monorepo/dezendorf/homelab/k3s/matrix/matrix.yaml

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: matrix
  labels:
    app: matrix
spec:
  replicas: 1
  selector:
    matchLabels:
      app: matrix
  template:
    metadata:
      labels:
        app: matrix
    spec:
      dnsPolicy: ClusterFirst
      dnsConfig:
        nameservers:
          - 8.8.8.8
      containers:
      - name: matrix
        image: ghcr.io/element-hq/synapse
          #command: ["/bin/bash", "-c", "--"]
          #args: ["while true; do sleep 3; done;"] 
        env:
        - name: SYNAPSE_SERVER_NAME
          value: "matrix.dezendorf.net"
        - name: SYNAPSE_CONFIG_PATH
          value: "/data/homeserver.yaml"
        ports:
        - name: web
          containerPort: 8008
        volumeMounts:
          - name: "matrix-homeserver-yaml"
            mountPath: "/data/homeserver.yaml"
            subPath: "homeserver-yaml"
            readOnly: no
          - name: "matrix-homeserver-yaml"
            mountPath: "/homeserver.log"
            subPath: "homeserver-log"
            readOnly: no
          - name: "matrix-homeserver-yaml"
            mountPath: "/data/matrix.dezendorf.net.log.config"
            subPath: "homeserver-log-config"
            readOnly: no
          - name: "matrix-homeserver-yaml"
            mountPath: "/data/matrix.dezendorf.net.signing.key"
            readOnly: no
            subPath: "matrix-dezendorf-net-signing-key"
          - name: "matrix-data-volume"
            mountPath: "/data"
            readOnly: no
          - name: "matrix-media-volume"
            mountPath: "/data/media_store"
      - name: matrix-id-service
        image: ghcr.io/element-hq/matrix-authentication-service:latest
        volumeMounts:
          - name: "matrix-auth-volume"
            mountPath: "/data"
            readOnly: no
          - name: "matrix-auth-files"
            mountPath: "/config.yaml"
            subPath: "config-yaml"
            readOnly: no

      volumes:
        - name: "matrix-media-volume"
          persistentVolumeClaim:
            claimName: "matrix-media-pvc"
        - name: "matrix-data-volume"
          persistentVolumeClaim:
            claimName: "matrix-data-pvc"
        - name: "matrix-auth-volume"
          persistentVolumeClaim:
            claimName: "matrix-auth-pvc"
        - name: "matrix-auth-files"
          configMap:
            defaultMode: 0777
            name: "matrix-auth-files"
        - name: "matrix-homeserver-yaml"
          configMap:
            defaultMode: 0777
            name: "matrix-homeserver-yaml"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: matrix-data-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 50G
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: matrix-media-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: nfs
  resources:
    requests:
      storage: 100G
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: matrix-auth-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 50G

---
apiVersion: v1
kind: Service
metadata:
  name: matrix
spec:
  type: ClusterIP
  ports:
    - name: web
      port: 8008
  selector:
    app: matrix

---
apiVersion: v1
kind: Service
metadata:
  name: matrix-auth
spec:
  type: ClusterIP
  ports:
    - name: web
      port: 8080
  selector:
    app: matrix

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: matrix-ingress-route
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: ((Host(`matrix`)||Host(`matrix.dezendorf.net`)))
    kind: Rule
    priority: 1
    services:
    - name: matrix
      port: 8008
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: matrix-websecure-route
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: (Host(`matrix.dezendorf.net`) && PathPrefix(`/_matrix/client/{id:.*}/{method:(login|logout|refresh)}`))
    kind: Rule
    services:
    - name: matrix-auth
      port: 8080

  - match: Host(`matrix.dezendorf.net`)
    kind: Rule
    services:
    - name: matrix
      port: 8008
  tls:
    certResolver: myresolver
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: matrix-auth-ingress-route
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: ((Host(`matrix-auth`)||Host(`matrix-auth.dezendorf.net`)))
    kind: Rule
    priority: 1
    services:
    - name: matrix-auth
      port: 8080
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: matrix-auth-websecure-route
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`matrix-auth.dezendorf.net`)
    kind: Rule
    services:
    - name: matrix-auth
      port: 8080
  tls:
    certResolver: myresolver

