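---
# Matrix homeserver (Synapse) plus the Matrix Authentication Service (MAS),
# run as two containers in one pod and published through Traefik.
#
# NOTE(review): every credential in this manifest (both database passwords,
# the Synapse signing key, macaroon/form/registration secrets, the MAS
# encryption secret and its four signing keys, the Synapse<->MAS client
# secret and admin token, the Google OAuth client secret) was committed in
# clear text and must be treated as compromised: rotate all of them and
# source them from a secrets manager (sealed-secrets, external-secrets, SOPS)
# instead of this file. Moving them from ConfigMaps into Secrets below only
# narrows who can read them through the API; it does not undo the exposure.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix
  # Namespace is explicit everywhere: the IngressRoutes below are pinned to
  # "default" and resolve their Services in that namespace.
  namespace: default
  labels:
    app: matrix
spec:
  replicas: 1
  selector:
    matchLabels:
      app: matrix
  template:
    metadata:
      labels:
        app: matrix
    spec:
      dnsPolicy: ClusterFirst
      # NOTE(review): with ClusterFirst this public resolver is appended after
      # cluster DNS, so lookups that fall through to it leave the cluster.
      # Drop it unless cluster DNS really cannot resolve federation peers.
      dnsConfig:
        nameservers:
          - 8.8.8.8
      # TODO(review): no securityContext (runAsNonRoot, readOnlyRootFilesystem,
      # dropped capabilities) and no resource limits on either container. The
      # Synapse image appears to start as root and switch user itself, so
      # confirm the UID each service settles on before pinning
      # runAsUser/fsGroup here.
      containers:
        - name: matrix
          # TODO(review): unpinned image resolves to :latest; pin to a release
          # tag (ideally a digest) so upgrades are deliberate and reproducible.
          image: ghcr.io/element-hq/synapse
          #command: ["/bin/bash", "-c", "--"]
          #args: ["while true; do sleep 3; done;"]
          env:
            - name: SYNAPSE_SERVER_NAME
              value: "matrix.dezendorf.net"
            - name: SYNAPSE_CONFIG_PATH
              value: "/data/homeserver.yaml"
          ports:
            - name: web
              containerPort: 8008
          volumeMounts:
            # Persistent state; the Secret-backed files below are layered on
            # top of it via subPath.
            - name: matrix-data-volume
              mountPath: /data
              readOnly: false
            - name: matrix-media-volume
              mountPath: /data/media_store
            # Config and key material is read-only and comes from a Secret,
            # not a ConfigMap. (The former /homeserver.log mount was an empty
            # ConfigMap key that nothing wrote to: the log config below sends
            # everything to stdout.)
            - name: matrix-homeserver-yaml
              mountPath: /data/homeserver.yaml
              subPath: homeserver-yaml
              readOnly: true
            - name: matrix-homeserver-yaml
              mountPath: /data/matrix.dezendorf.net.log.config
              subPath: homeserver-log-config
              readOnly: true
            - name: matrix-homeserver-yaml
              mountPath: /data/matrix.dezendorf.net.signing.key
              subPath: matrix-dezendorf-net-signing-key
              readOnly: true
        - name: matrix-id-service
          # TODO(review): :latest is unpinned; pin to a release tag/digest.
          image: ghcr.io/element-hq/matrix-authentication-service:latest
          # Declared for clarity; the matrix-auth Service targets this port.
          ports:
            - name: web
              containerPort: 8080
          volumeMounts:
            - name: matrix-auth-volume
              mountPath: /data
              readOnly: false
            - name: matrix-auth-files
              mountPath: /config.yaml
              subPath: config-yaml
              readOnly: true
      volumes:
        - name: matrix-media-volume
          persistentVolumeClaim:
            claimName: matrix-media-pvc
        - name: matrix-data-volume
          persistentVolumeClaim:
            claimName: matrix-data-pvc
        - name: matrix-auth-volume
          persistentVolumeClaim:
            claimName: matrix-auth-pvc
        # 0444 replaces 0777: no write/exec bits on key material. Secret
        # volume files are owned by root, so 0400 would also need
        # runAsUser/fsGroup to match the UID each service runs as (see TODO
        # above). Delete the old ConfigMaps of the same names after migrating.
        - name: matrix-auth-files
          secret:
            secretName: matrix-auth-files
            defaultMode: 0444
        - name: matrix-homeserver-yaml
          secret:
            secretName: matrix-homeserver-yaml
            defaultMode: 0444
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: matrix-data-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 50G
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: matrix-media-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: nfs
  resources:
    requests:
      storage: 100G
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: matrix-auth-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 50G
---
# Synapse client/federation listener.
apiVersion: v1
kind: Service
metadata:
  name: matrix
  namespace: default
spec:
  type: ClusterIP
  ports:
    - name: web
      port: 8008
  selector:
    app: matrix
---
# MAS listener; it selects the same pod because both containers share it.
apiVersion: v1
kind: Service
metadata:
  name: matrix-auth
  namespace: default
spec:
  type: ClusterIP
  ports:
    - name: web
      port: 8080
  selector:
    app: matrix
---
# Sends plain-HTTP requests for the public names to HTTPS so that login,
# token and session traffic is never served in clear text.
# NOTE(review): traefik.containo.us/v1alpha1 is the legacy API group; newer
# Traefik releases use traefik.io/v1alpha1 — check the installed version.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: matrix-redirect-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: matrix-ingress-route
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    # Public name: redirect to the websecure route below.
    - match: Host(`matrix.dezendorf.net`)
      kind: Rule
      priority: 1
      middlewares:
        - name: matrix-redirect-https
      services:
        - name: matrix
          port: 8008
    # Bare host name has no certificate, so it stays on plain HTTP as before;
    # anything reaching it should be on a trusted LAN only.
    - match: Host(`matrix`)
      kind: Rule
      priority: 1
      services:
        - name: matrix
          port: 8008
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: matrix-websecure-route
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    # Legacy login/logout/refresh endpoints are answered by MAS (compat
    # resource); everything else goes to Synapse. No explicit priorities are
    # set, so Traefik's default rule-length ordering is what makes the longer
    # compat rule win over the catch-all — keep that in mind when editing.
    - match: (Host(`matrix.dezendorf.net`) && PathPrefix(`/_matrix/client/{id:.*}/{method:(login|logout|refresh)}`))
      kind: Rule
      services:
        - name: matrix-auth
          port: 8080
    - match: Host(`matrix.dezendorf.net`)
      kind: Rule
      services:
        - name: matrix
          port: 8008
  tls:
    certResolver: myresolver
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: matrix-auth-ingress-route
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`matrix-auth.dezendorf.net`)
      kind: Rule
      priority: 1
      middlewares:
        - name: matrix-redirect-https
      services:
        - name: matrix-auth
          port: 8080
    - match: Host(`matrix-auth`)
      kind: Rule
      priority: 1
      services:
        - name: matrix-auth
          port: 8080
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: matrix-auth-websecure-route
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`matrix-auth.dezendorf.net`)
      kind: Rule
      services:
        - name: matrix-auth
          port: 8080
  tls:
    certResolver: myresolver
---
# Synapse configuration. A Secret (not a ConfigMap) because it carries the
# signing key and several shared secrets.
apiVersion: v1
kind: Secret
metadata:
  name: matrix-homeserver-yaml
  namespace: default
type: Opaque
stringData:
  # NOTE(review): this key is public now. Generate a fresh one and move this
  # one to old_signing_keys in homeserver.yaml so past events still verify.
  matrix-dezendorf-net-signing-key: |
    ed25519 a_xHsH bCSbSZVaDAz5pgKweKO3nIgXK8PL5rOhfbWbwkh63kg
  homeserver-yaml: |
    # Configuration file for Synapse.
    #
    # This is a YAML file: indentation is significant; all elements of a list
    # or dictionary must share the same indentation.
    #
    # Full option reference:
    # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
    server_name: "matrix.dezendorf.net"
    pid_file: /data/homeserver.pid
    listeners:
      - port: 8008
        tls: false
        type: http
        # Traefik terminates TLS. No bind_addresses are set, so the listener
        # accepts connections from any in-cluster client and trusts their
        # X-Forwarded-* headers; a NetworkPolicy restricting ingress to the
        # Traefik pods is the missing control here.
        x_forwarded: true
        #bind_addresses: ['::1', '127.0.0.1']
        resources:
          - names: [client, federation]
            compress: false
    database:
      name: psycopg2
      args:
        user: synapse_user
        # NOTE(review): identical to the MAS database password; rotate and
        # give each role its own credential.
        password: "Bee1701Charming1!"
        dbname: synapse
        host: postgres-mas
        cp_min: 5
        cp_max: 10
    log_config: "/data/matrix.dezendorf.net.log.config"
    media_store_path: /data/media_store
    # Still enables the admin registration API even with registration
    # disabled below — keep it secret.
    registration_shared_secret: "9.^i#+7YXwrC^bzKMqkenOZb;9ra6jV0zgZMvO:EBQ.CipL47k"
    report_stats: false
    macaroon_secret_key: ".ughvXa0Or.Xv7o5y550cXnTlv.J8*Mq@JAA^1QXuu2bpR@Lpd"
    form_secret: "iESBV0d@Tg;4~:v5KT3-UX.Kva@.cbJZ9SNU:nWKubPo:X^*Y-"
    signing_key_path: "/data/matrix.dezendorf.net.signing.key"
    enable_registration: false
    enable_registration_captcha: false
    # reCAPTCHA keys removed: captcha is disabled and the private key is
    # secret material. Re-add them (from a Secret) only if captcha is enabled.
    public_baseurl: "https://matrix.dezendorf.net"
    trusted_key_servers:
      - server_name: "matrix.org"
    # Upstream Google login is configured in MAS (upstream_oauth2), not here.
    # The previous commented-out oidc_providers block still contained a live
    # Google client_secret and has been removed; rotate that credential too.
    experimental_features:
      msc4108_enabled: true
      # Authentication is delegated to MAS (MSC3861).
      msc3861:
        enabled: true
        # Synapse fetches `{issuer}/.well-known/openid-configuration`; this
        # must match MAS's public issuer, so it stays on the public name.
        issuer: https://matrix-auth.dezendorf.net
        # Matches `clients[].client_id` in the MAS config.
        client_id: 01JNKPPJSBJR4X9DCM2F631H2E
        # Matches `client_auth_method` in the MAS config.
        client_auth_method: client_secret_basic
        # Matches `client_secret` in the MAS config.
        # NOTE(review): this value is the same string as the Google OAuth
        # client secret in the MAS upstream_oauth2 config. Generate a distinct
        # secret for the Synapse<->MAS pair so one leak does not expose both.
        client_secret: "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"
        # Matches `matrix.secret` in the MAS config.
        admin_token: "yvuN4UMz6ZHWWp4WVNxWbBneWSlNLwYy"
        # MAS runs in the same pod and binds 0.0.0.0:8080, so introspection
        # stays on the pod loopback instead of hairpinning the client secret
        # out through Traefik (previously the public HTTPS URL).
        introspection_endpoint: "http://127.0.0.1:8080/oauth2/introspect"
  homeserver-log-config: |
    version: 1
    formatters:
      precise:
        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
    handlers:
      console:
        class: logging.StreamHandler
        formatter: precise
    loggers:
      # Placeholder so `loggers` can stay in the config even when no other
      # logger is configured (avoids an empty-dict error).
      _placeholder:
        level: "INFO"
        handlers: [console]
      synapse.storage.SQL:
        # beware: increasing this to DEBUG will make synapse log sensitive
        # information such as access tokens.
        level: INFO
        handlers: [console]
    root:
      level: INFO
      handlers: [console]
    disable_existing_loggers: false
---
# MAS configuration. A Secret because it embeds the encryption secret, four
# private signing keys, the database password and OAuth client secrets.
apiVersion: v1
kind: Secret
metadata:
  name: matrix-auth-files
  namespace: default
type: Opaque
stringData:
  config-yaml: |
    http:
      listeners:
        - name: web
          # NOTE(review): `graphql` is exposed on the public listener; confirm
          # that is intended and that it requires authentication.
          resources:
            - name: discovery
            - name: human
            - name: oauth
            - name: compat
            - name: graphql
            - name: assets
          binds:
            - address: '0.0.0.0:8080'
          proxy_protocol: false
        - name: internal
          resources:
            - name: health
          binds:
            - host: localhost
              port: 8081
          proxy_protocol: false
      # NOTE(review): every RFC1918 range is trusted for X-Forwarded-For, so
      # any pod in the cluster can spoof a client address to MAS (rate limits,
      # audit logs). Narrow this to Traefik's source addresses. 10.0.0.0/10
      # (rather than /8) and 127.0.0.1/8 (host bits set) look like typos —
      # confirm.
      trusted_proxies:
        - 192.168.0.0/16
        - 172.16.0.0/12
        - 10.0.0.0/10
        - 127.0.0.1/8
        - fd00::/8
        - ::1/128
      public_base: https://matrix-auth.dezendorf.net
      issuer: https://matrix-auth.dezendorf.net
    database:
      host: postgres-mas
      port: 5432
      username: mas_user
      # NOTE(review): same password as the Synapse database role; rotate and
      # use distinct credentials per role.
      password: "Bee1701Charming1!"
      database: mas
      max_connections: 10
      min_connections: 0
      connect_timeout: 30
      idle_timeout: 600
      max_lifetime: 1800
    email:
      # NOTE(review): the mailbox address part appears to be missing from both
      # values (only the display name survived) — verify against the source.
      # With the blackhole transport no mail is delivered, so email
      # verification flows cannot complete.
      from: '"Authentication Service" '
      reply_to: '"Authentication Service" '
      transport: blackhole
    secrets:
      # NOTE(review): all of the following must be regenerated (see the note
      # at the top of the manifest).
      encryption: 3c181674eb46ae497285dae790f6db7a4c2e8844b00d8ae643fd135c85032d63
      keys:
        - kid: Lg9L19ltKs
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIEowIBAAKCAQEA0Hx3fsKShaNEz3JLmeGMoHPK46lOJMUqtAi/4c0I4+Dl/sy+
            M0B8+6qUD9R5+KR0Lheohfq0o1HnWtwRv3drh7hkGl1CSfV28qOen9USEzAckxwq
            Yak/hMzeQLXnmlKNKjtolBBdGoQC6DfC8wqrvoJ8Qfopy4oPC5096GYaQrPgfji6
            2JARDMoclstK/0ms4VH8E44RkTl+aMu8SFkaPIpKYZZ+tqifYjNQfa43BB02QZVm
            Khz6eS/w0f/wOjybP+EBajvsYgfQDSHhNVAS5TkrfJlUnfxF1jEGxsoHc6E0pevW
            Fc+EAll2ZHr9MDYLIze8hQLZcGXVzQXRaa9hbQIDAQABAoIBAGsuUdBc/y6szQdI
            3wzxI3apkLiRpZbJtjZv+RWAbv2X9SWU5IM8uAQ5oXyx4zKseP3pM74NMSh1Rtcz
            I/ymzCUt6miTYSzcgJYk/7tzsqMirM4EQNWMSRdgqzHhUnvHzMLVX+Iet36WN1hi
            slp4Neru8iqJDUuSYkG6SMVdGEsJeEBGnOlX0UANIGDzx+d0xqfyKlqCd3iucqc9
            rIl5pKogqHCbww+AY4F60A5fqZRlVOliZybFKzODXmYJbsT2nHXNUKmdpRaw/UAq
            X4253k/cZ+PhJ1l9TzYPuGSfLpLIedyfmEP8FuTD0nk+wZuR1bTVOmLYxAc59cPu
            gHa6dRECgYEA1mdWmqW3RxnevPY0UQ7M36SmmLpzyyuH//alXQ0VMKzRfOsw1Yvu
            tKfguqzyf9Sl/bQQPoadtrRRz2cN2mtZTyUAfnI+umQraXDgo6Garwp/p3NzQbcb
            CFHB/1gKwW9XJxdQsDdFsJDL5eav/augwjKwNtRrSgtlH1OZR6Eo6SMCgYEA+O86
            psduumOB4FNj8KUblsRtu9EeRZVGLnBS5j5ZSvE2ZbD2fF+NrBqmlGiElUQztUua
            XXSovHROiiQpZO7pXXTL2yWXY3/ONS7Ad7fN+klVna9rtcH6TyZn7cdBNaaA99ke
            WP5TpNBzGRG8kfbGFhotBJR0X6WxvotiWoNMXC8CgYAWdx+A9so8ff5zyEx1Ddrz
            uBnouOi3KimG7X4oQN2uiv0sXKxyQ8ZQUaLfjI2gTVTTP5HQK2TNJxnHZKHz9/mU
            rGjf1vKxrxtJYhV3r9A4dR4pGpTCFwCTH5X3Pm9qE1OLegrvW+tGc/WZclGQf/JJ
            Ruxl4l4XlRgUbzsJYV6bBwKBgQCILP4tvA1jowmqOJQEUZ3dBQluZAAmWnlw7/s5
            fsQEDh4O1RaRhQgQLOgRaXeV3CBZPcls9GNV7F4Gja+jSlqYyEq4UEEXqhOY3kFl
            fEQOdc2DHDJU1I9kewMBfS279qC4dKp4TnBdSbac8Snxw0grURhtV/StWgv4y3D7
            SLYd+wKBgHXJhL3lu4mFkg1ZXdDnlnGwsN26uIVLO38kgFx4VUVzXMkyNEenj4qi
            Ah7Lqh7I0kYcbeU03N+YPCGhRw7J5VCfH2PfpaG/OYBrD5EDqUhXEcqKHF58DKuL
            CZWqwhnlyPETPr01Cw+Ew7CHLtWQDsRmP7fOf0jBEGPnT0D/4mLJ
            -----END RSA PRIVATE KEY-----
        - kid: VlpwvY6SAD
          key: |
            -----BEGIN EC PRIVATE KEY-----
            MHcCAQEEIIZmVwBwGDR+9/tqIcbjt6rTQ/8Bw78N7vkCoh8bsvC7oAoGCCqGSM49
            AwEHoUQDQgAE6Cg0wMq2xaXRUQJd5JsDycuJzDsUq/2n+XLnyjEr3eUIxVzSYv+a
            BN7y0dHUINthfc0TaTeS5RhXe8GcM2Albw==
            -----END EC PRIVATE KEY-----
        - kid: W3O3m4ayPx
          key: |
            -----BEGIN EC PRIVATE KEY-----
            MIGkAgEBBDBbjf34M6QuUQ8+u7VouyRXeW4oJn+FjPx8obOYW/8FbJIZkNCgxnKN
            wdR+LMulXjKgBwYFK4EEACKhZANiAASKeEoUVrElar/cN2iuUg/8Qf0KgoUnRBWI
            Jx1doGFjAzb+HUr5KkPNaGQcbeIPqYPIOSYY27PgPBexBtb/NLjhFaK8w6qUVDOK
            CU2Mb8op7dH+4cfe7l0ZBGy+lhY0jOQ=
            -----END EC PRIVATE KEY-----
        - kid: 3Rhruz5OEl
          key: |
            -----BEGIN EC PRIVATE KEY-----
            MHQCAQEEIN8MzvjgVLEWxi32tKjgY9/bMUYpqdnQ4A6iO6o2ufTnoAcGBSuBBAAK
            oUQDQgAEWvxNlx7qxzIyMIyGsltEuXAnnJ4NoYyUQoZzGaAgOAqeuRMg+qvb3tHC
            aW9EU5Vc7RkqugaLUF2K2jcFMbxGPw==
            -----END EC PRIVATE KEY-----
    passwords:
      enabled: true
      schemes:
        - version: 1
          algorithm: argon2id
      minimum_complexity: 3
    matrix:
      homeserver: matrix.dezendorf.net
      # Must equal `admin_token` in the Synapse msc3861 config.
      secret: yvuN4UMz6ZHWWp4WVNxWbBneWSlNLwYy
      # Synapse runs in the same pod on port 8008, so admin calls (which
      # carry the secret above) stay on the pod loopback instead of going
      # out through Traefik (previously https://matrix.dezendorf.net).
      endpoint: http://127.0.0.1:8008
    clients:
      # The Synapse homeserver as an OAuth client of MAS; values must match
      # the msc3861 block in homeserver.yaml.
      - client_id: 01JNKPPJSBJR4X9DCM2F631H2E
        client_auth_method: client_secret_basic
        # NOTE(review): reused as the Google client_secret below — issue a
        # distinct value for this pair.
        client_secret: "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"
    upstream_oauth2:
      providers:
        # NOTE(review): the provider id is the same ULID as the client_id
        # above; they live in different tables, but a distinct id avoids
        # confusion when reading logs and the database.
        - id: 01JNKPPJSBJR4X9DCM2F631H2E
          human_name: Google
          brand_name: "google"
          issuer: "https://accounts.google.com"
          client_id: "743600892864-giudqeu3spf1h8mp7cblv13ticm1v1pq.apps.googleusercontent.com"
          client_secret: "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"
          token_endpoint_auth_method: client_secret_post
          scope: "openid profile email"
          claims_imports:
            # Users choose their own localpart; Google's identity is not
            # forced into it.
            localpart:
              action: ignore
            displayname:
              action: suggest
              template: "{{ user.name }}"
            # `suggest` lets the user edit the address, so this is not a
            # verified binding to the Google account — confirm that is wanted.
            email:
              action: suggest
              template: "{{ user.email }}"
            account_name:
              template: "{{ user.email }}"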