add matrix deployment

Reviewed-on: #210

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.13.4"
+    newTag: "2.15.0"

apps/dendrite/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - postgres.yaml
+  - postgres-user.secret.yaml
+  - ingress.yaml
+
+namespace: dendrite
+
+helmCharts:
+  - name: dendrite
+    releaseName: dendrite
+    version: 0.13.5
+    valuesFile: values.yaml
+    repo: https://matrix-org.github.io/dendrite/

apps/dendrite/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

apps/dendrite/postgres.yaml

@@ -0,0 +1,25 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: dendrite-postgres
+spec:
+  instances: 1
+  imageName: ghcr.io/cloudnative-pg/postgresql:16.4
+  bootstrap:
+    initdb:
+      owner: dendrite
+      database: dendrite
+      secret:
+        name: postgres-password
+
+  # Persistent storage configuration
+  storage:
+    size: 2Gi
+    pvcTemplate:
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: nfs-client
+      volumeMode: Filesystem

apps/dendrite/values.yaml

@@ -0,0 +1,287 @@
+
+# signing key to use
+signing_key:
+  # -- Create a new signing key, if not exists
+  create: true
+
+persistence:
+  jetstream:
+    # -- PVC Storage Request for the jetstream volume
+    capacity: "1Gi"
+    # -- The storage class to use for volume claims.
+    storageClass: "nfs-client"
+  media:
+    # -- PVC Storage Request for the media volume
+    capacity: "1Gi"
+    # -- The storage class to use for volume claims.
+    storageClass: "nfs-client"
+  search:
+    # -- PVC Storage Request for the search volume
+    capacity: "1Gi"
+    # -- The storage class to use for volume claims.
+    storageClass: "nfs-client"
+
+
+
+dendrite_config:
+  version: 2
+  global:
+    # -- **REQUIRED** Servername for this Dendrite deployment.
+    server_name: "dendrite.kluster.moll.re"
+
+    # -- The server name to delegate server-server communications to, with optional port
+    # e.g. localhost:443
+    well_known_server_name: ""
+
+    # -- The server name to delegate client-server communications to, with optional port
+    # e.g. localhost:443
+    well_known_client_name: ""
+
+    # -- Lists of domains that the server will trust as identity servers to verify third
+    # party identifiers such as phone numbers and email addresses.
+    trusted_third_party_id_servers:
+      - matrix.org
+      - vector.im
+
+    # -- The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
+    # to old signing keys that were formerly in use on this domain name. These
+    # keys will not be used for federation request or event signing, but will be
+    # provided to any other homeserver that asks when trying to verify old events.
+    old_private_keys:
+    #  If the old private key file is available:
+    #  - private_key: old_matrix_key.pem
+    #    expired_at: 1601024554498
+    #  If only the public key (in base64 format) and key ID are known:
+    #  - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
+    #    key_id: ed25519:mykeyid
+    #    expired_at: 1601024554498
+
+    # -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
+    # to other servers and the federation API will not be exposed.
+    disable_federation: false
+
+    key_validity_period: 168h0m0s
+
+    database:
+      # -- The connection string for connections to Postgres.
+      # This will be set automatically if using the Postgres dependency
+      connection_string: "postgresql://dendrite:supersecretpassword!@dendrite-postgres-rw/dendrite"
+      # -- Default database maximum open connections
+      max_open_conns: 90
+      # -- Default database maximum idle connections
+      max_idle_conns: 5
+      # -- Default database maximum lifetime
+      conn_max_lifetime: -1
+
+    jetstream:
+      # -- Persistent directory to store JetStream streams in.
+      storage_path: "/data/jetstream"
+      # -- NATS JetStream server addresses if not using internal NATS.
+      addresses: []
+      # -- The prefix for JetStream streams
+      topic_prefix: "Dendrite"
+      # -- Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`)
+      in_memory: false
+      # -- Disables TLS validation. This should **NOT** be used in production.
+      disable_tls_validation: true
+
+    cache:
+      # -- The estimated maximum size for the global cache in bytes, or in terabytes,
+      # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
+      # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
+      # memory limit for the entire process. A cache that is too small may ultimately
+      # provide little or no benefit.
+      max_size_estimated: 1gb
+      # -- The maximum amount of time that a cache entry can live for in memory before
+      # it will be evicted and/or refreshed from the database. Lower values result in
+      # easier admission of new cache entries but may also increase database load in
+      # comparison to higher values, so adjust conservatively. Higher values may make
+      # it harder for new items to make it into the cache, e.g. if new rooms suddenly
+      # become popular.
+      max_age: 1h
+
+    report_stats:
+      # -- Configures phone-home statistics reporting. These statistics contain the server
+      # name, number of active users and some information on your deployment config.
+      # We use this information to understand how Dendrite is being used in the wild.
+      enabled: false
+
+    presence:
+      # -- Controls whether we receive presence events from other servers
+      enable_inbound: false
+      # -- Controls whether we send presence events for our local users to other servers.
+      # (_May increase CPU/memory usage_)
+      enable_outbound: false
+
+    server_notices:
+      # -- Server notices allows server admins to send messages to all users on the server.
+      enabled: false
+      # -- The local part for the user sending server notices.
+      local_part: "_server"
+      # -- The display name for the user sending server notices.
+      display_name: "Server Alerts"
+      # -- The avatar URL (as a mxc:// URL) name for the user sending server notices.
