Update Matrix Synapse version and add new requirements
parent
7f6e6af336
commit
a09ed65baa
16 changed files with 205 additions and 683 deletions
|
@ -5,7 +5,7 @@ icon: https://matrix.org/images/matrix-logo.svg
|
||||||
appVersion: 1.99.0
|
appVersion: 1.99.0
|
||||||
|
|
||||||
type: application
|
type: application
|
||||||
version: 4.0.1
|
version: 4.0.4
|
||||||
maintainers:
|
maintainers:
|
||||||
- name: Tommy Skaug
|
- name: Tommy Skaug
|
||||||
email: tommy@skaug.me
|
email: tommy@skaug.me
|
||||||
|
|
|
@ -1,6 +1,11 @@
|
||||||
Matrix Synapse
|
Matrix Synapse
|
||||||
==============
|
==============
|
||||||
|
|
||||||
|
pip3 install pynacl
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org).
|
[Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org).
|
||||||
|
|
||||||
For questions/help on the chart, feel free to drop in at [#matrix-on-kubernetes:fiksel.info](https://matrix.to/#/#matrix-on-kubernetes:fiksel.info).
|
For questions/help on the chart, feel free to drop in at [#matrix-on-kubernetes:fiksel.info](https://matrix.to/#/#matrix-on-kubernetes:fiksel.info).
|
||||||
|
|
61
charts/matrix-synapse/scripts/generate-signingkey.py
Normal file
61
charts/matrix-synapse/scripts/generate-signingkey.py
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
#
|
||||||
|
# This file is licensed under the Affero General Public License (AGPL) version 3.
|
||||||
|
#
|
||||||
|
# Copyright (C) 2023 New Vector, Ltd
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU Affero General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 3 of the
|
||||||
|
# License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the GNU Affero General Public License for more details:
|
||||||
|
# <https://www.gnu.org/licenses/agpl-3.0.html>.
|
||||||
|
#
|
||||||
|
# Originally licensed under the Apache License, Version 2.0:
|
||||||
|
# <http://www.apache.org/licenses/LICENSE-2.0>.
|
||||||
|
#
|
||||||
|
# [This file includes modifications made by New Vector Limited]
|
||||||
|
#
|
||||||
|
#
|
||||||
|
import argparse
|
||||||
|
import secrets
|
||||||
|
import string
|
||||||
|
import base64
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from signedjson.key import generate_signing_key, write_signing_keys
|
||||||
|
|
||||||
|
def random_string(length: int) -> str:
|
||||||
|
"""Generate a cryptographically secure string of random letters.
|
||||||
|
|
||||||
|
Drawn from the characters: `a-z` and `A-Z`
|
||||||
|
"""
|
||||||
|
return "".join(secrets.choice(string.ascii_letters) for _ in range(length))
|
||||||
|
|
||||||
|
def main() -> None:
|
||||||
|
parser = argparse.ArgumentParser()
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"-o",
|
||||||
|
"--output_file",
|
||||||
|
type=str,
|
||||||
|
default="-",
|
||||||
|
help="Where to write the output to",
|
||||||
|
)
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
key_id = "a_" + random_string(4)
|
||||||
|
key = (generate_signing_key(key_id),)
|
||||||
|
if args.output_file == "-":
|
||||||
|
write_signing_keys(sys.stdout, key)
|
||||||
|
else:
|
||||||
|
with open(
|
||||||
|
args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
|
||||||
|
) as signing_key_file:
|
||||||
|
write_signing_keys(signing_key_file, key)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
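Review bot: The signing key file in `main()` is created with mode `0o640` through a plain `"w"` open, so the key is group-readable, and an output path that already exists is truncated and keeps whatever permissions it already had. A homeserver signing key is normally owner-only, and silently replacing an existing one can break signature verification for peers that cached the old key; I would use `opener=lambda p, f: os.open(p, f | os.O_EXCL, mode=0o600)` so the write fails when the file exists. The mode passed to `os.open` is still reduced by the process umask, which deserves a short comment next to the opener. With the default `-o -` the private key is written to stdout, so the help text should say that the output must not end up in CI or job logs. `base64` is imported but not used in the lines shown.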
2
charts/matrix-synapse/scripts/requirements.txt
Normal file
2
charts/matrix-synapse/scripts/requirements.txt
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
signedjson
|
||||||
|
python-secrets
|
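Review bot: `python-secrets` does not look like a requirement of generate-signingkey.py: the script's `import secrets` resolves to the standard-library module (available since Python 3.6), while the PyPI project of that name appears to be an unrelated third-party tool. Installing it adds supply-chain surface to the environment that generates the homeserver signing key for no benefit, so I would drop the line. `signedjson` is left unpinned; pinning it, ideally with hashes (`signedjson==<version> --hash=sha256:<hash>`), keeps the key-generation environment reproducible.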
|
@ -1,41 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
check_key() {
|
|
||||||
set +e
|
|
||||||
|
|
||||||
echo "Checking for existing signing key..."
|
|
||||||
key="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['signing\.key']}" 2> /dev/null)"
|
|
||||||
[ $? -ne 0 ] && return 1
|
|
||||||
[ -z "$key" ] && return 2
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
create_key() {
|
|
||||||
echo "Waiting for new signing key to be generated..."
|
|
||||||
begin=$(date +%s)
|
|
||||||
end=$((begin + 300)) # 5 minutes
|
|
||||||
while true; do
|
|
||||||
[ -f /synapse/keys/signing.key ] && return 0
|
|
||||||
[ "$(date +%s)" -gt $end ] && return 1
|
|
||||||
sleep 5
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
store_key() {
|
|
||||||
echo "Storing signing key in Kubernetes secret..."
|
|
||||||
kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}"
|
|
||||||
}
|
|
||||||
|
|
||||||
if check_key; then
|
|
||||||
echo "Key already in place, exiting."
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! create_key; then
|
|
||||||
echo "Timed out waiting for a signing key to appear."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
store_key
|
|
|
@ -1,29 +1,4 @@
|
||||||
** Note, this chart may take a while to finish setup, please be patient **
|
** Note, this chart may take a while to finish setup, please be patient **
|
||||||
{{- if .Values.signingkey.job.enabled }}
|
|
||||||
** Also, remember to disable the signingkey job (signingkey.job.enabled=false) **
|
|
||||||
{{- end }}
|
|
||||||
{{- if not .Values.ingress.enabled }}
|
|
||||||
|
|
||||||
Synapse has been installed without an ingress, you will need to manage
|
|
||||||
accesses to the services yourself.
|
|
||||||
{{- else }}
|
|
||||||
|
|
||||||
Your Synapse install is now starting, you should soon be able to access it on
|
|
||||||
the following URL(s);
|
|
||||||
{{- range (concat .Values.ingress.csHosts (list (.Values.publicServerName | default .Values.serverName))) }}
|
|
||||||
{{- if $.Values.ingress.tls }}
|
|
||||||
https://{{ . }}
|
|
||||||
{{- else }}
|
|
||||||
http://{{ . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{ if not .Values.wellknown.enabled }}
|
|
||||||
Note that for federation to work you will need to either add an SRV record or
|
|
||||||
set up a /.well-known/matrix/server response.
|
|
||||||
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
|
|
||||||
for more information.
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if .Values.config.enableRegistration }}
|
{{- if .Values.config.enableRegistration }}
|
||||||
You should be able to connect to your Synapse install with any compatible
|
You should be able to connect to your Synapse install with any compatible
|
||||||
|
|
|
@ -125,6 +125,7 @@ data:
|
||||||
## Registration ##
|
## Registration ##
|
||||||
|
|
||||||
enable_registration: {{ .Values.config.enableRegistration | default false }}
|
enable_registration: {{ .Values.config.enableRegistration | default false }}
|
||||||
|
registration_requires_token: {{ .Values.config.enableRegistration | default false }}
|
||||||
|
|
||||||
## Metrics ###
|
## Metrics ###
|
||||||
|
|
||||||
|
@ -136,6 +137,7 @@ data:
|
||||||
|
|
||||||
# The trusted servers to download signing keys from.
|
# The trusted servers to download signing keys from.
|
||||||
trusted_key_servers: {{- .Values.config.trustedKeyServers | toYaml | nindent 6 }}
|
trusted_key_servers: {{- .Values.config.trustedKeyServers | toYaml | nindent 6 }}
|
||||||
|
suppress_key_server_warning: true
|
||||||
|
|
||||||
## Workers ##
|
## Workers ##
|
||||||
{{- $default := .Values.workers.default }}
|
{{- $default := .Values.workers.default }}
|
||||||
|
@ -144,7 +146,7 @@ data:
|
||||||
{{- if or (eq $worker "pusher") (eq ($config.app | default "") "pusher") }}
|
{{- if or (eq $worker "pusher") (eq ($config.app | default "") "pusher") }}
|
||||||
|
|
||||||
# For pusher worker
|
# For pusher worker
|
||||||
start_pushers: false
|
start_pushers: true
|
||||||
{{- else if or (eq $worker "appservice") (eq ($config.app | default "") "appservice") }}
|
{{- else if or (eq $worker "appservice") (eq ($config.app | default "") "appservice") }}
|
||||||
|
|
||||||
# For appservice worker
|
# For appservice worker
|
||||||
|
|
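Review bot: `suppress_key_server_warning: true` in the second hunk is hard-coded, so every install silences the warning Synapse emits when `trusted_key_servers` includes matrix.org, regardless of what the operator configured. The chart's default values list `matrix.org` with `verify_keys` commented out, which is the situation that warning exists to surface. I would make it opt-in, e.g. `suppress_key_server_warning: {{ .Values.config.suppressKeyServerWarning | default false }}` (a new values key), and document it next to `trustedKeyServers`. Also worth a second look in the third hunk: `start_pushers: true` sits under the `# For pusher worker` branch, where the previous `false` presumably kept the main process from running pushers alongside the worker.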
20
charts/matrix-synapse/templates/db-init.yaml
Normal file
20
charts/matrix-synapse/templates/db-init.yaml
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: {{ include "matrix-synapse.fullname" . }}-db-init
|
||||||
|
labels:
|
||||||
|
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": pre-install
|
||||||
|
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
restartPolicy: Never
|
||||||
|
containers:
|
||||||
|
- name: general-db-init
|
||||||
|
image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
|
||||||
|
envFrom:
|
||||||
|
- secretRef:
|
||||||
|
name: {{ .Values.externalPostgresql.existingSecret }}
|
||||||
|
backoffLimit: 3
|
|
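Review bot: The `general-db-init` container receives every key of the Postgres secret as environment variables through `envFrom`, yet the pod spec sets no `securityContext` and no `resources`. For a hook that holds database credentials I would add at least `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true}` on the container, provided the image supports it. The secret name is also rendered unguarded: with `externalPostgresql.existingSecret` unset, `name:` comes out empty and the pre-install hook fails in the cluster rather than at template time; `name: {{ required "externalPostgresql.existingSecret is required" .Values.externalPostgresql.existingSecret | quote }}` gives a clear error. The `initContainers.dbInit.envFrom` block added to the values file on this page is not read by this template.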
@ -25,7 +25,6 @@ spec:
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
|
|
||||||
{{- with .Values.synapse.annotations }}
|
{{- with .Values.synapse.annotations }}
|
||||||
{{ . | toYaml | nindent 8 }}
|
{{ . | toYaml | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -158,12 +157,12 @@ spec:
|
||||||
name: {{ include "matrix-synapse.fullname" . }}
|
name: {{ include "matrix-synapse.fullname" . }}
|
||||||
- name: secrets
|
- name: secrets
|
||||||
secret:
|
secret:
|
||||||
secretName: {{ include "matrix-synapse.fullname" . }}
|
secretName: {{ $.Values.existingSecrets }}
|
||||||
- name: signingkey
|
- name: signingkey
|
||||||
secret:
|
secret:
|
||||||
secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
|
secretName: {{ $.Values.signingkey.existingSecret | quote }}
|
||||||
items:
|
items:
|
||||||
- key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }}
|
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
|
||||||
path: signing.key
|
path: signing.key
|
||||||
- name: tmpconf
|
- name: tmpconf
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
|
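Review bot: Both secret volumes now depend on values with no fallback: `secretName: {{ $.Values.existingSecrets }}` is unquoted and unguarded, and the signing-key `secretName` lost its `default (...)`, so it renders `""` when `signingkey.existingSecret` is unset. Either case yields a Deployment whose pods cannot mount the volume, which only surfaces at runtime; I would wrap both in `required`, e.g. `secretName: {{ required "existingSecrets must name a Secret" $.Values.existingSecrets | quote }}`. The same two lines appear in the worker deployment section further down this page. The first hunk also drops the `checksum/config` annotation, so a changed ConfigMap no longer rolls the pods; if that is intended it deserves a line in the commit message.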
|
@ -1,195 +0,0 @@
|
||||||
{{- if .Values.ingress.enabled -}}
|
|
||||||
{{- $fullName := include "matrix-synapse.fullname" . -}}
|
|
||||||
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
|
|
||||||
{{- $v1Ingress := .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
|
|
||||||
{{- if $v1Ingress -}}
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
{{- else -}}
|
|
||||||
apiVersion: networking.k8s.io/v1beta1
|
|
||||||
{{- end }}
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: {{ $fullName }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
{{- with .Values.ingress.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- if .Values.ingress.className }}
|
|
||||||
ingressClassName: {{ .Values.ingress.className }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.ingress.tls }}
|
|
||||||
tls:
|
|
||||||
{{- range .Values.ingress.tls }}
|
|
||||||
- hosts:
|
|
||||||
{{- range .hosts }}
|
|
||||||
- {{ . | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .secretName }}
|
|
||||||
secretName: {{ .secretName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
rules:
|
|
||||||
{{- $csHosts := .Values.ingress.csHosts }}
|
|
||||||
{{- if .Values.ingress.includeServerName }}
|
|
||||||
{{- $csHosts = concat (list (.Values.publicServerName | default .Values.serverName)) $csHosts }}
|
|
||||||
{{- end }}
|
|
||||||
{{- $s2sHosts := .Values.ingress.hosts }}
|
|
||||||
{{- if .Values.ingress.includeServerName }}
|
|
||||||
{{- $s2sHosts = concat (list .Values.serverName) $s2sHosts }}
|
|
||||||
{{- end }}
|
|
||||||
{{- $wkHosts := .Values.ingress.wkHosts }}
|
|
||||||
{{- if .Values.ingress.includeServerName }}
|
|
||||||
{{- $wkHosts = concat (list .Values.serverName) $wkHosts }}
|
|
||||||
{{- end }}
|
|
||||||
{{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }}
|
|
||||||
{{- range $hosts }}
|
|
||||||
{{- $host := . }}
|
|
||||||
- host: {{ . | quote }}
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
{{- $default := $.Values.workers.default }}
|
|
||||||
{{- range $worker, $config := $.Values.workers }}
|
|
||||||
{{- $name := $worker | replace "_" "-" }}
|
|
||||||
{{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }}
|
|
||||||
{{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
|
|
||||||
{{- if has $host $csHosts }}
|
|
||||||
{{- range $config.csPaths }}
|
|
||||||
{{- if $.Values.ingress.traefikPaths }}
|
|
||||||
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
|
|
||||||
backend:
|
|
||||||
{{- if $v1Ingress }}
|
|
||||||
service:
|
|
||||||
name: {{ $service }}
|
|
||||||
port:
|
|
||||||
number: 8083
|
|
||||||
pathType: ImplementationSpecific
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $service }}
|
|
||||||
servicePort: 8083
|
|
||||||
{{- end }}
|
|
||||||
{{- else }}
|
|
||||||
- path: {{ . | quote }}
|
|
||||||
backend:
|
|
||||||
{{- if $v1Ingress }}
|
|
||||||
service:
|
|
||||||
name: {{ $service }}
|
|
||||||
port:
|
|
||||||
number: 8083
|
|
||||||
pathType: ImplementationSpecific
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $service }}
|
|
||||||
servicePort: 8083
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if has $host $s2sHosts }}
|
|
||||||
{{- range $config.paths }}
|
|
||||||
{{- if $.Values.ingress.traefikPaths }}
|
|
||||||
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
|
|
||||||
backend:
|
|
||||||
{{- if $v1Ingress }}
|
|
||||||
service:
|
|
||||||
name: {{ $service }}
|
|
||||||
port:
|
|
||||||
number: 8083
|
|
||||||
pathType: ImplementationSpecific
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $service }}
|
|
||||||
servicePort: 8083
|
|
||||||
{{- end }}
|
|
||||||
{{- else }}
|
|
||||||
- path: {{ . | quote }}
|
|
||||||
backend:
|
|
||||||
{{- if $v1Ingress }}
|
|
||||||
service:
|
|
||||||
name: {{ $service }}
|
|
||||||
port:
|
|
||||||
number: 8083
|
|
||||||
pathType: ImplementationSpecific
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $service }}
|
|
||||||
servicePort: 8083
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if has . $csHosts }}
|
|
||||||
{{- with $.Values.ingress.csPaths }}
|
|
||||||
{{ . | toYaml | nindent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if has . $s2sHosts }}
|
|
||||||
{{- with $.Values.ingress.paths }}
|
|
||||||
{{ . | toYaml | nindent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if or (has . $csHosts) (has . $s2sHosts) }}
|
|
||||||
- path: /_matrix
|
|
||||||
backend:
|
|
||||||
{{- if $v1Ingress }}
|
|
||||||
service:
|
|
||||||
name: {{ $fullName }}
|
|
||||||
port:
|
|
||||||
number: {{ $.Values.service.port }}
|
|
||||||
pathType: Prefix
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $fullName }}
|
|
||||||
servicePort: {{ $.Values.service.port }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }}
|
|
||||||
- path: /_synapse
|
|
||||||
backend:
|
|
||||||
{{- if $v1Ingress }}
|
|
||||||
service:
|
|
||||||
name: {{ $fullName }}
|
|
||||||
port:
|
|
||||||
number: {{ $.Values.service.port }}
|
|
||||||
pathType: Prefix
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $fullName }}
|
|
||||||
servicePort: {{ $.Values.service.port }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if has . $wkHosts }}
|
|
||||||
{{- if $.Values.wellknown.enabled }}
|
|
||||||
- path: /.well-known/matrix
|
|
||||||
backend:
|
|
||||||
{{- if $v1Ingress }}
|
|
||||||
service:
|
|
||||||
name: {{ $wkName }}
|
|
||||||
port:
|
|
||||||
number: {{ $.Values.wellknown.service.port | default 80 }}
|
|
||||||
pathType: Prefix
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $wkName }}
|
|
||||||
servicePort: {{ $.Values.wellknown.service.port | default 80 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else }}
|
|
||||||
- path: /.well-known/matrix
|
|
||||||
backend:
|
|
||||||
{{- if $v1Ingress }}
|
|
||||||
service:
|
|
||||||
name: {{ $fullName }}
|
|
||||||
port:
|
|
||||||
number: {{ $.Values.service.port }}
|
|
||||||
pathType: Prefix
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $fullName }}
|
|
||||||
servicePort: {{ $.Values.service.port }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
|
@ -1,153 +0,0 @@
|
||||||
{{- if .Values.signingkey.job.enabled }}
|
|
||||||
{{- if .Values.signingkey.existingSecret }}
|
|
||||||
{{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }}
|
|
||||||
{{- $secretName := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: {{ $name }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: signingkey-job
|
|
||||||
annotations:
|
|
||||||
helm.sh/hook: pre-install
|
|
||||||
helm.sh/hook-delete-policy: hook-succeeded
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
name: {{ $name }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: signingkey-job
|
|
||||||
annotations:
|
|
||||||
helm.sh/hook: pre-install
|
|
||||||
helm.sh/hook-delete-policy: hook-succeeded
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
resourceNames:
|
|
||||||
- {{ $secretName }}
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- update
|
|
||||||
- patch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ $name }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: signingkey-job
|
|
||||||
annotations:
|
|
||||||
helm.sh/hook: pre-install
|
|
||||||
helm.sh/hook-delete-policy: hook-succeeded
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: {{ $name }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: {{ $name }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: batch/v1
|
|
||||||
kind: Job
|
|
||||||
metadata:
|
|
||||||
name: {{ $name }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: signingkey-job
|
|
||||||
annotations:
|
|
||||||
helm.sh/hook: pre-install
|
|
||||||
helm.sh/hook-delete-policy: hook-succeeded
|
|
||||||
{{- with .Values.signingkey.job.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
ttlSecondsAfterFinished: 0
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 8 }}
|
|
||||||
app.kubernetes.io/component: signingkey-job
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- command:
|
|
||||||
- sh
|
|
||||||
- -c
|
|
||||||
- |
|
|
||||||
echo "Generating signing key..."
|
|
||||||
if which generate_signing_key.py >/dev/null; then
|
|
||||||
generate_signing_key.py -o /synapse/keys/signing.key
|
|
||||||
else
|
|
||||||
generate_signing_key -o /synapse/keys/signing.key
|
|
||||||
fi
|
|
||||||
image: "{{ .Values.signingkey.job.generateImage.repository }}:{{ .Values.signingkey.job.generateImage.tag | default "latest" }}"
|
|
||||||
imagePullPolicy: {{ .Values.signingkey.job.generateImage.pullPolicy }}
|
|
||||||
name: signing-key-generate
|
|
||||||
resources:
|
|
||||||
{{- toYaml .Values.signingkey.resources | nindent 12 }}
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /synapse/keys
|
|
||||||
name: matrix-synapse-keys
|
|
||||||
- command:
|
|
||||||
- sh
|
|
||||||
- -c
|
|
||||||
- |
|
|
||||||
printf "Checking rights to update secret... "
|
|
||||||
kubectl auth can-i update secret/${SECRET_NAME}
|
|
||||||
/scripts/signing-key.sh
|
|
||||||
env:
|
|
||||||
- name: SECRET_NAME
|
|
||||||
value: {{ $secretName }}
|
|
||||||
image: "{{ .Values.signingkey.job.publishImage.repository }}:{{ .Values.signingkey.job.publishImage.tag | default "latest" }}"
|
|
||||||
imagePullPolicy: {{ .Values.signingkey.job.publishImage.pullPolicy }}
|
|
||||||
name: signing-key-upload
|
|
||||||
resources:
|
|
||||||
{{- toYaml .Values.signingkey.resources | nindent 12 }}
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /scripts
|
|
||||||
name: scripts
|
|
||||||
readOnly: true
|
|
||||||
- mountPath: /synapse/keys
|
|
||||||
name: matrix-synapse-keys
|
|
||||||
readOnly: true
|
|
||||||
restartPolicy: Never
|
|
||||||
serviceAccount: {{ $name }}
|
|
||||||
volumes:
|
|
||||||
- name: scripts
|
|
||||||
configMap:
|
|
||||||
name: {{ include "matrix-synapse.fullname" . }}-scripts
|
|
||||||
defaultMode: 0755
|
|
||||||
- name: matrix-synapse-keys
|
|
||||||
emptyDir: {}
|
|
||||||
parallelism: 1
|
|
||||||
completions: 1
|
|
||||||
backoffLimit: 1
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
helm.sh/hook: pre-install
|
|
||||||
helm.sh/hook-delete-policy: never
|
|
||||||
helm.sh/resource-policy: keep
|
|
||||||
argocd.argoproj.io/hook: Skip
|
|
||||||
argocd.argoproj.io/hook-delete-policy: Never
|
|
||||||
name: {{ $secretName }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: signingkey-job
|
|
||||||
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
|
|
||||||
{{ if $secret -}}
|
|
||||||
data:
|
|
||||||
signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }}
|
|
||||||
{{ end -}}
|
|
||||||
{{- end }}
|
|
|
@ -1,66 +0,0 @@
|
||||||
{{- if .Values.wellknown.enabled }}
|
|
||||||
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: {{ $wkName }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
component: well-known
|
|
||||||
data:
|
|
||||||
lighttpd.conf: |
|
|
||||||
server.port = 8080
|
|
||||||
{{ if .Values.wellknown.useIpv6}}
|
|
||||||
server.use-ipv6 = "enable"
|
|
||||||
{{ end }}
|
|
||||||
server.modules = (
|
|
||||||
"mod_rewrite",
|
|
||||||
"mod_status",
|
|
||||||
"mod_accesslog",
|
|
||||||
"mod_extforward",
|
|
||||||
"mod_setenv"
|
|
||||||
)
|
|
||||||
include "conf.d/00-mime-types.conf"
|
|
||||||
server.username = "lighttpd"
|
|
||||||
server.groupname = "lighttpd"
|
|
||||||
server.document-root = {{ .Values.wellknown.htdocsPath | quote }}
|
|
||||||
server.pid-file = "/run/lighttpd.pid"
|
|
||||||
url.rewrite-once = (
|
|
||||||
{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }}
|
|
||||||
{{- range $key := initial $keys }}
|
|
||||||
"^/\.well-known/matrix/{{ $key }}" => "/{{ $key }}.json",
|
|
||||||
{{- end }}
|
|
||||||
"^/\.well-known/matrix/{{ last $keys }}" => "/{{ last $keys }}.json"
|
|
||||||
)
|
|
||||||
status.status-url = "/server-status"
|
|
||||||
extforward.forwarder = ( "all" => "trust")
|
|
||||||
setenv.add-response-header = (
|
|
||||||
"access-control-allow-headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization",
|
|
||||||
"access-control-allow-methods" => "GET, POST, PUT, DELETE, OPTIONS",
|
|
||||||
"access-control-allow-origin" => "*"
|
|
||||||
)
|
|
||||||
setenv.set-response-header = (
|
|
||||||
"content-type" => "application/json"
|
|
||||||
)
|
|
||||||
server.json: |-
|
|
||||||
{{- if .Values.wellknown.server }}
|
|
||||||
{{ toJson .Values.wellknown.server | nindent 4 }}
|
|
||||||
{{- else }}
|
|
||||||
{{ dict "m.server" (printf "%s:%d" (.Values.wellknown.host | default (.Values.publicServerName | default .Values.serverName)) (.Values.wellknown.port | default 443)) | toJson | indent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
client.json: |-
|
|
||||||
{{- if .Values.wellknown.client }}
|
|
||||||
{{ toJson .Values.wellknown.client | nindent 4 }}
|
|
||||||
{{- else }}
|
|
||||||
{{ dict "m.homeserver" (dict "base_url" (printf "https://%s/" (.Values.publicServerName | default .Values.serverName))) | toJson | indent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- range $key, $value := .Values.wellknown.extraData }}
|
|
||||||
{{ $key }}.json: |-
|
|
||||||
{{- if $value | kindIs "string" -}}
|
|
||||||
{{ $value | nindent 4 }}
|
|
||||||
{{- else -}}
|
|
||||||
{{ $value | toJson | nindent 4 }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
|
@ -1,95 +0,0 @@
|
||||||
{{- if .Values.wellknown.enabled }}
|
|
||||||
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ $wkName }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: well-known
|
|
||||||
spec:
|
|
||||||
type: {{ .Values.wellknown.service.type | default "ClusterIP" }}
|
|
||||||
ports:
|
|
||||||
- port: {{ .Values.wellknown.service.port | default 80 }}
|
|
||||||
targetPort: http
|
|
||||||
protocol: TCP
|
|
||||||
name: http
|
|
||||||
selector:
|
|
||||||
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: well-known
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ $wkName }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: well-known
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.wellknown.replicaCount | default 1 }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
|
|
||||||
app.kubernetes.io/component: well-known
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
checksum/config: {{ include (print .Template.BasePath "/well-known-config.yaml") . | sha256sum }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
|
|
||||||
app.kubernetes.io/component: well-known
|
|
||||||
spec:
|
|
||||||
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
|
|
||||||
securityContext:
|
|
||||||
{{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }}
|
|
||||||
containers:
|
|
||||||
- name: lighttpd
|
|
||||||
image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"
|
|
||||||
imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }}
|
|
||||||
securityContext:
|
|
||||||
{{- toYaml .Values.wellknown.securityContext | nindent 12 }}
|
|
||||||
ports:
|
|
||||||
- containerPort: 8080
|
|
||||||
name: http
|
|
||||||
protocol: TCP
|
|
||||||
readinessProbe:
|
|
||||||
tcpSocket:
|
|
||||||
port: http
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /server-status
|
|
||||||
port: http
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /etc/lighttpd/lighttpd.conf
|
|
||||||
name: files
|
|
||||||
subPath: lighttpd.conf
|
|
||||||
{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }}
|
|
||||||
{{- range $key := $keys }}
|
|
||||||
- mountPath: {{ $.Values.wellknown.htdocsPath }}/{{ $key }}.json
|
|
||||||
name: files
|
|
||||||
subPath: {{ $key }}.json
|
|
||||||
{{- end }}
|
|
||||||
- mountPath: /run
|
|
||||||
name: run
|
|
||||||
resources:
|
|
||||||
{{- toYaml .Values.wellknown.resources | nindent 12 }}
|
|
||||||
volumes:
|
|
||||||
- name: files
|
|
||||||
configMap:
|
|
||||||
name: {{ $wkName }}
|
|
||||||
- name: run
|
|
||||||
emptyDir: {}
|
|
||||||
{{- with .Values.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
|
@ -22,7 +22,7 @@ data:
|
||||||
{{- $app := $config.app | default $worker }}
|
{{- $app := $config.app | default $worker }}
|
||||||
|
|
||||||
{{ $name }}.worker: |
|
{{ $name }}.worker: |
|
||||||
worker_app: "synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }}"
|
worker_app: "synapse.app.generic_worker"
|
||||||
{{- if $config.name -}}
|
{{- if $config.name -}}
|
||||||
{{- if (gt ($config.replicaCount | int) 1) -}}
|
{{- if (gt ($config.replicaCount | int) 1) -}}
|
||||||
{{- fail "Replica count must be 1 if a worker has a unique name." -}}
|
{{- fail "Replica count must be 1 if a worker has a unique name." -}}
|
||||||
|
|
|
@ -27,7 +27,6 @@ spec:
|
||||||
annotations:
|
annotations:
|
||||||
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
|
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
|
||||||
checksum/worker-config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }}
|
checksum/worker-config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }}
|
||||||
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
|
|
||||||
{{- with ($config.annotations | default $default.annotations) }}
|
{{- with ($config.annotations | default $default.annotations) }}
|
||||||
{{ . | toYaml | nindent 8 }}
|
{{ . | toYaml | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -160,6 +159,7 @@ spec:
|
||||||
mountPath: /synapse/secrets
|
mountPath: /synapse/secrets
|
||||||
- name: signingkey
|
- name: signingkey
|
||||||
mountPath: /synapse/keys
|
mountPath: /synapse/keys
|
||||||
|
readOnly: false
|
||||||
{{- if eq $name "media-repository" }}
|
{{- if eq $name "media-repository" }}
|
||||||
- name: media
|
- name: media
|
||||||
mountPath: /synapse/data
|
mountPath: /synapse/data
|
||||||
|
@ -188,10 +188,10 @@ spec:
|
||||||
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }}
|
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }}
|
||||||
- name: secrets
|
- name: secrets
|
||||||
secret:
|
secret:
|
||||||
secretName: {{ include "matrix-synapse.fullname" $ }}
|
secretName: {{ $.Values.existingSecrets }}
|
||||||
- name: signingkey
|
- name: signingkey
|
||||||
secret:
|
secret:
|
||||||
secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
|
secretName: {{ $.Values.signingkey.existingSecret | quote }}
|
||||||
items:
|
items:
|
||||||
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
|
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
|
||||||
path: signing.key
|
path: signing.key
|
||||||
|
|
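Review bot: The added `readOnly: false` on the `signingkey` mount at `/synapse/keys` asks for a writable mount of the homeserver signing key in every worker pod. Nothing in the hunks shown has the workers writing there, and Kubernetes secret volumes are, as far as I know, mounted read-only in any case, so the flag is misleading at best; `readOnly: true` states the intent. The first hunk of this section removes the `checksum/secrets` annotation, so unless something else triggers a rollout, a rotated secret will not restart the workers.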
|
@ -1,4 +1,12 @@
|
||||||
---
|
initContainers:
|
||||||
|
dbInit:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/onedr0p/postgres-init
|
||||||
|
tag: "16"
|
||||||
|
envFrom:
|
||||||
|
- secretRef:
|
||||||
|
name: synapse-secret
|
||||||
|
|
||||||
## Docker image configuration, used for Synapse and workers.
|
## Docker image configuration, used for Synapse and workers.
|
||||||
##
|
##
|
||||||
image:
|
image:
|
||||||
|
@ -124,7 +132,7 @@ config:
|
||||||
## signing key request.
|
## signing key request.
|
||||||
##
|
##
|
||||||
trustedKeyServers:
|
trustedKeyServers:
|
||||||
- server_name: matrix.org
|
- server_name: matrix.org
|
||||||
# verify_keys:
|
# verify_keys:
|
||||||
# "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
|
# "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
|
||||||
|
|
||||||
|
@ -427,96 +435,96 @@ workers:
|
||||||
generic: true
|
generic: true
|
||||||
listeners: [client, federation]
|
listeners: [client, federation]
|
||||||
csPaths:
|
csPaths:
|
||||||
## Sync requests
|
## Sync requests
|
||||||
# - "/_matrix/client/(r0|v3)/sync$"
|
# - "/_matrix/client/(r0|v3)/sync$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3)/events$"
|
- "/_matrix/client/(api/v1|r0|v3)/events$"
|
||||||
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
|
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
|
||||||
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
|
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
|
||||||
|
|
||||||
## Client API requests
|
## Client API requests
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$"
|
||||||
- "/_matrix/client/v1/rooms/.*/hierarchy$"
|
- "/_matrix/client/v1/rooms/.*/hierarchy$"
|
||||||
- "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$"
|
- "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$"
|
||||||
- "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
|
- "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
|
||||||
- "/_matrix/client/(r0|v3|unstable)/account/3pid$"
|
- "/_matrix/client/(r0|v3|unstable)/account/3pid$"
|
||||||
- "/_matrix/client/(r0|v3|unstable)/account/whoami$"
|
- "/_matrix/client/(r0|v3|unstable)/account/whoami$"
|
||||||
- "/_matrix/client/(r0|v3|unstable)/devices$"
|
- "/_matrix/client/(r0|v3|unstable)/devices$"
|
||||||
- "/_matrix/client/versions$"
|
- "/_matrix/client/versions$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/search$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/search$"
|
||||||
|
|
||||||
## Encryption requests
|
## Encryption requests
|
||||||
- "/_matrix/client/(r0|v3|unstable)/keys/query$"
|
- "/_matrix/client/(r0|v3|unstable)/keys/query$"
|
||||||
- "/_matrix/client/(r0|v3|unstable)/keys/changes$"
|
- "/_matrix/client/(r0|v3|unstable)/keys/changes$"
|
||||||
- "/_matrix/client/(r0|v3|unstable)/keys/claim$"
|
- "/_matrix/client/(r0|v3|unstable)/keys/claim$"
|
||||||
- "/_matrix/client/(r0|v3|unstable)/room_keys/"
|
- "/_matrix/client/(r0|v3|unstable)/room_keys/"
|
||||||
|
|
||||||
## Registration/login requests
|
## Registration/login requests
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/login$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/login$"
|
||||||
- "/_matrix/client/(r0|v3|unstable)/register$"
|
- "/_matrix/client/(r0|v3|unstable)/register$"
|
||||||
- "/_matrix/client/v1/register/m.login.registration_token/validity$"
|
- "/_matrix/client/v1/register/m.login.registration_token/validity$"
|
||||||
|
|
||||||
## Event sending requests
|
## Event sending requests
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/join/"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/join/"
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
|
||||||
|
|
||||||
## User directory search requests
|
## User directory search requests
|
||||||
- "/_matrix/client/(r0|v3|unstable)/user_directory/search"
|
- "/_matrix/client/(r0|v3|unstable)/user_directory/search"
|
||||||
|
|
||||||
## Worker event streams
|
## Worker event streams
|
||||||
## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers
|
## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers
|
||||||
##
|
##
|
||||||
|
|
||||||
## The typing event stream
|
## The typing event stream
|
||||||
# - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing"
|
# - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing"
|
||||||
|
|
||||||
## The to_device event stream
|
## The to_device event stream
|
||||||
# - "/_matrix/client/(r0|v3|unstable)/sendToDevice/"
|
# - "/_matrix/client/(r0|v3|unstable)/sendToDevice/"
|
||||||
|
|
||||||
## The account_data event stream
|
## The account_data event stream
|
||||||
# - "/_matrix/client/(r0|v3|unstable)/.*/tags"
|
# - "/_matrix/client/(r0|v3|unstable)/.*/tags"
|
||||||
# - "/_matrix/client/(r0|v3|unstable)/.*/account_data"
|
# - "/_matrix/client/(r0|v3|unstable)/.*/account_data"
|
||||||
|
|
||||||
## The receipts event stream
|
## The receipts event stream
|
||||||
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt"
|
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt"
|
||||||
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers"
|
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers"
|
||||||
|
|
||||||
## The presence event stream
|
## The presence event stream
|
||||||
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/"
|
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/"
|
||||||
|
|
||||||
paths:
|
paths:
|
||||||
## Federation requests
|
## Federation requests
|
||||||
- "/_matrix/federation/v1/event/"
|
- "/_matrix/federation/v1/event/"
|
||||||
- "/_matrix/federation/v1/state/"
|
- "/_matrix/federation/v1/state/"
|
||||||
- "/_matrix/federation/v1/state_ids/"
|
- "/_matrix/federation/v1/state_ids/"
|
||||||
- "/_matrix/federation/v1/backfill/"
|
- "/_matrix/federation/v1/backfill/"
|
||||||
- "/_matrix/federation/v1/get_missing_events/"
|
- "/_matrix/federation/v1/get_missing_events/"
|
||||||
- "/_matrix/federation/v1/publicRooms"
|
- "/_matrix/federation/v1/publicRooms"
|
||||||
- "/_matrix/federation/v1/query/"
|
- "/_matrix/federation/v1/query/"
|
||||||
- "/_matrix/federation/v1/make_join/"
|
- "/_matrix/federation/v1/make_join/"
|
||||||
- "/_matrix/federation/v1/make_leave/"
|
- "/_matrix/federation/v1/make_leave/"
|
||||||
- "/_matrix/federation/(v1|v2)/send_join/"
|
- "/_matrix/federation/(v1|v2)/send_join/"
|
||||||
- "/_matrix/federation/(v1|v2)/send_leave/"
|
- "/_matrix/federation/(v1|v2)/send_leave/"
|
||||||
- "/_matrix/federation/(v1|v2)/invite/"
|
- "/_matrix/federation/(v1|v2)/invite/"
|
||||||
- "/_matrix/federation/v1/event_auth/"
|
- "/_matrix/federation/v1/event_auth/"
|
||||||
- "/_matrix/federation/v1/exchange_third_party_invite/"
|
- "/_matrix/federation/v1/exchange_third_party_invite/"
|
||||||
- "/_matrix/federation/v1/user/devices/"
|
- "/_matrix/federation/v1/user/devices/"
|
||||||
- "/_matrix/key/v2/query"
|
- "/_matrix/key/v2/query"
|
||||||
- "/_matrix/federation/v1/hierarchy/"
|
- "/_matrix/federation/v1/hierarchy/"
|
||||||
|
|
||||||
## Inbound federation transaction request
|
## Inbound federation transaction request
|
||||||
- "/_matrix/federation/v1/send/"
|
- "/_matrix/federation/v1/send/"
|
||||||
|
|
||||||
## To separate the generic worker into specific concerns - for example federation transaction receiving;
|
## To separate the generic worker into specific concerns - for example federation transaction receiving;
|
||||||
## NB; This worker should have incoming traffic routed based on source IP, which is
|
## NB; This worker should have incoming traffic routed based on source IP, which is
|
||||||
|
@ -580,15 +588,15 @@ workers:
|
||||||
enabled: false
|
enabled: false
|
||||||
listeners: [media]
|
listeners: [media]
|
||||||
csPaths:
|
csPaths:
|
||||||
- "/_matrix/media/.*"
|
- "/_matrix/media/.*"
|
||||||
- "/_synapse/admin/v1/purge_media_cache$"
|
- "/_synapse/admin/v1/purge_media_cache$"
|
||||||
- "/_synapse/admin/v1/room/.*/media"
|
- "/_synapse/admin/v1/room/.*/media"
|
||||||
- "/_synapse/admin/v1/user/.*/media"
|
- "/_synapse/admin/v1/user/.*/media"
|
||||||
- "/_synapse/admin/v1/media/"
|
- "/_synapse/admin/v1/media/"
|
||||||
- "/_synapse/admin/v1/quarantine_media/"
|
- "/_synapse/admin/v1/quarantine_media/"
|
||||||
- "/_synapse/admin/v1/users/.*/media$"
|
- "/_synapse/admin/v1/users/.*/media$"
|
||||||
paths:
|
paths:
|
||||||
- "/_matrix/media/.*"
|
- "/_matrix/media/.*"
|
||||||
|
|
||||||
## This worker deals with user directory searches.
|
## This worker deals with user directory searches.
|
||||||
##
|
##
|
||||||
|
@ -597,7 +605,7 @@ workers:
|
||||||
name: userdir
|
name: userdir
|
||||||
listeners: [client]
|
listeners: [client]
|
||||||
csPaths:
|
csPaths:
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
|
||||||
|
|
||||||
## This worker handles key uploads, and may also stub out presence if that is
|
## This worker handles key uploads, and may also stub out presence if that is
|
||||||
## disabled. If you set extraConfig.use_presence=false then you may want to
|
## disabled. If you set extraConfig.use_presence=false then you may want to
|
||||||
|
@ -607,7 +615,7 @@ workers:
|
||||||
enabled: false
|
enabled: false
|
||||||
listeners: [client]
|
listeners: [client]
|
||||||
csPaths:
|
csPaths:
|
||||||
- "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
|
- "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
|
||||||
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
|
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
|
||||||
|
|
||||||
## This will set up a Lighttpd server to respond to any
|
## This will set up a Lighttpd server to respond to any
|
||||||
|
@ -643,13 +651,13 @@ wellknown:
|
||||||
## Dictionaries will be JSON converted, plain strings will be served as they are
|
## Dictionaries will be JSON converted, plain strings will be served as they are
|
||||||
##
|
##
|
||||||
extraData: {}
|
extraData: {}
|
||||||
## MSC1929 example;
|
## MSC1929 example;
|
||||||
# support:
|
# support:
|
||||||
# admins:
|
# admins:
|
||||||
# - matrix_id: '@admin:example.com'
|
# - matrix_id: '@admin:example.com'
|
||||||
# email_address: 'admin@example.com'
|
# email_address: 'admin@example.com'
|
||||||
# role: 'admin'
|
# role: 'admin'
|
||||||
# support_page: 'https://example.com/support'
|
# support_page: 'https://example.com/support'
|
||||||
|
|
||||||
## A custom htdocs path, useful when running another image.
|
## A custom htdocs path, useful when running another image.
|
||||||
##
|
##
|
||||||
|
@ -966,5 +974,5 @@ ingress:
|
||||||
serviceAccount:
|
serviceAccount:
|
||||||
create: false
|
create: false
|
||||||
annotations: {}
|
annotations: {}
|
||||||
# eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
|
# eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
|
||||||
# name: non-default-service-name
|
# name: non-default-service-name
|
||||||
|
|
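Review bot: The `initContainers.dbInit` defaults added in the first hunk of this values file pass the whole `synapse-secret` Secret to a third-party image through `envFrom`, so every key in that Secret becomes an environment variable of the init container whether it needs it or not. If that Secret also holds Synapse's own credentials (its contents are not visible here), use a dedicated Secret for the database bootstrap, or explicit `env` entries with `secretKeyRef` for only the keys the image reads. The image is referenced by the mutable tag `"16"`; pinning it by digest, e.g. `tag: "16@sha256:<digest>"` (placeholder, and assuming the template joins repository and tag with a colon), keeps a re-pushed tag from changing what runs with those credentials. Because this is the chart's default values file, the hard-coded Secret name would be better left empty and supplied per deployment.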