diff --git a/base-values/mycloud-matrix.yaml b/base-values/mycloud-matrix.yaml
new file mode 100644
index 0000000..1b551c2
--- /dev/null
+++ b/base-values/mycloud-matrix.yaml
@@ -0,0 +1,18 @@
+##
+# commons are from mycloud-core
+##
+
+components:
+ mycloud-services:
+ # patch mycloud-core to get another database
+ values:
+ databases:
+ matrix-synapse:
+ type: postgresql
+ additionalParams: "LC_COLLATE='C' LC_CTYPE='C' ENCODING=UTF8 TEMPLATE=template0"
+
+ mycloud-matrix:
+ enabled: true
+ namespace:
+ # current namespace
+ name:
diff --git a/docs/modules/components/nav.adoc b/docs/modules/components/nav.adoc
index 058a894..8146755 100644
--- a/docs/modules/components/nav.adoc
+++ b/docs/modules/components/nav.adoc
@@ -8,5 +8,6 @@
 ** xref:mycloud-authentik.adoc[mycloud-authentik]
 ** xref:mycloud-collabora.adoc[mycloud-collabora]
 ** xref:mycloud-gotosocial.adoc[mycloud-gotosocial]
+** xref:mycloud-matrix.adoc[mycloud-matrix]
 ** xref:mycloud-nextcloud.adoc[mycloud-nextcloud]
 ** xref:mycloud-services.adoc[mycloud-services]
diff --git a/docs/modules/components/pages/mycloud-matrix.adoc b/docs/modules/components/pages/mycloud-matrix.adoc
new file mode 120000
index 0000000..0c134a4
--- /dev/null
+++ b/docs/modules/components/pages/mycloud-matrix.adoc
@@ -0,0 +1 @@
+../../../../mycloud-matrix/README.adoc
\ No newline at end of file
diff --git a/docs/modules/mycloud/pages/partial-list-components.adoc b/docs/modules/mycloud/pages/partial-list-components.adoc
index c5d80fe..43d35df 100644
--- a/docs/modules/mycloud/pages/partial-list-components.adoc
+++ b/docs/modules/mycloud/pages/partial-list-components.adoc
@@ -2,5 +2,6 @@
 * xref:components:mycloud-authentik.adoc[mycloud-authentik]
 * xref:components:mycloud-collabora.adoc[mycloud-collabora]
 * xref:components:mycloud-gotosocial.adoc[mycloud-gotosocial]
+* xref:components:mycloud-matrix.adoc[mycloud-matrix]
 * xref:components:mycloud-nextcloud.adoc[mycloud-nextcloud]
 * xref:components:mycloud-services.adoc[mycloud-services]
diff --git a/mycloud-matrix/.helmignore b/mycloud-matrix/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/mycloud-matrix/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/mycloud-matrix/Chart.yaml b/mycloud-matrix/Chart.yaml
new file mode 100644
index 0000000..2789d16
--- /dev/null
+++ b/mycloud-matrix/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: mycloud-matrix
+description: myCloud component to setup matrix
+type: application
+maintainers:
+ - name: WrenIX
+ url: https://wrenix.eu
+
+version: 0.1.0
diff --git a/mycloud-matrix/README.adoc b/mycloud-matrix/README.adoc
new file mode 100644
index 0000000..354308c
--- /dev/null
+++ b/mycloud-matrix/README.adoc
@@ -0,0 +1,255 @@ + + += mycloud-matrix + +image::https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square[Version: 0.1.0] +image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application] +== Maintainers + +.Maintainers +|=== +| Name | Email | Url + +| WrenIX +| +| +|=== + +== Values + +.Values +|=== +| Key | Type | Default | Description + +| commons.auth.host +| string +| `nil` +| default auth.(.Values.commons.ingress.domain) + +| commons.helm.release.driftDetection +| object +| `{}` +| + +| commons.helm.release.install +| object +| `{}` +| + +| commons.helm.release.test +| object +| `{}` +| + +| commons.helm.release.upgrade +| object +| `{}` +| + +| commons.ingress.annotations."cert-manager.io/cluster-issuer" +| string +| `"letsencrypt-prod"` +| + +| commons.ingress.domain +| string +| `"wrenix.eu"` +| + +| commons.ingress.tls.enabled +| bool +| `true` +| tls on every ingress + +| commons.ingress.tls.override +| string +| `nil` +| use own definition of tls (e.g. 
for own or wildcard certificate) + +| commons.mail.from +| string +| `nil` +| + +| commons.mail.host +| string +| `nil` +| + +| commons.mail.password +| string +| `nil` +| + +| commons.mail.use_ssl +| bool +| `false` +| + +| commons.mail.use_tls +| bool +| `false` +| + +| commons.mail.username +| string +| `nil` +| + +| commons.masterPassword +| string +| `"CHANGEME"` +| + +| commons.persistence.hostPath.enabled +| bool +| `false` +| + +| commons.persistence.hostPath.prefix +| string +| `"/var/lib/mycloud"` +| + +| commons.persistence.storageClass +| string +| `nil` +| + +| commons.prometheus.monitor.labels +| object +| `{}` +| + +| commons.prometheus.rules.labels +| object +| `{}` +| + +| commons.theme.favicon +| string +| `"/static/dist/assets/icons/icon.png"` +| + +| commons.theme.logo +| string +| `"/static/dist/assets/icons/icon_left_brand.svg"` +| + +| commons.theme.title +| string +| `"myCloud"` +| + +| databases.server.host +| string +| `"mycloud-services-postgresql"` +| default is from mysql-services + +| databases.server.name +| string +| `"matrix-synapse"` +| + +| databases.server.password +| string +| `nil` +| generated by .commons.masterPassword (equal to mycloud-services) + +| databases.server.username +| string +| `"matrix-synapse"` +| + +| ingress.element.annotations +| string +| `nil` +| + +| ingress.element.enabled +| bool +| `true` +| + +| ingress.element.host +| string +| `nil` +| default: element.(.commons.ingress.domain) + +| ingress.hydrogen.annotations +| string +| `nil` +| + +| ingress.hydrogen.enabled +| bool +| `false` +| + +| ingress.hydrogen.host +| string +| `nil` +| default: hydrogen.(.commons.ingress.domain) + +| ingress.server.annotations +| string +| `nil` +| + +| ingress.server.host +| string +| `nil` +| default: matrix.(.commons.ingress.domain) + +| init.namespace +| string +| `"bases"` +| + +| init.version +| int +| `0` +| + +| persistence.size +| string +| `"16Gi"` +| + +| persistence.storageClass +| string +| `nil` +| + +| 
server.auth.clientID +| string +| `nil` +| generated by .commons.masterPassword + +| server.auth.clientSecret +| string +| `nil` +| generated by .commons.masterPassword + +| server.host +| string +| `nil` +| default: (commons.ingress.domain) + +| server.mail.from +| string +| `nil` +| generade by .commons.mail.from + +| server.mail.host +| string +| `nil` +| default .commons.mail.host + +| server.software +| string +| `"synapse"` +| +|=== + +Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs] diff --git a/mycloud-matrix/templates/authentik-application.yaml b/mycloud-matrix/templates/authentik-application.yaml new file mode 100644 index 0000000..41d409e --- /dev/null +++ b/mycloud-matrix/templates/authentik-application.yaml 
@@ -0,0 +1,57 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: {{ .Release.Name }}-auth
+spec:
+ chart:
+ spec:
+ sourceRef:
+ kind: GitRepository
+ name: "wrenix-helm-charts"
+ namespace: "flux-system"
+ chart: "./authentik-application"
+ reconcileStrategy: "Revision"
+ install:
+ {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+ test:
+ {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+ upgrade:
+ {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+ driftDetection:
+ {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+ interval: 10m
+ values:
+ {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+ {{- $clientHost := .Values.server.auth.webClient | default (printf "element.%s" .Values.commons.ingress.domain) }}
+ blueprint:
+ authentik:
+ domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
+ provider:
+ type: "oidc"
+ name: "Matrix"
+ oidc:
+ clientType: "confidential"
+ redirectURL: "https://{{ $serverHost }}/_synapse/client/oidc/callback"
+ clientID: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
+ clientSecret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
+ signingKey: "authentik Self-signed Certificate"
+ scopes:
+ - name: "authentik default OAuth Mapping: OpenID 'openid'"
+ - name: "authentik default OAuth Mapping: OpenID 'email'"
+ - name: "authentik default OAuth Mapping: OpenID 'profile'"
+
+ groups:
+ - slug: "mycloud - users"
+ bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
+
+ application:
+ policyEngineMode: "any"
+ openInNewTab: true
+ publisher: "WrenIX's myCloud"
+ slug: "mycloud-matrix"
+ group: "Chat"
+ name: "Matrix"
+ launchURL: "https://{{ $clientHost }}/"
+ icon: "https://{{ $clientHost }}/themes/element/img/logos/element-logo.svg"
+ description: "Matrix is an open standard and communication protocol for real-time communication. It aims to make real-time communication work seamlessly between different service providers."
diff --git a/mycloud-matrix/templates/clients/element.yaml b/mycloud-matrix/templates/clients/element.yaml
new file mode 100644
index 0000000..e2407c1
--- /dev/null
+++ b/mycloud-matrix/templates/clients/element.yaml
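Review bot: `$clientHost` falls back from `.Values.server.auth.webClient`, while the Element client template derives its ingress host from `.Values.ingress.element.host`, so an operator who overrides only `ingress.element.host` gets a launchURL and icon that still point at the default `element.<domain>`; `{{- $clientHost := .Values.server.auth.webClient | default .Values.ingress.element.host | default (printf "element.%s" .Values.commons.ingress.domain) }}` keeps the two templates in step. The derived clientSecret is also rendered straight into the HelmRelease `spec.values`, which is a plain (non-Secret) object that anyone able to read HelmReleases can see; Flux's `valuesFrom` with a Secret reference would keep it out of the release spec. The same concern applies to client_secret, smtp_pass and the database password rendered in templates/server/synapse.yaml.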
@@ -0,0 +1,64 @@
+{{- if .Values.ingress.element.enabled }}
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: "{{ .Release.Name }}-element-web"
+spec:
+ url: https://ananace.gitlab.io/charts
+ interval: 10m
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: "{{ .Release.Name }}-element-web"
+spec:
+ chart:
+ spec:
+ sourceRef:
+ kind: HelmRepository
+ name: "{{ .Release.Name }}-element-web"
+ chart: "element-web"
+ install:
+ {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+ test:
+ {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+ upgrade:
+ {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+ driftDetection:
+ {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+ interval: 10m
+ values:
+ {{- $serverDomain := .Values.server.host | default .Values.commons.ingress.domain }}
+ {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+ {{- $host := .Values.ingress.element.host | default (printf "element.%s" .Values.commons.ingress.domain) }}
+ image:
+ repository: docker.io/vectorim/element-web
+ defaultServer:
+ url: https://{{ $serverHost }}
+ name: {{ $serverDomain }}
+ config:
+ sso_redirect_options:
+ on_welcome_page: true
+ ingress:
+ enabled: true
+ annotations:
+ {{- with .Values.commons.ingress.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ hosts:
+ - {{ $host | quote }}
+ {{- if .Values.commons.ingress.tls.enabled }}
+ tls:
+ {{- with .Values.commons.ingress.tls.override }}
+ {{- toYaml . | nindent 8 }}
+ {{- else }}
+ - secretName: "mycloud-matrix-element-cert"
+ hosts:
+ - "{{ $host }}"
+ {{- end }}
+ {{- end }}
+{{- end }}
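Review bot: `{{- with .Values.ingress.annotations }}` can never match: values.yaml declares `ingress.element.annotations` (with `ingress.server.annotations` and `ingress.hydrogen.annotations` as siblings) and no top-level `ingress.annotations`, so per-client annotations an operator sets are silently dropped; the lookup should be `{{- with .Values.ingress.element.annotations }}`. The same mismatched lookup is repeated in templates/clients/hydrogen.yaml (expected `ingress.hydrogen.annotations`) and templates/server/synapse.yaml (expected `ingress.server.annotations`). As a point of style, `name: {{ $serverDomain }}` and `url: https://{{ $serverHost }}` are emitted bare while `hosts` a few lines below uses `| quote`; quoting both keeps the rendered values from ever being reinterpreted as YAML scalars.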
diff --git a/mycloud-matrix/templates/clients/hydrogen.yaml b/mycloud-matrix/templates/clients/hydrogen.yaml
new file mode 100644
index 0000000..a3fbf50
--- /dev/null
+++ b/mycloud-matrix/templates/clients/hydrogen.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.ingress.hydrogen.enabled }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: "{{ .Release.Name }}-hydrogen-web"
+spec:
+ chart:
+ spec:
+ sourceRef:
+ kind: GitRepository
+ name: "wrenix-helm-charts"
+ namespace: "flux-system"
+ chart: "./hydrogen-web"
+ reconcileStrategy: "Revision"
+ install:
+ {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+ test:
+ {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+ upgrade:
+ {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+ driftDetection:
+ {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+ interval: 10m
+ values:
+ {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+ {{- $host := .Values.ingress.hydrogen.host | default (printf "hydrogen.%s" .Values.commons.ingress.domain) }}
+ hydrogen:
+ defaultHomeServer: {{ $serverHost }}
+ ingress:
+ enabled: true
+ annotations:
+ {{- with .Values.commons.ingress.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ hosts:
+ - host: {{ $host | quote }}
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ {{- if .Values.commons.ingress.tls.enabled }}
+ tls:
+ {{- with .Values.commons.ingress.tls.override }}
+ {{- toYaml . | nindent 8 }}
+ {{- else }}
+ - secretName: "mycloud-matrix-element-cert"
+ hosts:
+ - "{{ $host }}"
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/mycloud-matrix/templates/configmap_init_crd.yaml b/mycloud-matrix/templates/configmap_init_crd.yaml
new file mode 100644
index 0000000..a70688e
--- /dev/null
+++ b/mycloud-matrix/templates/configmap_init_crd.yaml
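Review bot: `secretName: "mycloud-matrix-element-cert"` in the tls block reuses the exact TLS secret name of the Element client release; when both clients are enabled in the same namespace, two ingresses with different hosts contend for one cert-manager-managed Secret and one host's certificate overwrites the other's, yielding hostname mismatches on whichever client lost. A distinct name such as `- secretName: "mycloud-matrix-hydrogen-cert"` avoids the collision. Separately, `defaultHomeServer: {{ $serverHost }}` hands the hydrogen-web chart a bare hostname while the Element release passes `https://{{ $serverHost }}`; presumably the hydrogen-web chart adds the scheme itself, but that is worth confirming before release.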
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-init
+ namespace: "{{ .Values.init.namespace }}"
+data:
+ {{- if and
+ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
+ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor")
+ }}
+ init: "-1"
+ {{- else }}
+ init: "{{ add1 .Values.init.version }}"
+ {{- end }}
diff --git a/mycloud-matrix/templates/server/synapse.yaml b/mycloud-matrix/templates/server/synapse.yaml
new file mode 100644
index 0000000..f7a15e1
--- /dev/null
+++ b/mycloud-matrix/templates/server/synapse.yaml
@@ -0,0 +1,187 @@
+{{- if (eq .Values.server.software "synapse") }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: "{{ .Release.Name }}-synapse"
+spec:
+ chart:
+ spec:
+ sourceRef:
+ kind: GitRepository
+ name: "wrenix-helm-charts"
+ namespace: "flux-system"
+ chart: "./matrix-synapse"
+ reconcileStrategy: "Revision"
+ install:
+ {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+ test:
+ {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+ upgrade:
+ {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+ driftDetection:
+ {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+ interval: 10m
+ values:
+ {{- $domain := .Values.server.host | default .Values.commons.ingress.domain }}
+ {{- $host := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+ serverName: {{ $domain }}
+ publicServerName: {{ $host }}
+ config:
+ enableRegistration: false
+ useStructuredLogging: true
+ extraConfig:
+ use_presence: false
+ enable_search: false
+ dynamic_thumbnails: true
+ extraSecrets:
+ email:
+ smtp_host: {{ .Values.server.mail.host | default .Values.commons.mail.host | quote }}
+ smtp_port: 587
+ {{- if .Values.commons.mail.use_tls }}
+ require_transport_security: true
+ {{- end }}
+ smtp_user: {{ .Values.commons.mail.username | quote }}
+ smtp_pass: {{ .Values.commons.mail.password | quote }}
+ app_name: "{{ .Values.commons.theme.title }}-matrix"
+ # TODO
+ # notif_from: {{ .Values.server.mail.from | default (printf "[%s] %s <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
+ notif_from: {{ .Values.server.mail.from | default .Values.commons.mail.from | quote }}
+ oidc_providers:
+ - idp_id: mycloud
+ idp_name: {{ .Values.commons.theme.title | quote }}
+ discover: true
+ issuer: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-matrix/"
+ client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
+ client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
+ scopes:
+ - "openid"
+ - "profile"
+ - "email"
+ user_mapping_provider:
+ config:
+ {{`
+ localpart_template: "{{ user.preferred_username }}"
+ display_name_template: "{{ user.name|capitalize }}"
+ `}}
+
+ {{- if .Values.server.scaling }}
+ workers:
+ generic_worker:
+ enabled: true
+ federation_reader:
+ enabled: true
+ synchrotron:
+ enabled: true
+ pusher:
+ enabled: true
+ appservice:
+ enabled: true
+ federation_sender:
+ enabled: true
+ media_repository:
+ enabled: true
+ user_dir:
+ enabled: true
+ frontend_proxy:
+ enabled: true
+ csPaths:
+ - "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
+ - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
+ {{- end }}
+
+ synapse:
+ livenessProbe:
+ timeoutSeconds: 2
+ periodSeconds: 15
+ readinessProbe:
+ timeoutSeconds: 2
+ periodSeconds: 15
+ startupProbe:
+ timeoutSeconds: 2
+ periodSeconds: 15
+ resources:
+ requests:
+ cpu: 1
+ memory: "256Mi"
+ limits:
+ memory: "4Gi"
+
+ wellknown:
+ enabled: true
+ resources:
+ requests:
+ cpu: 0.1
+ memory: "64Mi"
+ limits:
+ memory: "256Mi"
+
+ signingkey:
+ resources:
+ requests:
+ cpu: 0.1
+ memory: "64Mi"
+ limits:
+ memory: "256Mi"
+
+
+ ingress:
+ enabled: true
+ annotations:
+ {{- with .Values.commons.ingress.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ hosts:
+ - "{{ .Values.commons.ingress.domain }}"
+ - "{{ $host }}"
+ {{- if .Values.commons.ingress.tls.enabled }}
+ tls:
+ {{- with .Values.commons.ingress.tls.override }}
+ {{- toYaml . | nindent 8 }}
+ {{- else }}
+ - secretName: "mycloud-metrix-server-cert"
+ hosts:
+ - "{{ .Values.commons.ingress.domain }}"
+ - "{{ $host }}"
+ {{- end }}
+ {{- end }}
+
+ persistence:
+ enabled: true
+ size: {{ .Values.persistence.size }}
+ {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
+ storageClass: {{ . }}
+ {{- end }}
+ {{- if .Values.commons.persistence.hostPath.enabled }}
+ hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/matrix/synapse"
+ {{- end }}
+
+ postgresql:
+ enabled: false
+ externalPostgresql:
+ host: {{ .Values.databases.server.host | quote }}
+ username: {{ .Values.databases.server.username | quote }}
+ password: {{ .Values.databases.server.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-synapse" "database_password") | quote }}
+ database: {{ .Values.databases.server.name | quote }}
+
+ prometheus:
+ podmonitor:
+ enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
+ labels:
+ {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
+ rules:
+ enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
+ labels:
+ {{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
+
+ grafana:
+ dashboards:
+ enabled: true
+ labels:
+ {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
+ annotations:
+ {{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }}
+{{- end }}{{/* end-if .software == synapse */}}
diff --git a/mycloud-matrix/values.yaml b/mycloud-matrix/values.yaml
new file mode 100644
index 0000000..c8690c0
--- /dev/null
+++ b/mycloud-matrix/values.yaml
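Review bot: `{{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}` (and the `annotations` line after it) dereferences `commons.grafana`, which neither this chart's values.yaml nor its README declares; unless the parent chart always injects that key, rendering fails with Helm's nil-pointer error on `.dashboards`. Declaring `grafana: {dashboards: {labels: {}, annotations: {}}}` under `commons` in values.yaml, or wrapping the block in `{{- with .Values.commons.grafana }}`, makes the chart render on its own defaults. `secretName: "mycloud-metrix-server-cert"` looks like a typo for `matrix`; it works, but it breaks the `mycloud-matrix-*` naming the client certificates use. `smtp_port: 587` is hard-coded and `commons.mail.use_ssl` is never read here, so a relay that only offers implicit TLS on 465 cannot be expressed through the values this chart declares.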
@@ -0,0 +1,101 @@
+init:
+ version: 0
+ namespace: "bases"
+
+commons:
+ masterPassword: "CHANGEME"
+
+ auth:
+ # -- default auth.(.Values.commons.ingress.domain)
+ host:
+
+ theme:
+ title: myCloud
+ logo: /static/dist/assets/icons/icon_left_brand.svg
+ favicon: /static/dist/assets/icons/icon.png
+
+ mail:
+ host:
+ username:
+ password:
+ from:
+ use_tls: false
+ use_ssl: false
+
+ persistence:
+ storageClass:
+ hostPath:
+ enabled: false
+ prefix: "/var/lib/mycloud"
+
+ helm:
+ release:
+ install: {}
+ test: {}
+ upgrade: {}
+ driftDetection: {}
+
+ ingress:
+ domain: "wrenix.eu"
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ tls:
+ # -- tls on every ingress
+ enabled: true
+ # -- use own definition of tls (e.g. for own or wildcard certificate)
+ override:
+
+ prometheus:
+ monitor:
+ labels: {}
+ rules:
+ labels: {}
+
+server:
+ # -- default: (commons.ingress.domain)
+ host:
+ software: "synapse"
+ scaling: false
+
+ auth:
+ # -- generated by .commons.masterPassword
+ clientID:
+ # -- generated by .commons.masterPassword
+ clientSecret:
+ # -- default: element.(.commons.ingress.domain)
+ webClient:
+
+ mail:
+ # -- generade by .commons.mail.from
+ from:
+ # -- default .commons.mail.host
+ host:
+
+ingress:
+ server:
+ # -- default: matrix.(.commons.ingress.domain)
+ host:
+ annotations:
+ element:
+ enabled: true
+ # -- default: element.(.commons.ingress.domain)
+ host:
+ annotations:
+ hydrogen:
+ enabled: false
+ # -- default: hydrogen.(.commons.ingress.domain)
+ host:
+ annotations:
+
+databases:
+ server:
+ # -- default is from mysql-services
+ host: mycloud-services-postgresql
+ name: matrix-synapse
+ username: matrix-synapse
+ # -- generated by .commons.masterPassword (equal to mycloud-services)
+ password:
+
+persistence:
+ storageClass:
+ size: 16Gi
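Review bot: `masterPassword: "CHANGEME"` is a live default, and every credential this chart derives with derivePassword (the OIDC clientID/clientSecret in templates/authentik-application.yaml and templates/server/synapse.yaml, the Synapse database password) is a pure function of it, so a deployment that forgets to override it runs with secrets anyone who reads this repository can recompute. Shipping the key with no value and guarding the derivation sites with `{{ required "commons.masterPassword must be set" .Values.commons.masterPassword }}` turns that into a render-time failure instead of a silent weak deployment. The helm-docs comment `# -- generade by .commons.mail.from` carries a typo that propagates into the generated README; `# -- generated by .commons.mail.from` fixes both.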