add matrix deployment

2024-10-15 17:52:03 +02:00
10 changed files with 346 additions and 153 deletions
--- a/apps/dendrite/ingress.yaml
+++ b/apps/dendrite/ingress.yaml
@@ -0,0 +1,18 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: dendrite-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`dendrite.kluster.moll.re`)
    kind: Rule
    services:
    - name: dendrite
      port: 8008
      # scheme: https
  tls:
    certResolver: default-tls 
--- a/apps/dendrite/kustomization.yaml
+++ b/apps/dendrite/kustomization.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - postgres.yaml
  - postgres-user.secret.yaml
  - ingress.yaml
 namespace: dendrite
 helmCharts:
  - name: dendrite
    releaseName: dendrite
    version: 0.13.5
    valuesFile: values.yaml
    repo: https://matrix-org.github.io/dendrite/
--- a/infrastructure/crowdsec/namespace.yaml
+++ b/infrastructure/crowdsec/namespace.yaml
--- a/apps/dendrite/postgres.yaml
+++ b/apps/dendrite/postgres.yaml
@@ -0,0 +1,25 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: dendrite-postgres
 spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:16.4
  bootstrap:
    initdb:
      owner: dendrite
      database: dendrite
      secret:
        name: postgres-password
  # Persistent storage configuration
  storage:
    size: 2Gi
    pvcTemplate:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 2Gi
      storageClassName: nfs-client
      volumeMode: Filesystem
--- a/apps/dendrite/values.yaml
+++ b/apps/dendrite/values.yaml
@@ -0,0 +1,287 @@
 # signing key to use
 signing_key:
  # -- Create a new signing key, if not exists
  create: true
 persistence:
  jetstream:
    # -- PVC Storage Request for the jetstream volume
    capacity: "1Gi"
    # -- The storage class to use for volume claims.
    storageClass: "nfs-client"
  media:
    # -- PVC Storage Request for the media volume
    capacity: "1Gi"
    # -- The storage class to use for volume claims.
    storageClass: "nfs-client"
  search:
    # -- PVC Storage Request for the search volume
    capacity: "1Gi"
    # -- The storage class to use for volume claims.
    storageClass: "nfs-client"
 dendrite_config:
  version: 2
  global:
    # -- **REQUIRED** Servername for this Dendrite deployment.
    server_name: "dendrite.kluster.moll.re"
    # -- The server name to delegate server-server communications to, with optional port
    # e.g. localhost:443
    well_known_server_name: ""
    # -- The server name to delegate client-server communications to, with optional port
    # e.g. localhost:443
    well_known_client_name: ""
    # -- Lists of domains that the server will trust as identity servers to verify third
    # party identifiers such as phone numbers and email addresses.
    trusted_third_party_id_servers:
      - matrix.org
      - vector.im
    # -- The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
    # to old signing keys that were formerly in use on this domain name. These
    # keys will not be used for federation request or event signing, but will be
    # provided to any other homeserver that asks when trying to verify old events.
    old_private_keys:
    #  If the old private key file is available:
    #  - private_key: old_matrix_key.pem
    #    expired_at: 1601024554498
    #  If only the public key (in base64 format) and key ID are known:
    #  - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
    #    key_id: ed25519:mykeyid
    #    expired_at: 1601024554498
    # -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
    # to other servers and the federation API will not be exposed.
    disable_federation: false
    key_validity_period: 168h0m0s
    database:
      # -- The connection string for connections to Postgres.
      # This will be set automatically if using the Postgres dependency
      connection_string: "postgresql://dendrite:supersecretpassword!@dendrite-postgres-rw/dendrite"
      # -- Default database maximum open connections
      max_open_conns: 90
      # -- Default database maximum idle connections
      max_idle_conns: 5
      # -- Default database maximum lifetime
      conn_max_lifetime: -1
    jetstream:
      # -- Persistent directory to store JetStream streams in.
      storage_path: "/data/jetstream"
      # -- NATS JetStream server addresses if not using internal NATS.
      addresses: []
      # -- The prefix for JetStream streams
      topic_prefix: "Dendrite"
      # -- Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`)
      in_memory: false
      # -- Disables TLS validation. This should **NOT** be used in production.
      disable_tls_validation: true
    cache:
      # -- The estimated maximum size for the global cache in bytes, or in terabytes,
      # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
      # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
      # memory limit for the entire process. A cache that is too small may ultimately
      # provide little or no benefit.
      max_size_estimated: 1gb
      # -- The maximum amount of time that a cache entry can live for in memory before
      # it will be evicted and/or refreshed from the database. Lower values result in
      # easier admission of new cache entries but may also increase database load in
      # comparison to higher values, so adjust conservatively. Higher values may make
      # it harder for new items to make it into the cache, e.g. if new rooms suddenly
      # become popular.
      max_age: 1h
    report_stats:
