# services/communication/values-synapse.yaml
#
# Helm values for the Synapse (Matrix homeserver) release.
# NOTE(review): this listing had lost its line breaks and indentation; the
# nesting below is reconstructed from key names. Confirm it against the
# chart's values schema, in particular the keys marked "placement assumed".

serverName: live.bstein.dev
publicServerName: matrix.live.bstein.dev

config:
  publicBaseurl: https://matrix.live.bstein.dev

# Database and cache credentials are referenced from existing Secrets, so no
# password material is stored in this file.
externalPostgresql:
  host: postgres-service.postgres.svc.cluster.local
  port: 5432
  username: synapse
  existingSecret: synapse-db
  existingSecretPasswordKey: POSTGRES_PASSWORD
  database: synapse

redis:
  enabled: true
  auth:
    enabled: true
    existingSecret: synapse-redis
    existingSecretPasswordKey: redis-password

# Bundled PostgreSQL is off; externalPostgresql above is used instead.
postgresql:
  enabled: false

persistence:
  enabled: true
  storageClass: asteria
  accessMode: ReadWriteOnce
  size: 50Gi

synapse:
  # Runs as a fixed non-root UID/GID. No container-level securityContext
  # (privilege escalation, capabilities, read-only root filesystem) is set in
  # this file; whether the chart supplies one is not visible here.
  podSecurityContext:
    fsGroup: 666
    runAsUser: 666
    runAsGroup: 666
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      cpu: "2"
      memory: 3Gi
  # nodeSelector is a hard requirement for rpi5, so the rpi4 entry in the
  # preferred affinity below can never be selected while it is present.
  nodeSelector:
    hardware: rpi5
  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 50
          preference:
            matchExpressions:
              - key: hardware
                operator: In
                values: ["rpi5", "rpi4"]

ingress:
  enabled: true
  className: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    # Restricts the router to the TLS entrypoint.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  csHosts:
    - matrix.live.bstein.dev
  hosts:
    - matrix.live.bstein.dev
  wkHosts:
    - live.bstein.dev
    - bstein.dev
  # NOTE(review): bstein.dev is listed in wkHosts but not in tls.hosts, so the
  # matrix-live-tls certificate will not cover it. Confirm another ingress or
  # certificate serves that name.
  tls:
    - secretName: matrix-live-tls
      hosts:
        - matrix.live.bstein.dev
        - live.bstein.dev

extraConfig:
  # Unauthenticated exposure: guests can register without credentials, and the
  # public room directory is readable without an access token. Together with
  # the allow-all room_list_publication_rules further down, any room a user
  # publishes becomes enumerable by anonymous clients. Confirm this is intended.
  allow_guest_access: true
  allow_public_rooms_without_auth: true
  auto_join_rooms:
    - "#othrys:live.bstein.dev"
  autocreate_auto_join_rooms: true
  default_room_version: "11"
  # Experimental MSC implementations; their behaviour can change between
  # Synapse releases, so review these flags on upgrade.
  experimental_features:
    msc3266_enabled: true
    msc4143_enabled: true
    msc4222_enabled: true
  max_event_delay_duration: 24h
  # Password login stays enabled alongside OIDC, so the rc_login limits below
  # are the main throttle on password guessing.
  password_config:
    enabled: true
  # placement assumed: sibling of password_config - TODO confirm
  oidc_enabled: true
  oidc_providers:
    - idp_id: keycloak
      idp_name: Keycloak
      issuer: https://sso.bstein.dev/realms/atlas
      client_id: synapse
      # Placeholder substituted outside this file. NOTE(review): confirm the
      # rendered value is stored in a Secret rather than a ConfigMap, and that
      # the substituted file is never committed or logged.
      client_secret: "@@OIDC_CLIENT_SECRET@@"
      client_auth_method: client_secret_post
      scopes: ["openid", "profile", "email"]
      authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth
      token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token
      userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
      user_mapping_provider:
        config:
          localpart_template: "{{ user.preferred_username }}"
          display_name_template: "{{ user.name }}"
      # An OIDC login whose mapped localpart matches an existing Matrix account
      # is attached to that account. With the localpart taken from
      # preferred_username, this is only safe if usernames in the Keycloak realm
      # cannot be chosen or changed by end users.
      # placement assumed: provider level - TODO confirm
      allow_existing_users: true
  rc_message:
    per_second: 0.5
    burst_count: 30
  rc_delayed_event_mgmt:
    per_second: 1
    burst_count: 20
  # NOTE(review): 5 attempts per second with a burst of 20 is far looser than
  # Synapse's shipped login limits, and failed_attempts is no stricter than the
  # other buckets. Tighten these unless brute-force protection is enforced
  # elsewhere (for example at the ingress or identity provider).
  rc_login:
    address:
      burst_count: 20
      per_second: 5
    account:
      burst_count: 20
      per_second: 5
    failed_attempts:
      burst_count: 20
      per_second: 5
  # A single unconditional allow rule: any user may publish any room to the
  # public directory.
  room_list_publication_rules:
    - action: allow
  # placement assumed: under extraConfig - TODO confirm against the chart
  well_known_client:
    "m.homeserver":
      "base_url": "https://matrix.live.bstein.dev"
    "org.matrix.msc4143.rtc_foci":
      - type: "livekit"
        livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"

# placement assumed: top-level key - TODO confirm the chart reads `worker`
worker:
  enabled: false