initial commit

lp/matrix/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: lp-matrix
+  title: Matrix (lp)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

lp/matrix/lp/README.md

@@ -0,0 +1,72 @@
+#Installatie:
+You only need to expose port 443 (HTTPS) on your public IP.
+All Matrix client communication and server-to-server federation is done over HTTPS.
+
+Dus ingressroute van entrypoint 443 naar poort 8008 is voldoende. 
+Je hoeft niks open te zetten op de internet router
+
+#configuratie STUN & TURN:
+
+als je de container directory "data" mount op een pvc dan vind je daar de bestanden:
+
+homeserver.db      homeserver.db-wal  matrix-lp.allarddcs.nl.log.config   media_store
+homeserver.db-shm  homeserver.yaml    matrix-lp.allarddcs.nl.signing.key
+
+homeserver.yaml bevat:
+
+turn_uris:
+  - "turn:coturn-lp.allarddcs.nl:3478?transport=udp"
+  - "turn:coturn-lp.allarddcs.nl:3478?transport=tcp"
+stun_uris:
+  - "stun:stun.l.google.com:19302"
+  - "stun:stun1.l.google.com:19302"
+  - "stun:stun2.l.google.com:19302"
+
+#registratie admin:
+
+kubectl exec -it matrix-644984f6b7-d7jcp -n matrix -- register_new_matrix_user http://localhost:8008  -u admin -p Matrix01@ \
+        -a -k f0hE.OTU8UXQ44yIHPWtO+8CKhM-b:QZNngk_qhE8EvgmP-3h@
+
+#registratie gewone gebruiker:
+
+kubectl exec -it matrix-644984f6b7-d7jcp -n matrix -- register_new_matrix_user http://localhost:8008  -u diederick -p Matrix01@ \
+        --no-admin -k f0hE.OTU8UXQ44yIHPWtO+8CKhM-b:QZNngk_qhE8EvgmP-3h@
+
+#algemeen:
+
+usage: register_new_matrix_user [-h] [-u USER] [--exists-ok] [-p PASSWORD | --password-file PASSWORD_FILE] [-t USER_TYPE]                                [-a | --no-admin] (-c CONFIG | -k SHARED_SECRET)
+                                [server_url]
+
+Used to register new users with a given homeserver when registration has been disabled. The homeserver must be configured with
+the 'registration_shared_secret' option set.
+
+positional arguments:
+  server_url            URL to use to talk to the homeserver. By default, tries to find a suitable URL from the configuration
+                        file. Otherwise, defaults to 'http://localhost:8008'.
+
+options:
+  -h, --help            show this help message and exit
+  -u USER, --user USER  Local part of the new user. Will prompt if omitted.
+  --exists-ok           Do not fail if user already exists.
+  -p PASSWORD, --password PASSWORD
+                        New password for user. Will prompt for a password if this flag and `--password-file` are both omitted.
+  --password-file PASSWORD_FILE
+                        File containing the new password for user. If set, will override `--password`.
+  -t USER_TYPE, --user_type USER_TYPE
+                        User type as specified in synapse.api.constants.UserTypes
+  -a, --admin           Register new user as an admin. Will prompt if --no-admin is not set either.
+  --no-admin            Register new user as a regular user. Will prompt if --admin is not set either.
+  -c CONFIG, --config CONFIG
+                        Path to server config file. Used to read in shared secret.
+  -k SHARED_SECRET, --shared-secret SHARED_SECRET
+                        Shared secret as defined in server config file.
+#COTURN:
+
+#check udp:
+
+nc -zvu coturn-lp.allarddcs.nl 3478
+nc -zv coturn-lp.allarddcs.nl 3478
+nc -zv coturn-lp.allarddcs.nl 5349
+
+#checken certificaat:
+kubectl describe secret coturn-cert -n matrix