      # -- Configures phone-home statistics reporting. These statistics contain the server
      # name, number of active users and some information on your deployment config.
      # We use this information to understand how Dendrite is being used in the wild.
      enabled: false
    presence:
      # -- Controls whether we receive presence events from other servers
      enable_inbound: false
      # -- Controls whether we send presence events for our local users to other servers.
      # (_May increase CPU/memory usage_)
      enable_outbound: false
    server_notices:
      # -- Server notices allows server admins to send messages to all users on the server.
      enabled: false
      # -- The local part for the user sending server notices.
      local_part: "_server"
      # -- The display name for the user sending server notices.
      display_name: "Server Alerts"
      # -- The avatar URL (as a mxc:// URL) name for the user sending server notices.
      avatar_url: ""
      # The room name to be used when sending server notices. This room name will
      # appear in user clients.
      room_name: "Server Alerts"
    # prometheus metrics
    metrics:
      # -- Whether or not Prometheus metrics are enabled.
      enabled: false
      # HTTP basic authentication to protect access to monitoring.
      basic_auth:
        # -- HTTP basic authentication username
        user: "metrics"
        # -- HTTP basic authentication password
        password: metrics
  app_service_api:
    # -- Disable the validation of TLS certificates of appservices. This is
    # not recommended in production since it may allow appservice traffic
    # to be sent to an insecure endpoint.
    disable_tls_validation: false
    # -- Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists)
    config_files: []
  client_api:
    # -- Prevents new users from being able to register on this homeserver, except when
    # using the registration shared secret below.
    registration_disabled: true
    # Prevents new guest accounts from being created. Guest registration is also
    # disabled implicitly by setting 'registration_disabled' above.
    guests_disabled: true
    # -- If set, allows registration by anyone who knows the shared secret, regardless of
    # whether registration is otherwise disabled.
    registration_shared_secret: "supersecretpassword"
    # TURN server information that this homeserver should send to clients.
    turn:
      # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
      turn_user_lifetime: "24h"
      turn_uris: []
      turn_shared_secret: ""
      # -- The TURN username
      turn_username: ""
      # -- The TURN password
      turn_password: ""
    rate_limiting:
      # -- Enable rate limiting
      enabled: true
      # -- After how many requests a rate limit should be activated
      threshold: 20
      # -- Cooloff time in milliseconds
      cooloff_ms: 500
      # -- Users which should be exempt from rate limiting
      exempt_user_ids:
  federation_api:
    # -- Federation failure threshold. How many consecutive failures that we should
    # tolerate when sending federation requests to a specific server. The backoff
    # is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc.
    # The default value is 16 if not specified, which is circa 18 hours.
    send_max_retries: 16
    # -- Disable TLS validation. This should **NOT** be used in production.
    disable_tls_validation: false
    prefer_direct_fetch: false
    # -- Prevents Dendrite from keeping HTTP connections
    # open for reuse for future requests. Connections will be closed quicker
    # but we may spend more time on TLS handshakes instead.
    disable_http_keepalives: false
    # -- Perspective keyservers, to use as a backup when direct key fetch
    # requests don't succeed.
    # @default -- See value.yaml
    key_perspectives:
      - server_name: matrix.org
        keys:
          - key_id: ed25519:auto
            public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
          - key_id: ed25519:a_RXGa
            public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
  media_api:
    # -- The path to store media files (e.g. avatars) in
    base_path: "/data/media_store"
    # -- The max file size for uploaded media files
    max_file_size_bytes: 10485760
    # Whether to dynamically generate thumbnails if needed.
    dynamic_thumbnails: false
    # -- The maximum number of simultaneous thumbnail generators to run.
    max_thumbnail_generators: 10
    # -- A list of thumbnail sizes to be generated for media content.
    # @default -- See value.yaml
    thumbnail_sizes:
      - width: 32
        height: 32
        method: crop
      - width: 96
        height: 96
        method: crop
      - width: 640
        height: 480
        method: scale
  sync_api:
    # -- This option controls which HTTP header to inspect to find the real remote IP
    # address of the client. This is likely required if Dendrite is running behind
    # a reverse proxy server.
    real_ip_header: X-Real-IP
    # -- Configuration for the full-text search engine.
    search:
      # -- Whether fulltext search is enabled.
      enabled: true
      # -- The path to store the search index in.
      index_path: "/data/search"
      # -- The language most likely to be used on the server - used when indexing, to
      # ensure the returned results match expectations. A full list of possible languages
      # can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
      language: "en"
  user_api:
