studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(matrix): add tuwunel Matrix homeserver deployment manifests

Browse Source 
Kubernetes manifests for tuwunel — a Rust Matrix homeserver using RocksDB
for storage. Includes deployment, service, PVC, ConfigMap (tuwunel.toml),
Hydra OAuth2Client for SSO, and Vault secrets for credentials injection.

Key design decisions:
- enableServiceLinks: false to prevent K8s TUWUNEL_* env var conflicts
- strategy: Recreate for RocksDB exclusive lock (no rolling updates)
- Identity provider configured entirely via env vars (client_id/secret
  from hydra-maester Secret, not hardcoded)
- OpenSearch model_id injected via ConfigMap from CLI post-apply hook
- SSO-only auth (login_with_password=false, single_sso=true)
- OpenSearch hybrid neural+BM25 search (768-dim, all-mpnet-base-v2)
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-10 18:52:21 +00:00
parent 91983ddf29
commit d2148335de
9 changed files with 265 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
base/matrix/tuwunel-config.yaml Normal file
View File

@@ -0,0 +1,44 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: tuwunel-config
namespace: matrix
data:
tuwunel.toml: |
[global]
server_name = "sunbeam.pt"
database_path = "/data"
address = "0.0.0.0"
port = 6167
max_request_size = 104857600
allow_registration = false
allow_guest_registration = false
login_with_password = false
single_sso = true
allow_encryption = true
# Search — OpenSearch with hybrid neural search
search_backend = "opensearch"
search_opensearch_url = "http://opensearch.data.svc.cluster.local:9200"
search_opensearch_index = "tuwunel_messages"
search_opensearch_hybrid = true
# model_id is injected via TUWUNEL_SEARCH_OPENSEARCH_MODEL_ID env var
# (set by sunbeam CLI post-apply hook from OpenSearch ML state)
search_opensearch_embedding_dim = 768
search_opensearch_pipeline = "tuwunel_embedding_pipeline"
search_opensearch_batch_size = 100
search_opensearch_flush_interval_ms = 1000
# TURN via LiveKit's built-in TURN server
turn_uris = ["turn:meet.DOMAIN_SUFFIX:3478?transport=udp", "turns:meet.DOMAIN_SUFFIX:5349?transport=tcp"]
turn_secret = ""
# Well-known delegation
[global.well_known]
client = "https://messages.DOMAIN_SUFFIX"
server = "messages.DOMAIN_SUFFIX:443"
livekit_url = "wss://livekit.DOMAIN_SUFFIX"
# OIDC via Ory Hydra — identity_provider is configured entirely
# via env vars because client_id/client_secret are injected from
# the hydra-maester-managed oidc-tuwunel Secret.