Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / cdba291e7d0c42544391d8dcf1bc1b5629e933fe / . / app / matrix / prod.jsonnet
blob: cf6873870ba9fb73bd32df16a2db7e44b73b3720 [file] [log] [blame]
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]1# matrix.hackerspace.pl, a matrix/synapse instance
2# This needs a secret provisioned, create with:
Piotr Dobrowolskieabbe8a2019-08-11 19:49:08 +0200[diff] [blame]3# kubectl -n matrix create secret generic synapse --from-literal=postgres_password=$(pwgen 24 1) --from-literal=macaroon_secret_key=$(pwgen 32 1) --from-literal=registration_shared_secret=$(pwgen 32 1)
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]4# kubectl -n matrix create secret generic oauth2-cas-proxy --from-literal=oauth2_secret=...
Piotr Dobrowolski3ea979d2019-05-23 16:11:52 +0200[diff] [blame]5# kubectl -n matrix create secret generic appservice-irc-freenode-registration --from-file=registration.yaml=<(kubectl logs -n matrix $(kubectl get pods -n matrix --selector=job-name=appservice-irc-freenode-bootstrap --output=jsonpath='{.items[*].metadata.name}') | tail -n +4 | sed -r 's/(.*aliases:.*)/ group_id: "+freenode:hackerspace.pl"\n\1/')
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]6
7local kube = import "../../kube/kube.libsonnet";
8local postgres = import "../../kube/postgres.libsonnet";
9
Serge Bazanskicdba2912020-08-24 19:11:10 +0000[diff] [blame^]10local irc = import "appservice-irc.libsonnet";
11
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]12{
13 local app = self,
14 local cfg = app.cfg,
15 cfg:: {
16 namespace: "matrix",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]17 domain: "matrix.hackerspace.pl",
18 serverName: "hackerspace.pl",
Sergiusz Bazanskid07861b2019-08-08 17:48:25 +0200[diff] [blame]19 storageClassName: "waw-hdd-paranoid-2",
Serge Bazanskic0c037a2020-08-23 01:24:03 +0000[diff] [blame]20 storageClassName3: "waw-hdd-redundant-3",
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]21
Sergiusz Bazanskiec221a02020-07-17 12:50:18 +0200[diff] [blame]22 synapseImage: "matrixdotorg/synapse:v1.17.0",
23 riotImage: "vectorim/riot-web:v1.7.1",
Sergiusz Bazanski735ac9c2020-07-17 12:10:42 +0200[diff] [blame]24 casProxyImage: "registry.k0.hswaw.net/q3k/oauth2-cas-proxy:0.1.4",
25 appserviceIRCImage: "matrixdotorg/matrix-appservice-irc:release-0.17.1",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]26 },
27
28 metadata(component):: {
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]29 namespace: cfg.namespace,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]30 labels: {
31 "app.kubernetes.io/name": "matrix",
32 "app.kubernetes.io/managed-by": "kubecfg",
33 "app.kubernetes.io/component": component,
34 },
35 },
36
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]37 namespace: kube.Namespace(cfg.namespace),
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]38
Serge Bazanskic0c037a2020-08-23 01:24:03 +0000[diff] [blame]39 postgres3: postgres {
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]40 cfg+: {
41 namespace: cfg.namespace,
42 appName: "synapse",
43 database: "synapse",
44 username: "synapse",
Serge Bazanskic0c037a2020-08-23 01:24:03 +0000[diff] [blame]45 prefix: "waw3-",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]46 password: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
Serge Bazanskic0c037a2020-08-23 01:24:03 +0000[diff] [blame]47 storageClassName: cfg.storageClassName3,
48 storageSize: "100Gi",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]49 },
50 },
51
Serge Bazanskic0c037a2020-08-23 01:24:03 +0000[diff] [blame]52 dataVolume: kube.PersistentVolumeClaim("synapse-data-waw3") {
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]53 metadata+: app.metadata("synapse-data"),
54 spec+: {
Serge Bazanskic0c037a2020-08-23 01:24:03 +0000[diff] [blame]55 storageClassName: cfg.storageClassName3,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]56 accessModes: [ "ReadWriteOnce" ],
57 resources: {
58 requests: {
59 storage: "50Gi",
60 },
61 },
62 },
63 },
Piotr Dobrowolskiffbb47c2019-05-16 12:18:39 +0200[diff] [blame]64
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]65 synapseConfig: kube.ConfigMap("synapse") {
66 metadata+: app.metadata("synapse"),
67 data: {
Piotr Dobrowolskieabbe8a2019-08-11 19:49:08 +0200[diff] [blame]68 "homeserver.yaml": importstr "homeserver.yaml",