+      avatar_url: ""
+      # The room name to be used when sending server notices. This room name will
+      # appear in user clients.
+      room_name: "Server Alerts"
+
+    # prometheus metrics
+    metrics:
+      # -- Whether or not Prometheus metrics are enabled.
+      enabled: false
+      # HTTP basic authentication to protect access to monitoring.
+      basic_auth:
+        # -- HTTP basic authentication username
+        user: "metrics"
+        # -- HTTP basic authentication password
+        password: metrics
+
+  app_service_api:
+    # -- Disable the validation of TLS certificates of appservices. This is
+    # not recommended in production since it may allow appservice traffic
+    # to be sent to an insecure endpoint.
+    disable_tls_validation: false
+    # -- Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists)
+    config_files: []
+
+  client_api:
+    # -- Prevents new users from being able to register on this homeserver, except when
+    # using the registration shared secret below.
+    registration_disabled: true
+
+    # Prevents new guest accounts from being created. Guest registration is also
+    # disabled implicitly by setting 'registration_disabled' above.
+    guests_disabled: true
+
+    # -- If set, allows registration by anyone who knows the shared secret, regardless of
+    # whether registration is otherwise disabled.
+    registration_shared_secret: "supersecretpassword"
+
+
+    # TURN server information that this homeserver should send to clients.
+    turn:
+      # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
+      turn_user_lifetime: "24h"
+      turn_uris: []
+      turn_shared_secret: ""
+      # -- The TURN username
+      turn_username: ""
+      # -- The TURN password
+      turn_password: ""
+
+    rate_limiting:
+      # -- Enable rate limiting
+      enabled: true
+      # -- After how many requests a rate limit should be activated
+      threshold: 20
+      # -- Cooloff time in milliseconds
+      cooloff_ms: 500
+      # -- Users which should be exempt from rate limiting
+      exempt_user_ids:
+
+  federation_api:
+    # -- Federation failure threshold. How many consecutive failures that we should
+    # tolerate when sending federation requests to a specific server. The backoff
+    # is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc.
+    # The default value is 16 if not specified, which is circa 18 hours.
+    send_max_retries: 16
+    # -- Disable TLS validation. This should **NOT** be used in production.
+    disable_tls_validation: false
+    prefer_direct_fetch: false
+    # -- Prevents Dendrite from keeping HTTP connections
+    # open for reuse for future requests. Connections will be closed quicker
+    # but we may spend more time on TLS handshakes instead.
+    disable_http_keepalives: false
+    # -- Perspective keyservers, to use as a backup when direct key fetch
+    # requests don't succeed.
+    # @default -- See value.yaml
+    key_perspectives:
+      - server_name: matrix.org
+        keys:
+          - key_id: ed25519:auto
+            public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
+          - key_id: ed25519:a_RXGa
+            public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
+
+  media_api:
+    # -- The path to store media files (e.g. avatars) in
+    base_path: "/data/media_store"
+    # -- The max file size for uploaded media files
+    max_file_size_bytes: 10485760
+    # Whether to dynamically generate thumbnails if needed.
+    dynamic_thumbnails: false
+    # -- The maximum number of simultaneous thumbnail generators to run.
+    max_thumbnail_generators: 10
+    # -- A list of thumbnail sizes to be generated for media content.
+    # @default -- See value.yaml
+    thumbnail_sizes:
+      - width: 32
+        height: 32
+        method: crop
+      - width: 96
+        height: 96
+        method: crop
+      - width: 640
+        height: 480
+        method: scale
+
+  sync_api:
+    # -- This option controls which HTTP header to inspect to find the real remote IP
+    # address of the client. This is likely required if Dendrite is running behind
+    # a reverse proxy server.
+    real_ip_header: X-Real-IP
+    # -- Configuration for the full-text search engine.
+    search:
+      # -- Whether fulltext search is enabled.
+      enabled: true
+      # -- The path to store the search index in.
+      index_path: "/data/search"
+      # -- The language most likely to be used on the server - used when indexing, to
+      # ensure the returned results match expectations. A full list of possible languages
+      # can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
+      language: "en"
+
+  user_api:
+    # -- bcrypt cost to use when hashing passwords.
+    # (ranges from 4-31; 4 being least secure, 31 being most secure; _NOTE: Using a too high value can cause clients to timeout and uses more CPU._)
+    bcrypt_cost: 10
+    # -- OpenID Token lifetime in milliseconds.
+    openid_token_lifetime_ms: 3600000
+    # - Disable TLS validation when hitting push gateways. This should **NOT** be used in production.
+    push_gateway_disable_tls_validation: false
+    # -- Rooms to join users to after registration
+    auto_join_rooms: []
+
+  # -- Default logging configuration
+  logging:
+  - type: std
+    level: info
+
+postgresql:
+  # -- Enable and configure postgres as the database for dendrite.
+  # @default -- See value.yaml
+  enabled: false
+
+ingress:
+  # -- Create an ingress for the deployment
+  enabled: false
+
+service:
+  type: ClusterIP
+  port: 8008
+
+prometheus:
+  servicemonitor:
+    # -- Enable ServiceMonitor for Prometheus-Operator for scrape metric-endpoint
+    enabled: false
+    # -- Extra Labels on ServiceMonitor for selector of Prometheus Instance
+    labels: {}
+  rules:
+    # -- Enable PrometheusRules for Prometheus-Operator for setup alerting
+    enabled: false
+    # -- Extra Labels on PrometheusRules for selector of Prometheus Instance
+    labels: {}
+    # -- additional alertrules (no default alertrules are provided)
+    additionalRules: []
+