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: matrix-homeserver-yaml
  namespace: default
data:
  homeserver-log: |

  matrix-dezendorf-net-signing-key: |
    ed25519 a_xHsH bCSbSZVaDAz5pgKweKO3nIgXK8PL5rOhfbWbwkh63kg

  homeserver-yaml: |
    # Configuration file for Synapse.
    #
    # This is a YAML file: see [1] for a quick introduction. Note in particular
    # that *indentation is important*: all the elements of a list or dictionary
    # should have the same indentation.
    #
    # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
    #
    # For more information on how to configure Synapse, including a complete accounting of
    # each option, go to docs/usage/configuration/config_documentation.md or
    # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
    server_name: "matrix.dezendorf.net"
    pid_file: /data/homeserver.pid
    listeners:
      - port: 8008
        tls: false
        type: http
        x_forwarded: true
          #bind_addresses: ['::1', '127.0.0.1']
        resources:
          - names: [client, federation]
            compress: false
    database:
      name: psycopg2
      args:
        user: synapse_user
        password: "Bee1701Charming1!"
        dbname: synapse
        host: postgres-mas
        cp_min: 5
        cp_max: 10
    log_config: "/data/matrix.dezendorf.net.log.config"
    media_store_path: /data/media_store
    registration_shared_secret: "9.^i#+7YXwrC^bzKMqkenOZb;9ra6jV0zgZMvO:EBQ.CipL47k"
    report_stats: false
    macaroon_secret_key: ".ughvXa0Or.Xv7o5y550cXnTlv.J8*Mq@JAA^1QXuu2bpR@Lpd"
    form_secret: "iESBV0d@Tg;4~:v5KT3-UX.Kva@.cbJZ9SNU:nWKubPo:X^*Y-"
    signing_key_path: "/data/matrix.dezendorf.net.signing.key"
    enable_registration: false
    enable_registration_captcha: false
    public_baseurl: "https://matrix.dezendorf.net"
    recaptcha_public_key: "6LddQ7EqAAAAACWLD1ZKUBKrLHoFvGWhFiNmrgPh"
    recaptcha_private_key: "6LddQ7EqAAAAAOX7Qrn2PL-s2r5Zo4c_aTi4uzkh"
    trusted_key_servers:
      - server_name: "matrix.org"
    #oidc_providers:
    #      - idp_id: google
    #    idp_name: Google
    #    idp_brand: "google"  # optional: styling hint for clients
    #    issuer: "https://accounts.google.com/"
    #    client_id: "743600892864-394ileehj9l1vfvvip3l3meqb0it6g50.apps.googleusercontent.com"
    #    client_secret: "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"
    #    scopes: ["openid", "profile", "email"] # email is optional, read below
    #    user_mapping_provider:
    #      config:
    #        localpart_template: "{{ user.given_name|lower }}"
    #        display_name_template: "{{ user.name }}"
    #        email_template: "{{ user.email }}" # needs "email" in scopes above
    experimental_features:
      msc4108_enabled: true
      msc3861:
        enabled: true

        # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
        issuer: https://matrix-auth.dezendorf.net

        # Matches the `client_id` in the auth service config
        client_id: 01JNKPPJSBJR4X9DCM2F631H2E
        # Matches the `client_auth_method` in the auth service config
        client_auth_method: client_secret_basic
        # Matches the `client_secret` in the auth service config
        client_secret: "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"

        # Matches the `matrix.secret` in the auth service config
        admin_token: "yvuN4UMz6ZHWWp4WVNxWbBneWSlNLwYy"
        introspection_endpoint: "https://matrix-auth.dezendorf.net/oauth2/introspect"

  homeserver-log-config: |
    version: 1

    formatters:
      precise:
        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
    
    handlers:
      console:
        class: logging.StreamHandler
        formatter: precise

    loggers:
      # This is just here so we can leave `loggers` in the config regardless of whether
      # we configure other loggers below (avoid empty yaml dict error).
      _placeholder:
        level: "INFO"
        handlers: [console]
    
      synapse.storage.SQL:
        # beware: increasing this to DEBUG will make synapse log sensitive
        # information such as access tokens.
        level: INFO
        handlers: [console]

