From 141001b2ff4ad1ce8ba055b7800723b52c236180 Mon Sep 17 00:00:00 2001
From: WrenIX
Date: Mon, 19 Feb 2024 01:13:40 +0100
Subject: [PATCH] fix(mycloud-matrix): add bridge-matrix support
---
 base-values/mycloud-matrix-signal.yaml | 18 ++++
 mycloud-matrix/templates/bridge/signal.yaml | 102 ++++++++++++++++++
 .../templates/server/doublepuppet.yaml | 45 ++++++++
 mycloud-matrix/templates/server/synapse.yaml | 45 ++++++++
 mycloud-matrix/values.yaml | 19 ++++
 5 files changed, 229 insertions(+)
 create mode 100644 base-values/mycloud-matrix-signal.yaml
 create mode 100644 mycloud-matrix/templates/bridge/signal.yaml
 create mode 100644 mycloud-matrix/templates/server/doublepuppet.yaml
diff --git a/base-values/mycloud-matrix-signal.yaml b/base-values/mycloud-matrix-signal.yaml
new file mode 100644
index 0000000..f016599
--- /dev/null
+++ b/base-values/mycloud-matrix-signal.yaml
@@ -0,0 +1,18 @@
+##
+# commons are from mycloud-core
+##
+
+components:
+ mycloud-services:
+ # patch mycloud-core to get another database
+ values:
+ databases:
+ matrix-bridge-signal:
+ type: postgresql
+
+ mycloud-matrix:
+ # patch mycloud-core to get another database
+ values:
+ bridge:
+ signal:
+ enabled: true
diff --git a/mycloud-matrix/templates/bridge/signal.yaml b/mycloud-matrix/templates/bridge/signal.yaml
new file mode 100644
index 0000000..43dbcc3
--- /dev/null
+++ b/mycloud-matrix/templates/bridge/signal.yaml
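Review bot: The `mycloud-matrix` stanza reuses the comment `# patch mycloud-core to get another database` from the `mycloud-services` stanza above it, but what this stanza does is switch the Signal bridge on, not add a database, so the comment misleads anyone looking for where the database is declared. Suggest `# enable the Signal bridge (its database is declared under mycloud-services above)`. The hunk is the whole file, so nothing is cut off at its edges.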
@@ -0,0 +1,102 @@
+{{- if .Values.bridge.signal.enabled }}
+{{- $domain := .Values.server.host | default .Values.commons.ingress.domain }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: "{{ .Release.Name }}-mautrix-signal"
+spec:
+ chart:
+ spec:
+ sourceRef:
+ kind: GitRepository
+ name: "wrenix-helm-charts"
+ namespace: "flux-system"
+ chart: "./mautrix-signal"
+ reconcileStrategy: "Revision"
+ install:
+ {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+ test:
+ {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+ upgrade:
+ {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+ driftDetection:
+ {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+ interval: 10m
+ valuesFrom:
+ - kind: Secret
+ name: "{{ .Release.Name }}-mautrix-signal"
+ valuesKey: as_token
+ targetPath: config.appservice.as_token
+ optional: true
+ - kind: Secret
+ name: "{{ .Release.Name }}-mautrix-signal"
+ valuesKey: hs_token
+ targetPath: config.appservice.hs_token
+ optional: true
+ - kind: Secret
+ name: "{{ .Release.Name }}-doublepuppet"
+ valuesKey: as_token_code
+ targetPath: config.bridge.login_shared_secret_map.{{ $domain | replace "." "\\." }}
+ values:
+ config:
+ homeserver:
+ address: http://{{ .Release.Name }}-synapse:8008
+ domain: {{ $domain }}
+ appservice:
+ address: http://{{ .Release.Name }}-mautrix-signal:29328
+ database:
+ type: postgres
+ {{- $username := .Values.databases.bridge.signal.username }}
+ {{- $password := .Values.databases.bridge.signal.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-bridge-signal" "database_password" | b64enc) }}
+ {{- $host := .Values.databases.bridge.signal.host }}
+ {{- $database := .Values.databases.bridge.signal.name }}
+ uri: {{ printf "postgres://%s:%s@%s/%s?sslmode=disable" $username $password $host $database | quote }}
+ bridge:
+ personal_filtering_spaces: true
+ sync_direct_chat_list: true
+ double_puppet_server_map:
+ example.com: null
+ {{ $domain }}: http://{{ .Release.Name }}-synapse:8008
+ login_shared_secret_map:
+ example.com: null
+ encryption:
+ allow: true
+ default: true
+ require: true
+ delete_keys:
+ periodically_delete_expired: true
+ permissions:
+ "example.com": null
+ "@admin:example.com": null
+ "{{ $domain }}": user
+ {{- range $user := .Values.bridge.signal.admins }}
+ {{ $user | quote }}: admin
+ {{- end }}
+ relay:
+ enabled: true
+
+ registration:
+ namespaces:
+ users:
+ - regex: {{ printf "^@signalbot:%s$" ($domain | replace "." "\\.") | quote }}
+ exclusive: true
+ - regex: {{ printf "^@signal_.*:%s$" ($domain | replace "." "\\.") | quote }}
+ exclusive: true
+
+ persistence:
+ enabled: true
+ size: {{ .Values.persistence.size }}
+ {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
+ storageClass: {{ . }}
+ {{- end }}
+ {{- if .Values.commons.persistence.hostPath.enabled }}
+ hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/matrix/bridge/signal"
+ {{- end }}
+
+ prometheus:
+ servicemonitor:
+ enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
+ labels:
+ {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
+{{- end }}{{/* end-if .bridge.signal.enabled */}}
diff --git a/mycloud-matrix/templates/server/doublepuppet.yaml b/mycloud-matrix/templates/server/doublepuppet.yaml
new file mode 100644
index 0000000..c468d74
--- /dev/null
+++ b/mycloud-matrix/templates/server/doublepuppet.yaml
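Review bot: The `uri:` line interpolates the database password unescaped into `postgres://%s:%s@%s/%s`, and the default computed on the `$password` line is a `b64enc` output whose alphabet includes `/`, `+` and `=`; a `/` is not valid in the userinfo part of a URI and ends the authority early, so a generated password containing it yields a connection string the bridge cannot parse. Escaping the value, e.g. `uri: {{ printf "postgres://%s:%s@%s/%s?sslmode=disable" $username (urlquery $password) $host $database | quote }}` (text/template's builtin `urlquery`), keeps the URI valid for every generated password. The whole URI, password included, also lands in plaintext in the HelmRelease `spec.values`, whereas the appservice tokens earlier in this hunk are injected through `valuesFrom` Secrets; routing the database credential the same way keeps it out of an object that is usually readable by more principals than a Secret. `sslmode=disable` turns TLS to the database off; if the in-cluster link is intentionally unencrypted, a one-line comment saying so belongs next to it. The third `valuesFrom` entry is the only one without `optional: true`, which looks deliberate (the doublepuppet Secret is rendered by this chart) but is worth stating in a comment.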
@@ -0,0 +1,45 @@
+{{- if or .Values.bridge.signal.enabled }}
+---
+{{ $secretName := printf "%s-doublepuppet" .Release.Name }}
+{{- $asToken := "" }}
+{{- $hsToken := "" }}
+{{- $senderLocalpart := "" }}
+{{- if not (and $asToken $hsToken $senderLocalpart) }}
+{{- with (lookup "v1" "Secret" .Release.Namespace $secretName)}}
+{{- with get . "data" }}
+{{- $asToken = $asToken | default (get . "as_token" | b64dec) }}
+{{- $hsToken = $hsToken | default (get . "hs_token" | b64dec) }}
+{{- $senderLocalpart = (get . "sender_localpart" | b64dec) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- $asToken = $asToken | default (randAlphaNum 64) }}
+{{- $hsToken = $hsToken | default (randAlphaNum 64) }}
+{{- $senderLocalpart = $senderLocalpart | default (randAlphaNum 64) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ as_token: {{ $asToken | b64enc }}
+ as_token_code: {{ printf "as_token:%s" $asToken | b64enc }}
+ hs_token: {{ $hsToken | b64enc }}
+ sender_localpart: {{ $senderLocalpart | b64enc }}
+ registration.yaml: {{ (dict
+ "id" "doublepuppet"
+ "url" nil
+ "as_token" $asToken
+ "hs_token" $hsToken
+ "sender_localpart" $senderLocalpart
+ "rate_limited" false
+ "namespaces" (dict
+ "users" (list
+ (dict
+ "regex" (printf "@.*:%s" (.Values.server.host | default .Values.commons.ingress.domain | replace "." "\\." ))
+ "exclusive" false
+ )
+ )
+ )
+ ) | toYaml | b64enc }}
+{{- end }}
diff --git a/mycloud-matrix/templates/server/synapse.yaml b/mycloud-matrix/templates/server/synapse.yaml
index 11e6b1c..2869b7b 100644
--- a/mycloud-matrix/templates/server/synapse.yaml
+++ b/mycloud-matrix/templates/server/synapse.yaml
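Review bot: The condition `{{- if not (and $asToken $hsToken $senderLocalpart) }}` is always true, since the three variables are initialised to `""` on the lines directly above, and `{{- if or .Values.bridge.signal.enabled }}` applies `or` to a single operand; both read as scaffolding for further bridges and should either go or carry a comment saying that more `.Values.bridge.*.enabled` flags are meant to be listed there. Token stability across upgrades rests entirely on `lookup` seeing the existing Secret: in `helm template`, `--dry-run`, or wherever the renderer lacks permission to read Secrets it returns nothing, the `randAlphaNum 64` defaults mint fresh `as_token`/`hs_token`, and Synapse, which loads the registration file at startup, keeps the old tokens until it restarts. A comment above the `lookup` block stating that dependency, e.g. `{{/* reuse tokens from the existing Secret so an upgrade does not invalidate the registration Synapse has loaded; needs lookup (cluster access) */}}`, would save the next maintainer that debugging session. Note also that `$senderLocalpart` is assigned without the `default` chain the two token lines use, which is harmless here but inconsistent.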
@@ -30,10 +30,20 @@ spec: config: enableRegistration: false useStructuredLogging: true + logLevel: INFO extraConfig: use_presence: false enable_search: false dynamic_thumbnails: true + {{- with .Values.bridge }} + {{- if or .signal.enabled }} + app_service_config_files: + - "/etc/appservices/doublepuppet.yaml" + {{- if .signal.enabled }} + - "/etc/appservices/bridge-signal.yaml" + {{- end }}{{/* end-if .signale.enabled */}} + {{- end }}{{/* end-if .*.enabled */}} + {{- end }}{{/* end-with .bridge*/}} extraSecrets: email: smtp_host: {{ .Values.server.mail.host | default .Values.commons.mail.host | quote }} @@ -64,6 +74,9 @@ spec: localpart_template: "{{ user.preferred_username }}" display_name_template: "{{ user.name|capitalize }}" `}} + extraLoggers: + synapse.storage.SQL: + level: WARNING {{- if .Values.server.scaling }} workers: @@ -106,6 +119,38 @@ spec: memory: "256Mi" limits: memory: "4Gi" + extraVolumeMounts: + {{- with .Values.bridge }} + {{- if or .signal.enabled }} + - name: doublepuppet + mountPath: "/etc/appservices/doublepuppet.yaml" + subPath: "doublepuppet.yaml" + {{- if .signal.enabled }} + - name: bridge-signal + mountPath: "/etc/appservices/bridge-signal.yaml" + subPath: "bridge-signal.yaml" + {{- end }}{{/* end-if .signale.enabled */}} + {{- end }}{{/* end-if .*.enabled */}} + {{- end }}{{/* end-with .bridge*/}} + extraVolumes: + {{- with .Values.bridge }} + {{- if or .signal.enabled }} + - name: doublepuppet + secret: + secretName: "{{ $.Release.Name }}-doublepuppet" + items: + - key: "registration.yaml" + path: "doublepuppet.yaml" + {{- if .signal.enabled }} + - name: bridge-signal + secret: + secretName: "{{ $.Release.Name }}-mautrix-signal" + items: + - key: "registration.yaml" + path: "bridge-signal.yaml" + {{- end }}{{/* end-if .signale.enabled */}} + {{- end }}{{/* end-if .*.enabled */}} + {{- end }}{{/* end-with .bridge*/}} wellknown: enabled: true 
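Review bot: Both registration files in the `extraVolumeMounts` hunk are mounted with `subPath`, and Kubernetes does not refresh `subPath` mounts when the backing Secret changes, so a rotated `as_token`/`hs_token` leaves Synapse with stale registration files until its pod restarts; a comment on that stanza such as `# subPath mounts are not updated on Secret change: restart Synapse after token rotation`, or a checksum annotation if the chart exposes pod annotations, makes this visible. In the `extraVolumes` hunk the `bridge-signal` volume references the Secret `{{ $.Release.Name }}-mautrix-signal` with key `registration.yaml`, which as far as I can tell is produced by the separate mautrix-signal HelmRelease added in this commit; until that release has reconciled the Synapse pod cannot mount the volume and will not start, so either document the ordering or express it with Flux `dependsOn`. The closing comments `{{/* end-if .signale.enabled */}}` in all three hunks misspell the flag; `.signal.enabled` is meant. The `logLevel: INFO` and `extraLoggers` additions are unrelated to the bridge and would be easier to review in their own commit.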
diff --git a/mycloud-matrix/values.yaml b/mycloud-matrix/values.yaml index c8690c0..89d8374 100644 --- a/mycloud-matrix/values.yaml +++ b/mycloud-matrix/values.yaml @@ -51,6 +51,12 @@ commons: rules: labels: {} + grafana: + dashboards: + labels: + grafana_dashboard: "1" + annotations: + server: # -- default: (commons.ingress.domain) host: @@ -71,6 +77,11 @@ server: # -- default .commons.mail.host host: +bridge: + signal: + enabled: false + admins: [] + ingress: server: # -- default: matrix.(.commons.ingress.domain) @@ -95,6 +106,14 @@ databases: username: matrix-synapse # -- generated by .commons.masterPassword (equal to mycloud-services) password: + bridge: + signal: + # -- default is from mysql-services + host: mycloud-services-postgresql + name: matrix-bridge-signal + username: matrix-bridge-signal + # -- generated by .commons.masterPassword (equal to mycloud-services) + password: persistence: storageClass:
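Review bot: The comment `# -- default is from mysql-services` above `host: mycloud-services-postgresql` in the `databases.bridge.signal` hunk looks like a typo for the chart it actually names; `# -- default is from mycloud-services` is the intended text. In the `grafana.dashboards` hunk `annotations:` is left bare, i.e. YAML null, while the neighbouring `rules.labels: {}` uses an explicit empty mapping; a template that `toYaml`s or `range`s over that value renders `null` or nothing, so `annotations: {}` is the safer default unless the consuming template already handles null. The grafana stanza is unrelated to the Signal bridge and would be clearer in its own commit.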