Merge changes I92c7cdf9,I54334f4e,I93472c8c,If5063a3b,I2778c543, ...

* changes: matrix.hackerspace.pl: add secret appservice-irc mappings matrix.hackerspace.pl: give appservce-irc admin access to q3k and inf matrix.hackerspace.pl: disable bootstrap jobs matrix: appservice-irc: set debugService.enable if needed matrix: add bootstrapJob config flag to appservices matrix: bump appservice-irc
2021-05-19 22:14:14 +00:00 · 2021-05-19 22:14:14 +00:00 · e1d8680110
parent ba2f4d8215 856b216459
commit e1d8680110
5 changed files with 74 additions and 11 deletions
--- a/app/matrix/lib/appservice-irc.libsonnet
+++ b/app/matrix/lib/appservice-irc.libsonnet
@ -6,9 +6,29 @@ local kube = import "../../../kube/kube.libsonnet";
        local cfg = bridge.cfg,
        cfg:: {
            metadata: {},
+            // Whether the bootstrap job should be created/updated. Kubernetes
+            // doesn't like changing the configuration of jobs, so once this
+            // appservice has been set up, this flag should be flipped to
+            // false.
+            bootstrapJob: true,
            config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0] {
+                local appservicecfg = self,
                ircService+: {
-                    [if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem"
+                    [if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem",
+                    debugApi+: {
+                        # Unfortunately, we have to enable the debugApi if any
+                        # configured server wants to use
+                        # ignoreIdleUsersOnStartup. This is seemingly an
+                        # appservice-irc bug:
+                        # https://github.com/matrix-org/matrix-appservice-irc/issues/1240
+                        enabled: std.length(std.filter(
+                            function (k) (
+                                local v = appservicecfg.ircService.servers[k];
+                                v.membershipLists.ignoreIdleUsersOnStartup.enabled == true
+                            ),
+                            std.objectFields(appservicecfg.ircService.servers)
+                        )) > 0,
+                    },
                },
            },
            image: error "image must be set",
@ -20,9 +40,9 @@ local kube = import "../../../kube/kube.libsonnet";
            passwordEncryptionKeySecret: null,
        },

-        config: kube.ConfigMap("appservice-irc-%s" % [name]) {
+        config: kube.Secret("appservice-irc-%s" % [name]) {
            metadata+: cfg.metadata,
-            data: {
+            data_: {
                "config.yaml": std.manifestJsonEx(cfg.config, ""),
            },
        },
@ -40,7 +60,7 @@ local kube = import "../../../kube/kube.libsonnet";
            },
        },

-        bootstrapJob: kube.Job("appservice-irc-%s-bootstrap" % [name]) {
+        bootstrapJob: if cfg.bootstrapJob then (kube.Job("appservice-irc-%s-bootstrap" % [name]) {
            metadata+: cfg.metadata {
                labels: {
                    "job-name": "appservice-irc-%s-bootstrap" % [name],
@ -64,7 +84,7 @@ local kube = import "../../../kube/kube.libsonnet";
                    },
                },
            },
-        },
+        }) else {},

        deployment: kube.Deployment("appservice-irc-%s" % [name]) {
            metadata+: cfg.metadata,
@ -73,7 +93,7 @@ local kube = import "../../../kube/kube.libsonnet";
                template+: {
                    spec+: {
                        volumes_: {
-                            config: kube.ConfigMapVolume(bridge.config),
+                            config: kube.SecretVolume(bridge.config),
                            data: kube.PersistentVolumeClaimVolume(bridge.dataVolume),
                            registration: { secret: { secretName: "appservice-irc-%s-registration" % [name] } },
                        } + (if cfg.passwordEncryptionKeySecret != null then {
--- a/app/matrix/lib/appservice-telegram.libsonnet
+++ b/app/matrix/lib/appservice-telegram.libsonnet
@ -6,6 +6,11 @@ local kube = import "../../../kube/kube.libsonnet";
        local cfg = bridge.cfg,
        cfg:: {
            metadata: {},
+            // Whether the bootstrap job should be created/updated. Kubernetes
+            // doesn't like changing the configuration of jobs, so once this
+            // appservice has been set up, this flag should be flipped to
+            // false.
+            bootstrapJob: true,
            image: error "image must be set",
            storageClassName: error "storageClassName must be set",

