# services/comms/helmrelease.yaml
#
# Flux HelmReleases for the "comms" namespace:
#   1. othrys-synapse  - Matrix homeserver (ananace/matrix-synapse chart)
#   2. othrys-element  - Element Web client (ananace/element-web chart)
# Both pull their chart from the "ananace" HelmRepository in flux-system.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: othrys-synapse
  namespace: comms
spec:
  interval: 30m
  chart:
    spec:
      chart: matrix-synapse
      version: 3.12.17
      sourceRef:
        kind: HelmRepository
        name: ananace
        namespace: flux-system
  install:
    remediation: { retries: 3 }
    timeout: 15m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 15m
  values:
    # Matrix server_name (user IDs are @user:live.bstein.dev); the homeserver
    # itself is reached on matrix.live.bstein.dev.
    serverName: live.bstein.dev
    publicServerName: matrix.live.bstein.dev
    config:
      publicBaseurl: https://matrix.live.bstein.dev
    # Database lives outside this release; the password is read from the
    # synapse-db Secret rather than being inlined here.
    externalPostgresql:
      host: postgres-service.postgres.svc.cluster.local
      port: 5432
      username: synapse
      existingSecret: synapse-db
      existingSecretPasswordKey: POSTGRES_PASSWORD
      database: synapse
    # Redis is deployed by the chart with auth enabled; password from a Secret.
    redis:
      enabled: true
      auth:
        enabled: true
        existingSecret: synapse-redis
        existingSecretPasswordKey: redis-password
    # Bundled PostgreSQL disabled because externalPostgresql is used above.
    postgresql:
      enabled: false
    persistence:
      enabled: true
      storageClass: asteria
      accessMode: ReadWriteOnce
      size: 50Gi
    synapse:
      # maxSurge 0 keeps a single-writer Synapse from running two copies
      # against the same database/volume during a rollout.
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 0
          maxUnavailable: 1
      # Runs as an unprivileged uid/gid (666). NOTE(review): runAsNonRoot and
      # allowPrivilegeEscalation are not set here; confirm the chart's
      # container securityContext defaults cover them.
      podSecurityContext:
        fsGroup: 666
        runAsUser: 666
        runAsGroup: 666
      resources:
        requests:
          cpu: 500m
          memory: 1Gi
        limits:
          cpu: "2"
          memory: 3Gi
      # Secrets are injected as environment variables from Kubernetes Secrets
      # and then materialised into a config fragment by extraCommands below.
      extraEnv:
        - name: TURN_SECRET
          valueFrom:
            secretKeyRef:
              name: turn-shared-secret
              key: TURN_STATIC_AUTH_SECRET
        - name: MAS_SHARED_SECRET
          valueFrom:
            secretKeyRef:
              name: mas-secrets-runtime
              key: matrix_shared_secret
        - name: MACAROON_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: synapse-macaroon
              key: macaroon_secret_key
      # Writes /synapse/config/conf.d/runtime-secrets.yaml at startup.
      # esc() doubles any single quote so each value is safe inside a YAML
      # single-quoted scalar ('' is the only escape in that style).
      # NOTE(review): "${VAR:-}" substitutes an empty string when a Secret key
      # is missing, so a misconfigured Secret yields an empty shared secret
      # instead of a failed start; "${VAR:?}" would fail closed. The file is
      # created with the default umask; a leading "umask 077;" would keep the
      # secret fragment private to uid 666. Values containing newlines are
      # not handled by esc() - assumed single-line, confirm.
      extraCommands:
        - >-
          esc() { printf "%s" "$1" | sed "s/'/''/g"; };
          printf '%s\n' "matrix_authentication_service:"
          " enabled: true"
          " endpoint: http://matrix-authentication-service:8080/"
          " secret: '$(esc "${MAS_SHARED_SECRET:-}")'"
          "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'"
          "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'"
          > /synapse/config/conf.d/runtime-secrets.yaml
      nodeSelector:
        hardware: rpi5
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5", "rpi4"]
    ingress:
      enabled: true
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      # csHosts: client-server API; wkHosts: /.well-known/matrix/* only.