    # -- bcrypt cost to use when hashing passwords.
    # (ranges from 4-31; 4 being least secure, 31 being most secure; _NOTE: Using a too high value can cause clients to timeout and uses more CPU._)
    bcrypt_cost: 10
    # -- OpenID Token lifetime in milliseconds.
    openid_token_lifetime_ms: 3600000
    # - Disable TLS validation when hitting push gateways. This should **NOT** be used in production.
    push_gateway_disable_tls_validation: false
    # -- Rooms to join users to after registration
    auto_join_rooms: []
  # -- Default logging configuration
  logging:
  - type: std
    level: info
 postgresql:
  # -- Enable and configure postgres as the database for dendrite.
  # @default -- See value.yaml
  enabled: false
 ingress:
  # -- Create an ingress for the deployment
  enabled: false
 service:
  type: ClusterIP
  port: 8008
 prometheus:
  servicemonitor:
    # -- Enable ServiceMonitor for Prometheus-Operator for scrape metric-endpoint
    enabled: false
    # -- Extra Labels on ServiceMonitor for selector of Prometheus Instance
    labels: {}
  rules:
    # -- Enable PrometheusRules for Prometheus-Operator for setup alerting
    enabled: false
    # -- Extra Labels on PrometheusRules for selector of Prometheus Instance
    labels: {}
    # -- additional alertrules (no default alertrules are provided)
    additionalRules: []
--- a/infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml
+++ b/infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml
@@ -1,15 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: bouncer-api-key
  namespace: crowdsec
 spec:
  encryptedData:
    BOUNCER_KEY_TRAEFIK: AgAQYtZ9nhTcPudhhvBb/UC01CXLsItYr8u890ctD9AsTcn/tVZELCYDmmhoRCebMZofdLwhsnR4BoaBvFU4NgQk7qCUOm2O5YG11RXwOLuQv50+XcK2NTIuj9DsBqwLjYjWdRwV2PG++twP33mRFe+L/nw9d2JjyujF9FoFWL9OyU/IH8qb3FK9652wBTrC0VX251lZ2AU0xMvgGEa9BhTtobw+cE7xUbhazsRc7SqimW0iJ6ZiYYsJcVnMustHRx951YiVin2c0ub1v+JfvsMTiXUfbdt235BMXgevmvWVqPDlUgBHEfAiKl1ktQKqdd2KijEPCzEtVKbRXfFRtv0SOebLeQ949uNUmnhYUn7k+s9QiDo/4Pl4w5p5+i//BKbDe/dyagUFxNTw3ZpsGusI4B2dHwTtE0y8TTW4BDxNh4PaTVT0hN0ctSsG6joBCTes6dWfdFDo7NzRZ4suZGfTpZbJknYcp+hbaJxeHLnJUAkFHLj9AfT1tAAZVc8wVy3Nw/hwnntEBGUJJ35BhyKKYvkWWPqk/5Ay6U8CeaiupHHMbTRisiqZfuZ4KI6zJZlBMLcdK32d1gMqTJpvhkiC8h4+U3ygBf+rxf6R66+kDzalrLFX8sU3Sl7fVc8qYTPESrz9/RXBGHegunhrmfq6g5lyYyM+KPK71C7NCyhqDfzY4nqO6omh83UDOlCjm+++N7/UHHf+9hs6OUi1BmAOMJkvb8bX43SVDDA4gxoZplVgAK7E0w==
  template:
    metadata:
      creationTimestamp: null
      name: bouncer-api-key
      namespace: crowdsec
--- a/infrastructure/crowdsec/bouncer.middleware.yaml
+++ b/infrastructure/crowdsec/bouncer.middleware.yaml
@@ -1,12 +0,0 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: bouncer
 spec:
  plugin:
    bouncer:
      enabled: true
      crowdsecMode: stream
      crowdsecLapiScheme: https
      crowdsecLapiHost: crowdsec-service.crowdsec:8080
      crowdsecLapiKey: saödlkfhhqäüweo1p30947ß4rfepoihäp
--- a/infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml
+++ b/infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml
@@ -1,15 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: dashboard-api-key
  namespace: crowdsec
 spec:
  encryptedData:
    ENROLL_KEY: AgAOEbB81UuCj2qgR4p+gsvnDY3LC+IcI8kMwFlPl91pVngyrGDHutafilDZD/QiGxu+3mBVMlFRzYXyAl2RjaO4YZ8p59hznSn6jf3bcfbfhQJhXjUfKkf1Jmm6gWbeDMKcOuRvxgG2YWRtOo+xNLhHtMnTKC4B7R7X160GjlNV7SdXn4S+q9Oo/ZIz/q2Y6p5wXccpPNS6OEMjb8YJlfhj6FrsAoeO25fNruELBtzgHApVvx922wx9mpYialkQOsC+3IcogQprXQZZ+B8qph7PYQ1vIzD8Ch7df3Wj4JmMHsfpK5DRP6tACrM6PsYUy0BVqaBHWT9EHbIGc2w1/g9qPfauuTS8ZDsUEl7wpyQvHfXsQER63er5xT9Xv9kSrBUvSEaYoZr+Gw8Qi4N/SNW7e1JPiwQEpFP3GrFnnDLdGhGHvrvMzO5FAz1m+tnziVhfjpoOYQDlrvsS4+h+qU17/Kmu6EoGcpjqrEvUwN19Ar9pNz8qLbumTGlIzRbeVQWmv9F6icdT3idd8sCHeiAplE99kBAz780pxMgXRR/YmaBQz1xeOrKHAVBLegdj9eNmS62b72DHdsiY2jX7D1s1dFGWl45lIyv4RlNAQhjTiqFHeaUzJUii85WNSxpp9n8Cw/ua/mdUvcn8z9WQ11uVbVqurYD3TvsOnva0V6rffaeJjIovyMOXs2wHk6nokxj4L4Ut4YkmRGZaTu7wptjqBanaROZgEHEd