@ -64,7 +69,7 @@ local kube = import "../../../kube/kube.libsonnet";
            },
        },

-        bootstrapJob: kube.Job("appservice-telegram-%s-bootstrap" % [name]) {
+        bootstrapJob: if cfg.bootstrapJob then (kube.Job("appservice-telegram-%s-bootstrap" % [name]) {
            metadata+: cfg.metadata {
                labels: {
                    "job-name": "appservice-telegram-%s-bootstrap" % [name],
@ -91,7 +96,7 @@ local kube = import "../../../kube/kube.libsonnet";
                    },
                },
            },
-        },
+        }) else {},

        deployment: kube.Deployment("appservice-telegram-%s" % [name]) {
            metadata+: cfg.metadata,
--- a/app/matrix/lib/matrix-ng.libsonnet
+++ b/app/matrix/lib/matrix-ng.libsonnet
@ -65,9 +65,8 @@ local synapse = import "./synapse.libsonnet";
            synapse: "matrixdotorg/synapse:v1.25.0",
            riot: "vectorim/riot-web:v1.7.18",
            casProxy: "registry.k0.hswaw.net/q3k/oauth2-cas-proxy:0.1.4",
-            appserviceIRC: "matrixdotorg/matrix-appservice-irc:release-0.23.0",
-            # That's v0.8.2 - we just don't trust that host to not re-tag images.
-            appserviceTelegram: "dock.mau.dev/tulir/mautrix-telegram@sha256:9e68eaa80c9e4a75d9a09ec92dc4898b12d48390e01efa4de40ce882a6f7e330",
+            appserviceIRC: "matrixdotorg/matrix-appservice-irc:release-0.26.0",
+            appserviceTelegram: "dock.mau.dev/tulir/mautrix-telegram@sha256:c6e25cb57e1b67027069e8dc2627338df35d156315c004a6f2b34b6aeaa79f77",
            wellKnown: "registry.k0.hswaw.net/q3k/wellknown:1611960794-adbf560851a46ad0e58b42f0daad7ef19535687c",
        },

--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@ -38,14 +38,20 @@ matrix {
                nodeSelector: {
                    "kubernetes.io/hostname": "bc01n02.hswaw.net",
                },
+                bootstrapJob: false,
                config+: {
                    homeserver+: {
                        url: "https://%s" % [cfg.webDomain],
                        domain: "%s" % [cfg.serverName],
                    },
                    ircService+: {
+                        permissions: {
+                            "@q3k:hackerspace.pl": "admin",
+                            "@informatic:hackerspace.pl": "admin",
+                        },
                        servers+: {
                            "irc.freenode.net"+: {
+                                mappings+: import "secrets/plain/appservice-irc-freenode-mappings.jsonnet",
                                ircClients+: {
                                    maxClients: 150,
                                },
@ -61,6 +67,7 @@ matrix {
                image: cfg.images.appserviceTelegram,
                storageClassName: cfg.storageClassName,
                metadata: app.metadata("appservice-telegram-prod"),
+                bootstrapJob: false,

