . }}-nginx-config + name: {{ .Release.Name }}-nginx-config data: default.conf: | server { @@ -268,7 +216,7 @@ data: apiVersion: v1 kind: Secret metadata: - name: {{ tpl .Values.identifier . }}-postgres-config + name: {{ .Release.Name }}-postgres-config annotations: secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD stringData: @@ -279,7 +227,7 @@ stringData: apiVersion: v1 kind: ConfigMap metadata: - name: {{ tpl .Values.identifier . }}-matrix-config + name: {{ .Release.Name }}-matrix-config data: homeserver.yaml: | server_name: "{{ .Values.server_name }}" @@ -360,8 +308,3 @@ data: synapse.storage.SQL: level: INFO - - # example of enabling debugging for a component: - # - # synapse.federation.transport.server: - # level: DEBUG diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml index b0a6bac..7c72424 100644 
--- a/apps/matrix/values.yaml +++ b/apps/matrix/values.yaml @@ -2,9 +2,7 @@ clusterDomain: c2.k8s.ooo email: technik@ungleich.ch letsencryptStaging: "yes" -# This is how the service and the data volumes are named - i.e. the -# persistent thing -identifier: "{{ .Release.Name }}" + fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" # This needs delegation / configuration on fn.nf @@ -18,5 +16,5 @@ enable_registration: false # Maximum size of one particular file max_filesize_in_mb: 100 -elementVersion: "1.7.32" -synapseVersion: "v1.48.0" +elementWebVersion: "v1.9.8" +synapseVersion: "v1.49.0"