    root:
      level: INFO
      handlers: [console]
    disable_existing_loggers: false
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: matrix-auth-files
  namespace: default
data:
  config-yaml: |
    http:
      listeners:
      - name: web
        resources:
        - name: discovery
        - name: human
        - name: oauth
        - name: compat
        - name: graphql
        - name: assets
        binds:
        - address: '0.0.0.0:8080'
        proxy_protocol: false
      - name: internal
        resources:
        - name: health
        binds:
        - host: localhost
          port: 8081
        proxy_protocol: false
      trusted_proxies:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/10
      - 127.0.0.1/8
      - fd00::/8
      - ::1/128
      public_base: https://matrix-auth.dezendorf.net
      issuer: https://matrix-auth.dezendorf.net
    database:
      host: postgres-mas
      port: 5432
      username: mas_user
      password: "Bee1701Charming1!"
      database: mas
      max_connections: 10
      min_connections: 0
      connect_timeout: 30
      idle_timeout: 600
      max_lifetime: 1800
    email:
      from: '"Authentication Service" <breandan@dezendorf.com>'
      reply_to: '"Authentication Service" <breandan@dezendorf.com>'
      transport: blackhole
    secrets:
      encryption: 3c181674eb46ae497285dae790f6db7a4c2e8844b00d8ae643fd135c85032d63
      keys:
      - kid: Lg9L19ltKs
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          MIIEowIBAAKCAQEA0Hx3fsKShaNEz3JLmeGMoHPK46lOJMUqtAi/4c0I4+Dl/sy+
          M0B8+6qUD9R5+KR0Lheohfq0o1HnWtwRv3drh7hkGl1CSfV28qOen9USEzAckxwq
          Yak/hMzeQLXnmlKNKjtolBBdGoQC6DfC8wqrvoJ8Qfopy4oPC5096GYaQrPgfji6
          2JARDMoclstK/0ms4VH8E44RkTl+aMu8SFkaPIpKYZZ+tqifYjNQfa43BB02QZVm
          Khz6eS/w0f/wOjybP+EBajvsYgfQDSHhNVAS5TkrfJlUnfxF1jEGxsoHc6E0pevW
          Fc+EAll2ZHr9MDYLIze8hQLZcGXVzQXRaa9hbQIDAQABAoIBAGsuUdBc/y6szQdI
          3wzxI3apkLiRpZbJtjZv+RWAbv2X9SWU5IM8uAQ5oXyx4zKseP3pM74NMSh1Rtcz
          I/ymzCUt6miTYSzcgJYk/7tzsqMirM4EQNWMSRdgqzHhUnvHzMLVX+Iet36WN1hi
          slp4Neru8iqJDUuSYkG6SMVdGEsJeEBGnOlX0UANIGDzx+d0xqfyKlqCd3iucqc9
          rIl5pKogqHCbww+AY4F60A5fqZRlVOliZybFKzODXmYJbsT2nHXNUKmdpRaw/UAq
          X4253k/cZ+PhJ1l9TzYPuGSfLpLIedyfmEP8FuTD0nk+wZuR1bTVOmLYxAc59cPu
          gHa6dRECgYEA1mdWmqW3RxnevPY0UQ7M36SmmLpzyyuH//alXQ0VMKzRfOsw1Yvu
          tKfguqzyf9Sl/bQQPoadtrRRz2cN2mtZTyUAfnI+umQraXDgo6Garwp/p3NzQbcb
          CFHB/1gKwW9XJxdQsDdFsJDL5eav/augwjKwNtRrSgtlH1OZR6Eo6SMCgYEA+O86
          psduumOB4FNj8KUblsRtu9EeRZVGLnBS5j5ZSvE2ZbD2fF+NrBqmlGiElUQztUua
          XXSovHROiiQpZO7pXXTL2yWXY3/ONS7Ad7fN+klVna9rtcH6TyZn7cdBNaaA99ke
          WP5TpNBzGRG8kfbGFhotBJR0X6WxvotiWoNMXC8CgYAWdx+A9so8ff5zyEx1Ddrz
          uBnouOi3KimG7X4oQN2uiv0sXKxyQ8ZQUaLfjI2gTVTTP5HQK2TNJxnHZKHz9/mU