                config+: {
                    homeserver+: {
--- a/app/matrix/secrets/cipher/appservice-irc-freenode-mappings.jsonnet
+++ b/app/matrix/secrets/cipher/appservice-irc-freenode-mappings.jsonnet
@ -0,0 +1,32 @@
+-----BEGIN PGP MESSAGE-----
+
+hQEMAzhuiT4RC8VbAQgAs87+NMBP+wny18oRBXEBXXNx8Uu4zJf8kJtxZgsPoUsH
+WZoNNUFeCdEvPse7IgEv5k9aaZDHR1mAQmRSwUcQQdAJ4u0Ry4UukyAMnoDsVvHo
+0yetyrbuWRO7aM4qI+34IOAPKQKUaj5kLrKXkRIcBVh4+owVPoIDTNPkwmZJTVb2
+lYZqrrdhGrY35ZJhOF6GgpaKvExowzfpIxsSySvUueZmfFhfO3GjoGDgZUosEPB6
+u7cmn5WxiM73+Lj4C6Qa44nvFj+HCVBZAAJ3uMfkx3XRWSCkXOYtx+VHvLkuLjsc
+ZuzKg8XNYqwmlyQdsIS2/RWI50sff1aIXjplaKJ7k4UBDANcG2tp6fXqvgEH/1iF
+HnUsfuRnO/XldHLLP04n/Vyzv4QrYV3uP4EwkVNSRrURg8TvJHnpaEnq4wyR+OPg
+JlQtBntVzfWxrwH0tTMLN5GM4eaTjfe/UlXqnmtAfo2byn17hvF9EAJdG86jLZ0J
+3OO3uVb7fMH7wk/R7PwzXPfKunVNJPrXfZvUDirBE4oiFBc2hhQ5QFTabRUIgzgC
+73ITigfHyT/c/TxEK2gxGZXoxRzgB35/DtYUlUSMvvujURkULh/H79H2WU5D8eN7
+Oj/zrTAB8D2Udw8ppnrHQk1Bt9/ees4HYhTJRxiYEHVa8wIkJGugfLpjJt8xQRQR
+dGT/Bpc23lpSwMF5BB6FAgwD4gPJTlzrs+8BD/0SPCH8Kni9Nw6DYNZ3/BOUq7Xk
+deGxLsAAaBGZiOa1VyVBEJDyL0KTQWDFQGfhjsQSAf41rBcuRDzDpKP9pg0yL/Zz
+w3YJD1uuxTTIbD6/104+JqQTeHKSsDZJIFI5o1ieZKs6O8F9ojOEmckJtpruyL/e
+lxysRssZSNaH3a5J2knmy4rMLABL5+okePt+dNKOjtWFM6ntsN4sxTsXdtI9uL5I
+Y1dCUyvGct64FrhmQXzC+SaT0g6oz45y9tDgAjekIaQMd5/VeKBCH4Tk6IncCW5+
+bpiBTY8qCbkXKCGay4xrzyVwoN9+1ez7JdYT7MO7/qopleuCgHjkcXmg0l3jBWAq
+IYFjcl9xn4LJMiqPHPVY4E71zqna0qCW/BvksbV68LXDlq03ftZwJhdW6EQhjyF1
+Zeutaz5xqrjixu8Ajwd2X8RAaiYzF2qT/wWl8iGihqBNYnE+5MXEr7enCbBkrjJN
+OSsZAe1jbMDKa480lT8/ifYQepsNeoQwn34nj8xlh4xr20OaED13UOiXPgRs0f1f
+kthPRM5CphVqEhE8vkw1ooqqNzL4CP134xu0WioJQW8BZWnFxw368bnAj+pDSzxP
+8MSprJzwM0H1FuFu/IGFpY8IFHj2OPdEmlLOzmjHQ8iM5+JmZynCv3iUDkOrWHBT
+Yj99hWp8QnvvijG0o9LARAG4pH1//SPgVMl9mVCkmVTnXHn3p4kaP00cIlkyCKIZ
+JsF4ynrTzrzzPwSa0J8IQw9hrhxM4Q0cxldFNRwrlyH1tPztGVcx9QjpCV3t+doE
+020IWVnS4k9n3hVYc5OmaQNhVc8HfljdvP06udLgcj/MXbMaK27VZfmkBnd/KFKc
+LiOkY4JaRvAalXku5lRtw4MGpzn3V9FqwQVQTMQs/iTR1G6kPrAWyH5WhrzmjNB2
+u3fFV74Y35BuZj/3S4LUoD6fOquLkwJnE3xXqrBezp3zIG0ExQH2GQ4X88BJY5YC
+M2AQ/ciBMS6UBp/t7P2CKvnaNl2QMdbbK6GOlbVyCnEg74PR
+=tKI3
+-----END PGP MESSAGE-----