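---
# tasks file for ansible-role-matrix-stack
#
# Deploys the Element Server Suite (ESS) chart as a single Helm release.
# Variables this task reads: release_namespace, server_name,
# matrix_auth_service_admin_password, matrix_google_oidc_client_id,
# matrix_google_oidc_client_secret, synapse_admin_password.
#
# Secret handling: every secret below is passed as a plain Helm value, so it
# ends up in the Helm release Secret (sh.helm.release.v1.*) as well as in the
# Secrets the chart renders. The chart also accepts `configSecret` /
# `configSecretKey` references to a pre-existing Secret (see the MAS comments
# below); prefer that once the Secret is managed elsewhere.
- name: Deploy Matrix Stack
  # Module arguments (including the rendered values) are printed at -v and in
  # failure output; keep them out of logs. Temporarily drop to `false` when
  # debugging a failed install.
  no_log: true
  kubernetes.core.helm:
    name: matrix
    chart_ref: oci://ghcr.io/element-hq/ess-helm/matrix-stack
    release_namespace: "{{ release_namespace }}"
    create_namespace: true
    values:
      certManager:
        # Private CA: clients and federation peers must trust this CA, or TLS
        # to every host below fails.
        clusterIssuer: ca-issuer
      serverName: "{{ server_name }}"
      ingress:
        className: nginx
        annotations:
          # configuration-snippet is only honoured when the ingress-nginx
          # controller runs with snippet annotations enabled. That controller
          # setting lets every Ingress author inject raw nginx config, so it
          # must be a deliberate choice, not an incidental side effect of this
          # line.
          nginx.ingress.kubernetes.io/configuration-snippet: proxy_intercept_errors off;
      initSecrets:
        enabled: true
        serviceAccount:
          ## Whether a ServiceAccount should be created by the chart or not
          create: true
          ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically
          name: ""
          ## Annotations to add to the service account
          annotations: {}
      matrixRTC:
        ingress:
          host: rtc.eom.dev
      elementWeb:
        ingress:
          host: element.eom.dev
      matrixAuthenticationService:
        ## Additional configuration to provide to Matrix Authentication Service.
        ## Each key under additional is an additional config to merge into Matrix Authentication Service config.yaml
        ## Full details on available configuration options can be found at https://element-hq.github.io/matrix-authentication-service/reference/configuration.html
        ## This can be provided in-line in the Helm Chart and/or via an existing Secret
        ## e.g.
        ## additional:
        ##   0-customConfig:
        ##     config: |
        ##   1-customConfig:
        ##     configSecret: custom-config
        ##     configSecretKey: shared.yaml
        ##
        ## Most settings are configurable but some settings are owned by the chart and can't overwritten
        additional:
          # The chart documents `additional.<name>.config` / `.configSecret`;
          # putting `email:` / `upstream_oauth2:` directly under `additional`
          # (the previous layout) does not match that contract.
          #
          # The block below is one Ansible-templated string: `to_json` emits a
          # quoted, escaped scalar so a secret containing YAML-significant
          # characters (`: `, ` #`, quotes, leading `*`) cannot break or alter
          # the rendered MAS document; `{% raw %}` passes MAS's own `{{ ... }}`
          # templates through untouched. The previous `| quote` filter is shell
          # quoting and wrapped the MAS templates in literal single quotes,
          # which would then appear in the rendered subject/localpart.
          0-customConfig:
            config: |
              email:
                # TODO(review): the mailbox address is missing from both
                # headers (expected `"Name" <address>`); fill in before
                # relying on MAS e-mail.
                from: '"Matrix Authentication Service" '
                reply_to: '"No reply" '
                transport: smtp
                # NOTE(review): `tls` is implicit TLS; port 587 is
                # conventionally STARTTLS. Confirm which one postfix.eom.dev
                # offers on 587 — a mismatch fails the handshake.
                mode: tls
                hostname: postfix.eom.dev
                port: 587
                username: matrix-authentication-service
                # NOTE(review): an "admin password" variable reused as an SMTP
                # credential — confirm this is a dedicated relay credential.
                password: {{ matrix_auth_service_admin_password | to_json }}
              upstream_oauth2:
                providers:
                  - id: 01JG22H4F0G8PYCZ5HVTQVHBC4
                    # Google's published OIDC issuer. `discovery_mode: oidc`
                    # is strict discovery and rejects an issuer that does not
                    # match the provider's discovery document.
                    issuer: https://accounts.google.com
                    client_id: {{ matrix_google_oidc_client_id | to_json }}
                    client_secret: {{ matrix_google_oidc_client_secret | to_json }}
                    token_endpoint_auth_method: client_secret_basic
                    discovery_mode: oidc
                    claims_imports:
                      subject:
                        template: "{% raw %}{{ user.sub }}{% endraw %}"
                      # -- The localpart is the local part of the user's Matrix ID.
                      # For example, on the `example.com` server, if the localpart is `alice`,
                      # the user's Matrix ID will be `@alice:example.com`.
                      # NOTE(review): `require` makes login fail whenever the
                      # claim is absent. Confirm this provider actually issues
                      # `preferred_username` for every user.
                      localpart:
                        action: require
                        template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
                      # -- The display name is the user's display name.
                      displayname:
                        action: suggest
                        template: "{% raw %}{{ user.name }}{% endraw %}"
                      # -- An email address to import.
                      email:
                        action: suggest
                        template: "{% raw %}{{ user.email }}{% endraw %}"
                        # -- Whether the email address must be marked as verified.
                        # Possible values are:
                        #  - `import`: mark the email address as verified if the upstream provider
                        #    has marked it as verified, using the `email_verified` claim.
                        #    This is the default.
                        #  - `always`: mark the email address as verified
                        #  - `never`: mark the email address as not verified
                        # `import` is the only option that does not let an
                        # unverified upstream address bind to an account.
                        set_email_verification: import
        ingress:
          host: mas.eom.dev
      postgres:
        storage:
          # NOTE(review): 2Ti for Postgres next to 256Gi for media looks
          # inverted — confirm the intended size before the PVC is created
          # (it cannot be shrunk afterwards).
          size: 2Ti
      synapse:
        ## Configures the media store for Synapse
        media:
          ## Configures the PersistentVolumeClaim to be used for storage
          storage:
            ## Name of an existing PersistentVolumeClaim in this namespace that should be used
            # existingClaim:
            ## The size of a PersistentVolumeClaim to be constructed
            ## Ignored if existingClaim is provided
            size: 256Gi
            ## The StorageClass to be used by the constructed PersistentVolumeClaim.
            ## Will use the cluster default if not provided
            ## Ignored if existingClaim is provided
            # storageClass:
            ## Whether to instruct Helm to keep or delete the constructed PersistentVolumeClaim when uninstalling the chart
            ## Ignored if existingClaim is provided
            resourcePolicy: keep
          ## The maximum size (in bytes ending in M or K) that Synapse will accept for media uploads
          ## You may need to adjust your ingress controller to also allow uploads of this size
          maxUploadSize: 100M
        ## Key used to sign events and federation requests.
        ## This needs to be the full signing key starting `ed25519 ...`.
        ## This secret is optional, and will be generated by the `initSecrets` job
        ## if it is empty.
        ## It can either be provided inline in the Helm chart e.g.:
        ## signingKey:
        ##   value: SecretValue
        ##
        ## Or it can be provided via an existing Secret e.g.:
        ## signingKey:
        ##   secret: existing-secret
        ##   secretKey: key-in-secret
        ##
        ## Back up the generated Secret: this key is the server's federation
        ## identity, and losing it invalidates every event it has signed.
        signingKey: {}
        ingress:
          host: synapse.eom.dev
        # NOTE(review): mirrors the `additional.<name>.config` layout the chart
        # documents for MAS; the previous top-level `custom-config` key is not
        # part of that contract and would be silently ignored or rejected.
        # Confirm against the chart's synapse values.
        additional:
          0-customConfig:
            config: |
              # Synapse reads SMTP settings from the `email:` section; the
              # same keys at the top level are not recognised.
              email:
                smtp_host: postfix.eom.dev
                smtp_port: 587
                smtp_user: synapse
                # NOTE(review): an "admin password" variable reused as an SMTP
                # credential — confirm this is a dedicated relay credential.
                smtp_pass: {{ synapse_admin_password | to_json }}
                # Fail closed if the relay does not offer STARTTLS, instead of
                # sending the credentials above in clear text (Synapse's
                # default is opportunistic TLS).
                require_transport_security: true
                client_base_url: https://element.eom.dev/
                # NOTE(review): Synapse requires `notif_from` once e-mail
                # sending is enabled; add it when the sender address is known.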