titan-iac/services/comms/helmrelease.yaml

# services/comms/helmrelease.yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: othrys-synapse
  namespace: comms
spec:
  interval: 30m
  chart:
    spec:
      chart: matrix-synapse
      version: 3.12.17
      sourceRef:
        kind: HelmRepository
        name: ananace
        namespace: flux-system
  install:
    remediation: { retries: 3 }
    timeout: 15m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 15m
  values:
    serverName: live.bstein.dev
    publicServerName: matrix.live.bstein.dev

    config:
      publicBaseurl: https://matrix.live.bstein.dev

    externalPostgresql:
      host: postgres-service.postgres.svc.cluster.local
      port: 5432
      username: synapse
      existingSecret: synapse-db
      existingSecretPasswordKey: POSTGRES_PASSWORD
      database: synapse

    redis:
      enabled: true
      auth:
        enabled: true
        existingSecret: synapse-redis
        existingSecretPasswordKey: redis-password

    postgresql:
      enabled: false

    persistence:
      enabled: true
      storageClass: asteria
      accessMode: ReadWriteOnce
      size: 50Gi

    synapse:
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 0
          maxUnavailable: 1
      podSecurityContext:
        fsGroup: 666
        runAsUser: 666
        runAsGroup: 666
      resources:
        requests:
          cpu: 500m
          memory: 1Gi
        limits:
          cpu: "2"
          memory: 3Gi
      extraEnv:
        - name: TURN_SECRET
          valueFrom:
            secretKeyRef:
              name: turn-shared-secret
              key: TURN_STATIC_AUTH_SECRET
        - name: MAS_SHARED_SECRET
          valueFrom:
            secretKeyRef:
              name: mas-secrets-runtime
              key: matrix_shared_secret
        - name: MACAROON_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: synapse-macaroon
              key: macaroon_secret_key
      extraCommands:
        - >-
          esc() { printf "%s" "$1" | sed "s/'/''/g"; };
          printf '%s\n'
          "matrix_authentication_service:"
          "  enabled: true"
          "  endpoint: http://matrix-authentication-service:8080/"
          "  secret: '$(esc "${MAS_SHARED_SECRET:-}")'"
          "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'"
          "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'"
          > /synapse/config/conf.d/runtime-secrets.yaml
      nodeSelector:
        hardware: rpi5
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5", "rpi4"]

    ingress:
      enabled: true
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      csHosts:
        - matrix.live.bstein.dev
      hosts:
        - matrix.live.bstein.dev
      wkHosts:
        - live.bstein.dev
        - bstein.dev
      tls:
        - secretName: matrix-live-tls
          hosts:
            - matrix.live.bstein.dev
            - live.bstein.dev

    extraConfig:
      allow_guest_access: true
      allow_public_rooms_without_auth: true
      auto_join_rooms:
        - "#othrys:live.bstein.dev"
      autocreate_auto_join_rooms: true
      default_room_version: "11"
      experimental_features:
        msc3266_enabled: true
        msc4143_enabled: true
        msc4222_enabled: true
      max_event_delay_duration: 24h
      password_config:
        enabled: false
      rc_message:
        per_second: 0.5
        burst_count: 30
      rc_delayed_event_mgmt:
        per_second: 1
        burst_count: 20
      rc_login:
        address:
          burst_count: 20
          per_second: 5
        account:
          burst_count: 20
          per_second: 5
        failed_attempts:
          burst_count: 20
          per_second: 5
      room_list_publication_rules:
        - action: allow
      turn_uris:
        - "turn:turn.live.bstein.dev:3478?transport=udp"
        - "turn:turn.live.bstein.dev:3478?transport=tcp"
        - "turns:turn.live.bstein.dev:5349?transport=tcp"
      turn_allow_guests: true
      turn_user_lifetime: 86400000
      well_known_client:
        "m.homeserver":
          "base_url": "https://matrix.live.bstein.dev"
        "org.matrix.msc2965.authentication":
          "issuer": "https://matrix.live.bstein.dev/"
          "account": "https://matrix.live.bstein.dev/account/"
        "org.matrix.msc4143.rtc_foci":
          - type: "livekit"
            livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"

    worker:
      enabled: false

    signingkey:
      job:
        enabled: false
      existingSecret: othrys-synapse-signingkey
      existingSecretKey: signing.key
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: othrys-element
  namespace: comms
spec:
  interval: 30m
  chart:
    spec:
      chart: element-web
      version: 1.4.26
      sourceRef:
        kind: HelmRepository
        name: ananace
        namespace: flux-system
  install:
    remediation: { retries: 3 }
    timeout: 10m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 10m
  values:
    replicaCount: 1