  template:
    metadata:
      creationTimestamp: null
      name: dashboard-api-key
      namespace: crowdsec
--- a/infrastructure/crowdsec/kustomization.yaml
+++ b/infrastructure/crowdsec/kustomization.yaml
@@ -1,18 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - dashboard-api-key.sealedsecret.yaml
  - bouncer-api-key.sealedsecret.yaml
  - bouncer.middleware.yaml
 namespace: crowdsec
 helmCharts:
  - name: crowdsec
    releaseName: crowdsec
    version: 0.12.0
    valuesFile: values.yaml
    repo: https://crowdsecurity.github.io/helm-charts
--- a/infrastructure/crowdsec/values.yaml
+++ b/infrastructure/crowdsec/values.yaml
@@ -1,93 +0,0 @@
 # -- for raw logs format: json or cri (docker|containerd)
 container_runtime: containerd
 # lapi will deploy pod with crowdsec lapi and dashboard as deployment
 lapi:
  # -- replicas for local API
  replicas: 1
  # -- environment variables from crowdsecurity/crowdsec docker image
  env:
    - name: ENROLL_INSTANCE_NAME
      value: "kluster"
  # Allows you to load environment variables from kubernetes secret or config map
  envFrom:
    - secretRef:
        name: dashboard-api-key
    - secretRef:
        name: bouncer-api-key
  dashboard:
    # -- Enable Metabase Dashboard (by default disabled)
    enabled: false
  # -- Enable persistent volumes
  persistentVolume:
    # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
    data:
      enabled: true
      accessModes:
        - ReadWriteOnce
      storageClassName: "nfs-client"
      size: 1Gi
    # -- Persistent volume for config folder. Stores e.g. online api credentials
    config:
      enabled: true
      accessModes:
        - ReadWriteOnce
      storageClassName: "nfs-client"
      size: 100Mi
  # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
  metrics:
    enabled: true
    # -- Creates a ServiceMonitor so Prometheus will monitor this service
    # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
    # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
    # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
    serviceMonitor:
      enabled: true
 # agent will deploy pod on every node as daemonSet to read wanted pods logs
 agent:
  acquisition:
    # The namespace where the pod is located
    - namespace: traefik-system
      # The pod name
      podName: traefik-*
      # as in crowdsec configuration, we need to specify the program name to find a matching parser
      program: traefik
  # -- Enable persistent volumes
  persistentVolume:
    # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
    config:
      enabled: false
      accessModes:
        - ReadWriteOnce
      storageClassName: ""
      existingClaim: ""
      size: 100Mi
  # -- Enable hostPath to /var/log
  hostVarLog: true
  # -- environment variables from crowdsecurity/crowdsec docker image
  env:
    - name: COLLECTIONS
      value: "crowdsecurity/traefik"
  # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
  metrics:
    enabled: true
    # -- Creates a ServiceMonitor so Prometheus will monitor this service
    # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
    # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
    # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
    serviceMonitor:
      enabled: false
      additionalLabels: {}