From 8eae454769377aa7a1f358511f5e8ad21e1439f3 Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Wed, 19 May 2021 15:42:13 +0000
Subject: [PATCH 1/6] matrix: bump appservice-irc
Also drive-by bump appservice-telegram, which was already bumped on prod.
Change-Id: Ic8222775e7e3dbaa44361e6ccd84bdd6617924c3
---
 app/matrix/lib/matrix-ng.libsonnet | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/app/matrix/lib/matrix-ng.libsonnet b/app/matrix/lib/matrix-ng.libsonnet
index 28550f64..eb1a0255 100644
--- a/app/matrix/lib/matrix-ng.libsonnet
+++ b/app/matrix/lib/matrix-ng.libsonnet
@@ -65,9 +65,8 @@ local synapse = import "./synapse.libsonnet";
 synapse: "matrixdotorg/synapse:v1.25.0",
 riot: "vectorim/riot-web:v1.7.18",
 casProxy: "registry.k0.hswaw.net/q3k/oauth2-cas-proxy:0.1.4",
- appserviceIRC: "matrixdotorg/matrix-appservice-irc:release-0.23.0",
- # That's v0.8.2 - we just don't trust that host to not re-tag images.
- appserviceTelegram: "dock.mau.dev/tulir/mautrix-telegram@sha256:9e68eaa80c9e4a75d9a09ec92dc4898b12d48390e01efa4de40ce882a6f7e330",
+ appserviceIRC: "matrixdotorg/matrix-appservice-irc:release-0.26.0",
+ appserviceTelegram: "dock.mau.dev/tulir/mautrix-telegram@sha256:c6e25cb57e1b67027069e8dc2627338df35d156315c004a6f2b34b6aeaa79f77",
 wellKnown: "registry.k0.hswaw.net/q3k/wellknown:1611960794-adbf560851a46ad0e58b42f0daad7ef19535687c",
 },
From 25cd650ec943d1e13a2f2e9d3617b7bcbd63f010 Mon Sep 17 00:00:00 2001
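Review bot: The removed line `# That's v0.8.2 - we just don't trust that host to not re-tag images.` has no replacement, so the new `+ appserviceTelegram:` digest pin no longer records which upstream release it was taken from or why a digest is used instead of a tag. Pinning by digest is the right choice for a registry whose tags are not trusted to be immutable, but without the version note the next bump cannot tell what it is upgrading from, and the rationale for the digest is lost to anyone reading the file later. Suggest restoring a comment above the new line, e.g. `# That's <MAUTRIX-TELEGRAM VERSION — fill in> - we just don't trust that host to not re-tag images.`, with the placeholder replaced by the release the digest corresponds to.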
From: Serge Bazanski
Date: Wed, 19 May 2021 16:05:38 +0000
Subject: [PATCH 2/6] matrix: add bootstrapJob config flag to appservices
This allows us to bypass the issue where Kubernetes jobs cannot be updated once completed, so bumping appservice image versions was painful. But really, though, this is probably someting that kubecfg/kartongips should handle.
Change-Id: I2778c5433f699db89120a3c44e55d2fbe2a10015
---
 app/matrix/lib/appservice-irc.libsonnet | 9 +++++++--
 app/matrix/lib/appservice-telegram.libsonnet | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/app/matrix/lib/appservice-irc.libsonnet b/app/matrix/lib/appservice-irc.libsonnet
index b9e5b84c..bc07305b 100644
--- a/app/matrix/lib/appservice-irc.libsonnet
+++ b/app/matrix/lib/appservice-irc.libsonnet
@@ -6,6 +6,11 @@ local kube = import "../../../kube/kube.libsonnet";
 local cfg = bridge.cfg,
 cfg:: {
 metadata: {},
+ // Whether the bootstrap job should be created/updated. Kubernetes
+ // doesn't like changing the configuration of jobs, so once this
+ // appservice has been set up, this flag should be flipped to
+ // false.
+ bootstrapJob: true,
 config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0] {
 ircService+: {
 [if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem"
@@ -40,7 +45,7 @@ local kube = import "../../../kube/kube.libsonnet";
 },
 },
- bootstrapJob: kube.Job("appservice-irc-%s-bootstrap" % [name]) {
+ bootstrapJob: if cfg.bootstrapJob then (kube.Job("appservice-irc-%s-bootstrap" % [name]) {
 metadata+: cfg.metadata {
 labels: {
 "job-name": "appservice-irc-%s-bootstrap" % [name],
@@ -64,7 +69,7 @@ local kube = import "../../../kube/kube.libsonnet";
 },
 },
 },
- },
+ }) else {},
 deployment: kube.Deployment("appservice-irc-%s" % [name]) {
 metadata+: cfg.metadata,
diff --git a/app/matrix/lib/appservice-telegram.libsonnet b/app/matrix/lib/appservice-telegram.libsonnet
index 6700fbc5..7c1221cc 100644
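Review bot: The new `bootstrapJob` comment in `cfg::` (first hunk of appservice-irc.libsonnet) describes the constraint vaguely as Kubernetes "doesn't like changing the configuration of jobs"; the actual rule is that a Job's spec is immutable once the Job exists, so leaving the flag at `true` after bumping the image makes the next apply of this appservice fail rather than roll the job. Suggest `# A Job's spec is immutable once created, so leaving this true after an image bump makes the next apply fail; flip it to false once the appservice has been bootstrapped.`, and note that this block uses `//` while the comment block added to the same file in patch 3/6 uses `#`, so the two styles will be mixed. The same flag, comment and `if cfg.bootstrapJob then (...) else {}` wrapper are duplicated verbatim in the appservice-telegram.libsonnet hunks of this patch; that is acceptable for now but is a candidate for one shared helper. The `cfg::` object and the bridge object these hunks edit start and end outside the hunks.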
--- a/app/matrix/lib/appservice-telegram.libsonnet
+++ b/app/matrix/lib/appservice-telegram.libsonnet
@@ -6,6 +6,11 @@ local kube = import "../../../kube/kube.libsonnet";
 local cfg = bridge.cfg,
 cfg:: {
 metadata: {},
+ // Whether the bootstrap job should be created/updated. Kubernetes
+ // doesn't like changing the configuration of jobs, so once this
+ // appservice has been set up, this flag should be flipped to
+ // false.
+ bootstrapJob: true,
 image: error "image must be set",
 storageClassName: error "storageClassName must be set",
@@ -64,7 +69,7 @@ local kube = import "../../../kube/kube.libsonnet";
 },
 },
- bootstrapJob: kube.Job("appservice-telegram-%s-bootstrap" % [name]) {
+ bootstrapJob: if cfg.bootstrapJob then (kube.Job("appservice-telegram-%s-bootstrap" % [name]) {
 metadata+: cfg.metadata {
 labels: {
 "job-name": "appservice-telegram-%s-bootstrap" % [name],
@@ -91,7 +96,7 @@ local kube = import "../../../kube/kube.libsonnet";
 },
 },
 },
- },
+ }) else {},
 deployment: kube.Deployment("appservice-telegram-%s" % [name]) {
 metadata+: cfg.metadata,
From 4154673593a05bdf8c8e42c4cb875db538d8f8ec Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Wed, 19 May 2021 16:10:01 +0000
Subject: [PATCH 3/6] matrix: appservice-irc: set debugService.enable if needed
This is the case for any IRC server that has ignoreIdleUsersOnStartup set, because of what seems like an appservice-irc bug.
Change-Id: If5063a3bc2d79c7f2fc79ec7560bf9bfe2b25aba
---
 app/matrix/lib/appservice-irc.libsonnet | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/app/matrix/lib/appservice-irc.libsonnet b/app/matrix/lib/appservice-irc.libsonnet
index bc07305b..2ef6905d 100644
--- a/app/matrix/lib/appservice-irc.libsonnet
+++ b/app/matrix/lib/appservice-irc.libsonnet
@@ -12,8 +12,23 @@ local kube = import "../../../kube/kube.libsonnet";
 // false.
 bootstrapJob: true,
 config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0] {
+ local appservicecfg = self,
 ircService+: {
- [if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem"
+ [if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem",
+ debugApi+: {
+ # Unfortunately, we have to enable the debugApi if any
+ # configured server wants to use
+ # ignoreIdleUsersOnStartup. This is seemingly an
+ # appservice-irc bug:
+ # https://github.com/matrix-org/matrix-appservice-irc/issues/1240
+ enabled: std.length(std.filter(
+ function (k) (
+ local v = appservicecfg.ircService.servers[k];
+ v.membershipLists.ignoreIdleUsersOnStartup.enabled == true
+ ),
+ std.objectFields(appservicecfg.ircService.servers)
+ )) > 0,
+ },
 },
 },
 image: error "image must be set",
From e7f14471e1e5cb551af5b0c90f152234d1cd8e0d Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Wed, 19 May 2021 16:07:30 +0000
Subject: [PATCH 4/6] matrix.hackerspace.pl: disable bootstrap jobs
Change-Id: I93472c8ca03b9d0a2d4bea1504ec93102d68f258
---
 app/matrix/matrix.hackerspace.pl.jsonnet | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index f150f6de..5862feba 100644
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -38,6 +38,7 @@ matrix {
 nodeSelector: {
 "kubernetes.io/hostname": "bc01n02.hswaw.net",
 },
+ bootstrapJob: false,
 config+: {
 homeserver+: {
 url: "https://%s" % [cfg.webDomain],
@@ -61,6 +62,7 @@ matrix {
 image: cfg.images.appserviceTelegram,
 storageClassName: cfg.storageClassName,
 metadata: app.metadata("appservice-telegram-prod"),
+ bootstrapJob: false,
 config+: {
 homeserver+: {
From 6be8b2e301ad6c1a7379e36f761bd72e8bc72ebc Mon Sep 17 00:00:00 2001
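Review bot: The filter predicate on the `+ v.membershipLists.ignoreIdleUsersOnStartup.enabled == true` line dereferences two nested fields unconditionally, so any entry under `ircService.servers` that lacks `membershipLists.ignoreIdleUsersOnStartup` (e.g. a server added in a deployment-specific override that does not inherit the YAML defaults) turns evaluation of the whole config into a field-lookup error instead of counting as `false`. Prefixing the comparison with `std.objectHas(v, "membershipLists") && std.objectHas(v.membershipLists, "ignoreIdleUsersOnStartup") &&` makes the `enabled` expression total. Separately, setting `debugApi.enabled` makes the bridge start its HTTP debug listener, and the new comment explains why it is needed but not what it exposes; a line such as `# NOTE: enabling this opens the bridge's HTTP debug listener; confirm it is not reachable through any Service/Ingress.` would keep that visible to whoever next touches the networking. The commit subject says `debugService.enable` while the key actually set is `debugApi.enabled`. The enclosing `config:` object starts and ends outside this hunk.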
From: Serge Bazanski
Date: Wed, 19 May 2021 16:32:20 +0000
Subject: [PATCH 5/6] matrix.hackerspace.pl: give appservce-irc admin access to q3k and inf
Change-Id: I54334f4e8d1abd037ae2c821cb3569312bd2fe3b
---
 app/matrix/matrix.hackerspace.pl.jsonnet | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index 5862feba..1478401b 100644
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -45,6 +45,10 @@ matrix {
 domain: "%s" % [cfg.serverName],
 },
 ircService+: {
+ permissions: {
+ "@q3k:hackerspace.pl": "admin",
+ "@informatic:hackerspace.pl": "admin",
+ },
 servers+: {
 "irc.freenode.net"+: {
 ircClients+: {
From 856b2164591512d025fae9c1ba27fbc12a876cf6 Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Wed, 19 May 2021 22:03:20 +0000
Subject: [PATCH 6/6] matrix.hackerspace.pl: add secret appservice-irc mappings
These contain a channel key for a secret channel. We also had to migrate the appservice-irc config to a secret.
Change-Id: I92c7cdf9679f65d9e655e22d690cef2e83180135
---
 app/matrix/lib/appservice-irc.libsonnet | 6 ++--
 app/matrix/matrix.hackerspace.pl.jsonnet | 1 +
 .../appservice-irc-freenode-mappings.jsonnet | 32 +++++++++++++++++++
 3 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 app/matrix/secrets/cipher/appservice-irc-freenode-mappings.jsonnet
diff --git a/app/matrix/lib/appservice-irc.libsonnet b/app/matrix/lib/appservice-irc.libsonnet
index 2ef6905d..fd51e4e3 100644
--- a/app/matrix/lib/appservice-irc.libsonnet
+++ b/app/matrix/lib/appservice-irc.libsonnet
@@ -40,9 +40,9 @@ local kube = import "../../../kube/kube.libsonnet";
 passwordEncryptionKeySecret: null,
 },
- config: kube.ConfigMap("appservice-irc-%s" % [name]) {
+ config: kube.Secret("appservice-irc-%s" % [name]) {
 metadata+: cfg.metadata,
- data: {
+ data_: {
 "config.yaml": std.manifestJsonEx(cfg.config, ""),
 },
 },
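Review bot: `+ permissions: {` uses a plain `:` while every neighbouring field in this block (`ircService+:`, `servers+:`, `"irc.freenode.net"+:`) uses `+:`, so if the base YAML loaded by appservice-irc.libsonnet already defines a `permissions` map this override replaces it wholesale and silently drops the existing entries; `permissions+: {` keeps the merge semantics used everywhere else here (whether the base config defines any is not visible in this patch — please verify). Since the hunk grants the bridge's `admin` level to two accounts, a one-line comment stating the purpose and who owns the list, e.g. `# Operators with admin-level access to the freenode bridge; keep this list minimal.`, would make the privilege grant reviewable later. The `ircService+:` object starts and ends outside this hunk.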
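Review bot: Changing `config` from `kube.ConfigMap` to `kube.Secret` in the `@@ -40,9 +40,9 @@` hunk of appservice-irc.libsonnet does not retire the previously deployed `appservice-irc-%s` ConfigMap; unless the deploy tooling prunes objects that disappear from the rendered set, the old copy of config.yaml lingers in the cluster and should be confirmed deleted after rollout. The `data:` → `data_:` rename presumably routes the value through the library's base64-encoding path, and the reason for the Secret is only in the commit message; a comment on the `config:` line, e.g. `# Secret rather than ConfigMap: config.yaml now embeds IRC channel keys from the mappings secret.`, would put it in the file. A Kubernetes Secret is base64 only, so RBAC on secret reads (and etcd encryption at rest, if configured) is what actually protects the channel key. The bridge object this sits in continues outside the hunk.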
@@ -93,7 +93,7 @@ local kube = import "../../../kube/kube.libsonnet";
 template+: {
 spec+: {
 volumes_: {
- config: kube.ConfigMapVolume(bridge.config),
+ config: kube.SecretVolume(bridge.config),
 data: kube.PersistentVolumeClaimVolume(bridge.dataVolume),
 registration: { secret: { secretName: "appservice-irc-%s-registration" % [name] } },
 } + (if cfg.passwordEncryptionKeySecret != null then {
diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index 1478401b..ce42de7b 100644
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -51,6 +51,7 @@ matrix {
 },
 servers+: {
 "irc.freenode.net"+: {
+ mappings+: import "secrets/plain/appservice-irc-freenode-mappings.jsonnet",
 ircClients+: {
 maxClients: 150,
 },
diff --git a/app/matrix/secrets/cipher/appservice-irc-freenode-mappings.jsonnet b/app/matrix/secrets/cipher/appservice-irc-freenode-mappings.jsonnet
new file mode 100644
index 00000000..8d3cb316
--- /dev/null
+++ b/app/matrix/secrets/cipher/appservice-irc-freenode-mappings.jsonnet
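Review bot: `+ mappings+: import "secrets/plain/appservice-irc-freenode-mappings.jsonnet"` in the matrix.hackerspace.pl.jsonnet hunk makes evaluation of the whole file depend on the decrypted copy being present, so a checkout that has only `secrets/cipher/` fails at import time with no hint about the decryption step; a comment on the line, e.g. `# Decrypted from secrets/cipher/ at build time; holds a channel key, the plain file must never be committed.`, would document both the dependency and the handling rule. Because the field uses `+:`, the secret mappings are merged into whatever the base config already maps for `irc.freenode.net`, and a channel present in both would be overridden by the secret entry without any warning — likely intended, but worth stating. The `"irc.freenode.net"+:` object starts and ends outside this hunk.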
@@ -0,0 +1,32 @@
+-----BEGIN PGP MESSAGE-----
+
+hQEMAzhuiT4RC8VbAQgAs87+NMBP+wny18oRBXEBXXNx8Uu4zJf8kJtxZgsPoUsH
+WZoNNUFeCdEvPse7IgEv5k9aaZDHR1mAQmRSwUcQQdAJ4u0Ry4UukyAMnoDsVvHo
+0yetyrbuWRO7aM4qI+34IOAPKQKUaj5kLrKXkRIcBVh4+owVPoIDTNPkwmZJTVb2
+lYZqrrdhGrY35ZJhOF6GgpaKvExowzfpIxsSySvUueZmfFhfO3GjoGDgZUosEPB6
+u7cmn5WxiM73+Lj4C6Qa44nvFj+HCVBZAAJ3uMfkx3XRWSCkXOYtx+VHvLkuLjsc
+ZuzKg8XNYqwmlyQdsIS2/RWI50sff1aIXjplaKJ7k4UBDANcG2tp6fXqvgEH/1iF
+HnUsfuRnO/XldHLLP04n/Vyzv4QrYV3uP4EwkVNSRrURg8TvJHnpaEnq4wyR+OPg
+JlQtBntVzfWxrwH0tTMLN5GM4eaTjfe/UlXqnmtAfo2byn17hvF9EAJdG86jLZ0J
+3OO3uVb7fMH7wk/R7PwzXPfKunVNJPrXfZvUDirBE4oiFBc2hhQ5QFTabRUIgzgC
+73ITigfHyT/c/TxEK2gxGZXoxRzgB35/DtYUlUSMvvujURkULh/H79H2WU5D8eN7
+Oj/zrTAB8D2Udw8ppnrHQk1Bt9/ees4HYhTJRxiYEHVa8wIkJGugfLpjJt8xQRQR
+dGT/Bpc23lpSwMF5BB6FAgwD4gPJTlzrs+8BD/0SPCH8Kni9Nw6DYNZ3/BOUq7Xk
+deGxLsAAaBGZiOa1VyVBEJDyL0KTQWDFQGfhjsQSAf41rBcuRDzDpKP9pg0yL/Zz
+w3YJD1uuxTTIbD6/104+JqQTeHKSsDZJIFI5o1ieZKs6O8F9ojOEmckJtpruyL/e
+lxysRssZSNaH3a5J2knmy4rMLABL5+okePt+dNKOjtWFM6ntsN4sxTsXdtI9uL5I
+Y1dCUyvGct64FrhmQXzC+SaT0g6oz45y9tDgAjekIaQMd5/VeKBCH4Tk6IncCW5+
+bpiBTY8qCbkXKCGay4xrzyVwoN9+1ez7JdYT7MO7/qopleuCgHjkcXmg0l3jBWAq
+IYFjcl9xn4LJMiqPHPVY4E71zqna0qCW/BvksbV68LXDlq03ftZwJhdW6EQhjyF1
+Zeutaz5xqrjixu8Ajwd2X8RAaiYzF2qT/wWl8iGihqBNYnE+5MXEr7enCbBkrjJN
+OSsZAe1jbMDKa480lT8/ifYQepsNeoQwn34nj8xlh4xr20OaED13UOiXPgRs0f1f
+kthPRM5CphVqEhE8vkw1ooqqNzL4CP134xu0WioJQW8BZWnFxw368bnAj+pDSzxP
+8MSprJzwM0H1FuFu/IGFpY8IFHj2OPdEmlLOzmjHQ8iM5+JmZynCv3iUDkOrWHBT
+Yj99hWp8QnvvijG0o9LARAG4pH1//SPgVMl9mVCkmVTnXHn3p4kaP00cIlkyCKIZ
+JsF4ynrTzrzzPwSa0J8IQw9hrhxM4Q0cxldFNRwrlyH1tPztGVcx9QjpCV3t+doE
+020IWVnS4k9n3hVYc5OmaQNhVc8HfljdvP06udLgcj/MXbMaK27VZfmkBnd/KFKc
+LiOkY4JaRvAalXku5lRtw4MGpzn3V9FqwQVQTMQs/iTR1G6kPrAWyH5WhrzmjNB2
+u3fFV74Y35BuZj/3S4LUoD6fOquLkwJnE3xXqrBezp3zIG0ExQH2GQ4X88BJY5YC
+M2AQ/ciBMS6UBp/t7P2CKvnaNl2QMdbbK6GOlbVyCnEg74PR
+=tKI3
+-----END PGP MESSAGE-----