    defaultServer:
      url: https://matrix.live.bstein.dev
      name: live.bstein.dev

    config:
      default_theme: dark
      brand: Othrys
      disable_custom_urls: true
      disable_login_language_selector: true
      disable_guests: false
      show_labs_settings: true
      features:
        feature_group_calls: true
        feature_video_rooms: true
        feature_element_call_video_rooms: true
      room_directory:
        servers:
          - live.bstein.dev
      jitsi: {}
      element_call:
        url: https://call.live.bstein.dev
        participant_limit: 16
        brand: Othrys Call

    ingress:
      enabled: true
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
        - live.bstein.dev
      tls:
        - secretName: live-othrys-tls
          hosts: [live.bstein.dev]

    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 500m
        memory: 512Mi

    nodeSelector:
      hardware: rpi5

    affinity:
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 50
            preference:
              matchExpressions:
                - key: hardware
                  operator: In
                  values: ["rpi5", "rpi4"]
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`# services/comms/helmrelease.yaml`
			`apiVersion: helm.toolkit.fluxcd.io/v2`
			`kind: HelmRelease`
			`metadata:`
			`name: othrys-synapse`
			`namespace: comms`
			`spec:`
			`interval: 30m`
			`chart:`
			`spec:`
			`chart: matrix-synapse`
			`version: 3.12.17`
			`sourceRef:`
			`kind: HelmRepository`
			`name: ananace`
			`namespace: flux-system`
			`install:`
			`remediation: { retries: 3 }`
			`timeout: 15m`
			`upgrade:`
			`remediation:`
			`retries: 3`
			`remediateLastFailure: true`
			`cleanupOnFail: true`
			`timeout: 15m`
			`values:`
			`serverName: live.bstein.dev`
			`publicServerName: matrix.live.bstein.dev`

			`config:`
			`publicBaseurl: https://matrix.live.bstein.dev`

			`externalPostgresql:`
			`host: postgres-service.postgres.svc.cluster.local`
			`port: 5432`
			`username: synapse`
			`existingSecret: synapse-db`
			`existingSecretPasswordKey: POSTGRES_PASSWORD`
			`database: synapse`

			`redis:`
			`enabled: true`
			`auth:`
			`enabled: true`
			`existingSecret: synapse-redis`
			`existingSecretPasswordKey: redis-password`

			`postgresql:`
			`enabled: false`

			`persistence:`
			`enabled: true`
			`storageClass: asteria`
			`accessMode: ReadWriteOnce`
			`size: 50Gi`

			`synapse:`
			`strategy:`
			`type: RollingUpdate`
			`rollingUpdate:`
			`maxSurge: 0`
			`maxUnavailable: 1`
			`podSecurityContext:`
			`fsGroup: 666`
			`runAsUser: 666`
			`runAsGroup: 666`
			`resources:`
			`requests:`
			`cpu: 500m`
			`memory: 1Gi`
			`limits:`
			`cpu: "2"`
			`memory: 3Gi`
comms: restore MAS and OIDC secrets in synapse 2026-01-13 20:55:36 -03:00			`extraEnv:`
			`- name: TURN_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: turn-shared-secret`
			`key: TURN_STATIC_AUTH_SECRET`
			`- name: MAS_SHARED_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: mas-secrets-runtime`
			`key: matrix_shared_secret`
			`- name: MACAROON_SECRET_KEY`
			`valueFrom:`
			`secretKeyRef:`
			`name: synapse-macaroon`
			`key: macaroon_secret_key`
			`extraCommands:`
comms: fix synapse runtime config injection 2026-01-13 20:59:35 -03:00			`- >-`
			`esc() { printf "%s" "$1" \| sed "s/'/''/g"; };`
			`printf '%s\n'`
			`"matrix_authentication_service:"`
			`" enabled: true"`
			`" endpoint: http://matrix-authentication-service:8080/"`
			`" secret: '$(esc "${MAS_SHARED_SECRET:-}")'"`
			`"turn_shared_secret: '$(esc "${TURN_SECRET:-}")'"`
			`"macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'"`
			`> /synapse/config/conf.d/runtime-secrets.yaml`
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`nodeSelector:`
			`hardware: rpi5`
			`affinity:`
			`nodeAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 50`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5", "rpi4"]`

			`ingress:`
			`enabled: true`
			`className: traefik`
			`annotations:`
			`cert-manager.io/cluster-issuer: letsencrypt`
			`traefik.ingress.kubernetes.io/router.entrypoints: websecure`
			`csHosts:`
			`- matrix.live.bstein.dev`
			`hosts:`
			`- matrix.live.bstein.dev`
			`wkHosts:`
			`- live.bstein.dev`
			`- bstein.dev`
			`tls:`
			`- secretName: matrix-live-tls`
			`hosts:`
			`- matrix.live.bstein.dev`
			`- live.bstein.dev`

