
# services/comms/helmrelease.yaml
#
# Flux HelmRelease for the Synapse homeserver (ananace/matrix-synapse chart).
# Postgres and Redis are external services; every credential referenced
# below is read from a Kubernetes Secret, nothing secret is inlined here.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: othrys-synapse
  namespace: comms
spec:
  interval: 30m
  chart:
    spec:
      chart: matrix-synapse
      version: 3.12.17
      sourceRef:
        kind: HelmRepository
        name: ananace
        namespace: flux-system
  install:
    remediation:
      retries: 3
    timeout: 15m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 15m
  values:
    serverName: live.bstein.dev
    publicServerName: matrix.live.bstein.dev
    config:
      publicBaseurl: https://matrix.live.bstein.dev
    # Database password is taken from the synapse-db Secret (key
    # POSTGRES_PASSWORD); the chart-bundled Postgres is disabled below.
    externalPostgresql:
      host: postgres-service.postgres.svc.cluster.local
      port: 5432
      username: synapse
      existingSecret: synapse-db
      existingSecretPasswordKey: POSTGRES_PASSWORD
      database: synapse
    redis:
      enabled: true
      auth:
        enabled: true
        existingSecret: synapse-redis
        existingSecretPasswordKey: redis-password
    postgresql:
      enabled: false
    persistence:
      enabled: true
      storageClass: asteria
      accessMode: ReadWriteOnce
      size: 50Gi
    synapse:
      # maxSurge 0 / maxUnavailable 1: the old pod is stopped before the new
      # one starts — presumably because the volume above is ReadWriteOnce.
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 0
          maxUnavailable: 1
      # NOTE(review): uid/gid are pinned to 666 but runAsNonRoot is not
      # asserted here — confirm whether the chart adds it.
      podSecurityContext:
        fsGroup: 666
        runAsUser: 666
        runAsGroup: 666
      resources:
        requests:
          cpu: 500m
          memory: 1Gi
        limits:
          cpu: "2"
          memory: 3Gi
      # Secrets are exposed to the container as environment variables and
      # consumed only by the extraCommands script below.
      extraEnv:
        - name: OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: synapse-oidc
              key: client-secret
        - name: TURN_SECRET
          valueFrom:
            secretKeyRef:
              name: turn-shared-secret
              key: TURN_STATIC_AUTH_SECRET
        - name: MAS_SHARED_SECRET
          valueFrom:
            secretKeyRef:
              name: mas-secrets-runtime
              key: matrix_shared_secret
        - name: MACAROON_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: synapse-macaroon
              key: macaroon_secret_key
      # Writes a conf.d fragment with the runtime secrets at container start.
      # yaml_quote doubles any single quote so a secret value cannot break out
      # of its single-quoted YAML scalar. Each variable uses ${VAR:-}, so a
      # missing Secret key yields an empty string rather than a start-up
      # failure — NOTE(review): confirm that is the intended failure mode.
      extraCommands:
        - |
          yaml_quote() { printf "%s" "$1" | sed "s/'/''/g"; }
          cat > /synapse/config/conf.d/runtime-secrets.yaml <<EOF
          oidc_providers:
            - idp_id: keycloak
              idp_name: Keycloak
              issuer: https://sso.bstein.dev/realms/atlas
              client_id: synapse
              client_secret: '$(yaml_quote "${OIDC_CLIENT_SECRET:-}")'
              client_auth_method: client_secret_post
              scopes: ["openid", "profile", "email"]
              authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth
              token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token
              userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
              user_mapping_provider:
                config:
                  localpart_template: "{{ user.preferred_username }}"
                  display_name_template: "{{ user.name }}"
              allow_existing_users: true
          matrix_authentication_service:
            enabled: true
            endpoint: http://matrix-authentication-service:8080/
            secret: '$(yaml_quote "${MAS_SHARED_SECRET:-}")'
          turn_shared_secret: '$(yaml_quote "${TURN_SECRET:-}")'
          macaroon_secret_key: '$(yaml_quote "${MACAROON_SECRET_KEY:-}")'
