137705bfe0
Personal homeserver with bridges deferred. Single host
matrix.{cluster.domain} with path-based routing: /_matrix, /_synapse,
/.well-known/matrix → Synapse; / → Element Web. Both share matrix-tls.
Stack: ananace/matrix-synapse + element-web charts, CNPG postgres
(LC_COLLATE=C), in-cluster alpine redis (no auth, replaces bitnami
subchart), mittwald-generated synapse-secrets for registration_shared/
macaroon/form_secret, custom idempotent signing-key init Job (replaces
chart's bitnami/kubectl publisher).
Sync waves:
-3 Namespace
-2 synapse-secrets (mittwald head-start), signing-key RBAC
-1 signing-key Job, CNPG Cluster, redis
0 Synapse, Element, Ingress
Synapse pod waits in extraCommands until synapse-secrets is populated,
then writes zz-overrides.yaml to override chart placeholders for the
three secret values without churning the chart-managed Secret on every
render. Resources tightened for 1-2 user scale: Synapse 256Mi/512Mi,
Postgres 64Mi/128Mi.
ArgoCD destination.namespace overridden to matrix via prototype-level
argocd overlay so both apps share the matrix ns instead of creating
unused matrix-synapse and element-web namespaces.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
85 lines
2.5 KiB
YAML
85 lines
2.5 KiB
YAML
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
argocd.argoproj.io/sync-options: Replace=true,Force=true
|
|
argocd.argoproj.io/sync-wave: "-1"
|
|
name: synapse-signing-key-init
|
|
namespace: matrix
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
set -e
|
|
SECRET="synapse-signing-key"
|
|
if kubectl get secret "${SECRET}" -n "${NAMESPACE}" >/dev/null 2>&1; then
|
|
echo "Secret ${SECRET} already exists, skipping"
|
|
exit 0
|
|
fi
|
|
kubectl create secret generic "${SECRET}" \
|
|
--namespace="${NAMESPACE}" \
|
|
--from-file=signing.key=/shared/signing.key
|
|
echo "Created secret ${SECRET}"
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
image: alpine/k8s:1.32.3
|
|
name: store
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
volumeMounts:
|
|
- mountPath: /shared
|
|
name: shared
|
|
readOnly: true
|
|
initContainers:
|
|
- command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
set -e
|
|
if [ -f /shared/signing.key ]; then
|
|
exit 0
|
|
fi
|
|
if command -v generate_signing_key >/dev/null 2>&1; then
|
|
generate_signing_key -o /shared/signing.key
|
|
else
|
|
generate_signing_key.py -o /shared/signing.key
|
|
fi
|
|
image: ghcr.io/element-hq/synapse:v1.152.0
|
|
name: generate
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
volumeMounts:
|
|
- mountPath: /shared
|
|
name: shared
|
|
restartPolicy: OnFailure
|
|
securityContext:
|
|
fsGroup: 991
|
|
runAsGroup: 991
|
|
runAsNonRoot: true
|
|
runAsUser: 991
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
serviceAccountName: synapse-signing-key-init
|
|
volumes:
|
|
- emptyDir:
|
|
medium: Memory
|
|
sizeLimit: 1Mi
|
|
name: shared
|
|
ttlSecondsAfterFinished: 300
|