diff --git a/variables.yml b/variables.yml index 0aa5d6b..f1bda8d 100644 --- a/variables.yml +++ b/variables.yml @@ -1,30 +1,59 @@ --- +# Name of the instance instance: matrix matrix: + # Server name will determine your Matrix ID (@user:server_name), it cannot be changed later server_name: matrix.[[ .consul.domain ]] + + # The public URL where user should go to reach the web interface public_url: https://matrix.[[ .consul.domain ]] + + # Are guests allowed allow_guests: false + # Consul settings, to connect to the postgres service consul: connect: upstreams: - destination_name: postgres[[ .consul.suffix ]] local_bind_port: 5432 + # SYnpase settings synapse: + # The docker image to use image: '[[ .docker.repo ]]matrix-synapse:1.98.0-1' + # Additional env var to set in the container env: {} + # You can define a custom yaml config which will be merged over the default one. + # Eg, to setup OIDC auth + # config: + # oidc_providers: + # - idp_id: oidc + # idp_name: ACME + # issuer: https://sso.example.org + # client_id: matrix + # client_secret: '{{ with secret "kv/service/matrix" }}{{ .Data.data.oidc_secret }}{{ end }}' + # scope: + # - openid + # - email + # - profile + # user_mapping_provider: + # config: + # display_name_template: '{{"{{"}} user.name {{"}}"}}' + # email_template: '{{"{{"}} user.email {{"}}"}}' config: {} + # Secrets used by Synapse macaroon_secret_key: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.macaroon_secret_key }}{{ end }}' form_secret: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.form_secret }}{{ end }}' + # URL preview settings url_preview: enabled: true ip_range_blacklist: @@ -45,6 +74,7 @@ matrix: - username: '*' - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + # Postgres database to use db: host: 127.0.0.1 port: 5432 
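Review bot: The commented OIDC example added above `config: {}` reads its client secret from `kv/service/matrix`, while the real `macaroon_secret_key` and `form_secret` lines just below use `[[ .vault.prefix ]]kv/service/[[ .instance ]]`; anyone pasting the example into `config:` on a deployment with a Vault prefix or a different instance name gets a render that fails or reads the wrong path. Suggest the example use the same templated path: `#       client_secret: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.oidc_secret }}{{ end }}'`. The `# SYnpase settings` comment has a typo (`# Synapse settings`). The `# Secrets used by Synapse` comment would be more useful if it stated that these values are Vault references rendered at deploy time and must stay references rather than be replaced by literal values committed to this file.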
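Review bot: The new `# Postgres database to use` comment does not say why `host` is `127.0.0.1`; from the `consul.connect.upstreams` entry in the first hunk (`local_bind_port: 5432`) it looks like the database is reached through the locally bound Consul Connect upstream rather than a directly exposed Postgres, which is the security-relevant fact a reader needs. Suggest `# Postgres database to use; 127.0.0.1:5432 is the local Consul Connect upstream bound above, not a publicly reachable server`. The `db` mapping continues past the end of this hunk (the `user`/`password` keys are in the next one).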
@@ -52,32 +82,46 @@ matrix: user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.username }}{{ end }}' password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.password }}{{ end }}' + # Wait for the postgres service to be ready before starting wait_for: - service: postgres[[ .consul.suffix ]] + # Resource allocation resources: cpu: 500 memory: 384 + # Element settings. + # Note : element will be served by the nginx container, so all the image, resources etc. are set there element: map_style_url: https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx + # Nginx will servce static files (well-known, element, synapse-admin), and proxy requests to synapse nginx: + + # The image to use image: '[[ .docker.repo ]]matrix-element:1.11.52-1' + # Resource allocation resources: cpu: 20 memory: 16 + # Traefik settings, to expose the service traefik: enabled: true + + # Element will need some custom CSP csp: script-src: "'self' https://usercontent.riot.im https://scalar.vector.im" worker-src: "'self' blob:" connect-src: "'self' https://scalar.vector.im https://api.maptiler.com" img-src: "'self' data: blob: https://img.youtube.com https://*.ytimg.com" frame-src: "'self' blob: https://scalar.vector.im/ https://meet.element.io" + + # List of middleware to apply middlewares: [] + # Override base_middlewares to remove csp-relaxed@file base_middlewares: - rate-limit-high@file @@ -86,6 +130,8 @@ matrix: - hsts@file - compression@file + # Admin will apply to requests directed to /_admin/ (synapse-admin) and /_synapse/admin (admin API) + # so you can restrict it further admin: base_middlewares: - rate-limit-high@file @@ -95,7 +141,9 @@ matrix: - compression@file middlewares: [] + # Volumes used for data persistance volumes: + # Synapse will use this volume to store media, signing keys etc. data: type: csi source: "[[ .instance ]]-synapse-data"
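Review bot: The `# Override base_middlewares to remove csp-relaxed@file` comment is ambiguous as written: it reads as an instruction to the reader, when it presumably explains that this instance overrides the default `base_middlewares` list so that `csp-relaxed@file` is not applied and the custom `csp` block above takes effect instead; the middle of the list is outside this hunk, so that reading cannot be confirmed here. Suggest `# base_middlewares is overridden here so the default csp-relaxed@file is not applied; the csp block above supplies the policy instead`. `# Nginx will servce static files` has a typo (`serve`). The `# Element settings` comment could also note that `map_style_url`, key included, is delivered to browsers, so only a key intended for client-side use belongs there.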
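Review bot: The added `# Admin will apply ... so you can restrict it further` comment names the paths but not how to restrict them, and the visible `base_middlewares` under `admin` starts with the same `rate-limit-high@file` as the main list, so a reader cannot tell where the restriction is meant to go. Suggest `# admin applies to /_admin/ (synapse-admin UI) and /_synapse/admin (admin API); these are privileged endpoints, so add an allow-list or authentication middleware under admin.middlewares to restrict who can reach them`, on the assumption that the `middlewares: []` at the start of the next hunk belongs to `admin`. The rest of the admin `base_middlewares` list lies between this hunk and the next.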
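Review bot: `# Volumes used for data persistance` has a typo (`persistence`). Since the next comment states that this volume holds the signing keys, it is worth saying that the volume must survive redeploys and be backed up alongside the database, because losing the signing key changes the homeserver's federation identity. Suggest `# Synapse stores media, signing keys etc. here; the signing key is the server's federation identity, so keep this volume persistent and backed up`.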