From 8e2ea971c9b7e914dbcb777cbb461db70c3b5929 Mon Sep 17 00:00:00 2001 From: djpbessems Date: Tue, 8 Dec 2020 23:03:57 +0100 Subject: [PATCH] Installed Matrix (Synapse/Element) w/ required housekeeping --- README.md | 26 ++- ingress/Traefik2.x/configMap-Traefik.yml | 1 + ...lient.yml => secret-DDclient.yml.template} | 2 +- services/Lighttpd/configMap-Lighttpd.yml | 3 + services/Matrix/configMap-Matrix.yml | 56 ++++++ services/Matrix/deploy-Matrix.yml | 177 ++++++++++++++++++ services/Matrix/middleware-Matrix.yml | 18 ++ services/Unifi/deploy-Unifi.yml | 6 +- 8 files changed, 284 insertions(+), 5 deletions(-) rename services/DDclient/{secret-DDclient.yml => secret-DDclient.yml.template} (91%) create mode 100644 services/Matrix/configMap-Matrix.yml create mode 100644 services/Matrix/deploy-Matrix.yml create mode 100644 services/Matrix/middleware-Matrix.yml diff --git a/README.md b/README.md index d879268..0e82653 100644 --- a/README.md +++ b/README.md @@ -101,8 +101,8 @@ parameters: Then make this the new default `storageClass`: ``` kubectl patch storageclass longhorn-dailybackup -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' -kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' -kubectl delete storageclass longhorn +#kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' +#kubectl delete storageclass longhorn ``` ### 2) Ingress Controller 
@@ -253,6 +253,13 @@ kubectl apply -f services/Lighttpd/configMap-Lighttpd.yml kubectl apply -f services/Lighttpd/deploy-Lighttpd.yml kubectl apply -f services/Lighttpd/cronJob-Spotweb.yml ``` +##### 4.8) [Matrix]() (federated chat) +*WIP* +``` +kubectl apply -f services/Matrix/configMap-Matrix.yml +kubectl apply -f services/Matrix/middleware-Matrix.yml +kubectl apply -f services/Matrix/deploy-Matrix.yml +``` ##### 4.8) PVR `namespace` (automated media management) *Containers use shared resources to be able to interact with downloaded files* ``` @@ -303,6 +310,21 @@ kubectl apply -f services/Theia/deploy-Theia.yml ``` kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml ``` +##### 4.12) [Unifi-Controller]() (wlan AP management) +``` +kubectl apply -f services/Unifi/deploy-Unifi.yml +``` +*Change STUN port to non-default:* +``` +kubectl exec --namespace unifi -it unifi- -- /bin/bash +sed -e 's/# unifi.stun.port=3478/unifi.stun.port=3479/' -i /data/system.properties +exit +kubectl rollout restart deployment --namespace unifi unifi +``` +*Update STUN url on devices:* doesn't seem to work +ssh @ +sed -e 's|stun://|stun://:3479|' -i /etc/persistent/cfg/mgmt +``` ### 5) Miscellaneous *Various notes/useful links* diff --git a/ingress/Traefik2.x/configMap-Traefik.yml b/ingress/Traefik2.x/configMap-Traefik.yml index 3bb44bc..5578cd4 100644 --- a/ingress/Traefik2.x/configMap-Traefik.yml +++ b/ingress/Traefik2.x/configMap-Traefik.yml @@ -25,6 +25,7 @@ data: - main: '*.spamasaurus.com' sans: - 'spamasaurus.com' + - main: '*.chat.spamasaurus.com' - main: '*.bessems.com' sans: - 'bessems.com' diff --git a/services/DDclient/secret-DDclient.yml b/services/DDclient/secret-DDclient.yml.template similarity index 91% rename from services/DDclient/secret-DDclient.yml rename to services/DDclient/secret-DDclient.yml.template index 5790314..ffa884c 100644 --- a/services/DDclient/secret-DDclient.yml +++ b/services/DDclient/secret-DDclient.yml.template 
@@ -14,7 +14,7 @@ stringData: ssl=yes ttl=1 login=cloudflare.com.danny@spamasaurus.com - password=9ec5ad8d1e8c6240c5488bb61b7bcd7bdc0fc + password= zone=bessems.com bessems.com diff --git a/services/Lighttpd/configMap-Lighttpd.yml b/services/Lighttpd/configMap-Lighttpd.yml index ec983ac..6be68b1 100644 --- a/services/Lighttpd/configMap-Lighttpd.yml +++ b/services/Lighttpd/configMap-Lighttpd.yml @@ -56,6 +56,9 @@ data: index-file.names += ("spamasaurusRex.login.php") } + $HTTP["url"] =~ "^/.well-known/" { + mimetype.assign += ( "server" => "application/json" ) + } sw.itch.fyi.conf: | $HTTP["host"] == "sw.itch.fyi" { server.document-root = "/var/www/sw.itch.fyi/" diff --git a/services/Matrix/configMap-Matrix.yml b/services/Matrix/configMap-Matrix.yml new file mode 100644 index 0000000..e57003c --- /dev/null +++ b/services/Matrix/configMap-Matrix.yml 
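Review bot: The removed `password=` line appears to be a live Cloudflare credential, and renaming the file to `.template` does not remove it from the repository history, so the token should be rotated (and the history rewritten if this repository is shared). The template leaves `password=` empty, which tells a reader nothing about what belongs there; `password=<CLOUDFLARE_API_TOKEN>` or a comment such as `# fill in the Cloudflare API token/key for the login above` would make that explicit. Add the rendered file name, `services/DDclient/secret-DDclient.yml`, to `.gitignore` so a filled-in copy is not committed again.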
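Review bot: The new `^/.well-known/` block maps only the `server` suffix to `application/json`; if `/.well-known/matrix/client` is served from the same document root, which the Element deployment pointing at `synapse.chat.spamasaurus.com` suggests, that file also needs the JSON type and, per the Matrix client-server spec, an `Access-Control-Allow-Origin: *` response header. That would be `mimetype.assign += ( "server" => "application/json", "client" => "application/json" )` together with `setenv.add-response-header += ( "Access-Control-Allow-Origin" => "*" )`, the latter requiring `mod_setenv` to be loaded. Note that `mimetype.assign` matches by filename suffix, so `"server"` applies to any file ending in that string under `.well-known/`; the enclosing vhost conditional starts outside the hunk, so it is not visible here which host this block applies to.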
@@ -0,0 +1,56 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: configmap-matrix-config +data: + config.json: | + { + "default_server_config": { + "m.homeserver": { + "base_url": "https://synapse.chat.spamasaurus.com", + "server_name": "Familie Bessems" + }, + "m.identity_server": { + "base_url": "https://vector.im" + } + }, + "disable_custom_urls": true, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Element", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": [ + "https://scalar.vector.im/_matrix/integrations/v1", + "https://scalar.vector.im/api", + "https://scalar-staging.vector.im/_matrix/integrations/v1", + "https://scalar-staging.vector.im/api", + "https://scalar-staging.riot.im/scalar/api" + ], + "bug_report_endpoint_url": "https://element.io/bugreports/submit", + "defaultCountryCode": "NL", + "showLabsSettings": true, + "features": { + "feature_new_spinner": true + }, + "default_federate": true, + "default_theme": "light", + "roomDirectory": { + "servers": [ + "matrix.org" + ] + }, + "piwik": false, + "enable_presence_by_hs_url": { + "https://matrix.org": false, + "https://matrix-client.matrix.org": false + }, + "settingDefaults": { + "breadcrumbs": true, + "UIFeature.communities": false + }, + "jitsi": { + "preferredDomain": "jitsi.riot.im" + } + } diff --git a/services/Matrix/deploy-Matrix.yml b/services/Matrix/deploy-Matrix.yml new file mode 100644 index 0000000..85ec180 --- /dev/null +++ b/services/Matrix/deploy-Matrix.yml 
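Review bot: `bug_report_endpoint_url` points at `https://element.io/bugreports/submit`, so a user who submits a bug report from this self-hosted client sends their client logs to a third party; if that is not intended, drop the key (Element disables bug-report submission when it is unset) or point it at an endpoint you operate. Similarly `m.identity_server` delegates third-party-ID lookups to `https://vector.im`; that is the stock default and may well be intended, but a one-line comment above `config.json:` listing the external services this client is configured to talk to would make the choice reviewable, e.g. `# external endpoints: vector.im (identity), scalar.vector.im (integrations), element.io (bug reports), jitsi.riot.im`.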
@@ -0,0 +1,177 @@ +apiVersion: v1 +kind: Service +metadata: + name: matrix +spec: + ports: + - protocol: TCP + name: synapse + port: 8008 + - protocol: TCP + name: db + port: 5432 + - protocol: TCP + name: element + port: 80 + selector: + app: matrix +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix + labels: + app: matrix +spec: + replicas: 1 + selector: + matchLabels: + app: matrix + template: + metadata: + labels: + app: matrix + spec: + containers: + - name: synapse + image: bv11-cr01.bessems.eu/proxy/matrixdotorg/synapse:latest +# args: +# - generate + env: +# - name: SYNAPSE_SERVER_NAME +# value: spamasaurus.com +# - name: SYNAPSE_REPORT_STATS +# value: 'no' + - name: SYNAPSE_CONFIG_PATH + value: /data/homeserver.yaml + ports: + - name: synapse + containerPort: 8008 + volumeMounts: + - mountPath: /data + name: flexvolsmb-matrix-data + - name: postgres + image: bv11-cr01.bessems.eu/proxy/library/postgres:alpine + env: + - name: POSTGRES_USER + value: synapse + - name: POSTGRES_PASSWORD + value: synapse + - name: POSTGRES_INITDB_ARGS + value: --encoding=UTF-8 --lc-collate=C --lc-ctype=C + ports: + - name: db + containerPort: 5432 + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: flexvolsmb-matrix-db + - name: element + image: bv11-cr01.bessems.eu/proxy/vectorim/element-web + ports: + - name: element + containerPort: 80 + volumeMounts: + - name: configmap-matrix-config + mountPath: /usr/share/nginx/html/config.json + subPath: config.json + volumes: + - name: flexvolsmb-matrix-data + persistentVolumeClaim: + claimName: flexvolsmb-matrix-data + - name: flexvolsmb-matrix-db + persistentVolumeClaim: + claimName: flexvolsmb-matrix-db + - name: configmap-matrix-config + configMap: + name: configmap-matrix-config +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: matrix +spec: + entryPoints: + - websecure + routes: + - match: Host(`synapse.chat.spamasaurus.com`) + kind: Rule + services: + - name: 
matrix + port: 8008 + middlewares: + - name: security-headers@file + - name: compression@file + - name: matrix-cors-headers + - match: Host(`chat.spamasaurus.com`) + kind: Rule + services: + - name: matrix + port: 80 + middlewares: + - name: security-headers@file + - name: compression@file + - name: matrix-cors-headers +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: flexvolsmb-matrix-data +spec: + capacity: + storage: 1Gi + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-matrix-data + flexVolume: + driver: mount/smb + secretRef: + name: smb-secret + options: + opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8 + server: 192.168.11.225 + share: /K3s.Volumes/matrix/data +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: flexvolsmb-matrix-data + namespace: default +spec: + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-matrix-data + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: flexvolsmb-matrix-db +spec: + capacity: + storage: 1Gi + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-matrix-db + flexVolume: + driver: mount/smb + secretRef: + name: smb-secret + options: + opts: domain=bessems.eu,file_mode=0600,dir_mode=0700,uid=70,gid=70,iocharset=utf8,nobrl + server: 192.168.11.225 + share: /K3s.Volumes/matrix/db +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: flexvolsmb-matrix-db + namespace: default +spec: + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-matrix-db + resources: + requests: + storage: 1Gi diff --git a/services/Matrix/middleware-Matrix.yml b/services/Matrix/middleware-Matrix.yml new file mode 100644 index 0000000..c4f3e25 --- /dev/null +++ b/services/Matrix/middleware-Matrix.yml 
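Review bot: The Postgres credentials are hard-coded as plain `value:` strings (`POSTGRES_PASSWORD: synapse`) in the Deployment, and the `matrix` Service additionally publishes the `db` port 5432 cluster-wide, so any workload in the cluster can reach the database with a password that is committed to the repository. Move the user and password into a Secret referenced through `valueFrom.secretKeyRef` (Synapse's own `homeserver.yaml` on the data volume must carry the matching value, which is outside this commit), and drop the `db` entry from the Service, since the synapse and postgres containers share a pod and can talk over `localhost:5432`. The image tags `synapse:latest` and `postgres:alpine` are unpinned, and an unplanned Postgres major-version bump will refuse to start against the existing data directory, so pin both to explicit versions. Note also that `config.json` is mounted with `subPath`; subPath mounts of a ConfigMap are not refreshed when the ConfigMap changes, so a `rollout restart` is needed after editing it, which is worth a comment on the `volumeMounts` entry.
```yaml
      - name: postgres
        image: bv11-cr01.bessems.eu/proxy/library/postgres:alpine
        env:
        - name: POSTGRES_USER
          valueFrom:
            secretKeyRef:
              name: matrix-db-credentials  # placeholder: Secret created out of band, not committed
              key: username
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: matrix-db-credentials  # placeholder, same Secret as above
              key: password
        # … unchanged: POSTGRES_INITDB_ARGS, ports, volumeMounts …
```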
@@ -0,0 +1,18 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: matrix-cors-headers +spec: + headers: + accessControlAllowHeaders: + - "Authorization" + - "Content-Type" + accessControlAllowMethods: + - "GET" + - "OPTIONS" + - "PUT" + accessControlAllowOriginList: + - "https://chat.spamasaurus.com" + - "https://synapse.chat.spamasaurus.com" + accessControlMaxAge: 100 + addVaryHeader: true diff --git a/services/Unifi/deploy-Unifi.yml b/services/Unifi/deploy-Unifi.yml index 2e3b48e..4aefae7 100644 --- a/services/Unifi/deploy-Unifi.yml +++ b/services/Unifi/deploy-Unifi.yml @@ -41,7 +41,7 @@ spec: ports: - protocol: UDP name: stun - port: 3478 + port: 3479 - protocol: UDP name: discovery port: 10001 @@ -60,6 +60,8 @@ spec: selector: matchLabels: app: unifi + strategy: + type: Recreate template: metadata: labels: @@ -78,7 +80,7 @@ spec: - name: syslog containerPort: 5514 - name: stun - containerPort: 3478 + containerPort: 3479 protocol: UDP - name: discovery containerPort: 10001
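Review bot: The `accessControlAllowMethods` list stops at `GET`/`OPTIONS`/`PUT`, but the Matrix client-server API also uses `POST` (login, for example) and `DELETE` (device removal), and the spec's recommended CORS set is `GET, POST, PUT, DELETE, OPTIONS` with `Origin, X-Requested-With, Content-Type, Accept, Authorization` as allowed headers; add `- "POST"` and `- "DELETE"` to the methods and the missing header names to `accessControlAllowHeaders`. Synapse emits its own CORS headers on client API responses, so attaching this middleware to the `synapse.chat.spamasaurus.com` route in deploy-Matrix.yml likely duplicates or conflicts with them; confirm which should win, or apply the middleware to the Element route only. `accessControlMaxAge: 100` is a very short preflight cache (100 seconds); if that is deliberate, a comment saying why would help the next reader.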