          rGjf1vKxrxtJYhV3r9A4dR4pGpTCFwCTH5X3Pm9qE1OLegrvW+tGc/WZclGQf/JJ
          Ruxl4l4XlRgUbzsJYV6bBwKBgQCILP4tvA1jowmqOJQEUZ3dBQluZAAmWnlw7/s5
          fsQEDh4O1RaRhQgQLOgRaXeV3CBZPcls9GNV7F4Gja+jSlqYyEq4UEEXqhOY3kFl
          fEQOdc2DHDJU1I9kewMBfS279qC4dKp4TnBdSbac8Snxw0grURhtV/StWgv4y3D7
          SLYd+wKBgHXJhL3lu4mFkg1ZXdDnlnGwsN26uIVLO38kgFx4VUVzXMkyNEenj4qi
          Ah7Lqh7I0kYcbeU03N+YPCGhRw7J5VCfH2PfpaG/OYBrD5EDqUhXEcqKHF58DKuL
          CZWqwhnlyPETPr01Cw+Ew7CHLtWQDsRmP7fOf0jBEGPnT0D/4mLJ
          -----END RSA PRIVATE KEY-----
      - kid: VlpwvY6SAD
        key: |
          -----BEGIN EC PRIVATE KEY-----
          MHcCAQEEIIZmVwBwGDR+9/tqIcbjt6rTQ/8Bw78N7vkCoh8bsvC7oAoGCCqGSM49
          AwEHoUQDQgAE6Cg0wMq2xaXRUQJd5JsDycuJzDsUq/2n+XLnyjEr3eUIxVzSYv+a
          BN7y0dHUINthfc0TaTeS5RhXe8GcM2Albw==
          -----END EC PRIVATE KEY-----
      - kid: W3O3m4ayPx
        key: |
          -----BEGIN EC PRIVATE KEY-----
          MIGkAgEBBDBbjf34M6QuUQ8+u7VouyRXeW4oJn+FjPx8obOYW/8FbJIZkNCgxnKN
          wdR+LMulXjKgBwYFK4EEACKhZANiAASKeEoUVrElar/cN2iuUg/8Qf0KgoUnRBWI
          Jx1doGFjAzb+HUr5KkPNaGQcbeIPqYPIOSYY27PgPBexBtb/NLjhFaK8w6qUVDOK
          CU2Mb8op7dH+4cfe7l0ZBGy+lhY0jOQ=
          -----END EC PRIVATE KEY-----
      - kid: 3Rhruz5OEl
        key: |
          -----BEGIN EC PRIVATE KEY-----
          MHQCAQEEIN8MzvjgVLEWxi32tKjgY9/bMUYpqdnQ4A6iO6o2ufTnoAcGBSuBBAAK
          oUQDQgAEWvxNlx7qxzIyMIyGsltEuXAnnJ4NoYyUQoZzGaAgOAqeuRMg+qvb3tHC
          aW9EU5Vc7RkqugaLUF2K2jcFMbxGPw==
          -----END EC PRIVATE KEY-----
    passwords:
      enabled: true
      schemes:
      - version: 1
        algorithm: argon2id
      minimum_complexity: 3
    matrix:
      homeserver: matrix.dezendorf.net
      secret: yvuN4UMz6ZHWWp4WVNxWbBneWSlNLwYy
      endpoint: https://matrix.dezendorf.net
    clients:
      - client_id: 01JNKPPJSBJR4X9DCM2F631H2E
        client_auth_method: client_secret_basic
        client_secret: "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"
    upstream_oauth2:
      providers:
      - id: 01JNKPPJSBJR4X9DCM2F631H2E
        human_name: Google
        brand_name: "google"
        issuer: "https://accounts.google.com"
        client_id: "743600892864-giudqeu3spf1h8mp7cblv13ticm1v1pq.apps.googleusercontent.com"
        client_secret: "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"
        token_endpoint_auth_method: client_secret_post
        scope: "openid profile email"
        claims_imports:
          localpart:
            action: ignore
          displayname:
            action: suggest
            template: "{{ user.name }}"
          email:
            action: suggest
            template: "{{ user.email }}"
          account_name:
            template: "{{ user.email }}"