fix(mycloud-matrix): add bridge-matrix support

2024-02-19 01:13:40 +01:00 · 2024-02-19 01:13:40 +01:00 · 141001b2ff
commit 141001b2ff
parent 8547aac0f6
5 changed files with 229 additions and 0 deletions
--- a/base-values/mycloud-matrix-signal.yaml
+++ b/base-values/mycloud-matrix-signal.yaml
@ -0,0 +1,18 @@
+##
+# commons are from mycloud-core
+##
+
+components:
+  mycloud-services:
+    # patch mycloud-core to get another database
+    values:
+      databases:
+        matrix-bridge-signal:
+          type: postgresql
+
+  mycloud-matrix:
+    # patch mycloud-core to get another database
+    values:
+      bridge:
+        signal:
+          enabled: true
--- a/mycloud-matrix/templates/bridge/signal.yaml
+++ b/mycloud-matrix/templates/bridge/signal.yaml
@ -0,0 +1,102 @@
+{{- if .Values.bridge.signal.enabled }}
+{{- $domain := .Values.server.host | default .Values.commons.ingress.domain }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: "{{ .Release.Name }}-mautrix-signal"
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "flux-system"
+      chart: "./mautrix-signal"
+      reconcileStrategy: "Revision"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  valuesFrom:
+    - kind: Secret
+      name: "{{ .Release.Name }}-mautrix-signal"
+      valuesKey: as_token
+      targetPath: config.appservice.as_token
+      optional: true
+    - kind: Secret
+      name: "{{ .Release.Name }}-mautrix-signal"
+      valuesKey: hs_token
+      targetPath: config.appservice.hs_token
+      optional: true
+    - kind: Secret
+      name: "{{ .Release.Name }}-doublepuppet"
+      valuesKey: as_token_code
+      targetPath: config.bridge.login_shared_secret_map.{{ $domain | replace "." "\\." }}
+  values:
+    config:
+      homeserver:
+        address: http://{{ .Release.Name }}-synapse:8008
+        domain: {{ $domain }}
+      appservice:
+        address: http://{{ .Release.Name }}-mautrix-signal:29328
+        database:
+          type: postgres
+          {{- $username := .Values.databases.bridge.signal.username  }}
+          {{- $password := .Values.databases.bridge.signal.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-bridge-signal" "database_password" | b64enc) }}
+          {{- $host := .Values.databases.bridge.signal.host }}
+          {{- $database := .Values.databases.bridge.signal.name }}
+          uri: {{ printf "postgres://%s:%s@%s/%s?sslmode=disable" $username $password $host $database | quote }}
+      bridge:
+        personal_filtering_spaces: true
+        sync_direct_chat_list: true
+        double_puppet_server_map:
+          example.com: null
+          {{ $domain }}: http://{{ .Release.Name }}-synapse:8008
+        login_shared_secret_map:
+          example.com: null
+        encryption:
+          allow: true
+          default: true
+          require: true
+          delete_keys:
+            periodically_delete_expired: true
+        permissions:
+          "example.com": null
+          "@admin:example.com": null
+          "{{ $domain }}": user
+          {{- range $user := .Values.bridge.signal.admins }}
+          {{ $user | quote }}: admin
+          {{- end }}
+        relay:
+          enabled: true
+
+    registration:
+      namespaces:
+        users:
+          - regex: {{ printf "^@signalbot:%s$" ($domain | replace "." "\\.") | quote }}
+            exclusive: true
+          - regex: {{ printf "^@signal_.*:%s$" ($domain | replace "." "\\.") | quote }}
+            exclusive: true
+
+    persistence:
+      enabled: true
+      size: {{ .Values.persistence.size }}
+      {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
+      storageClass: {{ . }}
+      {{- end }}
+      {{- if .Values.commons.persistence.hostPath.enabled }}
+      hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/matrix/bridge/signal"
+      {{- end }}
+
+    prometheus:
+      servicemonitor:
+        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
+        labels:
+          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
+{{- end }}{{/* end-if .bridge.signal.enabled */}}
--- a/mycloud-matrix/templates/server/doublepuppet.yaml
+++ b/mycloud-matrix/templates/server/doublepuppet.yaml
@ -0,0 +1,45 @@
+{{- if or .Values.bridge.signal.enabled }}
+---
+{{ $secretName := printf "%s-doublepuppet" .Release.Name }}
+{{- $asToken := "" }}
+{{- $hsToken := "" }}
+{{- $senderLocalpart := "" }}
+{{- if not (and $asToken $hsToken $senderLocalpart) }}
+{{- with (lookup "v1" "Secret" .Release.Namespace $secretName)}}
+{{- with get . "data" }}
+{{- $asToken = $asToken | default (get . "as_token" | b64dec) }}
+{{- $hsToken = $hsToken | default (get . "hs_token" | b64dec) }}
+{{- $senderLocalpart = (get . "sender_localpart" | b64dec) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- $asToken = $asToken | default (randAlphaNum 64) }}
+{{- $hsToken = $hsToken | default (randAlphaNum 64) }}
+{{- $senderLocalpart = $senderLocalpart | default (randAlphaNum 64) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  as_token: {{ $asToken | b64enc }}
+  as_token_code: {{ printf "as_token:%s" $asToken | b64enc }}
+  hs_token: {{ $hsToken | b64enc }}
+  sender_localpart: {{ $senderLocalpart | b64enc }}
+  registration.yaml: {{ (dict
+   "id" "doublepuppet"
+   "url" nil
+   "as_token" $asToken
+   "hs_token" $hsToken
+   "sender_localpart" $senderLocalpart
+   "rate_limited" false
+   "namespaces" (dict
+     "users" (list
+       (dict
+         "regex" (printf "@.*:%s" (.Values.server.host | default .Values.commons.ingress.domain | replace "." "\\." ))
+         "exclusive" false
+       )
+     )
+   )
+  ) | toYaml | b64enc }}
+{{- end }}
--- a/mycloud-matrix/templates/server/synapse.yaml
+++ b/mycloud-matrix/templates/server/synapse.yaml
@ -30,10 +30,20 @@ spec:
    config:
      enableRegistration: false
      useStructuredLogging: true
+      logLevel: INFO
    extraConfig:
      use_presence: false
      enable_search: false
      dynamic_thumbnails: true
+      {{- with .Values.bridge }}
+      {{- if or .signal.enabled }}
+      app_service_config_files:
+        - "/etc/appservices/doublepuppet.yaml"
+        {{- if .signal.enabled }}
+        - "/etc/appservices/bridge-signal.yaml"
+        {{- end }}{{/* end-if .signale.enabled */}}
+      {{- end }}{{/* end-if .*.enabled */}}
+      {{- end }}{{/* end-with .bridge*/}}
    extraSecrets:
      email:
        smtp_host: {{ .Values.server.mail.host | default .Values.commons.mail.host | quote }}
@ -64,6 +74,9 @@ spec:
              localpart_template: "{{ user.preferred_username }}"
              display_name_template: "{{ user.name|capitalize }}"
              `}}
+    extraLoggers:
+      synapse.storage.SQL:
+        level: WARNING