lp/matrix/lp/element.yaml

@@ -0,0 +1,98 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: element
+  namespace: matrix
+  labels:
+    app: element
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: element
+  template:
+    metadata:
+      labels:
+        app: element
+    spec:
+      containers:
+        - name: element
+          image: vectorim/element-web
+          securityContext:
+            runAsUser: 0  # Run as root (user ID 0)
+            runAsGroup: 0  # Run as root group (group ID 0)
+          ports:
+            - containerPort: 80
+          env:
+            - name: SYNAPSE_SERVER
+              value: "https://matrix-lp.allarddcs.nl"
+            - name: BASE_URL
+              value: "https://element-lp.allarddcs.nl"
+          volumeMounts:
+            - name: element-config
+              mountPath: /config
+      volumes:
+        - name: element-config
+          configMap:
+            name: element-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: element-config
+data:
+  config.json: |
+    {
+      "default_homeserver": "https://matrix-lp.allarddcs.nl",
+      "branding": {
+        "brand": "AllardDCS",
+        "icon": "/path/to/logo.png"
+      }
+    }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: element
+  namespace: matrix
+spec:
+  ports:
+  - name: http
+    targetPort: 80
+    port: 80
+  selector:
+    app: element
+  type: ClusterIP
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: element-http
+  namespace: matrix
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`element-lp.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: element
+      port: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: element-tls
+  namespace: matrix
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`element-lp.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: element
+      port: 80
+  tls:
+    secretName: element-lp.allarddcs.nl-tls
+

lp/matrix/lp/ingressroute-http.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: acme-challenge
+  namespace: cert-manager
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: PathPrefix(`/\.well-known/acme-challenge/`)
+      kind: Rule
+      services:
+        - name: cert-manager
+          port: 80

lp/matrix/lp/matrix-certificate.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: matrix-lp.allarddcs.nl-tls
+  namespace: matrix
+spec:
+  dnsNames:
+  - matrix-lp.allarddcs.nl
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt
+  secretName: matrix-lp.allarddcs.nl-tls
+  usages:
+  - digital signature
+  - key encipherment

lp/matrix/lp/matrix.yaml

@@ -0,0 +1,116 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix
+  namespace: matrix
+  labels:
+    app: matrix
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: matrix
+  template:
+    metadata:
+      labels:
+        app: matrix
+    spec:
+      containers:
+        - name: matrix
+          image: matrixdotorg/synapse:latest
+#          args:
+#          - generate
+          env:
+          - name: SYNAPSE_SERVER_NAME
+            value: "matrix-lp.allarddcs.nl"
+#          - name: SYNAPSE_REPORT_STATS
+#            value: "yes"
+          volumeMounts:
+          - mountPath: /data
+            name: matrix
+      volumes:
+      - name: matrix
+        persistentVolumeClaim:
+          claimName: matrix-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix
+  namespace: matrix
+spec:
+  ports:
+  - name: http
+    targetPort: 8008
+    port: 8008
+  selector:
+    app: matrix
+  type: NodePort
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: matrix-http
+  namespace: matrix
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`matrix-lp.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: matrix
+      port: 8008
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: matrix-tls
+  namespace: matrix
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`matrix-lp.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: matrix
+      port: 8008
+  tls:
+    secretName: matrix-lp.allarddcs.nl-tls
+#    certResolver: letsencrypt
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: matrix-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/matrix/lp
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: matrix-pvc
+  namespace: matrix
+spec:
+  storageClassName: ""
+  volumeName: matrix-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+

lp/matrix/lp/recoverykey.txt

@@ -0,0 +1,2 @@
+account: test
+recovery key: EsTz j5um bhAd WG9u GiHo bkt5 EjRa 7Bhh UxbH 89PT QEn2 zm2e

lp/matrix/prod/README.md

@@ -0,0 +1,47 @@
+
+#registratie admin:
+
+kubectl exec -it matrix-644984f6b7-d7jcp -n matrix -- register_new_matrix_user http://localhost:8008  -u admin -p Matrix01@ \
+        -a -k f0hE.OTU8UXQ44yIHPWtO+8CKhM-b:QZNngk_qhE8EvgmP-3h@
+
+#registratie gewone gebruiker:
+
+kubectl exec -it matrix-644984f6b7-d7jcp -n matrix -- register_new_matrix_user http://localhost:8008  -u diederick -p Matrix01@ \
+        --no-admin -k f0hE.OTU8UXQ44yIHPWtO+8CKhM-b:QZNngk_qhE8EvgmP-3h@
+
+#algemeen:
+
+usage: register_new_matrix_user [-h] [-u USER] [--exists-ok] [-p PASSWORD | --password-file PASSWORD_FILE] [-t USER_TYPE]                                [-a | --no-admin] (-c CONFIG | -k SHARED_SECRET)
+                                [server_url]
+
+Used to register new users with a given homeserver when registration has been disabled. The homeserver must be configured with
+the 'registration_shared_secret' option set.
+
+positional arguments:
+  server_url            URL to use to talk to the homeserver. By default, tries to find a suitable URL from the configuration
+                        file. Otherwise, defaults to 'http://localhost:8008'.
+
+options:
+  -h, --help            show this help message and exit
+  -u USER, --user USER  Local part of the new user. Will prompt if omitted.
+  --exists-ok           Do not fail if user already exists.
+  -p PASSWORD, --password PASSWORD
+                        New password for user. Will prompt for a password if this flag and `--password-file` are both omitted.
+  --password-file PASSWORD_FILE
+                        File containing the new password for user. If set, will override `--password`.
+  -t USER_TYPE, --user_type USER_TYPE
+                        User type as specified in synapse.api.constants.UserTypes
+  -a, --admin           Register new user as an admin. Will prompt if --no-admin is not set either.
+  --no-admin            Register new user as a regular user. Will prompt if --admin is not set either.
+  -c CONFIG, --config CONFIG
+                        Path to server config file. Used to read in shared secret.
+  -k SHARED_SECRET, --shared-secret SHARED_SECRET
+                        Shared secret as defined in server config file.
+#coturn:
+
+check udp:
+
+nc -zvu coturn-prod.allarddcs.nl 3478
+nc -zv coturn-prod.allarddcs.nl 3478
+nc -zv coturn-prod.allarddcs.nl 5349
+

lp/matrix/prod/coturn-cert.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: coturn-cert
+  namespace: matrix
+spec:
+  secretName: coturn-cert
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - "matrix-prod.allarddcs.nl"

lp/matrix/prod/coturn-certificate.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: coturn-prod.allarddcs.nl-tls
+  namespace: matrix
+spec:
+  dnsNames:
+  - cotrun-prod.allarddcs.nl
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt
+  secretName: coturn-prod.allarddcs.nl-tls
+  usages:
+  - digital signature
+  - key encipherment

