feat(bridges): Add signal and messenger (meta)

This commit is contained in:
Tanguy Herbron 2024-12-15 15:45:50 +01:00
parent 24995c3a05
commit 5312a0eb0a
21 changed files with 420 additions and 39 deletions


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./signal
- ./messenger


@ -0,0 +1,14 @@
#!/bin/bash
echo "Checking if $MESSENGER_DB database exists..."
if psql -lqt | cut -d \| -f 1 | grep -qw $MESSENGER_DB; then
echo "Database exists, skipping creation"
else
echo "Database does not exist, creating..."
createdb $MESSENGER_DB
createuser $MESSENGER_USER
psql -c "ALTER USER $MESSENGER_USER WITH ENCRYPTED PASSWORD '$MESSENGER_PASSWORD';"
psql -c "GRANT ALL PRIVILEGES ON DATABASE $MESSENGER_DB TO $MESSENGER_USER;"
psql -c "ALTER DATABASE $MESSENGER_DB OWNER TO $MESSENGER_USER;"
fi
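Review bot: The bridge password is spliced straight into the SQL text on the `ALTER USER` line, so a generated secret containing a single quote breaks the statement (or changes its meaning), and the unquoted `$MESSENGER_DB`/`$MESSENGER_USER` expansions are subject to word splitting. `psql -c` strings are sent to the server verbatim, so the safe variable form needs stdin: `psql -v user="$MESSENGER_USER" -v pw="$MESSENGER_PASSWORD" <<'EOF'`, then `ALTER USER :"user" WITH PASSWORD :'pw';`, then `EOF`, with every other expansion double-quoted. The script also has no `set -euo pipefail`, so a failed `createuser` still lets the Job exit 0 (the `if` returns the status of the last `psql`), leaving a database whose role has no usable password; add `set -euo pipefail` directly after the shebang.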


@ -0,0 +1,46 @@
apiVersion: batch/v1
kind: Job
metadata:
name: messenger-db-init
namespace: synapse
spec:
template:
spec:
containers:
- name: messenger-db-init
image: postgres:15.10
command: ["/bin/bash", "/data/create_db.sh"]
env:
- name: PGHOST
value: synapse-db-rw.synapse.svc.cluster.local
- name: PGUSER
valueFrom:
secretKeyRef:
name: synapse-db-superuser
key: username
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: synapse-db-superuser
key: password
- name: messenger_USER
valueFrom:
secretKeyRef:
name: mautrix-messenger-db
key: username
- name: messenger_PASSWORD
valueFrom:
secretKeyRef:
name: mautrix-messenger-db
key: password
- name: messenger_DB
value: messenger
volumeMounts:
- name: create-db
mountPath: /data
volumes:
- name: create-db
configMap:
name: messenger-db-creation
restartPolicy: Never
backoffLimit: 4
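Review bot: The env names on the `messenger_USER`, `messenger_PASSWORD` and `messenger_DB` entries do not match what the mounted script reads (`$MESSENGER_USER`, `$MESSENGER_PASSWORD`, `$MESSENGER_DB`); shell variables are case-sensitive, so the script runs with all three empty, and since it never fails fast the Job will likely still report success while no `messenger` database or role exists (per the Postgres docs, `createdb` with no name creates a database named after the connecting user, here the superuser). Rename the three entries to `MESSENGER_USER`, `MESSENGER_PASSWORD` and `MESSENGER_DB`, matching the signal Job in this commit. Independently of that, the completed pod keeps the `synapse-db-superuser` references in its spec until it is cleaned up; `ttlSecondsAfterFinished: 300` under `spec:` and `automountServiceAccountToken: false` on the pod spec limit what a finished init pod exposes.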


@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: synapse
resources:
- service.yaml
- statefulset.yaml
- secrets.yaml
- job.yaml
generatorOptions:
labels:
app: messenger
configMapGenerator:
- name: messenger-db-creation
behavior: create
files:
- create_db.sh


@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: synapse-messenger-secrets
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://git.halis.io/athens-school/k3s-secrets
targetRevision: prod-migration
path: synapse/bridges/messenger
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- PruneLast=true
destination:
server: https://kubernetes.default.svc
namespace: synapse
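Review bot: `project: default` on this Application places the secrets sync under Argo CD's unrestricted default AppProject, which permits any source repository and any destination; an Application whose job is to pull Kubernetes Secrets from an external repo is exactly the one that should be fenced in. Create a dedicated AppProject with `sourceRepos` limited to `https://git.halis.io/athens-school/k3s-secrets`, `destinations` limited to namespace `synapse` on the in-cluster server, and `namespaceResourceWhitelist` limited to `Secret`, then reference it from `project:`. `targetRevision: prod-migration` also tracks a mutable branch; with `selfHeal` and `prune` enabled, anyone who can push to that branch can replace or delete these Secrets, so the branch protection on that repository is part of this change's security boundary and worth a comment here.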


@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: messenger
namespace: synapse
labels:
app.kubernetes.io/name: messenger
spec:
ports:
- name: http
port: 29319
protocol: TCP
targetPort: 29319
selector:
app: messenger
publishNotReadyAddresses: true


@ -0,0 +1,36 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: messenger
namespace: synapse
spec:
selector:
matchLabels:
app: messenger
serviceName: messenger
replicas: 1
minReadySeconds: 10
template:
metadata:
labels:
app: messenger
spec:
terminationGracePeriodSeconds: 10
containers:
- name: messenger
image: dock.mau.dev/mautrix/meta:v0.4.2
command: [
"/usr/bin/mautrix-meta",
"--config", "/data/config.yaml",
"--no-update",
]
ports:
- containerPort: 29328
volumeMounts:
- mountPath: "/data/config.yaml"
name: messenger-config-file
subPath: config.yaml
volumes:
- name: messenger-config-file
secret:
secretName: messenger-secret-config
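Review bot: `containerPort: 29328` does not agree with the messenger Service in this commit, which targets port 29319; the real listen port lives in the secret-provided `config.yaml` that is not in the diff, but the two manifests should name the same port, and 29328 is the value used by the signal StatefulSet, which suggests a copy-paste. Change the port entry to `- containerPort: 29319` (or the Service's `targetPort` to 29328, whichever the bridge config actually uses) so that NetworkPolicies or probes keyed on the container port are not silently wrong. The overridden `command` also bypasses the image's entrypoint, so whether the process runs as a non-root user now depends on the image's `USER` directive; adding a pod `securityContext` with `runAsNonRoot: true` makes that explicit and fails the pod rather than running the bridge as root.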


@ -0,0 +1,14 @@
#!/bin/bash
echo "Checking if $SIGNAL_DB database exists..."
if psql -lqt | cut -d \| -f 1 | grep -qw $SIGNAL_DB; then
echo "Database exists, skipping creation"
else
echo "Database does not exist, creating..."
createdb $SIGNAL_DB
createuser $SIGNAL_USER
psql -c "ALTER USER $SIGNAL_USER WITH ENCRYPTED PASSWORD '$SIGNAL_PASSWORD';"
psql -c "GRANT ALL PRIVILEGES ON DATABASE $SIGNAL_DB TO $SIGNAL_USER;"
psql -c "ALTER DATABASE $SIGNAL_DB OWNER TO $SIGNAL_USER;"
fi
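Review bot: The `grep -qw $SIGNAL_DB` existence check on the `if` line is the only thing that makes this script re-runnable, and it only covers the database: if the first attempt creates `signal` but `createuser` or the `ALTER USER` fails (the script has no `set -e`, so the failure is not reported either), every retry under the Job's `backoffLimit` prints "Database exists, skipping creation" and the role is left without the password the bridge expects. Query the catalog directly and keep the role steps idempotent, e.g. `if [ "$(psql -tAc "SELECT 1 FROM pg_database WHERE datname = '$SIGNAL_DB'")" = 1 ]; then`, guard the role with a separate `pg_roles` lookup, and start the script with `set -euo pipefail`. `grep -w` also treats `-` and `.` as word boundaries, so a database named `signal-old` would satisfy the current check — minor, but the catalog query avoids it as well.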


@ -0,0 +1,46 @@
apiVersion: batch/v1
kind: Job
metadata:
name: signal-db-init
namespace: synapse
spec:
template:
spec:
containers:
- name: signal-db-init
image: postgres:15.10
command: ["/bin/bash", "/data/create_db.sh"]
env:
- name: PGHOST
value: synapse-db-rw.synapse.svc.cluster.local
- name: PGUSER
valueFrom:
secretKeyRef:
name: synapse-db-superuser
key: username
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: synapse-db-superuser
key: password
- name: SIGNAL_USER
valueFrom:
secretKeyRef:
name: mautrix-signal-db
key: username
- name: SIGNAL_PASSWORD
valueFrom:
secretKeyRef:
name: mautrix-signal-db
key: password
- name: SIGNAL_DB
value: signal
volumeMounts:
- name: create-db
mountPath: /data
volumes:
- name: create-db
configMap:
name: signal-db-creation
restartPolicy: Never
backoffLimit: 4
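Review bot: This Job hands the CloudNativePG superuser credentials (`synapse-db-superuser`) to a pod in the application namespace just to create one role and one database, which is the broadest privilege in the whole stack. Depending on the operator version in use, CNPG's declarative role management (`spec.managed.roles` on the `synapse-db` Cluster, with `passwordSecret` pointing at `mautrix-signal-db`) creates the role without any superuser secret leaving the operator, and is idempotent by construction; the database itself could then be created by a much narrower role. If the Job stays, add `ttlSecondsAfterFinished: 300` under `spec:` so the completed pod, whose spec still references the superuser secret, is garbage-collected, and set `automountServiceAccountToken: false` on the pod spec since the script only talks to Postgres.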


@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: synapse
resources:
- service.yaml
- statefulset.yaml
- secrets.yaml
- job.yaml
generatorOptions:
labels:
app: signal
configMapGenerator:
- name: signal-db-creation
behavior: create
files:
- create_db.sh


@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: synapse-signal-secrets
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://git.halis.io/athens-school/k3s-secrets
targetRevision: prod-migration
path: synapse/bridges/signal
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- PruneLast=true
destination:
server: https://kubernetes.default.svc
namespace: synapse


@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: signal
namespace: synapse
labels:
app.kubernetes.io/name: signal
spec:
ports:
- name: http
port: 29328
protocol: TCP
targetPort: 29328
selector:
app: signal
publishNotReadyAddresses: true


@ -0,0 +1,36 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: signal
namespace: synapse
spec:
selector:
matchLabels:
app: signal
serviceName: signal
replicas: 1
minReadySeconds: 10
template:
metadata:
labels:
app: signal
spec:
terminationGracePeriodSeconds: 10
containers:
- name: signal
image: dock.mau.dev/mautrix/signal:v0.7.3
command: [
"/usr/bin/mautrix-signal",
"--config", "/data/config.yaml",
"--no-update",
]
ports:
- containerPort: 29328
volumeMounts:
- mountPath: "/data/config.yaml"
name: signal-config-file
subPath: config.yaml
volumes:
- name: signal-config-file
secret:
secretName: signal-secret-config
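Review bot: The pod spec has no `securityContext`, no resource requests/limits and no probes, and because `command` bypasses the image entrypoint, whether `mautrix-signal` drops privileges now depends entirely on the image's `USER` directive, which this diff cannot show. Pin that down in the manifest with a pod-level `runAsNonRoot`/seccomp profile and a container-level drop of all capabilities, as below; `readOnlyRootFilesystem: true` is worth trying as well, with an `emptyDir` on any path the bridge turns out to write to. Note also that mounting the Secret with `subPath` means a rotated `signal-secret-config` is not propagated to the running container (documented Kubernetes behaviour), so a rotation needs a rollout restart — a comment on the `volumeMounts` entry would save the next operator a debugging session.
```yaml
    spec:
      terminationGracePeriodSeconds: 10
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: signal
        # … unchanged: image, command, ports, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
```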


@ -4,7 +4,7 @@ metadata:
name: synapse-config name: synapse-config
namespace: synapse namespace: synapse
data: data:
matrix.beta.halia.dev.log.config: | matrix.halis.io.log.config: |
version: 1 version: 1
formatters: formatters:
precise: precise:


@ -0,0 +1,10 @@
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: synapse-db-backup
namespace: synapse
spec:
schedule: "0 0 0 * * *"
backupOwnerReference: self
cluster:
name: synapse-db


@ -9,7 +9,7 @@ spec:
storage: storage:
size: 5Gi size: 5Gi
storageClass: redundant-storage-class storageClass: local-path
bootstrap: bootstrap:
initdb: initdb:
@ -22,6 +22,24 @@ spec:
pg_hba: pg_hba:
- host all all all md5 - host all all all md5
backup:
barmanObjectStore:
destinationPath: "s3://halis/cloudnativepg"
endpointURL: https://s3.halia.dev
s3Credentials:
accessKeyId:
name: s3-secret
key: AWS_ACCESS_KEY_ID
secretAccessKey:
name: s3-secret
key: AWS_SECRET_ACCESS_KEY
region:
name: s3-secret
key: AWS_REGION
wal:
compression: gzip
maxParallel: 8
resources: resources:
requests: requests:
cpu: 100m cpu: 100m
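Review bot: The new `barmanObjectStore` block sets neither a `retentionPolicy` nor any encryption option, so base backups and WAL segments accumulate in `s3://halis/cloudnativepg` indefinitely and are stored however the bucket defaults dictate — for a database holding Matrix message history and bridge session state that is the most sensitive copy of the data. Add `retentionPolicy: "30d"` under `backup:` and, if `s3.halia.dev` supports server-side encryption, `encryption: AES256` under both `wal:` and a `data:` block. The first hunk's switch from `redundant-storage-class` to `local-path` ties the instance's data directory to one node's local disk; with object-store backups that is recoverable but manual, so if it is deliberate a comment on the `storageClass` line documenting the trade-off would help.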


@ -4,7 +4,7 @@ metadata:
name: synapse name: synapse
namespace: synapse namespace: synapse
spec: spec:
replicas: 2 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: synapse app: synapse
@ -13,18 +13,11 @@ spec:
labels: labels:
app: synapse app: synapse
spec: spec:
topologySpreadConstraints:
- maxSkrew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: synapse
securityContext: securityContext:
fsGroup: 991 fsGroup: 991
containers: containers:
- name: synapse - name: synapse
image: matrixdotorg/synapse:latest image: ghcr.io/element-hq/synapse:v1.119.0
ports: ports:
- containerPort: 8008 - containerPort: 8008
- containerPort: 9009 - containerPort: 9009
@ -34,9 +27,15 @@ spec:
- mountPath: "/data/homeserver.yaml" - mountPath: "/data/homeserver.yaml"
name: synapse-config-file name: synapse-config-file
subPath: homeserver.yaml subPath: homeserver.yaml
- mountPath: "/data/matrix.beta.halia.dev.log.config" - mountPath: "/data/matrix.halis.io.log.config"
name: synapse-log-config-file name: synapse-log-config-file
subPath: matrix.beta.halia.dev.log.config subPath: matrix.halis.io.log.config
- mountPath: "/data/double-puppeting.yaml"
name: synapse-secret-doublepuppeting
subPath: double-puppeting.yaml
- mountPath: "/data/signal.yaml"
name: signal-secret-registration
subPath: signal.yaml
volumes: volumes:
- name: synapse-data - name: synapse-data
persistentVolumeClaim: persistentVolumeClaim:
@ -47,3 +46,9 @@ spec:
- name: synapse-log-config-file - name: synapse-log-config-file
configMap: configMap:
name: synapse-config name: synapse-config
- name: synapse-secret-doublepuppeting
secret:
secretName: synapse-secret-doublepuppeting
- name: signal-secret-registration
secret:
secretName: signal-secret-registration
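Review bot: The new mounts register only the Signal bridge with Synapse (`/data/signal.yaml` from `signal-secret-registration`); there is no equivalent `messenger.yaml` mount even though this commit also deploys the messenger bridge, so unless `homeserver.yaml` (not in this diff) points `app_service_config_files` at something else, Synapse will not know the messenger appservice and its `as_token`/`hs_token` pairing never takes effect. Add a matching mount and volume, `- mountPath: "/data/messenger.yaml"` / `name: messenger-secret-registration` / `subPath: messenger.yaml`, backed by a Secret from the secrets repo. Moving from `replicas: 2` to `1` and dropping the topology spread constraint (whose `maxSkrew` key was misspelled anyway) is a deliberate single-instance change that the commit message does not mention; a one-line note explaining why would help whoever scales this back out.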


@ -1,23 +1,26 @@
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: synapse-ingress name: synapse-ingress
namespace: synapse namespace: synapse
annotations: annotations:
kubernetes.io/ingress.class: "traefik" cert-manager.io/cluster-issuer: letsencrypt-production
kubernetes.io/ingress.class: nginx-external
acme.cert-manager.io/http01-edit-in-place: "true"
spec: spec:
tls: tls:
- secretName: synapse-beta-tls - hosts:
hosts: - matrix.halis.io
- matrix.beta.halia.dev secretName: matrix-halis-io-tls
rules: ingressClassName: nginx-external
- host: matrix.beta.halia.dev rules:
http: - host: matrix.halis.io
paths: http:
- path: / paths:
pathType: Prefix - path: /
backend: pathType: Prefix
service: backend:
name: synapse-svc service:
port: name: synapse-svc
number: 80 port:
number: 80
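Review bot: The single `path: /` rule forwards everything on `matrix.halis.io` to Synapse, including the admin API under `/_synapse/admin`, which Synapse's reverse-proxy guidance says should not be reachable from the public internet. Replace the catch-all with explicit prefix rules for `/_matrix` and `/_synapse/client` (plus `/.well-known/matrix` if this host serves it), leaving `/_synapse/admin` reachable only from inside the cluster. The `kubernetes.io/ingress.class: nginx-external` annotation is deprecated and duplicates `ingressClassName: nginx-external`; keep only the `ingressClassName` field so there is one source of truth for which controller claims this Ingress.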


@ -5,9 +5,11 @@ resources:
- namespace.yaml - namespace.yaml
- pvc.yaml - pvc.yaml
- database.yaml - database.yaml
- database-backup.yaml
- service.yaml - service.yaml
- servicemonitor.yaml - servicemonitor.yaml
- ingress.yaml - ingress.yaml
- configmap.yaml - configmap.yaml
- secrets.yaml
- deployment.yaml - deployment.yaml
- ./bridges


@ -3,10 +3,13 @@ kind: PersistentVolumeClaim
metadata: metadata:
name: synapse-pvc name: synapse-pvc
namespace: synapse namespace: synapse
labels:
recurring-job.longhorn.io/source: enabled
recurring-job-group.longhorn.io/standard-pvc: enabled
spec: spec:
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
storageClassName: redundant-storage-class storageClassName: redundant-storage-class
resources: resources:
requests: requests:
storage: 1Gi storage: 50Gi

24
manifests/secrets.yaml Normal file

@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: synapse-secrets
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://git.halis.io/athens-school/k3s-secrets
targetRevision: prod-migration
path: synapse
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- PruneLast=true
destination:
server: https://kubernetes.default.svc
namespace: synapse