From 3562b3a65954f312b599eac1c47dc59f5772cefb Mon Sep 17 00:00:00 2001 From: Philip Haupt <“der.mad.mob@gmail.com”> Date: Sun, 7 Sep 2025 21:12:13 +0200 Subject: [PATCH] synapse initial commit --- synapse/kustomization.yaml | 6 + synapse/main.yaml | 485 ++++++++++++++ synapse/src/kustomization.yaml | 12 + synapse/src/values.yaml | 1122 ++++++++++++++++++++++++++++++++ 4 files changed, 1625 insertions(+) create mode 100644 synapse/kustomization.yaml create mode 100644 synapse/main.yaml create mode 100644 synapse/src/kustomization.yaml create mode 100644 synapse/src/values.yaml diff --git a/synapse/kustomization.yaml b/synapse/kustomization.yaml new file mode 100644 index 0000000..4ae436c --- /dev/null +++ b/synapse/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - main.yaml \ No newline at end of file diff --git a/synapse/main.yaml b/synapse/main.yaml new file mode 100644 index 0000000..0577f1f --- /dev/null +++ b/synapse/main.yaml @@ -0,0 +1,485 @@ +apiVersion: v1 +data: + homeserver.yaml: "# NOTE:\n# Secrets are stored in separate configs to better fit + K8s concepts\n\n## Server ##\n\nserver_name: \"borninpain.de\"\npublic_baseurl: + \"https://borninpain.de\"\npid_file: /homeserver.pid\nweb_client: False\nsoft_file_limit: + 0\nlog_config: \"/synapse/config/log.yaml\"\nreport_stats: false\n\ninstance_map:\n + \ main:\n host: synapse-replication\n port: 9093\n\n## Ports ##\n\nlisteners:\n + \ - port: 8008\n tls: false\n bind_addresses: [\"::\"]\n type: http\n + \ x_forwarded: true\n\n resources:\n - names: \n - client\n + \ - federation\n compress: false\n\n - port: 9090\n tls: false\n + \ bind_addresses: [\"::\"]\n type: http\n\n resources:\n - names: + [metrics]\n compress: false\n\n - port: 9093\n tls: false\n bind_addresses: + [\"::\"]\n type: http\n\n resources:\n - names: [replication]\n compress: + false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path: + \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: false\n\n## + Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: + \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys + from.\ntrusted_key_servers:\n - server_name: matrix.org\n\n## Workers ##\n" + log.yaml: | + version: 1 + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + level: INFO + loggers: + synapse: + level: INFO + root: + level: INFO + handlers: [console] +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.137.0 + helm.sh/chart: matrix-synapse-3.12.7 + name: synapse-matrix-synapse +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.137.0 + helm.sh/chart: matrix-synapse-3.12.7 + name: synapse-matrix-synapse +stringData: + config.yaml: "## Registration ##\n\nregistration_shared_secret: \"XJZazKMZ0yxZn41THYnuWNhy\"\n\n## + API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n + \ args:\n user: \"synapse\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: + \"synapse\"\n host: \"synapse-postgresql\"\n port: 5432\n sslmode: \"prefer\"\n + \ cp_min: 5\n cp_max: 10\n \n\n## Redis configuration ##\n\nredis:\n enabled: + true\n host: \"redis-master.redis.svc.cluster.local\"\n port: 6379\n password: + \"@@REDIS_PASSWORD@@\"\n dbid: 2\n" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 15.4.0 + helm.sh/chart: postgresql-12.12.10 + name: synapse-postgresql + namespace: synapse +spec: + ports: + - name: tcp-postgresql + nodePort: null + port: 5432 + targetPort: tcp-postgresql + selector: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: synapse + app.kubernetes.io/name: postgresql + sessionAffinity: None + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 15.4.0 + helm.sh/chart: postgresql-12.12.10 + name: synapse-postgresql-hl + namespace: synapse +spec: + clusterIP: None + ports: + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + publishNotReadyAddresses: true + selector: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: synapse + app.kubernetes.io/name: postgresql + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.137.0 + helm.sh/chart: matrix-synapse-3.12.7 + name: synapse-matrix-synapse +spec: + ports: + - name: http + port: 8008 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: synapse + app.kubernetes.io/name: matrix-synapse + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.137.0 + helm.sh/chart: matrix-synapse-3.12.7 + name: synapse-replication +spec: + ports: + - name: replication + port: 9093 + protocol: TCP + targetPort: replication + selector: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: synapse + app.kubernetes.io/name: matrix-synapse + type: ClusterIP +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.137.0 + helm.sh/chart: matrix-synapse-3.12.7 + name: synapse-matrix-synapse +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + storageClassName: openebs-3-replicas +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.137.0 + helm.sh/chart: matrix-synapse-3.12.7 + name: synapse-matrix-synapse +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: synapse + app.kubernetes.io/name: matrix-synapse + strategy: + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: dab251d30ce24b7cfadde305d1491b34df6c6db3a75b49073547f3e31472f62b + checksum/secrets: 8c94b6a8ad91d3f67c95e8b79f3d314dff1fe05c9089c3e5c9a9ada2a00237a2 + labels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: synapse + app.kubernetes.io/name: matrix-synapse + spec: + containers: + - command: + - sh + - -c + - | + export POSTGRES_PASSWORD=$(echo "${POSTGRES_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ + export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ + cat /synapse/secrets/*.yaml | \ + sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ + -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ + > /synapse/config/conf.d/secrets.yaml + + exec python -B -m synapse.app.homeserver \ + -c /synapse/config/homeserver.yaml \ + -c /synapse/config/conf.d/ + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: db-pass + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + key: redis-pass + name: synapse + image: ghcr.io/element-hq/synapse:v1.137.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /health + port: http + name: synapse + ports: + - containerPort: 8008 + name: http + protocol: TCP + - containerPort: 9093 + name: replication + protocol: TCP + - containerPort: 9090 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /health + port: http + resources: {} + securityContext: {} + startupProbe: + failureThreshold: 12 + httpGet: + path: /health + port: http + volumeMounts: + - mountPath: /synapse/config + name: config + - mountPath: /synapse/config/conf.d + name: tmpconf + - mountPath: /synapse/secrets + name: secrets + - mountPath: /synapse/keys + name: signingkey + - mountPath: /synapse/data + name: media + - mountPath: /tmp + name: tmpdir + securityContext: {} + serviceAccountName: default + volumes: + - configMap: + name: synapse-matrix-synapse + name: config + - name: secrets + secret: + secretName: synapse-matrix-synapse + - name: signingkey + secret: + items: + - key: signing-key + path: signing.key + secretName: synapse + - emptyDir: {} + name: tmpconf + - emptyDir: {} + name: tmpdir + - name: media + persistentVolumeClaim: + claimName: synapse-matrix-synapse +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 15.4.0 + helm.sh/chart: postgresql-12.12.10 + name: synapse-postgresql + namespace: synapse +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: synapse + app.kubernetes.io/name: postgresql + serviceName: synapse-postgresql-hl + template: + metadata: + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 15.4.0 + helm.sh/chart: postgresql-12.12.10 + name: synapse-postgresql + spec: + affinity: + nodeAffinity: null + podAffinity: null + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: synapse + app.kubernetes.io/name: postgresql + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - env: + - name: BITNAMI_DEBUG + value: "false" + - name: POSTGRESQL_PORT_NUMBER + value: "5432" + - name: POSTGRESQL_VOLUME_DIR + value: /bitnami/postgresql + - name: PGDATA + value: /bitnami/postgresql/data + - name: POSTGRES_USER + value: synapse + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: db-pass + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: postgres-password + name: db-pass + - name: POSTGRES_DATABASE + value: synapse + - name: POSTGRES_INITDB_ARGS + value: --lc-collate=C --lc-ctype=C + - name: POSTGRESQL_ENABLE_LDAP + value: "no" + - name: POSTGRESQL_ENABLE_TLS + value: "no" + - name: POSTGRESQL_LOG_HOSTNAME + value: "false" + - name: POSTGRESQL_LOG_CONNECTIONS + value: "false" + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: "false" + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: "off" + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: error + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: pgaudit + image: docker.io/bitnami/postgresql:15.4.0-debian-11-r45 + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U "synapse" -d "dbname=synapse" -h 127.0.0.1 -p 5432 + failureThreshold: 6 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: postgresql + ports: + - containerPort: 5432 + name: tcp-postgresql + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + - | + exec pg_isready -U "synapse" -d "dbname=synapse" -h 127.0.0.1 -p 5432 + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: {} + requests: + cpu: 250m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 0 + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /dev/shm + name: dshm + - mountPath: /bitnami/postgresql + name: data + hostIPC: false + hostNetwork: false + securityContext: + fsGroup: 1001 + serviceAccountName: default + volumes: + - emptyDir: + medium: Memory + name: dshm + updateStrategy: + rollingUpdate: {} + type: RollingUpdate + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 16Gi + storageClassName: openebs-3-replicas +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + helm.sh/hook: test-success + labels: + app.kubernetes.io/instance: synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.137.0 + helm.sh/chart: matrix-synapse-3.12.7 + name: synapse-matrix-synapse-test-connection +spec: + containers: + - args: + - synapse-matrix-synapse:8008/_matrix/client/versions + command: + - wget + image: busybox + name: wget + restartPolicy: Never diff --git a/synapse/src/kustomization.yaml b/synapse/src/kustomization.yaml new file mode 100644 index 0000000..8423a3b --- /dev/null +++ b/synapse/src/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +helmCharts: + - name: matrix-synapse + repo: https://ananace.gitlab.io/charts + version: 3.12.7 + releaseName: synapse + includeCRDs: true + namespace: synapse + valuesFile: values.yaml diff --git a/synapse/src/values.yaml b/synapse/src/values.yaml new file mode 100644 index 0000000..a166f62 --- /dev/null +++ b/synapse/src/values.yaml @@ -0,0 +1,1122 @@ +--- +## Docker image configuration, used for Synapse and workers. +## +image: + repository: ghcr.io/element-hq/synapse + ## Tag to override with, will default to the application version. + ## + # tag: '' + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## Override part of the installed name, will still keep release name. +## +# nameOverride: "" + +## Override the full name of the installed chart. +## +# fullnameOverride: "" + + +## The Matrix domain name, this is what will be used for the domain part in +## your MXIDs. +## +serverName: 'borninpain.de' + +## The public Matrix server name, this will be used for any public URLs +## in config as well as for client API links in the ingress. +# publicServerName: 'matrix.example.com' + +## Force the chart to use ArgoCD compatibility. It should automatically detect it, but you can force it here to be sure. +# argoCD: true + +## The source of the signing key used by Synapse in federation. +## +signingkey: + ## Enable a Kubernetes job to generate and store a signing key if one does not + ## exist. + ## If you have already run a Matrix server at some point on your domain then + ## you will want to keep the old signing key, either by using the `existingSecret` + ## configuration, or by including the old key under `extraConfig.old_signing_keys` + ## + ## If you lose your signing key then any federation traffic from your instance + ## might not be trusted any more by the wider network. + ## + ## After the initial install, the job should be disabled to speed up subsequent upgrades. + ## + job: + enabled: false + + ## Annotations to apply to the signing-key-job. + ## + annotations: {} + # argocd.argoproj.io/hook: PostSync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + + generateImage: + repository: matrixdotorg/synapse + # tag: latest + pullPolicy: IfNotPresent + + publishImage: + repository: bitnami/kubectl + # tag: latest + pullPolicy: IfNotPresent + + ## Configure for pod job security policy, setting ovnership of the pod such that + ## synapse owns the files created by signing key job. + ## Synapse default UID:GID is 666:666 + ## + ## Some systems will have a default owner such as root to own the files, synpase + ## will not be able to access the files in such a case, deppending on permissions. + podSecurityContext: {} + # fsGroup: 666 + # runAsGroup: 666 + # runAsUser: 666 + + ## Configuration for the container security policy, refer to the above + ## podSecurityContext for more relevant information. + ## + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 666 + + ## Specify an existing signing key secret, will need to be created in advance. + ## + existingSecret: synapse + existingSecretKey: signing-key + + ## Resources to apply to the signing key generation job + ## + resources: {} + # limits: + # cpu: 100m + # memory: 250Mi + # requests: + # cpu: 100m + # memory: 250Mi + +## Matrix configuration values that affect other parts of the chart, for any +## value not handled by this block, you will want to instead set it in +## extraConfig below. +## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml +## +config: + ## The publicly accessible URL for the Synapse instance, will default to + ## https://. + ## + # publicBaseurl: 'https://matrix.example.com' + + ## The log level for Synapse and all modules. + ## + # logLevel: INFO + + ## Should usage stats be reported + ## + reportStats: false + + ## Protect registration with recaptcha. (optional) + ## + # recaptcha: + # publicKey: '' + # privateKey: '' + + ## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC + ## calls. + ## + # turnUris: [] + # turnSecret: '' + + ## Registration configuration, note that registration with the + ## container-internal register_new_matrix_user tool is always possible. + ## + # enableRegistration: false + + ## NB; this value will default to a random string if not specified. + # registrationSharedSecret: '' + + ## NB; Strongly recommended to set this to a secure value. + # macaroonSecretKey: '' + + ## A set of trusted servers to contact if another server doesn't respond to a + ## signing key request. + ## + trustedKeyServers: + - server_name: matrix.org + # verify_keys: + # "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + ## The bind addresses to use for the default listeners + ## + # bindAddresses: + # - '::' + + ## Extra listeners to configure. + ## + extraListeners: [] + # - port: 9000 + # bind_addresses: ['::'] + # type: manhole + + ## Extra listener types to add onto the main listener. + ## + extraMainListenerTypes: [] + # - consent + + ## Logging + # use TerseJsonFormatter structured logging + # Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html + useStructuredLogging: false + +## Specify arbitrary Synapse configuration here; +## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml +## +extraConfig: {} +# old_signing_keys: +# "ed25519:id": { key: "base64string", expired_ts: 123456789123 } +# use_presence: false +# enable_search: false +# federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com +# dynamic_thumbnails: true + +## Specify additional loggers configutation here; +## Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html +extraLoggers: {} +# synapse.storage.SQL: +# level: WARNING + +## Specify arbitrary - secret - Synapse configuration here; +## These values will be stored in secrets instead of configmaps +## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml +## +extraSecrets: {} +# password_config: +# pepper: '' + +## Configuration to apply to the main Synapse pod. +## +synapse: + ## Only really applicable when the deployment has an RWO PV attached (e.g. when media repository + ## is enabled for the main Synapse pod) + ## Since replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + strategy: + type: RollingUpdate + + ## Applies a disruption budget to the main Synapse deployment. + ## Either minAvailable or maxUnavailable can be specified, but not both. + ## + podDisruptionBudget: + enabled: false + # minAvailable: 75% + # maxUnavailable: 25% + + ## Annotations to apply to the main Synapse pod. + ## + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/path: "/_synapse/metrics" + # prometheus.io/port: "9090" + + ## Labels to apply to the main Synapse pod. + ## + labels: {} + + ## Additional environment variables to apply to the main Synapse pod + ## + extraEnv: [] + # - name: LD_PRELOAD + # value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 + # - name: SYNAPSE_CACHE_FACTOR + # value: "2" + + ## Additional volumes to mount into Synapse + ## + extraVolumes: [] + # - name: spamcheck + # flexVolume: + # driver: ananace/git-live + # options: + # repo: https://github.com/company/synapse-module + # interval: 1d + # readOnly: true + extraVolumeMounts: [] + # - name: spamcheck + # mountPath: /usr/local/lib/python3.7/site-packages/company + + ## Extra commands to run when starting Synapse + ## + extraCommands: [] + # - 'apt-get update -yqq && apt-get install patch -yqq' + # - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch' + + ## Configuration for the pod security policy, Synapse will by always run as + ## its own user, even if not set. + ## Note that changing this may also require you to use the volumePermission + ## helper depending on your storage. + ## + ## NB; The synapse install is currently unable to run as anything but UID:GID + ## 666:666. + ## + podSecurityContext: {} + # fsGroup: 666 + # runAsGroup: 666 + # runAsUser: 666 + + ## Configuration for the container security policy, refer to the above + ## podSecurityContext for more relevant information. + ## + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 666 + + ## Resources to apply to the main Synapse pod. + ## + resources: {} + # limits: + # cpu: 1000m + # memory: 2500Mi + # requests: + # cpu: 1000m + # memory: 2500Mi + + ## Liveness probe configuration to use + ## + livenessProbe: + httpGet: + path: /health + port: http + + ## Readiness probe configuration to use + ## + readinessProbe: + httpGet: + path: /health + port: http + + ## Startup probe configuration to use + ## + startupProbe: + failureThreshold: 12 + httpGet: + path: /health + port: http + + ## Node selectors to set for the main Synapse pod. + ## + nodeSelector: {} + + ## Tolerations to set for the main Synapse pod. + ## + tolerations: [] + + ## Affinity to set for the main Synapse pod. + ## + affinity: {} + +## Configuration for handling Synapse workers, which are useful for handling +## high-load deployments. +## +## More information is available at; +## https://github.com/matrix-org/synapse/blob/master/docs/workers.md +## +workers: + ## Default configuration, this is inherited into all workers, and can also be + ## overriden on each worker type. + ## + default: + ## The number of worker replicas, note that some workers require special + ## handling. Refer to the information URL above. + ## + replicaCount: 1 + + ## Update strategy - only really applicable for deployments with RWO PVs attached (e.g. media repository) + ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + strategy: + type: RollingUpdate + + ## Applies a disruption budget to the worker deployment. + ## Either minAvailable or maxUnavailable can be specified, but not both. + ## + podDisruptionBudget: + enabled: false + # minAvailable: 75% + # maxUnavailable: 25% + + ## A specific name for this worker, can't be set globally. + ## Note that this can only be set when replicaCount is 1 + # name: + + ## Additional configuration to set for the worker, can't be set globally. + # extraConfig: {} + + ## Annotations to apply to the worker. + ## + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/path: /_synapse/metrics + # prometheus.io/port: 9090 + + ## Additional environment variables to add to the worker. + ## + extraEnv: [] + # - name: LD_PRELOAD + # value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 + # - name: SYNAPSE_CACHE_FACTOR + # value: "1.0" + + ## Additional volumes to add to the worker. + ## Useful for the media repo, or for adding Python modules. + ## + volumes: [] + volumeMounts: [] + + ## Extra commands to run when starting Synapse + ## + extraCommands: [] + # - 'apt-get update -yqq && apt-get install patch -yqq' + # - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch' + + ## Security context information to set to the worker. + ## + podSecurityContext: {} + # fsGroup: 666 + # runAsGroup: 666 + # runAsUser: 666 + + ## Container security context information to set to the worker. + ## + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 666 + + ## Resources to apply to the worker. + ## + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Liveness probe configuration to use + ## + livenessProbe: + httpGet: + path: /health + port: metrics + + ## Readiness probe configuration to use + ## + readinessProbe: + httpGet: + path: /health + port: metrics + + ## Readiness probe configuration to use + ## Defaults to allowing workers 60 seconds to start up + ## + startupProbe: + failureThreshold: 6 + httpGet: + path: /health + port: metrics + + ## Node selector configuration to set on the worker. + ## + nodeSelector: {} + + ## Toleration configuration to set on the worker. + ## + tolerations: [] + + ## Affinity configuration to set on the worker. + ## + affinity: {} + + ## The generic worker can be used to handle most endpoints. + ## Be careful when enabling the sync endpoints as they can eat large amounts of + ## resources. Refer to the information URL above for more info. + ## Proper load balancing with the K8s Ingress resource may not be possible. + ## + generic_worker: + enabled: false + generic: true + listeners: [client, federation] + csPaths: + ## Sync requests + # - "/_matrix/client/(r0|v3)/sync$" + - "/_matrix/client/(api/v1|r0|v3)/events$" + # - "/_matrix/client/(api/v1|r0|v3)/initialSync$" + # - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" + + ## Client API requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" + - "/_matrix/client/v1/rooms/.*/hierarchy$" + - "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$" + - "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$" + - "/_matrix/client/(r0|v3|unstable)/account/3pid$" + - "/_matrix/client/(r0|v3|unstable)/account/whoami$" + - "/_matrix/client/(r0|v3|unstable)/devices$" + - "/_matrix/client/versions$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/search$" + + ## Encryption requests + - "/_matrix/client/(r0|v3|unstable)/keys/query$" + - "/_matrix/client/(r0|v3|unstable)/keys/changes$" + - "/_matrix/client/(r0|v3|unstable)/keys/claim$" + - "/_matrix/client/(r0|v3|unstable)/room_keys/" + + ## Registration/login requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/login$" + - "/_matrix/client/(r0|v3|unstable)/register$" + - "/_matrix/client/v1/register/m.login.registration_token/validity$" + + ## Event sending requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/join/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/profile/" + + ## User directory search requests + - "/_matrix/client/(r0|v3|unstable)/user_directory/search" + + ## Worker event streams + ## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers + ## + + ## The typing event stream + # - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing" + + ## The to_device event stream + # - "/_matrix/client/(r0|v3|unstable)/sendToDevice/" + + ## The account_data event stream + # - "/_matrix/client/(r0|v3|unstable)/.*/tags" + # - "/_matrix/client/(r0|v3|unstable)/.