# matrix.hackerspace.pl, a matrix/synapse instance
# This needs a secret provisioned, create with:
#    kubectl -n matrix create secret generic synapse --from-literal=postgres_password=$(pwgen 24 1)
#    kubectl -n matrix create secret generic oauth2-cas-proxy --from-literal=oauth2_secret=...
#    kubectl -n matrix create secret generic appservice-irc-freenode-registration --from-file=registration.yaml=<(kubectl logs -n matrix $(kubectl get pods -n matrix --selector=job-name=appservice-irc-freenode-bootstrap --output=jsonpath='{.items[*].metadata.name}') | tail -n +4 | sed -r 's/(.*aliases:.*)/      group_id: "+freenode:hackerspace.pl"\n\1/')
#
#    TODO: /appservices/*/registration.yaml needs to be copied into /data/appservices/*.yaml manually
#    kubectl exec -n matrix synapse-7b69cd5b6c-6686j -- sh -c 'mkdir /data/appservices ; cp /appservices/irc-freenode/registration.yaml /data/appservices/freenode-irc.yaml'

local kube = import "../../kube/kube.libsonnet";
local postgres = import "../../kube/postgres.libsonnet";

{
    local app = self,
    local cfg = app.cfg,
    cfg:: {
        namespace: "matrix",
        domain: "matrix.hackerspace.pl",
        serverName: "hackerspace.pl",
        storageClassName: "waw-hdd-paranoid-2",

        synapseImage: "matrixdotorg/synapse:v0.99.4",
        riotImage: "bubuntux/riot-web:v1.1.2",
        casProxyImage: "registry.k0.hswaw.net/informatic/oauth2-cas-proxy:0.1.4"
    },

    metadata(component):: {
        namespace: cfg.namespace,
        labels: {
            "app.kubernetes.io/name": "matrix",
            "app.kubernetes.io/managed-by": "kubecfg",
            "app.kubernetes.io/component": component,
        },
    },

    namespace: kube.Namespace(cfg.namespace),

    postgres: postgres {
        cfg+: {
            namespace: cfg.namespace,
            appName: "synapse",
            database: "synapse",
            username: "synapse",
            password: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
        },
    },

    dataVolume: kube.PersistentVolumeClaim("synapse-data") {
        metadata+: app.metadata("synapse-data"),
        spec+: {
            storageClassName: cfg.storageClassName,
            accessModes: [ "ReadWriteOnce" ],
            resources: {
                requests: {
                    storage: "50Gi",
                },
            },
        },
    },

    synapseConfig: kube.ConfigMap("synapse") {
        metadata+: app.metadata("synapse"),
        data: {
            "homeserver.yaml": importstr "homeserver.yaml.j2",
        },
    },

    casDeployment: kube.Deployment("oauth2-cas-proxy") {
        metadata+: app.metadata("oauth2-cas-proxy"),
        spec+: {
            replicas: 1,
            template+: {
                spec+: {
                    containers_: {
                        proxy: kube.Container("oauth2-cas-proxy") {
                            image: cfg.casProxyImage,
                            ports_: {
                                http: { containerPort: 5000 },
                            },
                            env_: {
                                BASE_URL: "https://matrix.hackerspace.pl",
                                SERVICE_URL: "https://matrix.hackerspace.pl",
                                OAUTH2_CLIENT: "matrix",
                                OAUTH2_SECRET: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
                            },
                        },
                    },
                },
            },
        },
    },

    casSvc: kube.Service("oauth2-cas-proxy") {
        metadata+: app.metadata("oauth2-cas-proxy"),
        target_pod:: app.casDeployment.spec.template,
    },

    synapseDeployment: kube.Deployment("synapse") {
        metadata+: app.metadata("synapse"),
        spec+: {
            replicas: 1,
            template+: {
                spec+: {
                    volumes_: {
                        data: kube.PersistentVolumeClaimVolume(app.dataVolume),
                        config: kube.ConfigMapVolume(app.synapseConfig),
                    } + {
                        [k]: { secret: { secretName: "appservice-%s-registration" % [k] } }
                        for k in std.objectFields(app.appservices)
                    },
                    containers_: {
                        web: kube.Container("synapse") {
                            image: cfg.synapseImage,
                            ports_: {
                                http: { containerPort: 8008 },
                            },
                            env_: {
                                SYNAPSE_SERVER_NAME: cfg.serverName,
                                SYNAPSE_REPORT_STATS: "no",
                                SYNAPSE_NO_TLS: "1",
                                SYNAPSE_ALLOW_GUEST: "yes",

                                POSTGRES_HOST: "postgres",
                                POSTGRES_USER: app.postgres.cfg.username,
                                POSTGRES_PORT: "5432",
                                POSTGRES_DB: app.postgres.cfg.database,
                                POSTGRES_PASSWORD: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
                            },
                            volumeMounts_: {
                                data: { mountPath: "/data" },
                                config: {
                                    mountPath: "/conf/homeserver.yaml",
                                    subPath: "homeserver.yaml",
                                },
                            } + {
                                [k]: { mountPath: "/appservices/%s" % [k] }
                                for k in std.objectFields(app.appservices)
                            },
                        },
                    },
                },
            },
        },
    },

    synapseSvc: kube.Service("synapse") {
        metadata+: app.metadata("synapse"),
        target_pod:: app.synapseDeployment.spec.template,
    },

    riotConfig: kube.ConfigMap("riot-web-config") {
        metadata+: app.metadata("riot-web-config"),
        data: {
            "config.json": std.manifestJsonEx({
                "default_hs_url": "https://%s" % [cfg.domain],
                "disable_custom_urls": false,
                "disable_guests": false,
                "disable_login_language_selector": false,
                "disable_3pid_login": true,
                "brand": "Riot",
                "integrations_ui_url": "https://scalar.vector.im/",
                "integrations_rest_url": "https://scalar.vector.im/api",
                "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",

