ildoc
diff --git a/‎kubernetes/matrix/cloudflared-configmap.yaml‎
Lines changed: 42 additions & 0 deletions b/‎kubernetes/matrix/cloudflared-configmap.yaml‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎kubernetes/matrix/cloudflared-deployment.yaml‎
Lines changed: 56 additions & 0 deletions b/‎kubernetes/matrix/cloudflared-deployment.yaml‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎kubernetes/matrix/cloudflared-secret.yaml‎
Lines changed: 38 additions & 0 deletions b/‎kubernetes/matrix/cloudflared-secret.yaml‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎kubernetes/matrix/configmap.yaml‎
Lines changed: 112 additions & 0 deletions b/‎kubernetes/matrix/configmap.yaml‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎kubernetes/matrix/deployment.yaml‎
Lines changed: 128 additions & 0 deletions b/‎kubernetes/matrix/deployment.yaml‎
Lines changed: 128 additions & 0 deletions
@@ -0,0 +1,42 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cloudflared-matrix-stack-config
+  namespace: apps
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+data:
+  config.yaml: |
+    tunnel: YOUR-TUNNEL-ID
+    credentials-file: /etc/cloudflared/credentials/credentials.json
+    
+    # Metrics endpoint
+    metrics: 0.0.0.0:2000
+    
+    # Ingress rules per Matrix + Element
+    ingress:
+      # Element Web - deve essere PRIMA per evitare conflitti
+      - hostname: element.ildoc.it
+        service: http://element-web.apps.svc.cluster.local:80
+        originRequest:
+          noTLSVerify: false
+          connectTimeout: 30s
+      
+      # Matrix Client API
+      - hostname: matrix.ildoc.it
+        service: http://matrix-synapse.apps.svc.cluster.local:8008
+        originRequest:
+          noTLSVerify: false
+          connectTimeout: 30s
+          tlsTimeout: 10s
+      
+      # Matrix Federation API (path-based routing)
+      - hostname: matrix.ildoc.it
+        path: /_matrix/federation/*
+        service: http://matrix-synapse.apps.svc.cluster.local:8448
+        originRequest:
+          noTLSVerify: false
+      
+      # Catch-all (obbligatorio)
+      - service: http_status:404
@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cloudflared-matrix-stack
+  namespace: apps
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+spec:
+  selector:
+    matchLabels:
+      app: cloudflared-matrix-stack
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+  revisionHistoryLimit: 3
+  template:
+    metadata:
+      labels:
+        app: cloudflared-matrix-stack
+    spec:
+      containers:
+        - name: cloudflared
+          image: cloudflare/cloudflared:2024.12.2
+          args:
+            - tunnel
+            - --config
+            - /etc/cloudflared/config.yaml
+            - run
+          volumeMounts:
+            - name: config
+              mountPath: /etc/cloudflared
+              readOnly: true
+            - name: credentials
+              mountPath: /etc/cloudflared/credentials
+              readOnly: true
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          livenessProbe:
+            httpGet:
+              path: /ready
+              port: 2000
+            initialDelaySeconds: 30
+            periodSeconds: 30
+      volumes:
+        - name: config
+          configMap:
+            name: cloudflared-matrix-stack-config
+        - name: credentials
+          secret:
+            secretName: cloudflared-matrix-stack-credentials
@@ -0,0 +1,38 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-cloudflared-matrix-stack-credentials
+  namespace: apps
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: vault-kubernetes-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: cloudflared-matrix-stack-credentials
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        credentials.json: |
+          {
+            "AccountTag": "{{ .account_tag }}",
+            "TunnelSecret": "{{ .tunnel_secret }}",
+            "TunnelID": "{{ .tunnel_id }}"
+          }
+  data:
+  - secretKey: account_tag
+    remoteRef:
+      key: kubernetes/data/apps/matrix/cloudflared
+      property: account_tag
+  - secretKey: tunnel_secret
+    remoteRef:
+      key: kubernetes/data/apps/matrix/cloudflared
+      property: tunnel_secret
+  - secretKey: tunnel_id
+    remoteRef:
+      key: kubernetes/data/apps/matrix/cloudflared
+      property: tunnel_id
@@ -0,0 +1,112 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-config
+  namespace: apps
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+data:
+  homeserver.yaml: |
+    server_name: "matrix.ildoc.it"
+    public_baseurl: "https://matrix.ildoc.it"
+    
+    listeners:
+      - port: 8008
+        tls: false
+        type: http
+        x_forwarded: true
+        bind_addresses: ['0.0.0.0']
+        resources:
+          - names: [client, federation]
+            compress: false
+
+    # Database - usa env vars
+    database:
+      name: psycopg2
+      args:
+        user: ${POSTGRES_USER}
+        password: ${POSTGRES_PASSWORD}
