jaggar/iac-cljs-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jaggar:262468686f468b6ec49968041371addc7c25f63d
Branches Tags
jaggar:master
...
compare: jaggar:ae903af93cf53162dced171e4fe0dabe653ebe69
Branches Tags
jaggar:master

22 Commits
262468686f ... ae903af93c

Author SHA1 Message Date
GigiaJ
ae903af93c Add Matrix stack 2025-11-30 05:23:52 -06:00
GigiaJ
11af17cd8a Add new resources 2025-11-30 05:23:39 -06:00
GigiaJ
b0f9fa7205 Add to firewall 2025-11-30 05:23:25 -06:00
GigiaJ
87fdd5b2fe Fix Prometheus 2025-11-30 05:23:13 -06:00
GigiaJ
97ebd04d99 Fix Nextcloud (wtf broadcom) 2025-11-30 05:22:46 -06:00
GigiaJ
e5ce37638e Define coturn (not enabling for awhile tho) 2025-11-30 05:22:28 -06:00
GigiaJ
a920a01815 quickly outline mmr-db 2025-11-30 05:21:57 -06:00
GigiaJ
0ac3993314 Define DB for just mautrix 2025-11-30 05:21:22 -06:00
GigiaJ
bc6fc1dafe Split DB into two and delete the single resource here 2025-11-30 05:21:08 -06:00
GigiaJ
350c7db62a Define MMR 2025-11-30 05:20:12 -06:00
GigiaJ
01e405d125 Moved livekit into element-call 2025-11-30 05:19:53 -06:00
GigiaJ
089f7045cc Since no more Caddy, Well-known needs to be split into its own resource 2025-11-30 05:19:30 -06:00
GigiaJ
2be11cec39 Begin defining our homeserver 2025-11-30 05:19:05 -06:00
GigiaJ
0b5e4285c7 Define Livekit Server 2025-11-30 05:18:47 -06:00
GigiaJ
a3422f0e84 Define Livekit JWT 2025-11-30 05:18:31 -06:00
GigiaJ
5261340c9e Define Element call 2025-11-30 05:18:20 -06:00
GigiaJ
3caeb8cc0d Define Element 2025-11-30 05:17:58 -06:00
GigiaJ
6e6410c824 Define Cinny 2025-11-30 05:15:29 -06:00
GigiaJ
68946832dc add homeassistant 2025-11-30 05:15:17 -06:00
GigiaJ
93da50fba1 Swap to using s3 w/ pvc and juicefs 2025-11-30 05:15:01 -06:00
GigiaJ
2db2c19461 Add name to service port 2025-11-30 05:13:26 -06:00
GigiaJ
ab7c7a1e04 Add name to service port 2025-11-30 05:13:16 -06:00
23 changed files with 606 additions and 143 deletions
Expand all files Collapse all files

14
src/main/core.cljs
View File

@@ -10,7 +10,8 @@
initialize-resources-definition initialize-resources-definition
shared-resources-definition shared-resources-definition
preparation-resources-definition preparation-resources-definition
deployment-resources-definition]] deployment-resources-definition
matrix-resources-definition]]
) )
(:require-macros [pulumicljs.execution.general :refer [p->]])) (:require-macros [pulumicljs.execution.general :refer [p->]]))
@@ -49,7 +50,8 @@
#(execute #(execute
shared-resources-definition shared-resources-definition
(fn [output] (let [secrets (p-> output .-harbor "vault:prepare" "stringData")] (fn [output] (let [secrets (p-> output .-harbor "vault:prepare" "stringData")]
#js {:url (p-> secrets .-host (fn [x] (str "https://" x))) #js {
:url (p-> secrets .-host (fn [x] (str "https://" x)))
:username (p-> secrets .-username) :username (p-> secrets .-username)
:password (p-> secrets .-password)}))))) :password (p-> secrets .-password)})))))
@@ -67,6 +69,13 @@
"/home/jaggar/dotfiles/iac" "/home/jaggar/dotfiles/iac"
#(execute deployment-resources-definition (fn [output] {})))) #(execute deployment-resources-definition (fn [output] {}))))
(def matrix-stack
(define-stack
"hetzner-k3s"
"matrix"
"/home/jaggar/dotfiles/iac"
#(execute matrix-resources-definition (fn [output] {}))))
(defn deploy-stack (defn deploy-stack
([stack-definition inputs] ([stack-definition inputs]
@@ -112,6 +121,7 @@
1000) 1000)
prepare-outputs (deploy-stack prepare-deployment-stack reused-configs 3000) prepare-outputs (deploy-stack prepare-deployment-stack reused-configs 3000)
deployment-outputs (deploy-stack deployment-stack reused-configs 2000) deployment-outputs (deploy-stack deployment-stack reused-configs 2000)
matrix-outputs (deploy-stack matrix-stack reused-configs 2000)
_ (.kill port-forward)] _ (.kill port-forward)]
"All stacks deployed and cleaned up successfully.")) "All stacks deployed and cleaned up successfully."))

4
src/main/infra/init.cljs
View File

@@ -69,7 +69,9 @@
{:direction "in" :protocol "udp" :port "51820" :sourceIps ["0.0.0.0/0" "::/0"]} {:direction "in" :protocol "udp" :port "51820" :sourceIps ["0.0.0.0/0" "::/0"]}
{:direction "in" :protocol "tcp" :port "80" :sourceIps ["0.0.0.0/0" "::/0"]} {:direction "in" :protocol "tcp" :port "80" :sourceIps ["0.0.0.0/0" "::/0"]}
{:direction "in" :protocol "tcp" :port "443" :sourceIps ["0.0.0.0/0" "::/0"]} {:direction "in" :protocol "tcp" :port "443" :sourceIps ["0.0.0.0/0" "::/0"]}
{:direction "in" :protocol "icmp" :sourceIps ["0.0.0.0/0" "::/0"]}]})) {:direction "in" :protocol "icmp" :sourceIps ["0.0.0.0/0" "::/0"]}
{:direction "in" :protocol "udp" :port "31000-31100" :sourceIps ["0.0.0.0/0" "::/0"]}
]}))
master (hcloud/Server. master (hcloud/Server.
"k3s-master-de" "k3s-master-de"

3
src/main/k8s/add_ons/csi_driver/extra/redis.cljs
View File

@@ -39,4 +39,5 @@
{:metadata {:name "juicefs-redis" :namespace "kube-system"} {:metadata {:name "juicefs-redis" :namespace "kube-system"}
:spec {:type "ClusterIP" :spec {:type "ClusterIP"
:selector {:app "juicefs-redis"} :selector {:app "juicefs-redis"}
:ports [{:port 6379 :targetPort 6379}]}}}) :ports [{:name 'app-name
:port 6379 :targetPort 6379}]}}})

3
src/main/k8s/add_ons/proxy.cljs
View File

@@ -54,6 +54,7 @@
:k8s:service-opts :k8s:service-opts
{:spec {:spec
{:ports {:ports
[{:port 80 [{:name 'app-name
:port 80
:targetPort 80}]}}}) :targetPort 80}]}}})

55
src/main/k8s/services/gitea/service.cljs
View File

@@ -1,25 +1,54 @@
(ns k8s.services.gitea.service) (ns k8s.services.gitea.service)
(def config (def config
{:stack [:vault:prepare :k8s:deployment :k8s:service :k8s:httproute] {:stack [:vault:prepare :k8s:pvc :k8s:deployment :k8s:service :k8s:httproute]
:image-port 3000 :image-port 3000
:app-namespace "generic" :app-namespace "generic"
:app-name "gitea" :app-name "gitea"
:k8s:deployment-opts {:spec {:template {:spec {:initContainers [
{:name "init-permissions" :k8s:pvc-opts
{"gitea-data" {:storageClass "juicefs-sc" :accessModes ["ReadWriteMany"] :storage "1Ti"}
"gitea-config" {:storageClass "juicefs-sc" :accessModes ["ReadWriteMany"] :storage "1Gi"}}
:k8s:deployment-opts
{:spec
{:template
{:spec
{:initContainers
[{:name "init-permissions"
:image "busybox:latest" :image "busybox:latest"
:command ["sh" "-c" "chown -R 1000:1000 /var/lib/gitea && chown -R 1000:1000 /etc/gitea"] :command ["sh" "-c" "chown -R 1000:1000 /var/lib/gitea && chown -R 1000:1000 /etc/gitea"]
:volumeMounts [{:name "gitea-data" :mountPath "/var/lib/gitea"} :volumeMounts [{:name "gitea-data" :mountPath "/var/lib/gitea"}
{:name "gitea-config" :mountPath "/etc/gitea"}] {:name "gitea-config" :mountPath "/etc/gitea"}]
:securityContext {:runAsUser 0 :runAsGroup 0}} :securityContext {:runAsUser 0 :runAsGroup 0}}]
]
:containers [{:name 'app-name :image '(str repo "/" app-name ":latest-rootless") :containers
[{:name 'app-name
:image '(str repo "/" app-name ":latest-rootless")
:env [{:name "TZ" :value "America/Chicago"}]
:envFrom [{:secretRef {:name "gitea-secrets"}}]
:ports [{:name "http" :containerPort 3000}
{:name "ssh" :containerPort 2222}]
:volumeMounts [{:name "gitea-data" :mountPath "/var/lib/gitea"} :volumeMounts [{:name "gitea-data" :mountPath "/var/lib/gitea"}
{:name "gitea-config" :mountPath "/etc/gitea"} {:name "gitea-config" :mountPath "/etc/gitea"}]}]
{:name "timezone" :mountPath "/etc/timezone" :readOnly true}
{:name "localtime" :mountPath "/etc/localtime" :readOnly true}]}] :volumes
:volumes [{:name "gitea-data" :hostPath {:path "/opt/gitea/data" :type "DirectoryOrCreate"}} [{:name "gitea-data" :persistentVolumeClaim {:claimName "gitea-data"}}
{:name "gitea-config" :hostPath {:path "/opt/gitea/config" :type "DirectoryOrCreate"}} {:name "gitea-config" :persistentVolumeClaim {:claimName "gitea-config"}}]}}}}
{:name "timezone" :hostPath {:path "/etc/timezone" :type "File"}}
{:name "localtime" :hostPath {:path "/etc/localtime" :type "File"}}]}}}} :k8s:service-opts
{:spec
{:type "NodePort"
:selector {:app "gitea"}
:ports [
{:name 'app-name :port 3000 :targetPort 3000}
{:name "ssh"
:port 22
:targetPort 2222
:nodePort 30022
}]}}
:k8s:httproute-opts {:spec {::hostnames ['host]}}}) :k8s:httproute-opts {:spec {::hostnames ['host]}}})

34
src/main/k8s/services/homeassistant/service.cljs Normal file
View File

@@ -0,0 +1,34 @@
(ns k8s.services.homeassistant.service)
(def config
{:stack [:vault:prepare :k8s:pvc :k8s:deployment :k8s:service :k8s:httproute]
:image-port 8123
:app-namespace "home"
:app-name "homeassistant"
:k8s:pvc-opts
{"ha-config" {:storageClass "hcloud-volumes"
:accessModes ["ReadWriteOnce"]
:storage "10Gi"}}
:k8s:deployment-opts
{:spec
{:template
{:spec
{:containers
[{:name 'app-name
:image '(str repo "/home-assistant:stable")
:env [{:name "TZ" :value "America/Chicago"}]
:volumeMounts [{:name "config" :mountPath "/config"}]}]
:volumes
[{:name "config" :persistentVolumeClaim {:claimName "ha-config"}}]}}}}
:k8s:service-opts
{:spec {:selector {:app 'app-name}
:ports [{:name 'app-name :port 8123 :targetPort 8123}]}}
:k8s:httproute-opts
{:spec
{:hostnames ['host]
:rules [{:matches [{:path {:type "PathPrefix" :value "/"}}]
:backendRefs [{:name 'app-name :port 8123}]}]}}})

31
src/main/k8s/services/matrix/cinny/service.cljs
View File

@@ -1,12 +1,29 @@
(ns k8s.services.matrix.cinny.service) (ns k8s.services.matrix.cinny.service)
(def config (def config
{:stack [:vault-secrets :docker-image :deployment :service :ingress] {:stack [:vault:prepare
:image-port 80 :harbor:robot-account
:docker:image
[:k8s :deployment :service :httproute]]
:app-namespace "matrix" :app-namespace "matrix"
:app-name "cinny" :app-name "cinny"
:image-opts {:build {:args {:FOUNDRY_USERNAME 'FOUNDRY_USERNAME :docker:image-opts {:context {:location "https://github.com/GigiaJ/cinny.git"}
:FOUNDRY_PASSWORD 'FOUNDRY_PASSWORD}} :imageName '(str registry-base "/" registry-namespace "/" app-name ":latest")
:imageName '(str repo "/" app-name ":latest")} :registry {:server '(str registry-base "/" registry-namespace)
:deployment-opts {:spec {:template {:spec {:imagePullSecrets [{:name "harbor-creds-secrets"}] :username '(-> :harbor:robot-account .-name)
:containers [{:name 'app-name :image '(str repo "/" app-name ":latest")}]}}}}}) :password '(-> :harbor:robot-account .-secret)}
:tags ['(str registry-base "/" registry-namespace "/" app-name)]
:push true}
:harbor:robot-account-opts {:name 'app-name
:permissions [{:kind "project"
:namespace 'registry-namespace
:access [{:action "pull" :resource "repository"}
{:action "push" :resource "repository"}
{:action "list" :resource "repository"}]}]}
:k8s:deployment-opts {:spec {:template {:spec {:imagePullSecrets [{:name "harbor-creds-secrets"}]
:containers [{:name 'app-name
:image '(str registry-base "/" registry-namespace "/" app-name ":latest")
:ports [{:containerPort 80}]}]}}}}
:k8s:httproute-opts {:spec {::hostnames ['host]}}})

13
src/main/k8s/services/matrix/database/service.cljs
View File

@@ -1,13 +0,0 @@
(ns k8s.services.matrix.database.service)
;; env_file:
;; - .env
;; volumes:
;; - ${PWD}/db-data/:/var/lib/postgresql/data/
(def config
{:stack [:deployment :service :ingress]
:image-port 80
:app-namespace "matrix"
:app-name "postgres"
:deployment-opts {:spec {:template {:spec {:containers [{:name 'app-name :image '(str repo "/" 'app-name ":latest")}]}}}}})

