From cab7764e90e9832a700e9acb85031c48251b53ba Mon Sep 17 00:00:00 2001
From: Magic_RB <magic_rb@redalder.org>
Date: Sun, 14 May 2023 16:27:29 +0200
Subject: [PATCH] Perform Matrix restructure

Signed-off-by: Magic_RB <magic_rb@redalder.org>
---
 .../homelab-1/job/matrix-heisenbridge.hcl     |  64 +++++++
 .../homelab-1/job/matrix-mautrix-facebook.hcl | 106 ++++++++++
 .../homelab-1/job/matrix-mautrix-signal.hcl   | 113 +++++++++++
 .../job/{conduit.hcl => matrix-synapse.hcl}   | 181 ++++--------------
 .../homelab-1/{conduit.tf => matrix.tf}       |  99 +++++++++-
 5 files changed, 412 insertions(+), 151 deletions(-)
 create mode 100644 nomad/regions/homelab-1/job/matrix-heisenbridge.hcl
 create mode 100644 nomad/regions/homelab-1/job/matrix-mautrix-facebook.hcl
 create mode 100644 nomad/regions/homelab-1/job/matrix-mautrix-signal.hcl
 rename nomad/regions/homelab-1/job/{conduit.hcl => matrix-synapse.hcl} (84%)
 rename nomad/regions/homelab-1/{conduit.tf => matrix.tf} (60%)

diff --git a/nomad/regions/homelab-1/job/matrix-heisenbridge.hcl b/nomad/regions/homelab-1/job/matrix-heisenbridge.hcl
new file mode 100644
index 0000000..a092228
--- /dev/null
+++ b/nomad/regions/homelab-1/job/matrix-heisenbridge.hcl
@@ -0,0 +1,64 @@
+variable "flake_ref" {
+  type = string
+}
+
+variable "flake_sha" {
+  type = string
+}
+
+job "matrix-heisenbridge" {
+  datacenters = [ "homelab-1" ]
+  type = "service"
+
+  group "heisenbridge" {
+    count = 1
+
+    volume "matrix-registrations" {
+      type = "csi"
+      source = "matrix-registrations"
+      read_only = false
+
+      attachment_mode = "file-system"
+      access_mode     = "multi-node-multi-writer"
+    }
+
+    restart {
+      attempts = 5
+      delay = "5s"
+    }
+
+    network {
+      mode = "bridge"
+    }
+
+    service {
+      name = "matrix-heisenbridge"
+      port = "9898"
+
+      connect {
+        sidecar_service {}
+      }
+    }
+
+    task "heisenbridge" {
+      driver = "docker"
+
+      volume_mount {
+        volume = "matrix-registrations"
+        destination = "/var/lib/registrations"
+        read_only = false
+      }
+
+      config {
+        nix_flake_ref = "${var.flake_ref}#nixngSystems.heisenbridge.config.system.build.toplevel"
+        nix_flake_sha = var.flake_sha
+        entrypoint = [ "init" ]
+      }
+
+      resources {
+        cpu = 128
+        memory = 128
+      }
+    }
+  }
+}
diff --git a/nomad/regions/homelab-1/job/matrix-mautrix-facebook.hcl b/nomad/regions/homelab-1/job/matrix-mautrix-facebook.hcl
new file mode 100644
index 0000000..1a8a500
--- /dev/null
+++ b/nomad/regions/homelab-1/job/matrix-mautrix-facebook.hcl
@@ -0,0 +1,106 @@
+variable "flake_ref" {
+  type = string
+}
+
+variable "flake_sha" {
+  type = string
+}
+
+job "matrix-mautrix-facebook" {
+  datacenters = [ "homelab-1" ]
+  type = "service"
+
+  group "mautrix-facebook" {
+    count = 1
+
+    volume "matrix-mautrix-facebook" {
+      type = "csi"
+      source = "matrix-mautrix-facebook"
+      read_only = false
+
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+    }
+
+    volume "matrix-registrations" {
+      type = "csi"
+      source = "matrix-registrations"
+      read_only = false
+
+      attachment_mode = "file-system"
+      access_mode     = "multi-node-multi-writer"
+    }
+
+    restart {
+      attempts = 5
+      delay = "5s"
+    }
+
+    network {
+      mode = "bridge"
+    }
+
+    service {
+      name = "matrix-mautrix-facebook"
+      port = "29319"
+
+      # check {
+      #   type = "http"
+      #   address_mode = "alloc"
+      #   path = "/public"
+      #   port = "29319"
+      #   interval = "2s"
+      #   timeout = "2s"
+      # }
+
+      connect {
+        sidecar_service {}
+      }
+    }
+
+    task "mautrix-facebook" {
+      driver = "docker"
+
+      volume_mount {
+        volume = "matrix-mautrix-facebook"
+        destination = "/var/lib/mautrix-facebook"
+        read_only = false
+      }
+
+      volume_mount {
+        volume = "matrix-registrations"
+        destination = "/var/lib/registrations"
+        read_only = false
+      }
+
+      config {
+        nix_flake_ref = "${var.flake_ref}#nixngSystems.mautrix-facebook.config.system.build.toplevel"
+        nix_flake_sha = var.flake_sha
+        entrypoint = [ "init" ]
+      }
+
+      vault {
+        policies = ["matrix-mautrix-facebook-policy"]
+      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/cluster/matrix/mautrix-facebook/main" }}
+MAUTRIX_FACEBOOK_APPSERVICE_AS_TOKEN={{ .Data.data.as_token }}
+MAUTRIX_FACEBOOK_APPSERVICE_HS_TOKEN={{ .Data.data.hs_token }}
+{{ end }}
+EOF
+# {{ with secret "kv/data/cluster/matrix/mautrix-facebook/postgresql" }}
+# MAUTRIX_FACEBOOK_APPSERVICE_DATABASE_OPTS={{ .Data.data.pgpass }}
+# {{ end }}
+        destination = "secrets/environment"
+        env = true
+      }
+
+      resources {
+        cpu = 256
+        memory = 256
+      }
+    }
+  }
+}
diff --git a/nomad/regions/homelab-1/job/matrix-mautrix-signal.hcl b/nomad/regions/homelab-1/job/matrix-mautrix-signal.hcl
new file mode 100644
index 0000000..61ae846
--- /dev/null
+++ b/nomad/regions/homelab-1/job/matrix-mautrix-signal.hcl
@@ -0,0 +1,113 @@
+variable "flake_ref" {
+  type = string
+}
+
+variable "flake_sha" {
+  type = string
+}
+
+job "matrix-mautrix-signal" {
+  datacenters = [ "homelab-1" ]
+  type = "service"
+
+  group "mautrix-signal" {
+    count = 1
+
+    volume "matrix-mautrix-signal" {
+      type = "csi"
+      source = "matrix-mautrix-signal"
+      read_only = false
+
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+    }
+
+    volume "matrix-registrations" {
+      type = "csi"
+      source = "matrix-registrations"
+      read_only = false
+
+      attachment_mode = "file-system"
+      access_mode     = "multi-node-multi-writer"
+    }
+
+    restart {
+      attempts = 5
+      delay = "5s"
+    }
+
+    network {
+      mode = "bridge"
+    }
+
+    service {
+      name = "matrix-mautrix-signal"
+      port = "29328"
+
+      # check {
+      #   type = "http"
+      #   address_mode = "alloc"
+      #   path = "/public"
+      #   port = "29319"
+      #   interval = "2s"
+      #   timeout = "2s"
+      # }
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "matrix-postgresql"
+              local_bind_port  = 5432
+            }
+          }
+        }
+      }
+    }
+
+    task "mautrix-signal" {
+      driver = "docker"
+
+      volume_mount {
+        volume = "matrix-mautrix-signal"
+        destination = "/var/lib/mautrix-signal"
+        read_only = false
+      }
+
+      volume_mount {
+        volume = "matrix-registrations"
+        destination = "/var/lib/registrations"
+        read_only = false
+      }
+
+      config {
+        nix_flake_ref = "${var.flake_ref}#nixngSystems.mautrix-signal.config.system.build.toplevel"
+        nix_flake_sha = var.flake_sha
+        entrypoint = [ "init" ]
+      }
+
+      vault {
+        policies = ["matrix-mautrix-signal-policy"]
+      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/cluster/matrix/mautrix-signal/main" }}
+MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN={{ .Data.data.as_token }}
+MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN={{ .Data.data.hs_token }}
+{{ end }}
+{{ with secret "kv/data/cluster/matrix/mautrix-signal/postgresql" }}
+PGPASSWORD={{ .Data.data.pgpass }}
+{{ end }}
+EOF
+        destination = "secrets/environment"
+        env = true
+      }
+
+      resources {
+        cpu = 256
+        memory = 256
+      }
+    }
+  }
+}
diff --git a/nomad/regions/homelab-1/job/conduit.hcl b/nomad/regions/homelab-1/job/matrix-synapse.hcl
similarity index 84%
rename from nomad/regions/homelab-1/job/conduit.hcl
rename to nomad/regions/homelab-1/job/matrix-synapse.hcl
index 357dc46..80d9714 100644
--- a/nomad/regions/homelab-1/job/conduit.hcl
+++ b/nomad/regions/homelab-1/job/matrix-synapse.hcl
@@ -6,153 +6,10 @@ variable "flake_sha" {
   type = string
 }
 
-job "matrix" {
+job "matrix-synapse" {
   datacenters = [ "homelab-1" ]
   type = "service"
 
-  group "mautrix-facebook" {
-    count = 0
-
-    volume "matrix-mautrix-facebook" {
-      type = "csi"
-      source = "matrix-mautrix-facebook"
-      read_only = false
-
-      attachment_mode = "file-system"
-      access_mode     = "single-node-writer"
-    }
-
-    volume "matrix-registrations" {
-      type = "csi"
-      source = "matrix-registrations"
-      read_only = false
-
-      attachment_mode = "file-system"
-      access_mode     = "multi-node-multi-writer"
-    }
-
-    restart {
-      attempts = 5
-      delay = "5s"
-    }
-
-    network {
-      mode = "bridge"
-    }
-
-    service {
-      name = "matrix-mautrix-facebook"
-      port = "29319"
-
-      # check {
-      #   type = "http"
-      #   address_mode = "alloc"
-      #   path = "/public"
-      #   port = "29319"
-      #   interval = "2s"
-      #   timeout = "2s"
-      # }
-
-      connect {
-        sidecar_service {}
-      }
-    }
-
-    task "mautrix-facebook" {
-      driver = "docker"
-
-      volume_mount {
-        volume = "matrix-mautrix-facebook"
-        destination = "/var/lib/mautrix-facebook"
-        read_only = false
-      }
-
-      volume_mount {
-        volume = "matrix-registrations"
-        destination = "/var/lib/registrations"
-        read_only = false
-      }
-
-      config {
-        nix_flake_ref = "${var.flake_ref}#nixngSystems.mautrix-facebook.config.system.build.toplevel"
-        nix_flake_sha = var.flake_sha
-        entrypoint = [ "init" ]
-      }
-
-      vault {
-        policies = ["matrix-mautrix-facebook-policy"]
-      }
-
-      template {
-        data = <<EOF
-{{ with secret "kv/data/cluster/matrix/mautrix-facebook" }}
-MAUTRIX_FACEBOOK_APPSERVICE_AS_TOKEN={{ .Data.data.as_token }}
-MAUTRIX_FACEBOOK_APPSERVICE_HS_TOKEN={{ .Data.data.hs_token }}
-{{ end }}
-EOF
-        destination = "secrets/environment"
-        env = true
-      }
-
-      resources {
-        cpu = 256
-        memory = 256
-      }
-    }
-  }
-
-  group "heisenbridge" {
-    count = 1
-
-    volume "matrix-registrations" {
-      type = "csi"
-      source = "matrix-registrations"
-      read_only = false
-
-      attachment_mode = "file-system"
-      access_mode     = "multi-node-multi-writer"
-    }
-
-    restart {
-      attempts = 5
-      delay = "5s"
-    }
-
-    network {
-      mode = "bridge"
-    }
-
-    service {
-      name = "matrix-heisenbridge"
-      port = "9898"
-
-      connect {
-        sidecar_service {}
-      }
-    }
-
-    task "heisenbridge" {
-      driver = "docker"
-
-      volume_mount {
-        volume = "matrix-registrations"
-        destination = "/var/lib/registrations"
-        read_only = false
-      }
-
-      config {
-        nix_flake_ref = "${var.flake_ref}#nixngSystems.heisenbridge.config.system.build.toplevel"
-        nix_flake_sha = var.flake_sha
-        entrypoint = [ "init" ]
-      }
-
-      resources {
-        cpu = 128
-        memory = 128
-      }
-    }
-  }
-
   group "redis" {
     count = 1
 
@@ -277,6 +134,11 @@ EOF
               local_bind_port  = 29319
             }
 
+            upstreams {
+              destination_name = "matrix-mautrix-signal"
+              local_bind_port  = 29328
+            }
+
             upstreams {
               destination_name = "matrix-heisenbridge"
               local_bind_port  = 9898
@@ -408,6 +270,11 @@ EOF
               local_bind_port  = 29319
             }
 
+            upstreams {
+              destination_name = "matrix-mautrix-signal"
+              local_bind_port  = 29328
+            }
+
             upstreams {
               destination_name = "matrix-heisenbridge"
               local_bind_port  = 9898
@@ -539,6 +406,11 @@ EOF
               local_bind_port  = 29319
             }
 
+            upstreams {
+              destination_name = "matrix-mautrix-signal"
+              local_bind_port  = 29328
+            }
+
             upstreams {
               destination_name = "matrix-heisenbridge"
               local_bind_port  = 9898
@@ -586,7 +458,7 @@ EOF
 
       resources {
         cpu = 1024
-        memory = 512
+        memory = 1024
       }
 
       template {
@@ -670,6 +542,11 @@ EOF
               local_bind_port  = 29319
             }
 
+            upstreams {
+              destination_name = "matrix-mautrix-signal"
+              local_bind_port  = 29328
+            }
+
             upstreams {
               destination_name = "matrix-heisenbridge"
               local_bind_port  = 9898
@@ -717,7 +594,7 @@ EOF
 
       resources {
         cpu = 1024
-        memory = 512
+        memory = 1024
       }
 
       template {
@@ -803,13 +680,16 @@ EOF
 
       template {
         data = <<EOF
-alter user synapse with password '{{ with secret "kv/data/cluster/matrix/synapse" }}{{ .Data.data.pgpass }}{{ end }}';
+alter user "synapse" with password '{{ with secret "kv/data/cluster/matrix/synapse" }}{{ .Data.data.pgpass }}{{ end }}';
+alter user "mautrix-facebook" with password '{{ with secret "kv/data/cluster/matrix/mautrix-facebook/postgresql" }}{{ .Data.data.pgpass }}{{ end }}';
+alter user "mautrix-signal" with password '{{ with secret "kv/data/cluster/matrix/mautrix-signal/postgresql" }}{{ .Data.data.pgpass }}{{ end }}';
 EOF
         destination = "secrets/init.sql"
+        change_mode   = "noop"
       }
 
       vault {
-        policies = ["matrix-synapse-policy"]
+        policies = ["matrix-postgresql-policy"]
       }
     }
   }
@@ -865,6 +745,11 @@ EOF
               local_bind_port  = 29319
             }
 
+            upstreams {
+              destination_name = "matrix-mautrix-signal"
+              local_bind_port  = 29328
+            }
+
             upstreams {
               destination_name = "matrix-heisenbridge"
               local_bind_port  = 9898
diff --git a/nomad/regions/homelab-1/conduit.tf b/nomad/regions/homelab-1/matrix.tf
similarity index 60%
rename from nomad/regions/homelab-1/conduit.tf
rename to nomad/regions/homelab-1/matrix.tf
index 1937640..ac81f07 100644
--- a/nomad/regions/homelab-1/conduit.tf
+++ b/nomad/regions/homelab-1/matrix.tf
@@ -98,6 +98,31 @@ resource "nomad_volume" "matrix-mautrix-facebook" {
   }
 }
 
+resource "nomad_volume" "matrix-mautrix-signal" {
+  type        = "csi"
+  plugin_id   = "org.democratic-csi.nfs"
+  volume_id   = "matrix-mautrix-signal"
+  name        = "matrix-mautrix-signal"
+  external_id = "matrix-mautrix-signal"
+
+  capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+  }
+
+  context = {
+    server = "blowhole.hosts.in.redalder.org"
+    share = "/mnt/kyle/infrastructure/matrix/mautrix-signal"
+    node_attach_driver = "nfs"
+    provisioner_driver = "node-manual"
+  }
+
+  mount_options {
+    fs_type = "nfs"
+    mount_flags = [ "hard", "vers=4.2", "rsize=16384", "wsize=16384", "async" ]
+  }
+}
+
 resource "nomad_volume" "matrix-redis" {
   type        = "csi"
   plugin_id   = "org.democratic-csi.nfs"
@@ -123,10 +148,25 @@ resource "nomad_volume" "matrix-redis" {
   }
 }
 
+resource "vault_policy" "matrix-mautrix-signal-policy" {
+  name = "matrix-mautrix-signal-policy"
+  policy = <<EOF
+path "kv/data/cluster/matrix/mautrix-signal/main" {
+  capabilities = ["read"]
+}
+path "kv/data/cluster/matrix/mautrix-signal/postgresql" {
+  capabilities = ["read"]
+}
+EOF
+}
+
 resource "vault_policy" "matrix-mautrix-facebook-policy" {
   name = "matrix-mautrix-facebook-policy"
   policy = <<EOF
-path "kv/data/cluster/matrix/mautrix-facebook" {
+path "kv/data/cluster/matrix/mautrix-facebook/main" {
+  capabilities = ["read"]
+}
+path "kv/data/cluster/matrix/mautrix-facebook/postgresql" {
   capabilities = ["read"]
 }
 EOF
@@ -141,8 +181,61 @@ path "kv/data/cluster/matrix/synapse" {
 EOF
 }
 
-resource "nomad_job" "conduit" {
-  jobspec = file("${path.module}/job/conduit.hcl")
+resource "vault_policy" "matrix-postgresql-policy" {
+  name = "matrix-postgresql-policy"
+  policy = <<EOF
+path "kv/data/cluster/matrix/synapse" {
+  capabilities = ["read"]
+}
+
+path "kv/data/cluster/matrix/mautrix-facebook/postgresql" {
+  capabilities = ["read"]
+}
+
+path "kv/data/cluster/matrix/mautrix-signal/postgresql" {
+  capabilities = ["read"]
+}
+EOF
+}
+
+resource "nomad_job" "matrix-synapse" {
+  jobspec = file("${path.module}/job/matrix-synapse.hcl")
+
+  hcl2 {
+    enabled = true
+    vars = {
+      flake_ref = "${var.flake_host}?ref=${var.flake_ref}&rev=${var.flake_rev}"
+      flake_sha = var.flake_sha
+    }
+  }
+}
+
+resource "nomad_job" "matrix-mautrix-facebook" {
+  jobspec = file("${path.module}/job/matrix-mautrix-facebook.hcl")
+
+  hcl2 {
+    enabled = true
+    vars = {
+      flake_ref = "${var.flake_host}?ref=${var.flake_ref}&rev=${var.flake_rev}"
+      flake_sha = var.flake_sha
+    }
+  }
+}
+
+resource "nomad_job" "matrix-mautrix-signal" {
+  jobspec = file("${path.module}/job/matrix-mautrix-signal.hcl")
+
+  hcl2 {
+    enabled = true
+    vars = {
+      flake_ref = "${var.flake_host}?ref=${var.flake_ref}&rev=${var.flake_rev}"
+      flake_sha = var.flake_sha
+    }
+  }
+}
+
+resource "nomad_job" "matrix-heisenbridge" {
+  jobspec = file("${path.module}/job/matrix-heisenbridge.hcl")
 
   hcl2 {
     enabled = true