diff --git a/clusters/cl01tl/manifests/matrix-synapse/-.yaml b/clusters/cl01tl/manifests/matrix-synapse/-.yaml deleted file mode 100644 index 8b1378917..000000000 --- a/clusters/cl01tl/manifests/matrix-synapse/-.yaml +++ /dev/null @@ -1 +0,0 @@ - diff --git a/clusters/cl01tl/manifests/matrix-synapse/Cluster-matrix-synapse-postgresql-18-cluster.yaml b/clusters/cl01tl/manifests/matrix-synapse/Cluster-matrix-synapse-postgresql-18-cluster.yaml new file mode 100644 index 000000000..6d8521a90 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Cluster-matrix-synapse-postgresql-18-cluster.yaml 
@@ -0,0 +1,66 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: matrix-synapse-postgresql-18-cluster + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse-postgresql-18-cluster + helm.sh/chart: postgres-18-cluster-7.12.1 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "7.12.1" + app.kubernetes.io/managed-by: Helm +spec: + instances: 3 + imageName: "ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie" + imagePullPolicy: IfNotPresent + postgresUID: 26 + postgresGID: 26 + storage: + size: 10Gi + storageClass: local-path + walStorage: + size: 2Gi + storageClass: local-path + resources: + limits: + hugepages-2Mi: 256Mi + requests: + cpu: 20m + memory: 80Mi + affinity: + enablePodAntiAffinity: true + topologyKey: kubernetes.io/hostname + primaryUpdateMethod: switchover + primaryUpdateStrategy: unsupervised + logLevel: info + enableSuperuserAccess: false + enablePDB: true + postgresql: + parameters: + hot_standby_feedback: "on" + max_slot_wal_keep_size: 2000MB + shared_buffers: 128MB + monitoring: + enablePodMonitor: true + disableDefaultQueries: false + plugins: + - name: barman-cloud.cloudnative-pg.io + enabled: true + isWALArchiver: true + parameters: + barmanObjectName: "matrix-synapse-postgresql-18-backup-garage-local" + serverName: "matrix-synapse-postgresql-18-backup-1" + bootstrap: + recovery: + database: app + source: matrix-synapse-postgresql-18-backup-1 + externalClusters: + - name: matrix-synapse-postgresql-18-backup-1 + plugin: + name: barman-cloud.cloudnative-pg.io + enabled: true + isWALArchiver: false + parameters: + barmanObjectName: "matrix-synapse-postgresql-18-recovery" + serverName: matrix-synapse-postgresql-18-backup-1 
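Review bot: `imageName` for the database is pinned by tag only (`ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie`) while every other image in this commit (synapse, hookshot, cloudflared, lighttpd, alpine) carries a `@sha256:` digest, so a retag upstream would silently change what a fresh node pulls into the cluster that holds all Synapse data. Pin it the same way, `imageName: "ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie@sha256:<digest>"`, with the digest taken from the registry at commit time. `enableSuperuserAccess: false` and the digest-free-but-named plugin references are otherwise consistent with the rest of the manifests.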
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-hookshot-init-scripts.yaml b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-hookshot-init-scripts.yaml new file mode 100644 index 000000000..a9cbd264f --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-hookshot-init-scripts.yaml 
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: matrix-synapse-valkey-hookshot-init-scripts + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +data: + init.sh: |- + #!/bin/sh + set -eu + + # Default config paths + VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf} + + LOGFILE="/data/init.log" + DATA_DIR="/data/conf" + + # Logging function (outputs to stderr and file) + log() { + echo "$(date) $1" | tee -a "$LOGFILE" >&2 + } + + # Clean old log if requested + if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then + rm -f "$LOGFILE" + fi + + if [ -f "$LOGFILE" ]; then + log "Detected restart of this instance ($HOSTNAME)" + fi + + log "Creating configuration in $DATA_DIR..." + mkdir -p "$DATA_DIR" + rm -f "$VALKEY_CONFIG" + + + # Base valkey.conf + log "Generating base valkey.conf" + { + echo "port 6379" + echo "protected-mode no" + echo "bind * -::*" + echo "dir /data" + } >>"$VALKEY_CONFIG" + # Replica mode configuration + log "Configuring replication mode" + + # Use POD_INDEX from Kubernetes metadata + POD_INDEX=${POD_INDEX:-0} + IS_MASTER=false + + # Check if this is pod-0 (master) + if [ "$POD_INDEX" = "0" ]; then + IS_MASTER=true + log "This pod (index $POD_INDEX) is configured as MASTER" + else + log "This pod (index $POD_INDEX) is configured as REPLICA" + fi + + # Configure replica settings + if [ "$IS_MASTER" = "false" ]; then + MASTER_HOST="matrix-synapse-valkey-hookshot-0.matrix-synapse-valkey-hookshot-headless.matrix-synapse.svc.cluster.local" + MASTER_PORT="6379" + + log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" + + { + echo "" + echo "# Replica Configuration" + echo "replicaof $MASTER_HOST $MASTER_PORT" + echo "replica-announce-ip matrix-synapse-valkey-hookshot-$POD_INDEX.matrix-synapse-valkey-hookshot-headless.matrix-synapse.svc.cluster.local" + } 
>>"$VALKEY_CONFIG" + fi + + # Append extra configs if present + if [ -f /usr/local/etc/valkey/valkey.conf ]; then + log "Appending /usr/local/etc/valkey/valkey.conf" + cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG" + fi + if [ -d /extravalkeyconfigs ]; then + log "Appending files in /extravalkeyconfigs/" + cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG" + fi diff --git a/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-init-scripts.yaml new file mode 100644 index 000000000..b26a9c601 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-init-scripts.yaml 
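Review bot: This instance is generated with `protected-mode no`, `bind * -::*`, no `aclfile`/`requirepass`, and the replicas use `replicaof` with no `masterauth`, so anything that can reach port 6379 in the namespace can read and rewrite hookshot's state; the sibling `matrix-synapse-valkey-init-scripts` ConfigMap in this same commit does build an ACL file with a hashed `default` user. Unless a NetworkPolicy that is not part of this diff limits the service to the hookshot pod, add the same ACL/`masterauth` block here, or at minimum `echo "requirepass $PASSWORD" >>"$VALKEY_CONFIG"` sourced from a mounted secret as the other script does. `cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"` also lets any file dropped in that mount override the settings above it, which is fine only if that mount is operator-controlled.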
@@ -0,0 +1,149 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: matrix-synapse-valkey-init-scripts + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +data: + init.sh: |- + #!/bin/sh + set -eu + + # Default config paths + VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf} + + LOGFILE="/data/init.log" + DATA_DIR="/data/conf" + + # Logging function (outputs to stderr and file) + log() { + echo "$(date) $1" | tee -a "$LOGFILE" >&2 + } + # Function to get password for a user + # Usage: get_user_password [password_key] + # Returns: password via stdout, exits with error if not found + get_user_password() { + username="$1" + password_key="${2:-$username}" + password="" + # Try to get password from existing secret first (priority) + if [ -f "/valkey-users-secret/$password_key" ]; then + password=$(cat "/valkey-users-secret/$password_key") + log "Using password from existing secret for user $username" + elif [ -f "/valkey-auth-secret/${username}-password" ]; then + # Fallback to inline password + password=$(cat "/valkey-auth-secret/${username}-password") + log "Using inline password for user $username" + else + log "ERROR: No password found for user $username" + return 1 + fi + + echo "$password" + } + + # Clean old log if requested + if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then + rm -f "$LOGFILE" + fi + + if [ -f "$LOGFILE" ]; then + log "Detected restart of this instance ($HOSTNAME)" + fi + + log "Creating configuration in $DATA_DIR..." 
+ mkdir -p "$DATA_DIR" + rm -f "$VALKEY_CONFIG" + + + # Base valkey.conf + log "Generating base valkey.conf" + { + echo "port 6379" + echo "protected-mode no" + echo "bind * -::*" + echo "dir /data" + } >>"$VALKEY_CONFIG" + # Create secure directory for ACL file + log "Creating /etc/valkey directory for ACL file" + mkdir -p /etc/valkey + + # Set aclfile path in valkey.conf + echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG" + + # Remove or reset existing ACL file if present (it may be read-only from previous run) + log "Preparing ACL file at /etc/valkey/users.acl" + if [ -f /etc/valkey/users.acl ]; then + log "Removing existing read-only users.acl file" + chmod 0600 /etc/valkey/users.acl + rm -f /etc/valkey/users.acl + fi + + # Create ACL file with secure permissions + touch /etc/valkey/users.acl + chmod 0600 /etc/valkey/users.acl + # Generate ACL entries for each user + log "Generating ACL entries for users" + + # User: default + PASSWORD=$(get_user_password "default" "default") || exit 1 + + # Hash the password and write ACL entry + PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ") + echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl + + # Set final permissions + chmod 0400 /etc/valkey/users.acl + log "ACL file created with 0400 permissions" + # Replica mode configuration + log "Configuring replication mode" + + # Use POD_INDEX from Kubernetes metadata + POD_INDEX=${POD_INDEX:-0} + IS_MASTER=false + + # Check if this is pod-0 (master) + if [ "$POD_INDEX" = "0" ]; then + IS_MASTER=true + log "This pod (index $POD_INDEX) is configured as MASTER" + else + log "This pod (index $POD_INDEX) is configured as REPLICA" + fi + + # Configure replica settings + if [ "$IS_MASTER" = "false" ]; then + MASTER_HOST="matrix-synapse-valkey-0.matrix-synapse-valkey-headless.matrix-synapse.svc.cluster.local" + MASTER_PORT="6379" + + log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" + + { + echo "" + echo "# Replica 
Configuration" + echo "replicaof $MASTER_HOST $MASTER_PORT" + echo "replica-announce-ip matrix-synapse-valkey-$POD_INDEX.matrix-synapse-valkey-headless.matrix-synapse.svc.cluster.local" + echo "" + echo "# Master authentication" + } >>"$VALKEY_CONFIG" + # Get the password for the replication user + REPL_PASSWORD=$(get_user_password "default" "default") || exit 1 + + # Write masterauth configuration + echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG" + echo "masteruser default" >>"$VALKEY_CONFIG" + log "Configured masterauth with user default" + fi + + # Append extra configs if present + if [ -f /usr/local/etc/valkey/valkey.conf ]; then + log "Appending /usr/local/etc/valkey/valkey.conf" + cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG" + fi + if [ -d /extravalkeyconfigs ]; then + log "Appending files in /extravalkeyconfigs/" + cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG" + fi diff --git a/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-wellknown-lighttpd.yaml b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-wellknown-lighttpd.yaml new file mode 100644 index 000000000..1e4d59505 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-wellknown-lighttpd.yaml 
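Review bot: On replicas the default user's plaintext password is appended to `$VALKEY_CONFIG` (`echo "masterauth $REPL_PASSWORD"`), a file under `/data/conf` on the persistent volume that is never chmod'd, while the ACL file holding only the SHA-256 hash is carefully locked to 0400 — the weaker protection is on the more sensitive file. Add `chmod 0600 "$VALKEY_CONFIG"` at the end of the script, after the `/extravalkeyconfigs` append, so the final file is owner-only. Separately, `PASSHASH=$(echo -n "$PASSWORD" | sha256sum ...)` relies on `echo -n` under `/bin/sh`, which POSIX does not guarantee; a shell that prints `-n` literally would hash the wrong string and the `default` user could never authenticate, so use `PASSHASH=$(printf '%s' "$PASSWORD" | sha256sum | cut -f 1 -d " ")`.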
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: matrix-synapse-wellknown-lighttpd + labels: + helm.sh/chart: matrix-synapse-3.12.26 + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "1.152.0" + app.kubernetes.io/managed-by: Helm + component: well-known +data: + lighttpd.conf: | + server.port = 8080 + + server.modules = ( + "mod_rewrite", + "mod_status", + "mod_accesslog", + "mod_extforward", + "mod_setenv" + ) + include "conf.d/00-mime-types.conf" + server.username = "lighttpd" + server.groupname = "lighttpd" + server.document-root = "/var/www/localhost/htdocs" + server.pid-file = "/run/lighttpd.pid" + url.rewrite-once = ( + "^/\.well-known/matrix/client" => "/client.json", + "^/\.well-known/matrix/server" => "/server.json" + ) + status.status-url = "/server-status" + extforward.forwarder = ( "all" => "trust") + setenv.add-response-header = ( + "access-control-allow-headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization", + "access-control-allow-methods" => "GET, POST, PUT, DELETE, OPTIONS", + "access-control-allow-origin" => "*" + ) + setenv.set-response-header = ( + "content-type" => "application/json" + ) + server.json: |2- + + {"m.server":"matrix.alexlebens.dev:443"} + client.json: |2- + + {"m.homeserver":{"base_url":"https://matrix.alexlebens.dev"}} diff --git a/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse.yaml new file mode 100644 index 000000000..d3aa50a79 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse.yaml 
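Review bot: `extforward.forwarder = ( "all" => "trust")` accepts `X-Forwarded-For` from any peer, so the client addresses written by the loaded `mod_accesslog` (and any `remoteip` condition you later add) can be spoofed by whoever reaches the pod directly rather than through the tunnel or ingress; restrict it to the actual proxy source, e.g. `extforward.forwarder = ( "<ingress-or-tunnel CIDR>" => "trust" )`, or drop `mod_extforward` if real client IPs are not needed for a static well-known responder. `status.status-url = "/server-status"` is likewise unauthenticated on the same public listener and only exists to serve the Deployment's liveness probe; pointing that probe at `/server.json` and removing `mod_status` closes it. The `access-control-allow-origin: *` header is required by the Matrix well-known spec and is fine as is.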
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: matrix-synapse + labels: + helm.sh/chart: matrix-synapse-3.12.26 + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "1.152.0" + app.kubernetes.io/managed-by: Helm +data: + log.yaml: | + version: 1 + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + level: INFO + loggers: + synapse: + level: INFO + root: + level: INFO + handlers: [console] + homeserver.yaml: "# NOTE:\n# Secrets are stored in separate configs to better fit K8s concepts\n\n## Server ##\n\nserver_name: \"alexlebens.dev\"\npublic_baseurl: \"https://matrix.alexlebens.dev\"\npid_file: /homeserver.pid\nweb_client: False\nsoft_file_limit: 0\nlog_config: \"/synapse/config/log.yaml\"\nreport_stats: false\n\ninstance_map:\n main:\n host: matrix-synapse-replication\n port: 9093\n\n## Ports ##\n\nlisteners:\n - port: 8008\n tls: false\n bind_addresses: [\"::\"]\n type: http\n x_forwarded: true\n\n resources:\n - names: \n - client\n - federation\n compress: false\n\n - port: 9090\n tls: false\n bind_addresses: [\"::\"]\n type: http\n\n resources:\n - names: [metrics]\n compress: false\n\n - port: 9093\n tls: false\n bind_addresses: [\"::\"]\n type: http\n\n resources:\n - names: [replication]\n compress: false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path: \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: true\n\n## Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys from.\ntrusted_key_servers:\n []\n\n## Workers ##\n\n## Extra config ##\n\napp_service_config_files:\n- 
/synapse/config/conf.d/hookshot-registration.yaml\n- /synapse/config/conf.d/double-puppet-registration.yaml\n- /synapse/config/conf.d/mautrix-whatsapp-registration.yaml\n- /synapse/config/conf.d/mautrix-discord-registration.yaml\nenable_metrics: true\nenable_registration_without_verification: true\nexperimental_features:\n msc2409_to_device_messages_enabled: true\n msc3202_device_masquerading: true\n msc3202_transaction_extensions: true\npassword_config:\n enabled: false\nsso:\n client_whitelist:\n - https://chat.alexlebens.dev/\n update_profile_information: true\n" diff --git a/clusters/cl01tl/manifests/matrix-synapse/Database-matrix-synapse-postgresql-18-database-mautrix-discord.yaml b/clusters/cl01tl/manifests/matrix-synapse/Database-matrix-synapse-postgresql-18-database-mautrix-discord.yaml new file mode 100644 index 000000000..bfbe567cd --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Database-matrix-synapse-postgresql-18-database-mautrix-discord.yaml @@ -0,0 +1,21 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Database +metadata: + name: matrix-synapse-postgresql-18-database-mautrix-discord + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse-postgresql-18-database-mautrix-discord + helm.sh/chart: postgres-18-cluster-7.12.1 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "7.12.1" + app.kubernetes.io/managed-by: Helm +spec: + name: mautrix-discord + cluster: + name: matrix-synapse-postgresql-18-cluster + ensure: present + owner: app + template: template1 + encoding: UTF8 + databaseReclaimPolicy: retain diff --git a/clusters/cl01tl/manifests/matrix-synapse/Database-matrix-synapse-postgresql-18-database-mautrix-whatsapp.yaml b/clusters/cl01tl/manifests/matrix-synapse/Database-matrix-synapse-postgresql-18-database-mautrix-whatsapp.yaml new file mode 100644 index 000000000..ef26889b6 --- /dev/null 
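Review bot: `enable_registration: true` combined with `enable_registration_without_verification: true` (in the `## Extra config ##` tail of homeserver.yaml) is the open-registration mode Synapse refuses to start in without that explicit acknowledgement: any client hitting `/register` can create accounts with no email, captcha or token gate, which on a federating server becomes a spam source. The `password_config: enabled: false` plus `sso:` block suggests SSO-only signup was intended; confirm that `/register` with `m.login.dummy` is really refused when passwords are disabled, and if it is not, set `enable_registration: false` or `registration_requires_token: true`. Also `enable_metrics: true` appears twice in the same document (under `## Metrics ###` and again in the extra config), which is last-wins and harmless but should be deduplicated.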
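Review bot: The bridge database is created with `owner: app`, the same role whose credentials Synapse consumes via `matrix-synapse-postgresql-18-cluster-app` in this commit (the `mautrix-whatsapp` Database in the next file does the same), so a compromised bridge presumably holds a role that can read and modify Synapse's own database and vice versa. Give each bridge its own owner, e.g. `owner: mautrix-discord`, declared under `spec.managed.roles` on the Cluster so CNPG materialises a separate secret, and point the bridge Deployment (not in this diff) at that secret. `databaseReclaimPolicy: retain` is a sensible default for a chat archive and needs no change.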
+++ b/clusters/cl01tl/manifests/matrix-synapse/Database-matrix-synapse-postgresql-18-database-mautrix-whatsapp.yaml @@ -0,0 +1,21 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Database +metadata: + name: matrix-synapse-postgresql-18-database-mautrix-whatsapp + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse-postgresql-18-database-mautrix-whatsapp + helm.sh/chart: postgres-18-cluster-7.12.1 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "7.12.1" + app.kubernetes.io/managed-by: Helm +spec: + name: mautrix-whatsapp + cluster: + name: matrix-synapse-postgresql-18-cluster + ensure: present + owner: app + template: template1 + encoding: UTF8 + databaseReclaimPolicy: retain diff --git a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml new file mode 100644 index 000000000..5a1993097 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml 
@@ -0,0 +1,82 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix-hookshot + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-hookshot + helm.sh/chart: matrix-hookshot-5.0.1 + namespace: matrix-synapse +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: main + app.kubernetes.io/name: matrix-hookshot + app.kubernetes.io/instance: matrix-synapse + template: + metadata: + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: matrix-hookshot + spec: + enableServiceLinks: false + serviceAccountName: matrix-synapse + automountServiceAccountToken: false + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - image: halfshot/matrix-hookshot:7.3.2@sha256:44283e5131a1a5818bbbf6d9d1e07dccdc29ac5bb6002fcf159af6ac09cf8085 + name: main + resources: + requests: + cpu: 5m + memory: 90Mi + volumeMounts: + - mountPath: /data/config.yml + mountPropagation: None + name: config + readOnly: true + subPath: config.yml + - mountPath: /data + name: data + - mountPath: /data/passkey.pem + mountPropagation: None + name: passkey + readOnly: true + subPath: passkey.pem + - mountPath: /data/registration.yml + mountPropagation: None + name: registration + readOnly: true + subPath: registration.yml + volumes: + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-hookshot-config + name: config + - name: data + persistentVolumeClaim: + claimName: matrix-hookshot + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-hookshot-config + name: passkey + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-hookshot-config + 
name: registration diff --git a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-hookshot-cloudflared.yaml b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-hookshot-cloudflared.yaml new file mode 100644 index 000000000..ba8ea5fed --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-hookshot-cloudflared.yaml @@ -0,0 +1,60 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix-synapse-hookshot-cloudflared + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: hookshot-cloudflared + app.kubernetes.io/version: 2026.5.0 + helm.sh/chart: cloudflared-hookshot-3.3.0 + namespace: matrix-synapse +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: main + app.kubernetes.io/name: hookshot-cloudflared + app.kubernetes.io/instance: matrix-synapse + template: + metadata: + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: hookshot-cloudflared + spec: + enableServiceLinks: false + serviceAccountName: matrix-synapse-hookshot-cloudflared + automountServiceAccountToken: false + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - args: + - tunnel + - --protocol + - auto + - --no-autoupdate + - --metrics + - 0.0.0.0:20241 + - run + - --token + - $(CF_MANAGED_TUNNEL_TOKEN) + env: + - name: CF_MANAGED_TUNNEL_TOKEN + valueFrom: + secretKeyRef: + key: cf-tunnel-token + name: matrix-synapse-hookshot-cloudflared-secret + image: cloudflare/cloudflared:2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9 + imagePullPolicy: IfNotPresent + name: main + resources: + requests: + cpu: 1m + memory: 20Mi 
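Review bot: The hookshot container declares no `securityContext` at all, so it runs with the image's default user and the runtime's full default capability set, even though the pod spec shows the intent was least privilege (`automountServiceAccountToken: false`, `hostPID`/`hostIPC`/`hostNetwork: false`); hookshot is presumably the component receiving third-party webhooks through the tunnel, which makes it the natural first hop for an attacker. Add `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}, readOnlyRootFilesystem: true}` on the container — `/data` is already a writable PVC, so a read-only root filesystem should not need anything else. `serviceAccountName: matrix-synapse` is shared with the homeserver, which is moot while the token is not mounted but worth a dedicated account if that ever changes.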
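Review bot: The tunnel token is passed on the command line as `--token $(CF_MANAGED_TUNNEL_TOKEN)`, so after expansion it is visible in `/proc/<pid>/cmdline` to any process in the pod, to `ps` on the node and to anything that can exec into the container, whereas cloudflared reads the same value from the `TUNNEL_TOKEN` environment variable. Rename the env entry to `name: TUNNEL_TOKEN` and delete the trailing `--token` / `$(CF_MANAGED_TUNNEL_TOKEN)` args so the secret never leaves the environment. `--metrics 0.0.0.0:20241` also exposes the unauthenticated metrics/ready endpoint on the pod network, which is acceptable only if that port is not routed externally.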
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-synapse-cloudflared.yaml b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-synapse-cloudflared.yaml new file mode 100644 index 000000000..28f47c1f6 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-synapse-cloudflared.yaml @@ -0,0 +1,60 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix-synapse-synapse-cloudflared + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: synapse-cloudflared + app.kubernetes.io/version: 2026.5.0 + helm.sh/chart: cloudflared-synapse-3.3.0 + namespace: matrix-synapse +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: main + app.kubernetes.io/name: synapse-cloudflared + app.kubernetes.io/instance: matrix-synapse + template: + metadata: + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: synapse-cloudflared + spec: + enableServiceLinks: false + serviceAccountName: matrix-synapse-synapse-cloudflared + automountServiceAccountToken: false + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - args: + - tunnel + - --protocol + - auto + - --no-autoupdate + - --metrics + - 0.0.0.0:20241 + - run + - --token + - $(CF_MANAGED_TUNNEL_TOKEN) + env: + - name: CF_MANAGED_TUNNEL_TOKEN + valueFrom: + secretKeyRef: + key: cf-tunnel-token + name: matrix-synapse-synapse-cloudflared-secret + image: cloudflare/cloudflared:2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9 + imagePullPolicy: IfNotPresent + name: main + resources: + requests: + cpu: 1m + memory: 20Mi 
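Review bot: Same issue as the hookshot tunnel: `--token $(CF_MANAGED_TUNNEL_TOKEN)` places the expanded tunnel token in the process argument list where it is readable via `/proc/<pid>/cmdline` and `ps`, and this tunnel fronts the homeserver itself. Use `name: TUNNEL_TOKEN` for the env var and drop the two trailing `--token` args, which cloudflared honours natively. Consider a container `securityContext` (`runAsNonRoot: true`, `capabilities.drop: [ALL]`) here too, since none is set.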
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-wellknown-lighttpd.yaml b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-wellknown-lighttpd.yaml new file mode 100644 index 000000000..bd8e402a8 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse-wellknown-lighttpd.yaml @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix-synapse-wellknown-lighttpd + labels: + helm.sh/chart: matrix-synapse-3.12.26 + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "1.152.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: well-known +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/component: well-known + template: + metadata: + annotations: + checksum/config: 30849a37d788a3ff7622f702abf411bd3fc6c93173d49e295bc4d1c61d1529d3 + labels: + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/component: well-known + spec: + securityContext: {} + containers: + - name: lighttpd + image: "ghcr.io/rtsp/docker-lighttpd:1.4.76@sha256:b4b58d217a35dbd6cade82927677de404a46fb3d2b1d5fcb42042b6a6f17b2fb" + imagePullPolicy: Always + securityContext: {} + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + tcpSocket: + port: http + livenessProbe: + httpGet: + path: /server-status + port: http + volumeMounts: + - mountPath: /etc/lighttpd/lighttpd.conf + name: files + subPath: lighttpd.conf + - mountPath: /var/www/localhost/htdocs/client.json + name: files + subPath: client.json + - mountPath: /var/www/localhost/htdocs/server.json + name: files + subPath: server.json + - mountPath: /run + name: run + resources: {} + volumes: + - name: files + configMap: + name: matrix-synapse-wellknown-lighttpd + - name: run + emptyDir: {} 
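Review bot: Both the pod and container `securityContext` are `{}`, and the lighttpd.conf from this commit sets `server.username`/`server.groupname`, which implies lighttpd starts as root and drops privileges itself; on port 8080 it does not need root at any point. Set `runAsNonRoot: true` with `runAsUser`/`runAsGroup` equal to the image's lighttpd uid (not visible here — check the image), plus `readOnlyRootFilesystem: true` (the `/run` emptyDir already covers the pid file) and `capabilities: {drop: [ALL]}`. `resources: {}` also leaves the public-facing pod with no limits, so a request flood can consume the node; a small `limits` block is cheap for a static responder.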
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml new file mode 100644 index 000000000..6dd5be442 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml 
@@ -0,0 +1,204 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix-synapse + labels: + helm.sh/chart: matrix-synapse-3.12.26 + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "1.152.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: synapse +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/component: synapse + template: + metadata: + annotations: + checksum/config: c2bf259e19fc144cd80d708b2110c3cbf03e829dc9dc6fe54d9106401abfd968 + checksum/secrets: d19395a7fdb0715e61f76af36efc576c66dcb74fbd8b78a3078300584cf3af45 + labels: + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/component: synapse + spec: + serviceAccountName: matrix-synapse + securityContext: {} + initContainers: + - name: volume-permissions + command: + - sh + - -c + - | + chown 666:666 -R /synapse/data + image: "alpine:3.23.4@sha256:c7989ac7a27b473e1795973c98d714f62b4dd0b134594d36880505ce0bfd716b" + imagePullPolicy: Always + resources: {} + securityContext: + runAsNonRoot: false + runAsUser: 0 + volumeMounts: + - name: media + mountPath: /synapse/data + containers: + - name: synapse + command: + - sh + - -c + - | + export POSTGRES_PASSWORD=$(echo "${POSTGRES_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ + export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ + cat /synapse/secrets/*.yaml | \ + sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ + -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ + > /synapse/config/conf.d/secrets.yaml + + exec python -B -m synapse.app.homeserver \ + -c /synapse/config/homeserver.yaml \ + -c /synapse/config/conf.d/ + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: matrix-synapse-postgresql-18-cluster-app 
+ key: password + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: matrix-synapse-valkey-config + key: password + image: "ghcr.io/element-hq/synapse:v1.152.1@sha256:ea13612748d2c3cd7d37314e4d2bb3833831e7fe9c1cc2ba2a05a0e51ab78297" + imagePullPolicy: IfNotPresent + securityContext: {} + ports: + - name: http + containerPort: 8008 + protocol: TCP + - name: replication + containerPort: 9093 + protocol: TCP + - name: metrics + containerPort: 9090 + protocol: TCP + livenessProbe: + httpGet: + path: /health + port: http + readinessProbe: + httpGet: + path: /health + port: http + startupProbe: + failureThreshold: 12 + httpGet: + path: /health + port: http + volumeMounts: + - name: config + mountPath: /synapse/config + - name: tmpconf + mountPath: /synapse/config/conf.d + - name: secrets + mountPath: /synapse/secrets + - name: signingkey + mountPath: /synapse/keys + - name: media + mountPath: /synapse/data + - name: tmpdir + mountPath: /tmp + - mountPath: /synapse/config/conf.d/config.yaml + mountPropagation: None + name: synapse-config + readOnly: true + subPath: config.yaml + - mountPath: /synapse/config/conf.d/oidc.yaml + mountPropagation: None + name: oidc-config + readOnly: true + subPath: oidc.yaml + - mountPath: /synapse/config/conf.d/hookshot-registration.yaml + mountPropagation: None + name: hookshot-config + readOnly: true + subPath: hookshot-registration.yaml + - mountPath: /synapse/config/conf.d/mautrix-discord-registration.yaml + mountPropagation: None + name: mautrix-discord-config + readOnly: true + subPath: mautrix-discord-registration.yaml + - mountPath: /synapse/config/conf.d/mautrix-whatsapp-registration.yaml + mountPropagation: None + name: mautrix-whatsapp-config + readOnly: true + subPath: mautrix-whatsapp-registration.yaml + - mountPath: /synapse/config/conf.d/double-puppet-registration.yaml + mountPropagation: None + name: double-puppet-config + readOnly: true + subPath: double-puppet-registration.yaml + resources: + requests: + cpu: 10m 
+ memory: 130Mi + volumes: + - name: config + configMap: + name: matrix-synapse + - name: secrets + secret: + secretName: matrix-synapse + - name: signingkey + secret: + secretName: "matrix-synapse-signing-key" + items: + - key: "signing.key" + path: signing.key + - name: tmpconf + emptyDir: {} + - name: tmpdir + emptyDir: {} + - name: media + persistentVolumeClaim: + claimName: matrix-synapse + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-synapse-config + name: synapse-config + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-synapse-oidc-config + name: oidc-config + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-synapse-hookshot-config + name: hookshot-config + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-synapse-mautrix-discord-config + name: mautrix-discord-config + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-synapse-mautrix-whatsapp-config + name: mautrix-whatsapp-config + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-synapse-double-puppet-config + name: double-puppet-config diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-external.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-external.yaml new file mode 100644 index 000000000..e16afe3e1 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-external.yaml 
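Review bot: The synapse container overrides the image entrypoint with `exec python -B -m synapse.app.homeserver`, bypassing the image's `start.py` (the part that switches to an unprivileged user), and its `securityContext` is `{}`, so unless the image sets a non-root `USER` (not visible here) the internet-facing homeserver runs as root. The init container's `chown 666:666 -R /synapse/data` shows the intended runtime identity is uid/gid 666; set `securityContext: {runAsUser: 666, runAsGroup: 666, runAsNonRoot: true, allowPrivilegeEscalation: false}` on the synapse container, or use `fsGroup: 666` on the pod and drop the root init container entirely. Separately, the `sed` template substitution escapes `/` and `&` in `POSTGRES_PASSWORD`/`REDIS_PASSWORD` but not `\`, so a password containing a backslash is silently mangled in `secrets.yaml` (a failed connection rather than a leak); add `sed 's/\\/\\\\/g'` as the first step of each pipeline, before the other two escapes.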
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-hookshot-backup-secret-external + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-hookshot-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-hookshot-backup-secret-external +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/matrix-hookshot" + data: + - secretKey: ENDPOINT + remoteRef: + key: /backblaze/config + property: ENDPOINT + - secretKey: BUCKET + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: RESTIC_PASSWORD + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_SECRET_ACCESS_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-local.yaml new file mode 100644 index 000000000..b57324eda --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-local.yaml 
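Review bot: `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are all read from the single `/backblaze/home-infra/volsync-backups` entry, and `RESTIC_REPOSITORY` differs from other apps only by the `cl01tl/matrix-synapse/matrix-hookshot` prefix inside a shared bucket, so — if this is the cluster-wide convention, which the diff does not show — every app's backups are encrypted with one passphrase and writable with one key, and a leak from any backup pod exposes all of them. A per-app passphrase is cheap: `property: RESTIC_PASSWORD_MATRIX_HOOKSHOT` (or a per-app OpenBao path). Whether the B2 application key can delete objects is not visible here; if it can, a compromised pod can also destroy the history, so prefer a key without delete or a bucket with object lock.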
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-hookshot-backup-secret-local + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-hookshot-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-hookshot-backup-secret-local +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/matrix-hookshot" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_LOCAL + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_LOCAL + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-remote.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-remote.yaml new file mode 100644 index 000000000..9261ee89a --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-backup-secret-remote.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-hookshot-backup-secret-remote + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-hookshot-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-hookshot-backup-secret-remote +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/matrix-hookshot" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_REMOTE + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_REMOTE + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-external.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-external.yaml new file mode 100644 index 000000000..1f6c92214 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-external.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-backup-secret-external + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-synapse-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse-backup-secret-external +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/matrix-synapse" + data: + - secretKey: ENDPOINT + remoteRef: + key: /backblaze/config + property: ENDPOINT + - secretKey: BUCKET + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: RESTIC_PASSWORD + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_SECRET_ACCESS_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-local.yaml new file mode 100644 index 000000000..475fa57ef --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-local.yaml 
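Review bot: this repository is the backup of the Synapse media PVC (the deployment in this commit mounts the `matrix-synapse` claim as `media`), yet it is written with the same `/backblaze/home-infra/volsync-backups` key that every bridge in the namespace also receives, and that key carries delete rights since restic needs them for `forget --prune`. The media store is the only copy of user uploads, so the off-site copy should survive a compromised workload in this namespace. If the bucket supports Object Lock or a separate delete-restricted application key, use it for this repository in particular, and note the decision in a comment on `RESTIC_REPOSITORY`; the restic password only protects confidentiality, not availability, of the backup.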
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-backup-secret-local + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-synapse-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse-backup-secret-local +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/matrix-synapse" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_LOCAL + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_LOCAL + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-remote.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-remote.yaml new file mode 100644 index 000000000..c23b0d6f8 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-backup-secret-remote.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-backup-secret-remote + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-synapse-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse-backup-secret-remote +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/matrix-synapse" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_REMOTE + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_REMOTE + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-hookshot-cloudflared-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-hookshot-cloudflared-secret.yaml new file mode 100644 index 000000000..2f661ed4b --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-hookshot-cloudflared-secret.yaml 
@@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-hookshot-cloudflared-secret + namespace: matrix-synapse + labels: + helm.sh/chart: cloudflared-hookshot-3.3.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "3.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse-hookshot-cloudflared-secret +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: cf-tunnel-token + remoteRef: + key: /cloudflare/tunnels/matrix-synapse-hookshot + property: token diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-postgresql-18-backup-garage-local-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-postgresql-18-backup-garage-local-secret.yaml new file mode 100644 index 000000000..92d2e5ffd --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-postgresql-18-backup-garage-local-secret.yaml @@ -0,0 +1,29 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-postgresql-18-backup-garage-local-secret + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse-postgresql-18-backup-garage-local-secret + helm.sh/chart: postgres-18-cluster-7.12.1 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "7.12.1" + app.kubernetes.io/managed-by: Helm +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: ACCESS_REGION + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_REGION + - secretKey: ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_KEY_ID + - secretKey: ACCESS_SECRET_KEY + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_SECRET_KEY 
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-postgresql-18-recovery-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-postgresql-18-recovery-secret.yaml new file mode 100644 index 000000000..cd76dcaaa --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-postgresql-18-recovery-secret.yaml @@ -0,0 +1,29 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-postgresql-18-recovery-secret + namespace: matrix-synapse + labels: + helm.sh/chart: postgres-18-cluster-7.12.1 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "7.12.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse-postgresql-18-recovery-secret +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: ACCESS_REGION + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_REGION + - secretKey: ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_KEY_ID + - secretKey: ACCESS_SECRET_KEY + remoteRef: + key: /garage/home-infra/postgres-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signing-key.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signing-key.yaml new file mode 100644 index 000000000..020e567c9 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signing-key.yaml 
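Review bot: the recovery secret pulls the same `ACCESS_KEY_ID`/`ACCESS_SECRET_KEY` from `/garage/home-infra/postgres-backups` as the backup secret in the previous hunk, so the bootstrap path, which only needs to read existing base backups and WAL from the recovery ObjectStore, carries the same write and delete rights over the archive as the WAL archiver. If Garage's per-key bucket permissions allow it, back this ExternalSecret with a read-only key (e.g. `property: ACCESS_KEY_ID_RO` / `property: ACCESS_SECRET_KEY_RO`); otherwise add a comment above `data:` stating that the recovery and archiver credentials are intentionally identical. The two ExternalSecrets differ only in their names, which reads as a copy rather than a deliberately scoped credential.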
@@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-signing-key + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse-signing-key + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: signing.key + remoteRef: + key: /cl01tl/matrix-synapse/key + property: signing-key diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-synapse-cloudflared-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-synapse-cloudflared-secret.yaml new file mode 100644 index 000000000..6de029862 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-synapse-cloudflared-secret.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-synapse-cloudflared-secret + namespace: matrix-synapse + labels: + helm.sh/chart: cloudflared-synapse-3.3.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "3.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse-synapse-cloudflared-secret +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: cf-tunnel-token + remoteRef: + key: /cloudflare/tunnels/matrix-synapse-synapse + property: token diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-config.yaml new file mode 100644 index 000000000..84c1e9db6 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-config.yaml 
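Review bot: the Synapse signing key is synced by ESO at its default refresh interval (no `refreshInterval` is set) and the deployment in this commit mounts it as the file `signing.key`, so editing `signing-key` in OpenBao silently replaces the federation key on disk at the next kubelet sync. Synapse only keeps federation working across a key change when the previous key is carried in `old_signing_keys` in its homeserver config; a bare overwrite makes events signed with the old key fail verification on other servers. Set `refreshInterval: "0"` so the Secret is created once and rotation becomes an explicit, coordinated operation, or document the rotation procedure in a comment above `data:`.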
@@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: matrix-synapse-valkey-config + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse-valkey-config + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: default + remoteRef: + key: /cl01tl/matrix-synapse/valkey + property: password + - secretKey: password + remoteRef: + key: /cl01tl/matrix-synapse/valkey + property: password diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-external.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-external.yaml new file mode 100644 index 000000000..80c30bbcf --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-external.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: mautrix-discord-backup-secret-external + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-discord-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-discord-backup-secret-external +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/mautrix-discord" + data: + - secretKey: ENDPOINT + remoteRef: + key: /backblaze/config + property: ENDPOINT + - secretKey: BUCKET + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: RESTIC_PASSWORD + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_SECRET_ACCESS_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-local.yaml new file mode 100644 index 000000000..91b4b5a82 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-local.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: mautrix-discord-backup-secret-local + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-discord-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-discord-backup-secret-local +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/mautrix-discord" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_LOCAL + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_LOCAL + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-remote.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-remote.yaml new file mode 100644 index 000000000..13f24103d --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-backup-secret-remote.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: mautrix-discord-backup-secret-remote + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-discord-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-discord-backup-secret-remote +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/mautrix-discord" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_REMOTE + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_REMOTE + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-external.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-external.yaml new file mode 100644 index 000000000..19a44947a --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-external.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: mautrix-whatsapp-backup-secret-external + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-whatsapp-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-whatsapp-backup-secret-external +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/mautrix-whatsapp" + data: + - secretKey: ENDPOINT + remoteRef: + key: /backblaze/config + property: ENDPOINT + - secretKey: BUCKET + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: RESTIC_PASSWORD + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /backblaze/home-infra/volsync-backups + property: AWS_SECRET_ACCESS_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-local.yaml new file mode 100644 index 000000000..5269c165d --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-local.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: mautrix-whatsapp-backup-secret-local + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-whatsapp-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-whatsapp-backup-secret-local +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/mautrix-whatsapp" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_LOCAL + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_LOCAL + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-remote.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-remote.yaml new file mode 100644 index 000000000..74129ff90 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-backup-secret-remote.yaml 
@@ -0,0 +1,47 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: mautrix-whatsapp-backup-secret-remote + namespace: matrix-synapse + labels: + helm.sh/chart: volsync-target-whatsapp-2.0.0 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-whatsapp-backup-secret-remote +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + RESTIC_REPOSITORY: "s3:{{ .ENDPOINT }}/{{ .BUCKET }}/cl01tl/matrix-synapse/mautrix-whatsapp" + data: + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_REMOTE + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/volsync-backups + property: BUCKET + - secretKey: RESTIC_PASSWORD + remoteRef: + key: /garage/home-infra/volsync-backups + property: RESTIC_PASSWORD_REMOTE + - secretKey: AWS_DEFAULT_REGION + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_REGION + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/volsync-backups + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/matrix-synapse/ObjectStore-matrix-synapse-postgresql-18-backup-garage-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ObjectStore-matrix-synapse-postgresql-18-backup-garage-local.yaml new file mode 100644 index 000000000..46f3e5215 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ObjectStore-matrix-synapse-postgresql-18-backup-garage-local.yaml 
@@ -0,0 +1,33 @@ +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: matrix-synapse-postgresql-18-backup-garage-local + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse-postgresql-18-backup-garage-local + helm.sh/chart: postgres-18-cluster-7.12.1 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "7.12.1" + app.kubernetes.io/managed-by: Helm +spec: + retentionPolicy: 7d + instanceSidecarConfiguration: + env: + - name: AWS_REQUEST_CHECKSUM_CALCULATION + value: when_required + - name: AWS_RESPONSE_CHECKSUM_VALIDATION + value: when_required + configuration: + destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-18-cluster + endpointURL: http://garage-main.garage:3900 + s3Credentials: + accessKeyId: + name: matrix-synapse-postgresql-18-backup-garage-local-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: matrix-synapse-postgresql-18-backup-garage-local-secret + key: ACCESS_SECRET_KEY + region: + name: matrix-synapse-postgresql-18-backup-garage-local-secret + key: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/matrix-synapse/ObjectStore-matrix-synapse-postgresql-18-recovery.yaml b/clusters/cl01tl/manifests/matrix-synapse/ObjectStore-matrix-synapse-postgresql-18-recovery.yaml new file mode 100644 index 000000000..97598ddbd --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ObjectStore-matrix-synapse-postgresql-18-recovery.yaml 
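Review bot: `endpointURL: http://garage-main.garage:3900` ships the cluster's base backups and WAL stream, i.e. the whole Synapse database including access tokens and message content, over plaintext HTTP, and the two `AWS_*_CHECKSUM_*: when_required` overrides additionally switch off the SDK's default end-to-end checksums, so neither confidentiality nor integrity is protected on the wire unless the CNI encrypts pod traffic (not visible here). No `encryption:` is configured on the store either, and barman's options are server-side (`AES256`/`aws:kms`), which a Garage deployment may not honour. Terminate TLS on Garage and use `https://`, and leave a comment above `instanceSidecarConfiguration` such as `# checksum overrides are a Garage compatibility workaround; do not copy to AWS-backed stores` so the weakening is not propagated to stores that do support checksums.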
@@ -0,0 +1,32 @@ +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: "matrix-synapse-postgresql-18-recovery" + namespace: matrix-synapse + labels: + helm.sh/chart: postgres-18-cluster-7.12.1 + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse + app.kubernetes.io/version: "7.12.1" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "matrix-synapse-postgresql-18-recovery" +spec: + configuration: + destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-18-cluster + endpointURL: http://garage-main.garage:3900 + wal: + compression: snappy + maxParallel: 1 + data: + compression: snappy + jobs: 1 + s3Credentials: + accessKeyId: + name: matrix-synapse-postgresql-18-recovery-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: matrix-synapse-postgresql-18-recovery-secret + key: ACCESS_SECRET_KEY + region: + name: matrix-synapse-postgresql-18-recovery-secret + key: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-matrix-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-matrix-hookshot.yaml new file mode 100644 index 000000000..f1c355162 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-matrix-hookshot.yaml @@ -0,0 +1,17 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: matrix-hookshot + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-hookshot + helm.sh/chart: matrix-hookshot-5.0.1 + namespace: matrix-synapse +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "500Mi" + storageClassName: "ceph-block" diff --git a/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-matrix-synapse.yaml new file mode 100644 index 000000000..d037f9732 --- /dev/null 
+++ b/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-matrix-synapse.yaml @@ -0,0 +1,17 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: matrix-synapse + labels: + helm.sh/chart: matrix-synapse-3.12.26 + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "1.152.0" + app.kubernetes.io/managed-by: Helm +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "10Gi" + storageClassName: "ceph-block" diff --git a/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-mautrix-discord.yaml b/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-mautrix-discord.yaml new file mode 100644 index 000000000..5ba8f8187 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-mautrix-discord.yaml @@ -0,0 +1,17 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: mautrix-discord + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-discord + helm.sh/chart: mautrix-discord-5.0.1 + namespace: matrix-synapse +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "500Mi" + storageClassName: "ceph-block" diff --git a/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-mautrix-whatsapp.yaml b/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-mautrix-whatsapp.yaml new file mode 100644 index 000000000..2bd7422cc --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/PersistentVolumeClaim-mautrix-whatsapp.yaml 
@@ -0,0 +1,17 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: mautrix-whatsapp + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-whatsapp + helm.sh/chart: mautrix-whatsapp-5.0.1 + namespace: matrix-synapse +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "500Mi" + storageClassName: "ceph-block" diff --git a/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-test-connection.yaml b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-test-connection.yaml new file mode 100644 index 000000000..e28b11926 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-test-connection.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "matrix-synapse-test-connection" + labels: + helm.sh/chart: matrix-synapse-3.12.26 + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "1.152.0" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['matrix-synapse:8008/_matrix/client/versions'] + restartPolicy: Never diff --git a/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml new file mode 100644 index 000000000..6d5a0ebf4 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml 
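Review bot: the helm test pod uses `image: busybox` with no tag or digest, so it pulls whatever `latest` resolves to at test time, unlike the valkey test pod in this commit which pins `valkey:9.0.4@sha256:…`. Pin it the same way (`image: docker.io/library/busybox:<tag>@sha256:<digest>`) so the image that talks to `matrix-synapse:8008` is the one that was reviewed. It is also worth adding the same `helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded` annotation so a completed test pod is not left behind in the namespace.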
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: matrix-synapse-valkey-test-auth-existing
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test-auth
+ image: "docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193"
+ command:
+ - sh
+ - -c
+ - |
+ set -e
+ echo "Testing authentication with usersExistingSecret..."
+ TLS_FLAGS=""
+
+ # Test basic connection (no auth - will fail if auth is properly configured)
+ PING_RESULT=$(valkey-cli -h matrix-synapse-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
+ if [ "$PING_RESULT" = "PONG" ]; then
+ echo "✗ Authentication test failed: server allows unauthenticated access"
+ exit 1
+ fi
+
+ echo "✓ Authentication is enforced (unauthenticated access denied)"
+ echo "✓ Received expected error: $PING_RESULT"
+ echo "⚠ Manual verification recommended for usersExistingSecret configuration"
+ exit 0
+ volumeMounts:
+ - name: valkey-users-secret
+ mountPath: /valkey-users-secret
+ readOnly: true
+ volumes:
+ - name: valkey-users-secret
+ secret:
+ secretName: matrix-synapse-valkey-config
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey-hookshot.yaml
new file mode 100644
index 000000000..85aa3abb7
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey-hookshot.yaml
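Review bot: The auth test in Pod-matrix-synapse-valkey-test-auth-existing treats any reply other than `PONG` as proof that authentication is enforced, so a DNS failure, a refused connection or a server that is simply down all print "Authentication is enforced" and exit 0 — the `|| true` on the `valkey-cli` line folds those errors into `$PING_RESULT`. The script should only pass on the server's actual authentication rejection (`NOAUTH Authentication required.`) and fail on anything else, as in the rewrite below. The pod also mounts Secret `matrix-synapse-valkey-config` at `/valkey-users-secret` but the script never reads that path, so the credentials are exposed to a throwaway hook pod for no benefit; either drop the mount or use it to verify that an authenticated PING succeeds.
```yaml
      - |
        set -e
        # … unchanged: banner echo, TLS_FLAGS …
        PING_RESULT=$(valkey-cli -h matrix-synapse-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
        case "$PING_RESULT" in
          PONG)
            echo "✗ Authentication test failed: server allows unauthenticated access"
            exit 1
            ;;
          *NOAUTH*)
            echo "✓ Authentication is enforced (unauthenticated access denied)"
            echo "✓ Received expected error: $PING_RESULT"
            ;;
          *)
            echo "✗ Unexpected reply (server unreachable or misconfigured?): $PING_RESULT"
            exit 1
            ;;
        esac
        # … unchanged: manual-verification notice, exit 0 …
```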
@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: matrix-synapse-valkey-hookshot
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: podmonitor
+spec:
+ podMetricsEndpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - matrix-synapse
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey.yaml
new file mode 100644
index 000000000..d42b4752f
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey.yaml
@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: matrix-synapse-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: podmonitor
+spec:
+ podMetricsEndpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - matrix-synapse
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-hookshot-backup-source-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-hookshot-backup-source-local.yaml
new file mode 100644
index 000000000..dc171a1f2
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-hookshot-backup-source-local.yaml
@@ -0,0 +1,30 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: matrix-hookshot-backup-source-local
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-hookshot-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-hookshot-backup-source-local
+spec:
+ groups:
+ - name: volsync.alerts
+ rules:
+ - alert: VolSyncBackupPodFailed
+ expr: |
+ (kube_pod_container_status_last_terminated_exitcode > 0)
+ * on(pod, namespace) group_left(owner_name)
+ kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}
+ for: 1m
+ labels:
+ severity: critical
+ annotations:
+ summary: "VolSync Backup Pod failed in {{ $labels.namespace }}"
+ description: |
+ A pod for the VolSync backup of PVC 'matrix-hookshot' failed with exit code {{ $value }}.
+ Job: {{ $labels.owner_name }}
+ Namespace: {{ $labels.namespace }}
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-backup-source-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-backup-source-local.yaml
new file mode 100644
index 000000000..4a3ec7d66
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-backup-source-local.yaml
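Review bot: The VolSyncBackupPodFailed expression is scoped neither to this namespace nor to this ReplicationSource: `kube_pod_container_status_last_terminated_exitcode > 0` joined with `kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}` fires for any failed VolSync mover pod in any namespace, yet the description asserts the failure belongs to PVC 'matrix-hookshot'. The identical rule in PrometheusRule-matrix-synapse-backup-source-local.yaml, PrometheusRule-mautrix-discord-backup-source-local.yaml and PrometheusRule-mautrix-whatsapp-backup-source-local.yaml has the same shape, so a single failed job produces four critical alerts, each naming a different PVC. Add `namespace="matrix-synapse"` to both selectors and narrow `owner_name` to this source's mover job (VolSync derives the Job name from the ReplicationSource name, so something like `owner_name=~"volsync-src-matrix-hookshot-backup-source-local.*"` — verify against the live Job name). If the broad match is intentional so that the external and remote sources, which have no rule of their own, are also covered, keep the wider `owner_name` but still pin the namespace and make the description generic.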
@@ -0,0 +1,30 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: matrix-synapse-backup-source-local
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-synapse-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-synapse-backup-source-local
+spec:
+ groups:
+ - name: volsync.alerts
+ rules:
+ - alert: VolSyncBackupPodFailed
+ expr: |
+ (kube_pod_container_status_last_terminated_exitcode > 0)
+ * on(pod, namespace) group_left(owner_name)
+ kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}
+ for: 1m
+ labels:
+ severity: critical
+ annotations:
+ summary: "VolSync Backup Pod failed in {{ $labels.namespace }}"
+ description: |
+ A pod for the VolSync backup of PVC 'matrix-synapse' failed with exit code {{ $value }}.
+ Job: {{ $labels.owner_name }}
+ Namespace: {{ $labels.namespace }}
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-postgresql-18-alert-rules.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-postgresql-18-alert-rules.yaml
new file mode 100644
index 000000000..8d8d94b7f
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-postgresql-18-alert-rules.yaml
@@ -0,0 +1,270 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: matrix-synapse-postgresql-18-alert-rules
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-synapse-postgresql-18-alert-rules
+ helm.sh/chart: postgres-18-cluster-7.12.1
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "7.12.1"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ groups:
+ - name: cloudnative-pg/matrix-synapse-postgresql-18
+ rules:
+ - alert: CNPGClusterBackendsWaitingWarning
+ annotations:
+ summary: CNPG Cluster a backend is waiting for longer than 5 minutes.
+ description: |-
+ Pod {{ $labels.pod }}
+ has been waiting for longer than 5 minutes
+ expr: |
+ cnpg_backends_waiting_total{namespace="matrix-synapse"} > 300
+ for: 1m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterDatabaseDeadlockConflictsWarning
+ annotations:
+ summary: CNPG Cluster has over 10 deadlock conflicts.
+ description: |-
+ There are over 10 deadlock conflicts in
+ {{ $labels.pod }}
+ expr: |
+ cnpg_pg_stat_database_deadlocks{namespace="matrix-synapse"} > 10
+ for: 1m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterHACritical
+ annotations:
+ summary: CNPG Cluster has no standby replicas!
+ description: |-
+ CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe
+ risk of data loss and downtime if the primary instance fails.
+
+ The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint
+ will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main.
+
+ This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less
+ instances.
The replaced instance may need some time to catch-up with the cluster primary instance.
+
+ This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this
+ case you may want to silence it.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md
+ expr: |
+ max by (job) (cnpg_pg_replication_streaming_replicas{namespace="matrix-synapse"} - cnpg_pg_replication_is_wal_receiver_up{namespace="matrix-synapse"}) < 1
+ for: 5m
+ labels:
+ severity: critical
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterHAWarning
+ annotations:
+ summary: CNPG Cluster less than 2 standby replicas.
+ description: |-
+ CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting
+ your cluster at risk if another instance fails. The cluster is still able to operate normally, although
+ the `-ro` and `-r` endpoints operate at reduced capacity.
+
+ This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may
+ need some time to catch-up with the cluster primary instance.
+
+ This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances.
+ In this case you may want to silence it.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md
+ expr: |
+ max by (job) (cnpg_pg_replication_streaming_replicas{namespace="matrix-synapse"} - cnpg_pg_replication_is_wal_receiver_up{namespace="matrix-synapse"}) < 2
+ for: 5m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterHighConnectionsCritical
+ annotations:
+ summary: CNPG Instance maximum number of connections critical!
+ description: |-
+ CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of
+ the maximum number of connections.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md
+ expr: |
+ sum by (pod) (cnpg_backends_total{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 95
+ for: 5m
+ labels:
+ severity: critical
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterHighConnectionsWarning
+ annotations:
+ summary: CNPG Instance is approaching the maximum number of connections.
+ description: |-
+ CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of
+ the maximum number of connections.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md
+ expr: |
+ sum by (pod) (cnpg_backends_total{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 80
+ for: 5m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterHighReplicationLag
+ annotations:
+ summary: CNPG Cluster high replication lag
+ description: |-
+ CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-18-cluster" is experiencing a high replication lag of
+ {{`{{`}} $value {{`}}`}}ms.
+
+ High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md
+ expr: |
+ max(cnpg_pg_replication_lag{namespace="matrix-synapse",pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}) * 1000 > 1000
+ for: 5m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterInstancesOnSameNode
+ annotations:
+ summary: CNPG Cluster instances are located on the same node.
+ description: |-
+ CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-18-cluster" has {{`{{`}} $value {{`}}`}}
+ instances on the same node {{`{{`}} $labels.node {{`}}`}}.
+
+ A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md
+ expr: |
+ count by (node) (kube_pod_info{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}) > 1
+ for: 5m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterLongRunningTransactionWarning
+ annotations:
+ summary: CNPG Cluster query is taking longer than 5 minutes.
+ description: |-
+ CloudNativePG Cluster Pod {{ $labels.pod }}
+ is taking more than 5 minutes (300 seconds) for a query.
+ expr: |-
+ cnpg_backends_max_tx_duration_seconds{namespace="matrix-synapse"} > 300
+ for: 1m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterLowDiskSpaceCritical
+ annotations:
+ summary: CNPG Instance is running out of disk space!
+ description: |-
+ CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-18-cluster" is running extremely low on disk space. Check attached PVCs!
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md
+ expr: |
+ max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.9 OR
+ max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR
+ max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"})
+ /
+ sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"})
+ *
+ on(namespace, persistentvolumeclaim) group_left(volume)
+ kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}
+ ) > 0.9
+ for: 5m
+ labels:
+ severity: critical
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterLowDiskSpaceWarning
+ annotations:
+ summary: CNPG Instance is running out of disk space.
+ description: |-
+ CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-18-cluster" is running low on disk space. Check attached PVCs.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md
+ expr: |
+ max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.7 OR
+ max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR
+ max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"})
+ /
+ sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"})
+ *
+ on(namespace, persistentvolumeclaim) group_left(volume)
+ kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}
+ ) > 0.7
+ for: 5m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterOffline
+ annotations:
+ summary: CNPG Cluster has no running instances!
+ description: |-
+ CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-18-cluster" has no ready instances.
+
+ Having an offline cluster means your applications will not be able to access the database, leading to
+ potential service disruption and/or data loss.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md
+ expr: |
+ (count(cnpg_collector_up{namespace="matrix-synapse",pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0
+ for: 5m
+ labels:
+ severity: critical
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterPGDatabaseXidAgeWarning
+ annotations:
+ summary: CNPG Cluster has a number of transactions from the frozen XID to the current one.
+ description: |-
+ Over 300,000,000 transactions from frozen xid
+ on pod {{ $labels.pod }}
+ expr: |
+ cnpg_pg_database_xid_age{namespace="matrix-synapse"} > 300000000
+ for: 1m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterPGReplicationWarning
+ annotations:
+ summary: CNPG Cluster standby is lagging behind the primary.
+ description: |-
+ Standby is lagging behind by over 300 seconds (5 minutes)
+ expr: |
+ cnpg_pg_replication_lag{namespace="matrix-synapse"} > 300
+ for: 1m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterReplicaFailingReplicationWarning
+ annotations:
+ summary: CNPG Cluster has a replica is failing to replicate.
+ description: |-
+ Replica {{ $labels.pod }}
+ is failing to replicate
+ expr: |
+ cnpg_pg_replication_in_recovery{namespace="matrix-synapse"} > cnpg_pg_replication_is_wal_receiver_up{namespace="matrix-synapse"}
+ for: 1m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
+ - alert: CNPGClusterZoneSpreadWarning
+ annotations:
+ summary: CNPG Cluster instances in the same zone.
+ description: |-
+ CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-18-cluster" has instances in the same availability zone.
+
+ A disaster in one availability zone will lead to a potential service disruption and/or data loss.
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md
+ expr: |
+ 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3
+ for: 5m
+ labels:
+ severity: warning
+ namespace: matrix-synapse
+ cnpg_cluster: matrix-synapse-postgresql-18-cluster
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey-hookshot.yaml
new file mode 100644
index 000000000..38834efff
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey-hookshot.yaml
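Review bot: In CNPGClusterLowDiskSpaceCritical and CNPGClusterLowDiskSpaceWarning the second and third clauses can never match: the selectors `persistentvolumeclaim=~"matrix-synapse-postgresql-18-cluster-([1-9][0-9]*)$-wal"` and the `...$-tbs.*` variant place the end anchor `$` before the `-wal`/`-tbs` suffix, and Prometheus's RE2 matching is fully anchored with no multiline mode, so `$` followed by further characters matches nothing. Only the data PVC is therefore watched, and a WAL volume filling up — the classic way a Postgres cluster stops accepting writes — raises no alert; the anchor belongs at the end, e.g. `...-([1-9][0-9]*)-wal$` and `...-([1-9][0-9]*)-tbs.*$`. Separately, several descriptions in this hunk still carry Helm's escaped template syntax (`{{`{{`}} $labels.job {{`}}`}}` in CNPGClusterHACritical, `{{`{{`}} $value {{`}}`}}%` in the connection alerts) while CNPGClusterBackendsWaitingWarning was rendered to a plain `{{ $labels.pod }}`; Prometheus templates annotations with Go text/template, where the backtick form prints the literal text `{{ $labels.job }}` rather than the value, so the fired alert will not name the affected job or amount. Both problems come from the rule text the chart emits, so unless a further templating pass runs before these manifests are applied, the fix belongs in the chart source rather than in this rendered file.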
@@ -0,0 +1,47 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: matrix-synapse-valkey-hookshot
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+spec:
+ groups:
+ - name: matrix-synapse-valkey-hookshot
+ rules:
+ - alert: ValkeyDown
+ annotations:
+ description: Valkey instance {{ $labels.instance }} is down.
+ summary: Valkey instance {{ $labels.instance }} down
+ expr: |
+ redis_up{service="matrix-synapse-valkey-hookshot-metrics"} == 0
+ for: 2m
+ labels:
+ severity: error
+ - alert: ValkeyMemoryHigh
+ annotations:
+ description: |
+ Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
+ summary: Valkey instance {{ $labels.instance }} is using too much memory
+ expr: |
+ redis_memory_used_bytes{service="matrix-synapse-valkey-hookshot-metrics"} * 100
+ /
+ redis_memory_max_bytes{service="matrix-synapse-valkey-hookshot-metrics"}
+ > 90 <= 100
+ for: 2m
+ labels:
+ severity: error
+ - alert: ValkeyKeyEviction
+ annotations:
+ description: |
+ Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
+ summary: Valkey instance {{ $labels.instance }} has evicted keys
+ expr: |
+ increase(redis_evicted_keys_total{service="matrix-synapse-valkey-hookshot-metrics"}[5m]) > 0
+ for: 1s
+ labels:
+ severity: error
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey.yaml
new file mode 100644
index 000000000..ef1957392
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey.yaml
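Review bot: Every expression in this rule selects on a `service` label (`redis_up{service="matrix-synapse-valkey-hookshot-metrics"}`), but the only scrape configuration for these pods visible in the change is PodMonitor-matrix-synapse-valkey-hookshot.yaml, and PodMonitor targets carry `namespace`/`pod`/`container`/`job` labels — the `service` label is something a ServiceMonitor adds. If no ServiceMonitor exists elsewhere, the selector matches no series, ValkeyDown can never fire, and the gap is silent because an empty result is indistinguishable from "all healthy"; either select on the labels the PodMonitor does produce (`namespace="matrix-synapse", pod=~"<valkey-hookshot pod prefix>.*"`, placeholder) or add a ServiceMonitor, and confirm the series exists after deploy. The same applies to PrometheusRule-matrix-synapse-valkey.yaml. These rules also use `severity: error` while every other rule in the change uses `warning`/`critical`, so an Alertmanager route keyed on those two values may not pick them up.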
@@ -0,0 +1,47 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: matrix-synapse-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+spec:
+ groups:
+ - name: matrix-synapse-valkey
+ rules:
+ - alert: ValkeyDown
+ annotations:
+ description: Valkey instance {{ $labels.instance }} is down.
+ summary: Valkey instance {{ $labels.instance }} down
+ expr: |
+ redis_up{service="matrix-synapse-valkey-metrics"} == 0
+ for: 2m
+ labels:
+ severity: error
+ - alert: ValkeyMemoryHigh
+ annotations:
+ description: |
+ Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
+ summary: Valkey instance {{ $labels.instance }} is using too much memory
+ expr: |
+ redis_memory_used_bytes{service="matrix-synapse-valkey-metrics"} * 100
+ /
+ redis_memory_max_bytes{service="matrix-synapse-valkey-metrics"}
+ > 90 <= 100
+ for: 2m
+ labels:
+ severity: error
+ - alert: ValkeyKeyEviction
+ annotations:
+ description: |
+ Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
+ summary: Valkey instance {{ $labels.instance }} has evicted keys
+ expr: |
+ increase(redis_evicted_keys_total{service="matrix-synapse-valkey-metrics"}[5m]) > 0
+ for: 1s
+ labels:
+ severity: error
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-mautrix-discord-backup-source-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-mautrix-discord-backup-source-local.yaml
new file mode 100644
index 000000000..fcf52b146
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-mautrix-discord-backup-source-local.yaml
@@ -0,0 +1,30 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: mautrix-discord-backup-source-local
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-discord-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mautrix-discord-backup-source-local
+spec:
+ groups:
+ - name: volsync.alerts
+ rules:
+ - alert: VolSyncBackupPodFailed
+ expr: |
+ (kube_pod_container_status_last_terminated_exitcode > 0)
+ * on(pod, namespace) group_left(owner_name)
+ kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}
+ for: 1m
+ labels:
+ severity: critical
+ annotations:
+ summary: "VolSync Backup Pod failed in {{ $labels.namespace }}"
+ description: |
+ A pod for the VolSync backup of PVC 'mautrix-discord' failed with exit code {{ $value }}.
+ Job: {{ $labels.owner_name }}
+ Namespace: {{ $labels.namespace }}
diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-mautrix-whatsapp-backup-source-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-mautrix-whatsapp-backup-source-local.yaml
new file mode 100644
index 000000000..485aa35c7
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-mautrix-whatsapp-backup-source-local.yaml
@@ -0,0 +1,30 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: mautrix-whatsapp-backup-source-local
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-whatsapp-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mautrix-whatsapp-backup-source-local
+spec:
+ groups:
+ - name: volsync.alerts
+ rules:
+ - alert: VolSyncBackupPodFailed
+ expr: |
+ (kube_pod_container_status_last_terminated_exitcode > 0)
+ * on(pod, namespace) group_left(owner_name)
+ kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}
+ for: 1m
+ labels:
+ severity: critical
+ annotations:
+ summary: "VolSync Backup Pod failed in {{ $labels.namespace }}"
+ description: |
+ A pod for the VolSync backup of PVC 'mautrix-whatsapp' failed with exit code {{ $value }}.
+ Job: {{ $labels.owner_name }}
+ Namespace: {{ $labels.namespace }}
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-external.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-external.yaml
new file mode 100644
index 000000000..3aa28b946
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-external.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: matrix-hookshot-backup-source-external
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-hookshot-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-hookshot-backup
+spec:
+ sourcePVC: matrix-hookshot
+ trigger:
+ schedule: 35 9 * * 2
+ restic:
+ pruneIntervalDays: 35
+ repository: matrix-hookshot-backup-secret-external
+ retain:
+ daily: 0
+ hourly: 0
+ monthly: 0
+ weekly: 12
+ yearly: 0
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-local.yaml
new file mode 100644
index 000000000..1627d190d
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-local.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: matrix-hookshot-backup-source-local
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-hookshot-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-hookshot-backup-source-local
+spec:
+ sourcePVC: matrix-hookshot
+ trigger:
+ schedule: 35 8 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: matrix-hookshot-backup-secret-local
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 0
+ weekly: 4
+ yearly: 0
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-remote.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-remote.yaml
new file mode 100644
index 000000000..bac119464
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-hookshot-backup-source-remote.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: matrix-hookshot-backup-source-remote
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-hookshot-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-hookshot-backup
+spec:
+ sourcePVC: matrix-hookshot
+ trigger:
+ schedule: 35 10 * * 2
+ restic:
+ pruneIntervalDays: 7
+ repository: matrix-hookshot-backup-secret-remote
+ retain:
+ daily: 0
+ hourly: 0
+ monthly: 0
+ weekly: 12
+ yearly: 0
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-external.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-external.yaml
new file mode 100644
index 000000000..196a8b148
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-external.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: matrix-synapse-backup-source-external
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-synapse-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-synapse-backup
+spec:
+ sourcePVC: matrix-synapse
+ trigger:
+ schedule: 30 10 * * 2
+ restic:
+ pruneIntervalDays: 35
+ repository: matrix-synapse-backup-secret-external
+ retain:
+ daily: 0
+ hourly: 0
+ monthly: 0
+ weekly: 12
+ yearly: 0
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-local.yaml
new file mode 100644
index 000000000..d3dd7e85e
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-local.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: matrix-synapse-backup-source-local
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-synapse-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-synapse-backup-source-local
+spec:
+ sourcePVC: matrix-synapse
+ trigger:
+ schedule: 30 8 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: matrix-synapse-backup-secret-local
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 0
+ weekly: 4
+ yearly: 0
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-remote.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-remote.yaml
new file mode 100644
index 000000000..951056010
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-matrix-synapse-backup-source-remote.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: matrix-synapse-backup-source-remote
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-synapse-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-synapse-backup
+spec:
+ sourcePVC: matrix-synapse
+ trigger:
+ schedule: 30 9 * * 2
+ restic:
+ pruneIntervalDays: 7
+ repository: matrix-synapse-backup-secret-remote
+ retain:
+ daily: 0
+ hourly: 0
+ monthly: 0
+ weekly: 12
+ yearly: 0
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-external.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-external.yaml
new file mode 100644
index 000000000..da90cbf6d
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-external.yaml
@@ -0,0 +1,32 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: mautrix-discord-backup-source-external
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-discord-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mautrix-discord-backup
+spec:
+ sourcePVC: mautrix-discord
+ trigger:
+ schedule: 40 9 * * 2
+ restic:
+ pruneIntervalDays: 35
+ repository: mautrix-discord-backup-secret-external
+ retain:
+ daily: 0
+ hourly: 0
+ monthly: 0
+ weekly: 12
+ yearly: 0
+ moverSecurityContext:
+ runAsGroup: 1337
+ runAsUser: 1337
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-local.yaml
new file mode 100644
index 000000000..3357d263a
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-local.yaml
@@ -0,0 +1,32 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: mautrix-discord-backup-source-local
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-discord-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mautrix-discord-backup-source-local
+spec:
+ sourcePVC: mautrix-discord
+ trigger:
+ schedule: 40 8 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: mautrix-discord-backup-secret-local
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 0
+ weekly: 4
+ yearly: 0
+ moverSecurityContext:
+ runAsGroup: 1337
+ runAsUser: 1337
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-remote.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-remote.yaml
new file mode 100644
index 000000000..38f61eb11
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-discord-backup-source-remote.yaml
@@ -0,0 +1,32 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: mautrix-discord-backup-source-remote
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-discord-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mautrix-discord-backup
+spec:
+ sourcePVC: mautrix-discord
+ trigger:
+ schedule: 40 10 * * 2
+ restic:
+ pruneIntervalDays: 7
+ repository: mautrix-discord-backup-secret-remote
+ retain:
+ daily: 0
+ hourly: 0
+ monthly: 0
+ weekly: 12
+ yearly: 0
+ moverSecurityContext:
+ runAsGroup: 1337
+ runAsUser: 1337
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-external.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-external.yaml
new file mode 100644
index 000000000..934ace4c8
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-external.yaml
@@ -0,0 +1,32 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: mautrix-whatsapp-backup-source-external
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-whatsapp-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mautrix-whatsapp-backup
+spec:
+ sourcePVC: mautrix-whatsapp
+ trigger:
+ schedule: 45 9 * * 2
+ restic:
+ pruneIntervalDays: 35
+ repository: mautrix-whatsapp-backup-secret-external
+ retain:
+ daily: 0
+ hourly: 0
+ monthly: 0
+ weekly: 12
+ yearly: 0
+ moverSecurityContext:
+ runAsGroup: 1337
+ runAsUser: 1337
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-local.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-local.yaml
new file mode 100644
index 000000000..0ce2d7c2b
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-local.yaml
@@ -0,0 +1,32 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: mautrix-whatsapp-backup-source-local
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-whatsapp-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mautrix-whatsapp-backup-source-local
+spec:
+ sourcePVC: mautrix-whatsapp
+ trigger:
+ schedule: 45 8 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: mautrix-whatsapp-backup-secret-local
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 0
+ weekly: 4
+ yearly: 0
+ moverSecurityContext:
+ runAsGroup: 1337
+ runAsUser: 1337
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-remote.yaml b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-remote.yaml
new file mode 100644
index 000000000..4862ec505
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ReplicationSource-mautrix-whatsapp-backup-source-remote.yaml
@@ -0,0 +1,32 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: mautrix-whatsapp-backup-source-remote
+ namespace: matrix-synapse
+ labels:
+ helm.sh/chart: volsync-target-whatsapp-2.0.0
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mautrix-whatsapp-backup
+spec:
+ sourcePVC: mautrix-whatsapp
+ trigger:
+ schedule: 45 10 * * 2
+ restic:
+ pruneIntervalDays: 7
+ repository: mautrix-whatsapp-backup-secret-remote
+ retain:
+ daily: 0
+ hourly: 0
+ monthly: 0
+ weekly: 12
+ yearly: 0
+ moverSecurityContext:
+ runAsGroup: 1337
+ runAsUser: 1337
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ScheduledBackup-matrix-synapse-postgresql-18-scheduled-backup-live-backup.yaml b/clusters/cl01tl/manifests/matrix-synapse/ScheduledBackup-matrix-synapse-postgresql-18-scheduled-backup-live-backup.yaml
new file mode 100644
index 000000000..dcdbedb7e
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ScheduledBackup-matrix-synapse-postgresql-18-scheduled-backup-live-backup.yaml
@@ -0,0 +1,24 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: "matrix-synapse-postgresql-18-scheduled-backup-live-backup"
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: "matrix-synapse-postgresql-18-scheduled-backup-live-backup"
+ helm.sh/chart: postgres-18-cluster-7.12.1
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+ app.kubernetes.io/version: "7.12.1"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ immediate: true
+ suspend: false
+ schedule: "0 0 15 * * *"
+ backupOwnerReference: self
+ cluster:
+ name: matrix-synapse-postgresql-18-cluster
+ method: plugin
+ pluginConfiguration:
+ name: barman-cloud.cloudnative-pg.io
+ parameters:
+ barmanObjectName: "matrix-synapse-postgresql-18-backup-garage-local"
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml
new file mode 100644
index 000000000..d0a11e3f2
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: matrix-synapse
+ labels:
+ helm.sh/chart: matrix-synapse-3.12.26
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "1.152.0"
+ app.kubernetes.io/managed-by: Helm
+stringData:
+ config.yaml: "## Registration ##\n\nregistration_shared_secret: \"default\"\n\n## API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n args:\n user: \"app\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: \"app\"\n host: \"matrix-synapse-postgresql-18-cluster-rw\"\n port: 5432\n sslmode: \"prefer\"\n cp_min: 5\n cp_max: 10\n \n\n## Redis configuration ##\n\nredis:\n enabled: true\n host: \"matrix-synapse-valkey\"\n port: 6379\n password: \"@@REDIS_PASSWORD@@\"\n"
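Review bot: `config.yaml` in the Secret-matrix-synapse hunk ships `registration_shared_secret: \"default\"`, a value known to anyone who has read the chart defaults; if Synapse loads this file, that key authorises account creation through the shared-secret registration endpoint. The `matrix-synapse-config` SecretProviderClass in this commit suggests the effective configuration is mounted from openbao instead, but that is inferred — confirm which file wins for this key, and set the chart value so the rendered Secret does not carry a known secret even as dead configuration. The same string sets `sslmode: \"prefer\"` for the database, which lets the connection fall back to cleartext if TLS negotiation fails; CNPG clusters normally serve TLS on the `-rw` Service, so `verify-full` with the cluster CA would enforce it. As a matter of style, the whole config is one double-quoted scalar with `\n` escapes, and the `@@POSTGRES_PASSWORD@@` / `@@REDIS_PASSWORD@@` placeholders imply a startup substitution step that is not visible here; a `|` block scalar would make the rendered config reviewable line by line in future diffs.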
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-hookshot-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-hookshot-config.yaml
new file mode 100644
index 000000000..1514bf1f6
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-hookshot-config.yaml
@@ -0,0 +1,27 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: matrix-hookshot-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-hookshot-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: config.yml
+ fileName: config.yml
+ secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+ secretKey: config.yml
+ - objectName: registration.yml
+ fileName: registration.yml
+ secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+ secretKey: hookshot-registration.yaml
+ - objectName: passkey.pem
+ fileName: passkey.pem
+ secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+ secretKey: passkey.pem
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-config.yaml
new file mode 100644
index 000000000..b2aee216a
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-config.yaml
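Review bot: `baoAddress: "http://openbao-internal.openbao:8200"` points the CSI provider at a plaintext listener, so every object this class fetches — the hookshot config, its appservice registration and the `passkey.pem` signing key — crosses the cluster network unencrypted; every other SecretProviderClass in this commit uses the same address. Whether that traffic is already protected depends on something outside these manifests (a mesh or CNI-level encryption), so confirm it, or point the provider at a TLS listener and pin the CA. Separately, this class writes `config.yml` and `registration.yml` while the key it reads is `hookshot-registration.yaml` and every other class in the commit uses `.yaml`; aligning the extensions keeps the mounted file names consistent with the key names.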
@@ -0,0 +1,19 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: matrix-synapse-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-synapse-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: config.yaml
+ fileName: config.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/config
+ secretKey: config.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-double-puppet-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-double-puppet-config.yaml
new file mode 100644
index 000000000..b4d580698
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-double-puppet-config.yaml
@@ -0,0 +1,19 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: matrix-synapse-double-puppet-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-synapse-double-puppet-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: double-puppet-registration.yaml
+ fileName: double-puppet-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/double-puppet
+ secretKey: double-puppet-registration.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-hookshot-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-hookshot-config.yaml
new file mode 100644
index 000000000..1067835ff
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-hookshot-config.yaml
@@ -0,0 +1,19 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: matrix-synapse-hookshot-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-synapse-hookshot-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: hookshot-registration.yaml
+ fileName: hookshot-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+ secretKey: hookshot-registration.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-mautrix-discord-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-mautrix-discord-config.yaml
new file mode 100644
index 000000000..fd6d1b177
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-mautrix-discord-config.yaml
@@ -0,0 +1,19 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: matrix-synapse-mautrix-discord-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-synapse-mautrix-discord-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: mautrix-discord-registration.yaml
+ fileName: mautrix-discord-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+ secretKey: mautrix-discord-registration.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-mautrix-whatsapp-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-mautrix-whatsapp-config.yaml
new file mode 100644
index 000000000..efaeedade
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-mautrix-whatsapp-config.yaml
@@ -0,0 +1,19 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: matrix-synapse-mautrix-whatsapp-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-synapse-mautrix-whatsapp-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: mautrix-whatsapp-registration.yaml
+ fileName: mautrix-whatsapp-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+ secretKey: mautrix-whatsapp-registration.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-oidc-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-oidc-config.yaml
new file mode 100644
index 000000000..9693156ec
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-oidc-config.yaml
@@ -0,0 +1,19 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: matrix-synapse-oidc-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-synapse-oidc-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: oidc.yaml
+ fileName: oidc.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/config
+ secretKey: oidc.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-discord-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-discord-config.yaml
new file mode 100644
index 000000000..00260abdc
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-discord-config.yaml
@@ -0,0 +1,23 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: mautrix-discord-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: mautrix-discord-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: config.yaml
+ fileName: config.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+ secretKey: config.yaml
+ - objectName: mautrix-discord-registration.yaml
+ fileName: mautrix-discord-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+ secretKey: mautrix-discord-registration.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-whatsapp-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-whatsapp-config.yaml
new file mode 100644
index 000000000..749160c55
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-whatsapp-config.yaml
@@ -0,0 +1,23 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: mautrix-whatsapp-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: mautrix-whatsapp-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: config.yaml
+ fileName: config.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+ secretKey: config.yaml
+ - objectName: mautrix-whatsapp-registration.yaml
+ fileName: mautrix-whatsapp-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+ secretKey: mautrix-whatsapp-registration.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-hookshot.yaml
new file mode 100644
index 000000000..f0ebe23b5
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-hookshot.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-hookshot
+ labels:
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-hookshot
+ app.kubernetes.io/service: matrix-hookshot
+ helm.sh/chart: matrix-hookshot-5.0.1
+ namespace: matrix-synapse
+spec:
+ type: ClusterIP
+ ports:
+ - port: 9993
+ targetPort: 9993
+ protocol: TCP
+ name: appservice
+ - port: 9001
+ targetPort: 9001
+ protocol: TCP
+ name: metrics
+ - port: 9000
+ targetPort: 9000
+ protocol: TCP
+ name: webhook
+ - port: 9002
+ targetPort: 9002
+ protocol: TCP
+ name: widgets
+ selector:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/name: matrix-hookshot
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-hookshot-cloudflared.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-hookshot-cloudflared.yaml
new file mode 100644
index 000000000..3c499cea1
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-hookshot-cloudflared.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-hookshot-cloudflared
+ labels:
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: hookshot-cloudflared
+ app.kubernetes.io/service: matrix-synapse-hookshot-cloudflared
+ app.kubernetes.io/version: 2026.5.0
+ helm.sh/chart: cloudflared-hookshot-3.3.0
+ namespace: matrix-synapse
+spec:
+ type: ClusterIP
+ ports:
+ - port: 20241
+ targetPort: 20241
+ protocol: TCP
+ name: metrics
+ selector:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/name: hookshot-cloudflared
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-replication.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-replication.yaml
new file mode 100644
index 000000000..e0b60c45e
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-replication.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-replication
+ labels:
+ helm.sh/chart: matrix-synapse-3.12.26
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "1.152.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ type: ClusterIP
+ ports:
+ - port: 9093
+ targetPort: replication
+ protocol: TCP
+ name: replication
+ selector:
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/component: synapse
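Review bot: Service-matrix-synapse-replication publishes Synapse's worker replication listener (`port: 9093`, `targetPort: replication`) as a ClusterIP Service reachable from any pod in the cluster, and Synapse documents that listener as internal-only with no authentication of its own. A NetworkPolicy limiting ingress on 9093 to the synapse worker pods is what normally fences it off, and none is visible in this chunk; confirm one exists elsewhere in the manifests. If the deployment currently runs a single synapse process with no workers, the Service is unused and could be disabled in the chart values instead.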
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-synapse-cloudflared.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-synapse-cloudflared.yaml
new file mode 100644
index 000000000..2315abc0d
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-synapse-cloudflared.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-synapse-cloudflared
+ labels:
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: synapse-cloudflared
+ app.kubernetes.io/service: matrix-synapse-synapse-cloudflared
+ app.kubernetes.io/version: 2026.5.0
+ helm.sh/chart: cloudflared-synapse-3.3.0
+ namespace: matrix-synapse
+spec:
+ type: ClusterIP
+ ports:
+ - port: 20241
+ targetPort: 20241
+ protocol: TCP
+ name: metrics
+ selector:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/name: synapse-cloudflared
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-headless.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-headless.yaml
new file mode 100644
index 000000000..c0d6bad97
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-headless.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-headless
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: headless
+spec:
+ type: ClusterIP
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-headless.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-headless.yaml
new file mode 100644
index 000000000..1f771b9f7
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-headless.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-hookshot-headless
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: headless
+spec:
+ type: ClusterIP
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-metrics.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-metrics.yaml
new file mode 100644
index 000000000..197cbf1f1
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-metrics.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-hookshot-metrics
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/part-of: valkey
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 9121
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
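Review bot: `annotations:` in the valkey-hookshot-metrics Service has no value, so it parses as null rather than an empty mapping; Kubernetes tolerates that, but yamllint's empty-values rule and strict schema validators do not, and it shows the chart emitting the key even when no annotations are configured. The same bare key is in Service-matrix-synapse-valkey-metrics. Either drop the key from the rendered manifest or render it as `annotations: {}`.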
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-read.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-read.yaml
new file mode 100644
index 000000000..3f01c0c1b
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-read.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-hookshot-read
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: read
+spec:
+ type: ClusterIP
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot.yaml
new file mode 100644
index 000000000..eae0a9de4
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-hookshot
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: primary
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6379
+ targetPort: tcp
+ protocol: TCP
+ name: tcp
+ selector:
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-hookshot-0
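Review bot: The primary Service selects on `statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-hookshot-0`, so it is pinned to ordinal 0 regardless of which replica actually holds the primary role, while the `-read` Service above it selects every pod. That is correct for a single-instance Valkey, but if this StatefulSet is ever scaled with replication the pinned selector keeps sending writes to pod 0 after a failover; the same pattern is in Service-matrix-synapse-valkey. Whether the chart sets replicas above one is not visible here, so consider recording the single-replica assumption in the chart values, or switching to a role label that the operator maintains.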
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-metrics.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-metrics.yaml
new file mode 100644
index 000000000..e02396264
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-metrics.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-metrics
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/part-of: valkey
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 9121
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-read.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-read.yaml
new file mode 100644
index 000000000..f0854598b
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-read.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-read
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: read
+spec:
+ type: ClusterIP
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey.yaml
new file mode 100644
index 000000000..16e17bf1a
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.4
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.4"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: primary
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6379
+ targetPort: tcp
+ protocol: TCP
+ name: tcp
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-0
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-wellknown-lighttpd.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-wellknown-lighttpd.yaml
new file mode 100644
index 000000000..4812582da
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-wellknown-lighttpd.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-wellknown-lighttpd
+ labels:
+ helm.sh/chart: matrix-synapse-3.12.26
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "1.152.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: well-known
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/component: well-known
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse.yaml
new file mode 100644
index 000000000..2bd164fab
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse.yaml
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + name: matrix-synapse + labels: + helm.sh/chart: matrix-synapse-3.12.26 + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "1.152.0" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 8008 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/component: synapse + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-mautrix-discord.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-mautrix-discord.yaml new file mode 100644 index 000000000..9e0b89c49 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Service-mautrix-discord.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: mautrix-discord + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-discord + app.kubernetes.io/service: mautrix-discord + helm.sh/chart: mautrix-discord-5.0.1 + namespace: matrix-synapse +spec: + type: ClusterIP + ports: + - port: 29334 + targetPort: 29334 + protocol: TCP + name: http + selector: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: mautrix-discord diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-mautrix-whatsapp.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-mautrix-whatsapp.yaml new file mode 100644 index 000000000..e03c1581d --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Service-mautrix-whatsapp.yaml 
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: mautrix-whatsapp + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-whatsapp + app.kubernetes.io/service: mautrix-whatsapp + helm.sh/chart: mautrix-whatsapp-5.0.1 + namespace: matrix-synapse +spec: + type: ClusterIP + ports: + - port: 29318 + targetPort: 29318 + protocol: TCP + name: http + selector: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: mautrix-whatsapp diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-hookshot.yaml new file mode 100644 index 000000000..88f3225c6 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-hookshot.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: matrix-hookshot + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-hookshot + helm.sh/chart: matrix-hookshot-5.0.1 + namespace: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-hookshot-cloudflared.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-hookshot-cloudflared.yaml new file mode 100644 index 000000000..12363d97e --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-hookshot-cloudflared.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: matrix-synapse-hookshot-cloudflared + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: hookshot-cloudflared + app.kubernetes.io/version: 2026.5.0 + helm.sh/chart: cloudflared-hookshot-3.3.0 + namespace: matrix-synapse 
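Review bot: The `matrix-hookshot` and `matrix-synapse-hookshot-cloudflared` ServiceAccounts do not set `automountServiceAccountToken: false`, while the two Valkey ServiceAccounts in this same change do. Hookshot accepts inbound webhooks and cloudflared terminates a public tunnel, so these are the pods most exposed to untrusted traffic, and neither workload in view has any RBAC binding that would need an API token; unless their Deployments (not in this diff) already disable it at pod level, a projected token is mounted for nothing. Add `automountServiceAccountToken: false` to both ServiceAccounts to match the Valkey ones.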
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-synapse-cloudflared.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-synapse-cloudflared.yaml new file mode 100644 index 000000000..4bbde51d3 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-synapse-cloudflared.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: matrix-synapse-synapse-cloudflared + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: synapse-cloudflared + app.kubernetes.io/version: 2026.5.0 + helm.sh/chart: cloudflared-synapse-3.3.0 + namespace: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey-hookshot.yaml new file mode 100644 index 000000000..9f4dba5fc --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey-hookshot.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: matrix-synapse-valkey-hookshot + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey.yaml new file mode 100644 index 000000000..ea33b797b --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: matrix-synapse-valkey + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse.yaml new file mode 100644 index 000000000..1bec77b93 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: matrix-synapse + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-mautrix-discord.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-mautrix-discord.yaml new file mode 100644 index 000000000..0cf07fc89 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-mautrix-discord.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mautrix-discord + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-discord + helm.sh/chart: mautrix-discord-5.0.1 + namespace: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-mautrix-whatsapp.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-mautrix-whatsapp.yaml new file mode 100644 index 000000000..96cfe870a --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-mautrix-whatsapp.yaml 
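Review bot: The `mautrix-discord` ServiceAccount created here is never used: the `mautrix-discord` StatefulSet later in this diff runs with `serviceAccountName: matrix-synapse`, so the bridge shares Synapse's identity and the dedicated account is dead configuration. The bridge pods do set `automountServiceAccountToken: false`, which limits the blast radius, but the separation the chart intended is lost and any future RBAC granted to `matrix-synapse` silently extends to the bridge. Point the StatefulSet at its own account with `serviceAccountName: mautrix-discord`, and add `automountServiceAccountToken: false` to this ServiceAccount (and to `matrix-synapse`) as the Valkey accounts already do.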
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mautrix-whatsapp + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-whatsapp + helm.sh/chart: mautrix-whatsapp-5.0.1 + namespace: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-hookshot.yaml new file mode 100644 index 000000000..5c8d5f2da --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-hookshot.yaml @@ -0,0 +1,24 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: matrix-hookshot + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-hookshot + helm.sh/chart: matrix-hookshot-5.0.1 + namespace: matrix-synapse +spec: + jobLabel: app.kubernetes.io/name + namespaceSelector: + matchNames: + - matrix-synapse + selector: + matchLabels: + app.kubernetes.io/instance: matrix-hookshot + app.kubernetes.io/name: matrix-hookshot + endpoints: + - interval: 3m + path: /metrics + scrapeTimeout: 1m + targetPort: 9001 diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-hookshot-cloudflared.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-hookshot-cloudflared.yaml new file mode 100644 index 000000000..faf339416 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-hookshot-cloudflared.yaml 
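Review bot: The `matrix-hookshot` ServiceMonitor selects `app.kubernetes.io/instance: matrix-hookshot`, but every other hookshot resource in this change (the ServiceAccount, the cloudflared objects) is labelled `app.kubernetes.io/instance: matrix-synapse`. The hookshot Service itself is not in view; if it carries the same `instance: matrix-synapse` label as the rest of the release, this selector matches nothing and hookshot is silently unscraped with no error surfaced. Change the selector to `app.kubernetes.io/instance: matrix-synapse` unless the Service is deliberately labelled differently.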
@@ -0,0 +1,25 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: matrix-synapse-hookshot-cloudflared + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: hookshot-cloudflared + app.kubernetes.io/version: 2026.5.0 + helm.sh/chart: cloudflared-hookshot-3.3.0 + namespace: matrix-synapse +spec: + jobLabel: app.kubernetes.io/name + namespaceSelector: + matchNames: + - matrix-synapse + selector: + matchLabels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: hookshot-cloudflared + endpoints: + - interval: 30s + path: /metrics + port: metrics + scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-synapse-cloudflared.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-synapse-cloudflared.yaml new file mode 100644 index 000000000..b1c751ba8 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-synapse-cloudflared.yaml @@ -0,0 +1,25 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: matrix-synapse-synapse-cloudflared + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: synapse-cloudflared + app.kubernetes.io/version: 2026.5.0 + helm.sh/chart: cloudflared-synapse-3.3.0 + namespace: matrix-synapse +spec: + jobLabel: app.kubernetes.io/name + namespaceSelector: + matchNames: + - matrix-synapse + selector: + matchLabels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: synapse-cloudflared + endpoints: + - interval: 30s + path: /metrics + port: metrics + scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey-hookshot.yaml new file mode 100644 index 000000000..54c1d5aac --- /dev/null 
+++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey-hookshot.yaml @@ -0,0 +1,24 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: matrix-synapse-valkey-hookshot + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: service-monitor +spec: + endpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - matrix-synapse + selector: + matchLabels: + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/component: metrics diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey.yaml new file mode 100644 index 000000000..25d6ae832 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey.yaml @@ -0,0 +1,24 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: matrix-synapse-valkey + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: service-monitor +spec: + endpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - matrix-synapse + selector: + matchLabels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/component: metrics diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse.yaml new file mode 100644 index 000000000..87cb6306f --- /dev/null 
+++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse.yaml @@ -0,0 +1,19 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: matrix-synapse + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse +spec: + selector: + matchLabels: + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + endpoints: + - targetPort: 9090 + interval: 3m + scrapeTimeout: 1m + path: /_synapse/metrics diff --git a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey-hookshot.yaml new file mode 100644 index 000000000..1b34db342 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey-hookshot.yaml 
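Review bot: The `matrix-synapse` ServiceMonitor selects only on `app.kubernetes.io/name` and `app.kubernetes.io/instance`, which also matches the `matrix-synapse-wellknown-lighttpd` Service from earlier in this diff (same two labels, `component: well-known`). The numeric `targetPort: 9090` should cause the lighttpd endpoints to be dropped at relabel time, so this is probably noise rather than a broken scrape, but it couples the monitor to a port-number accident. Narrow the selector to the synapse pods the way the `matrix-synapse` Service does, by adding `app.kubernetes.io/component: synapse` under `matchLabels`.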
@@ -0,0 +1,133 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: matrix-synapse-valkey-hookshot + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: matrix-synapse-valkey-hookshot-headless + replicas: 3 + podManagementPolicy: OrderedReady + selector: + matchLabels: + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + volumeClaimTemplates: + - metadata: + name: valkey-data + spec: + accessModes: + - ReadWriteOnce + storageClassName: "ceph-block" + resources: + requests: + storage: "1Gi" + template: + metadata: + labels: + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + annotations: + checksum/initconfig: "232b540234890780e685c24799102e7c" + spec: + automountServiceAccountToken: false + serviceAccountName: matrix-synapse-valkey-hookshot + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + initContainers: + - name: matrix-synapse-valkey-hookshot-init + image: docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + command: ["/scripts/init.sh"] + env: + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.labels['apps.kubernetes.io/pod-index'] + volumeMounts: + - name: valkey-data + mountPath: /data + - name: scripts + mountPath: /scripts + containers: + - name: matrix-synapse-valkey-hookshot + image: docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193 + imagePullPolicy: IfNotPresent + command: ["valkey-server"] + args: ["/data/conf/valkey.conf"] + securityContext: 
+ allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + env: + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.labels['apps.kubernetes.io/pod-index'] + - name: VALKEY_LOGLEVEL + value: "notice" + ports: + - name: tcp + containerPort: 6379 + protocol: TCP + startupProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + livenessProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + resources: + requests: + cpu: 10m + memory: 20Mi + volumeMounts: + - name: valkey-data + mountPath: /data + - name: metrics + image: ghcr.io/oliver006/redis_exporter:v1.83.0@sha256:e8c209894d4c0cc55b1259ddd47e0b769ad1ff864b356736ee885462a3b0e48c + imagePullPolicy: "IfNotPresent" + ports: + - name: metrics + containerPort: 9121 + startupProbe: + tcpSocket: + port: metrics + livenessProbe: + tcpSocket: + port: metrics + readinessProbe: + httpGet: + path: / + port: metrics + resources: + requests: + cpu: 1m + memory: 10M + env: + - name: REDIS_ALIAS + value: matrix-synapse-valkey-hookshot + volumes: + - name: scripts + configMap: + name: matrix-synapse-valkey-hookshot-init-scripts + defaultMode: 0555 diff --git a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml new file mode 100644 index 000000000..793340a23 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml 
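Review bot: The `matrix-synapse-valkey-hookshot` StatefulSet runs Valkey with no credentials: unlike `matrix-synapse-valkey` in the same change, it mounts no users secret and no ACL volume, and its exporter needs no `REDIS_PASSWORD`, so 6379 is reachable unauthenticated by any pod that can route to the headless/ClusterIP Service (no NetworkPolicy is in view). Hookshot stores bridge state and encryption-related material in its Redis/Valkey, so at minimum a NetworkPolicy restricting ingress to the hookshot pods, or the same ACL wiring the other StatefulSet uses, is warranted. Separately, the `metrics` exporter container has no `securityContext` while both Valkey containers drop all capabilities and run read-only; the exporter should be hardened the same way. Also note the `valkey-cli ping` probes here would keep passing even if auth were added later, since they run unauthenticated.
```yaml
      - name: metrics
        image: ghcr.io/oliver006/redis_exporter:v1.83.0@sha256:e8c209894d4c0cc55b1259ddd47e0b769ad1ff864b356736ee885462a3b0e48c
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        # … unchanged: ports, probes, resources, env …
```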
@@ -0,0 +1,152 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: matrix-synapse-valkey + labels: + helm.sh/chart: valkey-0.9.4 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.4" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: matrix-synapse-valkey-headless + replicas: 3 + podManagementPolicy: OrderedReady + selector: + matchLabels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + volumeClaimTemplates: + - metadata: + name: valkey-data + spec: + accessModes: + - ReadWriteOnce + storageClassName: "ceph-block" + resources: + requests: + storage: "1Gi" + template: + metadata: + labels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + annotations: + checksum/initconfig: "3301efde7fe4519c9f111852791c234c" + spec: + automountServiceAccountToken: false + serviceAccountName: matrix-synapse-valkey + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + initContainers: + - name: matrix-synapse-valkey-init + image: docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + command: ["/scripts/init.sh"] + env: + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.labels['apps.kubernetes.io/pod-index'] + volumeMounts: + - name: valkey-data + mountPath: /data + - name: scripts + mountPath: /scripts + - name: valkey-acl + mountPath: /etc/valkey + - name: valkey-users-secret + mountPath: /valkey-users-secret + readOnly: true + containers: + - name: matrix-synapse-valkey + image: docker.io/valkey/valkey:9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193 + imagePullPolicy: IfNotPresent + command: 
["valkey-server"] + args: ["/data/conf/valkey.conf"] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + env: + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.labels['apps.kubernetes.io/pod-index'] + - name: VALKEY_LOGLEVEL + value: "notice" + ports: + - name: tcp + containerPort: 6379 + protocol: TCP + startupProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + livenessProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + resources: + requests: + cpu: 10m + memory: 20Mi + volumeMounts: + - name: valkey-data + mountPath: /data + - name: valkey-acl + mountPath: /etc/valkey + - name: metrics + image: ghcr.io/oliver006/redis_exporter:v1.83.0@sha256:e8c209894d4c0cc55b1259ddd47e0b769ad1ff864b356736ee885462a3b0e48c + imagePullPolicy: "IfNotPresent" + ports: + - name: metrics + containerPort: 9121 + startupProbe: + tcpSocket: + port: metrics + livenessProbe: + tcpSocket: + port: metrics + readinessProbe: + httpGet: + path: / + port: metrics + resources: + requests: + cpu: 1m + memory: 10M + env: + - name: REDIS_ALIAS + value: matrix-synapse-valkey + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: matrix-synapse-valkey-config + key: default + volumes: + - name: scripts + configMap: + name: matrix-synapse-valkey-init-scripts + defaultMode: 0555 + - name: valkey-acl + emptyDir: + medium: Memory + - name: valkey-users-secret + secret: + secretName: matrix-synapse-valkey-config + defaultMode: 0400 diff --git a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml new file mode 100644 index 000000000..a1b5e28f3 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml 
@@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: mautrix-discord + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-discord + helm.sh/chart: mautrix-discord-5.0.1 + namespace: matrix-synapse +spec: + revisionHistoryLimit: 3 + replicas: 1 + podManagementPolicy: OrderedReady + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/controller: main + app.kubernetes.io/name: mautrix-discord + app.kubernetes.io/instance: matrix-synapse + serviceName: mautrix-discord + template: + metadata: + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: mautrix-discord + spec: + enableServiceLinks: false + serviceAccountName: matrix-synapse + automountServiceAccountToken: false + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - image: dock.mau.dev/mautrix/discord:v0.7.6@sha256:e4946b0df6a2786c88ed490e0d2692e352f1b79b9ff0e821a33764bd8bd1fffd + name: main + resources: + requests: + cpu: 1m + memory: 40Mi + volumeMounts: + - mountPath: /data + name: data + volumes: + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: mautrix-discord-config + name: config + - name: data + persistentVolumeClaim: + claimName: mautrix-discord diff --git a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml new file mode 100644 index 000000000..052d06e7e --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml 
@@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: mautrix-whatsapp + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mautrix-whatsapp + helm.sh/chart: mautrix-whatsapp-5.0.1 + namespace: matrix-synapse +spec: + revisionHistoryLimit: 3 + replicas: 1 + podManagementPolicy: OrderedReady + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/controller: main + app.kubernetes.io/name: mautrix-whatsapp + app.kubernetes.io/instance: matrix-synapse + serviceName: mautrix-whatsapp + template: + metadata: + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: mautrix-whatsapp + spec: + enableServiceLinks: false + serviceAccountName: matrix-synapse + automountServiceAccountToken: false + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - image: dock.mau.dev/mautrix/whatsapp:v0.2604.0@sha256:9f28c04c746af9fe8e93163489dae0f4191626e2ca02a9302df62afbeefc9eba + name: main + resources: + requests: + cpu: 1m + memory: 40Mi + volumeMounts: + - mountPath: /data + name: data + volumes: + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: mautrix-whatsapp-config + name: config + - name: data + persistentVolumeClaim: + claimName: mautrix-whatsapp