titan-iac/services/comms/helmrelease.yaml

# services/comms/helmrelease.yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: othrys-synapse
  namespace: comms
spec:
  interval: 30m
  chart:
    spec:
      chart: matrix-synapse
      version: 3.12.17
      sourceRef:
        kind: HelmRepository
        name: ananace
        namespace: flux-system
  install:
    remediation: { retries: 3 }
    timeout: 15m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 15m
  values:
    serverName: live.bstein.dev
    publicServerName: matrix.live.bstein.dev

    config:
      publicBaseurl: https://matrix.live.bstein.dev

    externalPostgresql:
      host: postgres-service.postgres.svc.cluster.local
      port: 5432
      username: synapse
      existingSecret: synapse-db
      existingSecretPasswordKey: POSTGRES_PASSWORD
      database: synapse

    redis:
      enabled: true
      auth:
        enabled: true
        existingSecret: synapse-redis
        existingSecretPasswordKey: redis-password

    postgresql:
      enabled: false

    persistence:
      enabled: true
      storageClass: asteria
      accessMode: ReadWriteOnce
      size: 50Gi

    synapse:
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 0
          maxUnavailable: 1
      podSecurityContext:
        fsGroup: 666
        runAsUser: 666
        runAsGroup: 666
      resources:
        requests:
          cpu: 500m
          memory: 1Gi
        limits:
          cpu: "2"
          memory: 3Gi
      nodeSelector:
        hardware: rpi5
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5", "rpi4"]

    ingress:
      enabled: true
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      csHosts:
        - matrix.live.bstein.dev
      hosts:
        - matrix.live.bstein.dev
      wkHosts:
        - live.bstein.dev
        - bstein.dev
      tls:
        - secretName: matrix-live-tls
          hosts:
            - matrix.live.bstein.dev
            - live.bstein.dev

    extraConfig:
      allow_guest_access: true
      allow_public_rooms_without_auth: true
      auto_join_rooms:
        - "#othrys:live.bstein.dev"
      autocreate_auto_join_rooms: true
      default_room_version: "11"
      experimental_features:
        msc3266_enabled: true
        msc4143_enabled: true
        msc4222_enabled: true
      max_event_delay_duration: 24h
      password_config:
        enabled: true
      oidc_enabled: true
      oidc_providers:
        - idp_id: keycloak
          idp_name: Keycloak
          issuer: https://sso.bstein.dev/realms/atlas
          client_id: synapse
          client_secret: "@@OIDC_CLIENT_SECRET@@"
          client_auth_method: client_secret_post
          scopes: ["openid", "profile", "email"]
          authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth
          token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token
          userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
          user_mapping_provider:
            config:
              localpart_template: "{{ user.preferred_username }}"
              display_name_template: "{{ user.name }}"
          allow_existing_users: true
      rc_message:
        per_second: 0.5
        burst_count: 30
      rc_delayed_event_mgmt:
        per_second: 1
        burst_count: 20
      rc_login:
        address:
          burst_count: 20
          per_second: 5
        account:
          burst_count: 20
          per_second: 5
        failed_attempts:
          burst_count: 20
          per_second: 5
      room_list_publication_rules:
        - action: allow
      well_known_client:
        "m.homeserver":
          "base_url": "https://matrix.live.bstein.dev"
        "org.matrix.msc4143.rtc_foci":
          - type: "livekit"
            livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"

    worker:
      enabled: false

    signingkey:
      job:
        generateImage:
          repository: matrixdotorg/synapse
          tag: v1.144.0
        publishImage:
          repository: registry.bstein.dev/bstein/kubectl
          tag: 1.35.0
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: othrys-element
  namespace: comms
spec:
  interval: 30m
  chart:
    spec:
      chart: element-web
      version: 1.4.26
      sourceRef:
        kind: HelmRepository
        name: ananace
        namespace: flux-system
  install:
    remediation: { retries: 3 }
    timeout: 10m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 10m
  values:
    replicaCount: 1

