From d143a902287e3c40d507a0bf14198507c3c32bf7 Mon Sep 17 00:00:00 2001 
From: Remy Moll Date: Sun, 3 Mar 2024 20:35:37 +0100 Subject: [PATCH] testing a few sample (joint) configurations --- apps/files/README.md | 8 + apps/files/kustomization.yaml | 11 + apps/files/namespace.yaml | 4 + apps/files/nextcloud/ingress.yaml | 16 + apps/files/nextcloud/kustomization.yaml | 15 + .../postgres-credentials.sealedsecret.yaml | 17 + apps/files/nextcloud/postgres.yaml | 20 + apps/files/nextcloud/pvc.yaml | 11 + apps/files/nextcloud/values.yaml | 155 ++++++ apps/files/pvc.yaml | 11 + apps/files/syncthing/deployment.yaml | 40 ++ apps/files/syncthing/ingress.yaml | 16 + apps/files/syncthing/kustomization.yaml | 15 + apps/files/syncthing/pvc.yaml | 11 + apps/files/syncthing/service.yaml | 46 ++ apps/files/syncthing/servicemonitor.yaml | 16 + apps/files1/deployment.yaml | 30 + apps/files1/kustomization.yaml | 15 + apps/files1/namespace.yaml | 4 + apps/files1/pvc.yaml | 11 + apps/immich/kustomization.yaml | 11 +- apps/matrix/kustomization.yaml | 30 + apps/matrix/mautrix-telegram.configmap.yaml | 511 ++++++++++++++++++ apps/matrix/mautrix-telegram.statefulset.yaml | 32 ++ apps/matrix/mautrix-whatsapp.configmap.yaml | 428 +++++++++++++++ apps/matrix/mautrix-whatsapp.statefulset.yaml | 30 + apps/matrix/mautrix.pvc.yaml | 23 + apps/matrix/namespace.yaml | 4 + apps/matrix/postgres.yaml | 20 + apps/matrix/synapse.configmap.yaml | 62 +++ apps/matrix/synapse.deployment.yaml | 43 ++ apps/matrix/synapse.ingress.yaml | 29 + apps/matrix/synapse.service.yaml | 11 + apps/nextcloud/pvc.yaml | 26 + apps/nextcloud/values.yaml | 21 +- 35 files changed, 1736 insertions(+), 17 deletions(-) create mode 100644 apps/files/README.md create mode 100644 apps/files/kustomization.yaml create mode 100644 apps/files/namespace.yaml create mode 100644 apps/files/nextcloud/ingress.yaml create mode 100644 apps/files/nextcloud/kustomization.yaml create mode 100644 apps/files/nextcloud/postgres-credentials.sealedsecret.yaml create mode 100644 apps/files/nextcloud/postgres.yaml create mode 
100644 apps/files/nextcloud/pvc.yaml create mode 100644 apps/files/nextcloud/values.yaml create mode 100644 apps/files/pvc.yaml create mode 100644 apps/files/syncthing/deployment.yaml create mode 100644 apps/files/syncthing/ingress.yaml create mode 100644 apps/files/syncthing/kustomization.yaml create mode 100644 apps/files/syncthing/pvc.yaml create mode 100644 apps/files/syncthing/service.yaml create mode 100644 apps/files/syncthing/servicemonitor.yaml create mode 100644 apps/files1/deployment.yaml create mode 100644 apps/files1/kustomization.yaml create mode 100644 apps/files1/namespace.yaml create mode 100644 apps/files1/pvc.yaml create mode 100644 apps/matrix/kustomization.yaml create mode 100644 apps/matrix/mautrix-telegram.configmap.yaml create mode 100644 apps/matrix/mautrix-telegram.statefulset.yaml create mode 100644 apps/matrix/mautrix-whatsapp.configmap.yaml create mode 100644 apps/matrix/mautrix-whatsapp.statefulset.yaml create mode 100644 apps/matrix/mautrix.pvc.yaml create mode 100644 apps/matrix/namespace.yaml create mode 100644 apps/matrix/postgres.yaml create mode 100644 apps/matrix/synapse.configmap.yaml create mode 100644 apps/matrix/synapse.deployment.yaml create mode 100644 apps/matrix/synapse.ingress.yaml create mode 100644 apps/matrix/synapse.service.yaml diff --git a/apps/files/README.md b/apps/files/README.md new file mode 100644 index 0000000..641143c --- /dev/null +++ b/apps/files/README.md @@ -0,0 +1,8 @@ +# File sync + +My personal cross-platform filesync. Using syncthing for my android and linux clients. And nextcloud for my ios clients. + + +## Overview +Both services share a common persistence which allows them to apply each their own logic for synching to other devices. The server acts as a relay. + diff --git a/apps/files/kustomization.yaml b/apps/files/kustomization.yaml new file mode 100644 index 0000000..5919c98 --- /dev/null +++ b/apps/files/kustomization.yaml 
@@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: files + +resources: + - namespace.yaml + - pvc.yaml + + - syncthing/ + - nextcloud/ diff --git a/apps/files/namespace.yaml b/apps/files/namespace.yaml new file mode 100644 index 0000000..0a074bd --- /dev/null +++ b/apps/files/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: placeholder diff --git a/apps/files/nextcloud/ingress.yaml b/apps/files/nextcloud/ingress.yaml new file mode 100644 index 0000000..5ef0d35 --- /dev/null +++ b/apps/files/nextcloud/ingress.yaml @@ -0,0 +1,16 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: nextcloud-ingress + +spec: + entryPoints: + - websecure + routes: + - match: Host(`nextcloud2.kluster.moll.re`) + kind: Rule + services: + - name: nextcloud + port: 8080 + tls: + certResolver: default-tls diff --git a/apps/files/nextcloud/kustomization.yaml b/apps/files/nextcloud/kustomization.yaml new file mode 100644 index 0000000..aa712e4 --- /dev/null +++ b/apps/files/nextcloud/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - pvc.yaml + - ingress.yaml + - postgres.yaml + - postgres-credentials.sealedsecret.yaml + +helmCharts: + - name: nextcloud + releaseName: nextcloud + version: 4.5.5 + valuesFile: values.yaml + repo: https://nextcloud.github.io/helm/ diff --git a/apps/files/nextcloud/postgres-credentials.sealedsecret.yaml b/apps/files/nextcloud/postgres-credentials.sealedsecret.yaml new file mode 100644 index 0000000..9f41cd5 --- /dev/null +++ b/apps/files/nextcloud/postgres-credentials.sealedsecret.yaml 
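Review bot: The Nextcloud IngressRoute terminates TLS at Traefik and forwards plain HTTP to port 8080, but nothing in this change tells Nextcloud it is behind a reverse proxy, so it will see Traefik's pod IP as the client address and may emit http:// links. Nextcloud's brute-force throttling keys on that remote address, so a few bad logins from anywhere would throttle every user coming through the proxy. Consider adding `'trusted_proxies' => ['<traefik pod/service CIDR>']` and `'overwriteprotocol' => 'https'` through `nextcloud.configs` in values.yaml; this is inferred from the route, since the rendered config.php is not visible here.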
@@ -0,0 +1,17 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: postgres-credentials + namespace: files +spec: + encryptedData: + database: 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 + password: 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 + username: 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 + template: + metadata: + creationTimestamp: null + name: postgres-credentials + namespace: files diff --git a/apps/files/nextcloud/postgres.yaml b/apps/files/nextcloud/postgres.yaml new file mode 100644 index 0000000..d6669fe --- /dev/null +++ b/apps/files/nextcloud/postgres.yaml @@ -0,0 +1,20 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: nextcloud-postgres +spec: + instances: 1 + imageName: ghcr.io/cloudnative-pg/postgresql:16 + bootstrap: + initdb: + owner: nextcloud + database: nextcloud + secret: + name: postgres-credentials + + storage: + size: 1Gi + storageClass: nfs-client + + monitoring: + enablePodMonitor: true diff --git a/apps/files/nextcloud/pvc.yaml b/apps/files/nextcloud/pvc.yaml new file mode 100644 index 0000000..451e3db --- /dev/null +++ b/apps/files/nextcloud/pvc.yaml @@ -0,0 +1,11 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: nextcloud-config +spec: + storageClassName: nfs-client + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi diff --git a/apps/files/nextcloud/values.yaml b/apps/files/nextcloud/values.yaml new file mode 100644 index 0000000..2d2412c --- /dev/null +++ b/apps/files/nextcloud/values.yaml 
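Review bot: The SealedSecret `template` carries no `type`, so the unsealed Secret will be Opaque, while postgres.yaml hands it to CNPG as `bootstrap.initdb.secret`; CNPG's own generated credential secrets are `kubernetes.io/basic-auth`, and I am not certain the operator accepts an Opaque one. Adding `type: kubernetes.io/basic-auth` under `template:` removes the ambiguity and does not require resealing, since the type is not part of the encrypted payload. The extra `database` key is unused by CNPG and harmless; the Nextcloud chart reads only `username`/`password` per values.yaml.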
@@ -0,0 +1,155 @@ +## Official nextcloud image version +## ref: https://hub.docker.com/r/library/nextcloud/tags/ + +ingress: + enabled: false + + +nextcloud: + host: nextcloud2.kluster.moll.re + username: admin + password: changeme + ## Use an existing secret + existingSecret: + enabled: false + update: 0 + # If web server is not binding default port, you can define it + # containerPort: 8080 + datadir: /var/www/html/data + persistence: + subPath: + mail: + enabled: false + # PHP Configuration files + # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true + phpConfigs: {} + # Default config files + # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself + # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/16.0/apache/config + defaultConfigs: + # To protect /var/www/html/config + .htaccess: true + # Redis default configuration + redis.config.php: true + # Apache configuration for rewrite urls + apache-pretty-urls.config.php: true + # Define APCu as local cache + apcu.config.php: true + # Apps directory configs + apps.config.php: true + # Used for auto configure database + autoconfig.php: true + # SMTP default configuration + smtp.config.php: true + + + extraVolumes: + - name: files-nfs + persistentVolumeClaim: + claimName: files-nfs + + extraVolumeMounts: + - name: files-nfs + mountPath: /files + + + # Extra config files created in /var/www/html/config/ + # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file + # configs: + # config.php: |- + + # For example, to use S3 as primary storage + # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3 + # + # configs: + # s3.config.php: |- + # array( + # 'class' => '\\OC\\Files\\ObjectStore\\S3', + # 'arguments' => 
array( + # 'bucket' => 'my-bucket', + # 'autocreate' => true, + # 'key' => 'xxx', + # 'secret' => 'xxx', + # 'region' => 'us-east-1', + # 'use_ssl' => true + # ) + # ) + # ); + +nginx: + ## You need to set an fpm version of the image for nextcloud if you want to use nginx! + enabled: false + +internalDatabase: + enabled: false + +## +## External database configuration +## +externalDatabase: + enabled: true + type: postgresql + host: nextcloud-postgres-rw + + database: nextcloud + existingSecret: + enabled: true + secretName: postgres-credentials + usernameKey: username + passwordKey: password + + +mariadb: + enabled: false +postgresql: + enabled: false +redis: + enabled: false + + +cronjob: + enabled: false + +persistence: + # Nextcloud Data (/var/www/html) + enabled: true + annotations: {} + + ## If defined, PVC must be created manually before volume will be bound + existingClaim: nextcloud-config + + ## Use an additional pvc for the data directory rather than a subpath of the default PVC + ## Useful to store data on a different storageClass (e.g. on slower disks) + nextcloudData: + enabled: false + + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 2000m + memory: 2Gi + requests: + cpu: 100m + memory: 128Mi + +livenessProbe: + enabled: false + # disable when upgrading from a previous chart version + +hpa: + enabled: false + +## Prometheus Exporter / Metrics +## +metrics: + enabled: false + + +rbac: + enabled: false diff --git a/apps/files/pvc.yaml b/apps/files/pvc.yaml new file mode 100644 index 0000000..ede5bd1 --- /dev/null +++ b/apps/files/pvc.yaml 
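Review bot: `nextcloud.password: changeme` with `existingSecret.enabled: false` commits the Nextcloud admin credential to git and bakes it into the rendered chart output; the chart supports `nextcloud.existingSecret` with `usernameKey`/`passwordKey`, so the admin login should come from a SealedSecret the same way the database credentials already do (`existingSecret: {enabled: true, secretName: nextcloud-admin, usernameKey: username, passwordKey: password}`). If this placeholder has already been applied, rotate the admin password, since `changeme` is now in history. Separately, the `files-nfs` claim mounted at `/files` is the same RWX volume the Syncthing deployment writes, so both containers presumably need to agree on UID/GID or one side will create files the other cannot modify — worth confirming before real data lands there.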
@@ -0,0 +1,11 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: files-nfs +spec: + storageClassName: nfs-client + accessModes: + - ReadWriteMany + resources: + requests: + storage: 100Gi diff --git a/apps/files/syncthing/deployment.yaml b/apps/files/syncthing/deployment.yaml new file mode 100644 index 0000000..aaa143b --- /dev/null +++ b/apps/files/syncthing/deployment.yaml @@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: syncthing +spec: + selector: + matchLabels: + app: syncthing + template: + metadata: + labels: + app: syncthing + spec: + containers: + - name: syncthing + image: syncthing + resources: + limits: + memory: "256Mi" + cpu: "500m" + ports: + - containerPort: 8384 + protocol: TCP + name: syncthing-web + - containerPort: 22000 + protocol: TCP + - containerPort: 22000 + protocol: UDP + volumeMounts: + - name: persistence + mountPath: /files + - name: config + mountPath: /var/syncthing/config + volumes: + - name: persistence + persistentVolumeClaim: + claimName: files-nfs + - name: config + persistentVolumeClaim: + claimName: syncthing-config diff --git a/apps/files/syncthing/ingress.yaml b/apps/files/syncthing/ingress.yaml new file mode 100644 index 0000000..84e7b99 --- /dev/null +++ b/apps/files/syncthing/ingress.yaml @@ -0,0 +1,16 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: rss-ingressroute + +spec: + entryPoints: + - websecure + routes: + - match: Host(`syncthing2.kluster.moll.re`) + kind: Rule + services: + - name: syncthing-web + port: 8384 + tls: + certResolver: default-tls diff --git a/apps/files/syncthing/kustomization.yaml b/apps/files/syncthing/kustomization.yaml new file mode 100644 index 0000000..8d4e1f3 --- /dev/null +++ b/apps/files/syncthing/kustomization.yaml 
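Review bot: The Syncthing container is given no `securityContext` and no `PUID`/`PGID`, so it runs with the image's default user; the official `syncthing/syncthing` image runs as root unless those are set, which matters because `/files` is an NFS share also written by Nextcloud. I would add `env: [{name: PUID, value: "33"}, {name: PGID, value: "33"}]` (matching whatever UID the Nextcloud chart uses — confirm) together with `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}`. The `image: syncthing` is retargeted to `syncthing/syncthing:1.27` by the kustomization, a floating minor tag; a patch version or digest keeps rollouts reproducible.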
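Review bot: This IngressRoute publishes the Syncthing admin GUI (port 8384) on `syncthing2.kluster.moll.re` with TLS but no authentication; Syncthing ships without a GUI user/password, so until one is set in the config (or a Traefik `middlewares:` entry enforces basic/forward auth) anyone reaching the hostname can add devices and folders to the share. Nothing in this commit sets a GUI password, so either attach an auth middleware to the route or hold off exposing it on `websecure` until the config PVC carries credentials. The route is also named `rss-ingressroute`, which looks copied from another app; `syncthing-ingressroute` would be clearer.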
@@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - pvc.yaml + - deployment.yaml + - service.yaml + - ingress.yaml + - servicemonitor.yaml + # - syncthing-api.sealedsecret.yaml + +images: + - name: syncthing + newName: syncthing/syncthing + newTag: "1.27" diff --git a/apps/files/syncthing/pvc.yaml b/apps/files/syncthing/pvc.yaml new file mode 100644 index 0000000..83b292d --- /dev/null +++ b/apps/files/syncthing/pvc.yaml @@ -0,0 +1,11 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: syncthing-config +spec: + storageClassName: nfs-client + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi diff --git a/apps/files/syncthing/service.yaml b/apps/files/syncthing/service.yaml new file mode 100644 index 0000000..85a6103 --- /dev/null +++ b/apps/files/syncthing/service.yaml @@ -0,0 +1,46 @@ +apiVersion: v1 +kind: Service +metadata: + name: syncthing-web + labels: + app: syncthing +spec: + selector: + app: syncthing + type: ClusterIP + ports: + - port: 8384 + targetPort: 8384 + name: syncthing-web +--- +apiVersion: v1 +kind: Service +metadata: + name: syncthing-listen + annotations: + metallb.universe.tf/allow-shared-ip: syncthing-service +spec: + selector: + app: syncthing + type: LoadBalancer + loadBalancerIP: 192.168.3.5 + ports: + - port: 22000 + targetPort: 22000 + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + name: syncthing-discover + annotations: + metallb.universe.tf/allow-shared-ip: syncthing-service +spec: + selector: + app: syncthing + type: LoadBalancer + loadBalancerIP: 192.168.3.5 + ports: + - port: 22000 + targetPort: 22000 + protocol: UDP diff --git a/apps/files/syncthing/servicemonitor.yaml b/apps/files/syncthing/servicemonitor.yaml new file mode 100644 index 0000000..878576a --- /dev/null +++ b/apps/files/syncthing/servicemonitor.yaml 
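Review bot: `syncthing-discover` is a misleading name: 22000/udp is Syncthing's QUIC sync listener, the same protocol port as the TCP service above it, while local discovery uses 21027/udp and is not exposed here; `syncthing-listen-tcp`/`syncthing-listen-udp` would document that. Both LoadBalancer services also default to `externalTrafficPolicy: Cluster`, so the pod sees node-SNAT addresses instead of peer IPs in its logs and device list. `externalTrafficPolicy: Local` preserves them, though whether that works cleanly depends on the MetalLB mode in use, which is not visible here.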
@@ -0,0 +1,16 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: syncthing-servicemonitor + labels: + app: syncthing +spec: + selector: + matchLabels: + app: syncthing + endpoints: + - port: syncthing-web + path: /metrics + bearerTokenSecret: + name: syncthing-api + key: token diff --git a/apps/files1/deployment.yaml b/apps/files1/deployment.yaml new file mode 100644 index 0000000..9eeac1e --- /dev/null +++ b/apps/files1/deployment.yaml @@ -0,0 +1,30 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: spacedrive +spec: + selector: + matchLabels: + app: spacedrive + template: + metadata: + labels: + app: spacedrive + spec: + containers: + - name: spacedrive + image: spacedrive + resources: + limits: + memory: "128Mi" + cpu: "500m" + ports: + - containerPort: 80 + volumeMounts: + - name: storage + mountPath: /data + + volumes: + - name: storage + persistentVolumeClaim: + claimName: spacedrive-nfs diff --git a/apps/files1/kustomization.yaml b/apps/files1/kustomization.yaml new file mode 100644 index 0000000..94305fa --- /dev/null +++ b/apps/files1/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: files1 + +resources: + - namespace.yaml + - pvc.yaml + - deployment.yaml + + +images: + - name: spacedrive + newName: ghcr.io/spacedriveapp/spacedrive/server + newTag: 0.2.4 diff --git a/apps/files1/namespace.yaml b/apps/files1/namespace.yaml new file mode 100644 index 0000000..0a074bd --- /dev/null +++ b/apps/files1/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: placeholder diff --git a/apps/files1/pvc.yaml b/apps/files1/pvc.yaml new file mode 100644 index 0000000..590b37d --- /dev/null +++ b/apps/files1/pvc.yaml @@ -0,0 +1,11 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: spacedrive-nfs +spec: + storageClassName: nfs-client + accessModes: + - ReadWriteMany + resources: + requests: + storage: 100Gi 
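Review bot: The ServiceMonitor's `bearerTokenSecret` references a Secret `syncthing-api` that this commit never creates — the only candidate, `syncthing-api.sealedsecret.yaml`, is commented out in the kustomization — so Prometheus will fail to resolve the token and drop the `/metrics` target (or, if the GUI has no auth, scrape it unauthenticated). Either uncomment the SealedSecret once it exists or remove the `bearerTokenSecret` stanza until it does, so the applied monitor matches reality. Keep the API key in a SealedSecret when it is added; it is an admin credential for the GUI, not just a metrics token.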
diff --git a/apps/immich/kustomization.yaml b/apps/immich/kustomization.yaml index 8158765..d1e9cb1 100644 --- a/apps/immich/kustomization.yaml +++ b/apps/immich/kustomization.yaml @@ -1,11 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- namespace.yaml -- ingress.yaml -- pvc.yaml -- postgres.yaml -- postgres.sealedsecret.yaml + - namespace.yaml + - ingress.yaml + - pvc.yaml + - postgres.yaml + - postgres.sealedsecret.yaml namespace: immich @@ -22,4 +22,3 @@ images: newTag: v1.95.1 - name: ghcr.io/immich-app/immich-server newTag: v1.95.1 - diff --git a/apps/matrix/kustomization.yaml b/apps/matrix/kustomization.yaml new file mode 100644 index 0000000..a36e593 --- /dev/null +++ b/apps/matrix/kustomization.yaml @@ -0,0 +1,30 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - namespace.yaml + - postgres.yaml + - synapse.deployment.yaml + - synapse.service.yaml + - synapse.configmap.yaml + - synapse.ingress.yaml + - postgres-credentials.secret.yaml + + - mautrix.pvc.yaml + - mautrix-telegram.statefulset.yaml + - mautrix-telegram.configmap.yaml + - mautrix-whatsapp.statefulset.yaml + + +namespace: matrix + +images: + - name: mautrix-telegram + newName: dock.mau.dev/mautrix/telegram + newTag: "v0.15.1" + - name: mautrix-whatsapp + newName: dock.mau.dev/mautrix/whatsapp + newTag: "v0.10.5" + - name: synapse + newName: ghcr.io/element-hq/synapse + newTag: "v1.100.0" diff --git a/apps/matrix/mautrix-telegram.configmap.yaml b/apps/matrix/mautrix-telegram.configmap.yaml new file mode 100644 index 0000000..fe06cf9 --- /dev/null +++ b/apps/matrix/mautrix-telegram.configmap.yaml 
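Review bot: `resources` lists `postgres-credentials.secret.yaml`, a file this commit does not create (it is absent from the diffstat), so `kustomize build` will fail on this path; and if the intent is to commit a plain `Secret`, that puts the Postgres password in git, unlike the `files` app which uses a SealedSecret for the same credential. `mautrix-whatsapp.configmap.yaml` is created here but not listed, so the whatsapp StatefulSet presumably references a ConfigMap that is never applied — verify against the statefulset. The three bridge/synapse image tags are pinned, which is good; the `postgres.yaml` for this app is not visible in this chunk, but if it reuses the `:16` floating tag from the files app the same pinning applies.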
@@ -0,0 +1,511 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: mautrix-telegram +data: + config.yaml: | + # Homeserver details + homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:8448 + # The domain of the homeserver (for MXIDs, etc). + domain: matrix.kluster.moll.re + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: false + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false + # Application service host/registration related details + # Changing these values requires regeneration of the registration. + appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-telegram:29318 + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29317 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + # The full URI to the database. SQLite and Postgres are supported. 
+ # Format examples: + # SQLite: sqlite:filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:mautrix-telegram.db + + # The unique ID of this appservice. + id: telegram + # Username of the appservice bot. + bot_username: telegrambot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Telegram bridge bot + bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + + # Bridge config + bridge: + # Localpart template of MXIDs for Telegram users. + # {userid} is replaced with the user ID of the Telegram user. + username_template: "telegram_{userid}" + # Localpart template of room aliases for Telegram portal rooms. + # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) + alias_template: "telegram_{groupname}" + # Displayname template for Telegram users. + # {displayname} is replaced with the display name of the Telegram user. + displayname_template: "{displayname} (Telegram)" + # Set the preferred order of user identifiers which to use in the Matrix puppet display name. + # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user + # ID is used. + # + # If the bridge is working properly, a phone number or an username should always be known, but + # the other one can very well be empty. 
+ # + # Valid keys: + # "full name" (First and/or last name) + # "full name reversed" (Last and/or first name) + # "first name" + # "last name" + # "username" + # "phone number" + displayname_preference: + - full name + - username + - phone number + # Maximum length of displayname + displayname_max_length: 100 + # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default + # as there's no way to determine whether an avatar is removed or just hidden from some users. If + # you're on a single-user instance, this should be safe to enable. + allow_avatar_remove: false + # Should contact names and profile pictures be allowed? + # This is only safe to enable on single-user instances. + allow_contact_info: false + # Maximum number of members to sync per portal when starting up. Other members will be + # synced when they send messages. The maximum is 10000, after which the Telegram server + # will not send any more members. + # -1 means no limit (which means it's limited to 10000 by the server) + max_initial_member_sync: 100 + # Maximum number of participants in chats to bridge. Only applies when the portal is being created. + # If there are more members when trying to create a room, the room creation will be cancelled. + # -1 means no limit (which means all chats can be bridged) + max_member_count: -1 + # Whether or not to sync the member list in channels. + # If no channel admins have logged into the bridge, the bridge won't be able to sync the member + # list regardless of this setting. + sync_channel_members: false + # Whether or not to skip deleted members when syncing members. + skip_deleted_members: true + # Whether or not to automatically synchronize contacts and chats of Matrix users logged into + # their Telegram account at startup. + startup_sync: false + # Number of most recently active dialogs to check when syncing chats. + # Set to 0 to remove limit. 
+ sync_update_limit: 0 + # Number of most recently active dialogs to create portals for when syncing chats. + # Set to 0 to remove limit. + sync_create_limit: 15 + # Should all chats be scheduled to be created later? + # This is best used in combination with MSC2716 infinite backfill. + sync_deferred_create_all: false + # Whether or not to sync and create portals for direct chats at startup. + sync_direct_chats: false + # The maximum number of simultaneous Telegram deletions to handle. + # A large number of simultaneous redactions could put strain on your homeserver. + max_telegram_delete: 10 + # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames) + # at startup and when creating a bridge. + sync_matrix_state: true + # Allow logging in within Matrix. If false, users can only log in using login-qr or the + # out-of-Matrix login website (see appservice.public config section) + allow_matrix_login: true + # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix. + public_portals: false + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: false + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Servers to always allow double puppeting from + double_puppet_server_map: + example.com: https://example.com + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. 
+ # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + login_shared_secret_map: + example.com: foobar + # Set to false to disable link previews in messages sent to Telegram. + telegram_link_preview: true + # Whether or not the !tg join command should do a HTTP request + # to resolve redirects in invite links. + invite_link_resolve: false + # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. + # This is currently not supported in most clients. + caption_in_message: false + # Maximum size of image in megabytes before sending to Telegram as a document. + image_as_file_size: 10 + # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216. + image_as_file_pixels: 16777216 + # Enable experimental parallel file transfer, which makes uploads/downloads much faster by + # streaming from/to Matrix and using many connections for Telegram. + # Note that generating HQ thumbnails for videos is not possible with streamed transfers. + # This option uses internal Telethon implementation details and may break with minor updates. + parallel_file_transfer: false + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Should the bridge send all unicode reactions as custom emoji reactions to Telegram? + # By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions. + always_custom_emoji_reaction: false + # Settings for converting animated stickers. + animated_sticker: + # Format to which animated stickers should be converted. 
+ # disable - No conversion, send as-is (gzipped lottie) + # png - converts to non-animated png (fastest), + # gif - converts to animated gif + # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support + # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support + target: gif + # Should video stickers be converted to the specified format as well? + convert_from_webm: false + # Arguments for converter. All converters take width and height. + args: + width: 256 + height: 256 + fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended) + # Settings for converting animated emoji. + # Same as animated_sticker, but webm is not supported as the target + # (because inline images can only contain images, not videos). + animated_emoji: + target: webp + args: + width: 64 + height: 64 + fps: 25 + # # End-to-bridge encryption support options. + # # + # # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + # encryption: + # # Allow encryption, work in group chat rooms with e2ee enabled + # allow: false + # # Default to encryption, force-enable encryption in all portals the bridge creates + # # This will cause the bridge bot to be in private chats for the encryption to work properly. + # default: false + # # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + # appservice: false + # # Require encryption, drop any unencrypted messages. + # require: false + # # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # # You must use a client that supports requesting keys from other users to use this feature. + # allow_key_sharing: false + # # Options for deleting megolm sessions from the bridge. + # delete_keys: + # # Beeper-specific: delete outbound sessions when hungryserv confirms + # # that the user has uploaded the key to key backup. 
+ # delete_outbound_on_ack: false + # # Don't store outbound sessions in the inbound table. + # dont_store_outbound: false + # # Ratchet megolm sessions forward after decrypting messages. + # ratchet_on_decrypt: false + # # Delete fully used keys (index >= max_messages) after decrypting messages. + # delete_fully_used_on_decrypt: false + # # Delete previous megolm sessions from same device when receiving a new one. + # delete_prev_on_new_session: false + # # Delete megolm sessions received from a device when the device is deleted. + # delete_on_device_delete: false + # # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + # periodically_delete_expired: false + # # Delete inbound megolm sessions that don't have the received_at field used for + # # automatic ratcheting and expired session deletion. This is meant as a migration + # # to delete old keys prior to the bridge update. + # delete_outdated_inbound: false + # # What level of device verification should be required from users? + # # + # # Valid levels: + # # unverified - Send keys to all device in the room. + # # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # # Note that creating user signatures from the bridge bot is not currently possible. + # # verified - Require manual per-device verification + # # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + # verification_levels: + # # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + # receive: unverified + # # Minimum level that the bridge should accept for incoming Matrix messages. 
+ # send: unverified + # # Minimum level that the bridge should require for accepting key requests. + # share: cross-signed-tofu + # # Options for Megolm room key rotation. These options allow you to + # # configure the m.room.encryption event content. See: + # # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # # more information about that event. + # rotation: + # # Enable custom Megolm room key rotation settings. Note that these + # # settings will only apply to rooms created after this option is + # # set. + # enable_custom: false + # # The maximum number of milliseconds a session should be used + # # before changing it. The Matrix spec recommends 604800000 (a week) + # # as the default. + # milliseconds: 604800000 + # # The maximum number of messages that should be sent with a given a + # # session before changing it. The Matrix spec recommends 100 as the + # # default. + # messages: 100 + # # Disable rotating keys when a user's devices change? + # # You should not enable this option unless you understand all the implications. + # disable_device_change_key_rotation: false + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Disable generating reply fallbacks? Some extremely bad clients still rely on them, + # but they're being phased out and will be completely removed in the future. + disable_reply_fallbacks: false + # Should cross-chat replies from Telegram be bridged? Most servers and clients don't support this. + cross_room_replies: false + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Telegram. 
+ delivery_receipts: false
+ # Whether or not delivery errors should be reported as messages in the Matrix room.
+ delivery_error_reports: false
+ # Should errors in incoming message handling send a message to the Matrix room?
+ incoming_bridge_error_reports: false
+ # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+ message_status_events: false
+ # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+ # This field will automatically be changed back to false after it,
+ # except if the config file is not writable.
+ resend_bridge_info: false
+ # When using double puppeting, should muted chats be muted in Matrix?
+ mute_bridging: false
+ # When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
+ # The favorites tag is `m.favourite`.
+ pinned_tag: null
+ # Same as above for archived chats, the low priority tag is `m.lowpriority`.
+ archive_tag: null
+ # Whether or not mute status and tags should only be bridged when the portal room is created.
+ tag_only_on_create: true
+ # Should leaving the room on Matrix make the user leave on Telegram?
+ bridge_matrix_leave: true
+ # Should the user be kicked out of all portals when logging out of the bridge?
+ kick_on_logout: true
+ # Should the "* user joined Telegram" notice always be marked as read automatically?
+ always_read_joined_telegram_notice: true
+ # Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room?
+ # Requires the user to have sufficient power level and double puppeting enabled.
+ create_group_on_invite: true
+ # Settings for backfilling messages from Telegram.
+ backfill:
+ # Allow backfilling at all?
+ enable: true
+ # Whether or not to enable backfilling in normal groups.
+ # Normal groups have numerous technical problems in Telegram, and backfilling normal groups
+ # will likely cause problems if there are multiple Matrix users in the group.
+ normal_groups: false
+ # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram.
+ # Set to -1 to let any chat be unread.
+ unread_hours_threshold: 720
+ # Forward backfilling limits.
+ #
+ # Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch.
+ forward_limits:
+ # Number of messages to backfill immediately after creating a portal.
+ initial:
+ user: 50
+ normal_group: 100
+ supergroup: 10
+ channel: 10
+ # Number of messages to backfill when syncing chats.
+ sync:
+ user: 100
+ normal_group: 100
+ supergroup: 100
+ channel: 100
+ # Timeout for forward backfills in seconds. If you have a high limit, you'll have to increase this too.
+ forward_timeout: 900
+ # Settings for incremental backfill of history. These only apply to Beeper, as upstream abandoned MSC2716.
+ incremental:
+ # Maximum number of messages to backfill per batch.
+ messages_per_batch: 100
+ # The number of seconds to wait after backfilling the batch of messages.
+ post_batch_delay: 20
+ # The maximum number of batches to backfill per portal, split by the chat type.
+ # If set to -1, all messages in the chat will eventually be backfilled.
+ max_batches:
+ # Direct chats
+ user: -1
+ # Normal groups. Note that the normal_groups option above must be enabled
+ # for these to be backfilled.
+ normal_group: -1
+ # Supergroups
+ supergroup: 10
+ # Broadcast channels
+ channel: -1
+ # Overrides for base power levels.
+ initial_power_level_overrides:
+ user: {}
+ group: {}
+ # Whether to bridge Telegram bot messages as m.notices or m.texts.
+ bot_messages_as_notices: true
+ bridge_notices:
+ # Whether or not Matrix bot messages (type m.notice) should be bridged.
+ default: false
+ # List of user IDs for whom the previous flag is flipped.
+ # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
+ # notices from users listed here will be bridged.
+ exceptions: []
+ # An array of possible values for the $distinguisher variable in message formats.
+ # Each user gets one of the values here, based on a hash of their user ID.
+ # If the array is empty, the $distinguisher variable will also be empty.
+ relay_user_distinguishers: ["\U0001F7E6", "\U0001F7E3", "\U0001F7E9", "⭕️", "\U0001F536", "⬛️", "\U0001F535", "\U0001F7E2"]
+ # The formats to use when sending messages to Telegram via the relay bot.
+ # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
+ #
+ # Available variables:
+ # $sender_displayname - The display name of the sender (e.g. Example User)
+ # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
+ # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
+ # $distinguisher - A random string from the options in the relay_user_distinguishers array.
+ # $message - The message content
+ message_formats:
+ m.text: "$distinguisher $sender_displayname: $message"
+ m.notice: "$distinguisher $sender_displayname: $message"
+ m.emote: "* $distinguisher $sender_displayname $message"
+ m.file: "$distinguisher $sender_displayname sent a file: $message"
+ m.image: "$distinguisher $sender_displayname sent an image: $message"
+ m.audio: "$distinguisher $sender_displayname sent an audio file: $message"
+ m.video: "$distinguisher $sender_displayname sent a video: $message"
+ m.location: "$distinguisher $sender_displayname sent a location: $message"
+ # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
+ # users are sent to telegram. All fields in message_formats are supported. Additionally, the
+ # Telegram user info is available in the following variables:
+ # $displayname - Telegram displayname
+ # $username - Telegram username (may not exist)
+ # $mention - Telegram @username or displayname mention (depending on which exists)
+ emote_format: "* $mention $formatted_body"
+ # The formats to use when sending state events to Telegram via the relay bot.
+ #
+ # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
+ # In name_change events, `$prev_displayname` is the previous displayname.
+ #
+ # Set format to an empty string to disable the messages for that event.
+ state_event_formats:
+ join: "$distinguisher $displayname joined the room."
+ leave: "$distinguisher $displayname left the room."
+ name_change: "$distinguisher $prev_displayname changed their name to $distinguisher $displayname"
+ # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
+ # `filter-mode` management commands.
+ #
+ # An empty blacklist will essentially disable the filter.
+ filter:
+ # Filter mode to use. Either "blacklist" or "whitelist".
+ # If the mode is "blacklist", the listed chats will never be bridged.
+ # If the mode is "whitelist", only the listed chats can be bridged.
+ mode: blacklist
+ # The list of group/channel IDs to filter.
+ list: []
+ # How to handle direct chats:
+ # If users is "null", direct chats will follow the previous settings.
+ # If users is "true", direct chats will always be bridged.
+ # If users is "false", direct chats will never be bridged.
+ users: true
+ # The prefix for commands. Only required in non-management rooms.
+ command_prefix: "!tg"
+ # Messages sent upon joining a management room.
+ # Markdown is supported. The defaults are listed below.
+ management_room_text:
+ # Sent when joining a room.
+ welcome: "Hello, I'm a Telegram bridge bot."
+ # Sent when joining a management room and the user is already logged in.
+ welcome_connected: "Use `help` for help."
+ # Sent when joining a management room and the user is not logged in.
+ welcome_unconnected: "Use `help` for help or `login` to log in."
+ # Optional extra text sent when joining a management room.
+ additional_help: ""
+ # Send each message separately (for readability in some clients)
+ management_room_multiple_messages: false
+ # Permissions for using the bridge.
+ # Permitted values:
+ # relaybot - Only use the bridge via the relaybot, no access to commands.
+ # user - Relaybot level + access to commands to create bridges.
+ # puppeting - User level + logging in with a Telegram account.
+ # full - Full access to use the bridge, i.e. previous levels + Matrix login.
+ # admin - Full access to use the bridge and some extra administration commands.
+ # Permitted keys:
+ # * - All Matrix users
+ # domain - All users on that homeserver
+ # mxid - Specific user
+ permissions:
+ "matrix.kluster.moll.re": "full"
+ "@remy:matrix.kluster.moll.re": "admin"
+ # Options related to the message relay Telegram bot.
+ relaybot:
+ private_chat:
+ # List of users to invite to the portal when someone starts a private chat with the bot.
+ # If empty, private chats with the bot won't create a portal.
+ invite: []
+ # Whether or not to bridge state change messages in relaybot private chats.
+ state_changes: true
+ # When private_chat_invite is empty, this message is sent to users /starting the
+ # relaybot. Telegram's "markdown" is supported.
+ message: This is a Matrix bridge relaybot and does not support direct chats
+ # List of users to invite to all group chat portals created by the bridge.
+ group_chat_invite: []
+ # Whether or not the relaybot should not bridge events in unbridged group chats.
+ # If false, portals will be created when the relaybot receives messages, just like normal
+ # users. This behavior is usually not desirable, as it interferes with manually bridging
+ # the chat to another room.
+ ignore_unbridged_group_chat: true
+ # Whether or not to allow creating portals from Telegram.
+ authless_portals: true
+ # Whether or not to allow Telegram group admins to use the bot commands.
+ whitelist_group_admins: true
+ # Whether or not to ignore incoming events sent by the relay bot.
+ ignore_own_incoming_events: true
+ # List of usernames/user IDs who are also allowed to use the bot commands.
+ whitelist:
+ - myusername
+ - 12345678
+ # Telegram config
+ telegram:
+ # Get your own API keys at https://my.telegram.org/apps
+ api_id: 862555
+ api_hash: 7387a7b6ba71793d6f3fa98261117e4e
+ # (Optional) Create your own bot at https://t.me/BotFather
+ bot_token: disabled
+ # Should the bridge request missed updates from Telegram when restarting?
+ catch_up: true
+ # Should incoming updates be handled sequentially to make sure order is preserved on Matrix?
+ sequential_updates: true
+ exit_on_update_error: false
diff --git a/apps/matrix/mautrix-telegram.statefulset.yaml b/apps/matrix/mautrix-telegram.statefulset.yaml
new file mode 100644
index 0000000..baecab9
--- /dev/null
+++ b/apps/matrix/mautrix-telegram.statefulset.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: mautrix-telegram
+spec:
+ selector:
+ matchLabels:
+ app: mautrix-telegram
+ serviceName: mautrix-telegram
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mautrix-telegram
+ spec:
+ containers:
+ - name: mautrix-telegram
+ image: mautrix-telegram
+ volumeMounts:
+ - name: config
+ mountPath: /data/config.yaml
+ subPath: config.yaml
+ - name: persistence
+ mountPath: /data
+ args:
+ - --no-update # disable overwriting config.yaml
+ volumes:
+ - name: config
+ configMap:
+ name: mautrix-telegram
+ - name: persistence
+ emptyDir: {}
diff --git a/apps/matrix/mautrix-whatsapp.configmap.yaml b/apps/matrix/mautrix-whatsapp.configmap.yaml
new file mode 100644
index 0000000..0a854e1
--- /dev/null
+++ b/apps/matrix/mautrix-whatsapp.configmap.yaml
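Review bot: The `persistence` volume in mautrix-telegram.statefulset.yaml is an `emptyDir`, so whatever the bridge writes under `/data` (its database and session state, presumably) is lost on every pod restart, even though mautrix.pvc.yaml in this same patch creates a `mautrix-telegram` PersistentVolumeClaim that nothing references; replace `emptyDir: {}` with `persistentVolumeClaim:` / `claimName: mautrix-telegram`, as the WhatsApp StatefulSet already does. `image: mautrix-telegram` is an unqualified, untagged reference that resolves to `docker.io/library/mautrix-telegram:latest` and will not pull; pin a fully qualified image with a tag or digest, and the same applies to `image: mautrix-whatsapp` in mautrix-whatsapp.statefulset.yaml. Neither StatefulSet sets a pod `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`) or resource limits, which is worth adding for a container that holds live messaging session credentials.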
@@ -0,0 +1,428 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mautrix-whatsapp
+data:
+ config.yaml: |
+ # Homeserver details.
+ homeserver:
+ # The address that this appservice can use to connect to the homeserver.
+ address: http://synapse:8448
+ # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+ domain: matrix.kluster.moll.re
+
+ # What software is the homeserver running?
+ # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+ software: standard
+ # The URL to push real-time bridge status to.
+ # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
+ # The bridge will use the appservice as_token to authorize requests.
+ status_endpoint: null
+ # Endpoint for reporting per-message status.
+ message_send_checkpoint_endpoint: null
+ # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+ async_media: false
+
+ # Should the bridge use a websocket for connecting to the homeserver?
+ # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+ # mautrix-asmux (deprecated), and hungryserv (proprietary).
+ websocket: false
+ # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+ ping_interval_seconds: 0
+
+ # Application service host/registration related details.
+ # Changing these values requires regeneration of the registration.
+ appservice:
+ # The address that the homeserver can use to connect to this appservice.
+ address: http://mautrix-whatsapp:29318
+
+ # The hostname and port where this appservice should listen.
+ hostname: 0.0.0.0
+ port: 29318
+
+ # Database config.
+ database:
+ # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+ type: sqlite3-fk-wal
+ # The database URI.
+ # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended.
+ # https://github.com/mattn/go-sqlite3#connection-string
+ # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+ # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+ uri: file:/data/mautrix-whatsapp.db?_txlock=immediate
+ # Maximum number of connections. Mostly relevant for Postgres.
+ max_open_conns: 20
+ max_idle_conns: 2
+ # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+ # Parsed with https://pkg.go.dev/time#ParseDuration
+ max_conn_idle_time: null
+ max_conn_lifetime: null
+
+ # The unique ID of this appservice.
+ id: whatsapp
+ # Appservice bot details.
+ bot:
+ # Username of the appservice bot.
+ username: whatsappbot
+ # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+ # to leave display name/avatar as-is.
+ displayname: WhatsApp bridge bot
+ avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
+
+ # Whether or not to receive ephemeral events via appservice transactions.
+ # Requires MSC2409 support (i.e. Synapse 1.22+).
+ ephemeral_events: true
+
+ # Should incoming events be handled asynchronously?
+ # This may be necessary for large public instances with lots of messages going through.
+ # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+ async_transactions: false
+
+ # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+ as_token: "This value is generated when generating the registration"
+ hs_token: "This value is generated when generating the registration"
+
+ # Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
+ analytics:
+ # Hostname of the tracking server. The path is hardcoded to /v1/track
+ host: api.segment.io
+ # API key to send with tracking requests. Tracking is disabled if this is null.
+ token: null
+ # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
+ user_id: null
+
+ # Prometheus config.
+ metrics:
+ # Enable prometheus metrics?
+ enabled: false
+ # IP and port where the metrics listener should be. The path is always /metrics
+ listen: 127.0.0.1:8001
+
+ # Config for things that are directly sent to WhatsApp.
+ whatsapp:
+ # Device name that's shown in the "WhatsApp Web" section in the mobile app.
+ os_name: Mautrix-WhatsApp bridge
+ # Browser name that determines the logo shown in the mobile app.
+ # Must be "unknown" for a generic icon or a valid browser name if you want a specific icon.
+ # List of valid browser names: https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64
+ browser_name: unknown
+
+ # Bridge config
+ bridge:
+ # Localpart template of MXIDs for WhatsApp users.
+ # {{.}} is replaced with the phone number of the WhatsApp user.
+ username_template: whatsapp_{{.}}
+ # Displayname template for WhatsApp users.
+ # {{.PushName}} - nickname set by the WhatsApp user
+ # {{.BusinessName}} - validated WhatsApp business name
+ # {{.Phone}} - phone number (international format)
+ # The following variables are also available, but will cause problems on multi-user instances:
+ # {{.FullName}} - full name from contact list
+ # {{.FirstName}} - first name from contact list
+ displayname_template: "{{or .BusinessName .PushName .JID}} (WA)"
+ # Should the bridge create a space for each logged-in user and add bridged rooms to it?
+ # Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time.
+ personal_filtering_spaces: false
+ # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp?
+ delivery_receipts: false
+ # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+ message_status_events: false
+ # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+ message_error_notices: true
+ # Should incoming calls send a message to the Matrix room?
+ call_start_notices: true
+ # Should another user's cryptographic identity changing send a message to Matrix?
+ identity_change_notices: false
+ portal_message_buffer: 128
+ # Settings for handling history sync payloads.
+ history_sync:
+ # Enable backfilling history sync payloads from WhatsApp?
+ backfill: true
+ # The maximum number of initial conversations that should be synced.
+ # Other conversations will be backfilled on demand when receiving a message or when initiating a direct chat.
+ max_initial_conversations: -1
+ # Maximum number of messages to backfill in each conversation.
+ # Set to -1 to disable limit.
+ message_count: 50
+ # Should the bridge request a full sync from the phone when logging in?
+ # This bumps the size of history syncs from 3 months to 1 year.
+ request_full_sync: false
+ # Configuration parameters that are sent to the phone along with the request full sync flag.
+ # By default (when the values are null or 0), the config isn't sent at all.
+ full_sync_config:
+ # Number of days of history to request.
+ # The limit seems to be around 3 years, but using higher values doesn't break.
+ days_limit: null
+ # This is presumably the maximum size of the transferred history sync blob, which may affect what the phone includes in the blob.
+ size_mb_limit: null
+ # This is presumably the local storage quota, which may affect what the phone includes in the history sync blob.
+ storage_quota_mb: null
+ # If this value is greater than 0, then if the conversation's last message was more than
+ # this number of hours ago, then the conversation will automatically be marked it as read.
+ # Conversations that have a last message that is less than this number of hours ago will
+ # have their unread status synced from WhatsApp.
+ unread_hours_threshold: 0
+
+
+
+ # Should puppet avatars be fetched from the server even if an avatar is already set?
+ user_avatar_sync: true
+ # Should Matrix users leaving groups be bridged to WhatsApp?
+ bridge_matrix_leave: true
+ # Should the bridge update the m.direct account data event when double puppeting is enabled.
+ # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+ # and is therefore prone to race conditions.
+ sync_direct_chat_list: false
+ # Should the bridge use MSC2867 to bridge manual "mark as unread"s from
+ # WhatsApp and set the unread status on initial backfill?
+ # This will only work on clients that support the m.marked_unread or
+ # com.famedly.marked_unread room account data.
+ sync_manual_marked_unread: true
+ # When double puppeting is enabled, users can use `!wa toggle` to change whether
+ # presence is bridged. This setting sets the default value.
+ # Existing users won't be affected when these are changed.
+ default_bridge_presence: true
+ # Send the presence as "available" to whatsapp when users start typing on a portal.
+ # This works as a workaround for homeservers that do not support presence, and allows
+ # users to see when the whatsapp user on the other side is typing during a conversation.
+ send_presence_on_typing: false
+ # Should the bridge always send "active" delivery receipts (two gray ticks on WhatsApp)
+ # even if the user isn't marked as online (e.g. when presence bridging isn't enabled)?
+ #
+ # By default, the bridge acts like WhatsApp web, which only sends active delivery
+ # receipts when it's in the foreground.
+ force_active_delivery_receipts: false
+ # Servers to always allow double puppeting from
+ double_puppet_server_map:
+ example.com: https://example.com
+ # Allow using double puppeting from any server with a valid client .well-known file.
+ double_puppet_allow_discovery: false
+ # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+ #
+ # If set, double puppeting will be enabled automatically for local users
+ # instead of users having to find an access token and run `login-matrix`
+ # manually.
+ login_shared_secret_map:
+ example.com: foobar
+ # Whether to explicitly set the avatar and room name for private chat portal rooms.
+ # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+ # If set to `always`, all DM rooms will have explicit names and avatars set.
+ # If set to `never`, DM rooms will never have names and avatars set.
+ private_chat_portal_meta: default
+ # Should group members be synced in parallel? This makes member sync faster
+ parallel_member_sync: false
+ # Should Matrix m.notice-type messages be bridged?
+ bridge_notices: true
+ # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+ # This field will automatically be changed back to false after it, except if the config file is not writable.
+ resend_bridge_info: false
+ # When using double puppeting, should muted chats be muted in Matrix?
+ mute_bridging: false
+ # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
+ # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix.
+ # This can be set to a tag (e.g. m.lowpriority), or null to disable.
+ archive_tag: null
+ # Same as above, but for pinned chats. The favorite tag is called m.favourite
+ pinned_tag: null
+ # Should mute status and tags only be bridged when the portal room is created?
+ tag_only_on_create: true
+ # Should WhatsApp status messages be bridged into a Matrix room?
+ # Disabling this won't affect already created status broadcast rooms.
+ enable_status_broadcast: true
+ # Should sending WhatsApp status messages be allowed?
+ # This can cause issues if the user has lots of contacts, so it's disabled by default.
+ disable_status_broadcast_send: true
+ # Should the status broadcast room be muted and moved into low priority by default?
+ # This is only applied when creating the room, the user can unmute it later.
+ mute_status_broadcast: true
+ # Tag to apply to the status broadcast room.
+ status_broadcast_tag: m.lowpriority
+ # Should the bridge use thumbnails from WhatsApp?
+ # They're disabled by default due to very low resolution.
+ whatsapp_thumbnail: false
+ # Allow invite permission for user. User can invite any bots to room with whatsapp
+ # users (private chat and groups)
+ allow_user_invite: false
+ # Whether or not created rooms should have federation enabled.
+ # If false, created portal rooms will never be federated.
+ federate_rooms: true
+ # Should the bridge never send alerts to the bridge management room?
+ # These are mostly things like the user being logged out.
+ disable_bridge_alerts: false
+ # Should the bridge stop if the WhatsApp server says another user connected with the same session?
+ # This is only safe on single-user bridges.
+ crash_on_stream_replaced: false
+ # Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview,
+ # and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews`
+ # key in the event content even if this is disabled.
+ url_previews: false
+ # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+ # This is currently not supported in most clients.
+ caption_in_message: false
+ # Send galleries as a single event? This is not an MSC (yet).
+ beeper_galleries: false
+ # Should polls be sent using MSC3381 event types?
+ extev_polls: false
+ # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this.
+ cross_room_replies: false
+ # Disable generating reply fallbacks? Some extremely bad clients still rely on them,
+ # but they're being phased out and will be completely removed in the future.
+ disable_reply_fallbacks: false
+ # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
+ # Null means there's no enforced timeout.
+ message_handling_timeout:
+ # Send an error message after this timeout, but keep waiting for the response until the deadline.
+ # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
+ # If the message is older than this when it reaches the bridge, the message won't be handled at all.
+ error_after: null
+ # Drop messages after this timeout. They may still go through if the message got sent to the servers.
+ # This is counted from the time the bridge starts handling the message.
+ deadline: 120s
+
+ # The prefix for commands. Only required in non-management rooms.
+ command_prefix: "!wa"
+
+ # Messages sent upon joining a management room.
+ # Markdown is supported. The defaults are listed below.
+ management_room_text:
+ # Sent when joining a room.
+ welcome: "Hello, I'm a WhatsApp bridge bot."
+ # Sent when joining a management room and the user is already logged in.
+ welcome_connected: "Use `help` for help."
+ # Sent when joining a management room and the user is not logged in.
+ welcome_unconnected: "Use `help` for help or `login` to log in."
+ # Optional extra text sent when joining a management room.
+ additional_help: ""
+
+ # End-to-bridge encryption support options.
+ #
+ # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+ encryption:
+ # Allow encryption, work in group chat rooms with e2ee enabled
+ allow: false
+ # Default to encryption, force-enable encryption in all portals the bridge creates
+ # This will cause the bridge bot to be in private chats for the encryption to work properly.
+ default: false
+ # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+ appservice: false
+ # Require encryption, drop any unencrypted messages.
+ require: false
+ # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+ # You must use a client that supports requesting keys from other users to use this feature.
+ allow_key_sharing: false
+ # Should users mentions be in the event wire content to enable the server to send push notifications?
+ plaintext_mentions: false
+ # Options for deleting megolm sessions from the bridge.
+ delete_keys:
+ # Beeper-specific: delete outbound sessions when hungryserv confirms
+ # that the user has uploaded the key to key backup.
+ delete_outbound_on_ack: false
+ # Don't store outbound sessions in the inbound table.
+ dont_store_outbound: false
+ # Ratchet megolm sessions forward after decrypting messages.
+ ratchet_on_decrypt: false
+ # Delete fully used keys (index >= max_messages) after decrypting messages.
+ delete_fully_used_on_decrypt: false
+ # Delete previous megolm sessions from same device when receiving a new one.
+ delete_prev_on_new_session: false
+ # Delete megolm sessions received from a device when the device is deleted.
+ delete_on_device_delete: false
+ # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+ periodically_delete_expired: false
+ # Delete inbound megolm sessions that don't have the received_at field used for
+ # automatic ratcheting and expired session deletion. This is meant as a migration
+ # to delete old keys prior to the bridge update.
+ delete_outdated_inbound: false
+ # What level of device verification should be required from users?
+ #
+ # Valid levels:
+ # unverified - Send keys to all device in the room.
+ # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+ # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+ # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+ # Note that creating user signatures from the bridge bot is not currently possible.
+ # verified - Require manual per-device verification
+ # (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+ verification_levels:
+ # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+ receive: unverified
+ # Minimum level that the bridge should accept for incoming Matrix messages.
+ send: unverified
+ # Minimum level that the bridge should require for accepting key requests.
+ share: cross-signed-tofu
+ # Options for Megolm room key rotation. These options allow you to
+ # configure the m.room.encryption event content. See:
+ # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+ # more information about that event.
+ rotation:
+ # Enable custom Megolm room key rotation settings. Note that these
+ # settings will only apply to rooms created after this option is
+ # set.
+ enable_custom: false
+ # The maximum number of milliseconds a session should be used
+ # before changing it. The Matrix spec recommends 604800000 (a week)
+ # as the default.
+ milliseconds: 604800000
+ # The maximum number of messages that should be sent with a given a
+ # session before changing it. The Matrix spec recommends 100 as the
+ # default.
+ messages: 100
+
+ # Disable rotating keys when a user's devices change?
+ # You should not enable this option unless you understand all the implications.
+ disable_device_change_key_rotation: false
+
+ # Settings for provisioning API
+ provisioning:
+ # Prefix for the provisioning API paths.
+ prefix: /_matrix/provision
+ # Shared secret for authentication. If set to "generate", a random secret will be generated,
+ # or if set to "disable", the provisioning API will be disabled.
+ shared_secret: generate
+ # Enable debug API at /debug with provisioning authentication.
+ debug_endpoints: false
+
+ # Permissions for using the bridge.
+ # Permitted values:
+ # relay - Talk through the relaybot (if enabled), no access otherwise
+ # user - Access to use the bridge to chat with a WhatsApp account.
+ # admin - User level and some additional administration tools
+ # Permitted keys:
+ # * - All Matrix users
+ # domain - All users on that homeserver
+ # mxid - Specific user
+ permissions:
+ "*": relay
+ "example.com": user
+ "@admin:example.com": admin
+
+ # Settings for relay mode
+ relay:
+ # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
+ # authenticated user into a relaybot for that chat.
+ enabled: false
+ # Should only admins be allowed to set themselves as relay users?
+ admin_only: true
+ # The formats to use when sending messages to WhatsApp via the relaybot.
+ message_formats:
+ m.text: "{{ .Sender.Displayname }}: {{ .Message }}"
+ m.notice: "{{ .Sender.Displayname }}: {{ .Message }}"
+ m.emote: "* {{ .Sender.Displayname }} {{ .Message }}"
+ m.file: "{{ .Sender.Displayname }} sent a file"
+ m.image: "{{ .Sender.Displayname }} sent an image"
+ m.audio: "{{ .Sender.Displayname }} sent an audio file"
+ m.video: "{{ .Sender.Displayname }} sent a video"
+ m.location: "{{ .Sender.Displayname }} sent a location"
+
+ # Logging config. See https://github.com/tulir/zeroconfig for details.
+ logging:
+ min_level: debug
+ writers:
+ - type: stdout
+ format: pretty-colored
+ - type: file
+ format: json
+ filename: ./logs/mautrix-whatsapp.log
+ max_size: 100
+ max_backups: 10
+ compress: true
\ No newline at end of file
diff --git a/apps/matrix/mautrix-whatsapp.statefulset.yaml b/apps/matrix/mautrix-whatsapp.statefulset.yaml
new file mode 100644
index 0000000..a7b36cb
--- /dev/null
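Review bot: The `permissions` block near the end of mautrix-whatsapp.configmap.yaml still carries the upstream example entries (`"example.com": user`, `"@admin:example.com": admin`) while `homeserver.domain` is `matrix.kluster.moll.re`, so no user on this homeserver gets more than `relay`, and relay mode is itself off (`relay.enabled: false`); the Telegram config in this patch already keys its permissions on `"matrix.kluster.moll.re"` and `"@remy:matrix.kluster.moll.re"`, and the same keys belong here with `user` and `admin`. `login_shared_secret_map: example.com: foobar` and `double_puppet_server_map: example.com: https://example.com` are placeholders from the same template and should be removed or pointed at the real domain. `logging.min_level: debug` with a JSON file writer under `./logs/` will keep verbose bridge logs on the persistent volume; `info` is the more appropriate default once this runs for real. The `as_token`/`hs_token` placeholders ("generated when generating the registration") imply the bridge is expected to rewrite this file, which a ConfigMap-backed mount cannot accommodate, so the registration step and where the real tokens end up deserves a comment at the top of the ConfigMap.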
+++ b/apps/matrix/mautrix-whatsapp.statefulset.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: mautrix-whatsapp
+spec:
+ selector:
+ matchLabels:
+ app: mautrix-whatsapp
+ serviceName: mautrix-whatsapp
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mautrix-whatsapp
+ spec:
+ containers:
+ - name: mautrix-whatsapp
+ image: mautrix-whatsapp
+ volumeMounts:
+ - name: persistence
+ mountPath: /data
+ # contains config.yaml
+ securityContext:
+ fsGroup: 1337
+
+
+ volumes:
+ - name: persistence
+ persistentVolumeClaim:
+ claimName: mautrix-whatsapp
diff --git a/apps/matrix/mautrix.pvc.yaml b/apps/matrix/mautrix.pvc.yaml
new file mode 100644
index 0000000..bea0a75
--- /dev/null
+++ b/apps/matrix/mautrix.pvc.yaml
@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: mautrix-telegram
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: mautrix-whatsapp
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/apps/matrix/namespace.yaml b/apps/matrix/namespace.yaml
new file mode 100644
index 0000000..0a074bd
--- /dev/null
+++ b/apps/matrix/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: placeholder
diff --git a/apps/matrix/postgres.yaml b/apps/matrix/postgres.yaml
new file mode 100644
index 0000000..32c6ced
--- /dev/null
+++ b/apps/matrix/postgres.yaml
@@ -0,0 +1,20 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: matrix-postgres
+spec:
+ instances: 1
+ imageName: ghcr.io/cloudnative-pg/postgresql:16
+ bootstrap:
+ initdb:
+ owner: matrix
+ database: matrix
+ secret:
+ name: postgres-credentials
+
+ storage:
+ size: 1Gi
+ storageClass: nfs-client
+
+ monitoring:
+ enablePodMonitor: true
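Review bot: `image: mautrix-whatsapp` is a bare name with no registry, tag or digest, so what actually runs depends on whatever image rewriting (presumably a kustomize `images:` entry) or registry default resolves it; pin it explicitly, e.g. `image: dock.mau.dev/mautrix/whatsapp:<version>` or a digest, and add `resources:` limits. Indentation is lost in this view, but `fsGroup` is only valid in the pod-level `securityContext`, not the container's — if it sits under the container the API server rejects the object; wherever it ends up, `runAsNonRoot: true` and `readOnlyRootFilesystem: true` belong next to it, since `/data` is the only path the bridge needs to write. The comment says config.yaml lives on the PVC, so the bridge config committed just above is not what this pod reads unless something else copies it in — whichever copy is authoritative holds the provisioning secret (`shared_secret: generate` is written back into the file) and presumably the homeserver/appservice tokens, and it sits on a ReadWriteMany NFS share, so restrict that export and document which file is the source of truth.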
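Review bot: `bootstrap.initdb.secret` references `postgres-credentials`, but no Secret of that name is created alongside these matrix manifests, so the cluster is likely to sit un-bootstrapped until it exists; if it is hand-made it has to be a `kubernetes.io/basic-auth` Secret whose `username` equals `owner: matrix`. Its password must also equal the one hard-coded in synapse.configmap.yaml, which is the real problem: prefer dropping `secret:` so CNPG generates `matrix-postgres-app` itself, and have Synapse consume that Secret rather than a duplicated literal. `instances: 1` on `nfs-client` means no HA and Postgres data on NFS, which is generally discouraged for Postgres; acceptable for a homelab, but worth a one-line comment saying so.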
diff --git a/apps/matrix/synapse.configmap.yaml b/apps/matrix/synapse.configmap.yaml
new file mode 100644
index 0000000..1a139ba
--- /dev/null
+++ b/apps/matrix/synapse.configmap.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: synapse
+data:
+ # matrix.kluster.moll.re.log.config: |
+ # version: 1
+
+ # formatters:
+ # precise:
+ # format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+ # handlers:
+ # console:
+ # class: logging.StreamHandler
+ # formatter: precise
+
+ # loggers:
+ # # This is just here so we can leave `loggers` in the config regardless of whether
+ # # we configure other loggers below (avoid empty yaml dict error).
+ # _placeholder:
+ # level: "INFO"
+
+ # synapse.storage.SQL:
+ # # beware: increasing this to DEBUG will make synapse log sensitive
+ # # information such as access tokens.
+ # level: INFO
+
+
+
+ # root:
+ # level: INFO
+ # handlers: [console]
+
+ homeserver.yaml: |
+ server_name: "matrix.kluster.moll.re"
+ report_stats: false
+ # enable_registration: true
+ # enable_registration_without_verification: true
+ listeners:
+ - port: 8448
+ tls: false
+ type: http
+ x_forwarded: true
+ bind_addresses: ['::1', '127.0.0.1']
+ resources:
+ - names: [client, federation]
+ compress: false
+
+ # log_config: "./matrix.kluster.moll.re.log.config"
+ media_store_path: /media_store
+ trusted_key_servers:
+ - server_name: "matrix.org"
+ database:
+ name: psycopg2
+ args:
+ user: matrix
+ password: "0ssdsdsdM6vbxhs.kdjsdasd9Z0qK5bdTwM6vbxh9Z"
+ dbname: matrix
+ host: matrix-postgres-rw
+ cp_min: 5
+ cp_max: 10
\ No newline at end of file
diff --git a/apps/matrix/synapse.deployment.yaml b/apps/matrix/synapse.deployment.yaml
new file mode 100644
index 0000000..1e250c3
--- /dev/null
+++ b/apps/matrix/synapse.deployment.yaml
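Review bot: The Postgres password is committed in clear text inside a ConfigMap (`password: "0ssdsdsdM6vbxhs..."` under `database.args`) — a ConfigMap is not a Secret, the value is now in git history and readable by anyone with `get configmaps` in the namespace, and it has to be kept in sync with the CNPG credentials by hand. Treat it as leaked and rotate it, then move it out of this file: Synapse loads every YAML file under a `--config-path` directory, so the `database:` stanza can live in a Secret-backed file (or be rendered from the CNPG-generated `matrix-postgres-app` Secret by an init container) while the rest stays in this ConfigMap. Separately, `bind_addresses: ['::1', '127.0.0.1']` binds the listener to loopback only, but the Service in this commit reaches the pod on 8448 over the pod network, so those connections will be refused — use `bind_addresses: ['::', '0.0.0.0']` (or drop the key); `x_forwarded: true` behind Traefik is fine.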
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: synapse
+spec:
+ selector:
+ matchLabels:
+ app: synapse
+ template:
+ metadata:
+ labels:
+ app: synapse
+ spec:
+ containers:
+ - name: synapse
+ image: synapse
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ ports:
+ - containerPort: 8448
+ env:
+ - name: SYNAPSE_CONFIG_PATH
+ value: /config/homeserver.yaml
+ volumeMounts:
+ - name: config
+ mountPath: /config/homeserver.yaml
+ subPath: homeserver.yaml
+ - name: config-persistence
+ mountPath: /config
+ - name: media
+ mountPath: /media_store
+ securityContext:
+ fsGroup: 1001
+ volumes:
+ - name: config
+ configMap:
+ name: synapse
+ - name: config-persistence
+ emptyDir: {}
+ - name: media
+ emptyDir: {}
\ No newline at end of file
diff --git a/apps/matrix/synapse.ingress.yaml b/apps/matrix/synapse.ingress.yaml
new file mode 100644
index 0000000..f79e4f6
--- /dev/null
+++ b/apps/matrix/synapse.ingress.yaml
@@ -0,0 +1,29 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: synapse-federation
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`matrix.kluster.moll.re`)
+ kind: Rule
+ services:
+ - name: synapse
+ port: 8448
+ # auto route to the _matrix path
+ middlewares:
+ - name: matrix-redirect
+
+ tls:
+ certResolver: default-tls
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: matrix-redirect
+spec:
+ redirectRegex:
+ regex: "^https://matrix.kluster.moll.re/(.*)"
+ replacement: "https://matrix.kluster.moll.re/_matrix/$${1}"
+ permanent: true
diff --git a/apps/matrix/synapse.service.yaml b/apps/matrix/synapse.service.yaml
new file mode 100644
index 0000000..7e633e3
--- /dev/null
+++ b/apps/matrix/synapse.service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: synapse
+spec:
+ selector:
+ app: synapse
+ ports:
+ - protocol: TCP
+ port: 8448
+ targetPort: 8448
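Review bot: Both `config-persistence` (`/config`) and `media` (`/media_store`) are `emptyDir: {}`, so everything Synapse writes there is lost on every pod restart — uploaded media, and presumably the `matrix.kluster.moll.re.signing.key` that Synapse generates next to its config on first start when none exists; a regenerated signing key breaks federation with every server that cached the old one. Back `media` with a PVC and put the signing key in a Secret mounted into `/config` (or point `signing_key_path` at persistent storage). `image: synapse` is unpinned and registry-less — pin `matrixdotorg/synapse:<version>` or a digest — and `memory: "128Mi"` is far below what a Synapse homeserver normally needs, so expect OOM kills once federation traffic arrives; from experience several hundred MiB is the floor. Add `runAsNonRoot: true` next to `fsGroup`, and confirm `1001` matches the uid the chosen image runs as (the official image defaults to 991).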
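Review bot: The `matrix-redirect` middleware is attached to the only route and its regex `^https://matrix.kluster.moll.re/(.*)` matches every URL, including ones already under `/_matrix/`, so `/_matrix/client/versions` is redirected to `/_matrix/_matrix/client/versions` and so on forever — Traefik answers with the redirect before forwarding, so no request ever reaches Synapse, and `/.well-known/matrix/*` and `/_synapse/*` get the same treatment. In a Kubernetes CRD the replacement is also fed straight to Go's regexp expansion, where `$$` is a literal dollar, so `$${1}` yields the literal text `${1}` rather than the captured path (the doubled `$$` is the docker-compose escaping convention). Split the route: proxy the Matrix API paths untouched and redirect only the rest, write `${1}` in the replacement, and keep `permanent: true` off until the loop is confirmed gone, since browsers cache 301s.
```yaml
  routes:
    - match: Host(`matrix.kluster.moll.re`) && (PathPrefix(`/_matrix`) || PathPrefix(`/_synapse/client`) || PathPrefix(`/.well-known/matrix`))
      kind: Rule
      services:
        - name: synapse
          port: 8448
    - match: Host(`matrix.kluster.moll.re`)
      kind: Rule
      services:
        - name: synapse
          port: 8448
      middlewares:
        - name: matrix-redirect
  # … unchanged: tls …
# … unchanged: Middleware metadata …
spec:
  redirectRegex:
    regex: "^https://matrix.kluster.moll.re/(.*)"
    replacement: "https://matrix.kluster.moll.re/_matrix/${1}"
    permanent: false
```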
diff --git a/apps/nextcloud/pvc.yaml b/apps/nextcloud/pvc.yaml
index e398899..ddce446 100644
--- a/apps/nextcloud/pvc.yaml
+++ b/apps/nextcloud/pvc.yaml
@@ -23,3 +23,29 @@ spec:
 requests:
 storage: "150Gi"
 volumeName: nextcloud-nfs
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nextcloud-syncthing-shared
+spec:
+ capacity:
+ storage: "150Gi"
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: /kluster/syncthing
+ server: 192.168.1.157
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nextcloud-syncthing-shared
+spec:
+ storageClassName: ""
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "150Gi"
+ volumeName: nextcloud-syncthing-shared
\ No newline at end of file
diff --git a/apps/nextcloud/values.yaml b/apps/nextcloud/values.yaml
index 8dfdcc8..220c3ba 100644
--- a/apps/nextcloud/values.yaml
+++ b/apps/nextcloud/values.yaml
@@ -1,9 +1,6 @@
 ## Official nextcloud image version
 ## ref: https://hub.docker.com/r/library/nextcloud/tags/
-image:
- tag: "28"
-
 ingress:
 enabled: false
@@ -49,6 +46,15 @@ nextcloud:
 # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
 configs: {}
+ extraVolumes:
+ - name: my-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-nfs
+
+ extraVolumeMounts:
+ - name: my-volume
+ mountPath: /var/www/html/my-volume
+
 # For example, to use S3 as primary storage
 # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
 #
@@ -74,8 +80,7 @@ nginx:
 enabled: false
 internalDatabase:
- enabled: true
- name: nextcloud
+ enabled: false
 ##
 ## External database configuration
@@ -89,13 +94,7 @@ externalDatabase:
 ## Database host
 host: postgres-postgresql.postgres
- ## Database user
- # user: nextcloud
- # ## Database password
- # password: test
-
- ## Database name
 database: nextcloud
 ## Use a existing secret
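Review bot: `nextcloud-syncthing-shared` is declared `ReadWriteOnce` on both the PV and the PVC, yet its name and the NFS backend suggest it is meant to be mounted by Nextcloud and by Syncthing at the same time; RWO lets only one node attach the volume, so whichever pod is scheduled elsewhere stays Pending. NFS supports `ReadWriteMany` — use `accessModes: [ReadWriteMany]` on both objects if the path really is shared. Nothing in the values.yaml hunks below references this claim (the new extraVolume points at `nextcloud-nfs`), so as committed the PV/PVC appears unused; a `persistentVolumeReclaimPolicy: Retain` line would also make the intent explicit, and the hard-coded `192.168.1.157` deserves a comment naming the host.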
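Review bot: Dropping `image.tag: "28"` means the Nextcloud image now follows whatever the chart's default `appVersion` is, so a routine chart bump can silently jump the application major version; Nextcloud only supports upgrading one major at a time, and an unintended two-step jump leaves the instance stuck in maintenance mode with a database that no longer matches either version. Keep an explicit pin (`image: {tag: "28.0.3"}`, or better a digest) and bump it deliberately alongside the chart.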
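Review bot: The new `extraVolumes`/`extraVolumeMounts` pair is the chart example left verbatim — name `my-volume`, path `/var/www/html/my-volume` — and it mounts `nextcloud-nfs`, which per pvc.yaml is the pre-existing 150Gi claim, not the `nextcloud-syncthing-shared` claim this same commit creates; if the Syncthing share is the intent, `claimName: nextcloud-syncthing-shared` is presumably what was meant. Either way, do not mount it inside the web root: a directory under `/var/www/html` is not indexed by Nextcloud's file cache, and nothing in the default `.htaccess` rules protects an arbitrary subdirectory there, so its contents may be served directly by the web server. Mount it outside the document root (e.g. `mountPath: /mnt/syncthing`) with a descriptive name such as `syncthing-shared`, and expose it through the External Storage (`files_external`) app as a local storage backend.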