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 24.9.0
+    newTag: 24.10.1

apps/homeassistant/kustomization.yaml

@@ -15,4 +15,4 @@ resources:
 images:
   - name: homeassistant/home-assistant
     newName: homeassistant/home-assistant
-    newTag: "2024.9"
+    newTag: "2024.10"

apps/immich/kustomization.yaml

@@ -14,16 +14,16 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.7.2
+    version: 0.8.1
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.116.2
+    newTag: v1.117.0
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.116.2
+    newTag: v1.117.0
 
 
 patches:

apps/monitoring/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.5.2
+    version: 8.5.4
     valuesFile: grafana.values.yaml

apps/paperless/deployment.yaml

@@ -37,6 +37,15 @@ spec:
             value: /data
           - name: PAPERLESS_MEDIA_ROOT
             value: /data
+          - name: PAPERLESS_APPS
+            value: allauth.socialaccount.providers.openid_connect
+          - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
+            valueFrom:
+              secretKeyRef:
+                name: paperless-oauth
+                key: provider-config
+          # - name: PAPERLESS_DISABLE_REGULAR_LOGIN
+          #   value: "True"
           volumeMounts:
             - name: data
               mountPath: /data

apps/paperless/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - service.yaml
   - ingress.yaml
   - paperless-secret-key.sealedsecret.yaml
+  - paperless-oauth.sealedsecret.yaml
 