    {{- if .Values.server.scaling }}
    workers:
@ -106,6 +119,38 @@ spec:
          memory: "256Mi"
        limits:
          memory: "4Gi"
+      extraVolumeMounts:
+        {{- with .Values.bridge }}
+        {{- if or .signal.enabled }}
+        - name: doublepuppet
+          mountPath: "/etc/appservices/doublepuppet.yaml"
+          subPath: "doublepuppet.yaml"
+        {{- if .signal.enabled }}
+        - name: bridge-signal
+          mountPath: "/etc/appservices/bridge-signal.yaml"
+          subPath: "bridge-signal.yaml"
+        {{- end }}{{/* end-if .signale.enabled */}}
+        {{- end }}{{/* end-if .*.enabled */}}
+        {{- end }}{{/* end-with .bridge*/}}
+      extraVolumes:
+        {{- with .Values.bridge }}
+        {{- if or .signal.enabled }}
+        - name: doublepuppet
+          secret:
+            secretName: "{{ $.Release.Name }}-doublepuppet"
+            items:
+              - key: "registration.yaml"
+                path: "doublepuppet.yaml"
+        {{- if .signal.enabled }}
+        - name: bridge-signal
+          secret:
+            secretName: "{{ $.Release.Name }}-mautrix-signal"
+            items:
+              - key: "registration.yaml"
+                path: "bridge-signal.yaml"
+        {{- end }}{{/* end-if .signale.enabled */}}
+        {{- end }}{{/* end-if .*.enabled */}}
+        {{- end }}{{/* end-with .bridge*/}}

    wellknown:
      enabled: true
--- a/mycloud-matrix/values.yaml
+++ b/mycloud-matrix/values.yaml
@ -51,6 +51,12 @@ commons:
    rules:
      labels: {}

+  grafana:
+    dashboards:
+      labels:
+        grafana_dashboard: "1"
+      annotations:
+
 server:
  # -- default: (commons.ingress.domain)
  host:
@ -71,6 +77,11 @@ server:
    # -- default .commons.mail.host
    host:

+bridge:
+  signal:
+    enabled: false
+    admins: []
+
 ingress:
  server:
    # -- default: matrix.(.commons.ingress.domain)
@ -95,6 +106,14 @@ databases:
    username: matrix-synapse
    # -- generated by .commons.masterPassword (equal to mycloud-services)
    password:
+  bridge:
+    signal:
+      # -- default is from mysql-services
+      host: mycloud-services-postgresql
+      name: matrix-bridge-signal
+      username: matrix-bridge-signal
+      # -- generated by .commons.masterPassword (equal to mycloud-services)
+      password:

 persistence:
  storageClass: