public
/
stack
5
0
Fork 1
Code Issues 4 Pull Requests 1 Packages Projects Releases Wiki Activity

kustomize/synapse: initial commit

This commit is contained in:
Danny Grove 2024-01-21 21:55:00 -08:00
parent 701b304c9d
commit 43bb6b8810
Signed by: drgrove
GPG Key ID: E1F4160251DB4C2E
11 changed files with 632 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
kustomizations/matrix/synapse/config-secrets.enc.yaml Normal file
View File

@ -0,0 +1,121 @@
apiVersion: v1
kind: Secret
metadata:
name: config
type: Opaque
stringData:
homeserver.yaml: ENC[AES256_GCM,data:9O2YODDpJf6FzX6DojwGaIYkRs99K/GP+HCBCb4PO5fNJPmyEaN3DllpZjSn1WlgMIMi46gs7wfZJjoJRVz5wq+owwmZw+4lrAnYN8niNKcYoakuHn57WSzlrrqZDMY5i0VKZ1S+QATGll5Wl19AjHIuVEbJ5nQeeORVq+n7voG4/MX3PcZINjKdr4PnTwCx21TrPb9lRunH+oGhbHjMvx4yxNzqOvrvuFMSqkC/lDWrrSfCcn14qbLhq//OAk+c49IUkHTjJVbaK4mx1dbi7LA3rsZmb5cM9iFLPImWZnlpGM3SZasO91paiV8EaH+EkyA/4TpWODi+0KCiwVrLnOxEvmx6NweGOIaWgk04DgFomD468F1i0VVksk5/FwM8QvS8cIZ6Wqk/mAtbki5pnpvSZMrWXV4WSja+IcpoPYZjYdzttiHhxqoQ9Kkka3AqPEm1Nj6ggYtgjfE78dWVxN0jcKTXLV6C2T59jqpwyT9zmIpTJZ6AbZL6hafBprJenwD4mUO+pGzW1zs2nzDDr49nRSLtnRub5ecdYgZTPoInxxJYqbgZIjCYfwc7Y49JeSxklQXspCYZf+xmS0O4w8FzgwWYKCcajju4cRKHe46oN6QUftcmJILyt4LVSCuKzGsIKRnPazPKWqPUDjAs7j/i+jCha6gIctF5wvihfrCXHqD0gHa92kR/M581C6Ch2LFTupyUZtyZEbE+Y1oPlYyn2psBohVm/izl96QKuX7Ujco5Iahf7A55CTMuoBqXtvhpNwZVcmLf3SWiFTN2LfrkG2rXarvq+2TsgMcFeNia094Yk0gISR8UTu7uhhKuoPoFMN+3cCnXqiqMHoehbT9KyV7QuXG+M/jvGnUKPeTtp/Grmd4arvLpFp9UKAXbVkvFCFyTW+562qRnh0Int88ycr6FBdQl1HTN+mQfz4lNLxNomxu+0iDMaNP0+YTncSRragpjV267IUvWzzu5Dl1StD8YUZ2/J+66helA3IGBVlIqoeoAJyrP+GNuhwInTFVBlVxDyn8N/VqJuFw3B8c2W7BX6+68asZROeaTHDu2rYfxVWhGss7oKTxz4RdiK510tLh5OtI7M5f2b8gnhqwTbsiHM4UaCXGP4JdmIsyLcUEeg9K1jQx/LsYCBi9ZaegzbhIvgi3r12495Fzw5gWfZ5Xsf7gvQYR41A==,iv:QemGZaVH7IHvLdTjhr+R7FMyuJlGk9UsZMn5aILwwNg=,tag:N3dCm2v044ZrOgPjWSrjuw==,type:str]
mautrix-slack-bridge.yaml: ""
mautrix-telegram-bridge.yaml: ENC[AES256_GCM,data:l+PW2hMSJJ86E17ghwGCHyzs7cO4h3MmLXQOHbZU2V06WliHnwcJw4agn1VixNTW2aJGZzJOezgqg/ZZIM5kCcENTjP13Pyd7I637bdE2XQQT9/KnrCiVFViQSJ+FqKobGVYUWuQkZGB6y3Dw+xo31wVuCP6xUKg7bqj5VgMoDhOVi3C8ckWFnvUqgIxKSTgABN1kQYGreW1jpeAJ8BtmR1mXZ+O/Qq6qNlZlGG/0i8fRwiCzm18r2R+KEtsF0DFneVI3mHqvyeSv19gn2YgNIF6E7Y0lMQBfDAhz/T+dN0uUt23huBA94xVuNEkLA6OlTkOPmVm5Y3+1TDDc1JEyVSaMyODHUFU27NhIcS85b6ImcKjhoezYIxhYU5agGzi/C8ltpt97f2wj3ONna3YRr0p19H3AW3z4X4aPpY779RZ3Ix5f8+/qRd/aiD1hTwUbUk7tILs7Gc1aa/pzOwG4/usK1AYsiO0Eryazeix50s0VvhB9kMNIs5FE+9We8aVwxQubrc3biB9HvpuUgfcQt336udHqjmpzu/xAohc9KaqiSj4gOYxKorm6JO4Y0FoPTWS7Cadq0Wbs5aZOT8SAKZUYcAQZot6n7NFVudc5wZ22SPvTSSoHinipBwYHmoesRzQjX72ZFeHcHDBi5wnWI33EaxEcmryltKyeiesoX1Dl/E5F/mMLUxkCap/pJusum/SHi38iuiKBZ545bn6xOm8kwl8hHpxfNjaNAzZEZRmyAFCgiVYr2pdm935uv2ZVMOEoD75zcds/DGACUgD/VuNVfGLRP/ZT9yh6XCk6SM9RX5Ycv8=,iv:o1rRZEi7DXUo5VrgmKwZT8/+Lvfr1i4n2Xfi+Kn7bzM=,tag:ihE864vT1LNY47MfmLPDGw==,type:str]
appservice-matrix-bridge.yaml: ENC[AES256_GCM,data:e4ceqgp7Mw7QeS6x+6csIRbD1O4Ifp3ruEEDle6GxqD703Emn7/58hHaydmNB/By2JnHvl/d1t5RYIUqwZp25NHjxemKjnS7iLMzCjmf4KhKzWHGnGDwegbEOK7eFKM0LThgcjWKZF9Lu3JSUvcJfmXTIqjLdUh/Min41Kg09IZW3bAMLlbVioV2JUNAdWpGYet9HTKTQVFx7/Dycn28HlFTf8Pn7WM2zH+dCOqtwb8IqJI9fnvCrLLmT1nn6dsG3wZfKUXFK2RVEeoL1wSRvpNRpt3sB2fURO4GNWs+6NkPqdeiQCPGV3GkcqRzCpDWkZ5vUSYiGaSZXEJoR3UBvtx7OM8QVbGQk2TsHXBOlnlrRJXiXjrEH5x2zxD+1vB2D3vqoVhONRuRas4UcnKoocTt+HZ5Vp4cDKLxZGNrQapaMGjVv8l+LFaUVHTr3e6Hi1/qFD2Mcg0AJpFUtSzD21vzpqM=,iv:U04ozvNRpnflofWhAM5TR9gfi82gqpGqa+YHxPdjHaQ=,tag:+q3hHKXlC1oFzFD0qZZi+Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-01-22T05:50:40Z"
mac: ENC[AES256_GCM,data:RzkcL1XLj84Xxg7CpBwirNWi46+O+2e3BcSaZkoCOrh434rxRTTX8Ifz8COW4M8+kGhZc/OKAvCsJ3mNEjFEoztm9+L1reoHRyAKl5cYL6B9uFdZqi4Qw0SH2JjtsGrbxAhYE9F7bDHnjhuOBllWHf+QZErzC4FOLZPOWaKbDRE=,iv:pyGnS5Kb15kOo9aMlELH15C7XjNpHkPALuzd1Y4gsDA=,tag:3km2NDpwEtCXrmZrQTksWg==,type:str]
pgp:
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA82rPM2mSf/aARAAkFACzQmqyF9BqaD1qEjIO4e6owS/n4h3U6ee0Y7fhO8y
a5RJ4/HvMmfXcYeHm+CZjsFaui4YJkPS93clGTJzV4w15yXJUunIVjAmkvSrVh6P
GqRUtNpi1y+JCS3sjlAfvm3h9b08dNxFv7rTwZtDiP8zmcNuB0zbLBFR7G6ixetx
ZxL7piPYX75Rqoz8A/+V7VAtsoX8t3xv5xgjHzzfhiM3TeoQUgLnF8aN5huiSptf
dMmNMa0GGu5QaUjYJ3iHjv5eMtCJ79KwpuCfv5iX34Q++rTe5VUWoQabNAiE/Frt
Rc3JB8o8rfL6WME9qIIa5k654JlVDKqOvTH3mtHkOIWhD2+CEK89Siq3G35Kkct8
Ym7UNa6gE8IdSGkCOH81G4ZheU6Z8OKF1Z7dO+o7IdgIURTwLEFeBIC2PtWOKOJP
PnzqZNk1w4n4XK6hQg4bmIj8VaZXXgHEXcO/jaGCoRyr36BHCE1Sj1ae5cMUgDje
p6WKVO6gXfRg7SRJqQNUh03Lz0YKIjsI/429UPyf9mtXbHfvVyrW3+wyByok86FG
cGL1Y/N7thxAxXqHy4OZFCE0NMP2bobMzzGJTtDY9oPsGwTb6xk1g0wE5zg6IoQa
9hnObBJhdpvYcD6juz+V0wkeI30essnz7ZTtsLdfCox6mnP5BMTtzxmcRrCpNvHS
UQFIZa0XryYoXv3rcw6yUpkqv6aYzD3L4PnqYtGUEtbMoTb8NXa9Cp+1OeypqZ0g
7uO5zCKJgL6sBaPnJL5/n+afafzYcIOsQc2O+q0s4O1d5Q==
=3E6w
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMAw95Vf08z8oUAQ//abo3n5r8YdQ6p+/X031/n8MCvWKw+ERGSvDuT2r7g8m8
DqrBQmX578jHVmZkC2B6fYqEBuQAeyEJyQ56MLMuGMNSET8dgNS4Uj/gwvsuEDQf
NhU10WLkfQ3g2/o654BVzPC2b3UQTL4mmXqp0+ID79uynn0/WZ0TQQ8xj/uUaDS1
h6/uC7mmDGTHaxF3gFuYkvWMghU0bqX5BfrAPdICAr8FIqxUGIvUD6KkBu9hWTYP
RLtfwpU/DAcT/7pNtic25WzzQt7W0mok3zUZZq5r2UqO35x2XOrgC5DQ69QYf7JZ
a9S236gEpAS0Kl1IWSvY2kDzj/J27T3nonY2kX3a+UqVWX15LEmVmNNUMwjz91/b
0G+26vustzinHBs30EHGBqhyELjRW0RjcmlVGNXvZwhgGL5/LNIEcfBi19tIang1
dRYE9TasSeRbyTU/A/CXFDeuGtC8K552SzXjv1zP6gkwZFb0/zd0/XHPSyGyOLbM
1PC3JhkA8GEYQ7l9y5BdPXxZseuoSHDPHfMRIcnogx6w6rfBdd9+78M1WjnGzhYi
/utORBaiwU9Zk+Xm3B+WbkDl5+jio+UIp9nHoYAGfuJ9A6TZYBIavB6K171wALke
Kl6hoTxef/VGwdfXB9ikUy0bi0Km1vVpZGVzIjSFXiSlLkaamhxUFSgDPGZN21rS
UQHeXKkhgKXTEVvi+kypRbN2/174bElGTWz1C2TWPNJAcvvKmRw66t5g8pahnXbm
SYQoB5JaAl0URu6zHWBYhCjQjiyePhnxHV4tgGtEYAdY3g==
=xXRR
-----END PGP MESSAGE-----
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA0/D4ws+/KPtARAAsxa6N9jRT1AUqfWI7gIfJK6i6g0F5oxRYJ5A2mjhc89k
ZAN4/tO9GC+Fg8+lLhPHdiz6v2T1+92AFXET3jm+ax6rYei2woMHNXKzgqxjkQEQ
xQ/3LcQ3+FOTrvy7Gir9HQ/DoWSePBF7tx16unxH75hi6AgOiT0nFoEbXP3CJXie
lVOO5r5jKgBg9LENj/U+9LHjXB6W0PbVdhxdeStk2TTKcmuDnrGeqKZ3SyZ9V33p
DEfydW+T0ac156Eb2tdszzW5e87oPmW78wvLkotboZcPVWBadRtJkzVn3JXoMAda
gN+W2+I4/4iQN8ITBQ+2i5GsdbHtnrmPkzSbtSqhujwZ1k/a7uRmHy46ejDK9QnT
lQzm2OKyjTlCDhnxnKj0eTE4nN0CDyxGBNlNVG2piKd8i+HpqrjKJ9IUcMj7oO3U
8rtQ2A0LHquNvu6ZatP6fUk3tKgLaEslV4ORXMlILdZXlYqgznmvWJaII3XVeu8l
G/tHPkOhrcQDIecBeYcTLZYXtPtmY1UNJZfbDazG/9J0rdq/r9NmnB7woy7FSYEp
yRNji1i/89nVLsu94ra1D6FHyxgIFTSLkD7s1iCMTsz0UdwfbxqdLIWumYrm04XF
wM2eTB8OAGe8mdfi1q4te0FEDMLTpdYBhYDDjHmBv4fXwKPcWkgixvNJtT6xPgLS
UQEvOn03hQ8MCQ5kh1R1FoTOw1UpgV0eqJSateC2wkBKbZ/4NWPbnZA7XAW6Jb98
JidKJ8TiYiI33hxUhu4nUeZWjNcd7MgHyl1Do2r7SfyICw==
=TXST
-----END PGP MESSAGE-----
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA5Wf+FyJ+zFJAQ/+I9khYJfqjCHhrAaElVWKgn4c+7C+oilVNE0132pQZfLb
u17yv6AYY5zThK6Lg0GZMKaKFn+JuF9wonTyixJQccJ+w2MxsJQRNQZTV/t19HrQ
B+6YFLVPNyOglr7jf+o5BnOdIvpR0Cog5JDzn0j4iwpRWRSGW1sWXiABKWUIW0Ks
nR7Rm/k3Jm8zYO6LtoyYog5HGUEHRMuOY6Yoj/EEbfDLKFU5WZ+hfKnbGGM9KW31
RkXoCtjm2AstZTia5+Y0E3wNb9bbvpbkewyQd5KqaHmHaX3MzuoYKNHGVEgPMfla
Y26aED5uSLETv+C1U/jYJyxyVJxNYb2JBrS8a7+p+mo00Cvbs/pbM/cr5Y/Ogu7Q
Ed0+Ixst3LzSTOcYAAiEC/LpWztaIp/4h/cAfE7eKnsoFUVcv2lLpLHyI7fS/sJH
Ywp8tlqlfx7DaCqYEVjPMSfI9qBbJomoQ77szHL+Gyi4ibyF0iRz0/NnF5lmu5H5
sDAYiqnHEIpk1v+gWXoj/CQq7a5jJf044cYylcO+al27cugr+jr5TBQQVv+wDNJV
LqpAxmmz8yUJ6RlTSg5JwNlNCCOONv6f+lX0Cjk7V0kPcOMgbVn19Su7zIvhM7wd
m9mzuVWWx2SBGzORdK9W4tt7lybU7aCvusT1jP1nwXF/JCz9lyEbb1syaNIAiXHS
UQE2Va23CUVgB+cV/ImXBCEuAjZhiSMFVCtWOZrcqPS8EZX9s6WzscpsEmFnDE7t
GVR3u1IyjxTsuTxxYU0ldSjHqYFjQrgRD3ZBzwZcgeajqw==
=bF9b
-----END PGP MESSAGE-----
fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA8KRInHl7Vz+ARAAoMRyGipvXTgUChfL1Lryej14FI9+8dvWQculBjPQzg6x
oxdPzz07ifIX8D64zfToE+qc439l/RYwiMx9XyGscEim0D1GIFPwxOm4DCXT+/5m
wlLkOBP7oMwirqSazS7dNF1hE83717QTi1GqC0UqhoMINtxrhQIv1Y6xxREqD1Wd
eW3M45p1i8iSZkzF7n0EhIK3J59Wl3vxt9FUX3YRWk1JH0oaqIc1VCH3TJc73DAx
9e1jIVQSo4R8BfQc5Y64xRh0eq/87Ud2E2x9JbZmpnw4FN/OHg9QqRMaZ9r6EQ/l
VerhJFkfSj3UVAfODzViKXyNTKRak1GOcQBE5lfAXynAW1nfTTx0re0rl6/tvOwC
i02a/raksTI8afak1RMclNFqlihsegGU239ZGDRPb4apL32nYY0SMim58vET8rv5
eTiQE1udg+1ttIRAGq/PxzHKlc6FUEdyJ6i2Da16c0K76FpF3Gnxxhw+Tleixx3h
6+PbhC2qEgt7LS8TNg9J2WTDy4Hlw5YEmzOAM9NA6UYrH9BHsR87sbdriz6pAC55
CnFkWptrME4CjUP72qIezRYt/4784ABTw6poQ51jP30641YhgPoYLrWS8hWQYaE3
jcrum3JQnLTjsE88OclcreKNvNj+b1t0uxuHa/6UdMnyRCd8osJ22s6JJHLGgB/S
UQHvy+Rv0QJ65DjsJ4TfdRBLcKXaF7Ar5SaANqGi8EYwjVbhfImwx5VSEsvQclEU
7JihoETtCrRwJM1BkJz3nuBAaYDm1Y+lWHSyVZ6xi8G0eg==
=n6cE
-----END PGP MESSAGE-----
fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
encrypted_regex: ^(data|stringData)$
version: 3.8.1

98
kustomizations/matrix/synapse/deployment.yaml Normal file
View File

@ -0,0 +1,98 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: synapse
spec:
template:
spec:
containers:
- name: synapse
args:
- run
- --config-path
- /config/homeserver.yaml
- --config-path
- /config/secrets.yaml
env:
- name: SYNAPSE_CACHE_FACTOR
value: "5.00"
ports:
- name: http
containerPort: 8008
protocol: TCP
- name: metrics
containerPort: 9002
protocol: TCP
image: matrixdotorg/synapse
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /_matrix/client/versions
port: 8008
scheme: HTTP
initialDelaySeconds: 120
readinessProbe:
httpGet:
path: /_matrix/client/versions
port: 8008
scheme: HTTP
initialDelaySeconds: 10
resources:
# These are just some arbitrary values, will have to be tuned or removed per-deployment
requests:
memory: 1Gi
cpu: 1000m
limits:
memory: 1Gi
cpu: 1
volumeMounts:
- name: data
mountPath: /data
- name: keys
mountPath: /config/keys
- name: config
mountPath: /config/homeserver.yaml
subPath: homeserver.yaml
- name: config
mountPath: /usr/local/lib/python3.11/site-packages/shared_secret_authenticator.py
subPath: shared_secret_authenticator.py
- name: log-config
mountPath: /config/log.config
subPath: log.config
- name: config-secrets
mountPath: /config/secrets.yaml
subPath: homeserver.yaml
- name: config-secrets
mountPath: /bridges/mautrix-slack-bridge.yaml
subPath: mautrix-slack-bridge.yaml
- name: config-secrets
mountPath: /bridges/mautrix-telegram-bridge.yaml
subPath: mautrix-telegram-bridge.yaml
- name: config-secrets
mountPath: /bridges/appservice-matrix-bridge.yaml
subPath: appservice-matrix-bridge.yaml
- name: tmp
mountPath: /tmp
restartPolicy: Always
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
volumes:
# Will need to be a persistant volume of some kind to support media uploads, unless using matrix-media-repo
- name: data
emptyDir: {}
- name: tmp
emptyDir: {}
- name: keys
secret:
secretName: signing-key
- name: config-secrets
secret:
secretName: config
- configMap:
name: synapse
name: config
- configMap:
name: synapse-log
name: log-config

10
kustomizations/matrix/synapse/federation-service.yaml Normal file
View File

@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: synapse-federation
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP

83
kustomizations/matrix/synapse/files/homeserver.yaml Normal file
View File

@ -0,0 +1,83 @@
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "distrust.co"
pid_file: /data/homeserver.pid
use_presense: true
enable_search: true
public_baseurl: "https://matrix.distrust.co"
# Homeserver blocking
# Set to true to globally block access to the homeserver
hs_disabled: false
hs_disalbed_message: "Homeserver is not currently accessible"
# Federation
allow_public_rooms_over_federation: true
# federation_domain_whitelist: []
federation_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
# Listeners
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
resources:
- names: [client, federation]
compress: false
- port: 9002
type: metrics
resources:
- name: [metrics]
compress: true
# Registration
registration:
enabled: false
allowGuests: false
autoJoinRooms: []
# This is handled by Cert Manager
acme:
enabled: false
# Bridges
app_service_config_files:
- /bridges/appservice-matrix-bridge.yaml
- /bridges/mautrix-telegram-bridge.yaml
# - /bridges/mautrix-slack-bridge.yaml
# Turn
turn_user_lifetime: 1h
turn_allow_guests: true
# Metrics/Telemetry
enable_metrics: true
report_stats: false
admin_email: "mailto:matrix@distrust.co"
log_config: "/config/log.config"
media_store_path: /data/media_store
signing_key_path: "/config/keys/signing.key"
trusted_key_servers:
- server_name: "matrix.org"
# vim:ft=yaml

31
kustomizations/matrix/synapse/files/log.config Normal file
View File

@ -0,0 +1,31 @@
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
formatter: precise
loggers:
# This is just here so we can leave `loggers` in the config regardless of whether
# we configure other loggers below (avoid empty yaml dict error).
_placeholder:
level: "INFO"
shared_secret_authenticator:
level: INFO
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
root:
level: INFO
handlers: [console]
disable_existing_loggers: false

123
kustomizations/matrix/synapse/files/shared_secret_authenticator.py Normal file
View File

@ -0,0 +1,123 @@
# -*- coding: utf-8 -*-
#
# Shared Secret Authenticator module for Matrix Synapse
# Copyright (C) 2018 Slavi Pantaleev
#
# https://devture.com/
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
from typing import Awaitable, Callable, Optional, Tuple
import hashlib
import hmac
import logging
import synapse
from synapse import module_api
logger = logging.getLogger(__name__)
class SharedSecretAuthProvider:
def __init__(self, config: dict, api: module_api):
for k in ('shared_secret',):
if k not in config:
raise KeyError('Required `{0}` configuration key not found'.format(k))
m_login_password_support_enabled = bool(config['m_login_password_support_enabled']) if 'm_login_password_support_enabled' in config else False
com_devture_shared_secret_auth_support_enabled = bool(config['com_devture_shared_secret_auth_support_enabled']) if 'com_devture_shared_secret_auth_support_enabled' in config else True
self.api = api
self.shared_secret = config['shared_secret']
auth_checkers: Optional[Dict[Tuple[str, Tuple], CHECK_AUTH_CALLBACK]] = {}
if com_devture_shared_secret_auth_support_enabled:
auth_checkers[("com.devture.shared_secret_auth", ("token",))] = self.check_com_devture_shared_secret_auth
if m_login_password_support_enabled:
auth_checkers[("m.login.password", ("password",))] = self.check_m_login_password
enabled_login_types = [k[0] for k in auth_checkers]
if len(enabled_login_types) == 0:
raise RuntimeError('At least one login type must be enabled')
logger.info('Enabled login types: %s', enabled_login_types)
api.register_password_auth_provider_callbacks(
auth_checkers=auth_checkers,
)
async def check_com_devture_shared_secret_auth(
self,
username: str,
login_type: str,
login_dict: "synapse.module_api.JsonDict",
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
if login_type != "com.devture.shared_secret_auth":
return None
return await self._log_in_username_with_token("com.devture.shared_secret_auth", username, login_dict.get("token"))
async def check_m_login_password(
self,
username: str,
login_type: str,
login_dict: "synapse.module_api.JsonDict",
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
if login_type != "m.login.password":
return None
return await self._log_in_username_with_token("m.login.password", username, login_dict.get("password"))
async def _log_in_username_with_token(
self,
login_type: str,
username: str,
token: str,
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
logger.info('Authenticating user `%s` with login type `%s`', username, login_type)
full_user_id = self.api.get_qualified_user_id(username)
# The password (token) is supposed to be an HMAC of the full user id, keyed with the shared secret.
given_hmac = token.encode('utf-8')
h = hmac.new(self.shared_secret.encode('utf-8'), full_user_id.encode('utf-8'), hashlib.sha512)
computed_hmac = h.hexdigest().encode('utf-8')
if not hmac.compare_digest(computed_hmac, given_hmac):
logger.info('Bad hmac value for user: %s', full_user_id)
return None
user_info = await self.api.get_userinfo_by_id(full_user_id)
if user_info is None:
logger.info('Refusing to authenticate missing user: %s', full_user_id)
return None
logger.info('Authenticated user: %s', full_user_id)
return full_user_id, None

21
kustomizations/matrix/synapse/kustomization.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/name: synapse
app.kubernetes.io/part-of: matrix
resources:
- deployment.yaml
- federation-service.yaml
- service.yaml
configMapGenerator:
- files:
- files/homeserver.yaml
- files/shared_secret_authenticator.py
name: synapse
- files:
- files/log.config
name: synapse-log
generators:
- secret-generator.yml

4
kustomizations/matrix/synapse/namespace.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: matrix

7
kustomizations/matrix/synapse/secret-generator.yml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: sydent-ksops-secrets
files:
- config-secrets.enc.yaml
- secret-key.enc.yaml

118
kustomizations/matrix/synapse/secret-key.enc.yaml Normal file
View File

@ -0,0 +1,118 @@
apiVersion: v1
kind: Secret
metadata:
name: signing-key
type: Opaque
stringData:
signing.key: ENC[AES256_GCM,data:yrRjsuapmgDgBNNXGO9YyuZtkZaFPDg80SuJgdYWS3grCnN/hmkQ5x2icAf5i4f6TjAOreYxJYzRwQ==,iv:0ww6IrM9oY47ex1zYRULQx7TdATJ9odkk5k95yDo0ms=,tag:4/MjSSY2SltTuPtMtCRUtw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-01-22T05:45:47Z"
mac: ENC[AES256_GCM,data:GitHfIeAeu4g0bf1obvjd0TS6j5AZ0qo00i4mwIL3MKtCVa3dLfGkx4dE9SD0NZqBMpHdZTWnns145uCXnJTVdyLAlz54AuG/bn7eO642SghLpUvhyhH+c+xxQF2c3UJiR7TBdjJBh0BUBSO/yOBB0ondzocW9T1hDg/ExBjeo8=,iv:77yhCNc2cJ7/uuXOEma5LEyU0YIJSQiw4IYLLASli04=,tag:41IvCCKLfQZUNHsv6DvMsA==,type:str]
pgp:
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA82rPM2mSf/aARAAkFACzQmqyF9BqaD1qEjIO4e6owS/n4h3U6ee0Y7fhO8y
a5RJ4/HvMmfXcYeHm+CZjsFaui4YJkPS93clGTJzV4w15yXJUunIVjAmkvSrVh6P
GqRUtNpi1y+JCS3sjlAfvm3h9b08dNxFv7rTwZtDiP8zmcNuB0zbLBFR7G6ixetx
ZxL7piPYX75Rqoz8A/+V7VAtsoX8t3xv5xgjHzzfhiM3TeoQUgLnF8aN5huiSptf
dMmNMa0GGu5QaUjYJ3iHjv5eMtCJ79KwpuCfv5iX34Q++rTe5VUWoQabNAiE/Frt
Rc3JB8o8rfL6WME9qIIa5k654JlVDKqOvTH3mtHkOIWhD2+CEK89Siq3G35Kkct8
Ym7UNa6gE8IdSGkCOH81G4ZheU6Z8OKF1Z7dO+o7IdgIURTwLEFeBIC2PtWOKOJP
PnzqZNk1w4n4XK6hQg4bmIj8VaZXXgHEXcO/jaGCoRyr36BHCE1Sj1ae5cMUgDje
p6WKVO6gXfRg7SRJqQNUh03Lz0YKIjsI/429UPyf9mtXbHfvVyrW3+wyByok86FG
cGL1Y/N7thxAxXqHy4OZFCE0NMP2bobMzzGJTtDY9oPsGwTb6xk1g0wE5zg6IoQa
9hnObBJhdpvYcD6juz+V0wkeI30essnz7ZTtsLdfCox6mnP5BMTtzxmcRrCpNvHS
UQFIZa0XryYoXv3rcw6yUpkqv6aYzD3L4PnqYtGUEtbMoTb8NXa9Cp+1OeypqZ0g
7uO5zCKJgL6sBaPnJL5/n+afafzYcIOsQc2O+q0s4O1d5Q==
=3E6w
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMAw95Vf08z8oUAQ//abo3n5r8YdQ6p+/X031/n8MCvWKw+ERGSvDuT2r7g8m8
DqrBQmX578jHVmZkC2B6fYqEBuQAeyEJyQ56MLMuGMNSET8dgNS4Uj/gwvsuEDQf
NhU10WLkfQ3g2/o654BVzPC2b3UQTL4mmXqp0+ID79uynn0/WZ0TQQ8xj/uUaDS1
h6/uC7mmDGTHaxF3gFuYkvWMghU0bqX5BfrAPdICAr8FIqxUGIvUD6KkBu9hWTYP
RLtfwpU/DAcT/7pNtic25WzzQt7W0mok3zUZZq5r2UqO35x2XOrgC5DQ69QYf7JZ
a9S236gEpAS0Kl1IWSvY2kDzj/J27T3nonY2kX3a+UqVWX15LEmVmNNUMwjz91/b
0G+26vustzinHBs30EHGBqhyELjRW0RjcmlVGNXvZwhgGL5/LNIEcfBi19tIang1
dRYE9TasSeRbyTU/A/CXFDeuGtC8K552SzXjv1zP6gkwZFb0/zd0/XHPSyGyOLbM
1PC3JhkA8GEYQ7l9y5BdPXxZseuoSHDPHfMRIcnogx6w6rfBdd9+78M1WjnGzhYi
/utORBaiwU9Zk+Xm3B+WbkDl5+jio+UIp9nHoYAGfuJ9A6TZYBIavB6K171wALke
Kl6hoTxef/VGwdfXB9ikUy0bi0Km1vVpZGVzIjSFXiSlLkaamhxUFSgDPGZN21rS
UQHeXKkhgKXTEVvi+kypRbN2/174bElGTWz1C2TWPNJAcvvKmRw66t5g8pahnXbm
SYQoB5JaAl0URu6zHWBYhCjQjiyePhnxHV4tgGtEYAdY3g==
=xXRR
-----END PGP MESSAGE-----
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA0/D4ws+/KPtARAAsxa6N9jRT1AUqfWI7gIfJK6i6g0F5oxRYJ5A2mjhc89k
ZAN4/tO9GC+Fg8+lLhPHdiz6v2T1+92AFXET3jm+ax6rYei2woMHNXKzgqxjkQEQ
xQ/3LcQ3+FOTrvy7Gir9HQ/DoWSePBF7tx16unxH75hi6AgOiT0nFoEbXP3CJXie
lVOO5r5jKgBg9LENj/U+9LHjXB6W0PbVdhxdeStk2TTKcmuDnrGeqKZ3SyZ9V33p
DEfydW+T0ac156Eb2tdszzW5e87oPmW78wvLkotboZcPVWBadRtJkzVn3JXoMAda
gN+W2+I4/4iQN8ITBQ+2i5GsdbHtnrmPkzSbtSqhujwZ1k/a7uRmHy46ejDK9QnT
lQzm2OKyjTlCDhnxnKj0eTE4nN0CDyxGBNlNVG2piKd8i+HpqrjKJ9IUcMj7oO3U
8rtQ2A0LHquNvu6ZatP6fUk3tKgLaEslV4ORXMlILdZXlYqgznmvWJaII3XVeu8l
G/tHPkOhrcQDIecBeYcTLZYXtPtmY1UNJZfbDazG/9J0rdq/r9NmnB7woy7FSYEp
yRNji1i/89nVLsu94ra1D6FHyxgIFTSLkD7s1iCMTsz0UdwfbxqdLIWumYrm04XF
wM2eTB8OAGe8mdfi1q4te0FEDMLTpdYBhYDDjHmBv4fXwKPcWkgixvNJtT6xPgLS
UQEvOn03hQ8MCQ5kh1R1FoTOw1UpgV0eqJSateC2wkBKbZ/4NWPbnZA7XAW6Jb98
JidKJ8TiYiI33hxUhu4nUeZWjNcd7MgHyl1Do2r7SfyICw==
=TXST
-----END PGP MESSAGE-----
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA5Wf+FyJ+zFJAQ/+I9khYJfqjCHhrAaElVWKgn4c+7C+oilVNE0132pQZfLb
u17yv6AYY5zThK6Lg0GZMKaKFn+JuF9wonTyixJQccJ+w2MxsJQRNQZTV/t19HrQ
B+6YFLVPNyOglr7jf+o5BnOdIvpR0Cog5JDzn0j4iwpRWRSGW1sWXiABKWUIW0Ks
nR7Rm/k3Jm8zYO6LtoyYog5HGUEHRMuOY6Yoj/EEbfDLKFU5WZ+hfKnbGGM9KW31
RkXoCtjm2AstZTia5+Y0E3wNb9bbvpbkewyQd5KqaHmHaX3MzuoYKNHGVEgPMfla
Y26aED5uSLETv+C1U/jYJyxyVJxNYb2JBrS8a7+p+mo00Cvbs/pbM/cr5Y/Ogu7Q
Ed0+Ixst3LzSTOcYAAiEC/LpWztaIp/4h/cAfE7eKnsoFUVcv2lLpLHyI7fS/sJH
Ywp8tlqlfx7DaCqYEVjPMSfI9qBbJomoQ77szHL+Gyi4ibyF0iRz0/NnF5lmu5H5
sDAYiqnHEIpk1v+gWXoj/CQq7a5jJf044cYylcO+al27cugr+jr5TBQQVv+wDNJV
LqpAxmmz8yUJ6RlTSg5JwNlNCCOONv6f+lX0Cjk7V0kPcOMgbVn19Su7zIvhM7wd
m9mzuVWWx2SBGzORdK9W4tt7lybU7aCvusT1jP1nwXF/JCz9lyEbb1syaNIAiXHS
UQE2Va23CUVgB+cV/ImXBCEuAjZhiSMFVCtWOZrcqPS8EZX9s6WzscpsEmFnDE7t
GVR3u1IyjxTsuTxxYU0ldSjHqYFjQrgRD3ZBzwZcgeajqw==
=bF9b
-----END PGP MESSAGE-----
fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
- created_at: "2024-01-11T20:55:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA8KRInHl7Vz+ARAAoMRyGipvXTgUChfL1Lryej14FI9+8dvWQculBjPQzg6x
oxdPzz07ifIX8D64zfToE+qc439l/RYwiMx9XyGscEim0D1GIFPwxOm4DCXT+/5m
wlLkOBP7oMwirqSazS7dNF1hE83717QTi1GqC0UqhoMINtxrhQIv1Y6xxREqD1Wd
eW3M45p1i8iSZkzF7n0EhIK3J59Wl3vxt9FUX3YRWk1JH0oaqIc1VCH3TJc73DAx
9e1jIVQSo4R8BfQc5Y64xRh0eq/87Ud2E2x9JbZmpnw4FN/OHg9QqRMaZ9r6EQ/l
VerhJFkfSj3UVAfODzViKXyNTKRak1GOcQBE5lfAXynAW1nfTTx0re0rl6/tvOwC
i02a/raksTI8afak1RMclNFqlihsegGU239ZGDRPb4apL32nYY0SMim58vET8rv5
eTiQE1udg+1ttIRAGq/PxzHKlc6FUEdyJ6i2Da16c0K76FpF3Gnxxhw+Tleixx3h
6+PbhC2qEgt7LS8TNg9J2WTDy4Hlw5YEmzOAM9NA6UYrH9BHsR87sbdriz6pAC55
CnFkWptrME4CjUP72qIezRYt/4784ABTw6poQ51jP30641YhgPoYLrWS8hWQYaE3
jcrum3JQnLTjsE88OclcreKNvNj+b1t0uxuHa/6UdMnyRCd8osJ22s6JJHLGgB/S
UQHvy+Rv0QJ65DjsJ4TfdRBLcKXaF7Ar5SaANqGi8EYwjVbhfImwx5VSEsvQclEU
7JihoETtCrRwJM1BkJz3nuBAaYDm1Y+lWHSyVZ6xi8G0eg==
=n6cE
-----END PGP MESSAGE-----
fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
encrypted_regex: ^(data|stringData)$
version: 3.8.1

16
kustomizations/matrix/synapse/service.yaml Normal file
View File

@ -0,0 +1,16 @@
kind: Service
apiVersion: v1
metadata:
name: synapse
spec:
ports:
- name: http
protocol: TCP
port: 8008
targetPort: 8008
- name: https
protocol: TCP
port: 8448
targetPort: 8448
selector: {}
type: ClusterIP