lp/matrix/prod/coturn.yaml

@@ -0,0 +1,153 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coturn
+  namespace: matrix
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: coturn
+  template:
+    metadata:
+      labels:
+        app: coturn
+    spec:
+      containers:
+        - name: coturn
+          image: coturn/coturn:latest
+          ports:
+            - name: turn-udp
+              containerPort: 3478
+              protocol: UDP
+            - name: turn-tcp
+              containerPort: 3478
+              protocol: TCP
+            - name: turns-tcp
+              containerPort: 5349
+              protocol: TCP
+          volumeMounts:
+            - name: coturn-cert
+              mountPath: "/etc/coturn/certs"
+              readOnly: true
+            - name: coturn-config
+              mountPath: /etc/coturn
+            - name: coturn-data
+              mountPath: /var/log
+              subPath: logs
+          args:
+            - "--tls-listening-port=5349"
+            - "--cert=/etc/coturn/certs/tls.crt"
+            - "--pkey=/etc/coturn/certs/tls.key"
+      volumes:
+        - name: coturn-config
+          configMap:
+            name: coturn-config
+        - name: coturn-data
+          persistentVolumeClaim:
+            claimName: coturn-pvc
+        - name: coturn-cert
+          secret:
+            secretName: coturn-cert
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coturn-config
+  namespace: matrix
+data:
+  turnserver.conf: |
+    listening-port=3478
+    tls-listening-port=5349
+    listening-ip=0.0.0.0
+    relay-ip=0.0.0.0
+    total-quota=100
+    bps-capacity=0
+    cert=/etc/coturn/certs/fullchain.pem
+    pkey=/etc/coturn/certs/privkey.pem
+    log-file=/var/log/turnserver.log
+    no-stdout-log
+    verbose
+
+    min-port=49152
+    max-port=65535
+
+    # External IP (public or internal depending on setup)
+    listening-ip=0.0.0.0
+    relay-ip=0.0.0.0
+    external-ip=82.174.234.158
+
+    # Secure authentication
+    use-auth-secret
+    static-auth-secret=heleenvanderpol
+    realm=matrix-prod.allarddcs.nl
+
+    # Enable TLS
+    cert=/etc/coturn/certs/fullchain.pem
+    pkey=/etc/coturn/certs/privkey.pem
+
+    # WebRTC-specific settings
+    fingerprint
+    lt-cred-mech
+    stale-nonce
+
+    # Allow peers to communicate via relay
+    no-multicast-peers
+    no-loopback-peers
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coturn
+  namespace: matrix
+spec:
+  selector:
+    app: coturn
+  type: LoadBalancer
+  ports:
+    - name: coturn-udp
+      port: 3478
+      targetPort: 3478
+      protocol: UDP
+    - name: coturn-tcp
+      port: 3478
+      targetPort: 3478
+      protocol: TCP
+    - name: coturn-tls
+      port: 5349
+      targetPort: 5349
+      protocol: TCP
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: coturn-pvc
+  namespace: matrix
+spec:
+  storageClassName: ""
+  volumeName: coturn-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: coturn-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/coturn
+    readOnly: false

lp/matrix/prod/ingressroute-http.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: acme-challenge
+  namespace: cert-manager
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: PathPrefix(`/\.well-known/acme-challenge/`)
+      kind: Rule
+      services:
+        - name: cert-manager
+          port: 80

lp/matrix/prod/matrix-certificate.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: matrix-prod.allarddcs.nl-tls
+  namespace: matrix
+spec:
+  dnsNames:
+  - matrix-prod.allarddcs.nl
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt
+  secretName: matrix-prod.allarddcs.nl-tls
+  usages:
+  - digital signature
+  - key encipherment

lp/matrix/prod/matrix.yaml

@@ -0,0 +1,116 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix
+  namespace: matrix
+  labels:
+    app: matrix
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: matrix
+  template:
+    metadata:
+      labels:
+        app: matrix
+    spec:
+      containers:
+        - name: matrix
+          image: matrixdotorg/synapse:latest
+#          args:
+#          - generate
+          env:
+          - name: SYNAPSE_SERVER_NAME
+            value: "matrix.allarddcs.nl"
+#          - name: SYNAPSE_REPORT_STATS
+#            value: "yes"
+          volumeMounts:
+          - mountPath: /data
+            name: matrix
+      volumes:
+      - name: matrix
+        persistentVolumeClaim:
+          claimName: matrix-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix
+  namespace: matrix
+spec:
+  ports:
+  - name: http
+    targetPort: 8008
+    port: 8008
+  selector:
+    app: matrix
+  type: NodePort
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: matrix-http
+  namespace: matrix
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`matrix-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: matrix
+      port: 8008
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mattrix-tls
+  namespace: matrix
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`matrix-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: matrix
+      port: 8008
+  tls:
+    secretName: matrix-prod.allarddcs.nl-tls
+#    certResolver: letsencrypt
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: matrix-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/matrix/prod
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: matrix-pvc
+  namespace: matrix
+spec:
+  storageClassName: ""
+  volumeName: matrix-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+