Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / aa0e7553890f7f39f90605cce1420b0dfa96db27 / . / app / matrix / prod.jsonnet
blob: cabcc812313fa099d589da8ec034008b0fdb7156 [file] [log] [blame]
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]1# matrix.hackerspace.pl, a matrix/synapse instance
2# This needs a secret provisioned, create with:
3# kubectl -n matrix create secret generic synapse --from-literal=postgres_password=$(pwgen 24 1)
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]4# kubectl -n matrix create secret generic oauth2-cas-proxy --from-literal=oauth2_secret=...
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]5# kubectl -n matrix create secret generic appservice-irc-freenode-registration --from-file=registration.yaml=<(kubectl logs -n matrix $(kubectl get pods -n matrix --selector=job-name=appservice-irc-freenode-bootstrap --output=jsonpath='{.items[*].metadata.name}') | tail -n +4)
Piotr Dobrowolskiaa0e7552019-05-17 12:55:48 +0200[diff] [blame^]6# TODO: /appservices/*/registration.yaml needs to be copied into /data/appservices/*.yaml manually
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]7
8local kube = import "../../kube/kube.libsonnet";
9local postgres = import "../../kube/postgres.libsonnet";
10
11{
12 local app = self,
13 local cfg = app.cfg,
14 cfg:: {
15 namespace: "matrix",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]16 domain: "matrix.hackerspace.pl",
17 serverName: "hackerspace.pl",
18 storageClassName: "waw-hdd-redundant-1",
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]19
20 synapseImage: "matrixdotorg/synapse:v0.99.4",
Piotr Dobrowolski9ab9f612019-05-17 09:53:13 +0200[diff] [blame]21 riotImage: "bubuntux/riot-web:v1.1.2",
Piotr Dobrowolskiaa0e7552019-05-17 12:55:48 +0200[diff] [blame^]22 casProxyImage: "registry.k0.hswaw.net/informatic/oauth2-cas-proxy:0.1.4"
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]23 },
24
25 metadata(component):: {
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]26 namespace: cfg.namespace,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]27 labels: {
28 "app.kubernetes.io/name": "matrix",
29 "app.kubernetes.io/managed-by": "kubecfg",
30 "app.kubernetes.io/component": component,
31 },
32 },
33
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]34 namespace: kube.Namespace(cfg.namespace),
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]35
36 postgres: postgres {
37 cfg+: {
38 namespace: cfg.namespace,
39 appName: "synapse",
40 database: "synapse",
41 username: "synapse",
42 password: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
43 },
44 },
45
46 dataVolume: kube.PersistentVolumeClaim("synapse-data") {
47 metadata+: app.metadata("synapse-data"),
48 spec+: {
49 storageClassName: cfg.storageClassName,
50 accessModes: [ "ReadWriteOnce" ],
51 resources: {
52 requests: {
53 storage: "50Gi",
54 },
55 },
56 },
57 },
Piotr Dobrowolskiffbb47c2019-05-16 12:18:39 +0200[diff] [blame]58
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]59 synapseConfig: kube.ConfigMap("synapse") {
60 metadata+: app.metadata("synapse"),
61 data: {
62 "homeserver.yaml": importstr "homeserver.yaml.j2",
63 },
64 },
65
66 casDeployment: kube.Deployment("oauth2-cas-proxy") {
67 metadata+: app.metadata("oauth2-cas-proxy"),
68 spec+: {
69 replicas: 1,
70 template+: {
71 spec+: {
72 containers_: {
73 proxy: kube.Container("oauth2-cas-proxy") {
74 image: cfg.casProxyImage,
75 ports_: {
76 http: { containerPort: 5000 },
77 },
78 env_: {
79 BASE_URL: "https://matrix.hackerspace.pl",
Piotr Dobrowolskiaa0e7552019-05-17 12:55:48 +0200[diff] [blame^]80 SERVICE_URL: "https://matrix.hackerspace.pl",
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]81 OAUTH2_CLIENT: "matrix",
82 OAUTH2_SECRET: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
83 },
84 },
85 },
86 },
87 },
88 },
89 },
90
91 casSvc: kube.Service("oauth2-cas-proxy") {
92 metadata+: app.metadata("oauth2-cas-proxy"),
93 target_pod:: app.casDeployment.spec.template,
94 },
95
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]96 synapseDeployment: kube.Deployment("synapse") {
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]97 metadata+: app.metadata("synapse"),
