feat(mycloud-matrix): init

base-values/mycloud-matrix.yaml

@@ -0,0 +1,18 @@
+##
+# commons are from mycloud-core
+##
+
+components:
+  mycloud-services:
+    # patch mycloud-core to get another database
+    values:
+      databases:
+        matrix-synapse:
+          type: postgresql
+          additionalParams: "LC_COLLATE='C' LC_CTYPE='C' ENCODING=UTF8 TEMPLATE=template0"
+
+  mycloud-matrix:
+    enabled: true
+    namespace:
+      # current namespace
+      name:

docs/modules/components/nav.adoc

@@ -8,5 +8,6 @@
 ** xref:mycloud-authentik.adoc[mycloud-authentik]
 ** xref:mycloud-collabora.adoc[mycloud-collabora]
 ** xref:mycloud-gotosocial.adoc[mycloud-gotosocial]
+** xref:mycloud-matrix.adoc[mycloud-matrix]
 ** xref:mycloud-nextcloud.adoc[mycloud-nextcloud]
 ** xref:mycloud-services.adoc[mycloud-services]

docs/modules/components/pages/mycloud-matrix.adoc

@@ -0,0 +1 @@
+../../../../mycloud-matrix/README.adoc

docs/modules/mycloud/pages/partial-list-components.adoc

@@ -2,5 +2,6 @@
 * xref:components:mycloud-authentik.adoc[mycloud-authentik]
 * xref:components:mycloud-collabora.adoc[mycloud-collabora]
 * xref:components:mycloud-gotosocial.adoc[mycloud-gotosocial]
+* xref:components:mycloud-matrix.adoc[mycloud-matrix]
 * xref:components:mycloud-nextcloud.adoc[mycloud-nextcloud]
 * xref:components:mycloud-services.adoc[mycloud-services]

mycloud-matrix/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

mycloud-matrix/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: mycloud-matrix
+description: myCloud component to setup matrix
+type: application
+maintainers:
+  - name: WrenIX
+    url: https://wrenix.eu
+
+version: 0.1.0

mycloud-matrix/README.adoc

@@ -0,0 +1,255 @@
+
+
+= mycloud-matrix
+
+image::https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square[Version: 0.1.0]
+image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
+== Maintainers
+
+.Maintainers
+|===
+| Name | Email | Url
+
+| WrenIX
+|
+| <https://wrenix.eu>
+|===
+
+== Values
+
+.Values
+|===
+| Key | Type | Default | Description
+
+| commons.auth.host
+| string
+| `nil`
+| default auth.(.Values.commons.ingress.domain)
+
+| commons.helm.release.driftDetection
+| object
+| `{}`
+|
+
+| commons.helm.release.install
+| object
+| `{}`
+|
+
+| commons.helm.release.test
+| object
+| `{}`
+|
+
+| commons.helm.release.upgrade
+| object
+| `{}`
+|
+
+| commons.ingress.annotations."cert-manager.io/cluster-issuer"
+| string
+| `"letsencrypt-prod"`
+|
+
+| commons.ingress.domain
+| string
+| `"wrenix.eu"`
+|
+
+| commons.ingress.tls.enabled
+| bool
+| `true`
+| tls on every ingress
+
+| commons.ingress.tls.override
+| string
+| `nil`
+| use own definition of tls (e.g. for own or wildcard certificate)
+
+| commons.mail.from
+| string
+| `nil`
+|
+
+| commons.mail.host
+| string
+| `nil`
+|
+
+| commons.mail.password
+| string
+| `nil`
+|
+
+| commons.mail.use_ssl
+| bool
+| `false`
+|
+
+| commons.mail.use_tls
+| bool
+| `false`
+|
+
+| commons.mail.username
+| string
+| `nil`
+|
+
+| commons.masterPassword
+| string
+| `"CHANGEME"`
+|
+
+| commons.persistence.hostPath.enabled
+| bool
+| `false`
+|
+
+| commons.persistence.hostPath.prefix
+| string
+| `"/var/lib/mycloud"`
+|
+
+| commons.persistence.storageClass
+| string
+| `nil`
+|
+
+| commons.prometheus.monitor.labels
+| object
+| `{}`
+|
+
+| commons.prometheus.rules.labels
+| object
+| `{}`
+|
+
+| commons.theme.favicon
+| string
+| `"/static/dist/assets/icons/icon.png"`
+|
+
+| commons.theme.logo
+| string
+| `"/static/dist/assets/icons/icon_left_brand.svg"`
+|
+
+| commons.theme.title
+| string
+| `"myCloud"`
+|
+
+| databases.server.host
+| string
+| `"mycloud-services-postgresql"`
+| default is from mysql-services
+
+| databases.server.name
+| string
+| `"matrix-synapse"`
+|
+
+| databases.server.password
+| string
+| `nil`
+| generated by .commons.masterPassword (equal to mycloud-services)
+
+| databases.server.username
+| string
+| `"matrix-synapse"`
+|
+
+| ingress.element.annotations
+| string
+| `nil`
+|
+
+| ingress.element.enabled
+| bool
+| `true`
+|
+
+| ingress.element.host
+| string
+| `nil`
+| default: element.(.commons.ingress.domain)
+
+| ingress.hydrogen.annotations
+| string
+| `nil`
+|
+
+| ingress.hydrogen.enabled
+| bool
+| `false`
+|
+
+| ingress.hydrogen.host
+| string
+| `nil`
+| default: hydrogen.(.commons.ingress.domain)
+
+| ingress.server.annotations
+| string
+| `nil`
+|
+
+| ingress.server.host
+| string
+| `nil`
+| default: matrix.(.commons.ingress.domain)
+
+| init.namespace
+| string
+| `"bases"`
+|
+
+| init.version
+| int
+| `0`
+|
+
+| persistence.size
+| string
+| `"16Gi"`
+|
+
+| persistence.storageClass
+| string
+| `nil`
+|
+
+| server.auth.clientID
+| string
+| `nil`
+| generated by .commons.masterPassword
+
+| server.auth.clientSecret
+| string
+| `nil`
+| generated by .commons.masterPassword
+
+| server.host
+| string
+| `nil`
+| default: (commons.ingress.domain)
+
+| server.mail.from
+| string
+| `nil`
+| generade by .commons.mail.from
+
+| server.mail.host
+| string
+| `nil`
+| default .commons.mail.host
+
+| server.software
+| string
+| `"synapse"`
+|
+|===
+
+Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]