73
src/main/k8s/services/matrix/element/service.cljs
View File

@@ -1,14 +1,69 @@
;; volumes:
;; - ./personal/matrix/element-config.json:/app/config.json
;; environment:
;; ELEMENT_WEB_PORT: 3030
(ns k8s.services.matrix.element.service) (ns k8s.services.matrix.element.service)
(def config (def config
{:stack [:vault-secrets :docker-image :deployment :service :ingress] {:stack [:vault:prepare [:k8s :config-map :deployment :service :httproute]]
:image-port 80 :image-port 80
:app-namespace "matrix" :app-namespace "matrix"
:app-name "element" :app-name "element-web"
:deployment-opts {:spec {:template {:spec {:imagePullSecrets [{:name "harbor-creds-secrets"}] :k8s:config-map-opts {:data {"config.json"
:containers [{:name 'app-name :image '(str repo "/" app-name ":latest")}]}}}}}) '(stringify
{:default_server_name homeserver
:default_server_config
{:m.homeserver
{:base_url (str "https://" homeserver)}
:m.identity_server
{:base_url identity-server}}
:brand brand-name
:integrations_ui_url "https://scalar.vector.im/"
:integrations_rest_url "https://scalar.vector.im/api"
:integrations_widgets_urls
["https://scalar.vector.im/_matrix/integrations/v1"
"https://scalar.vector.im/api"
"https://scalar-staging.vector.im/_matrix/integrations/v1"
"https://scalar-staging.vector.im/api"
"https://scalar-staging.riot.im/scalar/api"]
:bug_report_endpoint_url "https://element.io/bugreports/submit"
:uisi_autorageshake_app "element-auto-uisi"
:show_labs_settings true
:room_directory
{:servers [homeserver]}
:enable_presence_by_hs_url
{"https://matrix.org" false
"https://matrix-client.matrix.org" false}
:terms_and_conditions_links
[{:url (str "https://" homeserver "/privacy")
:text "Privacy Policy"}
{:url (str "https://" homeserver "/cookie-policy")
:text "Cookie Policy"}]
:sentry
{:dsn "https://029a0eb289f942508ae0fb17935bd8c5@sentry.matrix.org/6"
:environment "develop"}
:posthog
{:project_api_key "phc_Jzsm6DTm6V2705zeU5dcNvQDlonOR68XvX2sh1sEOHO"
:api_host (str "https://posthog." homeserver)}
:privacy_policy_url (str "https://" homeserver "/cookie-policy")
:features
{:threadsActivityCentre true
:feature_video_rooms true
:feature_group_calls true
:feature_element_call_video_rooms true}
:setting_defaults
{:RustCrypto.staged_rollout_percent 100
:Registration.mobileRegistrationHelper true}
:element_call
{:url (str "https://livekit." homeserver)}
:map_style_url "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"})}}
:k8s:deployment-opts {:spec
{:template
{:spec
{:volumes [{:name "config-vol"
:configMap {:name 'app-name}}]
:containers [{:name 'app-name :image '(str repo "/" app-name ":latest")
:env [{:name "ELEMENT_WEB_PORT" :value "80"}]
:volumeMounts [{:name "config-vol"
:mountPath "/app/config.json"
:subPath "config.json"}]}]}}}}
:k8s:httproute-opts {:spec {::hostnames ['host]}}})

22
src/main/k8s/services/matrix/element_call/livekit_jwt/service.cljs Normal file
View File

@@ -0,0 +1,22 @@
(ns k8s.services.matrix.element-call.livekit-jwt.service)
(def config
{:stack [:vault:prepare [:k8s :deployment :service :httproute]]
:image-port 8080
:app-namespace "matrix"
:app-name "livekit-jwt"
:k8s:deployment-opts {:spec
{:template
{:spec
{:containers [{:name 'app-name :image '(str repo "/" "lk-jwt-service" ":latest")
:env [{:name "LIVEKIT_KEY" :value 'key-name}
{:name "LIVEKIT_SECRET" :value 'dev-key}
{:name "LIVEKIT_JWT_PORT" :value "8080"}
{:name "LIVEKIT_URL" :value 'livekit-url}]}]}}}}
:k8s:httproute-opts
{:spec
{:hostnames ['host]
:rules [{:matches [{:path {:type "PathPrefix" :value "/livekit/jwt"}}]
:backendRefs [{:name 'app-name :port 80}]}
{:matches [{:path {:type "PathPrefix" :value "/sfu/get"}}]
:backendRefs [{:name 'app-name :port 80}]}]}}})

76
src/main/k8s/services/matrix/element_call/livekit_server/service.cljs Normal file
View File

@@ -0,0 +1,76 @@
(ns k8s.services.matrix.element-call.livekit-server.service)
(defn generate-all-ports [tcp-port start-udp end-udp]
(concat
[{:name "http"
:port tcp-port
:targetPort tcp-port
:containerPort tcp-port
:protocol "TCP"}]
(map (fn [p]
{:name (str "udp-" p)
:port p
:targetPort p
:nodePort p
:containerPort p
:protocol "UDP"})
(range start-udp (inc end-udp)))))
(def all-ports (generate-all-ports 7880 31000 31100))
(def config
{:stack [:vault:prepare [:k8s :config-map :deployment :service :httproute]]
:image-port nil
:app-namespace "matrix"
:app-name "livekit-server"
:k8s:config-map-opts
{:metadata {:name "livekit-config"}
:data {"livekit.yaml"
'(stringify
{:port 7880
:bind_addresses ["0.0.0.0"]
:rtc {:tcp_port 7881
:port_range_start 31000
:port_range_end 31100
:use_external_ip true} ;; Required for Hetzner Public IP discovery
:logging {:level "debug"}
:turn {:enabled false
:udp_port 443
:tls_port 5349}
:keys {:devkey dev-key}})}}
:k8s:deployment-opts
{:spec
{:template
{:spec
{:volumes [{:name "config-vol" :configMap {:name "livekit-config"}}]
:containers [{:name 'app-name
:image '(str repo "/" app-name ":latest")
:command ["/livekit-server"]
:args ["--config" "/etc/livekit.yaml"]
:ports (map #(select-keys % [:name :containerPort :protocol])
all-ports)
:volumeMounts [{:name "config-vol"
:mountPath "/etc/livekit.yaml"
:subPath "livekit.yaml"}]}]}}}}
:k8s:service-opts
{:spec {:type "NodePort"
:selector {:app 'app-name}
:ports (map #(select-keys % [:name :port :targetPort :nodePort :protocol])
all-ports)}}
:k8s:httproute-opts
{:spec
{:hostnames ['host]
:rules [{:matches [{:path {:type "PathPrefix" :value "/livekit/sfu"}}]
:filters [{:type "URLRewrite"
:urlRewrite {:path {:type "ReplacePrefixMatch"
:replacePrefixMatch "/"}}}]
:backendRefs [{:name 'app-name :port 7880}]}]}}})

32
src/main/k8s/services/matrix/element_call/service.cljs
View File

@@ -1,18 +1,26 @@
(ns k8s.services.matrix.element-call.service) (ns k8s.services.matrix.element-call.service)
;; volumes:
;; - ./personal/matrix/elementcall/config.json:/app/config.json
(def config (def config
{:stack [:vault-secrets :deployment :service :ingress] {:stack [:vault:prepare [:k8s :config-map :deployment :service :httproute]]
:image-port 80 :image-port 80
:app-namespace "matrix" :app-namespace "matrix"
:app-name "element-call" :app-name "element-call"
:deployment-opts {:spec {:template {:spec {:containers [{:name 'app-name :image '(str repo "/" app-name ":sha-1702b15") :k8s:config-map-opts {:data {"config.json"
:volumeMounts [{:name "data" :mountPath "/data"}]}] '(stringify
:initContainers [{:name "init-permissions" {:default_server_config
:image "busybox:latest" {:m.homeserver
:command ["sh" "-c" "chown -R 1000:1000 /data"] {:base_url (str "https://" homeserver)
:volumeMounts [{:name "data" :mountPath "/data"}] :server_name homeserver}}
:securityContext {:runAsUser 0 :runAsGroup 0}}] :features
:volumes [{:name "data" :hostPath {:path "/opt/mmr/data" :type "DirectoryOrCreate"}}]}}}}}) {:feature_use_device_session_member_events true}
:ssla "https://static.element.io/legal/element-software-and-services-license-agreement-uk-1.pdf"})}}
:k8s:deployment-opts {:spec
{:template
{:spec
{:volumes [{:name "config-vol"
:configMap {:name 'app-name}}]
:containers [{:name 'app-name :image '(str repo "/" app-name ":latest")
:volumeMounts [{:name "config-vol"
:mountPath "/app/config.json"
:subPath "config.json"}]}]}}}}
:k8s:httproute-opts {:spec {::hostnames ['host]}}})

52
src/main/k8s/services/matrix/home_server/service.cljs
View File

@@ -1,10 +1,48 @@
;; homeserver: (ns k8s.services.matrix.home-server.service)
;; volumes:
;; - db:/var/lib/conduwuit
(def config (def config
{:stack [:vault-secrets :docker-image :deployment :service :ingress] {:stack [:vault:prepare [:k8s :pvc :deployment :service :httproute]]
:image-port 80 :image-port 6167
:app-namespace "matrix" :app-namespace "matrix"
:app-name "tuwunel" :app-name "tuwunel"
:deployment-opts {:spec {:template {:spec {:containers [{:name 'app-name :image '(str repo "/" 'app-name ":latest")}]}}}}})
:k8s:pvc-opts
{"conduwuit-db" {:storageClass "hcloud-volumes"
:accessModes ["ReadWriteOnce"]
:storage "20Gi"}}
:k8s:deployment-opts
{:spec
{:template
{:spec
{:containers
[{:name 'app-name
:image '(str repo "/tuwunel:latest")
:envFrom [{:secretRef {:name '(str app-name "-secrets")}}]
:volumeMounts [{:name "db" :mountPath "/var/lib/conduwuit"}
#_{:name "discord-reg"
:mountPath "/etc/conduwuit/discord-registration.yaml"
:subPath "registration.yaml"}]}]
:volumes
[{:name "db" :persistentVolumeClaim {:claimName "conduwuit-db"}}
#_{:name "discord-reg" :configMap {:name "discord-bridge-config"}}
]}}}}
:k8s:service-opts
{:spec {:ports [{:name 'app-name :port 'port :targetPort 'port}]}}
:k8s:httproute-opts
{:spec
{:hostnames ['homeserver]
:rules [{:matches [{:path {:type "PathPrefix" :value "/_matrix/media"}}]
:backendRefs [{:name "mmr" :port 8000}]}
{:matches [{:path {:type "PathPrefix" :value "/_matrix/client/v1/media"}}]
:backendRefs [{:name "mmr" :port 8000}]}
{:matches [{:path {:type "PathPrefix" :value "/.well-known/matrix"}}]
:backendRefs [{:name "matrix-well-known" :port 80}]}
{:matches [{:path {:type "PathPrefix" :value "/"}}]
:backendRefs [{:name 'app-name :port 'port}]}]}}})

26
src/main/k8s/services/matrix/home_server/well_known/service.cljs Normal file
View File

@@ -0,0 +1,26 @@
(ns k8s.services.matrix.home-server.well-known.service)
(def config
{:stack [:vault:prepare :k8s:config-map :k8s:deployment :k8s:service]
:app-namespace "matrix"
:app-name "matrix-well-known"
:k8s:config-map-opts
{:metadata {:name "well-known-json"}
:data {"server" "{\"m.server\": \"hampter.quest:443\"}"
"client" '(stringify
{:m.homeserver {:base_url (str "https://" homeserver)}
:org.matrix.msc4143.rtc_foci [{:type "livekit"
:livekit_service_url livekit-url}]})}}
:k8s:deployment-opts
{:spec
{:template
{:spec
{:containers
[{:name "nginx"
:image "nginx:alpine"
:volumeMounts [{:name "config" :mountPath "/usr/share/nginx/html/.well-known/matrix"}]}]
:volumes [{:name "config" :configMap {:name "well-known-json"}}]}}}}
:k8s:service-opts
{:spec {:ports [{:port 80 :targetPort 80}]}}})