98 spec+: {
99 replicas: 1,
100 template+: {
101 spec+: {
102 volumes_: {
103 data: kube.PersistentVolumeClaimVolume(app.dataVolume),
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]104 config: kube.ConfigMapVolume(app.synapseConfig),
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]105 } + {
106 [k]: { secret: { secretName: "appservice-%s-registration" % [k] } }
107 for k in std.objectFields(app.appservices)
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]108 },
109 containers_: {
110 web: kube.Container("synapse") {
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]111 image: cfg.synapseImage,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]112 ports_: {
113 http: { containerPort: 8008 },
114 },
115 env_: {
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]116 SYNAPSE_SERVER_NAME: cfg.serverName,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]117 SYNAPSE_REPORT_STATS: "no",
118 SYNAPSE_NO_TLS: "1",
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]119 SYNAPSE_ALLOW_GUEST: "yes",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]120
121 POSTGRES_HOST: "postgres",
122 POSTGRES_USER: app.postgres.cfg.username,
123 POSTGRES_PORT: "5432",
124 POSTGRES_DB: app.postgres.cfg.database,
125 POSTGRES_PASSWORD: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
126 },
127 volumeMounts_: {
128 data: { mountPath: "/data" },
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]129 config: {
130 mountPath: "/conf/homeserver.yaml",
131 subPath: "homeserver.yaml",
132 },
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]133 } + {
134 [k]: { mountPath: "/appservices/%s" % [k] }
135 for k in std.objectFields(app.appservices)
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]136 },
137 },
138 },
139 },
140 },
141 },
142 },
143
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]144 synapseSvc: kube.Service("synapse") {
Piotr Dobrowolskiffbb47c2019-05-16 12:18:39 +0200[diff] [blame]145 metadata+: app.metadata("synapse"),
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]146 target_pod:: app.synapseDeployment.spec.template,
Piotr Dobrowolskiffbb47c2019-05-16 12:18:39 +0200[diff] [blame]147 },
148
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]149 riotConfig: kube.ConfigMap("riot-web-config") {
150 metadata+: app.metadata("riot-web-config"),
151 data: {
152 "config.json": std.manifestJsonEx({
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]153 "default_hs_url": "https://%s" % [cfg.domain],
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]154 "disable_custom_urls": false,
155 "disable_guests": false,
156 "disable_login_language_selector": false,
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]157 "disable_3pid_login": true,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]158 "brand": "Riot",
159 "integrations_ui_url": "https://scalar.vector.im/",
160 "integrations_rest_url": "https://scalar.vector.im/api",
161 "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]162
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]163 "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
164 "features": {
165 "feature_groups": "labs",
166 "feature_pinning": "labs",
167 "feature_reactions": "labs"
168 },
169 "default_federate": true,
170 "default_theme": "light",
171 "roomDirectory": {
172 "servers": [
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]173 "hackerspace.pl"
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]174 ]
175 },
176 "welcomeUserId": "@riot-bot:matrix.org",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]177 "enable_presence_by_hs_url": {
178 "https://matrix.org": false
179 }
180 }, ""),
181 },
182 },
183
184 riotDeployment: kube.Deployment("riot-web") {
185 metadata+: app.metadata("riot-web"),
186 spec+: {
187 replicas: 1,
188 template+: {
189 spec+: {
190 volumes_: {
191 config: kube.ConfigMapVolume(app.riotConfig),
192 },
193 containers_: {
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]194 web: kube.Container("riot-web") {
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]195 image: cfg.riotImage,
196 ports_: {
197 http: { containerPort: 80 },
198 },
199 volumeMounts_: {
200 config: {
