matrix

Author: ildoc

ansible/inventory/group_vars/all.yml

@@ -121,9 +121,8 @@ external_secrets:
   vault_token: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/external-secrets:vault_token') }}"
 
 invidious:
-  # db_user: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/invidious:db_user') }}"
   db_user: invidious_user
-  db_password: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/invidious:db_password') }}"
+  db_password: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/invidious:postgres_password') }}"
   db_name: invidious_db
   db_host: "192.168.0.30"
   visitor_data: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/invidious:visitor_data') }}"
@@ -154,59 +153,44 @@ db:
           - pg_trgm
           - btree_gin
 
-      # - name: harbor_registry
-      #   owner: harbor_user
-      #   encoding: UTF8
-      #   lc_collate: en_US.UTF-8
-      #   lc_ctype: en_US.UTF-8
-        
-      # - name: harbor_notary_server
-      #   owner: harbor_user
-      #   encoding: UTF8
-      #   lc_collate: en_US.UTF-8
-      #   lc_ctype: en_US.UTF-8
-
-      # - name: harbor_notary_signer
-      #   owner: harbor_user
-      #   encoding: UTF8
-      #   lc_collate: en_US.UTF-8
-      #   lc_ctype: en_US.UTF-8
-
       - name: authentik_db
         owner: authentik_user
         encoding: UTF8
         lc_collate: en_US.UTF-8
         lc_ctype: en_US.UTF-8
-
 
+      - name: matrix_db
+        owner: matrix_user
+        encoding: UTF8
+        lc_collate: en_US.UTF-8
+        lc_ctype: en_US.UTF-8
+
     users:
       # Utenti applicativi con accesso completo al loro database
       - name: invidious_user
-        password: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/invidious:db_password') }}"
+        password: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/invidious:postgres_password') }}"
         databases:
           - invidious_db
         privileges: ALL
         table_privs: ALL
         sequence_privs: ALL
 
-      # - name: harbor_user
-      #   password: "{{ lookup('community.hashi_vault.hashi_vault', 'cross/data/apps/harbor:db_password') }}"
-      #   databases:
-      #     - harbor_registry
-      #     - harbor_notary_server
-      #     - harbor_notary_signer
-      #   privileges: ALL
-      #   table_privs: ALL
-      #   sequence_privs: ALL
-
       - name: authentik_user
-        password: "{{ lookup('community.hashi_vault.hashi_vault', 'cross/data/apps/authentik:db_password') }}"
+        password: "{{ lookup('community.hashi_vault.hashi_vault', 'cross/data/apps/authentik:postgres_password') }}"
         databases:
           - authentik_db
         privileges: ALL
         table_privs: ALL
         sequence_privs: ALL
 
+      - name: matrix_user
+        password: "{{ lookup('community.hashi_vault.hashi_vault', 'cross/data/apps/matrix:postgres_password') }}"
+        databases:
+          - matrix_db
+        privileges: ALL
+        table_privs: ALL
+        sequence_privs: ALL
+
 redis:
   config:
     appendonly: true

gl-sast-report.json

@@ -0,0 +1,52 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: element-config
+  namespace: apps
+data:
+  config.json: |
+    {
+      "default_server_config": {
+        "m.homeserver": {
+          "base_url": "https://matrix.ildoc.it",
+          "server_name": "matrix.ildoc.it"
+        }
+      },
+      "brand": "Element",
+      "default_country_code": "IT",
+      "default_federate": true,
+      "default_theme": "dark",
+      "disable_custom_urls": false,
+      "disable_guests": true,
+      "disable_login_language_selector": false,
+      "disable_3pid_login": false,
+      "enable_presence_by_hs_url": {
+        "https://matrix.ildoc.it": true
+      },
+      "setting_defaults": {
+        "breadcrumbs": true,
+        "UIFeature.urlPreviews": true,
+        "UIFeature.feedback": false,
+        "UIFeature.voip": true,
+        "UIFeature.widgets": true,
+        "UIFeature.flair": false,
+        "UIFeature.communities": false,
+        "UIFeature.advanced": true
+      },
+      "show_labs_settings": true,
+      "features": {
+        "feature_video_rooms": true,
+        "feature_element_call_video_rooms": true,
+        "feature_group_calls": true
+      },
+      "room_directory": {
+        "servers": [
+          "matrix.ildoc.it"
+        ]
+      },
+      "enable_encryption_by_default_for_dms": true,
+      "permalink_prefix": "https://matrix.to",
+      "update_base_url": "https://packages.element.io/desktop/update/",
+      "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
+    }