mycloud-matrix/templates/authentik-application.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-auth
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "flux-system"
+      chart: "./authentik-application"
+      reconcileStrategy: "Revision"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  values:
+    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+    {{- $clientHost := .Values.server.auth.webClient | default (printf "element.%s" .Values.commons.ingress.domain) }}
+    blueprint:
+      authentik:
+        domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
+      provider:
+        type: "oidc"
+        name: "Matrix"
+        oidc:
+          clientType: "confidential"
+          redirectURL: "https://{{ $serverHost }}/_synapse/client/oidc/callback"
+          clientID: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
+          clientSecret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
+          signingKey: "authentik Self-signed Certificate"
+          scopes:
+            - name: "authentik default OAuth Mapping: OpenID 'openid'"
+            - name: "authentik default OAuth Mapping: OpenID 'email'"
+            - name: "authentik default OAuth Mapping: OpenID 'profile'"
+
+      groups:
+        - slug: "mycloud - users"
+          bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
+
+      application:
+        policyEngineMode: "any"
+        openInNewTab: true
+        publisher: "WrenIX's myCloud"
+        slug: "mycloud-matrix"
+        group: "Chat"
+        name: "Matrix"
+        launchURL: "https://{{ $clientHost }}/"
+        icon: "https://{{ $clientHost }}/themes/element/img/logos/element-logo.svg"
+        description: "Matrix is an open standard and communication protocol for real-time communication. It aims to make real-time communication work seamlessly between different service providers."

mycloud-matrix/templates/clients/element.yaml

@@ -0,0 +1,64 @@
+{{- if .Values.ingress.element.enabled }}
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: "{{ .Release.Name }}-element-web"
+spec:
+  url: https://ananace.gitlab.io/charts
+  interval: 10m
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: "{{ .Release.Name }}-element-web"
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: "{{ .Release.Name }}-element-web"
+      chart: "element-web"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  values:
+    {{- $serverDomain := .Values.server.host | default .Values.commons.ingress.domain }}
+    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+    {{- $host := .Values.ingress.element.host | default (printf "element.%s" .Values.commons.ingress.domain) }}
+    image:
+      repository: docker.io/vectorim/element-web
+    defaultServer:
+      url: https://{{ $serverHost }}
+      name: {{ $serverDomain }}
+    config:
+      sso_redirect_options:
+        on_welcome_page: true
+    ingress:
+      enabled: true
+      annotations:
+        {{- with .Values.commons.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      hosts:
+        - {{ $host | quote }}
+      {{- if .Values.commons.ingress.tls.enabled }}
+      tls:
+        {{- with .Values.commons.ingress.tls.override }}
+        {{- toYaml . | nindent 8 }}
+        {{- else }}
+        - secretName: "mycloud-matrix-element-cert"
+          hosts:
+            - "{{ $host }}"
+        {{- end }}
+      {{- end }}
+{{- end }}