8
src/main/k8s/services/matrix/livekit_jwt/service.cljs
View File

@@ -1,8 +0,0 @@
(ns k8s.services.matrix.livekit-jwt.service)
(def config
{:stack [:vault-secrets :docker-image :deployment :service :ingress]
:image-port 80
:app-namespace "matrix"
:app-name "livekit-jwt"
:deployment-opts {:spec {:template {:spec {:containers [{:name 'app-name :image '(str repo "/" lk-jwt-service ":0.2.3")}]}}}}})

16
src/main/k8s/services/matrix/livekit_server/service.cljs
View File

@@ -1,16 +0,0 @@
;; livekit:
;; command: --config /etc/livekit.yaml
;; - ./personal/matrix/elementcall/livekit.yaml:/etc/livekit.yaml
;; ports:
;; - 50100-50200:50100-50200/udp
(ns k8s.services.matrix.livekit-server.service)
(def config
{:stack [:vault-secrets :docker-image :deployment :service :ingress]
:image-port 80
:app-namespace "matrix"
:app-name "livekit-server"
:deployment-opts {:spec {:template {:spec {:containers [{:name 'app-name :image '(str repo "/" 'app-name ":latest")}]}}}}})

38
src/main/k8s/services/matrix/mautrix_discord/database/service.cljs Normal file
View File

@@ -0,0 +1,38 @@
(ns k8s.services.matrix.mautrix-discord.database.service)
(def config
{:stack [:vault:prepare :k8s:pvc :k8s:config-map :k8s:deployment :k8s:service]
:app-namespace "matrix"
:app-name "mautrix-discord"
:image-port 29334
:k8s:config-map-opts
{:metadata {:name "discord-bridge-config"}
:data {"config.yaml" "YAML-HERE" ;;TODO
"registration.yaml" "YAML-HERE"}}
:k8s:pvc-opts
{"discord-bridge-data" {:storageClass "juicefs-sc"
:accessModes ["ReadWriteMany"]
:storage "1Gi"}}
:k8s:deployment-opts
{:spec
{:template
{:spec
{:containers
[{:name 'app-name
:image "dock.mau.dev/mautrix/discord:latest"
:args ["/usr/bin/mautrix-discord" "-c" "/data/config.yaml" "-r" "/data/registration.yaml"]
:volumeMounts [{:name "data" :mountPath "/data"}
{:name "config" :mountPath "/data/config.yaml" :subPath "config.yaml"}
{:name "config" :mountPath "/data/registration.yaml" :subPath "registration.yaml"}]}]
:volumes
[{:name "data" :persistentVolumeClaim {:claimName "discord-bridge-data"}}
{:name "config" :configMap {:name "discord-bridge-config"}}]}}}}
:k8s:service-opts
{:spec {:selector {:app 'app-name}
:ports [{:port 29334 :targetPort 29334}]}}})

30
src/main/k8s/services/matrix/mmr/database/service.cljs Normal file
View File

@@ -0,0 +1,30 @@
(ns k8s.services.matrix.mmr.database.service)
(def config
{:stack [:vault:prepare :k8s:pvc :k8s:deployment :k8s:service]
:app-namespace "matrix"
:app-name "mmr-db"
:k8s:pvc-opts
{"mmr-pg-data" {:storageClass "hcloud-volumes"
:accessModes ["ReadWriteOnce"]
:storage "10Gi"}}
:k8s:deployment-opts
{:spec
{:template
{:spec
{:containers
[{:name 'app-name
:image "postgres:14-alpine"
:env [{:name "POSTGRES_USER" :value "mmr"}
{:name "POSTGRES_PASSWORD" :value "mmr_password"}
{:name "POSTGRES_DB" :value "media_repo"}]
:volumeMounts [{:name "db" :mountPath "/var/lib/postgresql/data"}]}]
:volumes
[{:name "db" :persistentVolumeClaim {:claimName "mmr-pg-data"}}]}}}}
:k8s:service-opts
{:spec {:selector {:app 'app-name}
:ports [{:port 5432 :targetPort 5432}]}}})

50
src/main/k8s/services/matrix/mmr/service.cljs
View File

@@ -2,20 +2,48 @@
(ns k8s.services.matrix.mmr.service) (ns k8s.services.matrix.mmr.service)
(def config (def config
{:stack [:vault-secrets :deployment :service :ingress] {:stack [:vault:prepare [:k8s :config-map :deployment :service :httproute]]
:image-port 80 :image-port 80
:app-namespace "matrix" :app-namespace "matrix"
:app-name "matrix-media-repo" :app-name "matrix-media-repo"
:deployment-opts {:spec {:template {:spec {:containers [{:name 'app-name :image '(str repo "/" app-name ":v1.3.8") :k8s:config-map-opts
:volumeMounts [{:name "data" :mountPath "/data"}]}] {:metadata {:name "mmr-config"}
:initContainers [{:name "init-permissions" :data {"media-repo.yaml"
:image "busybox:latest" '(stringify
:command ["sh" "-c" "chown -R 1000:1000 /data"] {:repo {:port port
:volumeMounts [{:name "data" :mountPath "/data"}] :bindAddress "0.0.0.0"
:securityContext {:runAsUser 0 :runAsGroup 0}}] :logLevel "debug"}
:volumes [{:name "data" :hostPath {:path "/opt/mmr/data" :type "DirectoryOrCreate"}}]}}}}}) :database {:postgres db-login-url}
:homeservers [{:name homeserver
:csApi (str "https://" homeserver)}]
:accessTokens {:appservices [{:id "discord"
:asToken discord-app-service-token
:senderUserId discord-send-user-id
:userNamespaces {:regex user-namespace-regex}}]}
:admins [admin]
:datastores [{:type "s3"
:id s3-id
:forKinds ["all"]
:opts {:tempPath "/tmp/media-repo"
:endpoint s3-endpoint
:accessKeyId s3-access-key
:accessSecret s3-secret-key
:ssl true
:bucketName s3-bucket-name
:region s3-region}}]
:rateLimit {:enabled false}})}}
:k8s:deployment-opts {:spec {:template {:spec {:containers [{:args ["-config" "/etc/media-repo.yaml"]
:name 'app-name
:image '(str repo "/" app-name ":v1.3.8")
:volumeMounts [{:name "config-vol"
:mountPath "/mmr"
:subPath "media-repo.yaml"}
{:name "temp-vol"
:mountPath "/tmp/media-repo"}]}]
:volumes [{:name "config-vol" :configMap {:name "mmr-config"}}
{:name "temp-vol"
:emptyDir {}}]}}}}
:k8s:httproute-opts {:spec {::hostnames ['host]}}})
;;
;; - ./personal/matrix/mmr:/data

69
src/main/k8s/services/matrix/turn/service.cljs
View File

@@ -1,14 +1,67 @@
(ns k8s.services.matrix.turn.service) (ns k8s.services.matrix.turn.service)
;; - ./personal/matrix/coturn.conf:/etc/coturn/turnserver.conf (defn generate-all-ports [start-relay end-relay]
(concat
[{:name "signaling-udp" :port 3478 :targetPort 3478 :nodePort 30478 :containerPort 3478 :protocol "UDP"}
{:name "signaling-tcp" :port 3478 :targetPort 3478 :nodePort 30478 :containerPort 3478 :protocol "TCP"}
{:name "tls-udp" :port 5349 :targetPort 5349 :nodePort 30549 :containerPort 5349 :protocol "UDP"}
{:name "tls-tcp" :port 5349 :targetPort 5349 :nodePort 30549 :containerPort 5349 :protocol "TCP"}]
(map (fn [p]
{:name (str "relay-" p)
:port p
:targetPort p
:nodePort p
:containerPort p
:protocol "UDP"})
(range start-relay (inc end-relay)))))
(def all-ports (generate-all-ports 32000 32050))
(def config (def config
{:stack [:vault-secrets :docker-image :deployment :service :ingress] {:stack [:vault:prepare [:k8s :config-map :deployment :service]]
:image-port 80 :image-port nil
:app-namespace "matrix" :app-namespace "matrix"
:app-name "coturn" :app-name "coturn"
:image-opts {:build {:args {:FOUNDRY_USERNAME 'FOUNDRY_USERNAME
:FOUNDRY_PASSWORD 'FOUNDRY_PASSWORD}} :k8s:config-map-opts
:imageName '(str repo "/" app-name ":latest")} {:metadata {:name "coturn-config"}
:deployment-opts {:spec {:template {:spec {:imagePullSecrets [{:name "harbor-creds-secrets"}] :data {"turnserver.conf"
:containers [{:name 'app-name :image '(str repo "/" app-name ":latest")}]}}}}}) '(str
"listening-port=3478\n"
"tls-listening-port=5349\n"
"min-port=32000\n"
"max-port=32050\n"
(str "external-ip=" public-ip "\n")
(str "realm" homeserver "\n")
(str "server-name=" host "\n")
"log-file=stdout\n"
"use-auth-secret\n"
(str "static-auth-secret=" secret-auth "\n")
"fingerprint\n"
"lt-cred-mech\n")}}
:k8s:deployment-opts
{:spec
{:template
{:spec
{:volumes [{:name "config" :configMap {:name "coturn-config"}}]
:containers [{:name 'app-name
:image "coturn/coturn:latest"
:ports (map #(select-keys % [:name :containerPort :protocol])
all-ports)
:volumeMounts [{:name "config"
:mountPath "/etc/coturn/turnserver.conf"
:subPath "turnserver.conf"}]}]}}}}
:k8s:service-opts
{:spec {:type "NodePort"
:selector {:app 'app-name}
:ports (map #(select-keys % [:name :port :targetPort :nodePort :protocol])
all-ports)}}})

