local matrix = import "lib/matrix-ng.libsonnet";
local irc = import "lib/appservice-irc.libsonnet";
local telegram = import "lib/appservice-telegram.libsonnet";
// Production Matrix deployment for hackerspace.pl: Synapse with login through the
// hackerspace SSO (OIDC/OAuth2), matrix-media-repo backed by Ceph S3, and the
// IRC and Telegram bridges.
//
// Secret material is read from secrets/plain/* at evaluation time. Everything
// imported that way is inlined verbatim into the evaluated output, so the
// rendered manifests must be handled as sensitive.
matrix {
  local app = self,
  local cfg = app.cfg,

  // First line of a secret file (drops the trailing newline). `importstr` only
  // accepts a string literal, so callers pass the already-imported text.
  local firstLine(text) = std.split(text, "\n")[0],

  cfg+:: {
    namespace: "matrix",
    webDomain: "matrix.hackerspace.pl",
    serverName: "hackerspace.pl",

    oidc+: {
      enable: true,
      config+: {
        // An SSO login may attach to a pre-existing local account with the same
        // localpart. That is only safe while sso.hackerspace.pl is the single
        // authoritative source of these usernames: a colliding SSO username would
        // otherwise hand over an existing Matrix account. Worth revisiting once
        // the password-to-SSO migration is complete.
        allow_existing_users: true,
        issuer: "https://sso.hackerspace.pl",
        client_id: "matrix",
        // Taken from a Kubernetes Secret rather than inlined from secrets/plain,
        // unlike the bridge credentials further down.
        client_secret: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
        // No "openid" scope is requested, so there is no id_token to read claims
        // from; user attributes are fetched from the userinfo endpoint instead.
        // If the scope list ever changes, re-check this pairing.
        user_profile_method: "userinfo_endpoint",
        userinfo_endpoint: "https://sso.hackerspace.pl/api/1/userinfo",
        // The client secret travels in the token-request body (TLS to the issuer
        // above); the default would put it in an HTTP Basic header.
        client_auth_method: "client_secret_post",
        scopes: ["profile:read"],
      },
    },

    mediaRepo+: {
      enable: true,
      route: true,
      s3+: {
        // Ceph RGW credentials. The recorded endpoint carries an http:// scheme
        // that is stripped here, so the datastore is presumably reached in the
        // clear on the cluster-internal network — confirm that (or that the lib
        // enables TLS towards the datastore) before moving the bucket anywhere
        // that crosses an untrusted network.
        local ceph = import "secrets/plain/media-repo-matrix-ceph.json",
        endpoint: std.strReplace(ceph.Endpoint, "http://", ""),
        accessKey: ceph.AccessKey,
        secretKey: ceph.SecretKey,
        bucketName: "media-repo-matrix",
        region: "eu",
      },
      db+: {
        // Single-token secret; every newline is removed so a stray trailing blank
        // line in the file cannot become part of the password.
        password: std.strReplace(importstr "secrets/plain/media-repo-matrix-postgres", "\n", ""),
      },
    },
  },

  riot+: {
    config+: {
      // Lets users flip experimental ("labs") features in the web client.
      showLabsSettings: true,
    },
  },

  synapse+: {
    cfg+: {
      // Appservice traffic gets its own worker; federation stays on the main
      // process.
      appserviceWorker: true,
      federationWorker: false,
    },
    config+: {
      // Remote servers whose federation latency Synapse exports as metrics.
      federation_metrics_domains: ["matrix.org", "evolved.systems", "narupo.pl", "staging-matrix.inf.re"],
    },
    genericWorker+: {
      deployment+: {
        spec+: {
          replicas: 4,
        },
      },
    },
    // Media is served by matrix-media-repo (cfg.mediaRepo above), so the Synapse
    // media worker is scaled to zero instead of removed from the lib.
    mediaWorker+: {
      deployment+: {
        spec+: {
          replicas: 0,
        },
      },
    },
  },

  // Bump up storage to 200Gi from default 100Gi, use different name. The
  // new name corresponds to a manually migrated and sized-up PVC that
  // contains data from the original waw3-postgres PVC.
  postgres3+: {
    volumeClaim+: {
      metadata+: {
        name: "waw3-postgres-2",
      },
      spec+: {
        resources+: {
          requests+: {
            storage: "200Gi",
          },
        },
      },
    },
  },

  appservices: {
    "irc-freenode": irc.AppServiceIrc("freenode") {
      cfg+: {
        image: cfg.images.appserviceIRC,
        storageClassName: "waw-hdd-redundant-3",
        metadata: app.metadata("appservice-irc-freenode"),
        // TODO(q3k): add labels to blessed nodes
        nodeSelector: {
          "kubernetes.io/hostname": "bc01n02.hswaw.net",
        },
        bootstrapJob: false,
        config+: {
          homeserver+: {
            // The bridge talks to the homeserver through its public name.
            url: "https://" + cfg.webDomain,
            domain: cfg.serverName,
          },
          ircService+: {
            // Plain `:` — this list replaces, not extends, any lib defaults.
            permissions: {
              "@q3k:hackerspace.pl": "admin",
              "@informatic:hackerspace.pl": "admin",
            },
            // Ident responder; listens on 1113 rather than the privileged 113,
            // presumably remapped by the Service/lib.
            ident: {
              enabled: true,
              port: 1113,
            },
            servers+: {
              local servers = self,
              "irc.freenode.net"+: {
                mappings+: {},
                ircClients+: {
                  maxClients: 150,
                },
              },
              // Built on top of the complete freenode block: everything not
              // overridden below is inherited, and `mappings+:` merges on top of
              // whatever mappings freenode already has — check that nothing
              // freenode-specific leaks into Libera that way.
              "irc.libera.chat": servers["irc.freenode.net"] {
                mappings+: import "secrets/plain/appservice-irc-libera-mappings.jsonnet",
                ircClients+: {
                  maxClients: 150,
                },
                name: "Libera Chat",
                networkId: "libera",
                dynamicChannels+: {
                  groupId: "+libera:hackerspace.pl",
                  aliasTemplate: "#libera_$CHANNEL",
                },
                matrixClients+: {
                  userTemplate: "@libera_$NICK",
                },
              },
            },
          },
        },
        passwordEncryptionKeySecret: "appservice-irc-password-encryption-key",
      },
    },

    "telegram-prod": telegram.AppServiceTelegram("prod") {
      cfg+: {
        image: cfg.images.appserviceTelegram,
        storageClassName: cfg.storageClassName,
        metadata: app.metadata("appservice-telegram-prod"),
        bootstrapJob: false,
        config+: {
          homeserver+: {
            address: "https://" + cfg.webDomain,
            domain: cfg.serverName,
          },
          appservice+: {
            id: "telegram",
          },
          // Telegram API credentials, one per file. These are inlined into the
          // evaluated config (see the note at the top of this file).
          telegram+: {
            api_id: firstLine(importstr "secrets/plain/appservice-telegram-prod-api-id"),
            api_hash: firstLine(importstr "secrets/plain/appservice-telegram-prod-api-hash"),
            bot_token: firstLine(importstr "secrets/plain/appservice-telegram-prod-token"),
          },
          bridge+: {
            // Every account on the homeserver may link its own Telegram account
            // ("puppeting"); bridge administration is limited to one user.
            permissions+: {
              "hackerspace.pl": "puppeting",
              "@q3k:hackerspace.pl": "admin",
            },
          },
        },
      },
    },
  },
}