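---
# Source: matrix-synapse/charts/matrix-synapse/templates/secrets.yaml
# Rendered at container start into /synapse/config/conf.d/secrets.yaml by the
# synapse Deployment below, which substitutes the @@…@@ placeholders from env.
apiVersion: v1
kind: Secret
metadata:
  name: matrix-synapse
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
stringData:
  config.yaml: |
    ## Registration ##
    # SECURITY: this value is baked into the rendered manifest in clear text, so it
    # must be treated as disclosed wherever this file has been stored or shared.
    # It allows account creation through the admin registration endpoint
    # regardless of the registration settings in homeserver.yaml. Rotate it and
    # source it from Vault like every other credential in this release instead of
    # hard-coding it in chart values.
    registration_shared_secret: "o61stwMR2ytdK3w9CtrjQJos"
    ## API Configuration ##
    ## Database configuration ##
    database:
      name: "psycopg2"
      args:
        user: "app"
        password: "@@POSTGRES_PASSWORD@@"
        database: "app"
        host: "matrix-synapse-postgresql-17-cluster-rw"
        port: 5432
        # "prefer" silently falls back to a clear-text connection if TLS cannot be
        # negotiated. CloudNativePG serves TLS on the -rw service, so insist on it;
        # move to "verify-full" once the cluster CA secret is mounted into the pod.
        sslmode: "require"
        cp_min: 5
        cp_max: 10
    ## Redis configuration ##
    redis:
      enabled: true
      host: "redis-replication-matrix-synapse-master"
      port: 6379
      password: "@@REDIS_PASSWORD@@"
---
# Source: matrix-synapse/charts/matrix-synapse/templates/configuration.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: matrix-synapse
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
data:
  log.yaml: |
    version: 1
    formatters:
      precise:
        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
    filters:
      context:
        (): synapse.util.logcontext.LoggingContextFilter
        request: ""
    handlers:
      console:
        class: logging.StreamHandler
        formatter: precise
        filters: [context]
        level: INFO
    loggers:
      synapse:
        level: INFO
    root:
      level: INFO
      handlers: [console]
  homeserver.yaml: |
    # NOTE:
    # Secrets are stored in separate configs to better fit K8s concepts
    ## Server ##
    server_name: "alexlebens.dev"
    public_baseurl: "https://matrix.alexlebens.dev"
    pid_file: /homeserver.pid
    web_client: false
    soft_file_limit: 0
    log_config: "/synapse/config/log.yaml"
    report_stats: false
    instance_map:
      main:
        host: matrix-synapse-replication
        port: 9093
    ## Ports ##
    # All three listeners are plain HTTP on every interface. 8008 is fronted by the
    # cloudflared tunnel; 9090 (metrics) and 9093 (replication) are reachable by any
    # pod in the cluster and the replication API has no authentication of its own.
    # No NetworkPolicy is part of this release, so they rely on network isolation
    # that this manifest does not provide; add one before adding workers.
    listeners:
      - port: 8008
        tls: false
        bind_addresses: ["::"]
        type: http
        # Synapse trusts X-Forwarded-For from whoever reaches this ClusterIP port;
        # only the tunnel should, but in-cluster callers can spoof client IPs used
        # for rate limiting and audit logs.
        x_forwarded: true
        resources:
          - names:
              - client
              - federation
            compress: false
      - port: 9090
        tls: false
        bind_addresses: ["::"]
        type: http
        resources:
          - names: [metrics]
            compress: false
      - port: 9093
        tls: false
        bind_addresses: ["::"]
        type: http
        resources:
          - names: [replication]
            compress: false
    ## Files ##
    media_store_path: "/synapse/data/media"
    uploads_path: "/synapse/data/uploads"
    ## Registration ##
    # Registration is open and (below) skips verification. It is only gated by SSO
    # because password auth is disabled; re-enabling password_config without adding
    # registration_requires_token or a captcha turns this into open, unverified
    # sign-up on a federated server.
    enable_registration: true
    ## Metrics ###
    enable_metrics: true
    ## Signing Keys ##
    signing_key_path: "/synapse/keys/signing.key"
    # The trusted servers to download signing keys from.
    # Empty list: no notary servers; remote signing keys are fetched directly from
    # the origin homeserver only.
    trusted_key_servers: []
    ## Workers ##
    ## Extra config ##
    # (duplicate `enable_metrics: true` removed; it was already set under Metrics)
    enable_registration_without_verification: true
    password_config:
      enabled: false
    sso:
      client_whitelist:
        - https://chat.alexlebens.dev/
      update_profile_information: true
---
# Source: matrix-synapse/charts/matrix-synapse/templates/well-known-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: matrix-synapse-wellknown-lighttpd
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
    component: well-known
data:
  lighttpd.conf: |
    server.port = 8080
    # mod_status removed: it exposed /server-status (request statistics and server
    # details) on the same vhost that publishes the public .well-known documents.
    # The liveness probe now fetches /.well-known/matrix/server instead.
    server.modules = (
      "mod_rewrite",
      "mod_accesslog",
      "mod_extforward",
      "mod_setenv"
    )
    include "conf.d/00-mime-types.conf"
    server.username = "lighttpd"
    server.groupname = "lighttpd"
    server.document-root = "/var/www/localhost/htdocs"
    server.pid-file = "/run/lighttpd.pid"
    url.rewrite-once = (
      "^/\.well-known/matrix/client" => "/client.json",
      "^/\.well-known/matrix/server" => "/server.json"
    )
    # Trusts X-Forwarded-For from every peer, so access-log client IPs can be
    # spoofed by anything that reaches this ClusterIP service directly. Acceptable
    # only while the sole caller is the tunnel; narrow to its source range if the
    # logs are ever used for abuse handling.
    extforward.forwarder = ( "all" => "trust")
    # Wildcard CORS is required by the Matrix spec for .well-known discovery.
    setenv.add-response-header = (
      "access-control-allow-headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization",
      "access-control-allow-methods" => "GET, POST, PUT, DELETE, OPTIONS",
      "access-control-allow-origin" => "*"
    )
    setenv.set-response-header = ( "content-type" => "application/json" )
  server.json: |-
    {"m.server":"matrix.alexlebens.dev:443"}
  client.json: |-
    {"m.homeserver":{"base_url":"https://matrix.alexlebens.dev"}}
---
# Source: matrix-synapse/charts/matrix-synapse/templates/pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: matrix-synapse
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "10Gi"
  storageClassName: "ceph-block"
---
# Source: matrix-synapse/charts/matrix-hookshot/templates/common.yaml
# NOTE(review): the hookshot chart labels itself app.kubernetes.io/name=matrix-synapse
# and instance=matrix-synapse, the same pair the synapse resources use. The
# selectors below still differ (controller=main vs component=synapse), but any
# NetworkPolicy or monitor written against name/instance alone will match both.
apiVersion: v1
kind: Service
metadata:
  name: matrix-hookshot
  labels:
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/service: matrix-hookshot
    helm.sh/chart: matrix-hookshot-4.4.0
  namespace: matrix-synapse
spec:
  type: ClusterIP
  ports:
    - port: 9002
      targetPort: 9002
      protocol: TCP
      name: appservice
    - port: 9993
      targetPort: 9993
      protocol: TCP
      name: homeserver
    - port: 9001
      targetPort: 9001
      protocol: TCP
      name: metrics
    - port: 9000
      targetPort: 9000
      protocol: TCP
      name: webhook
  selector:
    app.kubernetes.io/controller: main
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/name: matrix-synapse
---
# Source: matrix-synapse/charts/matrix-synapse/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: matrix-synapse
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 8008
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/component: synapse
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
---
# Source: matrix-synapse/charts/matrix-synapse/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: matrix-synapse-replication
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 9093
      targetPort: replication
      protocol: TCP
      name: replication
  selector:
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/component: synapse
---
# Source: matrix-synapse/charts/matrix-synapse/templates/well-known.yaml
apiVersion: v1
kind: Service
metadata:
  name: matrix-synapse-wellknown-lighttpd
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: well-known
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/component: well-known
---
# Source: matrix-synapse/charts/cloudflared-hookshot/templates/common.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-synapse-cloudflared-hookshot
  labels:
    app.kubernetes.io/controller: main
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cloudflared-hookshot
    app.kubernetes.io/version: 2025.10.0
    helm.sh/chart: cloudflared-hookshot-1.23.0
  namespace: matrix-synapse
spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/controller: main
      app.kubernetes.io/name: cloudflared-hookshot
      app.kubernetes.io/instance: matrix-synapse
  template:
    metadata:
      labels:
        app.kubernetes.io/controller: main
        app.kubernetes.io/instance: matrix-synapse
        app.kubernetes.io/name: cloudflared-hookshot
    spec:
      enableServiceLinks: false
      serviceAccountName: default
      # cloudflared never calls the Kubernetes API; do not mount a token for it.
      automountServiceAccountToken: false
      hostIPC: false
      hostNetwork: false
      hostPID: false
      dnsPolicy: ClusterFirst
      containers:
        - name: main
          image: cloudflare/cloudflared:2025.11.1
          imagePullPolicy: IfNotPresent
          # The tunnel token is passed via the TUNNEL_TOKEN environment variable
          # rather than `--token $(...)` so it does not appear in the process
          # command line (visible to any process in the pod and in node-level
          # process listings).
          args:
            - tunnel
            - --protocol
            - http2
            - --no-autoupdate
            - run
          env:
            - name: TUNNEL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: matrix-synapse-cloudflared-hookshot-secret
                  key: cf-tunnel-token
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
---
# Source: matrix-synapse/charts/cloudflared-synapse/templates/common.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-synapse-cloudflared-synapse
  labels:
    app.kubernetes.io/controller: main
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cloudflared-synapse
    app.kubernetes.io/version: 2025.10.0
    helm.sh/chart: cloudflared-synapse-1.23.0
  namespace: matrix-synapse
spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/controller: main
      app.kubernetes.io/name: cloudflared-synapse
      app.kubernetes.io/instance: matrix-synapse
  template:
    metadata:
      labels:
        app.kubernetes.io/controller: main
        app.kubernetes.io/instance: matrix-synapse
        app.kubernetes.io/name: cloudflared-synapse
    spec:
      enableServiceLinks: false
      serviceAccountName: default
      # cloudflared never calls the Kubernetes API; do not mount a token for it.
      automountServiceAccountToken: false
      hostIPC: false
      hostNetwork: false
      hostPID: false
      dnsPolicy: ClusterFirst
      containers:
        - name: main
          image: cloudflare/cloudflared:2025.11.1
          imagePullPolicy: IfNotPresent
          # Token supplied through TUNNEL_TOKEN instead of the command line; see
          # the hookshot tunnel above for the rationale.
          args:
            - tunnel
            - --protocol
            - http2
            - --no-autoupdate
            - run
          env:
            - name: TUNNEL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: matrix-synapse-cloudflared-synapse-secret
                  key: cf-tunnel-token
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
---
# Source: matrix-synapse/charts/matrix-hookshot/templates/common.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-hookshot
  labels:
    app.kubernetes.io/controller: main
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: matrix-synapse
    helm.sh/chart: matrix-hookshot-4.4.0
  namespace: matrix-synapse
spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/controller: main
      app.kubernetes.io/name: matrix-synapse
      app.kubernetes.io/instance: matrix-synapse
  template:
    metadata:
      labels:
        app.kubernetes.io/controller: main
        app.kubernetes.io/instance: matrix-synapse
        app.kubernetes.io/name: matrix-synapse
    spec:
      enableServiceLinks: false
      serviceAccountName: default
      # Hookshot does not use the Kubernetes API; its only credentials are the
      # appservice tokens and GitHub passkey mounted below.
      automountServiceAccountToken: false
      hostIPC: false
      hostNetwork: false
      hostPID: false
      dnsPolicy: ClusterFirst
      containers:
        - name: main
          image: halfshot/matrix-hookshot:7.2.0
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
          # All three files come from the same Vault-backed Secret; the
          # registration file holds the as_token/hs_token shared with Synapse.
          volumeMounts:
            - mountPath: /data/config.yml
              mountPropagation: None
              name: config
              readOnly: true
              subPath: config.yml
            - mountPath: /data/passkey.pem
              mountPropagation: None
              name: passkey
              readOnly: true
              subPath: passkey.pem
            - mountPath: /data/registration.yml
              mountPropagation: None
              name: registration
              readOnly: true
              subPath: registration.yml
      volumes:
        - name: config
          secret:
            secretName: matrix-hookshot-config-secret
        - name: passkey
          secret:
            secretName: matrix-hookshot-config-secret
        - name: registration
          secret:
            secretName: matrix-hookshot-config-secret
---
# Source: matrix-synapse/charts/matrix-synapse/templates/deployment.yaml
# Server: alexlebens.dev
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-synapse
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: synapse
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: matrix-synapse
      app.kubernetes.io/instance: matrix-synapse
      app.kubernetes.io/component: synapse
  template:
    metadata:
      annotations:
        checksum/config: e77b3b25301ed2f4b5eac2f16ed5d058374ed1ffcd7e9ca4d8eef44867647feb
        checksum/secrets: 1379c893132491c2215656107a91e3edd3059f6e46bf6d81fc706e81ff9f7454
      labels:
        app.kubernetes.io/name: matrix-synapse
        app.kubernetes.io/instance: matrix-synapse
        app.kubernetes.io/component: synapse
    spec:
      serviceAccountName: default
      # Synapse does not use the Kubernetes API; keep the SA token out of a pod
      # that terminates federation traffic from arbitrary remote servers.
      automountServiceAccountToken: false
      securityContext: {}
      initContainers:
        # Runs as root to fix ownership of the media volume on every start.
        # `alpine:latest` with imagePullPolicy Always means the root-running
        # container is whatever the registry serves today; pin a digest.
        - name: volume-permissions
          command:
            - sh
            - -c
            - |
              chown 666:666 -R /synapse/data
          image: "alpine:latest"
          imagePullPolicy: Always
          resources: {}
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
          volumeMounts:
            - name: media
              mountPath: /synapse/data
      containers:
        - name: synapse
          # The shell wrapper replaces the image entrypoint, so the homeserver
          # starts with whatever UID the (empty) securityContext gives it, not the
          # 666 the init container prepares the volume for. Setting runAsUser 666
          # here also needs a writable location for pid_file (/homeserver.pid).
          #
          # The sed substitution escapes `/` and `&` in the passwords but not `\`
          # or newlines; a credential containing either would corrupt the rendered
          # secrets.yaml rather than fail loudly.
          command:
            - sh
            - -c
            - |
              export POSTGRES_PASSWORD=$(echo "${POSTGRES_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \
              export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \
              cat /synapse/secrets/*.yaml | \
                sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
                    -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
                > /synapse/config/conf.d/secrets.yaml
              exec python -B -m synapse.app.homeserver \
                -c /synapse/config/homeserver.yaml \
                -c /synapse/config/conf.d/
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: matrix-synapse-postgresql-17-cluster-app
                  key: password
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: matrix-synapse-redis-secret
                  key: password
          image: "ghcr.io/element-hq/synapse:v1.143.0"
          imagePullPolicy: IfNotPresent
          securityContext: {}
          ports:
            - name: http
              containerPort: 8008
              protocol: TCP
            - name: replication
              containerPort: 9093
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /health
              port: http
          readinessProbe:
            httpGet:
              path: /health
              port: http
          startupProbe:
            failureThreshold: 12
            httpGet:
              path: /health
              port: http
          volumeMounts:
            - name: config
              mountPath: /synapse/config
            # Writable scratch dir for the rendered secrets.yaml; the Vault-backed
            # files below are projected into it read-only via subPath.
            - name: tmpconf
              mountPath: /synapse/config/conf.d
            - name: secrets
              mountPath: /synapse/secrets
            - name: signingkey
              mountPath: /synapse/keys
            - name: media
              mountPath: /synapse/data
            - name: tmpdir
              mountPath: /tmp
            - mountPath: /synapse/config/conf.d/oidc.yaml
              name: matrix-synapse-config-secret
              readOnly: true
              subPath: oidc.yaml
            - mountPath: /synapse/config/conf.d/config.yaml
              name: matrix-synapse-config-secret
              readOnly: true
              subPath: config.yaml
            - mountPath: /synapse/config/conf.d/hookshot-registration.yaml
              name: matrix-hookshot-config-secret
              readOnly: true
              subPath: hookshot-registration.yaml
            - mountPath: /synapse/config/conf.d/double-puppet-registration.yaml
              name: double-puppet-registration-secret
              readOnly: true
              subPath: double-puppet-registration.yaml
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
      volumes:
        - name: config
          configMap:
            name: matrix-synapse
        - name: secrets
          secret:
            secretName: matrix-synapse
        - name: signingkey
          secret:
            secretName: "matrix-synapse-signingkey"
            items:
              - key: "signing.key"
                path: signing.key
        - name: tmpconf
          emptyDir: {}
        - name: tmpdir
          emptyDir: {}
        - name: media
          persistentVolumeClaim:
            claimName: matrix-synapse
        - name: matrix-synapse-config-secret
          secret:
            secretName: matrix-synapse-config-secret
        - name: matrix-hookshot-config-secret
          secret:
            secretName: matrix-hookshot-config-secret
        - name: double-puppet-registration-secret
          secret:
            secretName: double-puppet-registration-secret
---
# Source: matrix-synapse/charts/matrix-synapse/templates/well-known.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-synapse-wellknown-lighttpd
  labels:
    helm.sh/chart: matrix-synapse-3.12.16
    app.kubernetes.io/name: matrix-synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/version: "1.143.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: well-known
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: matrix-synapse
      app.kubernetes.io/instance: matrix-synapse
      app.kubernetes.io/component: well-known
  template:
    metadata:
      annotations:
        checksum/config: 12a2f127585ae5d777c577a32e69a1fffb3d4ec75253d8d1ef7f618cf852f322
      labels:
        app.kubernetes.io/name: matrix-synapse
        app.kubernetes.io/instance: matrix-synapse
        app.kubernetes.io/component: well-known
    spec:
      # Static file server; no Kubernetes API access needed.
      automountServiceAccountToken: false
      securityContext: {}
      containers:
        - name: lighttpd
          # Unpinned `latest` pulled on every restart; pin a tag or digest so the
          # public-facing discovery endpoint is not rebuilt from an unreviewed image.
          image: "ghcr.io/rtsp/docker-lighttpd:latest"
          imagePullPolicy: Always
          securityContext: {}
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          readinessProbe:
            tcpSocket:
              port: http
          livenessProbe:
            httpGet:
              # Probe a real served document instead of mod_status's /server-status,
              # which has been removed from lighttpd.conf above.
              path: /.well-known/matrix/server
              port: http
          volumeMounts:
            - mountPath: /etc/lighttpd/lighttpd.conf
              name: files
              subPath: lighttpd.conf
            - mountPath: /var/www/localhost/htdocs/client.json
              name: files
              subPath: client.json
            - mountPath: /var/www/localhost/htdocs/server.json
              name: files
              subPath: server.json
            - mountPath: /run
              name: run
          resources: {}
      volumes:
        - name: files
          configMap:
            name: matrix-synapse-wellknown-lighttpd
        - name: run
          emptyDir: {}
---
# Source: matrix-synapse/charts/matrix-synapse/templates/signing-key-job.yaml
# Create secret if signing key job is enabled, or if we're running in ArgoCD and we don't have an existing secret
---
# Source: matrix-synapse/charts/postgres-17-cluster/templates/cluster.yaml
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: matrix-synapse-postgresql-17-cluster
  namespace: matrix-synapse
  labels:
    helm.sh/chart: postgres-17-cluster-6.16.0
    app.kubernetes.io/name: matrix-synapse-postgresql-17
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
    app.kubernetes.io/version: "6.16.0"
    app.kubernetes.io/managed-by: Helm
spec:
  instances: 3
  imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie"
  imagePullPolicy: IfNotPresent
  postgresUID: 26
  postgresGID: 26
  plugins:
    # Off-site base backups to DigitalOcean Spaces (https); WAL archiving goes to
    # the in-cluster Garage store, which is reached over plain http (see the
    # ObjectStore definitions below).
    - name: barman-cloud.cloudnative-pg.io
      enabled: true
      isWALArchiver: false
      parameters:
        barmanObjectName: "matrix-synapse-postgresql-17-external-backup"
        serverName: "matrix-synapse-postgresql-17-backup-2"
    - name: barman-cloud.cloudnative-pg.io
      enabled: true
      isWALArchiver: true
      parameters:
        barmanObjectName: "matrix-synapse-postgresql-17-garage-local-backup"
        serverName: "matrix-synapse-postgresql-17-backup-1"
  # The rendered chart emitted `externalClusters` twice; YAML parsers either reject
  # the duplicate key or keep only the last list, which dropped the `recovery`
  # entry. Both entries are kept here in a single list. Only the second is
  # referenced (bootstrap.recovery.source).
  externalClusters:
    - name: recovery
      plugin:
        name: barman-cloud.cloudnative-pg.io
        parameters:
          barmanObjectName: "matrix-synapse-postgresql-17-recovery"
          serverName: matrix-synapse-postgresql-17-backup-1
    - name: matrix-synapse-postgresql-17-backup-1
      plugin:
        name: barman-cloud.cloudnative-pg.io
        enabled: true
        isWALArchiver: false
        parameters:
          barmanObjectName: "matrix-synapse-postgresql-17-recovery"
          serverName: matrix-synapse-postgresql-17-backup-1
  storage:
    size: 10Gi
    storageClass: local-path
  walStorage:
    size: 2Gi
    storageClass: local-path
  resources:
    limits:
      hugepages-2Mi: 256Mi
    requests:
      cpu: 200m
      memory: 256Mi
  affinity:
    enablePodAntiAffinity: true
    topologyKey: kubernetes.io/hostname
  primaryUpdateMethod: switchover
  primaryUpdateStrategy: unsupervised
  logLevel: info
  # No `postgres` superuser secret is created; application access is via the
  # `app` role whose password Synapse reads from the -app Secret.
  enableSuperuserAccess: false
  enablePDB: true
  postgresql:
    parameters:
      hot_standby_feedback: "on"
      max_slot_wal_keep_size: 2000MB
      shared_buffers: 128MB
  monitoring:
    enablePodMonitor: true
    disableDefaultQueries: false
  # Bootstrap-from-backup applies only when the cluster is first created; it is
  # ignored on subsequent reconciles of an existing cluster.
  bootstrap:
    recovery:
      database: app
      source: matrix-synapse-postgresql-17-backup-1
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-synapse-config-secret
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-synapse-config-secret
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: oidc.yaml
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/config
        metadataPolicy: None
        property: oidc.yaml
    - secretKey: config.yaml
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/config
        metadataPolicy: None
        property: config.yaml
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-synapse-signingkey
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-synapse-signingkey
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: signing.key
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/config
        metadataPolicy: None
        property: signing-key
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-hookshot-config-secret
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-hookshot-config-secret
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: config.yml
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/hookshot
        metadataPolicy: None
        property: config
    # The same appservice registration is projected twice: once for hookshot
    # itself and once (as hookshot-registration.yaml) for the Synapse pod.
    - secretKey: registration.yml
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/hookshot
        metadataPolicy: None
        property: registration
    - secretKey: hookshot-registration.yaml
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/hookshot
        metadataPolicy: None
        property: registration
    - secretKey: passkey.pem
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/hookshot
        metadataPolicy: None
        property: passkey
# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
#   name: mautrix-discord-config-secret
#   namespace: matrix-synapse
#   labels:
#     app.kubernetes.io/name: matrix-synapse
#     app.kubernetes.io/instance: matrix-synapse
# spec:
#   secretStoreRef:
#     kind: ClusterSecretStore
#     name: vault
#   data:
#     - secretKey: config.yaml
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/matrix-synapse/mautrix-discord
#         metadataPolicy: None
#         property: config
#     - secretKey: mautrix-discord-registration.yaml
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/matrix-synapse/mautrix-discord
#         metadataPolicy: None
#         property: registration
# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
#   name: mautrix-whatsapp-config-secret
#   namespace: matrix-synapse
#   labels:
#     app.kubernetes.io/name: matrix-synapse
#     app.kubernetes.io/instance: matrix-synapse
# spec:
#   secretStoreRef:
#     kind: ClusterSecretStore
#     name: vault
#   data:
#     - secretKey: config.yaml
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/matrix-synapse/mautrix-whatsapp
#         metadataPolicy: None
#         property: config
#     - secretKey: mautrix-whatsapp-registration.yaml
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/matrix-synapse/mautrix-whatsapp
#         metadataPolicy: None
#         property: registration
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: double-puppet-registration-secret
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: double-puppet-registration-secret
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: double-puppet-registration.yaml
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/double-puppet
        metadataPolicy: None
        property: registration
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-synapse-redis-secret
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-synapse-redis-secret
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: password
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/matrix-synapse/redis
        metadataPolicy: None
        property: password
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-synapse-cloudflared-synapse-secret
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-synapse-cloudflared-synapse-secret
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/matrix-synapse
        metadataPolicy: None
        property: token
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-synapse-cloudflared-hookshot-secret
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-synapse-cloudflared-hookshot-secret
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/matrix-hookshot
        metadataPolicy: None
        property: token
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-synapse-backup-secret
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-synapse-backup-secret
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/matrix-synapse/matrix-synapse"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
#   name: mautrix-discord-data-backup-secret
#   namespace: matrix-synapse
#   labels:
#     app.kubernetes.io/name: matrix-synapse
#     app.kubernetes.io/instance: matrix-synapse
# spec:
#   secretStoreRef:
#     kind: ClusterSecretStore
#     name: vault
#   target:
#     template:
#       mergePolicy: Merge
#       engineVersion: v2
#       data:
#         RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/matrix-synapse/mautrix-discord-data"
#   data:
#     - secretKey: BUCKET_ENDPOINT
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/volsync/restic/config
#         metadataPolicy: None
#         property: S3_BUCKET_ENDPOINT
#     - secretKey: RESTIC_PASSWORD
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/volsync/restic/config
#         metadataPolicy: None
#         property: RESTIC_PASSWORD
#     - secretKey: AWS_DEFAULT_REGION
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/volsync/restic/config
#         metadataPolicy: None
#         property: AWS_DEFAULT_REGION
#     - secretKey: AWS_ACCESS_KEY_ID
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /digital-ocean/home-infra/volsync-backups
#         metadataPolicy: None
#         property: access_key
#     - secretKey: AWS_SECRET_ACCESS_KEY
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /digital-ocean/home-infra/volsync-backups
#         metadataPolicy: None
#         property: secret_key
# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
#   name: mautrix-whatsapp-data-backup-secret
#   namespace: matrix-synapse
#   labels:
#     app.kubernetes.io/name: matrix-synapse
#     app.kubernetes.io/instance: matrix-synapse
# spec:
#   secretStoreRef:
#     kind: ClusterSecretStore
#     name: vault
#   target:
#     template:
#       mergePolicy: Merge
#       engineVersion: v2
#       data:
#         RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/matrix-synapse/mautrix-whatsapp-data"
#   data:
#     - secretKey: BUCKET_ENDPOINT
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/volsync/restic/config
#         metadataPolicy: None
#         property: S3_BUCKET_ENDPOINT
#     - secretKey: RESTIC_PASSWORD
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/volsync/restic/config
#         metadataPolicy: None
#         property: RESTIC_PASSWORD
#     - secretKey: AWS_DEFAULT_REGION
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /cl01tl/volsync/restic/config
#         metadataPolicy: None
#         property: AWS_DEFAULT_REGION
#     - secretKey: AWS_ACCESS_KEY_ID
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /digital-ocean/home-infra/volsync-backups
#         metadataPolicy: None
#         property: access_key
#     - secretKey: AWS_SECRET_ACCESS_KEY
#       remoteRef:
#         conversionStrategy: Default
#         decodingStrategy: None
#         key: /digital-ocean/home-infra/volsync-backups
#         metadataPolicy: None
#         property: secret_key
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-synapse-postgresql-17-cluster-backup-secret
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-synapse-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
---
# Source: matrix-synapse/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
  namespace: matrix-synapse
  labels:
    app.kubernetes.io/name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
        metadataPolicy: None
        property: ACCESS_REGION
---
# Source: matrix-synapse/charts/postgres-17-cluster/templates/object-store.yaml
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
  name: "matrix-synapse-postgresql-17-external-backup"
  namespace: matrix-synapse
  labels:
    helm.sh/chart: postgres-17-cluster-6.16.0
    app.kubernetes.io/name: matrix-synapse-postgresql-17
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
    app.kubernetes.io/version: "6.16.0"
    app.kubernetes.io/managed-by: Helm
spec:
  retentionPolicy: 30d
  configuration:
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster
    endpointURL: https://nyc3.digitaloceanspaces.com
    s3Credentials:
      accessKeyId:
        name: matrix-synapse-postgresql-17-cluster-backup-secret
        key: ACCESS_KEY_ID
      secretAccessKey:
        name: matrix-synapse-postgresql-17-cluster-backup-secret
        key: ACCESS_SECRET_KEY
---
# Source: matrix-synapse/charts/postgres-17-cluster/templates/object-store.yaml
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
  name: "matrix-synapse-postgresql-17-garage-local-backup"
  namespace: matrix-synapse
  labels:
    helm.sh/chart: postgres-17-cluster-6.16.0
    app.kubernetes.io/name: matrix-synapse-postgresql-17
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
    app.kubernetes.io/version: "6.16.0"
    app.kubernetes.io/managed-by: Helm
spec:
  retentionPolicy: 3d
  configuration:
    destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster
    # Plain-http S3 endpoint: WAL segments and base backups (the full database,
    # including access tokens and message content) cross the pod network in clear
    # text. Acceptable only if the cluster network is trusted end to end; prefer an
    # https endpoint for Garage.
    endpointURL: http://garage-main.garage:3900
    s3Credentials:
      accessKeyId:
        name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
        key: ACCESS_KEY_ID
      secretAccessKey:
        name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
        key: ACCESS_SECRET_KEY
      region:
        name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
        key: ACCESS_REGION
---
# Source: matrix-synapse/charts/postgres-17-cluster/templates/object-store.yaml
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
  name: "matrix-synapse-postgresql-17-recovery"
  namespace: matrix-synapse
  labels:
    helm.sh/chart: postgres-17-cluster-6.16.0
    app.kubernetes.io/name: matrix-synapse-postgresql-17
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
    app.kubernetes.io/version: "6.16.0"
    app.kubernetes.io/managed-by: Helm
spec:
  configuration:
    destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster
    # Same plain-http Garage endpoint as the local backup store above.
    endpointURL: http://garage-main.garage:3900
    wal:
      compression: snappy
      maxParallel: 1
    data:
      compression: snappy
      jobs: 1
    s3Credentials:
      accessKeyId:
        name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
        key: ACCESS_KEY_ID
      secretAccessKey:
        name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
        key: ACCESS_SECRET_KEY
---
# Source: matrix-synapse/charts/postgres-17-cluster/templates/prometheus-rule.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: matrix-synapse-postgresql-17-alert-rules
  namespace: matrix-synapse
  labels:
    helm.sh/chart: postgres-17-cluster-6.16.0
    app.kubernetes.io/name: matrix-synapse-postgresql-17
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
    app.kubernetes.io/version: "6.16.0"
    app.kubernetes.io/managed-by: Helm
spec:
  groups:
    - name: cloudnative-pg/matrix-synapse-postgresql-17
      rules:
        - alert: CNPGClusterBackendsWaitingWarning
          annotations:
            summary: CNPG Cluster a backend is waiting for longer than 5 minutes.
            description: |-
              Pod {{ $labels.pod }} has been waiting for longer than 5 minutes
          expr: |
            cnpg_backends_waiting_total > 300
          for: 1m
          labels:
            severity: warning
            namespace: matrix-synapse
            cnpg_cluster: matrix-synapse-postgresql-17-cluster
        - alert: CNPGClusterDatabaseDeadlockConflictsWarning
          annotations:
            summary: CNPG Cluster has over 10 deadlock conflicts.
            description: |-
              There are over 10 deadlock conflicts in {{ $labels.pod }}
          expr: |
            cnpg_pg_stat_database_deadlocks > 10
          for: 1m
          labels:
            severity: warning
            namespace: matrix-synapse
            cnpg_cluster: matrix-synapse-postgresql-17-cluster
        - alert: CNPGClusterHACritical
          annotations:
            summary: CNPG Cluster has no standby replicas!
            description: |-
              CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe
              risk of data loss and downtime if the primary instance fails.

              The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint
              will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main.

              This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less
              instances. The replaced instance may need some time to catch-up with the cluster primary instance.

              This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this
              case you may want to silence it.
            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md
          expr: |
            max by (job) (cnpg_pg_replication_streaming_replicas{namespace="matrix-synapse"} - cnpg_pg_replication_is_wal_receiver_up{namespace="matrix-synapse"}) < 1
          for: 5m
          labels:
            severity: critical
            namespace: matrix-synapse
            cnpg_cluster: matrix-synapse-postgresql-17-cluster
        - alert: CNPGClusterHAWarning
          annotations:
            summary: CNPG Cluster less than 2 standby replicas.
            description: |-
              CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting
              your cluster at risk if another instance fails. The cluster is still able to operate normally, although
              the `-ro` and `-r` endpoints operate at reduced capacity.

              This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may
              need some time to catch-up with the cluster primary instance.

              This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances.
              In this case you may want to silence it.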
runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md expr: | max by (job) (cnpg_pg_replication_streaming_replicas{namespace="matrix-synapse"} - cnpg_pg_replication_is_wal_receiver_up{namespace="matrix-synapse"}) < 2 for: 5m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterHighConnectionsCritical annotations: summary: CNPG Instance maximum number of connections critical! description: |- CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of the maximum number of connections. runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md expr: | sum by (pod) (cnpg_backends_total{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 for: 5m labels: severity: critical namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterHighConnectionsWarning annotations: summary: CNPG Instance is approaching the maximum number of connections. description: |- CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of the maximum number of connections. 
runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md expr: | sum by (pod) (cnpg_backends_total{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 for: 5m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterHighReplicationLag annotations: summary: CNPG Cluster high replication lag description: |- CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" is experiencing a high replication lag of {{`{{`}} $value {{`}}`}}ms. High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md expr: | max(cnpg_pg_replication_lag{namespace="matrix-synapse",pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 for: 5m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterInstancesOnSameNode annotations: summary: CNPG Cluster instances are located on the same node. description: |- CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} instances on the same node {{`{{`}} $labels.node {{`}}`}}. A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md expr: | count by (node) (kube_pod_info{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 for: 5m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterLongRunningTransactionWarning annotations: summary: CNPG Cluster query is taking longer than 5 minutes. description: |- CloudNativePG Cluster Pod {{ $labels.pod }} is taking more than 5 minutes (300 seconds) for a query. expr: |- cnpg_backends_max_tx_duration_seconds > 300 for: 1m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterLowDiskSpaceCritical annotations: summary: CNPG Instance is running out of disk space! description: |- CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md expr: | max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) / sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) * on(namespace, persistentvolumeclaim) group_left(volume) kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} ) > 0.9 for: 5m labels: severity: critical namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterLowDiskSpaceWarning annotations: summary: CNPG Instance is running out of disk space. description: |- CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md expr: | max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) / sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) * on(namespace, persistentvolumeclaim) group_left(volume) kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} ) > 0.7 for: 5m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterOffline annotations: summary: CNPG Cluster has no running instances! description: |- CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" has no ready instances. Having an offline cluster means your applications will not be able to access the database, leading to potential service disruption and/or data loss. 
runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md expr: | (count(cnpg_collector_up{namespace="matrix-synapse",pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 for: 5m labels: severity: critical namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterPGDatabaseXidAgeWarning annotations: summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. description: |- Over 300,000,000 transactions from frozen xid on pod {{ $labels.pod }} expr: | cnpg_pg_database_xid_age > 300000000 for: 1m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterPGReplicationWarning annotations: summary: CNPG Cluster standby is lagging behind the primary. description: |- Standby is lagging behind by over 300 seconds (5 minutes) expr: | cnpg_pg_replication_lag > 300 for: 1m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterReplicaFailingReplicationWarning annotations: summary: CNPG Cluster has a replica is failing to replicate. description: |- Replica {{ $labels.pod }} is failing to replicate expr: | cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up for: 1m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster - alert: CNPGClusterZoneSpreadWarning annotations: summary: CNPG Cluster instances in the same zone. description: |- CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" has instances in the same availability zone. A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md expr: | 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 for: 5m labels: severity: warning namespace: matrix-synapse cnpg_cluster: matrix-synapse-postgresql-17-cluster --- # Source: matrix-synapse/templates/redis-replication.yaml apiVersion: redis.redis.opstreelabs.in/v1beta2 kind: RedisReplication metadata: name: redis-replication-matrix-synapse namespace: matrix-synapse labels: app.kubernetes.io/name: redis-replication-matrix-synapse app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse spec: clusterSize: 3 podSecurityContext: runAsUser: 1000 fsGroup: 1000 kubernetesConfig: image: quay.io/opstree/redis:v8.0.3 imagePullPolicy: IfNotPresent redisSecret: name: matrix-synapse-redis-secret key: password resources: requests: cpu: 50m memory: 128Mi storage: volumeClaimTemplate: spec: storageClassName: ceph-block accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi redisExporter: enabled: true image: quay.io/opstree/redis-exporter:v1.48.0 --- # Source: matrix-synapse/templates/redis-replication.yaml apiVersion: redis.redis.opstreelabs.in/v1beta2 kind: RedisReplication metadata: name: redis-replication-hookshot namespace: matrix-synapse labels: app.kubernetes.io/name: redis-replication-hookshot app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse spec: clusterSize: 3 podSecurityContext: runAsUser: 1000 fsGroup: 1000 kubernetesConfig: image: quay.io/opstree/redis:v8.0.3 imagePullPolicy: IfNotPresent resources: requests: cpu: 50m memory: 128Mi storage: volumeClaimTemplate: spec: storageClassName: ceph-block accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi 
redisExporter: enabled: true image: quay.io/opstree/redis-exporter:v1.48.0 --- # Source: matrix-synapse/templates/replication-source.yaml apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource metadata: name: matrix-synapse-backup-source namespace: matrix-synapse labels: app.kubernetes.io/name: matrix-synapse-backup-source app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse spec: sourcePVC: matrix-synapse trigger: schedule: 0 4 * * * restic: pruneIntervalDays: 7 repository: matrix-synapse-backup-secret retain: hourly: 1 daily: 3 weekly: 2 monthly: 2 yearly: 4 copyMethod: Snapshot storageClassName: ceph-block volumeSnapshotClassName: ceph-blockpool-snapshot # --- # apiVersion: volsync.backube/v1alpha1 # kind: ReplicationSource # metadata: # name: mautrix-discord-data-backup-source # namespace: matrix-synapse # labels: # app.kubernetes.io/name: mautrix-discord-data-backup-source # app.kubernetes.io/instance: matrix-synapse # app.kubernetes.io/part-of: matrix-synapse # spec: # sourcePVC: mautrix-discord-data # trigger: # schedule: 0 4 * * * # restic: # pruneIntervalDays: 7 # repository: mautrix-discord-data-backup-secret # retain: # hourly: 1 # daily: 3 # weekly: 2 # monthly: 2 # yearly: 4 # moverSecurityContext: # runAsUser: 1337 # runAsGroup: 1337 # copyMethod: Snapshot # storageClassName: ceph-block # volumeSnapshotClassName: ceph-blockpool-snapshot # --- # apiVersion: volsync.backube/v1alpha1 # kind: ReplicationSource # metadata: # name: mautrix-whatsapp-data-backup-source # namespace: matrix-synapse # labels: # app.kubernetes.io/name: mautrix-whatsapp-data-backup-source # app.kubernetes.io/instance: matrix-synapse # app.kubernetes.io/part-of: matrix-synapse # spec: # sourcePVC: mautrix-whatsapp-data # trigger: # schedule: 0 4 * * * # restic: # pruneIntervalDays: 7 # repository: mautrix-whatsapp-data-backup-secret # retain: # hourly: 1 # daily: 3 # weekly: 2 # monthly: 2 # yearly: 4 # moverSecurityContext: # runAsUser: 1337 # 
runAsGroup: 1337 # copyMethod: Snapshot # storageClassName: ceph-block # volumeSnapshotClassName: ceph-blockpool-snapshot --- # Source: matrix-synapse/charts/postgres-17-cluster/templates/scheduled-backup.yaml apiVersion: postgresql.cnpg.io/v1 kind: ScheduledBackup metadata: name: "matrix-synapse-postgresql-17-daily-backup-scheduled-backup" namespace: matrix-synapse labels: helm.sh/chart: postgres-17-cluster-6.16.0 app.kubernetes.io/name: matrix-synapse-postgresql-17 app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse app.kubernetes.io/version: "6.16.0" app.kubernetes.io/managed-by: Helm spec: immediate: false suspend: false schedule: "0 0 0 * * *" backupOwnerReference: self cluster: name: matrix-synapse-postgresql-17-cluster method: plugin pluginConfiguration: name: barman-cloud.cloudnative-pg.io parameters: barmanObjectName: "matrix-synapse-postgresql-17-external-backup" --- # Source: matrix-synapse/charts/postgres-17-cluster/templates/scheduled-backup.yaml apiVersion: postgresql.cnpg.io/v1 kind: ScheduledBackup metadata: name: "matrix-synapse-postgresql-17-live-backup-scheduled-backup" namespace: matrix-synapse labels: helm.sh/chart: postgres-17-cluster-6.16.0 app.kubernetes.io/name: matrix-synapse-postgresql-17 app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse app.kubernetes.io/version: "6.16.0" app.kubernetes.io/managed-by: Helm spec: immediate: true suspend: false schedule: "0 0 0 * * *" backupOwnerReference: self cluster: name: matrix-synapse-postgresql-17-cluster method: plugin pluginConfiguration: name: barman-cloud.cloudnative-pg.io parameters: barmanObjectName: "matrix-synapse-postgresql-17-garage-local-backup" --- # Source: matrix-synapse/templates/service-monitor.yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: matrix-synapse namespace: matrix-synapse labels: app.kubernetes.io/name: matrix-synapse app.kubernetes.io/instance: matrix-synapse 
app.kubernetes.io/part-of: matrix-synapse spec: selector: matchLabels: app.kubernetes.io/name: matrix-synapse app.kubernetes.io/instance: matrix-synapse endpoints: - targetPort: 9090 interval: 3m scrapeTimeout: 1m path: /_synapse/metrics --- # Source: matrix-synapse/templates/service-monitor.yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: matrix-hookshot namespace: matrix-synapse labels: app.kubernetes.io/name: matrix-hookshot app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse spec: selector: matchLabels: app.kubernetes.io/name: matrix-hookshot app.kubernetes.io/instance: matrix-synapse endpoints: - targetPort: 9001 interval: 3m scrapeTimeout: 1m path: /metrics --- # Source: matrix-synapse/templates/service-monitor.yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: redis-replication-matrix-synapse namespace: matrix-synapse labels: app.kubernetes.io/name: redis-replication-matrix-synapse app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse redis-operator: "true" env: production spec: selector: matchLabels: redis_setup_type: replication endpoints: - port: redis-exporter interval: 30s scrapeTimeout: 10s --- # Source: matrix-synapse/charts/matrix-synapse/templates/tests/test-connection.yaml apiVersion: v1 kind: Pod metadata: name: "matrix-synapse-test-connection" labels: helm.sh/chart: matrix-synapse-3.12.16 app.kubernetes.io/name: matrix-synapse app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/version: "1.143.0" app.kubernetes.io/managed-by: Helm annotations: "helm.sh/hook": test-success spec: containers: - name: wget image: busybox command: ['wget'] args: ['matrix-synapse:8008/_matrix/client/versions'] restartPolicy: Never