      csHosts:
        - matrix.live.bstein.dev
      hosts:
        - matrix.live.bstein.dev
      wkHosts:
        - live.bstein.dev
        - bstein.dev
      # NOTE(review): bstein.dev is listed under wkHosts but not under any
      # tls entry; confirm it is covered by another certificate/route or the
      # well-known lookup for that name will be served without a matching cert.
      tls:
        - secretName: matrix-live-tls
          hosts:
            - matrix.live.bstein.dev
            - live.bstein.dev
    # Merged into homeserver.yaml.
    extraConfig:
      # Unauthenticated exposure: guest accounts may be created and the
      # public room directory is readable without a login. The rc_* limits
      # below are the main brake on abuse of these endpoints.
      allow_guest_access: true
      allow_public_rooms_without_auth: true
      auto_join_rooms:
        - "#othrys:live.bstein.dev"
      autocreate_auto_join_rooms: true
      default_room_version: "11"
      experimental_features:
        msc3266_enabled: true
        msc4143_enabled: true
        msc4222_enabled: true
      max_event_delay_duration: 24h
      # Local password login is off; authentication is delegated to
      # matrix-authentication-service (see runtime-secrets.yaml above).
      password_config:
        enabled: false
      rc_message:
        per_second: 0.5
        burst_count: 30
      rc_delayed_event_mgmt:
        per_second: 1
        burst_count: 20
      rc_login:
        address:
          burst_count: 20
          per_second: 5
        account:
          burst_count: 20
          per_second: 5
        failed_attempts:
          burst_count: 20
          per_second: 5
      # Any user may publish rooms to the public directory.
      room_list_publication_rules:
        - action: allow
      turn_uris:
        - "turn:turn.live.bstein.dev:3478?transport=udp"
        - "turn:turn.live.bstein.dev:3478?transport=tcp"
        - "turns:turn.live.bstein.dev:5349?transport=tcp"
      # Guests (no CAPTCHA/registration) may obtain TURN credentials; Synapse
      # documents this as a relay-abuse risk in exchange for guest VoIP.
      turn_allow_guests: true
      # TURN credential lifetime in milliseconds (24h).
      turn_user_lifetime: 86400000
      # NOTE(review): Synapse's own option for extra /.well-known/matrix/client
      # content is extra_well_known_client_content; confirm the chart maps
      # this key, otherwise it is silently ignored.
      well_known_client:
        "m.homeserver":
          "base_url": "https://matrix.live.bstein.dev"
        "org.matrix.msc2965.authentication":
          "issuer": "https://matrix.live.bstein.dev/"
          "account": "https://matrix.live.bstein.dev/account/"
        "org.matrix.msc4143.rtc_foci":
          - type: "livekit"
            livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"
    worker:
      enabled: false
    # Signing key is pre-provisioned in a Secret; the generator job is off so
    # the key is never regenerated on reinstall.
    signingkey:
      job:
        enabled: false
      existingSecret: othrys-synapse-signingkey
      existingSecretKey: signing.key
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: othrys-element
  namespace: comms
spec:
  interval: 30m
  chart:
    spec:
      chart: element-web
      version: 1.4.26
      sourceRef:
        kind: HelmRepository
        name: ananace
        namespace: flux-system
  install:
    remediation: { retries: 3 }
    timeout: 10m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 10m
  values:
    replicaCount: 1
    defaultServer:
      url: https://matrix.live.bstein.dev
      name: live.bstein.dev
    # Rendered into Element's config.json.
    config:
      default_theme: dark
      brand: Othrys
      # Users cannot point this client at another homeserver.
      disable_custom_urls: true
      disable_login_language_selector: true
      # Guest access mirrors allow_guest_access on the homeserver.
      disable_guests: false
      show_labs_settings: true
      features:
        feature_group_calls: true
        feature_video_rooms: true
        feature_element_call_video_rooms: true
      room_directory:
        servers:
          - live.bstein.dev
      jitsi: {}
      element_call:
        url: https://call.live.bstein.dev
        participant_limit: 16
        brand: Othrys Call
    ingress:
      enabled: true
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
        - live.bstein.dev
      tls:
        - secretName: live-othrys-tls
          hosts: [live.bstein.dev]
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 500m
        memory: 512Mi
    nodeSelector:
      hardware: rpi5
    affinity:
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 50
            preference:
              matchExpressions:
                - key: hardware
                  operator: In
                  values: ["rpi5", "rpi4"]