201 mountPath: "/etc/riot-web/config.json",
202 subPath: "config.json",
203 },
204 },
205 },
206 },
207 },
208 },
209 },
210 },
211
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]212 riotSvc: kube.Service("riot-web") {
213 metadata+: app.metadata("riot-web"),
214 target_pod:: app.riotDeployment.spec.template,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]215 },
216
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]217 appservices: {
218 "irc-freenode": app.AppServiceIrc("freenode") {
219 cfg+: {
220 metadata: app.metadata("appservice-irc-freenode"),
221 config+: {
222 homeserver+: {
223 url: "https://%s" % [cfg.domain],
224 domain: "%s" % [cfg.serverName],
225 },
226 },
227 },
228 },
229 },
230
231 ingress: kube.Ingress("matrix") {
232 metadata+: app.metadata("matrix") {
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]233 annotations+: {
234 "kubernetes.io/tls-acme": "true",
235 "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
236 "nginx.ingress.kubernetes.io/proxy-body-size": "0",
237 },
238 },
239 spec+: {
240 tls: [
241 {
242 hosts: [cfg.domain],
243 secretName: "synapse-tls",
244 },
245 ],
246 rules: [
247 {
248 host: cfg.domain,
249 http: {
250 paths: [
251 { path: "/", backend: app.riotSvc.name_port },
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]252 { path: "/_matrix", backend: app.synapseSvc.name_port },
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]253 { path: "/_cas", backend: app.casSvc.name_port },
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]254 ]
255 },
256 }
257 ],
258 },
259 },
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]260
261 AppServiceIrc(name):: {
262 local bridge = self,
263 local cfg = bridge.cfg,
264 cfg:: {
265 image: "registry.k0.hswaw.net/informatic/matrix-appservice-irc:0.11.2",
266 metadata: {},
267 config: std.native("parseYaml")(importstr "appservice-irc.yaml")[0],
268 storageClassName: "waw-hdd-redundant-1",
269 },
270
271 config: kube.ConfigMap("appservice-irc-%s" % [name]) {
272 metadata+: cfg.metadata,
273 data: {
274 "config.yaml": std.manifestJsonEx(cfg.config, ""),
275 },
276 },
277
278 dataVolume: kube.PersistentVolumeClaim("appservice-irc-%s" % [name]) {
279 metadata+: cfg.metadata,
280 spec+: {
281 storageClassName: cfg.storageClassName,
282 accessModes: [ "ReadWriteOnce" ],
283 resources: {
284 requests: {
285 storage: "10Gi",
286 },
287 },
288 },
289 },
290
291 bootstrapJob: kube.Job("appservice-irc-%s-bootstrap" % [name]) {
292 metadata+: cfg.metadata {
293 labels: {
294 "job-name": "appservice-irc-%s-bootstrap" % [name],
295 },
296 },
297 spec+: {
298 template+: {
299 spec+: {
300 volumes_: {
301 config: kube.ConfigMapVolume(bridge.config),
302 },
303 containers_: {
304 bootstrap: kube.Container("appservice-irc-%s-bootstrap" % [name]) {
305 image: cfg.image,
306 command: ["sh", "-c", "matrix-appservice-irc -r -u http://appservice-irc-%s:9999 -c /config/config.yaml -f /tmp/registration.yaml && cat /tmp/registration.yaml" % [name]],
307 volumeMounts_: {
308 config: { mountPath: "/config" },
309 },
310 },
311 },
312 },
313 },
314 },
315 },
316
317 deployment: kube.Deployment("appservice-irc-%s" % [name]) {
318 metadata+: cfg.metadata,
319 spec+: {
320 replicas: 1,
321 template+: {
322 spec+: {
323 volumes_: {
324 config: kube.ConfigMapVolume(bridge.config),
325 data: kube.PersistentVolumeClaimVolume(bridge.dataVolume),
326 registration: { secret: { secretName: "appservice-irc-%s-registration" % [name] } },
327 },
328 containers_: {
329 appserviceIrc: kube.Container("appservice-irc-%s" % [name]) {
330 image: cfg.image,
331 command: ["matrix-appservice-irc", "-c", "/config/config.yaml", "-f", "/registration/registration.yaml", "-p", "9999"],
332 ports_: {
333 http: { containerPort: 9999 },
334 },
335 volumeMounts_: {
336 registration: { mountPath: "/registration", },
337 config: { mountPath: "/config", },
338 data: { mountPath: "/data" },
339 },
340 },
341 },
342 },
343 },
344 },
345 },
346
347 svc: kube.Service("appservice-irc-%s" % [name]) {
348 metadata+: cfg.metadata,
349 target_pod:: bridge.deployment.spec.template,
350 },
351 },
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]352}