[apps/matrix] Begin cleanup for single worker approach
This commit is contained in:
parent
52bec8f0c5
commit
58be88f40a
3 changed files with 129 additions and 123 deletions
|
@ -1,3 +1,65 @@
|
||||||
|
## Todos / missing 2021-12-21
|
||||||
|
|
||||||
|
* Splitting / checking postgresql
|
||||||
|
* Setting up element-web + config
|
||||||
|
* Defining the homeserver.yaml
|
||||||
|
* Integration with certbot
|
||||||
|
|
||||||
|
|
||||||
|
## Components
|
||||||
|
|
||||||
|
### General
|
||||||
|
|
||||||
|
* Need switches for element-web (?)
|
||||||
|
* Or always deploy
|
||||||
|
|
||||||
|
### element-web
|
||||||
|
|
||||||
|
* Needs config: /app/config.json
|
||||||
|
* Needs FQDN for HTTPS / nginx
|
||||||
|
* Maybe limit the builtin webserver to localhost?
|
||||||
|
|
||||||
|
To add:
|
||||||
|
|
||||||
|
```
|
||||||
|
add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||||
|
```
|
||||||
|
|
||||||
|
### matrix-synapse
|
||||||
|
|
||||||
|
* Requires homeserver.yaml for starting
|
||||||
|
* Need to overwrite the entrypoint
|
||||||
|
* How/where do we specifiy the postgresql password?
|
||||||
|
* Maybe in our own init container using alpine?
|
||||||
|
|
||||||
|
Need to generate for postgresql:
|
||||||
|
|
||||||
|
```
|
||||||
|
database:
|
||||||
|
# The database engine name
|
||||||
|
name: "psycopg2"
|
||||||
|
# Arguments to pass to the engine
|
||||||
|
args:
|
||||||
|
database: "matrix-synapse"
|
||||||
|
host: "/var/run/postgresql"
|
||||||
|
user: "matrix-synapse"
|
||||||
|
password: ""
|
||||||
|
cp_min: 10
|
||||||
|
cp_min: 5
|
||||||
|
```
|
||||||
|
|
||||||
|
For configuration set/do not set:
|
||||||
|
|
||||||
|
* SYNAPSE_CONFIG_DIR=/config (this contains generated files from us)
|
||||||
|
* SYNAPSE_DATA_DIR is by default /data, keep as is
|
||||||
|
|
||||||
|
Save under:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Missing
|
## Missing
|
||||||
|
|
||||||
- db secret generation (sops?)
|
- db secret generation (sops?)
|
||||||
|
@ -6,9 +68,12 @@
|
||||||
- Exposing sizes in value.yaml (db, gitea)
|
- Exposing sizes in value.yaml (db, gitea)
|
||||||
- Maybe reducing to 1 PVC?
|
- Maybe reducing to 1 PVC?
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## TODOs
|
## TODOs
|
||||||
|
|
||||||
- Maybe move postgres into own service -> stays running by default
|
- Move postgres into own service -> stays running by default
|
||||||
|
|
||||||
## Reset
|
## Reset
|
||||||
|
|
||||||
|
|
|
@ -2,22 +2,60 @@
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ .Release.Name }}-matrix
|
name: {{ .Release.Name }}-matrix-element-web
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: {{ .Release.Name }}-matrix
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: matrix-element-web
|
||||||
replicas: 1
|
replicas: 1
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: {{ .Release.Name }}-matrix
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
use-as-service: {{ .Release.Name }}
|
app.kubernetes.io/component: matrix-element-web
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: element-web
|
||||||
|
image: vectorim/element-web:{{ .Values.elementWebVersion }}
|
||||||
|
ports:
|
||||||
|
- containerPort: 80
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}-element-web
|
||||||
|
labels:
|
||||||
|
app: {{ .Release.Name }}-element-web
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
# Required for letsencrypt
|
||||||
|
- port: 80
|
||||||
|
name: http
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: matrix-element-web
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}-matrix-synapse
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: matrix-synapse
|
||||||
|
replicas: 1
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/component: matrix-synapse
|
||||||
spec:
|
spec:
|
||||||
initContainers:
|
initContainers:
|
||||||
- name: generate-matrix-signing-key
|
- name: generate-matrix-signing-key
|
||||||
image: ungleich/ungleich-matrix-synapse:{{ .Values.synapseVersion }}
|
image: matrixdotorg/synapse:{{ .Values.synapseVersion }}
|
||||||
imagePullPolicy: Always
|
|
||||||
command:
|
command:
|
||||||
- "python"
|
- "python"
|
||||||
- "-m"
|
- "-m"
|
||||||
|
@ -33,61 +71,6 @@ spec:
|
||||||
- name: matrix-config
|
- name: matrix-config
|
||||||
mountPath: "/baseconfig"
|
mountPath: "/baseconfig"
|
||||||
containers:
|
containers:
|
||||||
- name: certbot
|
|
||||||
image: ungleich/ungleich-certbot
|
|
||||||
imagePullPolicy: Always
|
|
||||||
ports:
|
|
||||||
- containerPort: 80
|
|
||||||
env:
|
|
||||||
- name: DOMAIN
|
|
||||||
value: "{{ tpl .Values.fqdn . }}"
|
|
||||||
- name: EMAIL
|
|
||||||
value: "{{ .Values.email }}"
|
|
||||||
{{ if eq .Values.letsencryptStaging "no" }}
|
|
||||||
- name: STAGING
|
|
||||||
value: "no"
|
|
||||||
{{ end }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: etcletsencrypt
|
|
||||||
mountPath: "/etc/letsencrypt"
|
|
||||||
# This container will only start *after* the cert has been placed
|
|
||||||
- name: debug
|
|
||||||
image: alpine:latest
|
|
||||||
volumeMounts:
|
|
||||||
- name: nginx-config
|
|
||||||
mountPath: "/etc/nginx/conf.d/"
|
|
||||||
- name: etcletsencrypt
|
|
||||||
mountPath: "/etc/letsencrypt"
|
|
||||||
- name: data
|
|
||||||
mountPath: "/data"
|
|
||||||
- name: matrix-config
|
|
||||||
mountPath: "/baseconfig"
|
|
||||||
- name: postgres-vars
|
|
||||||
mountPath: "/postgres"
|
|
||||||
args:
|
|
||||||
- sleep
|
|
||||||
- "1000000"
|
|
||||||
- name: nginx
|
|
||||||
image: nginx:1.21-alpine
|
|
||||||
ports:
|
|
||||||
- containerPort: 443
|
|
||||||
volumeMounts:
|
|
||||||
- name: nginx-config
|
|
||||||
mountPath: "/etc/nginx/conf.d/"
|
|
||||||
- name: etcletsencrypt
|
|
||||||
mountPath: "/etc/letsencrypt"
|
|
||||||
- name: postgres
|
|
||||||
image: postgres:13
|
|
||||||
ports:
|
|
||||||
- containerPort: 5432
|
|
||||||
envFrom:
|
|
||||||
- secretRef:
|
|
||||||
name: {{ tpl .Values.identifier . }}-postgres-config
|
|
||||||
volumeMounts:
|
|
||||||
- name: postgres-data
|
|
||||||
mountPath: "/var/lib/postgresql/data"
|
|
||||||
# Use subpath to avoid lost+found error
|
|
||||||
subPath: postgres
|
|
||||||
- name: matrix
|
- name: matrix
|
||||||
# SYNAPSE_CONFIG_DIR: where additional configs are placed -> postgres-db.yaml
|
# SYNAPSE_CONFIG_DIR: where additional configs are placed -> postgres-db.yaml
|
||||||
# SYNAPSE_CONFIG_PATH: the initial config
|
# SYNAPSE_CONFIG_PATH: the initial config
|
||||||
|
@ -111,22 +94,22 @@ spec:
|
||||||
volumes:
|
volumes:
|
||||||
- name: etcletsencrypt
|
- name: etcletsencrypt
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
|
claimName: {{ .Release.Name }}-letsencrypt-certs
|
||||||
- name: data
|
- name: data
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: {{ tpl .Values.identifier . }}-data
|
claimName: {{ .Release.Name }}-data
|
||||||
- name: postgres-data
|
- name: postgres-data
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: {{ tpl .Values.identifier . }}-postgres-data
|
claimName: {{ .Release.Name }}-postgres-data
|
||||||
- name: postgres-vars
|
- name: postgres-vars
|
||||||
secret:
|
secret:
|
||||||
secretName: {{ tpl .Values.identifier . }}-postgres-config
|
secretName: {{ .Release.Name }}-postgres-config
|
||||||
- name: nginx-config
|
- name: nginx-config
|
||||||
configMap:
|
configMap:
|
||||||
name: {{ tpl .Values.identifier . }}-nginx-config
|
name: {{ .Release.Name }}-nginx-config
|
||||||
- name: matrix-config
|
- name: matrix-config
|
||||||
configMap:
|
configMap:
|
||||||
name: {{ tpl .Values.identifier . }}-matrix-config
|
name: {{ .Release.Name }}-matrix-config
|
||||||
items:
|
items:
|
||||||
- key: homeserver.yaml
|
- key: homeserver.yaml
|
||||||
path: homeserver.yaml
|
path: homeserver.yaml
|
||||||
|
@ -137,9 +120,9 @@ spec:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ tpl .Values.identifier . }}
|
name: {{ .Release.Name }}
|
||||||
labels:
|
labels:
|
||||||
app: {{ tpl .Values.identifier . }}
|
app: {{ .Release.Name }}
|
||||||
spec:
|
spec:
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
|
@ -154,9 +137,9 @@ spec:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ tpl .Values.identifier . }}-web
|
name: {{ .Release.Name }}-web
|
||||||
labels:
|
labels:
|
||||||
app: {{ tpl .Values.identifier . }}-web
|
app: {{ .Release.Name }}-web
|
||||||
spec:
|
spec:
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
|
@ -171,7 +154,7 @@ spec:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: PersistentVolumeClaim
|
kind: PersistentVolumeClaim
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ tpl .Values.identifier . }}-letsencrypt-certs
|
name: {{ .Release.Name }}-letsencrypt-certs
|
||||||
spec:
|
spec:
|
||||||
accessModes:
|
accessModes:
|
||||||
- ReadWriteMany
|
- ReadWriteMany
|
||||||
|
@ -183,7 +166,7 @@ spec:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: PersistentVolumeClaim
|
kind: PersistentVolumeClaim
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ tpl .Values.identifier . }}-data
|
name: {{ .Release.Name }}-data
|
||||||
spec:
|
spec:
|
||||||
accessModes:
|
accessModes:
|
||||||
- ReadWriteMany
|
- ReadWriteMany
|
||||||
|
@ -195,7 +178,7 @@ spec:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: PersistentVolumeClaim
|
kind: PersistentVolumeClaim
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ tpl .Values.identifier . }}-postgres-data
|
name: {{ .Release.Name }}-postgres-data
|
||||||
spec:
|
spec:
|
||||||
accessModes:
|
accessModes:
|
||||||
- ReadWriteOnce
|
- ReadWriteOnce
|
||||||
|
@ -204,45 +187,10 @@ spec:
|
||||||
storage: 500Mi
|
storage: 500Mi
|
||||||
storageClassName: rook-ceph-block
|
storageClassName: rook-ceph-block
|
||||||
---
|
---
|
||||||
# apiVersion: batch/v1
|
|
||||||
# kind: Job
|
|
||||||
# metadata:
|
|
||||||
# name: {{ tpl .Values.identifier . }}-getcert
|
|
||||||
# spec:
|
|
||||||
# template:
|
|
||||||
# metadata:
|
|
||||||
# labels:
|
|
||||||
# app: certbot-letsencrypt-getcert
|
|
||||||
# use-as-service: {{ .Release.Name }}
|
|
||||||
# spec:
|
|
||||||
# restartPolicy: Never
|
|
||||||
# containers:
|
|
||||||
# - name: certbot
|
|
||||||
# image: ungleich/ungleich-certbot
|
|
||||||
# ports:
|
|
||||||
# - containerPort: 80
|
|
||||||
# env:
|
|
||||||
# - name: DOMAIN
|
|
||||||
# value: "{{ tpl .Values.fqdn . }}"
|
|
||||||
# - name: EMAIL
|
|
||||||
# value: "{{ .Values.email }}"
|
|
||||||
# {{ if eq .Values.letsencryptStaging "no" }}
|
|
||||||
# - name: STAGING
|
|
||||||
# value: "no"
|
|
||||||
# {{ end }}
|
|
||||||
# volumeMounts:
|
|
||||||
# - name: etcletsencrypt
|
|
||||||
# mountPath: "/etc/letsencrypt"
|
|
||||||
# volumes:
|
|
||||||
# - name: etcletsencrypt
|
|
||||||
# persistentVolumeClaim:
|
|
||||||
# claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
|
|
||||||
# backoffLimit: 3
|
|
||||||
#---
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ tpl .Values.identifier . }}-nginx-config
|
name: {{ .Release.Name }}-nginx-config
|
||||||
data:
|
data:
|
||||||
default.conf: |
|
default.conf: |
|
||||||
server {
|
server {
|
||||||
|
@ -268,7 +216,7 @@ data:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ tpl .Values.identifier . }}-postgres-config
|
name: {{ .Release.Name }}-postgres-config
|
||||||
annotations:
|
annotations:
|
||||||
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
|
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
|
||||||
stringData:
|
stringData:
|
||||||
|
@ -279,7 +227,7 @@ stringData:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ tpl .Values.identifier . }}-matrix-config
|
name: {{ .Release.Name }}-matrix-config
|
||||||
data:
|
data:
|
||||||
homeserver.yaml: |
|
homeserver.yaml: |
|
||||||
server_name: "{{ .Values.server_name }}"
|
server_name: "{{ .Values.server_name }}"
|
||||||
|
@ -360,8 +308,3 @@ data:
|
||||||
|
|
||||||
synapse.storage.SQL:
|
synapse.storage.SQL:
|
||||||
level: INFO
|
level: INFO
|
||||||
|
|
||||||
# example of enabling debugging for a component:
|
|
||||||
#
|
|
||||||
# synapse.federation.transport.server:
|
|
||||||
# level: DEBUG
|
|
||||||
|
|
|
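Review bot: In hunk `@ -111,22 +94,22 @@` the synapse pod's `volumes:` list still declares `etcletsencrypt`, `postgres-data`, `postgres-vars` and `nginx-config`, although the certbot, debug, nginx and postgres containers that mounted them are removed in `@ -33,61 +71,6 @@`; the `matrix` container's own `volumeMounts` lie outside the hunks, so some of these may still be referenced, but any volume no container mounts should be dropped rather than renamed. Keeping `postgres-vars` attaches the `POSTGRES_PASSWORD` secret to a pod that no longer runs postgres, and `postgres-data` is a `ReadWriteOnce` claim (see the PVC hunk) that stays bound to this pod's node and will block the planned standalone postgres service from attaching it elsewhere. In `@ -2,22 +2,60 @@` the comment `# Required for letsencrypt` above the element-web Service port was copied from the removed certbot setup and no longer describes anything; replace it with `# plain-HTTP port of the element-web container`.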
@ -2,9 +2,7 @@ clusterDomain: c2.k8s.ooo
|
||||||
email: technik@ungleich.ch
|
email: technik@ungleich.ch
|
||||||
letsencryptStaging: "yes"
|
letsencryptStaging: "yes"
|
||||||
|
|
||||||
# This is how the service and the data volumes are named - i.e. the
|
|
||||||
# persistent thing
|
|
||||||
identifier: "{{ .Release.Name }}"
|
|
||||||
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
|
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
|
||||||
|
|
||||||
# This needs delegation / configuration on fn.nf
|
# This needs delegation / configuration on fn.nf
|
||||||
|
@ -18,5 +16,5 @@ enable_registration: false
|
||||||
# Maximum size of one particular file
|
# Maximum size of one particular file
|
||||||
max_filesize_in_mb: 100
|
max_filesize_in_mb: 100
|
||||||
|
|
||||||
elementVersion: "1.7.32"
|
elementWebVersion: "v1.9.8"
|
||||||
synapseVersion: "v1.48.0"
|
synapseVersion: "v1.49.0"
|
||||||
|
|
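Review bot: Removing `identifier` from values.yaml leaves no fallback for any template still rendering `{{ tpl .Values.identifier . }}`; Helm will either fail at render time or silently produce a resource name with a leading `-`, so the nginx `default.conf` and `homeserver.yaml` bodies, which are outside the shown hunks, should be checked for remaining uses before this lands. As far as the hunks show, `letsencryptStaging` and `email` were consumed only by the certbot container this commit removes, so if nothing else reads them they are now dead values and could carry a comment such as `# unused since certbot moved out of the synapse pod` until the TLS setup is settled.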