mycloud-matrix/templates/clients/hydrogen.yaml

@@ -0,0 +1,54 @@
+{{- if .Values.ingress.hydrogen.enabled }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: "{{ .Release.Name }}-hydrogen-web"
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "flux-system"
+      chart: "./hydrogen-web"
+      reconcileStrategy: "Revision"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  values:
+    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+    {{- $host := .Values.ingress.hydrogen.host | default (printf "hydrogen.%s" .Values.commons.ingress.domain) }}
+    hydrogen:
+      defaultHomeServer: {{ $serverHost }}
+    ingress:
+      enabled: true
+      annotations:
+        {{- with .Values.commons.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      hosts:
+        - host: {{ $host | quote }}
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      {{- if .Values.commons.ingress.tls.enabled }}
+      tls:
+        {{- with .Values.commons.ingress.tls.override }}
+        {{- toYaml . | nindent 8 }}
+        {{- else }}
+        - secretName: "mycloud-matrix-element-cert"
+          hosts:
+            - "{{ $host }}"
+        {{- end }}
+      {{- end }}
+{{- end }}

mycloud-matrix/templates/configmap_init_crd.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-init
+  namespace: "{{ .Values.init.namespace }}"
+data:
+  {{- if and
+    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
+    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor")
+  }}
+  init: "-1"
+  {{- else }}
+  init: "{{ add1 .Values.init.version }}"
+  {{- end }}

mycloud-matrix/templates/server/synapse.yaml

@@ -0,0 +1,187 @@
+{{- if (eq .Values.server.software "synapse") }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: "{{ .Release.Name }}-synapse"
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "flux-system"
+      chart: "./matrix-synapse"
+      reconcileStrategy: "Revision"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  values:
+    {{- $domain := .Values.server.host | default .Values.commons.ingress.domain }}
+    {{- $host := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+    serverName: {{ $domain }}
+    publicServerName: {{ $host }}
+    config:
+      enableRegistration: false
+      useStructuredLogging: true
+    extraConfig:
+      use_presence: false
+      enable_search: false
+      dynamic_thumbnails: true
+    extraSecrets:
+      email:
+        smtp_host: {{ .Values.server.mail.host | default .Values.commons.mail.host | quote }}
+        smtp_port: 587
+        {{- if .Values.commons.mail.use_tls }}
+        require_transport_security: true
+        {{- end }}
+        smtp_user: {{ .Values.commons.mail.username | quote }}
+        smtp_pass: {{ .Values.commons.mail.password | quote }}
+        app_name: "{{ .Values.commons.theme.title }}-matrix"
+        # TODO
+        # notif_from: {{ .Values.server.mail.from | default (printf "[%s] %s <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
+        notif_from: {{ .Values.server.mail.from | default .Values.commons.mail.from | quote }}
+      oidc_providers:
+        - idp_id: mycloud
+          idp_name: {{ .Values.commons.theme.title | quote }}
+          discover: true
+          issuer: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-matrix/"
+          client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
+          client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
+          scopes:
+            - "openid"
+            - "profile"
+            - "email"
+          user_mapping_provider:
+            config:
+              {{`
+              localpart_template: "{{ user.preferred_username }}"
+              display_name_template: "{{ user.name|capitalize }}"
+              `}}
+
+    {{- if .Values.server.scaling }}
+    workers:
+      generic_worker:
+        enabled: true
+      federation_reader:
+        enabled: true
+      synchrotron:
+        enabled: true
+      pusher:
+        enabled: true
+      appservice:
+        enabled: true
+      federation_sender:
+        enabled: true
+      media_repository:
+        enabled: true
+      user_dir:
+        enabled: true
+      frontend_proxy:
+        enabled: true
+        csPaths:
+          - "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
+          - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
+    {{- end }}
+
+    synapse:
+      livenessProbe:
+        timeoutSeconds: 2
+        periodSeconds: 15
+      readinessProbe:
+        timeoutSeconds: 2
+        periodSeconds: 15
+      startupProbe:
+        timeoutSeconds: 2
+        periodSeconds: 15
+      resources:
+        requests:
+          cpu: 1
+          memory: "256Mi"
+        limits:
+          memory: "4Gi"
+
+    wellknown:
+      enabled: true
+      resources:
+        requests:
+          cpu: 0.1
+          memory: "64Mi"
+        limits:
+          memory: "256Mi"
+
+    signingkey:
+      resources:
+        requests:
+          cpu: 0.1
+          memory: "64Mi"
+        limits:
+          memory: "256Mi"
+
+
+    ingress:
+      enabled: true
+      annotations:
+        {{- with .Values.commons.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      hosts:
+        - "{{ .Values.commons.ingress.domain }}"
+        - "{{ $host }}"
+      {{- if .Values.commons.ingress.tls.enabled }}
+      tls:
+        {{- with .Values.commons.ingress.tls.override }}
+        {{- toYaml . | nindent 8 }}
+        {{- else }}
+        - secretName: "mycloud-metrix-server-cert"
+          hosts:
+            - "{{ .Values.commons.ingress.domain }}"
+            - "{{ $host }}"
+        {{- end }}
+      {{- end }}
+
+    persistence:
+      enabled: true
+      size: {{ .Values.persistence.size }}
+      {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
+      storageClass: {{ . }}
+      {{- end }}
+      {{- if .Values.commons.persistence.hostPath.enabled }}
+      hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/matrix/synapse"
+      {{- end }}
+
+    postgresql:
+      enabled: false
+    externalPostgresql:
+      host: {{ .Values.databases.server.host | quote }}
+      username: {{ .Values.databases.server.username | quote }}
+      password: {{ .Values.databases.server.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-synapse" "database_password") | quote }}
+      database: {{ .Values.databases.server.name | quote }}
+
+    prometheus:
+      podmonitor:
+        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
+        labels:
+          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
+      rules:
+        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
+        labels:
+          {{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
+
+    grafana:
+      dashboards:
+        enabled: true
+        labels:
+          {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
+        annotations:
+          {{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }}
+{{- end }}{{/* end-if .software == synapse */}}

