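---
# tasks file for ansible-role-matrix-stack
#
# Deploys the Element Server Suite (matrix-stack) Helm chart. Every secret below
# reaches the chart as an inline Helm value, which Helm persists in the release
# Secret inside release_namespace. Where the chart accepts a
# configSecret/configSecretKey reference instead (see the
# matrixAuthenticationService.additional notes), that is the preferable home for
# credentials, since it keeps them out of the release values entirely.

- name: Deploy Matrix Stack
  # The module arguments carry SMTP passwords and the OIDC client secret; no_log
  # keeps them out of Ansible task output and logs. It also hides the helm error
  # text when the task fails - set it to false only while debugging a deploy.
  no_log: true
  kubernetes.core.helm:
    name: matrix
    chart_ref: oci://ghcr.io/element-hq/ess-helm/matrix-stack
    release_namespace: "{{ release_namespace }}"
    create_namespace: true
    values:
      certManager:
        # A private CA issuer: every client and federating server must trust
        # this CA, or TLS validation fails.
        clusterIssuer: ca-issuer
      serverName: "{{ server_name }}"
      ingress:
        className: nginx
        annotations:
          # configuration-snippet annotations are only honoured when the
          # ingress-nginx controller runs with allow-snippet-annotations
          # enabled (off by default in recent ingress-nginx releases, because a
          # snippet lets any Ingress author inject raw nginx config). Confirm
          # the controller setting before relying on this line.
          nginx.ingress.kubernetes.io/configuration-snippet: proxy_intercept_errors off;
      initSecrets:
        # Generates the secrets left empty below (e.g. synapse.signingKey) into
        # Kubernetes Secrets in release_namespace. Include them in backups: a
        # lost signing key cannot be regenerated without breaking verification
        # of previously signed events.
        enabled: true
        # NOTE(review): indentation was lost in the reviewed copy; this block is
        # placed under initSecrets (the job needs an identity to create Secrets)
        # - confirm against the chart's values.yaml.
        serviceAccount:
          ## Whether a ServiceAccount should be created by the chart or not
          create: true

          ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically
          name: ""

          ## Annotations to add to the service account
          annotations: {}

      matrixRTC:
        ingress:
          host: rtc.eom.dev

      elementWeb:
        ingress:
          host: element.eom.dev

      matrixAuthenticationService:
        ## Additional configuration to provide to Matrix Authentication Service.
        ## Each key under additional is an additional config to merge into Matrix Authentication Service config.yaml
        ## Full details on available configuration options can be found at https://element-hq.github.io/matrix-authentication-service/reference/configuration.html
        ## This can be provided in-line in the Helm Chart and/or via an existing Secret
        ## e.g.
        ## additional:
        ##   0-customConfig:
        ##     config: |
        ##       <any valid configuration>
        ##   1-customConfig:
        ##     configSecret: custom-config
        ##     configSecretKey: shared.yaml
        ##
        ## Most settings are configurable but some settings are owned by the chart and can't be overwritten
        ##
        ## Each entry under additional must therefore be a {config: ...} or a
        ## {configSecret: ..., configSecretKey: ...} mapping; MAS keys such as
        ## email or upstream_oauth2 go inside a config fragment, not directly
        ## under additional. The fragment below is a literal block scalar that
        ## Ansible still Jinja-renders: deployment variables are substituted in
        ## (to_json emits a double-quoted scalar, so quotes or backslashes in a
        ## secret cannot break the fragment or be re-typed), while the MAS
        ## template expressions are wrapped in raw blocks so they reach MAS
        ## verbatim. The previous `| quote` approach left literal single quotes
        ## around each expression in the rendered template.
        additional:
          0-customConfig:
            config: |
              email:
                from: '"Matrix Authentication Service" <matrix-authentication-service@eom.dev>'
                reply_to: '"No reply" <no-reply@eom.dev>'
                transport: smtp
                # NOTE(review): mode tls is implicit TLS from the first byte,
                # which is conventionally port 465; 587 is the STARTTLS
                # submission port (mode starttls). Confirm which one
                # postfix.eom.dev actually serves on 587.
                mode: tls
                hostname: postfix.eom.dev
                port: 587
                username: matrix-authentication-service
                # NOTE(review): the variable name suggests the MAS admin
                # password is being reused as the SMTP credential; a dedicated
                # SMTP account limits what a mail-server compromise exposes.
                password: {{ matrix_auth_service_admin_password | to_json }}
              upstream_oauth2:
                providers:
                  # The id is the stable key linking existing MAS accounts to
                  # this provider; changing it orphans every existing link.
                  - id: 01JG22H4F0G8PYCZ5HVTQVHBC4
                    # With discovery_mode oidc the configured issuer must equal
                    # the `issuer` in the provider's discovery document; Google
                    # publishes https://accounts.google.com, not
                    # https://google.com/.
                    issuer: https://accounts.google.com
                    client_id: {{ matrix_google_oidc_client_id | to_json }}
                    client_secret: {{ matrix_google_oidc_client_secret | to_json }}
                    token_endpoint_auth_method: client_secret_basic
                    discovery_mode: oidc
                    claims_imports:
                      subject:
                        template: "{% raw %}{{ user.sub }}{% endraw %}"

                      # -- The localpart is the local part of the user's Matrix ID.
                      # For example, on the `example.com` server, if the localpart is `alice`,
                      # the user's Matrix ID will be `@alice:example.com`.
                      # NOTE(review): Google ID tokens do not normally carry a
                      # preferred_username claim; combined with action require
                      # that would block every sign-up. Verify against a real
                      # token (the local part of user.email is the usual
                      # fallback).
                      localpart:
                        action: require
                        template: "{% raw %}{{ user.preferred_username }}{% endraw %}"

                      # -- The display name is the user's display name.
                      displayname:
                        action: suggest
                        template: "{% raw %}{{ user.name }}{% endraw %}"

                      # -- An email address to import.
                      email:
                        action: suggest
                        template: "{% raw %}{{ user.email }}{% endraw %}"
                        # -- Whether the email address must be marked as verified.
                        # Possible values are:
                        #  - `import`: mark the email address as verified if the upstream provider
                        #    has marked it as verified, using the `email_verified` claim.
                        #    This is the default.
                        #  - `always`: mark the email address as verified
                        #  - `never`: mark the email address as not verified
                        # Keep `import`: `always` would let an address the
                        # upstream has not verified be treated as verified.
                        set_email_verification: import
        ingress:
          host: mas.eom.dev

      postgres:
        storage:
          size: 2Ti

      synapse:
        ## Configures the media store for Synapse
        media:
          ## Configures the PersistentVolumeClaim to be used for storage
          storage:
            ## Name of an existing PersistentVolumeClaim in this namespace that should be used
            # existingClaim:

            ## The size of a PersistentVolumeClaim to be constructed
            ## Ignored if existingClaim is provided
            size: 256Gi

            ## The StorageClass to be used by the constructed PersistentVolumeClaim.
            ## Will use the cluster default if not provided
            ## Ignored if existingClaim is provided
            # storageClass:

            ## Whether to instruct Helm to keep or delete the constructed PersistentVolumeClaim when uninstalling the chart
            ## Ignored if existingClaim is provided
            resourcePolicy: keep

          ## The maximum size (in bytes ending in M or K) that Synapse will accept for media uploads
          ## You may need to adjust your ingress controller to also allow uploads of this size
          ## (ingress-nginx: nginx.ingress.kubernetes.io/proxy-body-size); otherwise uploads
          ## above the controller's default body limit are typically rejected with 413
          ## before they reach Synapse.
          maxUploadSize: 100M
        ## Key used to sign events and federation requests.
        ## This needs to be the full signing key starting `ed25519 ...`.
        ## This secret is optional, and will be generated by the `initSecrets` job
        ## if it is empty.
        ## It can either be provided inline in the Helm chart e.g.:
        ## signingKey:
        ##   value: SecretValue
        ##
        ## Or it can be provided via an existing Secret e.g.:
        ## signingKey:
        ##   secret: existing-secret
        ##   secretKey: key-in-secret
        signingKey: {}
        ingress:
          host: synapse.eom.dev
        ## Extra homeserver.yaml fragments, in the same shape as
        ## matrixAuthenticationService.additional above.
        ## NOTE(review): the reviewed copy had custom-config directly under
        ## synapse; it is placed under additional here to match the chart's
        ## documented pattern - confirm against the chart's values.yaml.
        additional:
          custom-config:
            config: |
              # Synapse reads its SMTP settings from the `email` section of
              # homeserver.yaml; the same keys at the top level are not used.
              email:
                smtp_host: postfix.eom.dev
                smtp_port: 587
                smtp_user: synapse
                # NOTE(review): as for MAS, the variable name suggests an admin
                # password is reused as the SMTP credential.
                smtp_pass: {{ synapse_admin_password | to_json }}
                # Refuse to send credentials unless the server offers STARTTLS.
                # Synapse's default is opportunistic TLS, which an on-path
                # attacker can downgrade to cleartext.
                require_transport_security: true
                client_base_url: https://element.eom.dev/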