apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: matrix namespace: chat annotations: cert-manager.io/cluster-issuer: letsencrypt nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: "0" spec: ingressClassName: nginx tls: - hosts: - matrix.cluster.fun secretName: matrix-ingress rules: - host: matrix.cluster.fun http: paths: - path: /.well-known/matrix pathType: ImplementationSpecific backend: service: name: well-known port: number: 80 - path: / pathType: ImplementationSpecific backend: service: name: matrix-synapse port: number: 80 --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: riot namespace: chat annotations: cert-manager.io/cluster-issuer: letsencrypt nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: "0" spec: ingressClassName: nginx tls: - hosts: - chat.cluster.fun secretName: riot-ingress rules: - host: chat.cluster.fun http: paths: - path: / pathType: ImplementationSpecific backend: service: name: matrix-riot port: number: 80 --- apiVersion: apps/v1 kind: Deployment metadata: name: well-known namespace: chat annotations: configmap.reloader.stakater.com/reload: "well-known" spec: replicas: 1 selector: matchLabels: app: well-known template: metadata: labels: app: well-known spec: containers: - name: web image: nginx imagePullPolicy: IfNotPresent ports: - containerPort: 80 name: web volumeMounts: - name: well-known mountPath: /usr/share/nginx/html/.well-known/matrix resources: limits: memory: 15Mi requests: memory: 15Mi volumes: - name: well-known configMap: name: well-known --- apiVersion: v1 kind: Service metadata: name: well-known namespace: chat spec: type: ClusterIP ports: - port: 80 targetPort: 80 name: web selector: app: well-known --- apiVersion: v1 kind: ConfigMap metadata: name: well-known namespace: chat data: server: |- { "m.server": "matrix.cluster.fun:443" } client: |- { "m.homeserver": { "base_url": "https://matrix.cluster.fun" }, "org.matrix.msc3575.proxy": { "url": "https://syncv3.matrix.cluster.fun" } } --- # Source: matrix/templates/riot/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: matrix-riot-config namespace: chat labels: app.kubernetes.io/name: "matrix" component: element data: config.json: | { "default_server_config": { "m.homeserver": { "base_url": "https://matrix.cluster.fun" } }, "brand": "Element", "branding": {}, "integrations_ui_url": "https://scalar.vector.im/", "integrations_rest_url": "https://scalar.vector.im/api", "integrations_widgets_urls": [ "https://scalar.vector.im/_matrix/integrations/v1", "https://scalar.vector.im/api", "https://scalar-staging.vector.im/_matrix/integrations/v1", "https://scalar-staging.vector.im/api", "https://scalar-staging.riot.im/scalar/api" ], "showLabsSettings": true, "features": { "feature_pinning": true, "feature_custom_status": "labs", "feature_state_counters": "labs", "feature_many_integration_managers": "labs", "feature_mjolnir": "labs", "feature_dm_verification": "labs", "feature_bridge_state": "labs", "feature_presence_in_room_list": true, "feature_custom_themes": "labs", "feature_new_spinner": "labs", "feature_jump_to_date": "labs", "feature_location_share_pin_drop": "labs", "feature_location_share_live": "labs", "feature_thread": true, "feature_video_rooms": true, "feature_favourite_messages": "labs" }, "roomDirectory": { "servers": [] }, "permalinkPrefix": "https://chat.cluster.fun", "enable_presence_by_hs_url": { "https://matrix.org": false, "https://matrix-client.matrix.org": false }, "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=2IerXP2a5g1e7hxxBbzs" } nginx.conf: | worker_processes auto; error_log /var/log/nginx/error.log warn; pid /var/run/pid/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; keepalive_timeout 65; include /etc/nginx/conf.d/*.conf; } default.conf: | server { listen 8080; server_name localhost; location / { root /usr/share/nginx/html; index index.html index.htm; } # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } --- apiVersion: v1 kind: Secret metadata: name: matrix-synapse-config namespace: chat annotations: kube-1password: wbj4oozwyx6m2zz5m42pgcmymy kube-1password/vault: Kubernetes kube-1password/secret-text-key: homeserver.yaml labels: app.kubernetes.io/name: "matrix" component: synapse type: Opaque --- apiVersion: v1 kind: ConfigMap metadata: name: matrix-synapse-config namespace: chat labels: app.kubernetes.io/name: "matrix" component: element data: matrix.cluster.fun.log.config: | version: 1 formatters: precise: format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' filters: context: (): synapse.util.logcontext.LoggingContextFilter request: "" handlers: console: class: logging.StreamHandler formatter: precise filters: [context] loggers: synapse: level: WARNING synapse.storage.SQL: # beware: increasing this to DEBUG will make synapse log sensitive # information such as access tokens. level: WARNING root: level: WARNING handlers: [console] --- # Source: matrix/templates/riot/service.yaml apiVersion: v1 kind: Service metadata: name: matrix-riot namespace: chat labels: app.kubernetes.io/name: "matrix" component: element spec: type: ClusterIP ports: - port: 80 targetPort: http protocol: TCP name: http selector: app.kubernetes.io/name: matrix-riot --- # Source: matrix/templates/synapse/service.yaml apiVersion: v1 kind: Service metadata: name: matrix-synapse namespace: chat labels: app.kubernetes.io/name: "matrix" component: synapse annotations: prometheus.io/scrape: "true" prometheus.io/path: "/_synapse/metrics" prometheus.io/port: "9000" spec: type: ClusterIP ports: - port: 80 targetPort: http protocol: TCP name: http - port: 9000 targetPort: metrics protocol: TCP name: metrics selector: app.kubernetes.io/name: matrix-synapse --- # Source: matrix/templates/riot/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: matrix-riot namespace: chat labels: app.kubernetes.io/name: "matrix" component: element spec: replicas: 2 selector: matchLabels: app.kubernetes.io/name: matrix-riot template: metadata: labels: app.kubernetes.io/name: matrix-riot spec: securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 containers: - name: "riot" image: "vectorim/element-web:v1.11.86" imagePullPolicy: IfNotPresent ports: - name: http containerPort: 8080 protocol: TCP volumeMounts: - mountPath: /app/config.json name: riot-config subPath: config.json readOnly: true - mountPath: /etc/nginx/nginx.conf name: riot-config subPath: nginx.conf readOnly: true - mountPath: /etc/nginx/conf.d/default.conf name: riot-config subPath: default.conf readOnly: true - mountPath: /var/cache/nginx name: ephemeral subPath: cache - mountPath: /var/run/pid name: ephemeral subPath: pid readinessProbe: httpGet: path: / port: http startupProbe: httpGet: path: / port: http livenessProbe: httpGet: path: / port: http securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true allowPrivilegeEscalation: false volumes: - name: riot-config configMap: name: matrix-riot-config - name: ephemeral emptyDir: {} --- # Source: matrix/templates/synapse/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: matrix-synapse namespace: chat labels: app.kubernetes.io/name: "matrix" component: synapse spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: matrix-synapse strategy: type: Recreate template: metadata: labels: app.kubernetes.io/name: matrix-synapse spec: securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 initContainers: - name: generate-signing-key image: "ghcr.io/element-hq/synapse:v1.120.0" imagePullPolicy: IfNotPresent env: - name: SYNAPSE_SERVER_NAME value: matrix.cluster.fun - name: SYNAPSE_REPORT_STATS value: "no" command: ["python"] args: - "-m" - "synapse.app.homeserver" - "--config-path" - "/data/homeserver.yaml" - "--keys-directory" - "/data/keys" - "--generate-keys" volumeMounts: - name: synapse-config-homeserver mountPath: /data/homeserver.yaml subPath: homeserver.yaml - name: synapse-config-logging mountPath: /data/matrix.cluster.fun.log.config subPath: matrix.cluster.fun.log.config - name: signing-key mountPath: /data/keys containers: - name: "synapse" image: "ghcr.io/element-hq/synapse:v1.120.0" imagePullPolicy: IfNotPresent ports: - name: http containerPort: 8008 protocol: TCP - name: metrics containerPort: 9000 protocol: TCP volumeMounts: - name: synapse-config-homeserver mountPath: /data/homeserver.yaml subPath: homeserver.yaml - name: mautrix-whatsapp-registration mountPath: /data/mautrix-whatsapp-registration.yaml subPath: registration.yaml # - name: mautrix-signal-registration # mountPath: /data/mautrix-signal-registration.yaml # subPath: registration.yaml # - name: mautrix-telegram-registration # mountPath: /data/mautrix-telegram-registration.yaml # subPath: registration.yaml - name: synapse-config-logging mountPath: /data/matrix.cluster.fun.log.config subPath: matrix.cluster.fun.log.config - name: signing-key mountPath: /data/keys - name: user-media mountPath: /data/media_store - name: uploads mountPath: /data/uploads - name: tmp mountPath: /tmp readinessProbe: httpGet: path: /_matrix/static/ port: http periodSeconds: 10 timeoutSeconds: 5 startupProbe: httpGet: path: /_matrix/static/ port: http failureThreshold: 6 periodSeconds: 5 timeoutSeconds: 5 livenessProbe: httpGet: path: /_matrix/static/ port: http periodSeconds: 10 timeoutSeconds: 5 securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true allowPrivilegeEscalation: false volumes: - name: synapse-config-logging configMap: name: matrix-synapse-config - name: synapse-config-homeserver secret: secretName: matrix-synapse-config - name: mautrix-whatsapp-registration secret: secretName: mautrix-whatsapp-registration # - name: mautrix-signal-registration # secret: # secretName: mautrix-signal-registration # - name: mautrix-telegram-registration # secret: # secretName: mautrix-telegram-registration - name: signing-key persistentVolumeClaim: claimName: chat-matrix-signing-key - name: user-media persistentVolumeClaim: claimName: chat-matrix-user-media - name: uploads emptyDir: {} - name: tmp emptyDir: {} ---