diff --git a/matrix/config.yaml b/matrix/config.yaml
new file mode 100644
index 0000000..ff3a3a7
--- /dev/null
+++ b/matrix/config.yaml
@@ -0,0 +1,88 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "synapse-werts-config"
+ namespace: synapse
+spec:
+ refreshInterval: "5s"
+ secretStoreRef:
+ name: k8s-store
+ kind: SecretStore
+ data:
+ - {"secretKey": "registration_shared_secret", "remoteRef": {"key": "synapse-werts-secrets", "property": "registration_shared_secret"}}
+ - {"secretKey": "pepper", "remoteRef": {"key": "synapse-werts-secrets", "property": "password_config__pepper"}}
+ - {"secretKey": "macaroon_secret_key", "remoteRef": {"key": "synapse-werts-secrets", "property": "macaroon_secret_key"}}
+ - {"secretKey": "form_secret", "remoteRef": {"key": "synapse-werts-secrets", "property": "form_secret"}}
+
+ - {"secretKey": "oidc_client_id", "remoteRef": {"key": "synapse-werts-secrets-oidc", "property": "client_id"}}
+ - {"secretKey": "oidc_client_secret", "remoteRef": {"key": "synapse-werts-secrets-oidc", "property": "client_secret"}}
+
+ - {"secretKey": "db_user", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "user"}}
+ - {"secretKey": "db_password", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "password"}}
+ - {"secretKey": "db_dbname", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "dbname"}}
+ - {"secretKey": "db_host", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "host"}}
+ target:
+ name: synapse-werts-config
+ template:
+ type: Opaque
+ data:
+ "homeserver.yaml": |
+ macaroon_secret_key: "{{.macaroon_secret_key}}"
+ form_secret: "{{.form_secret}}"
+ registration_shared_secret: "{{.registration_shared_secret}}"
+ password_config:
+ enabled: true
+ pepper: "{{ .pepper }}"
+
+ server_name: werts.us
+ public_baseurl: https://chat.werts.us/
+ pid_file: /data/homeserver.pid
+
+ media_store_path: "/data/media_store"
+ report_stats: false
+ trusted_key_servers:
+ - server_name: "matrix.org"
+ signing_key_path: "/data/my.matrix.host.signing.key"
+ limit_remote_rooms:
+ enabled: true
+ complexity: 0.0
+ complexity_error: "only admins are allowed to join federated rooms"
+ admins_can_join: true
+ allow_public_rooms_without_auth: false
+ allow_public_rooms_over_federation: false
+
+
+ listeners:
+ - port: 8008
+ tls: false
+ type: http
+ x_forwarded: true
+
+ resources:
+ - names: [client, federation]
+ compress: false
+ database:
+ name: psycopg2
+ args:
+ user: "{{ .db_user }}"
+ password: "{{ .db_password }}"
+ database: "{{ .db_dbname }}"
+ host: "{{ .db_host }}"
+ cp_min: 5
+ cp_max: 10
+ oidc_providers:
+ - idp_id: my_idp
+ idp_name: "werts.us"
+ discover: true
+ issuer: "https://auth.werts.us/realms/werts"
+ scopes: ["openid", "profile"]
+ skip_verification: true
+ user_mapping_provider:
+ config:
+ subject_claim: "preferred_username"
+ localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
+ display_name_template: "{{"{{"}} user.name {{"}}"}}"
+ email_template: "{{"{{"}} user.email {{"}}"}}"
+ client_id: "{{ .oidc_client_id }}"
+ client_secret: "{{ .oidc_client_secret }}"
diff --git a/matrix/secrets-oidc-sealed.yaml b/matrix/secrets-oidc-sealed.yaml
new file mode 100644
index 0000000..771ecf9
--- /dev/null
+++ b/matrix/secrets-oidc-sealed.yaml
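Review bot: `skip_verification: true` under `oidc_providers` switches off Synapse's validation of the discovered provider metadata (as I read the OIDC handler: issuer match, presence of the required endpoints, supported response types and ID-token signing algorithms), and the provider here is a Keycloak realm over HTTPS with `discover: true`, which needs no such bypass — it should be `skip_verification: false` or the line dropped, since false is the default. Separately, `subject_claim: "preferred_username"` ties the Synapse account to a claim an IdP may let users change or reuse after deletion, so a renamed or recycled username would be mapped onto an existing Matrix account; unless there is a known reason, remove that line so the default stable `sub` claim identifies the user and keep `localpart_template` for the visible localpart. Minor: `trusted_key_servers` lists `matrix.org` without `verify_keys`, which Synapse warns about at startup, so either add the published key or set `suppress_key_server_warning: true` deliberately. The rendered homeserver.yaml carries every secret in this ExternalSecret, so `refreshInterval: "5s"` re-reads all of them from the API every five seconds; values that only change on rotation do not need anything near that, and the ESO default of an hour would be adequate.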
@@ -0,0 +1,17 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: synapse-werts-secrets-oidc + namespace: synapse +spec: + encryptedData: + client_id: AgB0ydrAv3Gcz2mMtgfODxKWztp4IkAP9bPJ680xjKKjK9XnxPBsX9N3YOknMI33W5IQbO6kGaXQv0XCOVxsFyLh5U0DUOp3QIhzR7izLNhGPUqgveXm53A6ALgCB/EK1IXfNMAJZdkXpUDWIQv+zRtbLgpQ+3/p39ORbHdqyOxpHxsnCA5EJtVe2qIj68RVrkTXa7l2DWpD2S3ISCuIzobyN8Tlv9NW9LsRyq7aFaAI5ngYyGOcOAw4CSQ/H0mhv3ICoBBFtmMkv4SvsLvfHHxobibr+iDJ3+X3sExgQ4OkTpDfVhi2EcOgtcm/Vvp+1S5DZPfP9Cs5qfA0USdNNAl8Yt4OMAXtfyN9gkb5aKvNyk/VJA4Zmqre8fs1qmgAFwHfshzF2/Ag4CqjHdNNqrcTbSUxhL0W30MkAPUAvduVdePM9wCm8FZ3D4oar9D7kK3SlgpYHVKthTml06ppWdFrGSGa+9R0EKYT+SNpqErhYcisf3R6rLdk3n5DAUP4Srf7ET7xDiH7ntnqLI/PNn9163K6MVf7qlN9VgJdc5DpV2J3+yW8J3fdieVBqcvUwhAlkFLxlx9pY6bhIcwi0ZTNSkj8gOhmQDmOpa1hqo+Eyrc+P5zPDBa4+Nl2jWeQ7xAgmxpvJwWlj2vi6VB7XdSAc3uv0IFh0b3E5JE3x/yLYbX/DQODYZDM3vTXHjpMqENM00Tuzfg= + client_secret: AgBSUKoK1Ije4xhotG5IWvUt3+Saky4qxR/Otxq/ZCcsmeLX77Hg5FYCpzeoqG7DnJy2Y6ndZ6wVW2g6lD/Ch6+wrPN7sjo7Pl1qdr6n8cker9xDww0fkOvLMADVEuAxJZeU6fmGDiebaYtv3Y+gvbQHu4GcZkqEWQo/F5/xRAj2zBRCr8WmthOFnai0eVnqe/ay6PVBwCoTFlM6uMmDWF/Veb7C81QxIadtfcgGtt38eKoeSRflwYXxRaSfPR8i4xm9vICjUfkY1qHJkHVxhIT35EOQJALKfxq1Lftbv7LeN/pgWPUm/k9b32GSQcXykRza04fyZVKyeCEc9FlboOUrYLXdfNkxEwYJb0qEv+x28QoWCfnX2OH3u7fueJD1hCGi9OSqg5IWgqFwqJiBWIkpsPmd5LfF7+DTl+SVlMeGX7ldWfoXWoNiJMhjngKQTttccZ2IwpC+Rv7Ue9AB/4bo+uIKe0woxwPOr1HQwe1Rw8GFZ7LdsU3/TvEOy6dJqige062PlJfgtOnjVJVyyVIq6g5gnkguO9cgssDheBKfKrkcDRxL+9aGFuqaiw4pHKx6DscAS/ujn0DiEc1slX2owxaIUdCrkREKcECgr92zFHlJpi5gHV9PSXvES2h29LnycQkUIOpFq0wOSkRDOPizt/DNPTxbAP28F4828znU1+SIuJsxklt/uqOOElGbnK/ms9wcB0dvKprt255Q2pqtNVY9/Qt3CcxOs2o9T/nBsxN+V10+Af1X4+T40phmpR4BJUpxPr55HpNjBhaiXNiPY4Shvm7a3oiLWUnANbJNI/GOuUx9zw== + template: + metadata: + creationTimestamp: null + name: synapse-werts-secrets-oidc + namespace: synapse + type: Opaque + diff --git a/matrix/secrets-sealed.yaml b/matrix/secrets-sealed.yaml new file mode 100644 index 0000000..0721a38 
--- /dev/null +++ b/matrix/secrets-sealed.yaml @@ -0,0 +1,19 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: synapse-werts-secrets + namespace: synapse +spec: + encryptedData: + form_secret: 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 + macaroon_secret_key: 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 + password_config__pepper: 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 + registration_shared_secret: AgALJfyfX/hBVqavMkjOjEGEWoOat6yAbik7ueKv2YzHuND+lEJTIRI6yjgmmeKQed8zhjpZ0BHt5fWsm0cRj7FXjnaEtLJONFoZE6gS8+QNjU2Ictw7NUc9LF2XlS6UR+df09Z9/P+di43Dvoe04yp4brcVtr14OCijndsrbwKc0K2ReG2nFcqsQSsS0cJw0UqWQhfX/dEmMO/hwJxx+dANdh8ieOCbabQTPr+Io49v70CcvZl8AQM4E9zLA866rRqNvs6nY6AWv/BIABVy5+ftx0PcfLTpCZP59+ZKgpDLUBfGDM0xVfLDPn63urC9ct/hBG4O+Ct3ZU3GT+i66SaIPw2ttmRRLBsUWBknwayVnALmZ0ZRHEd/2//AHH10XonY4jEXpdUsPX1Nv3XBUYXJyfW6XARV4el1HGtge4+q2IwNXpClkbCGggWM0RJTxb55t6r7trMuBCPVJdqPeAFrlgmB5uYUK5E1uhnPM3iWr5rHCaG1l85SDSJAiUVoqjAauv6GTLBHDYeuiJBlb9c9nCM7i9sJKpJFjdJBs5X1O0OtEVMFombO9CzLHGmZPTJp9Sn0xTLsBHZvME6QgRana7sF4XsdQET+na3F416b9hzWApdx+2d0pfxQzuXJGASO10Rlk50YiXl67m3OdjCe/mp2TO0i4KttZ2OviDc7X98fgOVh/aKjEhgfRYyupDXmFJ498yjL3Z/CHnXT7/ubcLyVIWiwE7CEuo3PI57uQQ== + template: + metadata: + creationTimestamp: null + name: synapse-werts-secrets + namespace: synapse + type: Opaque + diff --git a/matrix/ss.yaml b/matrix/ss.yaml new file mode 100644 index 0000000..b53799a --- /dev/null +++ b/matrix/ss.yaml 
@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eso-store-sa
+ namespace: synapse
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: synapse
+ name: eso-store-role
+rules:
+- apiGroups: [""]
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ name: eso-store-rolebinding
+ namespace: synapse
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: eso-store-role
+subjects:
+- kind: ServiceAccount
+ name: eso-store-sa
+ namespace: synapse
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: secret-store-token
+ namespace: synapse
+ annotations:
+ kubernetes.io/service-account.name: eso-store-sa
+type: kubernetes.io/service-account-token
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: k8s-store
+ namespace: synapse
+spec:
+ provider:
+ kubernetes:
+ auth:
+ token:
+ bearerToken:
+ name: secret-store-token
+ key: token
+ remoteNamespace: synapse
+ server:
+ caProvider:
+ type: Secret
+ name: secret-store-token
+ key: ca.crt
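Review bot: `eso-store-role` grants `get`, `list` and `watch` on every Secret in the `synapse` namespace, while the store only needs to read three named secrets by key, so anyone holding the `secret-store-token` bearer token (itself a plaintext Secret in the same namespace) can dump every secret there, including the rendered homeserver config. Pin the first rule with `resourceNames: [synapse-werts-secrets, synapse-werts-secrets-oidc, synapse-werts-db-pguser-synapse-werts-db]` and drop `list`/`watch` unless store validation turns out to need them: resourceNames only constrains those two verbs when the client sends a matching `metadata.name` field selector, and as far as I can tell ESO's Kubernetes provider resolves a `remoteRef.key` with a plain get. The `kubernetes.io/service-account-token` Secret also mints a non-expiring token; if the ESO controller may create tokens, the provider's `auth.serviceAccount` mode obtains short-lived ones via TokenRequest and the static Secret can go, which also removes the need to source `ca.crt` from it. The `selfsubjectrulesreviews` rule is what ESO uses to validate the store and should stay.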