2026-03-09 18:29:13 +00:00
commit 5ad4f404ad
326 changed files with 178484 additions and 0 deletions

17
matrix/README.md Normal file

@@ -0,0 +1,17 @@
# Matrix
## Synapse + Element
Matrix is an open standard and communication protocol for real-time communication.
### Synapse
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. We began rapid development in 2014, reaching v1.0.0 in 2019. Development on Synapse and the Matrix protocol itself continues in earnest today.
### Element
Element is a Matrix-based end-to-end encrypted messenger and secure collaboration app
improvements:
metrics
resource limits
email
enable capcha

140
matrix/backupSchedule.yaml Normal file

@@ -0,0 +1,140 @@
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: matrix-backup-csi-hourly
namespace: velero
labels:
velero.io/storage-location: ceph-bucket
spec:
# Schedule is a Cron expression defining when to run the Backup
schedule: 0 15-22 * * * # every hour
# Specifies whether to use OwnerReferences on backups created by this Schedule.
# Notice: if set to true, when schedule is deleted, backups will be deleted too. Optional.
useOwnerReferencesInBackup: true
template:
csiSnapshotTimeout: 10m0s
defaultVolumesToFsBackup: false
hooks: {}
includedNamespaces:
- matrix
metadata: {}
storageLocation: ceph-bucket
ttl: 8h0m0s
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: matrix-backup-csi-daily
namespace: velero
labels:
velero.io/storage-location: ceph-bucket
spec:
# Schedule is a Cron expression defining when to run the Backup
schedule: 0 0 * * * # every hour
# Specifies whether to use OwnerReferences on backups created by this Schedule.
# Notice: if set to true, when schedule is deleted, backups will be deleted too. Optional.
useOwnerReferencesInBackup: true
template:
csiSnapshotTimeout: 10m0s
defaultVolumesToFsBackup: false
hooks: {}
includedNamespaces:
- matrix
metadata: {}
storageLocation: ceph-bucket
ttl: 168h0m0s
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: matrix-backup-csi-weekly
namespace: velero
labels:
velero.io/storage-location: ceph-bucket
spec:
# Schedule is a Cron expression defining when to run the Backup
schedule: 0 0 * * 1 # every hour
# Specifies whether to use OwnerReferences on backups created by this Schedule.
# Notice: if set to true, when schedule is deleted, backups will be deleted too. Optional.
useOwnerReferencesInBackup: true
template:
csiSnapshotTimeout: 10m0s
defaultVolumesToFsBackup: false
hooks: {}
includedNamespaces:
- matrix
metadata: {}
storageLocation: ceph-bucket
ttl: 730h0m0s
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: matrix-backup-restic-daily
namespace: velero
labels:
velero.io/storage-location: aux-balancer-minio
spec:
# Schedule is a Cron expression defining when to run the Backup
schedule: 0 0 * * * # every hour
# Specifies whether to use OwnerReferences on backups created by this Schedule.
# Notice: if set to true, when schedule is deleted, backups will be deleted too. Optional.
useOwnerReferencesInBackup: true
template:
csiSnapshotTimeout: 10m0s
snapshotVolumes: false
defaultVolumesToFsBackup: true
hooks: {}
includedNamespaces:
- matrix
metadata: {}
storageLocation: aux-balancer-minio
ttl: 168h0m0s
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: matrix-backup-restic-weekly
namespace: velero
labels:
velero.io/storage-location: aux-balancer-minio
spec:
# Schedule is a Cron expression defining when to run the Backup
schedule: 0 0 * * 1 # every hour
# Specifies whether to use OwnerReferences on backups created by this Schedule.
# Notice: if set to true, when schedule is deleted, backups will be deleted too. Optional.
useOwnerReferencesInBackup: true
template:
csiSnapshotTimeout: 10m0s
snapshotVolumes: false
defaultVolumesToFsBackup: true
hooks: {}
includedNamespaces:
- matrix
metadata: {}
storageLocation: aux-balancer-minio
ttl: 730h0m0s
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: matrix-backup-restic-monthly
namespace: velero
labels:
velero.io/storage-location: aux-balancer-minio
spec:
# Schedule is a Cron expression defining when to run the Backup
schedule: 0 0 1 * * # every hour
# Specifies whether to use OwnerReferences on backups created by this Schedule.
# Notice: if set to true, when schedule is deleted, backups will be deleted too. Optional.
useOwnerReferencesInBackup: true
template:
csiSnapshotTimeout: 10m0s
snapshotVolumes: false
defaultVolumesToFsBackup: true
hooks: {}
includedNamespaces:
- matrix
metadata: {}
storageLocation: aux-balancer-minio
ttl: 4380h0m0s
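Review bot: `useOwnerReferencesInBackup: true` on all six Schedules means that deleting or recreating a Schedule (a routine reconcile, or anyone with write access to the `velero` namespace) garbage-collects every Backup it ever produced, which defeats the 7-day/30-day/6-month retention tiers these schedules are meant to provide; set `useOwnerReferencesInBackup: false` so backups outlive their schedule. The `# every hour` comment is wrong on five of the six schedules (and the hourly one itself only runs `15-22`), so correct each to match its cron, e.g. `schedule: 0 0 * * 1 # weekly, Monday 00:00`. With `hooks: {}` the CSI snapshots of the `matrix` namespace capture the live Postgres data directory with no pre-hook, so they are at best crash-consistent — either add a pre-backup hook or rely on the logical dump produced by the `db-backup` container in db.yaml as the copy of record. Note also that a namespace backup includes the `matrix-db` Secret and the `config` ConfigMap with its plaintext keys, so the `ceph-bucket` and `aux-balancer-minio` locations need access controls equivalent to the cluster's.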

226
matrix/db.yaml Normal file

@@ -0,0 +1,226 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: matrix-db
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
# clusterID is the namespace where the rook cluster is running
# If you change this namespace, also change the namespace below where the secret namespaces are defined
clusterID: rook-ceph
# CephFS filesystem name into which the volume shall be created
fsName: matrix
# Ceph pool into which the volume shall be created
# Required for provisionVolume: "true"
pool: matrix-replicated
# The secrets contain Ceph admin credentials. These are generated automatically by the operator
# in the same namespace as the cluster.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
reclaimPolicy: Delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: db
namespace: matrix
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4Gi
storageClassName: matrix-db
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: db
namespace: matrix
labels:
app: db
spec:
replicas: 1
selector:
matchLabels:
app: db
template:
metadata:
labels:
app: db
spec:
containers:
- name: db
image: postgres
imagePullPolicy: "IfNotPresent"
ports:
- name: mysql
containerPort: 5432
env:
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: matrix-db
key: root.pw
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: matrix-db
key: username
optional: false
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: matrix-db
key: user.pw
optional: false
- name: POSTGRES_DB
value: synapse
- name: POSTGRES_INITDB_ARGS
value: "--lc-collate=C --lc-ctype=C --encoding=UTF8"
#livenessProbe:
# exec:
# command: ["sh", "-c", "exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD"]
# initialDelaySeconds: 120
# periodSeconds: 10
# timeoutSeconds: 1
# successThreshold: 1
# failureThreshold: 3
#readinessProbe:
# exec:
# command: ["sh", "-c", "exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD"]
# initialDelaySeconds: 30
# periodSeconds: 10
# timeoutSeconds: 1
# successThreshold: 1
# failureThreshold: 3
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: data
volumes:
- name: data
persistentVolumeClaim:
claimName: db
readOnly: false
---
apiVersion: v1
kind: Service
metadata:
name: db
namespace: matrix
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv6
ipFamilyPolicy: SingleStack
ports:
- name: postgres
port: 5432
protocol: TCP
targetPort: 5432
selector:
app: db
sessionAffinity: None
type: ClusterIP
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: matrix-db-backup
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
# clusterID is the namespace where the rook cluster is running
# If you change this namespace, also change the namespace below where the secret namespaces are defined
clusterID: rook-ceph
# CephFS filesystem name into which the volume shall be created
fsName: matrix
# Ceph pool into which the volume shall be created
# Required for provisionVolume: "true"
pool: matrix-replicated
# The secrets contain Ceph admin credentials. These are generated automatically by the operator
# in the same namespace as the cluster.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
reclaimPolicy: Delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: db-backup
namespace: matrix
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4Gi
storageClassName: matrix-db-backup
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: db-backup
namespace: matrix
labels:
app: db-backup
spec:
replicas: 1
selector:
matchLabels:
app: db-backup
template:
metadata:
labels:
app: db-backup
spec:
containers:
- name: db-backup
image: prodrigestivill/postgres-backup-local
imagePullPolicy: "IfNotPresent"
env:
- name: SCHEDULE
value: "@daily"
- name: BACKUP_KEEP_DAYS
value: "7"
- name: POSTGRES_DB
value: "synapse"
- name: POSTGRES_HOST
value: db
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: matrix-db
key: root.pw
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: matrix-db
key: username
optional: false
- name: HEALTHCHECK_PORT
value: "8080"
volumeMounts:
- mountPath: /backups
name: backup
volumes:
- name: backup
persistentVolumeClaim:
claimName: db-backup
readOnly: false
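Review bot: The `db-backup` container authenticates as `username` (`matrix`) but takes `POSTGRES_PASSWORD` from `root.pw`, while the `db` container initialises that same user with `user.pw`; the two keys decode to different values, so the backup job cannot log in and the daily dumps will silently never exist — change the backup's secretKeyRef to `key: user.pw` (the `MARIADB_ROOT_PASSWORD` env, the `mysql` port name and the commented `mysqladmin` probes are MariaDB leftovers and should go). `db` is a Deployment with the default RollingUpdate strategy on a `ReadWriteMany` CephFS volume, so a rollout can briefly run two Postgres instances against the same data directory; add `strategy: {type: Recreate}` or convert it to a StatefulSet. `image: postgres` with no tag floats across major versions, and Postgres refuses to start on a data directory written by a different major, so pin a major (`postgres:16`) or a digest. The `db-backup` PVC lives on the same CephFS filesystem and pool (`matrix`/`matrix-replicated`) as the data it backs up, so a filesystem loss takes both — the Velero copies remain the only off-box tier. Neither pod sets a `securityContext`, resource limits or a NetworkPolicy, so the database Service is reachable from any pod in the cluster.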

130
matrix/element.yaml Normal file

@@ -0,0 +1,130 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config-element
namespace: matrix
data:
config.json: |
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://matrix.undercloud.cf:443",
"server_name": "matrix.undercloud.cf"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"disable_custom_urls": false,
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": false,
"brand": "Undercloud Communication",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
"https://scalar.vector.im/_matrix/integrations/v1",
"https://scalar.vector.im/api",
"https://scalar-staging.vector.im/_matrix/integrations/v1",
"https://scalar-staging.vector.im/api",
"https://scalar-staging.riot.im/scalar/api"
],
"bug_report_endpoint_url": "https://element.io/bugreports/submit",
"uisi_autorageshake_app": "element-auto-uisi",
"default_country_code": "GB",
"show_labs_settings": true,
"features": {},
"default_federate": true,
"default_theme": "dark",
"room_directory": {
"servers": ["matrix.org","matrix.undercloud.cf"]
},
"enable_presence_by_hs_url": {
"https://matrix.org": false,
"https://matrix-client.matrix.org": false,
"https://matrix.undercloud.cf": true
},
"setting_defaults": {
"breadcrumbs": true
},
"jitsi": {
"preferred_domain": "jitsi.undercloud.cf"
},
"element_call": {
"url": "https://call.element.io",
"participant_limit": 8,
"brand": "Element Call"
},
"map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: element
namespace: matrix
labels:
app: element
spec:
replicas: 1
selector:
matchLabels:
app: element
template:
metadata:
labels:
app: element
spec:
containers:
- name: element
image: vectorim/element-web:v1.11.20
imagePullPolicy: IfNotPresent
readinessProbe:
httpGet:
path: /
port: element
initialDelaySeconds: 2
periodSeconds: 3
livenessProbe:
httpGet:
path: /
port: element
initialDelaySeconds: 10
periodSeconds: 10
ports:
- containerPort: 80
name: element
volumeMounts:
- mountPath: "/app/config.json"
name: config-element
subPath: config.json
volumes:
- name: config-element
configMap:
name: config-element
items:
- key: "config.json"
path: "config.json"
---
apiVersion: v1
kind: Service
metadata:
name: element
namespace: matrix
labels:
app: element
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
app: element
sessionAffinity: None
type: ClusterIP
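Review bot: `m.homeserver.server_name` is `matrix.undercloud.cf`, but synapse.yaml sets `server_name: "undercloud.cf"` and `public_baseurl: "https://undercloud.cf"`, so Element will advertise a homeserver name that does not match the identifiers Synapse issues; set `"server_name": "undercloud.cf"` and keep `base_url` pointed at the host the Ingress actually serves. `bug_report_endpoint_url` and `uisi_autorageshake_app` send client debug logs (which include user and room IDs) to element.io, the latter automatically on decryption failures once a user enables auto-reporting — for a self-hosted deployment either run your own rageshake endpoint or drop both keys. The integration manager and identity-server entries likewise hand data to vector.im; that is a deliberate third-party dependency and should be documented as such. The `map_style_url` key appears to be the one shipped in Element's sample config rather than a per-deployment key, so location sharing will share its quota with everyone using the sample — replace it or remove the key. Leaving `disable_custom_urls: false` lets users log this branded client into arbitrary homeservers, which may or may not be intended.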

42
matrix/filesystem.yaml Normal file

@@ -0,0 +1,42 @@
apiVersion: ceph.rook.io/v1
kind: CephFilesystem
metadata:
name: matrix
namespace: rook-ceph
spec:
metadataPool:
failureDomain: host
replicated:
size: 3
dataPools:
- name: replicated
failureDomain: host
replicated:
size: 3
preserveFilesystemOnDelete: false
metadataServer:
activeCount: 1
activeStandby: true
placement:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: role
# operator: In
# values:
# - mds-node
tolerations:
- key: node-role.kubernetes.io/storage-node
operator: Exists
effect: NoSchedule
# podAffinity:
# podAntiAffinity:
# topologySpreadConstraints:
#resources:
# limits:
# cpu: "80m"
# memory: "1024Mi"
# requests:
# cpu: "500m"
# memory: "1024Mi"
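Review bot: `preserveFilesystemOnDelete: false` means deleting this CephFilesystem CR (or the `rook-ceph` namespace it lives in) destroys the `matrix` filesystem and with it the Synapse data, the Postgres data directory and the local dump PVC, since every StorageClass in this commit also uses `reclaimPolicy: Delete`; set `preserveFilesystemOnDelete: true` so an accidental CR deletion is recoverable. The MDS `resources` block is commented out, so the metadata server runs with BestEffort QoS and is first in line for eviction under node pressure; at minimum set requests. The commented `nodeAffinity`/`podAntiAffinity` stubs should be either enabled or removed so the intended placement is unambiguous.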

51
matrix/ingress.yaml Normal file

@@ -0,0 +1,51 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: matrix
namespace: matrix
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- matrix.undercloud.cf
secretName: matrix-tls
rules:
- host: matrix.undercloud.cf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: synapse
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: element
namespace: matrix
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- element.undercloud.cf
secretName: element-tls
rules:
- host: element.undercloud.cf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: element
port:
number: 80
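Review bot: `path: /` with `pathType: Prefix` on the `matrix` Ingress forwards every URL to Synapse, so the admin API under `/_synapse/admin` (and anything else Synapse or its modules register) is reachable from the Internet; Synapse's reverse-proxy guidance is to publish only `/_matrix` and `/_synapse/client` and keep the admin API on an internal path or behind a source allow-list. The Ingress also carries no `nginx.ingress.kubernetes.io/proxy-body-size` annotation, so ingress-nginx's default 1m cap will reject media uploads far below Synapse's own limit — add e.g. `nginx.ingress.kubernetes.io/proxy-body-size: "50m"`. `kubernetes.io/ingress.class` is the deprecated annotation form; prefer `spec.ingressClassName: nginx`. Nothing here serves `.well-known/matrix/server` or port 8448 for `undercloud.cf`, so if federation is intended, delegation to `matrix.undercloud.cf` still has to be configured elsewhere.
```yaml
spec:
  # … unchanged: tls block …
  rules:
  - host: matrix.undercloud.cf
    http:
      paths:
      - path: /_matrix
        pathType: Prefix
        backend:
          service:
            name: synapse
            port:
              number: 80
      - path: /_synapse/client
        pathType: Prefix
        backend:
          service:
            name: synapse
            port:
              number: 80
```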

6
matrix/namespace.yaml Normal file

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: matrix
labels:
prometheus: prometheus
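Review bot: The namespace carries only a `prometheus` label and no Pod Security Admission labels, and none of the Deployments in this commit set a `securityContext`, so nothing stops a pod here from running privileged or host-mounted; add `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` so regressions are caught at admission (the official `postgres` image starts as root before dropping to `postgres`, so `restricted` would need `runAsNonRoot`/`runAsUser` work first). There is also no default-deny NetworkPolicy for the namespace, which the `db` Service in particular would benefit from.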

10
matrix/secrets.yaml Normal file

@@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: matrix-db
namespace: matrix
type: Opaque
data:
root.pw: bWF0cml4Um9vdFBX
username: bWF0cml4
user.pw: bWF0cml4VXNlclBX
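Review bot: The three values are only base64 (they decode to `matrixRootPW`, `matrix` and `matrixUserPW`), so this commit puts guessable database credentials into version control in clear, and `user.pw` is additionally duplicated in plaintext in the synapse.yaml ConfigMap. Treat them as burned: rotate to random values and keep the Secret out of git via SealedSecrets, SOPS or an external secret store, leaving only an encrypted or templated placeholder in the repo. `root.pw` is not consumed by the Postgres image at all (it only feeds the unused `MARIADB_ROOT_PASSWORD` and the mis-keyed backup container in db.yaml), so it can be dropped once that is fixed.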

224
matrix/synapse.yaml Normal file

@@ -0,0 +1,224 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
namespace: matrix
data:
homeserver.yaml: |
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "undercloud.cf"
pid_file: /data/homeserver.pid
public_baseurl: "https://undercloud.cf"
#allow_public_rooms_without_auth: true
#allow_public_rooms_over_federation: true
enable_registration: true
enable_registration_without_verification: true
#allow_guest_access: true
enable_metrics: true
modules:
- module: "ldap_auth_provider.LdapAuthProviderModule"
config:
enabled: true
#mode: "search"
uri: "ldap://ldap.undercloud.cf:389"
start_tls: true
base: "ou=users,dc=undercloud,dc=cf"
attributes:
uid: "cn"
mail: "mail"
name: "displayName"
bind_dn: cn=synapse,ou=serviceaccounts,ou=users,dc=undercloud,dc=cf
bind_password: aPasswordForTheSynapseUser5
filter: "(objectClass=inetOrgPerson)"
tls_options:
validate: false
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
resources:
- names: [client, federation]
compress: false
#database:
# name: sqlite3
# args:
# database: /data/homeserver.db
database:
name: psycopg2
args:
user: matrix
password: matrixUserPW
database: synapse
host: db
cp_min: 5
cp_max: 10
log_config: "/data/matrix.undercloud.cf.log.config"
media_store_path: /data/media_store
registration_shared_secret: ",=UrbCS67WrW1&&3Xi&*Q17AE@QZ1ni0@BFHviDD+sE=aFfc;Y"
report_stats: true
macaroon_secret_key: "QbLPh;thU&X_mZ~Cf+BqBLEzfDN9yMc-Kf.bB6HA5yTiH_7@:-"
form_secret: "u5EhY4vAm1-qLOVQJPzsu7zwGeBkC:=PSJizLERyv#G.5R,2L@"
signing_key_path: "/data/matrix.undercloud.cf.signing.key"
trusted_key_servers:
- server_name: "matrix.org"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: synapse
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
# clusterID is the namespace where the rook cluster is running
# If you change this namespace, also change the namespace below where the secret namespaces are defined
clusterID: rook-ceph
# CephFS filesystem name into which the volume shall be created
fsName: matrix
# Ceph pool into which the volume shall be created
# Required for provisionVolume: "true"
pool: matrix-replicated
# The secrets contain Ceph admin credentials. These are generated automatically by the operator
# in the same namespace as the cluster.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
reclaimPolicy: Delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
namespace: matrix
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4Gi
storageClassName: synapse
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: synapse
namespace: matrix
labels:
app: synapse
spec:
replicas: 1
selector:
matchLabels:
app: synapse
template:
metadata:
labels:
app: synapse
spec:
initContainers:
- name: gen-config
image: matrixdotorg/synapse:v1.83.0
args: ["generate"]
ports:
- containerPort: 8008
env:
- name: SYNAPSE_SERVER_NAME
value: "matrix.undercloud.cf"
- name: SYNAPSE_REPORT_STATS
value: "yes"
volumeMounts:
- mountPath: "/data"
name: data
- mountPath: "/data/homeserver.yaml"
name: homeserver
subPath: homeserver.yaml
containers:
- name: synapse
image: matrixdotorg/synapse
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8008
#lifecycle:
# postStart:
# exec:
# command:
# - "/bin/startup.sh"
livenessProbe:
httpGet:
path: /_matrix/client/versions
port: 8008
scheme: HTTP
initialDelaySeconds: 120
name: matrix-synapse
readinessProbe:
httpGet:
path: /_matrix/client/versions
port: 8008
scheme: HTTP
initialDelaySeconds: 10
volumeMounts:
- mountPath: "/data"
name: data
- mountPath: "/data/homeserver.yaml"
name: homeserver
subPath: homeserver.yaml
readinessProbe:
httpGet:
path: /_matrix/client/versions
port: 8008
scheme: HTTP
initialDelaySeconds: 10
volumes:
- name: data
persistentVolumeClaim:
claimName: data
- name: homeserver
configMap:
name: config
items:
- key: "homeserver.yaml"
path: "homeserver.yaml"
---
apiVersion: v1
kind: Service
metadata:
name: synapse
namespace: matrix
labels:
app: synapse
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8008
selector:
app: synapse
sessionAffinity: None
type: ClusterIP
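Review bot: The `config` ConfigMap holds `macaroon_secret_key`, `form_secret`, `registration_shared_secret`, the LDAP `bind_password` and the database password in clear, so anyone with read access to the repo or to ConfigMaps in the `matrix` namespace can forge access tokens and register accounts; move these into a Secret-backed config file loaded alongside homeserver.yaml (or Synapse's `*_path` options where the running version supports them) and rotate all of them, since they are now burned. `tls_options.validate: false` turns off certificate verification for the LDAP STARTTLS connection, so every user's password is exposed to whoever can sit between Synapse and `ldap.undercloud.cf`; set `validate: true` and point the module's `tls_options` at the CA bundle. `enable_registration: true` together with `enable_registration_without_verification: true` opens the homeserver to unthrottled self-signup with no CAPTCHA or email check — the README's "enable capcha" item should land before this is exposed. The `synapse` container also declares `readinessProbe` twice (last one wins, or strict decoding rejects the manifest) and runs `matrixdotorg/synapse` untagged while the init container pins `v1.83.0`, so the config `generate` writes may target a different release than the one that runs; pin both to the same tag. `server_name: "undercloud.cf"` and `public_baseurl: "https://undercloud.cf"` disagree with the init container's `SYNAPSE_SERVER_NAME=matrix.undercloud.cf` and the Ingress host, and this must be settled before the first start because `server_name` cannot be changed afterwards without a fresh database.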