    defaultServer:
      url: https://matrix.live.bstein.dev
      name: live.bstein.dev

    config:
      default_theme: dark
      brand: Othrys
      disable_custom_urls: true
      disable_login_language_selector: true
      disable_guests: false
      show_labs_settings: true
      features:
        feature_group_calls: true
        feature_video_rooms: true
        feature_element_call_video_rooms: true
      room_directory:
        servers:
          - live.bstein.dev
      jitsi: {}
      element_call:
        url: https://call.live.bstein.dev
        participant_limit: 16
        brand: Othrys Call

    ingress:
      enabled: true
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
        - live.bstein.dev
      tls:
        - secretName: live-othrys-tls
          hosts: [live.bstein.dev]

    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 500m
        memory: 512Mi

    nodeSelector:
      hardware: rpi5

    affinity:
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 50
            preference:
              matchExpressions:
                - key: hardware
                  operator: In
                  values: ["rpi5", "rpi4"]
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`# services/comms/helmrelease.yaml`
			`apiVersion: helm.toolkit.fluxcd.io/v2`
			`kind: HelmRelease`
			`metadata:`
			`name: othrys-synapse`
			`namespace: comms`
			`spec:`
			`interval: 30m`
			`chart:`
			`spec:`
			`chart: matrix-synapse`
			`version: 3.12.17`
			`sourceRef:`
			`kind: HelmRepository`
			`name: ananace`
			`namespace: flux-system`
			`install:`
			`remediation: { retries: 3 }`
			`timeout: 15m`
			`upgrade:`
			`remediation:`
			`retries: 3`
			`remediateLastFailure: true`
			`cleanupOnFail: true`
			`timeout: 15m`
			`values:`
			`serverName: live.bstein.dev`
			`publicServerName: matrix.live.bstein.dev`

			`config:`
			`publicBaseurl: https://matrix.live.bstein.dev`

			`externalPostgresql:`
			`host: postgres-service.postgres.svc.cluster.local`
			`port: 5432`
			`username: synapse`
			`existingSecret: synapse-db`
			`existingSecretPasswordKey: POSTGRES_PASSWORD`
			`database: synapse`

			`redis:`
			`enabled: true`
			`auth:`
			`enabled: true`
			`existingSecret: synapse-redis`
			`existingSecretPasswordKey: redis-password`

			`postgresql:`
			`enabled: false`

			`persistence:`
			`enabled: true`
			`storageClass: asteria`
			`accessMode: ReadWriteOnce`
			`size: 50Gi`

			`synapse:`
			`strategy:`
			`type: RollingUpdate`
			`rollingUpdate:`
			`maxSurge: 0`
			`maxUnavailable: 1`
			`podSecurityContext:`
			`fsGroup: 666`
			`runAsUser: 666`
			`runAsGroup: 666`
			`resources:`
			`requests:`
			`cpu: 500m`
			`memory: 1Gi`
			`limits:`
			`cpu: "2"`
			`memory: 3Gi`
			`nodeSelector:`
			`hardware: rpi5`
			`affinity:`
			`nodeAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 50`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5", "rpi4"]`

			`ingress:`
			`enabled: true`
			`className: traefik`
			`annotations:`
			`cert-manager.io/cluster-issuer: letsencrypt`
			`traefik.ingress.kubernetes.io/router.entrypoints: websecure`
			`csHosts:`
			`- matrix.live.bstein.dev`
			`hosts:`
			`- matrix.live.bstein.dev`
			`wkHosts:`
			`- live.bstein.dev`
			`- bstein.dev`
			`tls:`
			`- secretName: matrix-live-tls`
			`hosts:`
			`- matrix.live.bstein.dev`
			`- live.bstein.dev`

