diff --git a/apps/files/README.md b/apps/files/README.md
new file mode 100644
index 0000000..641143c
--- /dev/null
+++ b/apps/files/README.md
@@ -0,0 +1,8 @@
+# File sync
+
+My personal cross-platform filesync. Using syncthing for my android and linux clients. And nextcloud for my ios clients.
+
+
+## Overview
+Both services share a common persistence which allows them to apply each their own logic for synching to other devices. The server acts as a relay.
+
diff --git a/apps/files/kustomization.yaml b/apps/files/kustomization.yaml
new file mode 100644
index 0000000..5919c98
--- /dev/null
+++ b/apps/files/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: files
+
+resources:
+ - namespace.yaml
+ - pvc.yaml
+
+ - syncthing/
+ - nextcloud/
diff --git a/apps/files/namespace.yaml b/apps/files/namespace.yaml
new file mode 100644
index 0000000..0a074bd
--- /dev/null
+++ b/apps/files/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: placeholder
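Review bot: The Namespace carries no Pod Security Admission labels, so nothing in this namespace stops a pod from running privileged, host-network or as root beyond what the images themselves do. Consider `labels: {pod-security.kubernetes.io/enforce: baseline, pod-security.kubernetes.io/warn: restricted}` under `metadata` — `baseline` rather than `restricted` because the nextcloud and syncthing images appear to start as root, which `restricted` would reject; verify against the running pods before enforcing. `name: placeholder` is fine because the parent kustomization's `namespace: files` rewrites it, but a one-line comment saying so (`# overridden by the namespace: field in ../kustomization.yaml`) would save the next reader a search.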
diff --git a/apps/files/nextcloud/ingress.yaml b/apps/files/nextcloud/ingress.yaml
new file mode 100644
index 0000000..5ef0d35
--- /dev/null
+++ b/apps/files/nextcloud/ingress.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: nextcloud-ingress
+
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`nextcloud2.kluster.moll.re`)
+ kind: Rule
+ services:
+ - name: nextcloud
+ port: 8080
+ tls:
+ certResolver: default-tls
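Review bot: `traefik.containo.us/v1alpha1` is the legacy CRD group; Traefik 2.10+ serves the same kinds under `traefik.io/v1alpha1` and Traefik 3 drops the old group entirely, so a new manifest should use `apiVersion: traefik.io/v1alpha1` (confirm the installed Traefik version first). The route also adds no response-security headers; Nextcloud's admin security check expects HSTS to come from the TLS-terminating proxy, so if that warning appears, attach a `headers` Middleware with `stsSeconds` via `routes[].middlewares` rather than trying to set it inside the container.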
diff --git a/apps/files/nextcloud/kustomization.yaml b/apps/files/nextcloud/kustomization.yaml
new file mode 100644
index 0000000..aa712e4
--- /dev/null
+++ b/apps/files/nextcloud/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - pvc.yaml
+ - ingress.yaml
+ - postgres.yaml
+ - postgres-credentials.sealedsecret.yaml
+
+helmCharts:
+ - name: nextcloud
+ releaseName: nextcloud
+ version: 4.5.5
+ valuesFile: values.yaml
+ repo: https://nextcloud.github.io/helm/
diff --git a/apps/files/nextcloud/postgres-credentials.sealedsecret.yaml b/apps/files/nextcloud/postgres-credentials.sealedsecret.yaml
new file mode 100644
index 0000000..9f41cd5
--- /dev/null
+++ b/apps/files/nextcloud/postgres-credentials.sealedsecret.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: postgres-credentials
+ namespace: files
+spec:
+ encryptedData:
+ database: AgBOgmqlfgiN2VqxNyYL6O+/jdzPmGg97zOXxZ7KiD07b4/2FdmlWgOZZp7oUpQ9RMV0WybC0jau2YVlgXB32afgJ3uinaAAhzZwvzy8dgapNpe8ClxnFINRhKKC9kxK7YeDwtptbDQn7YtEmVGHI66/71VyGy7NME4Pk0Y4FxxpF6KAZMAHNyez4JMa9V+XFtYV5G5bOkPY/ku4LcYntiMAlEaArF+re1m5nLQmZ4SVkWlOc41N4Hv1HrCv8qq2kj7zVR5/J2qW8NlzmdJJqv1AP1foELuITZZKxwNspxynNxhjXTX0fP6vzfJpxtzb2s/4Yh2uT/UPb2rOdcGaXjjHKxjSX23tG5ZT+z5lt0y9UEmUYytlcsYv9vsRqCmeFsB63S7aABeCRSOJyGLsuUc7xqSZ2ijDG38qLij+JPgoEIbSLfRYVGE5GMo9EbHt4N+ZIMpJYQXq0VhDip/r11SENfUa3XoautQ5uVR1D50FuSrN16t24bQXai9uifkBpDyvqbiqgv7s3qOjF9u8I0eyeJA0ZO1JO174B9SO3IcZYys8c87fSuWvFbGepLNqfneSIx93klDUdx3YEjqcrqib49+3/dn3RO9/puyhJ6O0TEZneToyauV3lxpR+XG/PDx7EQ88lELgD/AmtulsLHkYNgpoblFPbgDUeHhOgoBRAe22Hiy0Co4eh0SPVPyKhj8MyYhPtLEV+UY=
+ password: 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
+ username: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: postgres-credentials
+ namespace: files
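Review bot: The `template` sets no `type`, so the unsealed Secret is created as `Opaque`, whereas CloudNativePG documents the `bootstrap.initdb.secret` owner credentials as a `kubernetes.io/basic-auth` Secret with `username` and `password` keys. Add `type: kubernetes.io/basic-auth` under `spec.template` — the type is plaintext metadata, so no re-sealing is needed — and confirm against the CNPG version in use, since older releases were lenient about the type. The extra `database` key is harmless to CNPG but duplicates what `postgres.yaml` already declares under `initdb.database`, so one of the two is redundant.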
diff --git a/apps/files/nextcloud/postgres.yaml b/apps/files/nextcloud/postgres.yaml
new file mode 100644
index 0000000..d6669fe
--- /dev/null
+++ b/apps/files/nextcloud/postgres.yaml
@@ -0,0 +1,20 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: nextcloud-postgres
+spec:
+ instances: 1
+ imageName: ghcr.io/cloudnative-pg/postgresql:16
+ bootstrap:
+ initdb:
+ owner: nextcloud
+ database: nextcloud
+ secret:
+ name: postgres-credentials
+
+ storage:
+ size: 1Gi
+ storageClass: nfs-client
+
+ monitoring:
+ enablePodMonitor: true
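Review bot: `imageName: ghcr.io/cloudnative-pg/postgresql:16` floats on the major tag, so any pod restart or operator reconcile can pull a different minor release than the one last tested; pin a full `16.<minor>` tag (better, a `@sha256:` digest) and bump it deliberately. There is also no `backup` section, so this single-instance cluster has no recovery path other than the `nfs-client` volume itself, and CNPG advises against NFS for PGDATA because fsync and locking semantics depend on the export's mount options — confirm those before relying on it. `enablePodMonitor: true` is only useful if the Prometheus operator watches the `files` namespace.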
diff --git a/apps/files/nextcloud/pvc.yaml b/apps/files/nextcloud/pvc.yaml
new file mode 100644
index 0000000..451e3db
--- /dev/null
+++ b/apps/files/nextcloud/pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: nextcloud-config
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/apps/files/nextcloud/values.yaml b/apps/files/nextcloud/values.yaml
new file mode 100644
index 0000000..2d2412c
--- /dev/null
+++ b/apps/files/nextcloud/values.yaml
@@ -0,0 +1,155 @@
+## Official nextcloud image version
+## ref: https://hub.docker.com/r/library/nextcloud/tags/
+
+ingress:
+ enabled: false
+
+
+nextcloud:
+ host: nextcloud2.kluster.moll.re
+ username: admin
+ password: changeme
+ ## Use an existing secret
+ existingSecret:
+ enabled: false
+ update: 0
+ # If web server is not binding default port, you can define it
+ # containerPort: 8080
+ datadir: /var/www/html/data
+ persistence:
+ subPath:
+ mail:
+ enabled: false
+ # PHP Configuration files
+ # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
+ phpConfigs: {}
+ # Default config files
+ # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
+ # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/16.0/apache/config
+ defaultConfigs:
+ # To protect /var/www/html/config
+ .htaccess: true
+ # Redis default configuration
+ redis.config.php: true
+ # Apache configuration for rewrite urls
+ apache-pretty-urls.config.php: true
+ # Define APCu as local cache
+ apcu.config.php: true
+ # Apps directory configs
+ apps.config.php: true
+ # Used for auto configure database
+ autoconfig.php: true
+ # SMTP default configuration
+ smtp.config.php: true
+
+
+ extraVolumes:
+ - name: files-nfs
+ persistentVolumeClaim:
+ claimName: files-nfs
+
+ extraVolumeMounts:
+ - name: files-nfs
+ mountPath: /files
+
+
+ # Extra config files created in /var/www/html/config/
+ # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
+ # configs:
+ # config.php: |-
+
+ # For example, to use S3 as primary storage
+ # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
+ #
+ # configs:
+ # s3.config.php: |-
+ # array(
+ # 'class' => '\\OC\\Files\\ObjectStore\\S3',
+ # 'arguments' => array(
+ # 'bucket' => 'my-bucket',
+ # 'autocreate' => true,
+ # 'key' => 'xxx',
+ # 'secret' => 'xxx',
+ # 'region' => 'us-east-1',
+ # 'use_ssl' => true
+ # )
+ # )
+ # );
+
+nginx:
+ ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
+ enabled: false
+
+internalDatabase:
+ enabled: false
+
+##
+## External database configuration
+##
+externalDatabase:
+ enabled: true
+ type: postgresql
+ host: nextcloud-postgres-rw
+
+ database: nextcloud
+ existingSecret:
+ enabled: true
+ secretName: postgres-credentials
+ usernameKey: username
+ passwordKey: password
+
+
+mariadb:
+ enabled: false
+postgresql:
+ enabled: false
+redis:
+ enabled: false
+
+
+cronjob:
+ enabled: false
+
+persistence:
+ # Nextcloud Data (/var/www/html)
+ enabled: true
+ annotations: {}
+
+ ## If defined, PVC must be created manually before volume will be bound
+ existingClaim: nextcloud-config
+
+ ## Use an additional pvc for the data directory rather than a subpath of the default PVC
+ ## Useful to store data on a different storageClass (e.g. on slower disks)
+ nextcloudData:
+ enabled: false
+
+
+resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ limits:
+ cpu: 2000m
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+livenessProbe:
+ enabled: false
+ # disable when upgrading from a previous chart version
+
+hpa:
+ enabled: false
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+ enabled: false
+
+
+rbac:
+ enabled: false
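Review bot: `nextcloud.username: admin` / `password: changeme` are committed in plaintext while `existingSecret.enabled: false`, so the chart renders these into the admin Secret and they remain in git history — this repo already seals the Postgres credentials, so seal an `nextcloud-admin` Secret the same way, point `existingSecret` at it and drop the two plaintext keys. The chart only consumes the admin credentials on first install, so if the instance is already initialised the password must also be rotated inside Nextcloud. Separately, Nextcloud is reached only through Traefik's TLS termination, yet no `configs` entry sets `'overwriteprotocol' => 'https'` and `'trusted_proxies'`; without them generated links may be `http://` and the built-in brute-force protection keys on the proxy's IP rather than the client's. `livenessProbe.enabled: false` is annotated as an upgrade workaround, but this is a fresh install, so the probe can stay enabled.
```yaml
nextcloud:
  host: nextcloud2.kluster.moll.re
  # Admin credentials come from a (sealed) Secret, never from this file.
  existingSecret:
    enabled: true
    secretName: nextcloud-admin
    usernameKey: username
    passwordKey: password
  # … unchanged: update, datadir, persistence, mail, phpConfigs, defaultConfigs, extraVolumes …
  # Tell Nextcloud it sits behind a TLS-terminating reverse proxy.
  configs:
    proxy.config.php: |-
      <?php
      $CONFIG = array(
        'overwriteprotocol' => 'https',
        // TODO: replace with the CIDR Traefik connects from (pod or service network)
        'trusted_proxies' => array('REPLACE_WITH_TRAEFIK_CIDR'),
      );
```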
diff --git a/apps/files/pvc.yaml b/apps/files/pvc.yaml
new file mode 100644
index 0000000..ede5bd1
--- /dev/null
+++ b/apps/files/pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: files-nfs
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 100Gi
diff --git a/apps/files/syncthing/deployment.yaml b/apps/files/syncthing/deployment.yaml
new file mode 100644
index 0000000..aaa143b
--- /dev/null
+++ b/apps/files/syncthing/deployment.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: syncthing
+spec:
+ selector:
+ matchLabels:
+ app: syncthing
+ template:
+ metadata:
+ labels:
+ app: syncthing
+ spec:
+ containers:
+ - name: syncthing
+ image: syncthing
+ resources:
+ limits:
+ memory: "256Mi"
+ cpu: "500m"
+ ports:
+ - containerPort: 8384
+ protocol: TCP
+ name: syncthing-web
+ - containerPort: 22000
+ protocol: TCP
+ - containerPort: 22000
+ protocol: UDP
+ volumeMounts:
+ - name: persistence
+ mountPath: /files
+ - name: config
+ mountPath: /var/syncthing/config
+ volumes:
+ - name: persistence
+ persistentVolumeClaim:
+ claimName: files-nfs
+ - name: config
+ persistentVolumeClaim:
+ claimName: syncthing-config
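Review bot: The Deployment keeps the default RollingUpdate strategy while both PVCs are ReadWriteMany, so on every rollout a new syncthing pod starts against the same config and index database while the old pod is still running — Syncthing's database relies on a lock file, which is unreliable over NFS. Add `strategy: {type: Recreate}` under `spec` so only one instance ever holds `/var/syncthing/config`. The pod also has no `securityContext`; the image's entrypoint appears to start as root and drop to PUID/PGID itself, but setting `runAsUser`/`runAsGroup` (matching the NFS export's uid) plus `allowPrivilegeEscalation: false` lets Kubernetes enforce that — check the 1.27 image's entrypoint behaviour before changing it.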
diff --git a/apps/files/syncthing/ingress.yaml b/apps/files/syncthing/ingress.yaml
new file mode 100644
index 0000000..84e7b99
--- /dev/null
+++ b/apps/files/syncthing/ingress.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: rss-ingressroute
+
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`syncthing2.kluster.moll.re`)
+ kind: Rule
+ services:
+ - name: syncthing-web
+ port: 8384
+ tls:
+ certResolver: default-tls
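Review bot: This route publishes Syncthing's admin GUI (port 8384) on a public hostname with TLS but no authentication middleware, and nothing in these manifests sets a GUI user/password or API key — unless the config.xml on the `syncthing-config` PVC already does, anyone reaching `syncthing2.kluster.moll.re` can add devices and share folders. Either confirm `<gui>` `<user>`/`<password>` are set in the persisted config or attach a `basicAuth` / `ipAllowList` Middleware via `routes[].middlewares`. The resource is also named `rss-ingressroute`, apparently copied from another app; rename it to `syncthing-ingressroute` so it is identifiable in the `files` namespace.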
diff --git a/apps/files/syncthing/kustomization.yaml b/apps/files/syncthing/kustomization.yaml
new file mode 100644
index 0000000..8d4e1f3
--- /dev/null
+++ b/apps/files/syncthing/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - pvc.yaml
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
+ - servicemonitor.yaml
+ # - syncthing-api.sealedsecret.yaml
+
+images:
+ - name: syncthing
+ newName: syncthing/syncthing
+ newTag: "1.27"
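Review bot: `servicemonitor.yaml` is included while `syncthing-api.sealedsecret.yaml` stays commented out, yet the ServiceMonitor's `bearerTokenSecret` references a Secret named `syncthing-api` with key `token`; until that Secret exists in the `files` namespace the scrape target cannot be generated and the operator will log errors. Either uncomment the sealed secret once it is created or drop `servicemonitor.yaml` from `resources` in the same commit so the two stay consistent. `newTag: "1.27"` also floats on a minor version; pin the patch release so upgrades are explicit.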
diff --git a/apps/files/syncthing/pvc.yaml b/apps/files/syncthing/pvc.yaml
new file mode 100644
index 0000000..83b292d
--- /dev/null
+++ b/apps/files/syncthing/pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: syncthing-config
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
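Review bot: `syncthing-config` on `nfs-client` with `ReadWriteMany` holds Syncthing's configuration and its index database; Syncthing's documentation advises keeping the database on local storage because it depends on file locking and fsync semantics that NFS does not reliably provide, and RWX invites a second writer. Prefer a block or local storageClass with `accessModes: [ReadWriteOnce]` for this claim and keep only the synced data (`files-nfs`) on NFS; if NFS is unavoidable, make sure the Deployment can never run two replicas at once.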
diff --git a/apps/files/syncthing/service.yaml b/apps/files/syncthing/service.yaml
new file mode 100644
index 0000000..85a6103
--- /dev/null
+++ b/apps/files/syncthing/service.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: syncthing-web
+ labels:
+ app: syncthing
+spec:
+ selector:
+ app: syncthing
+ type: ClusterIP
+ ports:
+ - port: 8384
+ targetPort: 8384
+ name: syncthing-web
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: syncthing-listen
+ annotations:
+ metallb.universe.tf/allow-shared-ip: syncthing-service
+spec:
+ selector:
+ app: syncthing
+ type: LoadBalancer
+ loadBalancerIP: 192.168.3.5
+ ports:
+ - port: 22000
+ targetPort: 22000
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: syncthing-discover
+ annotations:
+ metallb.universe.tf/allow-shared-ip: syncthing-service
+spec:
+ selector:
+ app: syncthing
+ type: LoadBalancer
+ loadBalancerIP: 192.168.3.5
+ ports:
+ - port: 22000
+ targetPort: 22000
+ protocol: UDP
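Review bot: `spec.loadBalancerIP` is deprecated since Kubernetes 1.24 and MetalLB reads the address from the `metallb.universe.tf/loadBalancerIPs: 192.168.3.5` annotation instead, so the pinned IP may stop being honoured after an upgrade; set the annotation next to `allow-shared-ip` on both services (confirm against the installed MetalLB version). `syncthing-discover` is misleading: it exposes UDP 22000, which is Syncthing's QUIC sync listener, not local discovery (UDP 21027) — rename it to something like `syncthing-listen-udp`, or merge both ports into the one `syncthing-listen` Service now that mixed-protocol LoadBalancers are supported. Exposing 22000 is acceptable because Syncthing authenticates peers by device certificate, and the GUI port is correctly left ClusterIP-only.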
diff --git a/apps/files/syncthing/servicemonitor.yaml b/apps/files/syncthing/servicemonitor.yaml
new file mode 100644
index 0000000..878576a
--- /dev/null
+++ b/apps/files/syncthing/servicemonitor.yaml
@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: syncthing-servicemonitor
+ labels:
+ app: syncthing
+spec:
+ selector:
+ matchLabels:
+ app: syncthing
+ endpoints:
+ - port: syncthing-web
+ path: /metrics
+ bearerTokenSecret:
+ name: syncthing-api
+ key: token
diff --git a/apps/files1/deployment.yaml b/apps/files1/deployment.yaml
new file mode 100644
index 0000000..9eeac1e
--- /dev/null
+++ b/apps/files1/deployment.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spacedrive
+spec:
+ selector:
+ matchLabels:
+ app: spacedrive
+ template:
+ metadata:
+ labels:
+ app: spacedrive
+ spec:
+ containers:
+ - name: spacedrive
+ image: spacedrive
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: storage
+ mountPath: /data
+
+ volumes:
+ - name: storage
+ persistentVolumeClaim:
+ claimName: spacedrive-nfs
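Review bot: The spacedrive server listens on port 80 with no authentication configured in the manifest — the upstream image reads its web credentials from an environment variable (documented as `SD_AUTH`), and none is set here, so verify what the 0.2.4 image does when it is absent before anything routes traffic to this pod. Nothing in `apps/files1` creates a Service or IngressRoute for it, so for now it is reachable only pod-to-pod inside the cluster; if that is intentional, a comment saying so would help. As with the other deployments, a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`) is missing.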
diff --git a/apps/files1/kustomization.yaml b/apps/files1/kustomization.yaml
new file mode 100644
index 0000000..94305fa
--- /dev/null
+++ b/apps/files1/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: files1
+
+resources:
+ - namespace.yaml
+ - pvc.yaml
+ - deployment.yaml
+
+
+images:
+ - name: spacedrive
+ newName: ghcr.io/spacedriveapp/spacedrive/server
+ newTag: 0.2.4
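Review bot: `newTag: 0.2.4` is unquoted; it parses as a string today only because of the second dot, and a future tag such as `0.3` would silently become a float and break the image reference. Quote image tags as the syncthing kustomization does: `newTag: "0.2.4"`.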
diff --git a/apps/files1/namespace.yaml b/apps/files1/namespace.yaml
new file mode 100644
index 0000000..0a074bd
--- /dev/null
+++ b/apps/files1/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: placeholder
diff --git a/apps/files1/pvc.yaml b/apps/files1/pvc.yaml
new file mode 100644
index 0000000..590b37d
--- /dev/null
+++ b/apps/files1/pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: spacedrive-nfs
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 100Gi
diff --git a/apps/immich/kustomization.yaml b/apps/immich/kustomization.yaml
index 8158765..d1e9cb1 100644
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -1,11 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
-- namespace.yaml
-- ingress.yaml
-- pvc.yaml
-- postgres.yaml
-- postgres.sealedsecret.yaml
+ - namespace.yaml
+ - ingress.yaml
+ - pvc.yaml
+ - postgres.yaml
+ - postgres.sealedsecret.yaml
namespace: immich
@@ -22,4 +22,3 @@ images:
newTag: v1.95.1
- name: ghcr.io/immich-app/immich-server
newTag: v1.95.1
-
diff --git a/apps/matrix/kustomization.yaml b/apps/matrix/kustomization.yaml
new file mode 100644
index 0000000..a36e593
--- /dev/null
+++ b/apps/matrix/kustomization.yaml
@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - postgres.yaml
+ - synapse.deployment.yaml
+ - synapse.service.yaml
+ - synapse.configmap.yaml
+ - synapse.ingress.yaml
+ - postgres-credentials.secret.yaml
+
+ - mautrix.pvc.yaml
+ - mautrix-telegram.statefulset.yaml
+ - mautrix-telegram.configmap.yaml
+ - mautrix-whatsapp.statefulset.yaml
+
+
+namespace: matrix
+
+images:
+ - name: mautrix-telegram
+ newName: dock.mau.dev/mautrix/telegram
+ newTag: "v0.15.1"
+ - name: mautrix-whatsapp
+ newName: dock.mau.dev/mautrix/whatsapp
+ newTag: "v0.10.5"
+ - name: synapse
+ newName: ghcr.io/element-hq/synapse
+ newTag: "v1.100.0"
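Review bot: `postgres-credentials.secret.yaml` is listed as a plain Secret, whereas the nextcloud and immich apps keep their database credentials in SealedSecrets; if that file holds real base64 values it commits the Synapse database password to git. Convert it with `kubeseal` into a `postgres-credentials.sealedsecret.yaml` and reference that here instead (the file itself is not in this diff, so confirm its contents first). The three `images` entries are pinned to exact tags, which is the right pattern.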
diff --git a/apps/matrix/mautrix-telegram.configmap.yaml b/apps/matrix/mautrix-telegram.configmap.yaml
new file mode 100644
index 0000000..fe06cf9
--- /dev/null
+++ b/apps/matrix/mautrix-telegram.configmap.yaml
@@ -0,0 +1,511 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mautrix-telegram
+data:
+ config.yaml: |
+ # Homeserver details
+ homeserver:
+ # The address that this appservice can use to connect to the homeserver.
+ address: http://synapse:8448
+ # The domain of the homeserver (for MXIDs, etc).
+ domain: matrix.kluster.moll.re
+ # Whether or not to verify the SSL certificate of the homeserver.
+ # Only applies if address starts with https://
+ verify_ssl: false
+ # What software is the homeserver running?
+ # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+ software: standard
+ # Number of retries for all HTTP requests if the homeserver isn't reachable.
+ http_retry_count: 4
+ # The URL to push real-time bridge status to.
+ # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
+ # The bridge will use the appservice as_token to authorize requests.
+ status_endpoint: null
+ # Endpoint for reporting per-message status.
+ message_send_checkpoint_endpoint: null
+ # Whether asynchronous uploads via MSC2246 should be enabled for media.
+ # Requires a media repo that supports MSC2246.
+ async_media: false
+ # Application service host/registration related details
+ # Changing these values requires regeneration of the registration.
+ appservice:
+ # The address that the homeserver can use to connect to this appservice.
+ address: http://mautrix-telegram:29318
+ # When using https:// the TLS certificate and key files for the address.
+ tls_cert: false
+ tls_key: false
+ # The hostname and port where this appservice should listen.
+ hostname: 0.0.0.0
+ port: 29317
+ # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+ # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+ max_body_size: 1
+ # The full URI to the database. SQLite and Postgres are supported.
+ # Format examples:
+ # SQLite: sqlite:filename.db
+ # Postgres: postgres://username:password@hostname/dbname
+ database: sqlite:mautrix-telegram.db
+
+ # The unique ID of this appservice.
+ id: telegram
+ # Username of the appservice bot.
+ bot_username: telegrambot
+ # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+ # to leave display name/avatar as-is.
+ bot_displayname: Telegram bridge bot
+ bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
+ # Whether or not to receive ephemeral events via appservice transactions.
+ # Requires MSC2409 support (i.e. Synapse 1.22+).
+ # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+ ephemeral_events: true
+ # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+ as_token: "This value is generated when generating the registration"
+ hs_token: "This value is generated when generating the registration"
+
+ # Bridge config
+ bridge:
+ # Localpart template of MXIDs for Telegram users.
+ # {userid} is replaced with the user ID of the Telegram user.
+ username_template: "telegram_{userid}"
+ # Localpart template of room aliases for Telegram portal rooms.
+ # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
+ alias_template: "telegram_{groupname}"
+ # Displayname template for Telegram users.
+ # {displayname} is replaced with the display name of the Telegram user.
+ displayname_template: "{displayname} (Telegram)"
+ # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
+ # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
+ # ID is used.
+ #
+ # If the bridge is working properly, a phone number or an username should always be known, but
+ # the other one can very well be empty.
+ #
+ # Valid keys:
+ # "full name" (First and/or last name)
+ # "full name reversed" (Last and/or first name)
+ # "first name"
+ # "last name"
+ # "username"
+ # "phone number"
+ displayname_preference:
+ - full name
+ - username
+ - phone number
+ # Maximum length of displayname
+ displayname_max_length: 100
+ # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
+ # as there's no way to determine whether an avatar is removed or just hidden from some users. If
+ # you're on a single-user instance, this should be safe to enable.
+ allow_avatar_remove: false
+ # Should contact names and profile pictures be allowed?
+ # This is only safe to enable on single-user instances.
+ allow_contact_info: false
+ # Maximum number of members to sync per portal when starting up. Other members will be
+ # synced when they send messages. The maximum is 10000, after which the Telegram server
+ # will not send any more members.
+ # -1 means no limit (which means it's limited to 10000 by the server)
+ max_initial_member_sync: 100
+ # Maximum number of participants in chats to bridge. Only applies when the portal is being created.
+ # If there are more members when trying to create a room, the room creation will be cancelled.
+ # -1 means no limit (which means all chats can be bridged)
+ max_member_count: -1
+ # Whether or not to sync the member list in channels.
+ # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
+ # list regardless of this setting.
+ sync_channel_members: false
+ # Whether or not to skip deleted members when syncing members.
+ skip_deleted_members: true
+ # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
+ # their Telegram account at startup.
+ startup_sync: false
+ # Number of most recently active dialogs to check when syncing chats.
+ # Set to 0 to remove limit.
+ sync_update_limit: 0
+ # Number of most recently active dialogs to create portals for when syncing chats.
+ # Set to 0 to remove limit.
+ sync_create_limit: 15
+ # Should all chats be scheduled to be created later?
+ # This is best used in combination with MSC2716 infinite backfill.
+ sync_deferred_create_all: false
+ # Whether or not to sync and create portals for direct chats at startup.
+ sync_direct_chats: false
+ # The maximum number of simultaneous Telegram deletions to handle.
+ # A large number of simultaneous redactions could put strain on your homeserver.
+ max_telegram_delete: 10
+ # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
+ # at startup and when creating a bridge.
+ sync_matrix_state: true
+ # Allow logging in within Matrix. If false, users can only log in using login-qr or the
+ # out-of-Matrix login website (see appservice.public config section)
+ allow_matrix_login: true
+ # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
+ public_portals: false
+ # Whether or not to use /sync to get presence, read receipts and typing notifications
+ # when double puppeting is enabled
+ sync_with_custom_puppets: false
+ # Whether or not to update the m.direct account data event when double puppeting is enabled.
+ # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+ # and is therefore prone to race conditions.
+ sync_direct_chat_list: false
+ # Servers to always allow double puppeting from
+ double_puppet_server_map:
+ example.com: https://example.com
+ # Allow using double puppeting from any server with a valid client .well-known file.
+ double_puppet_allow_discovery: false
+ # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+ #
+ # If set, custom puppets will be enabled automatically for local users
+ # instead of users having to find an access token and run `login-matrix`
+ # manually.
+ # If using this for other servers than the bridge's server,
+ # you must also set the URL in the double_puppet_server_map.
+ login_shared_secret_map:
+ example.com: foobar
+ # Set to false to disable link previews in messages sent to Telegram.
+ telegram_link_preview: true
+ # Whether or not the !tg join command should do a HTTP request
+ # to resolve redirects in invite links.
+ invite_link_resolve: false
+ # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+ # This is currently not supported in most clients.
+ caption_in_message: false
+ # Maximum size of image in megabytes before sending to Telegram as a document.
+ image_as_file_size: 10
+ # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216.
+ image_as_file_pixels: 16777216
+ # Enable experimental parallel file transfer, which makes uploads/downloads much faster by
+ # streaming from/to Matrix and using many connections for Telegram.
+ # Note that generating HQ thumbnails for videos is not possible with streamed transfers.
+ # This option uses internal Telethon implementation details and may break with minor updates.
+ parallel_file_transfer: false
+ # Whether or not created rooms should have federation enabled.
+ # If false, created portal rooms will never be federated.
+ federate_rooms: true
+ # Should the bridge send all unicode reactions as custom emoji reactions to Telegram?
+ # By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions.
+ always_custom_emoji_reaction: false
+ # Settings for converting animated stickers.
+ animated_sticker:
+ # Format to which animated stickers should be converted.
+ # disable - No conversion, send as-is (gzipped lottie)
+ # png - converts to non-animated png (fastest),
+ # gif - converts to animated gif
+ # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
+ # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
+ target: gif
+ # Should video stickers be converted to the specified format as well?
+ convert_from_webm: false
+ # Arguments for converter. All converters take width and height.
+ args:
+ width: 256
+ height: 256
+ fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
+ # Settings for converting animated emoji.
+ # Same as animated_sticker, but webm is not supported as the target
+ # (because inline images can only contain images, not videos).
+ animated_emoji:
+ target: webp
+ args:
+ width: 64
+ height: 64
+ fps: 25
+ # # End-to-bridge encryption support options.
+ # #
+ # # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+ # encryption:
+ # # Allow encryption, work in group chat rooms with e2ee enabled
+ # allow: false
+ # # Default to encryption, force-enable encryption in all portals the bridge creates
+ # # This will cause the bridge bot to be in private chats for the encryption to work properly.
+ # default: false
+ # # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+ # appservice: false
+ # # Require encryption, drop any unencrypted messages.
+ # require: false
+ # # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+ # # You must use a client that supports requesting keys from other users to use this feature.
+ # allow_key_sharing: false
+ # # Options for deleting megolm sessions from the bridge.
+ # delete_keys:
+ # # Beeper-specific: delete outbound sessions when hungryserv confirms
+ # # that the user has uploaded the key to key backup.
+ # delete_outbound_on_ack: false
+ # # Don't store outbound sessions in the inbound table.
+ # dont_store_outbound: false
+ # # Ratchet megolm sessions forward after decrypting messages.
+ # ratchet_on_decrypt: false
+ # # Delete fully used keys (index >= max_messages) after decrypting messages.
+ # delete_fully_used_on_decrypt: false
+ # # Delete previous megolm sessions from same device when receiving a new one.
+ # delete_prev_on_new_session: false
+ # # Delete megolm sessions received from a device when the device is deleted.
+ # delete_on_device_delete: false
+ # # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+ # periodically_delete_expired: false
+ # # Delete inbound megolm sessions that don't have the received_at field used for
+ # # automatic ratcheting and expired session deletion. This is meant as a migration
+ # # to delete old keys prior to the bridge update.
+ # delete_outdated_inbound: false
+ # # What level of device verification should be required from users?
+ # #
+ # # Valid levels:
+ # # unverified - Send keys to all device in the room.
+ # # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+ # # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+ # # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+ # # Note that creating user signatures from the bridge bot is not currently possible.
+ # # verified - Require manual per-device verification
+ # # (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+ # verification_levels:
+ # # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
+ # receive: unverified
+ # # Minimum level that the bridge should accept for incoming Matrix messages.
+ # send: unverified
+ # # Minimum level that the bridge should require for accepting key requests.
+ # share: cross-signed-tofu
+ # # Options for Megolm room key rotation. These options allow you to
+ # # configure the m.room.encryption event content. See:
+ # # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+ # # more information about that event.
+ # rotation:
+ # # Enable custom Megolm room key rotation settings. Note that these
+ # # settings will only apply to rooms created after this option is
+ # # set.
+ # enable_custom: false
+ # # The maximum number of milliseconds a session should be used
+ # # before changing it. The Matrix spec recommends 604800000 (a week)
+ # # as the default.
+ # milliseconds: 604800000
+ # # The maximum number of messages that should be sent with a given a
+ # # session before changing it. The Matrix spec recommends 100 as the
+ # # default.
+ # messages: 100
+ # # Disable rotating keys when a user's devices change?
+ # # You should not enable this option unless you understand all the implications.
+ # disable_device_change_key_rotation: false
+ # Whether to explicitly set the avatar and room name for private chat portal rooms.
+ # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+ # If set to `always`, all DM rooms will have explicit names and avatars set.
+ # If set to `never`, DM rooms will never have names and avatars set.
+ private_chat_portal_meta: default
+ # Disable generating reply fallbacks? Some extremely bad clients still rely on them,
+ # but they're being phased out and will be completely removed in the future.
+ disable_reply_fallbacks: false
+ # Should cross-chat replies from Telegram be bridged? Most servers and clients don't support this.
+ cross_room_replies: false
+ # Whether or not the bridge should send a read receipt from the bridge bot when a message has
+ # been sent to Telegram.
+ delivery_receipts: false
+ # Whether or not delivery errors should be reported as messages in the Matrix room.
+ delivery_error_reports: false
+ # Should errors in incoming message handling send a message to the Matrix room?
+ incoming_bridge_error_reports: false
+ # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+ message_status_events: false
+ # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+ # This field will automatically be changed back to false after it,
+ # except if the config file is not writable.
+ resend_bridge_info: false
+ # When using double puppeting, should muted chats be muted in Matrix?
+ mute_bridging: false
+ # When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
+ # The favorites tag is `m.favourite`.
+ pinned_tag: null
+ # Same as above for archived chats, the low priority tag is `m.lowpriority`.
+ archive_tag: null
+ # Whether or not mute status and tags should only be bridged when the portal room is created.
+ tag_only_on_create: true
+ # Should leaving the room on Matrix make the user leave on Telegram?
+ bridge_matrix_leave: true
+ # Should the user be kicked out of all portals when logging out of the bridge?
+ kick_on_logout: true
+ # Should the "* user joined Telegram" notice always be marked as read automatically?
+ always_read_joined_telegram_notice: true
+ # Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room?
+ # Requires the user to have sufficient power level and double puppeting enabled.
+ create_group_on_invite: true
+ # Settings for backfilling messages from Telegram.
+ backfill:
+ # Allow backfilling at all?
+ enable: true
+ # Whether or not to enable backfilling in normal groups.
+ # Normal groups have numerous technical problems in Telegram, and backfilling normal groups
+ # will likely cause problems if there are multiple Matrix users in the group.
+ normal_groups: false
+ # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram.
+ # Set to -1 to let any chat be unread.
+ unread_hours_threshold: 720
+ # Forward backfilling limits.
+ #
+ # Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch.
+ forward_limits:
+ # Number of messages to backfill immediately after creating a portal.
+ initial:
+ user: 50
+ normal_group: 100
+ supergroup: 10
+ channel: 10
+ # Number of messages to backfill when syncing chats.
+ sync:
+ user: 100
+ normal_group: 100
+ supergroup: 100
+ channel: 100
+ # Timeout for forward backfills in seconds. If you have a high limit, you'll have to increase this too.
+ forward_timeout: 900
+ # Settings for incremental backfill of history. These only apply to Beeper, as upstream abandoned MSC2716.
+ incremental:
+ # Maximum number of messages to backfill per batch.
+ messages_per_batch: 100
+ # The number of seconds to wait after backfilling the batch of messages.
+ post_batch_delay: 20
+ # The maximum number of batches to backfill per portal, split by the chat type.
+ # If set to -1, all messages in the chat will eventually be backfilled.
+ max_batches:
+ # Direct chats
+ user: -1
+ # Normal groups. Note that the normal_groups option above must be enabled
+ # for these to be backfilled.
+ normal_group: -1
+ # Supergroups
+ supergroup: 10
+ # Broadcast channels
+ channel: -1
+ # Overrides for base power levels.
+ initial_power_level_overrides:
+ user: {}
+ group: {}
+ # Whether to bridge Telegram bot messages as m.notices or m.texts.
+ bot_messages_as_notices: true
+ bridge_notices:
+ # Whether or not Matrix bot messages (type m.notice) should be bridged.
+ default: false
+ # List of user IDs for whom the previous flag is flipped.
+ # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
+ # notices from users listed here will be bridged.
+ exceptions: []
+ # An array of possible values for the $distinguisher variable in message formats.
+ # Each user gets one of the values here, based on a hash of their user ID.
+ # If the array is empty, the $distinguisher variable will also be empty.
+ relay_user_distinguishers: ["\U0001F7E6", "\U0001F7E3", "\U0001F7E9", "⭕️", "\U0001F536", "⬛️", "\U0001F535", "\U0001F7E2"]
+ # The formats to use when sending messages to Telegram via the relay bot.
+ # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
+ #
+ # Available variables:
+ # $sender_displayname - The display name of the sender (e.g. Example User)
+ # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
+ # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
+ # $distinguisher - A random string from the options in the relay_user_distinguishers array.
+ # $message - The message content
+ message_formats:
+ m.text: "$distinguisher $sender_displayname: $message"
+ m.notice: "$distinguisher $sender_displayname: $message"
+ m.emote: "* $distinguisher $sender_displayname $message"
+ m.file: "$distinguisher $sender_displayname sent a file: $message"
+ m.image: "$distinguisher $sender_displayname sent an image: $message"
+ m.audio: "$distinguisher $sender_displayname sent an audio file: $message"
+ m.video: "$distinguisher $sender_displayname sent a video: $message"
+ m.location: "$distinguisher $sender_displayname sent a location: $message"
+ # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
+ # users are sent to telegram. All fields in message_formats are supported. Additionally, the
+ # Telegram user info is available in the following variables:
+ # $displayname - Telegram displayname
+ # $username - Telegram username (may not exist)
+ # $mention - Telegram @username or displayname mention (depending on which exists)
+ emote_format: "* $mention $formatted_body"
+ # The formats to use when sending state events to Telegram via the relay bot.
+ #
+ # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
+ # In name_change events, `$prev_displayname` is the previous displayname.
+ #
+ # Set format to an empty string to disable the messages for that event.
+ state_event_formats:
+ join: "$distinguisher $displayname joined the room."
+ leave: "$distinguisher $displayname left the room."
+ name_change: "$distinguisher $prev_displayname changed their name to $distinguisher $displayname"
+ # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
+ # `filter-mode` management commands.
+ #
+ # An empty blacklist will essentially disable the filter.
+ filter:
+ # Filter mode to use. Either "blacklist" or "whitelist".
+ # If the mode is "blacklist", the listed chats will never be bridged.
+ # If the mode is "whitelist", only the listed chats can be bridged.
+ mode: blacklist
+ # The list of group/channel IDs to filter.
+ list: []
+ # How to handle direct chats:
+ # If users is "null", direct chats will follow the previous settings.
+ # If users is "true", direct chats will always be bridged.
+ # If users is "false", direct chats will never be bridged.
+ users: true
+ # The prefix for commands. Only required in non-management rooms.
+ command_prefix: "!tg"
+ # Messages sent upon joining a management room.
+ # Markdown is supported. The defaults are listed below.
+ management_room_text:
+ # Sent when joining a room.
+ welcome: "Hello, I'm a Telegram bridge bot."
+ # Sent when joining a management room and the user is already logged in.
+ welcome_connected: "Use `help` for help."
+ # Sent when joining a management room and the user is not logged in.
+ welcome_unconnected: "Use `help` for help or `login` to log in."
+ # Optional extra text sent when joining a management room.
+ additional_help: ""
+ # Send each message separately (for readability in some clients)
+ management_room_multiple_messages: false
+ # Permissions for using the bridge.
+ # Permitted values:
+ # relaybot - Only use the bridge via the relaybot, no access to commands.
+ # user - Relaybot level + access to commands to create bridges.
+ # puppeting - User level + logging in with a Telegram account.
+ # full - Full access to use the bridge, i.e. previous levels + Matrix login.
+ # admin - Full access to use the bridge and some extra administration commands.
+ # Permitted keys:
+ # * - All Matrix users
+ # domain - All users on that homeserver
+ # mxid - Specific user
+ permissions:
+ "matrix.kluster.moll.re": "full"
+ "@remy:matrix.kluster.moll.re": "admin"
+ # Options related to the message relay Telegram bot.
+ relaybot:
+ private_chat:
+ # List of users to invite to the portal when someone starts a private chat with the bot.
+ # If empty, private chats with the bot won't create a portal.
+ invite: []
+ # Whether or not to bridge state change messages in relaybot private chats.
+ state_changes: true
+ # When private_chat_invite is empty, this message is sent to users /starting the
+ # relaybot. Telegram's "markdown" is supported.
+ message: This is a Matrix bridge relaybot and does not support direct chats
+ # List of users to invite to all group chat portals created by the bridge.
+ group_chat_invite: []
+ # Whether or not the relaybot should not bridge events in unbridged group chats.
+ # If false, portals will be created when the relaybot receives messages, just like normal
+ # users. This behavior is usually not desirable, as it interferes with manually bridging
+ # the chat to another room.
+ ignore_unbridged_group_chat: true
+ # Whether or not to allow creating portals from Telegram.
+ authless_portals: true
+ # Whether or not to allow Telegram group admins to use the bot commands.
+ whitelist_group_admins: true
+ # Whether or not to ignore incoming events sent by the relay bot.
+ ignore_own_incoming_events: true
+ # List of usernames/user IDs who are also allowed to use the bot commands.
+ whitelist:
+ - myusername
+ - 12345678
+ # Telegram config
+ telegram:
+ # Get your own API keys at https://my.telegram.org/apps
+ api_id: 862555
+ api_hash: 7387a7b6ba71793d6f3fa98261117e4e
+ # (Optional) Create your own bot at https://t.me/BotFather
+ bot_token: disabled
+ # Should the bridge request missed updates from Telegram when restarting?
+ catch_up: true
+ # Should incoming updates be handled sequentially to make sure order is preserved on Matrix?
+ sequential_updates: true
+ exit_on_update_error: false
diff --git a/apps/matrix/mautrix-telegram.statefulset.yaml b/apps/matrix/mautrix-telegram.statefulset.yaml
new file mode 100644
index 0000000..baecab9
--- /dev/null
+++ b/apps/matrix/mautrix-telegram.statefulset.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: mautrix-telegram
+spec:
+ selector:
+ matchLabels:
+ app: mautrix-telegram
+ serviceName: mautrix-telegram
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mautrix-telegram
+ spec:
+ containers:
+ - name: mautrix-telegram
+ image: mautrix-telegram
+ volumeMounts:
+ - name: config
+ mountPath: /data/config.yaml
+ subPath: config.yaml
+ - name: persistence
+ mountPath: /data
+ args:
+ - --no-update # disable overwriting config.yaml
+ volumes:
+ - name: config
+ configMap:
+ name: mautrix-telegram
+ - name: persistence
+ emptyDir: {}
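Review bot: The `persistence` volume backing `/data` is an `emptyDir`, so the bridge's SQLite database and Telegram session state are lost on every pod restart, while a `PersistentVolumeClaim` named `mautrix-telegram` is created in mautrix.pvc.yaml and never claimed. Replace the `emptyDir: {}` with `persistentVolumeClaim:` / `  claimName: mautrix-telegram`, matching the mautrix-whatsapp StatefulSet. The mounted ConfigMap also carries the Telegram `api_hash` and the appservice tokens; a Secret is the appropriate resource for those values since ConfigMaps are readable by anyone with namespace read access and end up in plaintext in git. Finally, `image: mautrix-telegram` has no registry or tag; if a kustomize `images` transform is meant to supply them it is not visible here, so confirm the rendered manifest pins a version.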
diff --git a/apps/matrix/mautrix-whatsapp.configmap.yaml b/apps/matrix/mautrix-whatsapp.configmap.yaml
new file mode 100644
index 0000000..0a854e1
--- /dev/null
+++ b/apps/matrix/mautrix-whatsapp.configmap.yaml
@@ -0,0 +1,428 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mautrix-whatsapp
+data:
+ config.yaml: |
+ # Homeserver details.
+ homeserver:
+ # The address that this appservice can use to connect to the homeserver.
+ address: http://synapse:8448
+ # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+ domain: matrix.kluster.moll.re
+
+ # What software is the homeserver running?
+ # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+ software: standard
+ # The URL to push real-time bridge status to.
+ # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
+ # The bridge will use the appservice as_token to authorize requests.
+ status_endpoint: null
+ # Endpoint for reporting per-message status.
+ message_send_checkpoint_endpoint: null
+ # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+ async_media: false
+
+ # Should the bridge use a websocket for connecting to the homeserver?
+ # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+ # mautrix-asmux (deprecated), and hungryserv (proprietary).
+ websocket: false
+ # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+ ping_interval_seconds: 0
+
+ # Application service host/registration related details.
+ # Changing these values requires regeneration of the registration.
+ appservice:
+ # The address that the homeserver can use to connect to this appservice.
+ address: http://mautrix-whatsapp:29318
+
+ # The hostname and port where this appservice should listen.
+ hostname: 0.0.0.0
+ port: 29318
+
+ # Database config.
+ database:
+ # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+ type: sqlite3-fk-wal
+ # The database URI.
+ # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended.
+ # https://github.com/mattn/go-sqlite3#connection-string
+ # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+ # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+ uri: file:/data/mautrix-whatsapp.db?_txlock=immediate
+ # Maximum number of connections. Mostly relevant for Postgres.
+ max_open_conns: 20
+ max_idle_conns: 2
+ # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+ # Parsed with https://pkg.go.dev/time#ParseDuration
+ max_conn_idle_time: null
+ max_conn_lifetime: null
+
+ # The unique ID of this appservice.
+ id: whatsapp
+ # Appservice bot details.
+ bot:
+ # Username of the appservice bot.
+ username: whatsappbot
+ # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+ # to leave display name/avatar as-is.
+ displayname: WhatsApp bridge bot
+ avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
+
+ # Whether or not to receive ephemeral events via appservice transactions.
+ # Requires MSC2409 support (i.e. Synapse 1.22+).
+ ephemeral_events: true
+
+ # Should incoming events be handled asynchronously?
+ # This may be necessary for large public instances with lots of messages going through.
+ # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+ async_transactions: false
+
+ # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+ as_token: "This value is generated when generating the registration"
+ hs_token: "This value is generated when generating the registration"
+
+ # Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
+ analytics:
+ # Hostname of the tracking server. The path is hardcoded to /v1/track
+ host: api.segment.io
+ # API key to send with tracking requests. Tracking is disabled if this is null.
+ token: null
+ # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
+ user_id: null
+
+ # Prometheus config.
+ metrics:
+ # Enable prometheus metrics?
+ enabled: false
+ # IP and port where the metrics listener should be. The path is always /metrics
+ listen: 127.0.0.1:8001
+
+ # Config for things that are directly sent to WhatsApp.
+ whatsapp:
+ # Device name that's shown in the "WhatsApp Web" section in the mobile app.
+ os_name: Mautrix-WhatsApp bridge
+ # Browser name that determines the logo shown in the mobile app.
+ # Must be "unknown" for a generic icon or a valid browser name if you want a specific icon.
+ # List of valid browser names: https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64
+ browser_name: unknown
+
+ # Bridge config
+ bridge:
+ # Localpart template of MXIDs for WhatsApp users.
+ # {{.}} is replaced with the phone number of the WhatsApp user.
+ username_template: whatsapp_{{.}}
+ # Displayname template for WhatsApp users.
+ # {{.PushName}} - nickname set by the WhatsApp user
+ # {{.BusinessName}} - validated WhatsApp business name
+ # {{.Phone}} - phone number (international format)
+ # The following variables are also available, but will cause problems on multi-user instances:
+ # {{.FullName}} - full name from contact list
+ # {{.FirstName}} - first name from contact list
+ displayname_template: "{{or .BusinessName .PushName .JID}} (WA)"
+ # Should the bridge create a space for each logged-in user and add bridged rooms to it?
+ # Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time.
+ personal_filtering_spaces: false
+ # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp?
+ delivery_receipts: false
+ # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+ message_status_events: false
+ # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+ message_error_notices: true
+ # Should incoming calls send a message to the Matrix room?
+ call_start_notices: true
+ # Should another user's cryptographic identity changing send a message to Matrix?
+ identity_change_notices: false
+ portal_message_buffer: 128
+ # Settings for handling history sync payloads.
+ history_sync:
+ # Enable backfilling history sync payloads from WhatsApp?
+ backfill: true
+ # The maximum number of initial conversations that should be synced.
+ # Other conversations will be backfilled on demand when receiving a message or when initiating a direct chat.
+ max_initial_conversations: -1
+ # Maximum number of messages to backfill in each conversation.
+ # Set to -1 to disable limit.
+ message_count: 50
+ # Should the bridge request a full sync from the phone when logging in?
+ # This bumps the size of history syncs from 3 months to 1 year.
+ request_full_sync: false
+ # Configuration parameters that are sent to the phone along with the request full sync flag.
+ # By default (when the values are null or 0), the config isn't sent at all.
+ full_sync_config:
+ # Number of days of history to request.
+ # The limit seems to be around 3 years, but using higher values doesn't break.
+ days_limit: null
+ # This is presumably the maximum size of the transferred history sync blob, which may affect what the phone includes in the blob.
+ size_mb_limit: null
+ # This is presumably the local storage quota, which may affect what the phone includes in the history sync blob.
+ storage_quota_mb: null
+ # If this value is greater than 0, then if the conversation's last message was more than
+ # this number of hours ago, then the conversation will automatically be marked it as read.
+ # Conversations that have a last message that is less than this number of hours ago will
+ # have their unread status synced from WhatsApp.
+ unread_hours_threshold: 0
+
+
+
+ # Should puppet avatars be fetched from the server even if an avatar is already set?
+ user_avatar_sync: true
+ # Should Matrix users leaving groups be bridged to WhatsApp?
+ bridge_matrix_leave: true
+ # Should the bridge update the m.direct account data event when double puppeting is enabled.
+ # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+ # and is therefore prone to race conditions.
+ sync_direct_chat_list: false
+ # Should the bridge use MSC2867 to bridge manual "mark as unread"s from
+ # WhatsApp and set the unread status on initial backfill?
+ # This will only work on clients that support the m.marked_unread or
+ # com.famedly.marked_unread room account data.
+ sync_manual_marked_unread: true
+ # When double puppeting is enabled, users can use `!wa toggle` to change whether
+ # presence is bridged. This setting sets the default value.
+ # Existing users won't be affected when these are changed.
+ default_bridge_presence: true
+ # Send the presence as "available" to whatsapp when users start typing on a portal.
+ # This works as a workaround for homeservers that do not support presence, and allows
+ # users to see when the whatsapp user on the other side is typing during a conversation.
+ send_presence_on_typing: false
+ # Should the bridge always send "active" delivery receipts (two gray ticks on WhatsApp)
+ # even if the user isn't marked as online (e.g. when presence bridging isn't enabled)?
+ #
+ # By default, the bridge acts like WhatsApp web, which only sends active delivery
+ # receipts when it's in the foreground.
+ force_active_delivery_receipts: false
+ # Servers to always allow double puppeting from
+ double_puppet_server_map:
+ example.com: https://example.com
+ # Allow using double puppeting from any server with a valid client .well-known file.
+ double_puppet_allow_discovery: false
+ # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+ #
+ # If set, double puppeting will be enabled automatically for local users
+ # instead of users having to find an access token and run `login-matrix`
+ # manually.
+ login_shared_secret_map:
+ example.com: foobar
+ # Whether to explicitly set the avatar and room name for private chat portal rooms.
+ # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+ # If set to `always`, all DM rooms will have explicit names and avatars set.
+ # If set to `never`, DM rooms will never have names and avatars set.
+ private_chat_portal_meta: default
+ # Should group members be synced in parallel? This makes member sync faster
+ parallel_member_sync: false
+ # Should Matrix m.notice-type messages be bridged?
+ bridge_notices: true
+ # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+ # This field will automatically be changed back to false after it, except if the config file is not writable.
+ resend_bridge_info: false
+ # When using double puppeting, should muted chats be muted in Matrix?
+ mute_bridging: false
+ # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
+ # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix.
+ # This can be set to a tag (e.g. m.lowpriority), or null to disable.
+ archive_tag: null
+ # Same as above, but for pinned chats. The favorite tag is called m.favourite
+ pinned_tag: null
+ # Should mute status and tags only be bridged when the portal room is created?
+ tag_only_on_create: true
+ # Should WhatsApp status messages be bridged into a Matrix room?
+ # Disabling this won't affect already created status broadcast rooms.
+ enable_status_broadcast: true
+ # Should sending WhatsApp status messages be allowed?
+ # This can cause issues if the user has lots of contacts, so it's disabled by default.
+ disable_status_broadcast_send: true
+ # Should the status broadcast room be muted and moved into low priority by default?
+ # This is only applied when creating the room, the user can unmute it later.
+ mute_status_broadcast: true
+ # Tag to apply to the status broadcast room.
+ status_broadcast_tag: m.lowpriority
+ # Should the bridge use thumbnails from WhatsApp?
+ # They're disabled by default due to very low resolution.
+ whatsapp_thumbnail: false
+ # Allow invite permission for user. User can invite any bots to room with whatsapp
+ # users (private chat and groups)
+ allow_user_invite: false
+ # Whether or not created rooms should have federation enabled.
+ # If false, created portal rooms will never be federated.
+ federate_rooms: true
+ # Should the bridge never send alerts to the bridge management room?
+ # These are mostly things like the user being logged out.
+ disable_bridge_alerts: false
+ # Should the bridge stop if the WhatsApp server says another user connected with the same session?
+ # This is only safe on single-user bridges.
+ crash_on_stream_replaced: false
+ # Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview,
+ # and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews`
+ # key in the event content even if this is disabled.
+ url_previews: false
+ # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+ # This is currently not supported in most clients.
+ caption_in_message: false
+ # Send galleries as a single event? This is not an MSC (yet).
+ beeper_galleries: false
+ # Should polls be sent using MSC3381 event types?
+ extev_polls: false
+ # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this.
+ cross_room_replies: false
+ # Disable generating reply fallbacks? Some extremely bad clients still rely on them,
+ # but they're being phased out and will be completely removed in the future.
+ disable_reply_fallbacks: false
+ # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
+ # Null means there's no enforced timeout.
+ message_handling_timeout:
+ # Send an error message after this timeout, but keep waiting for the response until the deadline.
+ # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
+ # If the message is older than this when it reaches the bridge, the message won't be handled at all.
+ error_after: null
+ # Drop messages after this timeout. They may still go through if the message got sent to the servers.
+ # This is counted from the time the bridge starts handling the message.
+ deadline: 120s
+
+ # The prefix for commands. Only required in non-management rooms.
+ command_prefix: "!wa"
+
+ # Messages sent upon joining a management room.
+ # Markdown is supported. The defaults are listed below.
+ management_room_text:
+ # Sent when joining a room.
+ welcome: "Hello, I'm a WhatsApp bridge bot."
+ # Sent when joining a management room and the user is already logged in.
+ welcome_connected: "Use `help` for help."
+ # Sent when joining a management room and the user is not logged in.
+ welcome_unconnected: "Use `help` for help or `login` to log in."
+ # Optional extra text sent when joining a management room.
+ additional_help: ""
+
+ # End-to-bridge encryption support options.
+ #
+ # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+ encryption:
+ # Allow encryption, work in group chat rooms with e2ee enabled
+ allow: false
+ # Default to encryption, force-enable encryption in all portals the bridge creates
+ # This will cause the bridge bot to be in private chats for the encryption to work properly.
+ default: false
+ # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+ appservice: false
+ # Require encryption, drop any unencrypted messages.
+ require: false
+ # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+ # You must use a client that supports requesting keys from other users to use this feature.
+ allow_key_sharing: false
+ # Should users mentions be in the event wire content to enable the server to send push notifications?
+ plaintext_mentions: false
+ # Options for deleting megolm sessions from the bridge.
+ delete_keys:
+ # Beeper-specific: delete outbound sessions when hungryserv confirms
+ # that the user has uploaded the key to key backup.
+ delete_outbound_on_ack: false
+ # Don't store outbound sessions in the inbound table.
+ dont_store_outbound: false
+ # Ratchet megolm sessions forward after decrypting messages.
+ ratchet_on_decrypt: false
+ # Delete fully used keys (index >= max_messages) after decrypting messages.
+ delete_fully_used_on_decrypt: false
+ # Delete previous megolm sessions from same device when receiving a new one.
+ delete_prev_on_new_session: false
+ # Delete megolm sessions received from a device when the device is deleted.
+ delete_on_device_delete: false
+ # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+ periodically_delete_expired: false
+ # Delete inbound megolm sessions that don't have the received_at field used for
+ # automatic ratcheting and expired session deletion. This is meant as a migration
+ # to delete old keys prior to the bridge update.
+ delete_outdated_inbound: false
+ # What level of device verification should be required from users?
+ #
+ # Valid levels:
+ # unverified - Send keys to all device in the room.
+ # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+ # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+ # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+ # Note that creating user signatures from the bridge bot is not currently possible.
+ # verified - Require manual per-device verification
+ # (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+ verification_levels:
+ # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+ receive: unverified
+ # Minimum level that the bridge should accept for incoming Matrix messages.
+ send: unverified
+ # Minimum level that the bridge should require for accepting key requests.
+ share: cross-signed-tofu
+ # Options for Megolm room key rotation. These options allow you to
+ # configure the m.room.encryption event content. See:
+ # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+ # more information about that event.
+ rotation:
+ # Enable custom Megolm room key rotation settings. Note that these
+ # settings will only apply to rooms created after this option is
+ # set.
+ enable_custom: false
+ # The maximum number of milliseconds a session should be used
+ # before changing it. The Matrix spec recommends 604800000 (a week)
+ # as the default.
+ milliseconds: 604800000
+ # The maximum number of messages that should be sent with a given a
+ # session before changing it. The Matrix spec recommends 100 as the
+ # default.
+ messages: 100
+
+ # Disable rotating keys when a user's devices change?
+ # You should not enable this option unless you understand all the implications.
+ disable_device_change_key_rotation: false
+
+ # Settings for provisioning API
+ provisioning:
+ # Prefix for the provisioning API paths.
+ prefix: /_matrix/provision
+ # Shared secret for authentication. If set to "generate", a random secret will be generated,
+ # or if set to "disable", the provisioning API will be disabled.
+ shared_secret: generate
+ # Enable debug API at /debug with provisioning authentication.
+ debug_endpoints: false
+
+ # Permissions for using the bridge.
+ # Permitted values:
+ # relay - Talk through the relaybot (if enabled), no access otherwise
+ # user - Access to use the bridge to chat with a WhatsApp account.
+ # admin - User level and some additional administration tools
+ # Permitted keys:
+ # * - All Matrix users
+ # domain - All users on that homeserver
+ # mxid - Specific user
+ permissions:
+ "*": relay
+ "example.com": user
+ "@admin:example.com": admin
+
+ # Settings for relay mode
+ relay:
+ # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
+ # authenticated user into a relaybot for that chat.
+ enabled: false
+ # Should only admins be allowed to set themselves as relay users?
+ admin_only: true
+ # The formats to use when sending messages to WhatsApp via the relaybot.
+ message_formats:
+ m.text: "{{ .Sender.Displayname }}: {{ .Message }}"
+ m.notice: "{{ .Sender.Displayname }}: {{ .Message }}"
+ m.emote: "* {{ .Sender.Displayname }} {{ .Message }}"
+ m.file: "{{ .Sender.Displayname }} sent a file"
+ m.image: "{{ .Sender.Displayname }} sent an image"
+ m.audio: "{{ .Sender.Displayname }} sent an audio file"
+ m.video: "{{ .Sender.Displayname }} sent a video"
+ m.location: "{{ .Sender.Displayname }} sent a location"
+
+ # Logging config. See https://github.com/tulir/zeroconfig for details.
+ logging:
+ min_level: debug
+ writers:
+ - type: stdout
+ format: pretty-colored
+ - type: file
+ format: json
+ filename: ./logs/mautrix-whatsapp.log
+ max_size: 100
+ max_backups: 10
+ compress: true
\ No newline at end of file
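Review bot: The `permissions` map still holds the upstream placeholders (`"example.com": user`, `"@admin:example.com": admin`) while `homeserver.domain` is `matrix.kluster.moll.re`, so with `relay.enabled: false` no real user can use the bridge; the mautrix-telegram config in this same commit uses `"matrix.kluster.moll.re": "full"` and `"@remy:matrix.kluster.moll.re": "admin"`, so the equivalent here would be `"matrix.kluster.moll.re": user` and `"@remy:matrix.kluster.moll.re": admin`. The same leftover `example.com` keys in `double_puppet_server_map` and `login_shared_secret_map` are inert for this domain and should be either filled in or removed. Note that `as_token`, `hs_token` and any `login_shared_secret_map` value are credentials; once populated they do not belong in a ConfigMap, and the file also ends without a trailing newline.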
diff --git a/apps/matrix/mautrix-whatsapp.statefulset.yaml b/apps/matrix/mautrix-whatsapp.statefulset.yaml
new file mode 100644
index 0000000..a7b36cb
--- /dev/null
+++ b/apps/matrix/mautrix-whatsapp.statefulset.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: mautrix-whatsapp
+spec:
+ selector:
+ matchLabels:
+ app: mautrix-whatsapp
+ serviceName: mautrix-whatsapp
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mautrix-whatsapp
+ spec:
+ containers:
+ - name: mautrix-whatsapp
+ image: mautrix-whatsapp
+ volumeMounts:
+ - name: persistence
+ mountPath: /data
+ # contains config.yaml
+ securityContext:
+ fsGroup: 1337
+
+
+ volumes:
+ - name: persistence
+ persistentVolumeClaim:
+ claimName: mautrix-whatsapp
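Review bot: The `securityContext` / `fsGroup: 1337` pair sits between the container list and the `volumes:` key, and with the indentation flattened in this diff it is not clear whether it belongs to the pod spec or to the container; `fsGroup` is only a pod-level field, so if it ended up under the container the manifest would be rejected (or silently ignored, depending on validation) and the `/data` mount would not get the intended group ownership. The image reference `image: mautrix-whatsapp` carries no registry or tag, which means `:latest` unless a kustomize `images:` transformer not visible in this diff rewrites it; a pinned tag or a comment naming where the tag is set would avoid an unreproducible rollout. Since `/data` holds `config.yaml` with the bridge's shared secret and tokens, `runAsNonRoot: true` alongside `fsGroup` is a cheap hardening for the same stanza.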
diff --git a/apps/matrix/mautrix.pvc.yaml b/apps/matrix/mautrix.pvc.yaml
new file mode 100644
index 0000000..bea0a75
--- /dev/null
+++ b/apps/matrix/mautrix.pvc.yaml
@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: mautrix-telegram
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: mautrix-whatsapp
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/apps/matrix/namespace.yaml b/apps/matrix/namespace.yaml
new file mode 100644
index 0000000..0a074bd
--- /dev/null
+++ b/apps/matrix/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: placeholder
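Review bot: `name: placeholder` only makes sense if the enclosing kustomization's `namespace:` transformer renames the Namespace object, and that kustomization is not part of this hunk, so the intent is invisible to anyone reading the file on its own. A comment above `metadata:` such as `# name is rewritten by the namespace: field of the parent kustomization.yaml` would document the dependency and prevent someone applying the file directly from creating a namespace literally called `placeholder`.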
diff --git a/apps/matrix/postgres.yaml b/apps/matrix/postgres.yaml
new file mode 100644
index 0000000..32c6ced
--- /dev/null
+++ b/apps/matrix/postgres.yaml
@@ -0,0 +1,20 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: matrix-postgres
+spec:
+ instances: 1
+ imageName: ghcr.io/cloudnative-pg/postgresql:16
+ bootstrap:
+ initdb:
+ owner: matrix
+ database: matrix
+ secret:
+ name: postgres-credentials
+
+ storage:
+ size: 1Gi
+ storageClass: nfs-client
+
+ monitoring:
+ enablePodMonitor: true
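Review bot: `secret: name: postgres-credentials` under `bootstrap.initdb` refers to a Secret that does not appear anywhere in this diff, and the synapse ConfigMap in this same commit embeds the database password as a literal instead of consuming that Secret, so the two sources of the credential can drift apart silently; a comment like `# must contain username/password keys; keep in sync with the synapse database config` would at least make the coupling visible. `imageName: ghcr.io/cloudnative-pg/postgresql:16` is pinned to the major version only, so any pod restart may pull a different minor release; pinning the full tag keeps rollouts reproducible. `enablePodMonitor: true` presumably assumes the Prometheus Operator CRDs are installed in this cluster; if they are not, the operator will log errors on reconcile.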
diff --git a/apps/matrix/synapse.configmap.yaml b/apps/matrix/synapse.configmap.yaml
new file mode 100644
index 0000000..1a139ba
--- /dev/null
+++ b/apps/matrix/synapse.configmap.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: synapse
+data:
+ # matrix.kluster.moll.re.log.config: |
+ # version: 1
+
+ # formatters:
+ # precise:
+ # format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+ # handlers:
+ # console:
+ # class: logging.StreamHandler
+ # formatter: precise
+
+ # loggers:
+ # # This is just here so we can leave `loggers` in the config regardless of whether
+ # # we configure other loggers below (avoid empty yaml dict error).
+ # _placeholder:
+ # level: "INFO"
+
+ # synapse.storage.SQL:
+ # # beware: increasing this to DEBUG will make synapse log sensitive
+ # # information such as access tokens.
+ # level: INFO
+
+
+
+ # root:
+ # level: INFO
+ # handlers: [console]
+
+ homeserver.yaml: |
+ server_name: "matrix.kluster.moll.re"
+ report_stats: false
+ # enable_registration: true
+ # enable_registration_without_verification: true
+ listeners:
+ - port: 8448
+ tls: false
+ type: http
+ x_forwarded: true
+ bind_addresses: ['::1', '127.0.0.1']
+ resources:
+ - names: [client, federation]
+ compress: false
+
+ # log_config: "./matrix.kluster.moll.re.log.config"
+ media_store_path: /media_store
+ trusted_key_servers:
+ - server_name: "matrix.org"
+ database:
+ name: psycopg2
+ args:
+ user: matrix
+ password: "0ssdsdsdM6vbxhs.kdjsdasd9Z0qK5bdTwM6vbxh9Z"
+ dbname: matrix
+ host: matrix-postgres-rw
+ cp_min: 5
+ cp_max: 10
\ No newline at end of file
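Review bot: `bind_addresses: ['::1', '127.0.0.1']` restricts the only listener to loopback, while synapse.service.yaml in this commit targets pod port 8448 from outside the pod and no sidecar proxy is visible in synapse.deployment.yaml, so Service and ingress traffic will never reach Synapse; the listener needs a non-loopback bind inside the pod, e.g. `bind_addresses: ['0.0.0.0', '::']`. The `password:` literal under `database.args` places a database credential in plain text in a ConfigMap committed to the repository; since the Cluster in postgres.yaml already takes its credentials from the `postgres-credentials` Secret, delivering `homeserver.yaml` from a Secret (sealed, like the other credentials in this repo) and using the same value there would keep the password out of plain config and prevent the two from drifting. The file also lacks a trailing newline.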
diff --git a/apps/matrix/synapse.deployment.yaml b/apps/matrix/synapse.deployment.yaml
new file mode 100644
index 0000000..1e250c3
--- /dev/null
+++ b/apps/matrix/synapse.deployment.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: synapse
+spec:
+ selector:
+ matchLabels:
+ app: synapse
+ template:
+ metadata:
+ labels:
+ app: synapse
+ spec:
+ containers:
+ - name: synapse
+ image: synapse
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ ports:
+ - containerPort: 8448
+ env:
+ - name: SYNAPSE_CONFIG_PATH
+ value: /config/homeserver.yaml
+ volumeMounts:
+ - name: config
+ mountPath: /config/homeserver.yaml
+ subPath: homeserver.yaml
+ - name: config-persistence
+ mountPath: /config
+ - name: media
+ mountPath: /media_store
+ securityContext:
+ fsGroup: 1001
+ volumes:
+ - name: config
+ configMap:
+ name: synapse
+ - name: config-persistence
+ emptyDir: {}
+ - name: media
+ emptyDir: {}
\ No newline at end of file
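Review bot: Both `config-persistence` and `media` are `emptyDir: {}`, so everything Synapse writes to `/config` and `/media_store` is discarded on every pod restart; for `/media_store` that is every uploaded file, and for `/config` it presumably includes the files Synapse generates next to `homeserver.yaml` at first start (the server signing key among them), which would change the server's federation identity on each restart — confirm against the Synapse startup behaviour. Backing at least `media` with a PersistentVolumeClaim, as the mautrix StatefulSet in this commit does for `/data`, would fix the data-loss case; `persistentVolumeClaim: {claimName: synapse-media}` in place of the `emptyDir` is a two-line change (the PVC itself is not in this diff). `memory: "128Mi"` as a hard limit looks very low for a Synapse homeserver and is likely to produce OOM kills under normal use; the limit should be sized from observed usage rather than left at this value. The file also lacks a trailing newline.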
diff --git a/apps/matrix/synapse.ingress.yaml b/apps/matrix/synapse.ingress.yaml
new file mode 100644
index 0000000..f79e4f6
--- /dev/null
+++ b/apps/matrix/synapse.ingress.yaml
@@ -0,0 +1,29 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: synapse-federation
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`matrix.kluster.moll.re`)
+ kind: Rule
+ services:
+ - name: synapse
+ port: 8448
+ # auto route to the _matrix path
+ middlewares:
+ - name: matrix-redirect
+
+ tls:
+ certResolver: default-tls
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: matrix-redirect
+spec:
+ redirectRegex:
+ regex: "^https://matrix.kluster.moll.re/(.*)"
+ replacement: "https://matrix.kluster.moll.re/_matrix/$${1}"
+ permanent: true
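Review bot: The `matrix-redirect` middleware is attached to the only route, and its regex `^https://matrix.kluster.moll.re/(.*)` also matches requests that are already under `/_matrix/`, so a client following the redirect gets redirected again to `/_matrix/_matrix/...` and so on; with `permanent: true` browsers will additionally cache the broken redirect. Go's RE2 has no lookahead to exclude the prefix in the regex, so the clean fix is to route `/_matrix` traffic directly and apply the middleware only to the catch-all route, relying on Traefik's default rule-length priority so the more specific rule wins. The `$${1}` in `replacement` is the escaping needed for Docker Compose labels; in a Kubernetes CRD the value is presumably passed through unchanged, in which case it yields a literal `$` rather than the captured group — `${1}` is the form to verify against the rendered redirect. The unescaped dots in the regex are harmless here but `\.` documents intent.
```yaml
  routes:
    # API traffic is served directly; the longer rule wins by Traefik's default priority
    - match: Host(`matrix.kluster.moll.re`) && PathPrefix(`/_matrix`)
      kind: Rule
      services:
        - name: synapse
          port: 8448
    # everything else is redirected under /_matrix
    - match: Host(`matrix.kluster.moll.re`)
      kind: Rule
      services:
        - name: synapse
          port: 8448
      middlewares:
        - name: matrix-redirect
# … unchanged: tls stanza and the Middleware document …
```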
diff --git a/apps/matrix/synapse.service.yaml b/apps/matrix/synapse.service.yaml
new file mode 100644
index 0000000..7e633e3
--- /dev/null
+++ b/apps/matrix/synapse.service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: synapse
+spec:
+ selector:
+ app: synapse
+ ports:
+ - protocol: TCP
+ port: 8448
+ targetPort: 8448
diff --git a/apps/nextcloud/pvc.yaml b/apps/nextcloud/pvc.yaml
index e398899..ddce446 100644
--- a/apps/nextcloud/pvc.yaml
+++ b/apps/nextcloud/pvc.yaml
@@ -23,3 +23,29 @@ spec:
requests:
storage: "150Gi"
volumeName: nextcloud-nfs
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nextcloud-syncthing-shared
+spec:
+ capacity:
+ storage: "150Gi"
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: /kluster/syncthing
+ server: 192.168.1.157
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nextcloud-syncthing-shared
+spec:
+ storageClassName: ""
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "150Gi"
+ volumeName: nextcloud-syncthing-shared
\ No newline at end of file
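Review bot: The new PV and PVC `nextcloud-syncthing-shared` declare `accessModes: - ReadWriteOnce` on an NFS export whose name says it is meant to be shared between Nextcloud and Syncthing; a PV binds to a single PVC, and RWO also signals single-node use to the scheduler, so if the second consumer lives in another namespace it cannot bind this PV and, inferring from the name, `ReadWriteMany` with a separate PV per consumer (or one PV per namespace pointing at the same export) is what the setup actually needs — confirm how the Syncthing side mounts it. A short comment above the PV stating which workloads are expected to mount `/kluster/syncthing` would make the sharing contract explicit. The file also lacks a trailing newline.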
diff --git a/apps/nextcloud/values.yaml b/apps/nextcloud/values.yaml
index 8dfdcc8..220c3ba 100644
--- a/apps/nextcloud/values.yaml
+++ b/apps/nextcloud/values.yaml
@@ -1,9 +1,6 @@
## Official nextcloud image version
## ref: https://hub.docker.com/r/library/nextcloud/tags/
-image:
- tag: "28"
-
ingress:
enabled: false
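Review bot: Removing `image.tag: "28"` leaves the Nextcloud image tag to the chart default, so the deployed version now changes implicitly with each chart upgrade unless it is pinned elsewhere (for example by a kustomize `images:` transformer not visible in this diff); if that is the intent, a comment such as `## image tag is set by the parent kustomization` on the `ingress:` block's predecessor line would make it clear that the omission is deliberate. Nextcloud major-version jumps require sequential upgrades, so an unpinned tag is worth a note.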
@@ -49,6 +46,15 @@ nextcloud:
# ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
configs: {}
+ extraVolumes:
+ - name: my-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-nfs
+
+ extraVolumeMounts:
+ - name: my-volume
+ mountPath: /var/www/html/my-volume
+
# For example, to use S3 as primary storage
# ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
#
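Review bot: `extraVolumes` mounts `claimName: nextcloud-nfs` while this same commit adds a new claim `nextcloud-syncthing-shared` in apps/nextcloud/pvc.yaml whose purpose matches what a second mount under the web root would be for, so the claim name here may be the wrong one — confirm which PVC is intended. The placeholder names `my-volume` and `mountPath: /var/www/html/my-volume` appear to be copied from the chart's example values; a descriptive name (and a comment stating what the mounted data is, e.g. `# shared store also written by syncthing`) would make the mount self-explanatory. Mounting a writable shared volume inside the Nextcloud web root also means the files are served/owned by the web process user; note the expected ownership so `fsGroup` can be matched on the other consumer.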
@@ -74,8 +80,7 @@ nginx:
enabled: false
internalDatabase:
- enabled: true
- name: nextcloud
+ enabled: false
##
## External database configuration
@@ -89,13 +94,7 @@ externalDatabase:
## Database host
host: postgres-postgresql.postgres
- ## Database user
- # user: nextcloud
- # ## Database password
- # password: test
-
- ## Database name
database: nextcloud
## Use a existing secret