diff --git a/app/matrix/lib/matrix.libsonnet b/app/matrix/lib/matrix.libsonnet
index 300cf315..ed033bb7 100644
--- a/app/matrix/lib/matrix.libsonnet
+++ b/app/matrix/lib/matrix.libsonnet
@@ -31,12 +31,19 @@ local postgres = import "../../../kube/postgres.libsonnet";
 serverName: error "cfg.serverName must be set",
 storageClassName: "waw-hdd-redundant-3",
- synapseImage: "matrixdotorg/synapse:v1.19.2",
- riotImage: "vectorim/riot-web:v1.7.7",
- casProxyImage: "registry.k0.hswaw.net/q3k/oauth2-cas-proxy:0.1.4",
- appserviceIRCImage: "matrixdotorg/matrix-appservice-irc:release-0.17.1",
- # That's v0.8.2 - we just don't trust that host to not re-tag images.
- appserviceTelegramImage: "dock.mau.dev/tulir/mautrix-telegram@sha256:9e68eaa80c9e4a75d9a09ec92dc4898b12d48390e01efa4de40ce882a6f7e330"
+ images: {
+ synapse: "matrixdotorg/synapse:v1.19.2",
+ riot: "vectorim/riot-web:v1.7.7",
+ casProxy: "registry.k0.hswaw.net/q3k/oauth2-cas-proxy:0.1.4",
+ appserviceIRC: "matrixdotorg/matrix-appservice-irc:release-0.17.1",
+ # That's v0.8.2 - we just don't trust that host to not re-tag images.
+ appserviceTelegram: "dock.mau.dev/tulir/mautrix-telegram@sha256:9e68eaa80c9e4a75d9a09ec92dc4898b12d48390e01efa4de40ce882a6f7e330",
+ },
+
+ cas: {
+ # whether to enable the CAS proxy (ie. connect to hswaw sso via OAuth)
+ enable: false,
+ },
 },
 metadata(component):: {
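Review bot: Only `appserviceTelegram` in the new `images` block is pinned by digest; `synapse`, `riot`, `casProxy` and `appserviceIRC` are still mutable tags, so the re-tagging concern the comment states for dock.mau.dev applies just as much to Docker Hub and the k0 registry — a re-pushed `v1.19.2` or `0.1.4` would be pulled on the next rollout without any change to this file. Now that the refactor groups every image in one place, pin each entry by `@sha256:` digest and keep the human-readable version in a comment, as is already done for telegram, or document next to the block why tag trust is acceptable for those registries. This matters most for `casProxy`, which the new `cas` comment says fronts the hswaw SSO login. The enclosing config object starts before this hunk.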
@@ -76,15 +83,35 @@ local postgres = import "../../../kube/postgres.libsonnet";
 },
 },
+ // homeserver.yaml that will be used to run synapse (in synapseConfig ConfigMap).
+ // This is based off of //app/matrix/lib/synapse/homeserver.yaml with some fields overriden per
+ // deployment.
+ // Note this is a templated yaml - {{}}/{%%} style. This templatization is consumed by the Docker
+ // container startup magic.
+ homeserverYaml:: (std.native("parseYaml"))(importstr "synapse/homeserver.yaml")[0] {
+ server_name: cfg.serverName,
+ public_baseurl: "https://%s" % [cfg.webDomain],
+ signing_key_path: "/data/%s.signing.key" % [cfg.serverName],
+ cas_config+: if cfg.cas.enable then {
+ enabled: true,
+ server_url: "https://%s/_cas" % [cfg.webDomain],
+ service_url: "https://%s" % [cfg.webDomain],
+ } else {},
+ app_service_config_files: [
+ "/data/appservices/%s.yaml" % [k]
+ for k in std.objectFields(app.appservices)
+ ],
+ },
+
 synapseConfig: kube.ConfigMap("synapse") {
 metadata+: app.metadata("synapse"),
 data: {
- "homeserver.yaml": importstr "synapse/homeserver.yaml",
+ "homeserver.yaml": std.manifestYamlDoc(app.homeserverYaml),
 "log.config": importstr "synapse/log.config",
 },
 },
- casDeployment: kube.Deployment("oauth2-cas-proxy") {
+ casDeployment: if cfg.cas.enable then kube.Deployment("oauth2-cas-proxy") {
 metadata+: app.metadata("oauth2-cas-proxy"),
 spec+: {
 replicas: 1,
@@ -92,7 +119,7 @@ local postgres = import "../../../kube/postgres.libsonnet";
 spec+: {
 containers_: {
 proxy: kube.Container("oauth2-cas-proxy") {
- image: cfg.casProxyImage,
+ image: cfg.images.casProxy,
 ports_: {
 http: { containerPort: 5000 },
 },
@@ -109,7 +136,7 @@ local postgres = import "../../../kube/postgres.libsonnet";
 },
 },
- casSvc: kube.Service("oauth2-cas-proxy") {
+ casSvc: if cfg.cas.enable then kube.Service("oauth2-cas-proxy") {
 metadata+: app.metadata("oauth2-cas-proxy"),
 target_pod:: app.casDeployment.spec.template,
 },
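Review bot: With `cfg.cas.enable` false (the new default), `cas_config+: ... else {}` leaves the template's `cas_config.enabled: false` in place, and the homeserver.yaml hunk in this commit shows the same template shipping with what appears to be `password_config.enabled: false`, so a deployment that does not opt into CAS ends up with no login method at all and only finds out at sign-in time rather than at manifest generation. Make that failure explicit at evaluation time, e.g. `assert cfg.cas.enable : "no login provider configured: set cfg.cas.enable or add a password/SSO provider to homeserver.yaml",` alongside `homeserverYaml`, or at minimum extend the `cas.enable` comment with `# When false, no login method is enabled unless homeserver.yaml is changed.` The `homeserverYaml` comment should also say that the file must now be valid YAML before templating: `{{ }}` placeholders survive only inside quoted scalars (as `macaroon_secret_key` does) and `{% %}` blocks like the removed `SYNAPSE_APPSERVICES` loop are not YAML and would presumably break `parseYaml`. The enclosing object starts before this hunk and the `casDeployment` body continues past it.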
@@ -129,7 +156,7 @@ local postgres = import "../../../kube/postgres.libsonnet";
 },
 containers_: {
 web: kube.Container("synapse") {
- image: cfg.synapseImage,
+ image: cfg.images.synapse,
 command: ["/bin/sh", "-c", "/start.py migrate_config && exec /start.py"],
 ports_: {
 http: { containerPort: 8008 },
@@ -216,7 +243,7 @@ local postgres = import "../../../kube/postgres.libsonnet";
 },
 containers_: {
 web: kube.Container("riot-web") {
- image: cfg.riotImage,
+ image: cfg.images.riot,
 ports_: {
 http: { containerPort: 80 },
 },
@@ -268,8 +295,9 @@ local postgres = import "../../../kube/postgres.libsonnet";
 paths: [
 { path: "/", backend: app.riotSvc.name_port },
 { path: "/_matrix", backend: app.synapseSvc.name_port },
+ ] + (if cfg.cas.enable then [
 { path: "/_cas", backend: app.casSvc.name_port },
- ]
+ ] else [])
 },
 }
 ],
diff --git a/app/matrix/lib/synapse/homeserver.yaml b/app/matrix/lib/synapse/homeserver.yaml
index 61528075..2c39c23c 100644
--- a/app/matrix/lib/synapse/homeserver.yaml
+++ b/app/matrix/lib/synapse/homeserver.yaml
@@ -2,8 +2,8 @@ ## Server ##
-server_name: "hackerspace.pl"
-public_baseurl: "https://matrix.hackerspace.pl"
+server_name: "example.com"
+public_baseurl: "https://example.com"
 pid_file: /homeserver.pid
 web_client: False
 soft_file_limit: 0
@@ -117,15 +117,6 @@ room_invite_state_types:
 - "m.room.avatar"
 - "m.room.name"
-
-{% if SYNAPSE_APPSERVICES %}
-app_service_config_files:
-{% for appservice in SYNAPSE_APPSERVICES %}
- "{{ appservice }}"
-{% endfor %}
-{% else %}
-app_service_config_files: []
-{% endif %}
-
 macaroon_secret_key: "{{ SYNAPSE_MACAROON_SECRET_KEY }}"
 expire_access_token: False
@@ -147,6 +138,4 @@ password_config:
 enabled: false
 cas_config:
- enabled: true
- server_url: "https://matrix.hackerspace.pl/_cas"
- service_url: "https://matrix.hackerspace.pl"
+ enabled: false
diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index bbfa27c4..e882636c 100644
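Review bot: The `macaroon_secret_key: "{{ SYNAPSE_MACAROON_SECRET_KEY }}"` placeholder kept in the `@@ -117` hunk now survives only because it sits in a quoted scalar — this commit has matrix.libsonnet parse the file as YAML (`parseYaml`) and re-emit it before the container's `migrate_config` ever sees it, which is presumably why the `{% if SYNAPSE_APPSERVICES %}` block had to go. Nothing in homeserver.yaml records that constraint, so the next person who adds a `{% %}` block or an unquoted `{{ }}` will get an opaque jsonnet evaluation error instead of a hint. Add a header comment near the `## Server ##` block, e.g. `# Parsed as YAML by //app/matrix/lib/matrix.libsonnet before templating: keep {{ }} inside quoted strings and do not use {% %} blocks.` The same comment should state that `server_name`, `public_baseurl`, `app_service_config_files` and `cas_config` are placeholders overridden by jsonnet, so that editing the `example.com` values or `cas_config.enabled` here is not mistaken for a deployment change.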
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -9,12 +9,15 @@ matrix {
 namespace: "matrix",
 webDomain: "matrix.hackerspace.pl",
 serverName: "hackerspace.pl",
+ cas: {
+ enable: true,
+ },
 },
 appservices: {
 "irc-freenode": irc.AppServiceIrc("freenode") {
 cfg+: {
- image: cfg.appserviceIRCImage,
+ image: cfg.images.appserviceIRC,
 // TODO(q3k): move this appservice to waw-hdd-redundant-3
 storageClassName: "waw-hdd-paranoid-2",
 metadata: app.metadata("appservice-irc-freenode"),
@@ -41,7 +44,7 @@ matrix {
 },
 "telegram-prod": telegram.AppServiceTelegram("prod") {
 cfg+: {
- image: cfg.appserviceTelegramImage,
+ image: cfg.images.appserviceTelegram,
 storageClassName: cfg.storageClassName,
 metadata: app.metadata("appservice-telegram-prod"),