kubernetes/applications/element/configmap.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: element-web
+  namespace: apps
+spec:
+  selector:
+    matchLabels:
+      app: element-web
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+  revisionHistoryLimit: 3
+  template:
+    metadata:
+      labels:
+        app: element-web
+    spec:
+      containers:
+        - name: element-web
+          image: vectorim/element-web:v1.11.88
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          volumeMounts:
+            - name: config
+              mountPath: /app/config.json
+              subPath: config.json
+              readOnly: true
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 50m
+              memory: 64Mi
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+      volumes:
+        - name: config
+          configMap:
+            name: element-config

kubernetes/applications/element/deployment.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: element-web
+  namespace: apps
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app: element-web

kubernetes/applications/element/service.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cloudflared-matrix-stack-config
+  namespace: apps
+data:
+  config.yaml: |
+    tunnel: YOUR-TUNNEL-ID
+    credentials-file: /etc/cloudflared/credentials/credentials.json
+    
+    # Metrics endpoint
+    metrics: 0.0.0.0:2000
+    
+    # Ingress rules per Matrix + Element
+    ingress:
+      # Element Web - deve essere PRIMA per evitare conflitti
+      - hostname: element.ildoc.it
+        service: http://element-web.apps.svc.cluster.local:80
+        originRequest:
+          noTLSVerify: false
+          connectTimeout: 30s
+      
+      # Matrix Client API
+      - hostname: matrix.ildoc.it
+        service: http://matrix-synapse.apps.svc.cluster.local:8008
+        originRequest:
+          noTLSVerify: false
+          connectTimeout: 30s
+          tlsTimeout: 10s
+      
+      # Matrix Federation API (path-based routing)
+      - hostname: matrix.ildoc.it
+        path: /_matrix/federation/*
+        service: http://matrix-synapse.apps.svc.cluster.local:8448
+        originRequest:
+          noTLSVerify: false
+      
+      # Catch-all (obbligatorio)
+      - service: http_status:404

kubernetes/applications/matrix/cloudflared/configmap.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cloudflared-matrix-stack
+  namespace: apps
+spec:
+  selector:
+    matchLabels:
+      app: cloudflared-matrix-stack
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+  revisionHistoryLimit: 3
+  template:
+    metadata:
+      labels:
+        app: cloudflared-matrix-stack
+    spec:
+      containers:
+        - name: cloudflared
+          image: cloudflare/cloudflared:2024.12.2
+          args:
+            - tunnel
+            - --config
+            - /etc/cloudflared/config.yaml
+            - run
+          volumeMounts:
+            - name: config
+              mountPath: /etc/cloudflared
+              readOnly: true
+            - name: credentials
+              mountPath: /etc/cloudflared/credentials
+              readOnly: true
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          livenessProbe:
+            httpGet:
+              path: /ready
+              port: 2000
+            initialDelaySeconds: 30
+            periodSeconds: 30
+      volumes:
+        - name: config
+          configMap:
+            name: cloudflared-matrix-stack-config
+        - name: credentials
+          secret:
+            secretName: cloudflared-matrix-stack-credentials

kubernetes/applications/matrix/cloudflared/deployment.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-cloudflared-matrix-stack-credentials
+  namespace: apps
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: vault-kubernetes-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: cloudflared-matrix-stack-credentials
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        credentials.json: |
+          {
+            "AccountTag": "{{ .account_tag }}",
+            "TunnelSecret": "{{ .tunnel_secret }}",
+            "TunnelID": "{{ .tunnel_id }}"
+          }
+  data:
+  - secretKey: account_tag
+    remoteRef:
+      key: kubernetes/data/apps/matrix-stack/cloudflared
+      property: account_tag
+  - secretKey: tunnel_secret
+    remoteRef:
+      key: kubernetes/data/apps/matrix-stack/cloudflared
+      property: tunnel_secret
+  - secretKey: tunnel_id
+    remoteRef:
+      key: kubernetes/data/apps/matrix-stack/cloudflared
+      property: tunnel_id