app/matrix: parametrize configuration
This adds cfg.cas.enable, and parametrizes homeserver.yaml from jsonnet
configuration.
Change-Id: I37a9b27a7080248cdd70282b897bbf6d3f9ae5f6
diff --git a/app/matrix/lib/matrix.libsonnet b/app/matrix/lib/matrix.libsonnet
index 300cf31..ed033bb 100644
--- a/app/matrix/lib/matrix.libsonnet
+++ b/app/matrix/lib/matrix.libsonnet
@@ -31,12 +31,19 @@
serverName: error "cfg.serverName must be set",
storageClassName: "waw-hdd-redundant-3",
- synapseImage: "matrixdotorg/synapse:v1.19.2",
- riotImage: "vectorim/riot-web:v1.7.7",
- casProxyImage: "registry.k0.hswaw.net/q3k/oauth2-cas-proxy:0.1.4",
- appserviceIRCImage: "matrixdotorg/matrix-appservice-irc:release-0.17.1",
- # That's v0.8.2 - we just don't trust that host to not re-tag images.
- appserviceTelegramImage: "dock.mau.dev/tulir/mautrix-telegram@sha256:9e68eaa80c9e4a75d9a09ec92dc4898b12d48390e01efa4de40ce882a6f7e330"
+ images: {
+ synapse: "matrixdotorg/synapse:v1.19.2",
+ riot: "vectorim/riot-web:v1.7.7",
+ casProxy: "registry.k0.hswaw.net/q3k/oauth2-cas-proxy:0.1.4",
+ appserviceIRC: "matrixdotorg/matrix-appservice-irc:release-0.17.1",
+ # That's v0.8.2 - we just don't trust that host to not re-tag images.
+ appserviceTelegram: "dock.mau.dev/tulir/mautrix-telegram@sha256:9e68eaa80c9e4a75d9a09ec92dc4898b12d48390e01efa4de40ce882a6f7e330",
+ },
+
+ cas: {
+ # whether to enable the CAS proxy (ie. connect to hswaw sso via OAuth)
+ enable: false,
+ },
},
metadata(component):: {
@@ -76,15 +83,35 @@
},
},
+ // homeserver.yaml that will be used to run synapse (in synapseConfig ConfigMap).
+ // This is based off of //app/matrix/lib/synapse/homeserver.yaml with some fields overriden per
+ // deployment.
+ // Note this is a templated yaml - {{}}/{%%} style. This templatization is consumed by the Docker
+ // container startup magic.
+ homeserverYaml:: (std.native("parseYaml"))(importstr "synapse/homeserver.yaml")[0] {
+ server_name: cfg.serverName,
+ public_baseurl: "https://%s" % [cfg.webDomain],
+ signing_key_path: "/data/%s.signing.key" % [cfg.serverName],
+ cas_config+: if cfg.cas.enable then {
+ enabled: true,
+ server_url: "https://%s/_cas" % [cfg.webDomain],
+ service_url: "https://%s" % [cfg.webDomain],
+ } else {},
+ app_service_config_files: [
+ "/data/appservices/%s.yaml" % [k]
+ for k in std.objectFields(app.appservices)
+ ],
+ },
+
synapseConfig: kube.ConfigMap("synapse") {
metadata+: app.metadata("synapse"),
data: {
- "homeserver.yaml": importstr "synapse/homeserver.yaml",
+ "homeserver.yaml": std.manifestYamlDoc(app.homeserverYaml),
"log.config": importstr "synapse/log.config",
},
},
- casDeployment: kube.Deployment("oauth2-cas-proxy") {
+ casDeployment: if cfg.cas.enable then kube.Deployment("oauth2-cas-proxy") {
metadata+: app.metadata("oauth2-cas-proxy"),
spec+: {
replicas: 1,
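Review bot: The comment on the new homeserverYaml field (the line saying `{{}}/{%%} style`) overstates what the template can hold: the file is now read through `std.native("parseYaml")` and re-emitted with `std.manifestYamlDoc`, so it must be valid plain YAML and only `{{ VAR }}` expressions inside quoted scalars survive the round trip — the `{% if SYNAPSE_APPSERVICES %}` block this commit deletes from homeserver.yaml is exactly what would no longer parse. I would reword it to `// Note: the file must parse as plain YAML (parseYaml -> manifestYamlDoc); only {{ VAR }} expressions inside quoted scalars survive for the container startup to expand, {% %} blocks cannot be used here.` and fix `overriden` to `overridden` on the line above it. It is worth confirming that the startup expansion still runs on the manifestYamlDoc output, because the retained `macaroon_secret_key: "{{ SYNAPSE_MACAROON_SECRET_KEY }}"` line would otherwise be used as a literal, predictable secret. Separately, `casDeployment: if cfg.cas.enable then ...` (and `casSvc` in the hunk ending at `target_pod::`) has no `else`, so with CAS disabled the field evaluates to `null`; whether the manifest renderer drops null members is not visible here, so an explicit `else null` with a short comment would document that reliance. The enclosing app object starts and ends outside this hunk.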
@@ -92,7 +119,7 @@
spec+: {
containers_: {
proxy: kube.Container("oauth2-cas-proxy") {
- image: cfg.casProxyImage,
+ image: cfg.images.casProxy,
ports_: {
http: { containerPort: 5000 },
},
@@ -109,7 +136,7 @@
},
},
- casSvc: kube.Service("oauth2-cas-proxy") {
+ casSvc: if cfg.cas.enable then kube.Service("oauth2-cas-proxy") {
metadata+: app.metadata("oauth2-cas-proxy"),
target_pod:: app.casDeployment.spec.template,
},
@@ -129,7 +156,7 @@
},
containers_: {
web: kube.Container("synapse") {
- image: cfg.synapseImage,
+ image: cfg.images.synapse,
command: ["/bin/sh", "-c", "/start.py migrate_config && exec /start.py"],
ports_: {
http: { containerPort: 8008 },
@@ -216,7 +243,7 @@
},
containers_: {
web: kube.Container("riot-web") {
- image: cfg.riotImage,
+ image: cfg.images.riot,
ports_: {
http: { containerPort: 80 },
},
@@ -268,8 +295,9 @@
paths: [
{ path: "/", backend: app.riotSvc.name_port },
{ path: "/_matrix", backend: app.synapseSvc.name_port },
+ ] + (if cfg.cas.enable then [
{ path: "/_cas", backend: app.casSvc.name_port },
- ]
+ ] else [])
},
}
],
diff --git a/app/matrix/lib/synapse/homeserver.yaml b/app/matrix/lib/synapse/homeserver.yaml
index 6152807..2c39c23 100644
--- a/app/matrix/lib/synapse/homeserver.yaml
+++ b/app/matrix/lib/synapse/homeserver.yaml
@@ -2,8 +2,8 @@
## Server ##
-server_name: "hackerspace.pl"
-public_baseurl: "https://matrix.hackerspace.pl"
+server_name: "example.com"
+public_baseurl: "https://example.com"
pid_file: /homeserver.pid
web_client: False
soft_file_limit: 0
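Review bot: The placeholder `server_name: "example.com"` and `public_baseurl: "https://example.com"` values added here are always overwritten by `homeserverYaml` in matrix.libsonnet (which also overrides signing_key_path, cas_config and app_service_config_files), but nothing in this file says so, so someone editing the YAML directly would expect their change to take effect. A one-line comment above `## Server ##` would close that gap: `# NOTE: server_name, public_baseurl, signing_key_path, cas_config and app_service_config_files are overridden from jsonnet (homeserverYaml in lib/matrix.libsonnet); set them there.` The file also has to stay parseable as plain YAML now that it is loaded with parseYaml, which the same comment could mention.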
@@ -117,15 +117,6 @@
- "m.room.avatar"
- "m.room.name"
-
-{% if SYNAPSE_APPSERVICES %}
-app_service_config_files:
-{% for appservice in SYNAPSE_APPSERVICES %} - "{{ appservice }}"
-{% endfor %}
-{% else %}
-app_service_config_files: []
-{% endif %}
-
macaroon_secret_key: "{{ SYNAPSE_MACAROON_SECRET_KEY }}"
expire_access_token: False
@@ -147,6 +138,4 @@
enabled: false
cas_config:
- enabled: true
- server_url: "https://matrix.hackerspace.pl/_cas"
- service_url: "https://matrix.hackerspace.pl"
+ enabled: false
diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index bbfa27c..e882636 100644
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -9,12 +9,15 @@
namespace: "matrix",
webDomain: "matrix.hackerspace.pl",
serverName: "hackerspace.pl",
+ cas: {
+ enable: true,
+ },
},
appservices: {
"irc-freenode": irc.AppServiceIrc("freenode") {
cfg+: {
- image: cfg.appserviceIRCImage,
+ image: cfg.images.appserviceIRC,
// TODO(q3k): move this appservice to waw-hdd-redundant-3
storageClassName: "waw-hdd-paranoid-2",
metadata: app.metadata("appservice-irc-freenode"),
@@ -41,7 +44,7 @@
},
"telegram-prod": telegram.AppServiceTelegram("prod") {
cfg+: {
- image: cfg.appserviceTelegramImage,
+ image: cfg.images.appserviceTelegram,
storageClassName: cfg.storageClassName,
metadata: app.metadata("appservice-telegram-prod"),