			`extraConfig:`
			`allow_guest_access: true`
			`allow_public_rooms_without_auth: true`
			`auto_join_rooms:`
			`- "#othrys:live.bstein.dev"`
			`autocreate_auto_join_rooms: true`
			`default_room_version: "11"`
			`experimental_features:`
			`msc3266_enabled: true`
			`msc4143_enabled: true`
			`msc4222_enabled: true`
			`max_event_delay_duration: 24h`
			`password_config:`
			`enabled: true`
			`oidc_enabled: true`
			`oidc_providers:`
			`- idp_id: keycloak`
			`idp_name: Keycloak`
			`issuer: https://sso.bstein.dev/realms/atlas`
			`client_id: synapse`
			`client_secret: "@@OIDC_CLIENT_SECRET@@"`
			`client_auth_method: client_secret_post`
			`scopes: ["openid", "profile", "email"]`
			`authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth`
			`token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token`
			`userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo`
			`user_mapping_provider:`
			`config:`
			`localpart_template: "{{ user.preferred_username }}"`
			`display_name_template: "{{ user.name }}"`
			`allow_existing_users: true`
			`rc_message:`
			`per_second: 0.5`
			`burst_count: 30`
			`rc_delayed_event_mgmt:`
			`per_second: 1`
			`burst_count: 20`
			`rc_login:`
			`address:`
			`burst_count: 20`
			`per_second: 5`
			`account:`
			`burst_count: 20`
			`per_second: 5`
			`failed_attempts:`
			`burst_count: 20`
			`per_second: 5`
			`room_list_publication_rules:`
			`- action: allow`
			`well_known_client:`
			`"m.homeserver":`
			`"base_url": "https://matrix.live.bstein.dev"`
			`"org.matrix.msc4143.rtc_foci":`
			`- type: "livekit"`
			`livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"`

			`worker:`
			`enabled: false`

			`signingkey:`
			`job:`
			`generateImage:`
			`repository: matrixdotorg/synapse`
			`tag: v1.144.0`
			`publishImage:`
			`repository: registry.bstein.dev/bstein/kubectl`
			`tag: 1.35.0`
			`---`
			`apiVersion: helm.toolkit.fluxcd.io/v2`
			`kind: HelmRelease`
			`metadata:`
			`name: othrys-element`
			`namespace: comms`
			`spec:`
			`interval: 30m`
			`chart:`
			`spec:`
			`chart: element-web`
			`version: 1.4.26`
			`sourceRef:`
			`kind: HelmRepository`
			`name: ananace`
			`namespace: flux-system`
			`install:`
			`remediation: { retries: 3 }`
			`timeout: 10m`
			`upgrade:`
			`remediation:`
			`retries: 3`
			`remediateLastFailure: true`
			`cleanupOnFail: true`
			`timeout: 10m`
			`values:`
			`replicaCount: 1`

			`defaultServer:`
			`url: https://matrix.live.bstein.dev`
			`name: live.bstein.dev`

			`config:`
			`default_theme: dark`
			`brand: Othrys`
			`disable_custom_urls: true`
			`disable_login_language_selector: true`
			`disable_guests: false`
			`show_labs_settings: true`
			`features:`
			`feature_group_calls: true`
			`feature_video_rooms: true`
			`feature_element_call_video_rooms: true`
			`room_directory:`
			`servers:`
			`- live.bstein.dev`
			`jitsi: {}`
			`element_call:`
			`url: https://call.live.bstein.dev`
			`participant_limit: 16`
			`brand: Othrys Call`

			`ingress:`
			`enabled: true`
			`className: traefik`
			`annotations:`
			`cert-manager.io/cluster-issuer: letsencrypt`
			`traefik.ingress.kubernetes.io/router.entrypoints: websecure`
			`hosts:`
			`- live.bstein.dev`
			`tls:`
			`- secretName: live-othrys-tls`
			`hosts: [live.bstein.dev]`

			`resources:`
			`requests:`
			`cpu: 100m`
			`memory: 256Mi`
			`limits:`
			`cpu: 500m`
			`memory: 512Mi`

			`nodeSelector:`
			`hardware: rpi5`

			`affinity:`
			`nodeAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 50`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5", "rpi4"]`