69 "log.config": importstr "log.config",
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]70 },
71 },
72
73 casDeployment: kube.Deployment("oauth2-cas-proxy") {
74 metadata+: app.metadata("oauth2-cas-proxy"),
75 spec+: {
76 replicas: 1,
77 template+: {
78 spec+: {
79 containers_: {
80 proxy: kube.Container("oauth2-cas-proxy") {
81 image: cfg.casProxyImage,
82 ports_: {
83 http: { containerPort: 5000 },
84 },
85 env_: {
86 BASE_URL: "https://matrix.hackerspace.pl",
Piotr Dobrowolskiaa0e7552019-05-17 12:55:48 +0200[diff] [blame]87 SERVICE_URL: "https://matrix.hackerspace.pl",
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]88 OAUTH2_CLIENT: "matrix",
89 OAUTH2_SECRET: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
90 },
91 },
92 },
93 },
94 },
95 },
96 },
97
98 casSvc: kube.Service("oauth2-cas-proxy") {
99 metadata+: app.metadata("oauth2-cas-proxy"),
100 target_pod:: app.casDeployment.spec.template,
101 },
102
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]103 synapseDeployment: kube.Deployment("synapse") {
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]104 metadata+: app.metadata("synapse"),
105 spec+: {
106 replicas: 1,
107 template+: {
108 spec+: {
109 volumes_: {
110 data: kube.PersistentVolumeClaimVolume(app.dataVolume),
Piotr Dobrowolski8ebfc1d2020-03-03 21:01:18 +0100[diff] [blame]111 config_template: kube.ConfigMapVolume(app.synapseConfig),
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]112 } + {
113 [k]: { secret: { secretName: "appservice-%s-registration" % [k] } }
114 for k in std.objectFields(app.appservices)
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]115 },
116 containers_: {
117 web: kube.Container("synapse") {
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]118 image: cfg.synapseImage,
Piotr Dobrowolski8ebfc1d2020-03-03 21:01:18 +0100[diff] [blame]119 command: ["/bin/sh", "-c", "/start.py migrate_config && exec /start.py"],
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]120 ports_: {
121 http: { containerPort: 8008 },
122 },
123 env_: {
Piotr Dobrowolski8ebfc1d2020-03-03 21:01:18 +0100[diff] [blame]124 SYNAPSE_CONFIG_DIR: "/config",
Piotr Dobrowolskieabbe8a2019-08-11 19:49:08 +0200[diff] [blame]125 SYNAPSE_CONFIG_PATH: "/config/homeserver.yaml",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]126
Piotr Dobrowolski8ebfc1d2020-03-03 21:01:18 +0100[diff] [blame]127 # These values are not used in a template, but
128 # are required by /start.py migrate_config
129 SYNAPSE_SERVER_NAME: "hackerspace.pl",
130 SYNAPSE_REPORT_STATS: "no",
131
132 SYNAPSE_MACAROON_SECRET_KEY: { secretKeyRef: { name: "synapse", key: "macaroon_secret_key" } },
133 SYNAPSE_REGISTRATION_SHARED_SECRET: { secretKeyRef: { name: "synapse", key: "registration_shared_secret" } },
134 POSTGRES_PASSWORD: { secretKeyRef: { name: "synapse", key: "postgres_password" } },
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]135 },
136 volumeMounts_: {
137 data: { mountPath: "/data" },
Piotr Dobrowolski8ebfc1d2020-03-03 21:01:18 +0100[diff] [blame]138 config_template: {
139 mountPath: "/conf/homeserver.yaml",
140 subPath: "homeserver.yaml",
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]141 },
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]142 } + {
143 [k]: { mountPath: "/appservices/%s" % [k] }
144 for k in std.objectFields(app.appservices)
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]145 },
146 },
147 },
148 },
149 },
150 },
151 },
152
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]153 synapseSvc: kube.Service("synapse") {
Piotr Dobrowolskiffbb47c2019-05-16 12:18:39 +0200[diff] [blame]154 metadata+: app.metadata("synapse"),
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]155 target_pod:: app.synapseDeployment.spec.template,
Piotr Dobrowolskiffbb47c2019-05-16 12:18:39 +0200[diff] [blame]156 },
157
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]158 riotConfig: kube.ConfigMap("riot-web-config") {
159 metadata+: app.metadata("riot-web-config"),
160 data: {
161 "config.json": std.manifestJsonEx({
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]162 "default_hs_url": "https://%s" % [cfg.domain],
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]163 "disable_custom_urls": false,
164 "disable_guests": false,