mycloud-matrix/values.yaml

@@ -0,0 +1,101 @@
+init:
+  version: 0
+  namespace: "bases"
+
+commons:
+  masterPassword: "CHANGEME"
+
+  auth:
+    # -- default auth.(.Values.commons.ingress.domain)
+    host:
+
+  theme:
+    title: myCloud
+    logo: /static/dist/assets/icons/icon_left_brand.svg
+    favicon: /static/dist/assets/icons/icon.png
+
+  mail:
+    host:
+    username:
+    password:
+    from:
+    use_tls: false
+    use_ssl: false
+
+  persistence:
+    storageClass:
+    hostPath:
+      enabled: false
+      prefix: "/var/lib/mycloud"
+
+  helm:
+    release:
+      install: {}
+      test: {}
+      upgrade: {}
+      driftDetection: {}
+
+  ingress:
+    domain: "wrenix.eu"
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls:
+      # -- tls on every ingress
+      enabled: true
+      # -- use own definition of tls (e.g. for own or wildcard certificate)
+      override:
+
+  prometheus:
+    monitor:
+      labels: {}
+    rules:
+      labels: {}
+
+server:
+  # -- default: (commons.ingress.domain)
+  host:
+  software: "synapse"
+  scaling: false
+
+  auth:
+    # -- generated by .commons.masterPassword
+    clientID:
+    # -- generated by .commons.masterPassword
+    clientSecret:
+    # -- default: element.(.commons.ingress.domain)
+    webClient:
+
+  mail:
+    # -- generade by .commons.mail.from
+    from:
+    # -- default .commons.mail.host
+    host:
+
+ingress:
+  server:
+    # -- default: matrix.(.commons.ingress.domain)
+    host:
+    annotations:
+  element:
+    enabled: true
+    # -- default: element.(.commons.ingress.domain)
+    host:
+    annotations:
+  hydrogen:
+    enabled: false
+    # -- default: hydrogen.(.commons.ingress.domain)
+    host:
+    annotations:
+
+databases:
+  server:
+    # -- default is from mysql-services
+    host: mycloud-services-postgresql
+    name: matrix-synapse
+    username: matrix-synapse
+    # -- generated by .commons.masterPassword (equal to mycloud-services)
+    password:
+
+persistence:
+  storageClass:
+  size: 16Gi