33
src/main/k8s/services/nextcloud/service.cljs
View File

@@ -2,19 +2,38 @@
;; Need to automate set-up/restore ;; Need to automate set-up/restore
(def config (def config
{:stack [:vault-secrets :k8s:chart :k8s:httproute] {:stack [:vault:prepare :k8s:chart :k8s:httproute]
:app-namespace "nextcloud" :app-namespace "nextcloud"
:app-name "nextcloud" :app-name "nextcloud"
:image-port 8080 :image-port 80
:vault-load-yaml true :vault-load-yaml true
:k8s:chart-opts {:repositoryOpts {:repo "https://nextcloud.github.io/helm/"} :k8s:chart-opts {:repositoryOpts {:repo "https://nextcloud.github.io/helm/"}
:values {:nextcloud {:host 'host :values
:trustedDomains ['host 'app-name]}} {:nextcloud {:host 'host
:containerPort 80
:trustedDomains ['host 'app-name]
:persistence {:enabled true
:storageClass "juicefs-sc"
:accessMode "ReadWriteMany"
:size "1Ti"}}
:service {:port 80}
:mariadb {:enabled true
:architecture "standalone"
:primary {:persistence {:enabled true
:storageClass "hcloud-volumes"
:size "8Gi"}}
;; Obligatory what the fuck Broadcom, why are you like this. RIP Bitnami
:volumePermissions {:enabled true
:image {:registry "docker.io"
:repository "bitnami/os-shell"
:tag "latest"
:pullPolicy "Always"}}
}
:transformations (fn [args _opts] :transformations (fn [args _opts]
(let [kind (get-in args [:resource :kind])] (let [kind (get-in args [:resource :kind])]
(if (some #{kind} ["StatefulSet" "PersistentVolumeClaim" "Ingress"]) (if (some #{kind} ["StatefulSet" "PersistentVolumeClaim" "Ingress"])
(update-in args [:resource :metadata :annotations] (update-in args [:resource :metadata :annotations]
#(assoc (or % {}) "pulumi.com/skipAwait" "true")) #(assoc (or % {}) "pulumi.com/skipAwait" "true"))
args)))} args)))}}
:k8s:httproute-opts {:spec {::hostnames ['host]}} :k8s:httproute-opts {:spec {::hostnames ['host]}}})
})

6
src/main/k8s/services/prometheus/service.cljs
View File

@@ -1,12 +1,10 @@
(ns k8s.services.prometheus.service) (ns k8s.services.prometheus.service)
(def config (def config
{:stack [:vault-secrets :chart] {:stack [:vault:prepare :k8s:chart]
:app-namespace "prometheus" :app-namespace "prometheus"
:app-name "prometheus" :app-name "prometheus"
:image-port 8080 :k8s:chart-opts {:chart "kube-prometheus-stack"
:vault-load-yaml true
:chart-opts {:chart "kube-prometheus-stack"
:repositoryOpts {:repo "https://prometheus-community.github.io/helm-charts"} :repositoryOpts {:repo "https://prometheus-community.github.io/helm-charts"}
:namespace "monitoring" :namespace "monitoring"
:values {:grafana {:adminPassword 'password :values {:grafana {:adminPassword 'password

27
src/main/stack_resource_definitions.cljs
View File

@@ -5,7 +5,6 @@
[k8s.add-ons.csi-driver.hetzner :as hetzner-csi] [k8s.add-ons.csi-driver.hetzner :as hetzner-csi]
[infra.dns :as dns] [infra.dns :as dns]
[k8s.preparers.harbor :as harbor-prepare] [k8s.preparers.harbor :as harbor-prepare]
[k8s.add-ons.gateway.traefik :as traefik] [k8s.add-ons.gateway.traefik :as traefik]
[k8s.add-ons.cert-manager :as cert-manager] [k8s.add-ons.cert-manager :as cert-manager]
[k8s.add-ons.crd.cert-manager :as cert-manager-crd] [k8s.add-ons.crd.cert-manager :as cert-manager-crd]
@@ -23,7 +22,13 @@
[k8s.services.act-runner.service :as act-runner-service] [k8s.services.act-runner.service :as act-runner-service]
[k8s.services.foundryvtt.service :as foundryvtt-service] [k8s.services.foundryvtt.service :as foundryvtt-service]
[k8s.services.foundryvtt.service-2 :as girls-foundry-service] [k8s.services.foundryvtt.service-2 :as girls-foundry-service]
[k8s.services.productive.service :as productive-service])) [k8s.services.productive.service :as productive-service]
[k8s.services.matrix.cinny.service :as cinny-service]
[k8s.services.matrix.element-call.service :as element-call-service]
[k8s.services.matrix.element.service :as element-service]
[k8s.services.matrix.element-call.livekit-server.service :as livekit-server-service]
[k8s.services.matrix.element-call.livekit-jwt.service :as livekit-jwt-service]
))
(defn general-provider-output-refs [] (defn general-provider-output-refs []
{:vault {:stack :init {:vault {:stack :init
@@ -77,12 +82,22 @@
(def deployment-resources-definition (def deployment-resources-definition
(create-resource-definition (create-resource-definition
[girls-foundry-service/config [girls-foundry-service/config foundryvtt-service/config
foundryvtt-service/config mesite-service/config productive-service/config gitea-service/config act-runner-service/config mesite-service/config productive-service/config
#_nextcloud-service/config nextcloud-service/config
;;gitea-service/config act-runner-service/config
] ]
["base" "init" "shared"] ["base" "init" "shared"]
(general-provider-output-refs))) (general-provider-output-refs)))
(def deployment-matrix-service-registry []) (def matrix-resources-definition
(create-resource-definition
[cinny-service/config
element-call-service/config
element-service/config
livekit-server-service/config
livekit-jwt-service/config]
["base" "init" "shared"]
(general-provider-output-refs)))