# Deploying Matrix on a cluster

## k8s

### PersistentVolumeClaim

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: matrix-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 70Gi
  storageClassName: some-random-storage-class
```

### Deployment

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-conduit
  labels:
    type: matrix
    app: conduit
spec:
  revisionHistoryLimit: 0
  replicas: 1
  selector:
    matchLabels:
      type: matrix
      app: conduit
  template:
    metadata:
      labels:
        type: matrix
        app: conduit
    spec:
      containers:
        - name: matrix-conduit
          image: matrixconduit/matrix-conduit:latest
          env:
            - name: CONDUIT_SERVER_NAME
              value: some.random.domain.name
            - name: CONDUIT_DATABASE_BACKEND
              value: rocksdb
            - name: CONDUIT_ALLOW_REGISTRATION
              value: 'true'  # open registration: anyone reaching the server can create an account
            - name: CONDUIT_ALLOW_FEDERATION
              value: 'true'  # talk to other homeservers
            - name: CONDUIT_MAX_REQUEST_SIZE
              value: '20000000'
            - name: CONDUIT_TRUSTED_SERVERS
              value: '["matrix.org"]'
          ports:
            - containerPort: 6167
          volumeMounts:
            - name: nfs
              mountPath: /var/lib/matrix-conduit/
      volumes:
        - name: nfs
          persistentVolumeClaim:
            claimName: matrix-pvc
```
### IPAddressPool

Note: the cluster must already have MetalLB installed.

```yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: intern-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.168.10.0/24
    - 192.168.9.1-192.168.9.5
    - fc00:f853:0ccd:e799::/124
```

### L2Advertisement

```yaml
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: public
  namespace: metallb-system
spec:
  ipAddressPools:
    - intern-pool
```

### Service

```yaml
apiVersion: v1
kind: Service
metadata:
  name: matrix-service
  annotations:
    metallb.universe.tf/loadBalancerIPs: 192.168.10.114 # random address in intern-pool
spec:
  type: LoadBalancer
  selector:
    type: matrix
  ports:
    - protocol: TCP
      port: 6167 # 8448
      targetPort: 6167
```
## Certificates

Port 80 on the server is not open, so only the DNS challenge works:

```shell
sudo certbot --manual --preferred-challenges dns certonly
```
## Reverse proxy: Traefik

### static config

```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: true
entryPoints:
  matrix:
    address: :8448
providers:
  file:
    directory: ./traefik-config
```

### dynamic config

Put this inside the `providers.file.directory` defined above.
The certificate paths are relative to the Traefik executable.

```yaml
tcp:
  routers:
    main:
      entryPoints:
        - matrix
      service: "matrix"
      rule: 'HostSNI(`some.random.domain.name`)'
      tls: {}
  services:
    matrix:
      loadBalancer:
        servers:
          - address: "192.168.10.114:6167"
tls:
  certificates:
    - certFile: fullchain.pem
      keyFile: privkey.pem
```
## cloudflare

Since I cannot get at the server the domain points to, the only option is to tinker with Cloudflare a bit.
First, do the domain a favour and switch its A/AAAA records to proxied.
Then add a Worker.

### index.ts

```typescript
export interface Env {
  m_server: string,
  m_client: string
}

export default {
  // Serves the two Matrix delegation documents; the route below limits this
  // Worker to /.well-known/matrix/*, so the suffix checks are enough.
  async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
    if (request.url.endsWith('server')) {
      // /.well-known/matrix/server: where other homeservers federate to
      return Response.json({
        'm.server': env.m_server
      })
    } else if (request.url.endsWith('client')) {
      // /.well-known/matrix/client: where clients send their API calls
      return Response.json({
        "m.homeserver": {
          "base_url": env.m_client
        }
      })
    } else {
      return new Response(null, {
        status: 400,
        statusText: 'Bad Request'
      })
    }
  },
};
```

### wrangler.toml

```toml
[vars]
m_server = "some.random.domain.name:8448"
m_client = "https://some.random.domain.name:8448"
```

Then attach `some.random.domain/.well-known/matrix/*` to the Worker under Workers Routes.
## Testing

- `https://some.random.domain.name:8448/` returns `Hello from Conduit!`
- `https://some.random.domain/.well-known/matrix/server` returns `{"m.server":"some.random.domain.name:8448"}`
- `https://some.random.domain/.well-known/matrix/client` returns `{"m.homeserver":{"base_url":"https://some.random.domain.name:8448"}}`

## Problems and solutions

- Element cannot find the homeserver `some.random.domain`.
  Set up a Cloudflare Transform Rule: if URI Full equals `https://some.random.domain/.well-known/matrix/client`, then set the static header `Access-Control-Allow-Origin` to `*`.
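As an added check that is not part of the original post, the following Python script interprets the two `.well-known` responses from the test section the way a federating homeserver and Element do, and reports the missing CORS header behind the Element problem above. The sample bodies and headers are constructed inline and the problem strings are my own wording.

```python
import json
from urllib.parse import urlsplit

# Constructed sample responses, matching the test section of this post.
SERVER_WELL_KNOWN = '{"m.server":"some.random.domain.name:8448"}'
CLIENT_WELL_KNOWN = '{"m.homeserver":{"base_url":"https://some.random.domain.name:8448"}}'
# Client well-known headers before and after the Transform Rule is applied.
HEADERS_WITHOUT_CORS = {"Content-Type": "application/json"}
HEADERS_WITH_CORS = {**HEADERS_WITHOUT_CORS, "Access-Control-Allow-Origin": "*"}

DEFAULT_FEDERATION_PORT = 8448  # Matrix federation default when m.server has no port


def parse_server_well_known(body: str) -> tuple[str, int]:
    """Read 'm.server' (host[:port]) the way a federating homeserver does."""
    target = json.loads(body).get("m.server")
    if not isinstance(target, str) or not target:
        raise ValueError("m.server must be a non-empty string")
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():  # bare hostname or bracketed IPv6 literal
        return target, DEFAULT_FEDERATION_PORT
    return host, int(port)


def parse_client_well_known(body: str) -> str:
    """Read 'm.homeserver.base_url' the way Element does: https, with a host."""
    base_url = json.loads(body)["m.homeserver"]["base_url"]
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"base_url is not an https URL: {base_url!r}")
    return base_url.rstrip("/")  # a trailing slash is tolerated and dropped


def check_delegation(server_body: str, client_body: str,
                     client_headers: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the delegation is usable."""
    problems = []
    fed_host, _fed_port = parse_server_well_known(server_body)
    base_url = parse_client_well_known(client_body)
    # Element (a web app on another origin) reads the client well-known with
    # fetch(), so the response must allow cross-origin reads.
    acao = {k.lower(): v for k, v in client_headers.items()}.get(
        "access-control-allow-origin")
    if acao != "*":
        problems.append("client well-known lacks Access-Control-Allow-Origin: *")
    # Clients and federating servers should end up at the same homeserver.
    if urlsplit(base_url).hostname != fed_host:
        problems.append(f"client base_url host differs from m.server host {fed_host}")
    return problems
```

Run `check_delegation` against the live responses (fetched with any HTTP client) after changing the Worker or the Transform Rule; an empty list means both Element and remote homeservers can discover the server.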