			`extraConfig:`
			`allow_guest_access: true`
			`allow_public_rooms_without_auth: true`
			`auto_join_rooms:`
			`- "#othrys:live.bstein.dev"`
			`autocreate_auto_join_rooms: true`
			`default_room_version: "11"`
			`experimental_features:`
			`msc3266_enabled: true`
			`msc4143_enabled: true`
			`msc4222_enabled: true`
			`max_event_delay_duration: 24h`
			`password_config:`
comms: disable synapse password auth with MAS 2026-01-13 21:02:19 -03:00			`enabled: false`
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`rc_message:`
			`per_second: 0.5`
			`burst_count: 30`
			`rc_delayed_event_mgmt:`
			`per_second: 1`
			`burst_count: 20`
			`rc_login:`
			`address:`
			`burst_count: 20`
			`per_second: 5`
			`account:`
			`burst_count: 20`
			`per_second: 5`
			`failed_attempts:`
			`burst_count: 20`
			`per_second: 5`
			`room_list_publication_rules:`
			`- action: allow`
comms: restore MAS and OIDC secrets in synapse 2026-01-13 20:55:36 -03:00			`turn_uris:`
			`- "turn:turn.live.bstein.dev:3478?transport=udp"`
			`- "turn:turn.live.bstein.dev:3478?transport=tcp"`
			`- "turns:turn.live.bstein.dev:5349?transport=tcp"`
			`turn_allow_guests: true`
			`turn_user_lifetime: 86400000`
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`well_known_client:`
			`"m.homeserver":`
			`"base_url": "https://matrix.live.bstein.dev"`
comms: restore MAS and OIDC secrets in synapse 2026-01-13 20:55:36 -03:00			`"org.matrix.msc2965.authentication":`
			`"issuer": "https://matrix.live.bstein.dev/"`
			`"account": "https://matrix.live.bstein.dev/account/"`
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`"org.matrix.msc4143.rtc_foci":`
			`- type: "livekit"`
			`livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"`

			`worker:`
			`enabled: false`

			`signingkey:`
			`job:`
comms: seed synapse signing key for helm 2026-01-13 20:42:30 -03:00			`enabled: false`
			`existingSecret: othrys-synapse-signingkey`
			`existingSecretKey: signing.key`
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`---`
			`apiVersion: helm.toolkit.fluxcd.io/v2`
			`kind: HelmRelease`
			`metadata:`
			`name: othrys-element`
			`namespace: comms`
			`spec:`
			`interval: 30m`
			`chart:`
			`spec:`
			`chart: element-web`
			`version: 1.4.26`
			`sourceRef:`
			`kind: HelmRepository`
			`name: ananace`
			`namespace: flux-system`
			`install:`
			`remediation: { retries: 3 }`
			`timeout: 10m`
			`upgrade:`
			`remediation:`
			`retries: 3`
			`remediateLastFailure: true`
			`cleanupOnFail: true`
			`timeout: 10m`
			`values:`
			`replicaCount: 1`

			`defaultServer:`
			`url: https://matrix.live.bstein.dev`
			`name: live.bstein.dev`

			`config:`
			`default_theme: dark`
			`brand: Othrys`
			`disable_custom_urls: true`
			`disable_login_language_selector: true`
			`disable_guests: false`
			`show_labs_settings: true`
			`features:`
			`feature_group_calls: true`
			`feature_video_rooms: true`
			`feature_element_call_video_rooms: true`
			`room_directory:`
			`servers:`
			`- live.bstein.dev`
			`jitsi: {}`
			`element_call:`
			`url: https://call.live.bstein.dev`
			`participant_limit: 16`
			`brand: Othrys Call`

			`ingress:`
			`enabled: true`
			`className: traefik`
			`annotations:`
			`cert-manager.io/cluster-issuer: letsencrypt`
			`traefik.ingress.kubernetes.io/router.entrypoints: websecure`
			`hosts:`
			`- live.bstein.dev`
			`tls:`
			`- secretName: live-othrys-tls`
			`hosts: [live.bstein.dev]`

			`resources:`
			`requests:`
			`cpu: 100m`
			`memory: 256Mi`
			`limits:`
			`cpu: 500m`
			`memory: 512Mi`

			`nodeSelector:`
			`hardware: rpi5`

			`affinity:`
			`nodeAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 50`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5", "rpi4"]`