*/account_data" + + ## The receipts event stream + # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" + # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" + + ## The presence event stream + # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/" + + paths: + ## Federation requests + - "/_matrix/federation/v1/event/" + - "/_matrix/federation/v1/state/" + - "/_matrix/federation/v1/state_ids/" + - "/_matrix/federation/v1/backfill/" + - "/_matrix/federation/v1/get_missing_events/" + - "/_matrix/federation/v1/publicRooms" + - "/_matrix/federation/v1/query/" + - "/_matrix/federation/v1/make_join/" + - "/_matrix/federation/v1/make_leave/" + - "/_matrix/federation/(v1|v2)/send_join/" + - "/_matrix/federation/(v1|v2)/send_leave/" + - "/_matrix/federation/(v1|v2)/invite/" + - "/_matrix/federation/v1/event_auth/" + - "/_matrix/federation/v1/exchange_third_party_invite/" + - "/_matrix/federation/v1/user/devices/" + - "/_matrix/key/v2/query" + - "/_matrix/federation/v1/hierarchy/" + + ## Inbound federation transaction request + - "/_matrix/federation/v1/send/" + + ## To separate the generic worker into specific concerns - for example federation transaction receiving; + ## NB; This worker should have incoming traffic routed based on source IP, which is + ## left as an exercise to the reader. + ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing + # federation_reader: + # enabled: true + # generic: true + # listeners: [federation] + # paths: + # - "/_matrix/federation/v1/send/" + + ## Or /sync handling. + ## NB; Care should be taken to route users to the same instance when scaling this worker, + ## this is left as an exercise to the reader. + ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing + # synchrotron: + # enabled: true + # generic: true + # listeners: [client] + # csPaths: + # - "/_matrix/client/(v2_alpha|r0|v3)/sync$" + # - "/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$" + # - "/_matrix/client/(api/v1|r0|v3)/initialSync$" + # - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" + + ## Specialized - non-generic workers below; + + ## This worker deals with pushing notifications. + ## NB; Only one instance of this worker can be run at a time, refer to the + ## information URL above. + ## + pusher: + enabled: false + + ## This worker handles sending data to registered appservices. + ## NB; Only one instance of this worker can be run at at time, refer to the + ## information URL above. + ## + appservice: + enabled: false + generic: true + name: appservices + + ## This worker handles sending federation traffic to other Synapse servers. + ## + federation_sender: + enabled: false + + ## Specialized workers can also be run as multiple separate instances, + ## make sure to read the relevant documentation. + ## + # federation_sender_other: + # app: federation_sender + # enabled: false + + ## This worker deals with serving and storing media. + ## NB; Running multiple instances will conflict with background jobs. + ## + media_repository: + enabled: false + listeners: [media] + csPaths: + - "/_matrix/media/.*" + - "/_matrix/client/v1/media/.*" + - "/_matrix/federation/v1/media/.*" + - "/_synapse/admin/v1/purge_media_cache$" + - "/_synapse/admin/v1/room/.*/media" + - "/_synapse/admin/v1/user/.*/media" + - "/_synapse/admin/v1/media/" + - "/_synapse/admin/v1/quarantine_media/" + - "/_synapse/admin/v1/users/.*/media$" + paths: + - "/_matrix/media/.*" + - "/_matrix/client/v1/media/.*" + - "/_matrix/federation/v1/media/.*" + + ## This worker deals with user directory searches. + ## + user_dir: + enabled: false + name: userdir + listeners: [client] + csPaths: + - "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$" + + ## This worker handles key uploads, and may also stub out presence if that is + ## disabled. If you set extraConfig.use_presence=false then you may want to + ## uncomment the second path. + ## + frontend_proxy: + enabled: false + listeners: [client] + csPaths: + - "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload" + # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status" + +## This will set up a Lighttpd server to respond to any +## /.well-known/matrix/server requests, to make federation possible without +## adding SRV-records to DNS. +## +wellknown: + enabled: false + replicaCount: 1 + + ## Applies a disruption budget to the well-known deployment. + ## Either minAvailable or maxUnavailable can be specified, but not both. + ## + podDisruptionBudget: + enabled: false + # minAvailable: 75% + # maxUnavailable: 25% + + # Lighttpd does not bind on IPv6 by default, although this is required in + # Ipv6-only clusters. + useIpv6: false + + ## The host and port combo to serve on .well-known/matrix/server. + ## + server: {} + # m.server: matrix.example.com:443 + + ## Data to serve on .well-known/matrix/client. + ## + client: {} + # m.homeserver: + # base_url: https://matrix.example.com + + ## Configuration for the wellknown service. + ## + service: + type: ClusterIP + port: 80 + + ## Extra data objects to serve under .well-known/matrix/ + ## Dictionaries will be JSON converted, plain strings will be served as they are + ## + extraData: {} + ## MSC1929 example; + # support: + # admins: + # - matrix_id: '@admin:example.com' + # email_address: 'admin@example.com' + # role: 'admin' + # support_page: 'https://example.com/support' + + ## A custom htdocs path, useful when running another image. + ## + htdocsPath: /var/www/localhost/htdocs + + ## The lighttpd image to run. + ## + image: + repository: ghcr.io/rtsp/docker-lighttpd + tag: latest + pullPolicy: Always + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Configuration for the pod security policy. + ## + podSecurityContext: {} + # fsGroup: 101 + # runAsGroup: 101 + # runAsUser: 100 + + ## Configuration for the container security policy. + ## + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 100 + + ## Resource configuration to apply to the well-known server. + ## + resources: {} + # limits: + # cpu: 5m + # memory: 15Mi + # requests: + # cpu: 5m + # memory: 15Mi + + ## Node selectors to set for the well-known server. + ## + nodeSelector: {} + + ## Tolerations to set for the well-known server. + ## + tolerations: [] + + ## Affinity to set for the main well-known server. + ## + affinity: {} + +## This configuration is for setting up the internally provided Postgres server, +## if you instead want to use an existing server, then you may want to set +## enabled to false and configure the externalPostgresql block. +## +postgresql: + enabled: true + + auth: + # XXX Change me! + # password: synapse + + ## Or use existing secret with "password" key + ## instead of static password + ## + existingSecret: db-pass + + username: synapse + database: synapse + + primary: + initdb: + args: "--lc-collate=C --lc-ctype=C" + + persistence: + storageClass: openebs-3-replicas + size: 16Gi + + ## Extra arguments for the database connection + ## ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config + ## + extraArgs: {} + +## An externally configured Postgres server to use for Synapse's database, note +## that the database needs to have both COLLATE and CTYPE set to "C". +## +externalPostgresql: + # host: postgres + port: 5432 + username: synapse + # password: synapse + + ## The name of an existing secret with postgresql credentials + # existingSecret: postgres-secrets + + ## Password key to be retrieved from existing secret + # existingSecretPasswordKey: postgres-password + + database: synapse + # sslmode: prefer + + ## Extra arguments for the database connection + ## ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config + ## + extraArgs: {} + +## This configuration is for the internal Redis that's deployed for use with +## workers/sharding, for an external Redis server you want to set enabled to +## false and configure the externalRedis block. +## +redis: + enabled: false + + ## Database ID for non-default database + # dbid: 0 + + auth: + enabled: true + # XXX Change me! + password: synapse + + ## Or use existing secret with "redis-password" key + ## instead of static password + ## + # existingSecret: redis-secret + + architecture: standalone + master: + kind: Deployment + persistence: + ## Note that Synapse only uses redis as a synchronization utility, so no + ## data will ever need to be persisted. + ## + enabled: false + service: + port: 6379 + + ## TLS configuration + ## TODO: certs + # tls: + # enabled: false + +## An externally configured Redis server to use for workers/sharding. +## +externalRedis: + host: redis-master.redis.svc.cluster.local + port: 6379 + # password: synapse + + ## Database ID for non-default database + dbid: 2 + + ## The name of an existing secret with redis credentials + existingSecret: synapse + + ## Password key to be retrieved from existing secret + existingSecretPasswordKey: redis-pass + + ## TLS configuration + ## TODO: certs + # tls: false + +## Persistence configuration for the media repository function. +## This PVC will be mounted in either Synapse or a media_repo worker. +## +## NB; If you want to be able to scale this, you will have to set the +## accessMode to RWX/ReadWriteMany. +## +persistence: + enabled: true + # existingClaim: synapse-data + + storageClass: openebs-3-replicas + accessMode: ReadWriteOnce + size: 10Gi + +## Set up an init container to chown the mounted media if necessary. +## +volumePermissions: + enabled: false + + uid: 666 + gid: 666 + + image: + repository: alpine + tag: latest + pullPolicy: Always + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## Configuration for the main Synapse service. +## To use TLS inside Synapse itself, add an TLS listener, and change the ports +## configured in here. +## +service: + type: ClusterIP + port: 8008 + targetPort: http + +## The K8s ingress configuration, this will be quite heavily used in order to +## set up all routing necessary for use with a sharded Synapse instance. +## If you're not using a Ingress compatible K8s ingress, you will need to set up +## your own routing instead. +## +ingress: + enabled: false + + ## Generate traefik-compatible regex paths instead of nginx-compatible ones. + ## + traefikPaths: false + + ## Annotations to apply to the created ingress resource. + ## + annotations: {} + # nginx.ingress.kubernetes.io/use-regex: "true" + # # Sync proxy-body-size with Synapse's max_upload_size which is 10M by default + # nginx.ingress.kubernetes.io/proxy-body-size: 10m + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + ## Hosts to add to the ingress configuration for handling Client-to-Server + ## API request paths. + ## + ## NB; config.serverName is included if includeServerName is set. (default) + ## + csHosts: [] + # - matrix.example.com + + ## Additional hosts to add to the ingress configuration for handling + ## Server-to-Server API requests. + ## + ## NB; config.serverName is included if includeServerName is set. (default) + ## + hosts: [] + # - example.com + + ## Additional hosts to add to the ingress configuration for handling + ## well-known requests. + ## + ## NB; config.serverName is included if includeServerName is set. (default) + ## + wkHosts: [] + # - example.com + + ## Additional paths to add to the Server-to-Server ingress blocks, will be + ## inserted before the /_matrix catch-all path. + ## + paths: [] + # # K8s 1.19+ + # - path: /_matrix/media + # pathType: Prefix + # backend: + # service: + # name: matrix-media-repo + # port: 8000 + # # K8s <1.19 + # - path: /_matrix/media + # backend: + # serviceName: matrix-media-repo + # servicePort: 8000 + + ## Additional paths to add to the Client-to-Server ingress blocks, will be + ## inserted before the /_matrix and /_synapse catch-all paths. + ## + csPaths: [] + # # K8s 1.19+ + # - path: /_matrix/media + # pathType: Prefix + # backend: + # service: + # name: matrix-media-repo + # port: + # number: 8000 + # # K8s <1.19 + # - path: /_matrix/media + # backend: + # serviceName: matrix-media-repo + # servicePort: 8000 + + ## Should the /_synapse path be included in the ingress, admin APIs are + ## provided under this path. + ## + includeUnderscoreSynapse: true + + ## Should config.serverName be included in the list of ingress paths, can be + ## set to false if the main domain is managed in some external way. + ## + includeServerName: true + + ## TLS configuration to include in the ingress configuration + ## + tls: [] + # - secretName: chart-example-tls + # hosts: + # - example.com + # - matrix.example.com + + ## Set the name of the IngressClass cluster resource (optional) + ## https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec + # className: can-be-anything + +## The K8s gateway HTTPRule configuration, this will be used in order to +## set up all routing necessary for use with a sharded Synapse instance. +## If you're not using a Gateway compatible K8s ingress, you might need to use +## the ingress configuration instead. +## +gateway: + enabled: false + + ## Annotations to apply to the created HTTPRule resource. + ## + annotations: {} + + ## Hosts to add to the HTTPRule configuration for handling Client-to-Server + ## API request paths. + ## + ## NB; config.serverName is included if includeServerName is set. (default) + ## + csHosts: [] + # - matrix.example.com + + ## Additional hosts to add to the HTTPRule configuration for handling + ## Server-to-Server API requests. + ## + ## NB; config.serverName is included if includeServerName is set. (default) + ## + hosts: [] + # - example.com + + ## Additional hosts to add to the HTTPRule configuration for handling + ## well-known requests. + ## + ## NB; config.serverName is included if includeServerName is set. (default) + ## + wkHosts: [] + # - example.com + + ## Additional paths to add to the Server-to-Server HTTPRule blocks, will be + ## inserted before the /_matrix catch-all path. + ## + paths: [] + # - backendRefs: + # - kind: Service + # name: matrix-media-repo + # port: 8000 + # matches: + # - path: + # type: PathPrefix + # value: /_matrix/media + + ## Additional paths to add to the Client-to-Server ingress blocks, will be + ## inserted before the /_matrix and /_synapse catch-all paths. + ## + csPaths: [] + # - backendRefs: + # - kind: Service + # name: matrix-media-repo + # port: 8000 + # matches: + # - path: + # type: PathPrefix + # value: /_matrix/media + + ## Should the /_synapse path be included in the HTTPRule, admin APIs are + ## provided under this path. + ## + includeUnderscoreSynapse: true + + ## Should config.serverName be included in the list of HTTPRule paths, can be + ## set to false if the main domain is managed in some external way. + ## + includeServerName: true + + ## Set the parentRefs of the HTTPRule resource + ## https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ParentReference + parentRefs: + # - name: example-gateway + + ## Set the global timeout for requests. + ## Note that this currently needs to be higher than your expected /sync timeout. Usually this is around 30s. + ## Some SDks however expect 60s + ## + ## Note that request MUST be higher or equals backendRequest + ## https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteTimeouts + timeouts: + request: "60s" + backendRequest: "60s" + +## Specifies whether a service account should be created, and annotations to add. +## +serviceAccount: + create: false + annotations: {} + # eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse + # name: non-default-service-name +