
Mostly working synapse/matrix/mas

Breandan Dezendorf 7 meses atrás
pai
commit
ff1b6328a7

+ 5 - 0
dezendorf/homelab/k3s/matrix/Dockerfile

@@ -0,0 +1,5 @@
+FROM ghcr.io/element-hq/matrix-authentication-service:latest
+
+ADD sh /bin/sh
+
+CMD ["/bin/sh"]
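Review bot: `ADD sh /bin/sh` overwrites the base image's `/bin/sh` with a file from the build context that does not appear in this commit's file list, so the build presumably depends on an untracked `sh`; if it is a keep-alive wrapper for debugging, say so in a comment (`# sh: replaces the image shell so CMD keeps the container alive for manual mas-cli runs`) because the override affects anything else in the image that invokes `/bin/sh`. `COPY sh /bin/sh` is the right instruction for a single local file — `ADD` adds URL-fetch and archive-extraction semantics that are not wanted here. The base image is pulled as `matrix-authentication-service:latest` (here and again in matrix.yaml), which makes the deployment non-reproducible; pinning a version tag or a `@sha256:` digest keeps the auth service from changing underneath the Synapse MSC3861 config that depends on it.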

+ 104 - 0
dezendorf/homelab/k3s/matrix/config.yaml

@@ -0,0 +1,104 @@
+http:
+  listeners:
+  - name: web
+    resources:
+    - name: discovery
+    - name: human
+    - name: oauth
+    - name: compat
+    - name: graphql
+    - name: assets
+    binds:
+    - address: '[::]:8080'
+    proxy_protocol: false
+  - name: internal
+    resources:
+    - name: health
+    binds:
+    - host: localhost
+      port: 8081
+    proxy_protocol: false
+  trusted_proxies:
+  - 192.168.0.0/16
+  - 172.16.0.0/12
+  - 10.0.0.0/10
+  - 127.0.0.1/8
+  - fd00::/8
+  - ::1/128
+  public_base: http://[::]:8080/
+  issuer: http://[::]:8080/
+database:
+  uri: postgresql://
+  max_connections: 10
+  min_connections: 0
+  connect_timeout: 30
+  idle_timeout: 600
+  max_lifetime: 1800
+email:
+  from: '"Authentication Service" <root@localhost>'
+  reply_to: '"Authentication Service" <root@localhost>'
+  transport: blackhole
+secrets:
+  encryption: 3c181674eb46ae497285dae790f6db7a4c2e8844b00d8ae643fd135c85032d63
+  keys:
+  - kid: Lg9L19ltKs
+    key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEowIBAAKCAQEA0Hx3fsKShaNEz3JLmeGMoHPK46lOJMUqtAi/4c0I4+Dl/sy+
+      M0B8+6qUD9R5+KR0Lheohfq0o1HnWtwRv3drh7hkGl1CSfV28qOen9USEzAckxwq
+      Yak/hMzeQLXnmlKNKjtolBBdGoQC6DfC8wqrvoJ8Qfopy4oPC5096GYaQrPgfji6
+      2JARDMoclstK/0ms4VH8E44RkTl+aMu8SFkaPIpKYZZ+tqifYjNQfa43BB02QZVm
+      Khz6eS/w0f/wOjybP+EBajvsYgfQDSHhNVAS5TkrfJlUnfxF1jEGxsoHc6E0pevW
+      Fc+EAll2ZHr9MDYLIze8hQLZcGXVzQXRaa9hbQIDAQABAoIBAGsuUdBc/y6szQdI
+      3wzxI3apkLiRpZbJtjZv+RWAbv2X9SWU5IM8uAQ5oXyx4zKseP3pM74NMSh1Rtcz
+      I/ymzCUt6miTYSzcgJYk/7tzsqMirM4EQNWMSRdgqzHhUnvHzMLVX+Iet36WN1hi
+      slp4Neru8iqJDUuSYkG6SMVdGEsJeEBGnOlX0UANIGDzx+d0xqfyKlqCd3iucqc9
+      rIl5pKogqHCbww+AY4F60A5fqZRlVOliZybFKzODXmYJbsT2nHXNUKmdpRaw/UAq
+      X4253k/cZ+PhJ1l9TzYPuGSfLpLIedyfmEP8FuTD0nk+wZuR1bTVOmLYxAc59cPu
+      gHa6dRECgYEA1mdWmqW3RxnevPY0UQ7M36SmmLpzyyuH//alXQ0VMKzRfOsw1Yvu
+      tKfguqzyf9Sl/bQQPoadtrRRz2cN2mtZTyUAfnI+umQraXDgo6Garwp/p3NzQbcb
+      CFHB/1gKwW9XJxdQsDdFsJDL5eav/augwjKwNtRrSgtlH1OZR6Eo6SMCgYEA+O86
+      psduumOB4FNj8KUblsRtu9EeRZVGLnBS5j5ZSvE2ZbD2fF+NrBqmlGiElUQztUua
+      XXSovHROiiQpZO7pXXTL2yWXY3/ONS7Ad7fN+klVna9rtcH6TyZn7cdBNaaA99ke
+      WP5TpNBzGRG8kfbGFhotBJR0X6WxvotiWoNMXC8CgYAWdx+A9so8ff5zyEx1Ddrz
+      uBnouOi3KimG7X4oQN2uiv0sXKxyQ8ZQUaLfjI2gTVTTP5HQK2TNJxnHZKHz9/mU
+      rGjf1vKxrxtJYhV3r9A4dR4pGpTCFwCTH5X3Pm9qE1OLegrvW+tGc/WZclGQf/JJ
+      Ruxl4l4XlRgUbzsJYV6bBwKBgQCILP4tvA1jowmqOJQEUZ3dBQluZAAmWnlw7/s5
+      fsQEDh4O1RaRhQgQLOgRaXeV3CBZPcls9GNV7F4Gja+jSlqYyEq4UEEXqhOY3kFl
+      fEQOdc2DHDJU1I9kewMBfS279qC4dKp4TnBdSbac8Snxw0grURhtV/StWgv4y3D7
+      SLYd+wKBgHXJhL3lu4mFkg1ZXdDnlnGwsN26uIVLO38kgFx4VUVzXMkyNEenj4qi
+      Ah7Lqh7I0kYcbeU03N+YPCGhRw7J5VCfH2PfpaG/OYBrD5EDqUhXEcqKHF58DKuL
+      CZWqwhnlyPETPr01Cw+Ew7CHLtWQDsRmP7fOf0jBEGPnT0D/4mLJ
+      -----END RSA PRIVATE KEY-----
+  - kid: VlpwvY6SAD
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MHcCAQEEIIZmVwBwGDR+9/tqIcbjt6rTQ/8Bw78N7vkCoh8bsvC7oAoGCCqGSM49
+      AwEHoUQDQgAE6Cg0wMq2xaXRUQJd5JsDycuJzDsUq/2n+XLnyjEr3eUIxVzSYv+a
+      BN7y0dHUINthfc0TaTeS5RhXe8GcM2Albw==
+      -----END EC PRIVATE KEY-----
+  - kid: W3O3m4ayPx
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MIGkAgEBBDBbjf34M6QuUQ8+u7VouyRXeW4oJn+FjPx8obOYW/8FbJIZkNCgxnKN
+      wdR+LMulXjKgBwYFK4EEACKhZANiAASKeEoUVrElar/cN2iuUg/8Qf0KgoUnRBWI
+      Jx1doGFjAzb+HUr5KkPNaGQcbeIPqYPIOSYY27PgPBexBtb/NLjhFaK8w6qUVDOK
+      CU2Mb8op7dH+4cfe7l0ZBGy+lhY0jOQ=
+      -----END EC PRIVATE KEY-----
+  - kid: 3Rhruz5OEl
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MHQCAQEEIN8MzvjgVLEWxi32tKjgY9/bMUYpqdnQ4A6iO6o2ufTnoAcGBSuBBAAK
+      oUQDQgAEWvxNlx7qxzIyMIyGsltEuXAnnJ4NoYyUQoZzGaAgOAqeuRMg+qvb3tHC
+      aW9EU5Vc7RkqugaLUF2K2jcFMbxGPw==
+      -----END EC PRIVATE KEY-----
+passwords:
+  enabled: true
+  schemes:
+  - version: 1
+    algorithm: argon2id
+  minimum_complexity: 3
+matrix:
+  homeserver: localhost:8008
+  secret: yvuN4UMz6ZHWWp4WVNxWbBneWSlNLwYy
+  endpoint: http://localhost:8008/
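Review bot: The `secrets` block commits the `encryption` key and four private keys (`Lg9L19ltKs`, `VlpwvY6SAD`, `W3O3m4ayPx`, `3Rhruz5OEl`) in plaintext, and they are byte-identical to the values the `matrix-auth-files` ConfigMap in matrix.yaml ships to the running service, so the live token-signing and encryption material is now in git history and should be regenerated (for example with `mas-cli config generate`) and loaded from a Kubernetes Secret — MAS accepts `encryption_file` and `key_file` in place of inline values, if the deployed version supports them. Apart from that block the file reads like an unedited generated template (`database.uri: postgresql://`, `issuer: http://[::]:8080/`, `homeserver: localhost:8008`), so a header comment stating whether it is reference material or something that gets deployed would help the next reader. In `trusted_proxies`, `10.0.0.0/10` covers only 10.0.0.0–10.63.255.255 rather than the whole 10/8 private range, and `127.0.0.1/8` is the non-canonical spelling of `127.0.0.0/8`; if Traefik's pod address falls outside the listed ranges, MAS will ignore its `X-Forwarded-For` and log the proxy's address instead of the client's.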

+ 1 - 0
dezendorf/homelab/k3s/matrix/configsync

@@ -0,0 +1 @@
+kubectl exec -it $(kubectl get pods | grep matrix | awk '{print $1}') -c matrix-id-service -- mas-cli config sync --prune
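Review bot: Pod selection via `$(kubectl get pods | grep matrix | awk '{print $1}')` is fragile: the unquoted substitution expands to several words whenever more than one pod name contains `matrix`, which is exactly the situation mid-rollout when the old and new pod coexist, and `kubectl exec` then receives extra positional arguments. `kubectl exec -it deployment/matrix -c matrix-id-service -- mas-cli config sync --prune` lets kubectl resolve a pod from the deployment, or select with `kubectl get pods -l app=matrix -o name` using the label the manifests already define. As I read it, `--prune` removes clients and upstream providers that are absent from the mounted config, so running this against the wrong pod or one whose ConfigMap has not yet been refreshed is destructive; the script also deserves a `#!/bin/sh` line and `set -eu` so a failed lookup stops it.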

+ 210 - 0
dezendorf/homelab/k3s/matrix/matrix-sleep.yaml

@@ -0,0 +1,210 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: matrix
+  labels:
+    app: matrix
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: matrix
+  template:
+    metadata:
+      labels:
+        app: matrix
+    spec:
+      containers:
+      - name: matrix
+        image: ghcr.io/element-hq/synapse
+        command: ["/bin/bash", "-c", "--"]
+        args: ["while true; do sleep 3; done;"] 
+        env:
+        - name: SYNAPSE_SERVER_NAME
+          value: "matrix.dezendorf.net"
+        - name: SYNAPSE_CONFIG_PATH
+          value: "/data/homeserver.yaml"
+        ports:
+        - name: web
+          containerPort: 8008
+        volumeMounts:
+          - name: "matrix-homeserver-yaml"
+            mountPath: "/data/homeserver.yaml"
+            subPath: "homeserver-yaml"
+            readOnly: no
+          - name: "matrix-homeserver-yaml"
+            mountPath: "/homeserver.log"
+            subPath: "homeserver-log"
+            readOnly: no
+          - name: "matrix-homeserver-yaml"
+            mountPath: "/data/matrix.dezendorf.net.log.config"
+            subPath: "homeserver-log-config"
+            readOnly: no
+          - name: "matrix-data-volume"
+            mountPath: "/data"
+            readOnly: no
+          - name: "matrix-media-volume"
+            mountPath: "/data/media_store"
+      volumes:
+        - name: "matrix-media-volume"
+          persistentVolumeClaim:
+            claimName: "matrix-media-pvc"
+        - name: "matrix-data-volume"
+          persistentVolumeClaim:
+            claimName: "matrix-data-pvc"
+        - name: "matrix-homeserver-yaml"
+          configMap:
+            defaultMode: 0777
+            name: "matrix-homeserver-yaml"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: matrix-data-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 50G
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: matrix-media-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nfs
+  resources:
+    requests:
+      storage: 100G
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix
+spec:
+  type: ClusterIP
+  ports:
+    - name: web
+      port: 8008
+  selector:
+    app: matrix
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: matrix-ingress-route
+  namespace: default
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: ((Host(`matrix`)||Host(`matrix.dezendorf.net`)))
+    kind: Rule
+    priority: 1
+    services:
+    - name: matrix
+      port: 8008
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: matrix-websecure-route
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`matrix.dezendorf.net`)
+    kind: Rule
+    services:
+    - name: matrix
+      port: 8008
+  tls:
+    certResolver: myresolver
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-homeserver-yaml
+  namespace: default
+data:
+  homeserver-log: |
+
+  homeserver-yaml: |
+    # Configuration file for Synapse.
+    #
+    # This is a YAML file: see [1] for a quick introduction. Note in particular
+    # that *indentation is important*: all the elements of a list or dictionary
+    # should have the same indentation.
+    #
+    # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+    #
+    # For more information on how to configure Synapse, including a complete accounting of
+    # each option, go to docs/usage/configuration/config_documentation.md or
+    # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+    server_name: "matrix.dezendorf.net"
+    pid_file: /data/homeserver.pid
+    listeners:
+      - port: 8008
+        tls: false
+        type: http
+        x_forwarded: true
+          #bind_addresses: ['::1', '127.0.0.1']
+        resources:
+          - names: [client, federation]
+            compress: false
+    database:
+      name: sqlite3
+      args:
+        database: /data/homeserver.db
+    log_config: "/data/matrix.dezendorf.net.log.config"
+    media_store_path: /data/media_store
+    registration_shared_secret: "9.^i#+7YXwrC^bzKMqkenOZb;9ra6jV0zgZMvO:EBQ.CipL47k"
+    report_stats: false
+    macaroon_secret_key: ".ughvXa0Or.Xv7o5y550cXnTlv.J8*Mq@JAA^1QXuu2bpR@Lpd"
+    form_secret: "iESBV0d@Tg;4~:v5KT3-UX.Kva@.cbJZ9SNU:nWKubPo:X^*Y-"
+    signing_key_path: "/data/matrix.dezendorf.net.signing.key"
+    enable_registration: true
+    enable_registration_captcha: true
+    public_baseurl: "https://matrix.dezendorf.net"
+    recaptcha_public_key: "6LddQ7EqAAAAACWLD1ZKUBKrLHoFvGWhFiNmrgPh"
+    recaptcha_private_key: "6LddQ7EqAAAAAOX7Qrn2PL-s2r5Zo4c_aTi4uzkh"
+    trusted_key_servers:
+      - server_name: "matrix.org"
+
+  homeserver-log-config: |
+    version: 1
+
+    formatters:
+      precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+    
+    handlers:
+      console:
+        class: logging.StreamHandler
+        formatter: precise
+
+    loggers:
+      # This is just here so we can leave `loggers` in the config regardless of whether
+      # we configure other loggers below (avoid empty yaml dict error).
+      _placeholder:
+        level: "INFO"
+        handlers: [console]
+    
+      synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+        handlers: [console]
+
+    root:
+      level: INFO
+      handlers: [console]
+    disable_existing_loggers: false
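Review bot: The `matrix-homeserver-yaml` ConfigMap carries `registration_shared_secret`, `macaroon_secret_key`, `form_secret` and `recaptcha_private_key`, yet it is mounted with `defaultMode: 0777` and `readOnly: no`; a config file needs neither write nor execute bits, so `defaultMode: 0440` with `readOnly: true` on the three subPath mounts is the least that should change, and those values belong in a Kubernetes `Secret` rather than a ConfigMap (the same applies to the `matrix-auth-files` volume added in matrix.yaml). `readOnly: no` is also a YAML 1.1 truthy spelling; Kubernetes reads it as `false`, but writing `readOnly: false` / `true` explicitly removes the ambiguity. This manifest reuses the names `matrix`, `matrix-data-pvc`, `matrix-media-pvc` and `matrix-homeserver-yaml` from matrix.yaml, so applying it replaces the running Synapse deployment with the sleep loop — presumably intended for debugging, but a header comment such as `# Debug variant of matrix.yaml: swaps the Synapse command for a sleep loop; do not apply in normal operation` would make that explicit. The `#bind_addresses` comment inside `homeserver-yaml` is indented deeper than its sibling keys; harmless inside the block scalar, but it reads as if it were nested under `x_forwarded`.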

+ 261 - 2
dezendorf/homelab/k3s/matrix/matrix.yaml

@@ -15,6 +15,10 @@ spec:
       labels:
         app: matrix
     spec:
+      dnsPolicy: ClusterFirst
+      dnsConfig:
+        nameservers:
+          - 8.8.8.8
       containers:
       - name: matrix
         image: ghcr.io/element-hq/synapse
@@ -46,6 +50,17 @@ spec:
             readOnly: no
           - name: "matrix-media-volume"
             mountPath: "/data/media_store"
+      - name: matrix-id-service
+        image: ghcr.io/element-hq/matrix-authentication-service:latest
+        volumeMounts:
+          - name: "matrix-auth-volume"
+            mountPath: "/data"
+            readOnly: no
+          - name: "matrix-auth-files"
+            mountPath: "/config.yaml"
+            subPath: "config-yaml"
+            readOnly: no
+
       volumes:
         - name: "matrix-media-volume"
           persistentVolumeClaim:
@@ -53,6 +68,13 @@ spec:
         - name: "matrix-data-volume"
           persistentVolumeClaim:
             claimName: "matrix-data-pvc"
+        - name: "matrix-auth-volume"
+          persistentVolumeClaim:
+            claimName: "matrix-auth-pvc"
+        - name: "matrix-auth-files"
+          configMap:
+            defaultMode: 0777
+            name: "matrix-auth-files"
         - name: "matrix-homeserver-yaml"
           configMap:
             defaultMode: 0777
@@ -83,6 +105,19 @@ spec:
       storage: 100G
 ---
 apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: matrix-auth-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 50G
+
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: matrix
@@ -94,6 +129,19 @@ spec:
   selector:
     app: matrix
 
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-auth
+spec:
+  type: ClusterIP
+  ports:
+    - name: web
+      port: 8080
+  selector:
+    app: matrix
+
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
@@ -120,6 +168,12 @@ spec:
   entryPoints:
     - websecure
   routes:
+  - match: (Host(`matrix.dezendorf.net`) && PathPrefix(`/_matrix/client/{id:.*}/{method:(login|logout|refresh)}`))
+    kind: Rule
+    services:
+    - name: matrix-auth
+      port: 8080
+
   - match: Host(`matrix.dezendorf.net`)
     kind: Rule
     services:
@@ -127,6 +181,39 @@ spec:
       port: 8008
   tls:
     certResolver: myresolver
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: matrix-auth-ingress-route
+  namespace: default
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: ((Host(`matrix-auth`)||Host(`matrix-auth.dezendorf.net`)))
+    kind: Rule
+    priority: 1
+    services:
+    - name: matrix-auth
+      port: 8080
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: matrix-auth-websecure-route
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`matrix-auth.dezendorf.net`)
+    kind: Rule
+    services:
+    - name: matrix-auth
+      port: 8080
+  tls:
+    certResolver: myresolver
 
 ---
 apiVersion: v1
@@ -171,13 +258,43 @@ data:
     macaroon_secret_key: ".ughvXa0Or.Xv7o5y550cXnTlv.J8*Mq@JAA^1QXuu2bpR@Lpd"
     form_secret: "iESBV0d@Tg;4~:v5KT3-UX.Kva@.cbJZ9SNU:nWKubPo:X^*Y-"
     signing_key_path: "/data/matrix.dezendorf.net.signing.key"
-    enable_registration: true
-    enable_registration_captcha: true
+    enable_registration: false
+    enable_registration_captcha: false
     public_baseurl: "https://matrix.dezendorf.net"
     recaptcha_public_key: "6LddQ7EqAAAAACWLD1ZKUBKrLHoFvGWhFiNmrgPh"
     recaptcha_private_key: "6LddQ7EqAAAAAOX7Qrn2PL-s2r5Zo4c_aTi4uzkh"
     trusted_key_servers:
       - server_name: "matrix.org"
+    #oidc_providers:
+    #      - idp_id: google
+    #    idp_name: Google
+    #    idp_brand: "google"  # optional: styling hint for clients
+    #    issuer: "https://accounts.google.com/"
+    #    client_id: "743600892864-394ileehj9l1vfvvip3l3meqb0it6g50.apps.googleusercontent.com"
+    #    client_secret: "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"
+    #    scopes: ["openid", "profile", "email"] # email is optional, read below
+    #    user_mapping_provider:
+    #      config:
+    #        localpart_template: "{{ user.given_name|lower }}"
+    #        display_name_template: "{{ user.name }}"
+    #        email_template: "{{ user.email }}" # needs "email" in scopes above
+    experimental_features:
+      msc3861:
+        enabled: true
+
+        # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
+        issuer: https://matrix-auth.dezendorf.net
+
+        # Matches the `client_id` in the auth service config
+        client_id: 0000000000000000000SYNAPSE
+        # Matches the `client_auth_method` in the auth service config
+        client_auth_method: client_secret_basic
+        # Matches the `client_secret` in the auth service config
+        client_secret: "SomeRandomSecret"
+
+        # Matches the `matrix.secret` in the auth service config
+        admin_token: "AnotherRandomSecret"
+        introspection_endpoint: "https://matrix-auth.dezendorf.net/oauth2/introspect"
 
   homeserver-log-config: |
     version: 1
@@ -208,3 +325,145 @@ data:
       level: INFO
       handlers: [console]
     disable_existing_loggers: false
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-auth-files
+  namespace: default
+data:
+  config-yaml: |
+    http:
+      listeners:
+      - name: web
+        resources:
+        - name: discovery
+        - name: human
+        - name: oauth
+        - name: compat
+        - name: graphql
+        - name: assets
+        binds:
+        - address: '0.0.0.0:8080'
+        proxy_protocol: false
+      - name: internal
+        resources:
+        - name: health
+        binds:
+        - host: localhost
+          port: 8081
+        proxy_protocol: false
+      trusted_proxies:
+      - 192.168.0.0/16
+      - 172.16.0.0/12
+      - 10.0.0.0/10
+      - 127.0.0.1/8
+      - fd00::/8
+      - ::1/128
+      public_base: https://matrix-auth.dezendorf.net
+      issuer: https://matrix-auth.dezendorf.net
+    database:
+      host: postgres
+      port: 5432
+      username: mas_user
+      password: "Bee1701Charming1!"
+      database: mas
+      max_connections: 10
+      min_connections: 0
+      connect_timeout: 30
+      idle_timeout: 600
+      max_lifetime: 1800
+    email:
+      from: '"Authentication Service" <breandan@dezendorf.com>'
+      reply_to: '"Authentication Service" <breandan@dezendorf.com>'
+      transport: blackhole
+    secrets:
+      encryption: 3c181674eb46ae497285dae790f6db7a4c2e8844b00d8ae643fd135c85032d63
+      keys:
+      - kid: Lg9L19ltKs
+        key: |
+          -----BEGIN RSA PRIVATE KEY-----
+          MIIEowIBAAKCAQEA0Hx3fsKShaNEz3JLmeGMoHPK46lOJMUqtAi/4c0I4+Dl/sy+
+          M0B8+6qUD9R5+KR0Lheohfq0o1HnWtwRv3drh7hkGl1CSfV28qOen9USEzAckxwq
+          Yak/hMzeQLXnmlKNKjtolBBdGoQC6DfC8wqrvoJ8Qfopy4oPC5096GYaQrPgfji6
+          2JARDMoclstK/0ms4VH8E44RkTl+aMu8SFkaPIpKYZZ+tqifYjNQfa43BB02QZVm
+          Khz6eS/w0f/wOjybP+EBajvsYgfQDSHhNVAS5TkrfJlUnfxF1jEGxsoHc6E0pevW
+          Fc+EAll2ZHr9MDYLIze8hQLZcGXVzQXRaa9hbQIDAQABAoIBAGsuUdBc/y6szQdI
+          3wzxI3apkLiRpZbJtjZv+RWAbv2X9SWU5IM8uAQ5oXyx4zKseP3pM74NMSh1Rtcz
+          I/ymzCUt6miTYSzcgJYk/7tzsqMirM4EQNWMSRdgqzHhUnvHzMLVX+Iet36WN1hi
+          slp4Neru8iqJDUuSYkG6SMVdGEsJeEBGnOlX0UANIGDzx+d0xqfyKlqCd3iucqc9
+          rIl5pKogqHCbww+AY4F60A5fqZRlVOliZybFKzODXmYJbsT2nHXNUKmdpRaw/UAq
+          X4253k/cZ+PhJ1l9TzYPuGSfLpLIedyfmEP8FuTD0nk+wZuR1bTVOmLYxAc59cPu
+          gHa6dRECgYEA1mdWmqW3RxnevPY0UQ7M36SmmLpzyyuH//alXQ0VMKzRfOsw1Yvu
+          tKfguqzyf9Sl/bQQPoadtrRRz2cN2mtZTyUAfnI+umQraXDgo6Garwp/p3NzQbcb
+          CFHB/1gKwW9XJxdQsDdFsJDL5eav/augwjKwNtRrSgtlH1OZR6Eo6SMCgYEA+O86
+          psduumOB4FNj8KUblsRtu9EeRZVGLnBS5j5ZSvE2ZbD2fF+NrBqmlGiElUQztUua
+          XXSovHROiiQpZO7pXXTL2yWXY3/ONS7Ad7fN+klVna9rtcH6TyZn7cdBNaaA99ke
+          WP5TpNBzGRG8kfbGFhotBJR0X6WxvotiWoNMXC8CgYAWdx+A9so8ff5zyEx1Ddrz
+          uBnouOi3KimG7X4oQN2uiv0sXKxyQ8ZQUaLfjI2gTVTTP5HQK2TNJxnHZKHz9/mU
+          rGjf1vKxrxtJYhV3r9A4dR4pGpTCFwCTH5X3Pm9qE1OLegrvW+tGc/WZclGQf/JJ
+          Ruxl4l4XlRgUbzsJYV6bBwKBgQCILP4tvA1jowmqOJQEUZ3dBQluZAAmWnlw7/s5
+          fsQEDh4O1RaRhQgQLOgRaXeV3CBZPcls9GNV7F4Gja+jSlqYyEq4UEEXqhOY3kFl
+          fEQOdc2DHDJU1I9kewMBfS279qC4dKp4TnBdSbac8Snxw0grURhtV/StWgv4y3D7
+          SLYd+wKBgHXJhL3lu4mFkg1ZXdDnlnGwsN26uIVLO38kgFx4VUVzXMkyNEenj4qi
+          Ah7Lqh7I0kYcbeU03N+YPCGhRw7J5VCfH2PfpaG/OYBrD5EDqUhXEcqKHF58DKuL
+          CZWqwhnlyPETPr01Cw+Ew7CHLtWQDsRmP7fOf0jBEGPnT0D/4mLJ
+          -----END RSA PRIVATE KEY-----
+      - kid: VlpwvY6SAD
+        key: |
+          -----BEGIN EC PRIVATE KEY-----
+          MHcCAQEEIIZmVwBwGDR+9/tqIcbjt6rTQ/8Bw78N7vkCoh8bsvC7oAoGCCqGSM49
+          AwEHoUQDQgAE6Cg0wMq2xaXRUQJd5JsDycuJzDsUq/2n+XLnyjEr3eUIxVzSYv+a
+          BN7y0dHUINthfc0TaTeS5RhXe8GcM2Albw==
+          -----END EC PRIVATE KEY-----
+      - kid: W3O3m4ayPx
+        key: |
+          -----BEGIN EC PRIVATE KEY-----
+          MIGkAgEBBDBbjf34M6QuUQ8+u7VouyRXeW4oJn+FjPx8obOYW/8FbJIZkNCgxnKN
+          wdR+LMulXjKgBwYFK4EEACKhZANiAASKeEoUVrElar/cN2iuUg/8Qf0KgoUnRBWI
+          Jx1doGFjAzb+HUr5KkPNaGQcbeIPqYPIOSYY27PgPBexBtb/NLjhFaK8w6qUVDOK
+          CU2Mb8op7dH+4cfe7l0ZBGy+lhY0jOQ=
+          -----END EC PRIVATE KEY-----
+      - kid: 3Rhruz5OEl
+        key: |
+          -----BEGIN EC PRIVATE KEY-----
+          MHQCAQEEIN8MzvjgVLEWxi32tKjgY9/bMUYpqdnQ4A6iO6o2ufTnoAcGBSuBBAAK
+          oUQDQgAEWvxNlx7qxzIyMIyGsltEuXAnnJ4NoYyUQoZzGaAgOAqeuRMg+qvb3tHC
+          aW9EU5Vc7RkqugaLUF2K2jcFMbxGPw==
+          -----END EC PRIVATE KEY-----
+    passwords:
+      enabled: true
+      schemes:
+      - version: 1
+        algorithm: argon2id
+      minimum_complexity: 3
+    matrix:
+      homeserver: matrix.dezendorf.net
+      secret: yvuN4UMz6ZHWWp4WVNxWbBneWSlNLwYy
+      endpoint: https://matrix.dezendorf.net
+    clients:
+      - client_id: 0000000000000000000SYNAPSE
+        client_auth_method: client_secret_basic
+        client_secret: "SomeRandomSecret"
+    upstream_oauth2:
+      providers:
+      - id: 01JNE805N1CE31RTW79FYC68VA
+        human_name: Google
+        brand_name: "google"
+        issuer: "https://accounts.google.com"
+        client_id: "743600892864-394ileehj9l1vfvvip3l3meqb0it6g50.apps.googleusercontent.com"
+        client_secret: "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"
+        token_endpoint_auth_method: client_secret_post
+        scope: "openid profile email"
+        claims_imports:
+          localpart:
+            action: ignore
+          displayname:
+            action: suggest
+            template: "{{ user.name }}"
+          email:
+            action: suggest
+            template: "{{ user.email }}"
+          account_name:
+            template: "{{ user.email }}"
+    
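Review bot: In the `experimental_features.msc3861` block, `admin_token: "AnotherRandomSecret"` does not match `matrix.secret: yvuN4UMz6ZHWWp4WVNxWbBneWSlNLwYy` in the `matrix-auth-files` ConfigMap later in this file, even though the comment directly above it says the two must match; as that comment indicates, this is the token MAS presents when it calls Synapse's admin API, so provisioning calls from the auth service are likely to be rejected until one side is changed. Both `client_secret: "SomeRandomSecret"` and `admin_token: "AnotherRandomSecret"` appear to be the placeholder strings from the MAS setup documentation and should be replaced with generated values on both sides (`clients[0].client_secret` and `matrix.secret` in the MAS config). More broadly, this ConfigMap now carries the database password, the `secrets.encryption` key, four private signing keys and the Google `client_secret`; everything in this commit has to be treated as exposed and rotated, and those values belong in a Kubernetes `Secret` (and out of git) rather than a ConfigMap mounted with `defaultMode: 0777`. Separately, the new `matrix-auth-ingress-route` serves the authentication service on the plaintext `web` entryPoint without a redirect-to-HTTPS middleware, so a login form reached via `http://matrix-auth.dezendorf.net` submits credentials in cleartext; the MAS `issuer` is `https://`, so that route should redirect rather than proxy. The `dnsConfig.nameservers: [8.8.8.8]` addition also sends any lookup that cluster DNS cannot answer to a public resolver; if it works around a resolution problem, fixing it in CoreDNS keeps internal hostnames from leaving the homelab.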

+ 3 - 0
dezendorf/homelab/k3s/matrix/reload

@@ -0,0 +1,3 @@
+kubectl apply -f matrix.yaml
+kubectl rollout restart deployment matrix
+kubectl get pods | grep matrix
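Review bot: `kubectl rollout restart deployment matrix` returns as soon as the restart is recorded, so the `kubectl get pods | grep matrix` on the next line mostly shows the old pod terminating rather than the outcome. Inserting `kubectl rollout status deployment/matrix` between the two lines waits for the new pod to become ready and exits non-zero if it does not. With `#!/bin/sh` and `set -e` at the top, a failed `kubectl apply` would also stop the script instead of restarting the deployment with the previous config.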

+ 5 - 0
dezendorf/homelab/k3s/matrix/restart

@@ -0,0 +1,5 @@
+kubectl scale deployment matrix --replicas=0
+sleep 10
+kubectl apply -f matrix.yaml
+sleep 15
+./configsync
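Review bot: The fixed `sleep 10` and `sleep 15` are timing guesses: nothing confirms the old pod is gone before `kubectl apply` (which presumably restores `replicas: 1`), and nothing confirms the new pod is ready before `./configsync` execs into it, so on a slow node configsync either fails or, during the overlap, lands on the terminating pod. `kubectl wait --for=delete pod -l app=matrix --timeout=60s` can replace the first sleep and `kubectl rollout status deployment/matrix --timeout=120s` the second; both wait for the actual state and fail loudly. Without a shebang and `set -e`, a failed `kubectl apply` still falls through to `./configsync`, which runs `mas-cli config sync --prune` against whatever pod is left.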