                "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
                "features": {
                    "feature_groups": "labs",
                    "feature_pinning": "labs",
                    "feature_reactions": "labs"
                },
                "default_federate": true,
                "default_theme": "light",
                "roomDirectory": {
                    "servers": [
                        "hackerspace.pl"
                    ]
                },
                "welcomeUserId": "@riot-bot:matrix.org",
                "enable_presence_by_hs_url": {
                    "https://matrix.org": false
                }
            }, ""),
        },
    },

    riotDeployment: kube.Deployment("riot-web") {
        metadata+: app.metadata("riot-web"),
        spec+: {
            replicas: 1,
            template+: {
                spec+: {
                    volumes_: {
                        config: kube.ConfigMapVolume(app.riotConfig),
                    },
                    containers_: {
                        web: kube.Container("riot-web") {
                            image: cfg.riotImage,
                            ports_: {
                                http: { containerPort: 80 },
                            },
                            volumeMounts_: {
                                config: {
                                    mountPath: "/etc/riot-web/config.json",
                                    subPath: "config.json",
                                },
                            },
                        },
                    },
                },
            },
        },
    },

    riotSvc: kube.Service("riot-web") {
        metadata+: app.metadata("riot-web"),
        target_pod:: app.riotDeployment.spec.template,
    },

    appservices: {
        "irc-freenode": app.AppServiceIrc("freenode") {
            cfg+: {
                metadata: app.metadata("appservice-irc-freenode"),
                config+: {
                    homeserver+: {
                        url: "https://%s" % [cfg.domain],
                        domain: "%s" % [cfg.serverName],
                    },
                },
            },
        },
    },

    ingress: kube.Ingress("matrix") {
        metadata+: app.metadata("matrix") {
            annotations+: {
                "kubernetes.io/tls-acme": "true",
                "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                "nginx.ingress.kubernetes.io/proxy-body-size": "0",
            },
        },
        spec+: {
            tls: [
                {
                    hosts: [cfg.domain],
                    secretName: "synapse-tls",
                },
            ],
            rules: [
                {
                    host: cfg.domain,
                    http: {
                        paths: [
                            { path: "/", backend: app.riotSvc.name_port },
                            { path: "/_matrix", backend: app.synapseSvc.name_port },
                            { path: "/_cas", backend: app.casSvc.name_port },
                        ]
                    },
                }
            ],
        },
    },

    AppServiceIrc(name):: {
        local bridge = self,
        local cfg = bridge.cfg,
        cfg:: {
            image: "registry.k0.hswaw.net/informatic/matrix-appservice-irc:0.11.2",
            metadata: {},
            config: std.native("parseYaml")(importstr "appservice-irc.yaml")[0],
            storageClassName: "waw-hdd-paranoid-2",
        },

        config: kube.ConfigMap("appservice-irc-%s" % [name]) {
            metadata+: cfg.metadata,
            data: {
                "config.yaml": std.manifestJsonEx(cfg.config, ""),
            },
        },

        dataVolume: kube.PersistentVolumeClaim("appservice-irc-%s" % [name]) {
            metadata+: cfg.metadata,
            spec+: {
                storageClassName: cfg.storageClassName,
                accessModes: [ "ReadWriteOnce" ],
                resources: {
                    requests: {
                        storage: "10Gi",
                    },
                },
            },
        },

        bootstrapJob: kube.Job("appservice-irc-%s-bootstrap" % [name]) {
            metadata+: cfg.metadata {
                labels: {
                    "job-name": "appservice-irc-%s-bootstrap" % [name],
                },
            },
            spec+: {
                template+: {
                    spec+: {
                        volumes_: {
                            config: kube.ConfigMapVolume(bridge.config),
                        },
                        containers_: {
                            bootstrap: kube.Container("appservice-irc-%s-bootstrap" % [name]) {
                                image: cfg.image,
                                command: ["sh", "-c", "matrix-appservice-irc -r -u http://appservice-irc-%s:9999 -c /config/config.yaml -f /tmp/registration.yaml && cat /tmp/registration.yaml" % [name]],
                                volumeMounts_: {
                                    config: { mountPath: "/config" },
                                },
                            },
                        },
                    },
                },
            },
        },

        deployment: kube.Deployment("appservice-irc-%s" % [name]) {
            metadata+: cfg.metadata,
            spec+: {
                replicas: 1,
                template+: {
                    spec+: {
                        volumes_: {
                            config: kube.ConfigMapVolume(bridge.config),
                            data: kube.PersistentVolumeClaimVolume(bridge.dataVolume),
                            registration: { secret: { secretName: "appservice-irc-%s-registration" % [name] } },
                        },
                        containers_: {
                            appserviceIrc: kube.Container("appservice-irc-%s" % [name]) {
                                image: cfg.image,
                                command: ["matrix-appservice-irc", "-c", "/config/config.yaml", "-f", "/registration/registration.yaml", "-p", "9999"],
                                ports_: {
                                    http: { containerPort: 9999 },
                                },
                                volumeMounts_: {
                                    registration: { mountPath: "/registration", },
                                    config: { mountPath: "/config", },
                                    data: { mountPath: "/data" },
                                },
                            },
                        },
                    },
                },
            },
        },

        svc: kube.Service("appservice-irc-%s" % [name]) {
            metadata+: cfg.metadata,
            target_pod:: bridge.deployment.spec.template,
        },
    },
}