165 "disable_login_language_selector": false,
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]166 "disable_3pid_login": true,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]167 "brand": "Riot",
168 "integrations_ui_url": "https://scalar.vector.im/",
169 "integrations_rest_url": "https://scalar.vector.im/api",
170 "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]171
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]172 "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
173 "features": {
174 "feature_groups": "labs",
175 "feature_pinning": "labs",
176 "feature_reactions": "labs"
177 },
178 "default_federate": true,
179 "default_theme": "light",
180 "roomDirectory": {
181 "servers": [
Piotr Dobrowolski4b4231d2019-05-15 11:41:21 +0200[diff] [blame]182 "hackerspace.pl"
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]183 ]
184 },
185 "welcomeUserId": "@riot-bot:matrix.org",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]186 "enable_presence_by_hs_url": {
187 "https://matrix.org": false
188 }
189 }, ""),
190 },
191 },
192
193 riotDeployment: kube.Deployment("riot-web") {
194 metadata+: app.metadata("riot-web"),
195 spec+: {
196 replicas: 1,
197 template+: {
198 spec+: {
199 volumes_: {
200 config: kube.ConfigMapVolume(app.riotConfig),
201 },
202 containers_: {
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]203 web: kube.Container("riot-web") {
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]204 image: cfg.riotImage,
205 ports_: {
206 http: { containerPort: 80 },
207 },
208 volumeMounts_: {
209 config: {
Piotr Dobrowolskiaca7e282020-03-21 22:14:38 +0100[diff] [blame]210 mountPath: "/app/config.json",
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]211 subPath: "config.json",
212 },
213 },
214 },
215 },
216 },
217 },
218 },
219 },
220
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]221 riotSvc: kube.Service("riot-web") {
222 metadata+: app.metadata("riot-web"),
223 target_pod:: app.riotDeployment.spec.template,
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]224 },
225
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]226 appservices: {
Serge Bazanskicdba2912020-08-24 19:11:10 +0000[diff] [blame^]227 "irc-freenode": irc.AppServiceIrc("freenode") {
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]228 cfg+: {
Serge Bazanskicdba2912020-08-24 19:11:10 +0000[diff] [blame^]229 image: cfg.appserviceIRCImage,
230 storageClassName: cfg.storageClassName,
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]231 metadata: app.metadata("appservice-irc-freenode"),
Sergiusz Bazanski92b48d62020-01-08 13:59:04 +0100[diff] [blame]232 // TODO(q3k): add labels to blessed nodes
233 nodeSelector: {
Serge Bazanski1b15dc42020-08-23 01:01:28 +0200[diff] [blame]234 "kubernetes.io/hostname": "bc01n03.hswaw.net",
Sergiusz Bazanski92b48d62020-01-08 13:59:04 +0100[diff] [blame]235 },
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]236 config+: {
237 homeserver+: {
238 url: "https://%s" % [cfg.domain],
239 domain: "%s" % [cfg.serverName],
240 },
Piotr Dobrowolskieabbe8a2019-08-11 19:49:08 +0200[diff] [blame]241 ircService+: {
242 servers+: {
243 "irc.freenode.net"+: {
244 ircClients+: {
245 maxClients: 150,
246 },
247 },
248 },
249 },
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]250 },
251 },
252 },
253 },
254
255 ingress: kube.Ingress("matrix") {
256 metadata+: app.metadata("matrix") {
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]257 annotations+: {
258 "kubernetes.io/tls-acme": "true",
259 "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
260 "nginx.ingress.kubernetes.io/proxy-body-size": "0",
261 },
262 },
263 spec+: {
264 tls: [
265 {
266 hosts: [cfg.domain],
267 secretName: "synapse-tls",
268 },
269 ],
270 rules: [
271 {
272 host: cfg.domain,
273 http: {
274 paths: [
275 { path: "/", backend: app.riotSvc.name_port },
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]276 { path: "/_matrix", backend: app.synapseSvc.name_port },
Piotr Dobrowolskic39fb042019-05-17 09:13:56 +0200[diff] [blame]277 { path: "/_cas", backend: app.casSvc.name_port },
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]278 ]
279 },
280 }
281 ],
282 },
283 },
Piotr Dobrowolskifef4c122019-05-16 21:05:02 +0200[diff] [blame]284
Piotr Dobrowolskia2226912019-05-14 18:49:29 +0200[diff] [blame]285}