          EOF
      # allow_existing_users in the fragment above lets an OIDC login bind to
      # a pre-existing local account by localpart; that is only safe while
      # preferred_username is controlled by Keycloak, not by the end user.
      nodeSelector:
        hardware: rpi5
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi5
                      - rpi4
    ingress:
      enabled: true
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      csHosts:
        - matrix.live.bstein.dev
      hosts:
        - matrix.live.bstein.dev
      wkHosts:
        - live.bstein.dev
        - bstein.dev
      # NOTE(review): wkHosts lists bstein.dev but the TLS block only covers
      # matrix.live.bstein.dev and live.bstein.dev; unless a certificate for
      # the apex is provided by another resource, its well-known endpoint is
      # served without a matching cert.
      tls:
        - secretName: matrix-live-tls
          hosts:
            - matrix.live.bstein.dev
            - live.bstein.dev
    # Raw homeserver.yaml additions.
    extraConfig:
      # Guests may join, and the public room directory is readable without
      # authentication.
      allow_guest_access: true
      allow_public_rooms_without_auth: true
      auto_join_rooms:
        - "#othrys:live.bstein.dev"
      autocreate_auto_join_rooms: true
      default_room_version: "11"
      experimental_features:
        msc3266_enabled: true
        msc4143_enabled: true
        msc4222_enabled: true
      max_event_delay_duration: 24h
      # Local password login stays enabled alongside OIDC.
      password_config:
        enabled: true
      oidc_enabled: true
      # Per-user rate limits (tokens per second / bucket size).
      rc_message:
        per_second: 0.5
        burst_count: 30
      rc_delayed_event_mgmt:
        per_second: 1
        burst_count: 20
      rc_login:
        address:
          burst_count: 20
          per_second: 5
        account:
          burst_count: 20
          per_second: 5
        failed_attempts:
          burst_count: 20
          per_second: 5
      room_list_publication_rules:
        - action: allow
      turn_uris:
        - "turn:turn.live.bstein.dev:3478?transport=udp"
        - "turn:turn.live.bstein.dev:3478?transport=tcp"
        - "turns:turn.live.bstein.dev:5349?transport=tcp"
      # Guests also receive TURN credentials; Synapse documents this as a
      # small risk because unregistered users can relay through the TURN
      # server. Credential lifetime is in milliseconds (24h).
      turn_allow_guests: true
      turn_user_lifetime: 86400000
      # NOTE(review): confirm the chart honours well_known_client at this
      # level; Synapse itself exposes extra well-known content through
      # extra_well_known_client_content.
      well_known_client:
        "m.homeserver":
          "base_url": "https://matrix.live.bstein.dev"
        "org.matrix.msc2965.authentication":
          "issuer": "https://matrix.live.bstein.dev/"
          "account": "https://matrix.live.bstein.dev/account/"
        "org.matrix.msc4143.rtc_foci":
          - type: "livekit"
            livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"
    worker:
      enabled: false
    # The chart's key-generation Job is disabled; the signing key is read
    # from an existing Secret instead.
    signingkey:
      job:
        enabled: false
      existingSecret: othrys-synapse-signingkey
      existingSecretKey: signing.key
---
# Flux HelmRelease for the Element Web client (ananace/element-web chart),
# served on the apex of the homeserver's serverName.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: othrys-element
  namespace: comms
spec:
  interval: 30m
  chart:
    spec:
      chart: element-web
      version: 1.4.26
      sourceRef:
        kind: HelmRepository
        name: ananace
        namespace: flux-system
  install:
    remediation:
      retries: 3
    timeout: 10m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 10m
  values:
    replicaCount: 1
    # Homeserver the client connects to by default.
    defaultServer:
      url: https://matrix.live.bstein.dev
      name: live.bstein.dev
    # Merged into the client's config.json.
    config:
      default_theme: dark
      brand: Othrys
      # Users cannot point the client at another homeserver.
      disable_custom_urls: true
      disable_login_language_selector: true
      # Guest login stays available, matching allow_guest_access on Synapse.
      disable_guests: false
      show_labs_settings: true
      features:
        feature_group_calls: true
        feature_video_rooms: true
        feature_element_call_video_rooms: true
      room_directory:
        servers:
          - live.bstein.dev
      jitsi: {}
      element_call:
        url: https://call.live.bstein.dev
        participant_limit: 16
        brand: Othrys Call
    ingress:
      enabled: true
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
        - live.bstein.dev
      tls:
        - secretName: live-othrys-tls
          hosts:
            - live.bstein.dev
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 500m
        memory: 512Mi
    nodeSelector:
      hardware: rpi5
    affinity:
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 50
            preference:
              matchExpressions:
                - key: hardware
                  operator: In
                  values:
                    - rpi5
                    - rpi4