 namespace: paperless
 

apps/paperless/paperless-oauth.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: paperless-oauth
+  namespace: paperless
+spec:
+  encryptedData:
+    provider-config: AgBI9IcNOfBevjUtIMwNTd0MTnr1WGxMKJ0cPnHzAS3cddmI+LTrkxxdRBuz2PFKTrhJ6/vh/2tiI9FBWMVm/YqTB64drbF3v13GfZMk/9c7W4SFyMoMcoE4xe6gs4SOm1ggTVxWT6O8IQ0gt7+FRUFaiLmwa08dxTkzrT0/zfQfYg+0aV8qS0eCJIrQk/IA1N31RpUoNV5Jl6vF7oE+cKIVyZ6LVMdecmFnuUgU+1qTC7ncgxxhWQekDQXJQnfYpgsQTF5GaHkGV8kvqJOa2Ohnk7MIeQEz5WuiKaXzU1ZMCYq3D8q/kaf/itLLBlL5MQh/hkuksCVG13aWxvulA/zIw3rSDujjZcSrD8LWH6oCMCn8zVcZjYQQBcTKUYEyYNvHLsmm0fOFIkUmFfBOS4WdHhjsBudz+941Wuc2EX5i6eLind7dk6gOlCL1HEyvbQRV6W50T104DQSNHslRG9CIjPh0BueGJ5fiaFoQa/UuM/JI8R/7cv3y5VkCG6j4gax9FVFgZKxPMtOTxB3gKolT25JHPDOqbDo996T4lsmiYRrYShni4JFZ8ALhcr7pKwlg+gVbDVaqMrVaSz1xzTP0MNxPMsojXVLtG3/Zv0/iXSVW4DPY67pFITEbZBWB3bHLvL9MiwKbWNwsDwPUylWkXTTFHsNbuRUnAXhRxcLn43uIv98JFTQcMVl2J9qrYkHm7w0FVImUr3oC+Ny/Z6j89ARposNx27B4FBgW7H7+yWMKRsAObC8cAjBOkBdXue0x5bEl7Al2BRRG7/WUKHXZvTOlvlj7GFTpLOQbPYjnBo8V8h42uOjGbiMLaCeN5sWlMtWD+7mpHV3XGdcGtPAZlIzgpUs2si/XIRNun2oDoUmJhb7YcGmugodcAK9+aYBThIkNU3guXdrM6Vc7CO2RP8PFpKBpcI9pUHgYA8dyYY+TaBqfYGrKFlGgoVcgh6oVkeOuctTX90XkojVFfqkCqab93faMh2pGCGcH4IZ81sdTYeWwNIvz1RGoi9GhUhQU5NfDeUBn2eHdOpfdsf4FkWe0kgE6TBPlQx7GQy56FldIc0G4QA8H8utL3E/MXYrao70ek/GHIxuev1/hzljJDk+5HJz5itBtKiW4s/5j2ZMD7MMBu/voDQW14XEK5pM9EbwmC6kRg6ljXvTlnUVmw1s04iUvIzF/dO6bCgaOEwFPjZj8oZs0dt64Ov+ZPLwTrmezFgHtfh4dyiRgHt4cO/WYFmzzYwd532p2De3JqjHUzT0iQIpkaz4jrF7+fdtDxtj7XgkJIg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: paperless-oauth
+      namespace: paperless

infrastructure/authelia/kustomization.yaml

@@ -26,6 +26,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.9.6
+    version: 0.9.9
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/gitea/gitea-oauth.sealedsecret.yaml

