diff --git a/manifests/bridges/kustomization.yaml b/manifests/bridges/kustomization.yaml
new file mode 100644
index 0000000..c3ecb09
--- /dev/null
+++ b/manifests/bridges/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./signal
+ - ./messenger
diff --git a/manifests/bridges/messenger/create_db.sh b/manifests/bridges/messenger/create_db.sh
new file mode 100644
index 0000000..1596fd1
--- /dev/null
+++ b/manifests/bridges/messenger/create_db.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo "Checking if $MESSENGER_DB database exists..."
+
+if psql -lqt | cut -d \| -f 1 | grep -qw $MESSENGER_DB; then
+ echo "Database exists, skipping creation"
+else
+ echo "Database does not exist, creating..."
+ createdb $MESSENGER_DB
+ createuser $MESSENGER_USER
+ psql -c "ALTER USER $MESSENGER_USER WITH ENCRYPTED PASSWORD '$MESSENGER_PASSWORD';"
+ psql -c "GRANT ALL PRIVILEGES ON DATABASE $MESSENGER_DB TO $MESSENGER_USER;"
+ psql -c "ALTER DATABASE $MESSENGER_DB OWNER TO $MESSENGER_USER;"
+fi
diff --git a/manifests/bridges/messenger/job.yaml b/manifests/bridges/messenger/job.yaml
new file mode 100644
index 0000000..dc051c1
--- /dev/null
+++ b/manifests/bridges/messenger/job.yaml
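Review bot: The role name and the password are spliced straight into the SQL text in `psql -c "ALTER USER $MESSENGER_USER WITH ENCRYPTED PASSWORD '$MESSENGER_PASSWORD';"`, so a password containing a single quote breaks the statement, and the whole secret sits in the container's process argument list for as long as that psql runs; the variables are also unquoted in `grep -qw $MESSENGER_DB` and `createdb $MESSENGER_DB`. There is no `set -euo pipefail`, so a failed `createuser` or `ALTER USER` still lets the Job complete successfully and the bridge later fails against a half-created role, and `grep -w` also matches any database whose name merely contains `$MESSENGER_DB` as a word (for example `messenger-old`). The rewrite below feeds every value to psql as a variable that psql quotes itself (`:"name"` for identifiers, `:'pw'` for the literal) over stdin, checks existence with an exact `pg_database` lookup, and aborts on the first error. The same applies to manifests/bridges/signal/create_db.sh.
```shell
#!/bin/bash
set -euo pipefail
: "${MESSENGER_DB:?}" "${MESSENGER_USER:?}" "${MESSENGER_PASSWORD:?}"

echo "Checking if $MESSENGER_DB database exists..."

# Exact-name lookup; psql quotes :'db' itself, so the value is never spliced into SQL text.
exists=$(psql -tA -v ON_ERROR_STOP=1 -v db="$MESSENGER_DB" <<'EOF'
SELECT 1 FROM pg_database WHERE datname = :'db';
EOF
)

if [ "$exists" = "1" ]; then
  echo "Database exists, skipping creation"
else
  echo "Database does not exist, creating..."
  # Identifiers via :"var", the password via :'var'; nothing reaches argv or a log line.
  psql -v ON_ERROR_STOP=1 -v db="$MESSENGER_DB" -v dbuser="$MESSENGER_USER" -v pw="$MESSENGER_PASSWORD" <<'EOF'
CREATE DATABASE :"db";
CREATE USER :"dbuser" WITH PASSWORD :'pw';
GRANT ALL PRIVILEGES ON DATABASE :"db" TO :"dbuser";
ALTER DATABASE :"db" OWNER TO :"dbuser";
EOF
fi
```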
@@ -0,0 +1,46 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: messenger-db-init
+ namespace: synapse
+spec:
+ template:
+ spec:
+ containers:
+ - name: messenger-db-init
+ image: postgres:15.10
+ command: ["/bin/bash", "/data/create_db.sh"]
+ env:
+ - name: PGHOST
+ value: synapse-db-rw.synapse.svc.cluster.local
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ name: synapse-db-superuser
+ key: username
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: synapse-db-superuser
+ key: password
+ - name: messenger_USER
+ valueFrom:
+ secretKeyRef:
+ name: mautrix-messenger-db
+ key: username
+ - name: messenger_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mautrix-messenger-db
+ key: password
+ - name: messenger_DB
+ value: messenger
+ volumeMounts:
+ - name: create-db
+ mountPath: /data
+ volumes:
+ - name: create-db
+ configMap:
+ name: messenger-db-creation
+ restartPolicy: Never
+ backoffLimit: 4
diff --git a/manifests/bridges/messenger/kustomization.yaml b/manifests/bridges/messenger/kustomization.yaml
new file mode 100644
index 0000000..ae263df
--- /dev/null
+++ b/manifests/bridges/messenger/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: synapse
+
+resources:
+ - service.yaml
+ - statefulset.yaml
+ - secrets.yaml
+ - job.yaml
+
+generatorOptions:
+ labels:
+ app: messenger
+
+configMapGenerator:
+ - name: messenger-db-creation
+ behavior: create
+ files:
+ - create_db.sh
diff --git a/manifests/bridges/messenger/secrets.yaml b/manifests/bridges/messenger/secrets.yaml
new file mode 100644
index 0000000..239eadf
--- /dev/null
+++ b/manifests/bridges/messenger/secrets.yaml
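Review bot: The env names `messenger_USER`, `messenger_PASSWORD` and `messenger_DB` do not match what create_db.sh in this commit expands (`$MESSENGER_USER`, `$MESSENGER_PASSWORD`, `$MESSENGER_DB`; shell variable names are case-sensitive), so the script runs with all three empty and cannot create the intended database or role. Rename them to `- name: MESSENGER_USER`, `- name: MESSENGER_PASSWORD` and `- name: MESSENGER_DB`, mirroring the uppercase names used in manifests/bridges/signal/job.yaml.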
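Review bot: `namespace: synapse` in this Kustomization is applied by kustomize to every namespaced resource it emits, which presumably includes the Argo CD `Application` in secrets.yaml whose `metadata.namespace` is `argocd`; the rendered Application would land in `synapse`, where Argo CD does not reconcile Applications unless it has been configured to watch that namespace. Every other resource here already carries `namespace: synapse` explicitly, so dropping the `namespace:` line (or keeping secrets.yaml out of this Kustomization's `resources`) avoids the override; the generated ConfigMap then takes its namespace from the destination it is applied to. The same applies to manifests/bridges/signal/kustomization.yaml.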
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: synapse-messenger-secrets
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://git.halis.io/athens-school/k3s-secrets
+ targetRevision: prod-migration
+ path: synapse/bridges/messenger
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
+ - ApplyOutOfSyncOnly=true
+ - PruneLast=true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: synapse
diff --git a/manifests/bridges/messenger/service.yaml b/manifests/bridges/messenger/service.yaml
new file mode 100644
index 0000000..66f5021
--- /dev/null
+++ b/manifests/bridges/messenger/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: messenger
+ namespace: synapse
+ labels:
+ app.kubernetes.io/name: messenger
+spec:
+ ports:
+ - name: http
+ port: 29319
+ protocol: TCP
+ targetPort: 29319
+ selector:
+ app: messenger
+ publishNotReadyAddresses: true
diff --git a/manifests/bridges/messenger/statefulset.yaml b/manifests/bridges/messenger/statefulset.yaml
new file mode 100644
index 0000000..ae36d75
--- /dev/null
+++ b/manifests/bridges/messenger/statefulset.yaml
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: messenger
+ namespace: synapse
+spec:
+ selector:
+ matchLabels:
+ app: messenger
+ serviceName: messenger
+ replicas: 1
+ minReadySeconds: 10
+ template:
+ metadata:
+ labels:
+ app: messenger
+ spec:
+ terminationGracePeriodSeconds: 10
+ containers:
+ - name: messenger
+ image: dock.mau.dev/mautrix/meta:v0.4.2
+ command: [
+ "/usr/bin/mautrix-meta",
+ "--config", "/data/config.yaml",
+ "--no-update",
+ ]
+ ports:
+ - containerPort: 29328
+ volumeMounts:
+ - mountPath: "/data/config.yaml"
+ name: messenger-config-file
+ subPath: config.yaml
+ volumes:
+ - name: messenger-config-file
+ secret:
+ secretName: messenger-secret-config
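Review bot: `project: default` places this Application in the unrestricted default AppProject (any source repo, any destination cluster and namespace) even though its source is a secrets repository; a dedicated AppProject with `sourceRepos` limited to `https://git.halis.io/athens-school/k3s-secrets` and `destinations` limited to the `synapse` namespace bounds what an edit to this manifest can deploy. `targetRevision: prod-migration` is a moving branch, and with `selfHeal: true` and `prune: true` whatever is pushed there is applied and pruned automatically; if the branch name is transitional, a long-lived branch or a tag is the safer pin. The same applies to manifests/bridges/signal/secrets.yaml and manifests/secrets.yaml.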
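Review bot: The Service targets `targetPort: 29319`, but the StatefulSet added in the same commit declares `containerPort: 29328`, the value used by the signal bridge, so one of the two looks copied. Which port the bridge actually listens on is set in the config.yaml secret and is not visible here; align `port`, `targetPort` and `containerPort` with that value so the Service does not silently point at a closed port.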
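Review bot: The container has no `securityContext` and no `resources`, and because `command` replaces the image entrypoint the process presumably runs as whatever user the image defaults to; add a pod-level `securityContext` with `runAsNonRoot: true` and an explicit `runAsUser` matching the uid the image expects (confirm against the image), plus `capabilities: {drop: ["ALL"]}` on the container, and set requests/limits so one bridge cannot starve the node. The config secret is mounted with `subPath: config.yaml`, so a rotated `messenger-secret-config` is not seen until the pod is recreated; either document that with a comment (`# subPath mount: secret rotation requires a pod restart`) or mount the secret as a directory. manifests/bridges/signal/statefulset.yaml has the same shape.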
diff --git a/manifests/bridges/signal/create_db.sh b/manifests/bridges/signal/create_db.sh
new file mode 100644
index 0000000..a11e4de
--- /dev/null
+++ b/manifests/bridges/signal/create_db.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo "Checking if $SIGNAL_DB database exists..."
+
+if psql -lqt | cut -d \| -f 1 | grep -qw $SIGNAL_DB; then
+ echo "Database exists, skipping creation"
+else
+ echo "Database does not exist, creating..."
+ createdb $SIGNAL_DB
+ createuser $SIGNAL_USER
+ psql -c "ALTER USER $SIGNAL_USER WITH ENCRYPTED PASSWORD '$SIGNAL_PASSWORD';"
+ psql -c "GRANT ALL PRIVILEGES ON DATABASE $SIGNAL_DB TO $SIGNAL_USER;"
+ psql -c "ALTER DATABASE $SIGNAL_DB OWNER TO $SIGNAL_USER;"
+fi
diff --git a/manifests/bridges/signal/job.yaml b/manifests/bridges/signal/job.yaml
new file mode 100644
index 0000000..1dd2bcb
--- /dev/null
+++ b/manifests/bridges/signal/job.yaml
@@ -0,0 +1,46 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: signal-db-init
+ namespace: synapse
+spec:
+ template:
+ spec:
+ containers:
+ - name: signal-db-init
+ image: postgres:15.10
+ command: ["/bin/bash", "/data/create_db.sh"]
+ env:
+ - name: PGHOST
+ value: synapse-db-rw.synapse.svc.cluster.local
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ name: synapse-db-superuser
+ key: username
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: synapse-db-superuser
+ key: password
+ - name: SIGNAL_USER
+ valueFrom:
+ secretKeyRef:
+ name: mautrix-signal-db
+ key: username
+ - name: SIGNAL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mautrix-signal-db
+ key: password
+ - name: SIGNAL_DB
+ value: signal
+ volumeMounts:
+ - name: create-db
+ mountPath: /data
+ volumes:
+ - name: create-db
+ configMap:
+ name: signal-db-creation
+ restartPolicy: Never
+ backoffLimit: 4
diff --git a/manifests/bridges/signal/kustomization.yaml b/manifests/bridges/signal/kustomization.yaml
new file mode 100644
index 0000000..d74c7d6
--- /dev/null
+++ b/manifests/bridges/signal/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: synapse
+
+resources:
+ - service.yaml
+ - statefulset.yaml
+ - secrets.yaml
+ - job.yaml
+
+generatorOptions:
+ labels:
+ app: signal
+
+configMapGenerator:
+ - name: signal-db-creation
+ behavior: create
+ files:
+ - create_db.sh
diff --git a/manifests/bridges/signal/secrets.yaml b/manifests/bridges/signal/secrets.yaml
new file mode 100644
index 0000000..6acf79d
--- /dev/null
+++ b/manifests/bridges/signal/secrets.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: synapse-signal-secrets
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://git.halis.io/athens-school/k3s-secrets
+ targetRevision: prod-migration
+ path: synapse/bridges/signal
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
+ - ApplyOutOfSyncOnly=true
+ - PruneLast=true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: synapse
diff --git a/manifests/bridges/signal/service.yaml b/manifests/bridges/signal/service.yaml
new file mode 100644
index 0000000..499381d
--- /dev/null
+++ b/manifests/bridges/signal/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: signal
+ namespace: synapse
+ labels:
+ app.kubernetes.io/name: signal
+spec:
+ ports:
+ - name: http
+ port: 29328
+ protocol: TCP
+ targetPort: 29328
+ selector:
+ app: signal
+ publishNotReadyAddresses: true
diff --git a/manifests/bridges/signal/statefulset.yaml b/manifests/bridges/signal/statefulset.yaml
new file mode 100644
index 0000000..c283f6c
--- /dev/null
+++ b/manifests/bridges/signal/statefulset.yaml
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: signal
+ namespace: synapse
+spec:
+ selector:
+ matchLabels:
+ app: signal
+ serviceName: signal
+ replicas: 1
+ minReadySeconds: 10
+ template:
+ metadata:
+ labels:
+ app: signal
+ spec:
+ terminationGracePeriodSeconds: 10
+ containers:
+ - name: signal
+ image: dock.mau.dev/mautrix/signal:v0.7.3
+ command: [
+ "/usr/bin/mautrix-signal",
+ "--config", "/data/config.yaml",
+ "--no-update",
+ ]
+ ports:
+ - containerPort: 29328
+ volumeMounts:
+ - mountPath: "/data/config.yaml"
+ name: signal-config-file
+ subPath: config.yaml
+ volumes:
+ - name: signal-config-file
+ secret:
+ secretName: signal-secret-config
diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml
index 99ba7ea..d229406 100644
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@@ -4,7 +4,7 @@ metadata:
 name: synapse-config
 namespace: synapse
 data:
- matrix.beta.halia.dev.log.config: |
+ matrix.halis.io.log.config: |
 version: 1
 formatters:
 precise:
diff --git a/manifests/database-backup.yaml b/manifests/database-backup.yaml
new file mode 100644
index 0000000..3f7c4e3
--- /dev/null
+++ b/manifests/database-backup.yaml
@@ -0,0 +1,10 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: synapse-db-backup
+ namespace: synapse
+spec:
+ schedule: "0 0 0 * * *"
+ backupOwnerReference: self
+ cluster:
+ name: synapse-db
diff --git a/manifests/database.yaml b/manifests/database.yaml
index 46c75a9..0e6d244 100644
--- a/manifests/database.yaml
+++ b/manifests/database.yaml
@@ -9,7 +9,7 @@ spec:
 storage:
 size: 5Gi
- storageClass: redundant-storage-class
+ storageClass: local-path
 bootstrap:
 initdb:
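Review bot: `storageClass: local-path` pins each Postgres instance's data directory to the node it is scheduled on, with no replication at the storage layer, so losing that node means restoring from the object-store backup configured in the next hunk of this file; how many `instances` the cluster runs is not visible here, so whether CNPG's own streaming replication covers this cannot be judged from the hunk. If node-local disks are a deliberate choice for Postgres performance, a comment stating that and naming the dependency would help the next reader, for example `# local-path is node-local; durability relies on the barmanObjectStore backups below`.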
@@ -22,6 +22,24 @@ spec:
 pg_hba:
 - host all all all md5
+ backup:
+ barmanObjectStore:
+ destinationPath: "s3://halis/cloudnativepg"
+ endpointURL: https://s3.halia.dev
+ s3Credentials:
+ accessKeyId:
+ name: s3-secret
+ key: AWS_ACCESS_KEY_ID
+ secretAccessKey:
+ name: s3-secret
+ key: AWS_SECRET_ACCESS_KEY
+ region:
+ name: s3-secret
+ key: AWS_REGION
+ wal:
+ compression: gzip
+ maxParallel: 8
+
 resources:
 requests:
 cpu: 100m
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
index 98a2e1e..274ad6c 100644
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -4,7 +4,7 @@ metadata:
 name: synapse
 namespace: synapse
 spec:
- replicas: 2
+ replicas: 1
 selector:
 matchLabels:
 app: synapse
@@ -13,18 +13,11 @@ spec:
 labels:
 app: synapse
 spec:
- topologySpreadConstraints:
- - maxSkrew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
- matchLabels:
- app: synapse
 securityContext:
 fsGroup: 991
 containers:
 - name: synapse
- image: matrixdotorg/synapse:latest
+ image: ghcr.io/element-hq/synapse:v1.119.0
 ports:
 - containerPort: 8008
 - containerPort: 9009
@@ -34,9 +34,15 @@ spec:
 - mountPath: "/data/homeserver.yaml"
 name: synapse-config-file
 subPath: homeserver.yaml
- - mountPath: "/data/matrix.beta.halia.dev.log.config"
 name: synapse-log-config-file
- subPath: matrix.beta.halia.dev.log.config
+ - mountPath: "/data/matrix.halis.io.log.config"
 name: synapse-log-config-file
+ subPath: matrix.halis.io.log.config
+ - mountPath: "/data/double-puppeting.yaml"
+ name: synapse-secret-doublepuppeting
+ subPath: double-puppeting.yaml
+ - mountPath: "/data/signal.yaml"
+ name: signal-secret-registration
+ subPath: signal.yaml
 volumes:
 - name: synapse-data
 persistentVolumeClaim:
@@ -47,3 +46,9 @@ spec:
 - name: synapse-log-config-file
 configMap:
 name: synapse-config
+ - name: synapse-secret-doublepuppeting
+ secret:
+ secretName: synapse-secret-doublepuppeting
+ - name: signal-secret-registration
+ secret:
+ secretName: signal-secret-registration
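Review bot: The barmanObjectStore has no `retentionPolicy`, so base backups and archived WAL accumulate in `s3://halis/cloudnativepg` indefinitely; set `spec.backup.retentionPolicy` (for example `retentionPolicy: "30d"`, the window being a constructed value to choose) so expired backups are removed. Neither `wal` nor a `data` section sets `encryption`, so the homeserver database (access tokens, room content) is written to the object store in the clear unless the bucket enforces server-side encryption on its own; if `s3.halia.dev` supports it, add `encryption: AES256` under `wal:` and under a `data:` section. The enclosing `spec` continues outside the hunk.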
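Review bot: The signal bridge's registration is mounted at `/data/signal.yaml`, but nothing mounts a registration for the messenger bridge that this commit also introduces; Synapse only accepts appservice traffic for registrations listed in `app_service_config_files` in homeserver.yaml, which lives in a secret and is not visible here. If the messenger registration is expected in that list, add a matching `volumeMounts` entry here and a `secret` volume in the final hunk of this file, next to `signal-secret-registration`; if the messenger bridge is wired differently, a comment saying so would stop a future reader from assuming it was forgotten. The enclosing Deployment spec starts and ends outside this hunk.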
diff --git a/manifests/ingress.yaml b/manifests/ingress.yaml
index d5baf94..c143c47 100644
--- a/manifests/ingress.yaml
+++ b/manifests/ingress.yaml
@@ -1,23 +1,26 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: synapse-ingress
- namespace: synapse
- annotations:
- kubernetes.io/ingress.class: "traefik"
+ name: synapse-ingress
+ namespace: synapse
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ kubernetes.io/ingress.class: nginx-external
+ acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
- tls:
- - secretName: synapse-beta-tls
- hosts:
- - matrix.beta.halia.dev
- rules:
- - host: matrix.beta.halia.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: synapse-svc
- port:
- number: 80
+ tls:
+ - hosts:
+ - matrix.halis.io
+ secretName: matrix-halis-io-tls
+ ingressClassName: nginx-external
+ rules:
+ - host: matrix.halis.io
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: synapse-svc
+ port:
+ number: 80
diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml
index 1a47acf..b76db83 100644
--- a/manifests/kustomization.yaml
+++ b/manifests/kustomization.yaml
@@ -5,9 +5,11 @@ resources:
 - namespace.yaml
 - pvc.yaml
 - database.yaml
+ - database-backup.yaml
 - service.yaml
 - servicemonitor.yaml
 - ingress.yaml
 - configmap.yaml
+ - secrets.yaml
 - deployment.yaml
-
+ - ./bridges
diff --git a/manifests/pvc.yaml b/manifests/pvc.yaml
index fe395ca..5b5d1aa 100644
--- a/manifests/pvc.yaml
+++ b/manifests/pvc.yaml
@@ -3,10 +3,13 @@ kind: PersistentVolumeClaim
 metadata:
 name: synapse-pvc
 namespace: synapse
+ labels:
+ recurring-job.longhorn.io/source: enabled
+ recurring-job-group.longhorn.io/standard-pvc: enabled
 spec:
- accessModes:
- - ReadWriteMany
- storageClassName: redundant-storage-class
- resources:
- requests:
- storage: 1Gi
+ accessModes:
+ - ReadWriteMany
+ storageClassName: redundant-storage-class
+ resources:
+ requests:
+ storage: 50Gi
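Review bot: Both the legacy `kubernetes.io/ingress.class: nginx-external` annotation and `ingressClassName: nginx-external` are set; the annotation is deprecated and redundant once `ingressClassName` is present, so drop it and keep a single source of truth. Synapse's default `max_upload_size` is 50 MiB while ingress-nginx's default request body limit is 1 MiB, so media uploads above that are rejected at the ingress with 413 unless an annotation such as `nginx.ingress.kubernetes.io/proxy-body-size: "50m"` (value to match homeserver.yaml) is added. Federation on 8448 is not routed by this Ingress; that is fine if the server advertises 443 via .well-known, otherwise it needs its own route.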
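Review bot: Growing `storage` from `1Gi` to `50Gi` on an existing claim only succeeds if the `redundant-storage-class` StorageClass has `allowVolumeExpansion: true`; otherwise the apply is rejected and Argo CD keeps reporting the PVC OutOfSync. With the Deployment in this commit reduced to `replicas: 1`, `ReadWriteMany` is no longer required, and on Longhorn an RWX volume is served through an extra share-manager (NFS) pod; `accessModes` is immutable on a bound PVC, though, so moving to `ReadWriteOnce` means recreating the claim and migrating the data rather than editing in place.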
diff --git a/manifests/secrets.yaml b/manifests/secrets.yaml
new file mode 100644
index 0000000..864fd05
--- /dev/null
+++ b/manifests/secrets.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: synapse-secrets
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://git.halis.io/athens-school/k3s-secrets
+ targetRevision: prod-migration
+ path: synapse
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
+ - ApplyOutOfSyncOnly=true
+ - PruneLast=true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: synapse