+        database: ${POSTGRES_DB}
+        host: ${POSTGRES_HOST}
+        port: ${POSTGRES_PORT}
+        cp_min: 5
+        cp_max: 10
+
+    # Redis - usa env vars con username
+    redis:
+      enabled: true
+      host: ${SYNAPSE_REDIS_HOST}
+      port: ${SYNAPSE_REDIS_PORT}
+      password: ${SYNAPSE_REDIS_PASSWORD}
+
+    log_config: "/data/log.config"
+    media_store_path: "/data/media_store"
+    max_upload_size: "50M"
+    max_image_pixels: "32M"
+    url_preview_enabled: false
+    
+    enable_registration: false
+    enable_registration_without_verification: false
+    registration_requires_token: false
+    
+    # Usa env vars per i secret
+    registration_shared_secret: ${REGISTRATION_SHARED_SECRET}
+    macaroon_secret_key: ${MACAROON_SECRET_KEY}
+    form_secret: ${FORM_SECRET}
+    
+    enable_3pid_lookup: false
+    allow_public_rooms_without_auth: false
+    allow_public_rooms_over_federation: false
+    
+    rc_message:
+      per_second: 0.2
+      burst_count: 10
+    
+    rc_registration:
+      per_second: 0.17
+      burst_count: 3
+    
+    rc_login:
+      address:
+        per_second: 0.17
+        burst_count: 3
+      account:
+        per_second: 0.17
+        burst_count: 3
+      failed_attempts:
+        per_second: 0.17
+        burst_count: 3
+    
+    federation_domain_whitelist: []
+    signing_key_path: "/data/keys/signing.key"
+    
+    trusted_key_servers:
+      - server_name: "matrix.org"
+    
+    report_stats: false
+    enable_metrics: true
+    metrics_port: 9000
+
+  log.config: |
+    version: 1
+    
+    formatters:
+      precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+    
+    handlers:
+      console:
+        class: logging.StreamHandler
+        formatter: precise
+        stream: ext://sys.stdout
+    
+    loggers:
+        synapse.storage.SQL:
+            level: INFO
+    
+    root:
+      level: INFO
+      handlers: [console]
+    
+    disable_existing_loggers: false
@@ -0,0 +1,128 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-synapse
+  namespace: apps
+  annotations:
+    argocd.argoproj.io/sync-wave: "4"
+spec:
+  selector:
+    matchLabels:
+      app: matrix-synapse
+  strategy:
+    type: Recreate
+  revisionHistoryLimit: 3
+  template:
+    metadata:
+      labels:
+        app: matrix-synapse
+    spec:
+      containers:
+        - name: synapse
+          image: ghcr.io/element-hq/synapse:v1.123.0
+          env:
+            - name: SYNAPSE_SERVER_NAME
+              value: "matrix.ildoc.it"
+            - name: SYNAPSE_REPORT_STATS
+              value: "no"
+            - name: UID
+              value: "991"
+            - name: GID
+              value: "991"
+            - name: TZ
+              value: "Europe/Rome"
+            
+            # PostgreSQL configuration (da cross-secrets)
+            - name: POSTGRES_HOST
+              value: "192.168.0.40"
+            - name: POSTGRES_PORT
+              value: "5432"
+            - name: POSTGRES_DB
+              value: "matrix_db"
+            - name: POSTGRES_USER
+              value: "matrix_user"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-cross-secrets  # DA CROSS
+                  key: postgres-password
+            
+            - name: SYNAPSE_REDIS_HOST
+              value: "matrix-redis.apps.svc.cluster.local"  # Service interno
+            - name: SYNAPSE_REDIS_PORT
+              value: "6379"
+            - name: SYNAPSE_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-redis-secret
+                  key: password
+            
+            # Synapse secrets (da k8s-secrets)
+            - name: REGISTRATION_SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-k8s-secrets  # DA KUBERNETES
+                  key: registration-shared-secret
+            - name: MACAROON_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-k8s-secrets  # DA KUBERNETES
+                  key: macaroon-secret-key
+            - name: FORM_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-k8s-secrets  # DA KUBERNETES
+                  key: form-secret
+          
+          ports:
+            - containerPort: 8008
+              name: http
+              protocol: TCP
+            - containerPort: 8448
+              name: federation
+              protocol: TCP
+          
+          volumeMounts:
+            - name: data
+              mountPath: /data
+            - name: config
+              mountPath: /data/homeserver.yaml
+              subPath: homeserver.yaml
+            - name: config
+              mountPath: /data/log.config
+              subPath: log.config
+          
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 4Gi
+            requests:
+              cpu: 500m
+              memory: 1Gi
+          
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+          
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+      
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: matrix-synapse
+        - name: config
+          configMap:
+            name: matrix-config