@@ -6,7 +6,9 @@ metadata:
   name: gitea-oauth
   namespace: gitea
 spec:
-  encryptedData: {}
+  encryptedData:
+    key: AgAXDv5WIcA8AFGT4Eb1spaXbtifwOIFaiqjMbEuDYNG43Me7evzgrWmHvUQsf3jzkElsAhC/ykhsMKTNIGdeLC15oVifqOKL+19fcuBPwt7ubaL/z35svluq3P87vTP4Yp+rag3SvN05E4xteOiqyYJWSIUmrOHwkLRco4QzgTk2FO594//ZsA2TJb9YdjhBLXl/Ywhjpnf36t5blgUZAwX1NY61QkBbzr3UV2McWBB5dU2t561bvyo9KcAXkMNG/okzlhE2OzQoHoQYRz8o+xpySlI1Z06TE4G6mtojxnexuwR4EDds0c21aA2i5CIesnybGD8Vzwd4123A00PlQd67PSQm8hj3UJMzB3eWGAQuIhWn3zp7r01GElA9JW+9yVbPEkxaXMWaT6yaH3Zo04emRKPqBwxFpEPgWqZ00H9PjZn+KDBVnMs5+BG1jaYAuF3acLfLmgnO81F1B/jNX8JDShty2oW1heB9YBxSK2lTCYN1f4ItYV6N6eoC/q/mRlJOe2nAiUW8V3oT4x2x2S7Jw5Fwnd4avSesahtHzr4YwSNtq8jB/BSicYp1BezmALvXU8RUMmI6kvXkABuEHB6+G0ugQ8RDdg2OggZ92e4yKqv6vazWopH4GJ0sgpjViRHU8ZdxEJSgWH34+KKoUcW9eE8ugOynXAtthkasazfahxTmMd5XK6IbYsnNN/Bf3MyOonq0A==
+    secret: AgBh0QjLGKbQLRsI8imDwlktlUP/kRD/nUQAYWIEkVy6hZU1OWAAexfcwJi6uVIu/s4Wfzlzl7i5ok5WeeVCWDSTFh5Xz8+SNQoio0/xubbNiYCC81y/ZDhwS9CBn74UX1St4eEFeIcRjey+cyeB7vYCRrYO1WvpZFHx8G9KZa8F4Ca9fy07A3HTGEFdm0Of8MfOM/TVGn8pgJLh2KL+VnYbmyAwQp9hd1NlMM2DC5nPW5kkdfMnz9YG7uAMyaL2MkxTynpKvEJeSCWtIXQSuj60+3IGXNAUWOgYVF46vqzsBbQErXCC67tf8TXOo/lCcDZSVluuo50uWqQceuZ2QujrjwSsQiM9ax29mnI9idu7zqT4q2MQ08+HZT0qNKqN/1jYTUwf7j3jLcANQX5VVuY6zDSZ/hDE4sBuuEoisYTFQH2RicElX73BCfXeOHTOmD4R4EiL/Cn546JG+7qjmBLnljqdNwp0Tug0iLAp25IWhsz9FsNhVwEozil6Es5RGjVHrmIp7z61OwQPqyBOxvBXjIKfQjPY9rykl00UF/X34YWltob2qilUVfYnDGQcA/OZ6UNqN2IC6Pj+vlzAqdbElGapGvqhg2w+ErnL1vAl40HLfRiDCmK5s6dOE2eHdvi6lbbwVWtlpeB7BNuFRuf8npZiMfQmtA3x3FF7dcMXiFsPJ8RbTJRQDO9VeaVTAFDnql3eBhUssVKIehywj9m39dfLvDtdRA0=
   template:
     metadata:
       creationTimestamp: null

infrastructure/gitea/gitea.values.yaml

@@ -81,6 +81,7 @@ persistence:
 signing:
   enabled: false
 
+    
 ## @section Gitea
 #
 gitea:
@@ -115,11 +116,23 @@ gitea:
     indexer:
       ISSUE_INDEXER_TYPE: bleve
       REPO_INDEXER_ENABLED: false
+
+  oauth:
+    - name: authelia
+      provider: openidConnect
+      autoDiscoverUrl: https://auth.kluster.moll.re/.well-known/openid-configuration
+      scopes: openid email profile groups
+      existingSecret: gitea-oauth
+      required-claim-name: groups
+      required-claim-value: gitea
+      admin-group: apps_admin
+
   
-  additionalConfigSources:
-    - secret:
-        secretName: gitea-oauth
-  # since we want to reuse the posgres secret, we cannot directly use it here, but instead set the ENV variables
+  # since we want to reuse the postgres secret, we cannot directly use it in
+  # additionalConfigSources:
+  #   - secret:
+  #       secretName: postgres-password
+  # but instead set the ENV variables
   additionalConfigFromEnvs:
     - name: GITEA__DATABASE__DB_TYPE
       value: postgres

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 32.0.0
+    version: 32.1.1
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts