small-hack · jessebot · Jun 20, 2024 · Jun 17, 2024 · Jun 19, 2024 · Jun 19, 2024
@@ -26,7 +26,7 @@
 
 
 !!! Note
-    We recently added support for [sliding sync](https://github.com/) and [matrix authentication service](https://github.com/).
+    We recently added support for [sliding sync](https://github.com/) and [matrix authentication service](https://github.com/). To use these, please use `matrix/app_of_apps_beta/` for `apps.matrix.argo.path`.
 
 ## Required Values
 
@@ -38,17 +38,29 @@ The main variables you need to worry about when setting up matrix are your `host
 - element_hostname
 - federation_hostname
 
+**If using Matrix authentication Service and Sliding Sync**:
+
+- auth_hostname
+- sliding_sync_hostname
+
 These are all storage related and you can leave them at the defaults for small servers:
 
+**Signing key storage**:
 - signing_key_pvc_enabled
 - signing_key_storage
 - signing_key_access_mode
+
+**Media storage**:
 - media_pvc_enabled
 - media_storage
 - media_access_mode
+
+**Synapse config storage**:
 - synapse_config_pvc_enabled
 - synapse_config_storage
 - synapse_config_access_mode
+
+**S3 storage**:
 - s3_provider
 - s3_bucket
 - s3_endpoint
@@ -63,9 +75,26 @@ These are all one time values that you need to provide, related entirely to mail
 
 - smtp_user
 - smtp_host
-
 See below for providing smtp_password without putting it in plain text.
 
+If you want to federate, you also need to provide:
+- [trusted_key_servers](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=trusted#trusted_key_servers)
+
+You can provide a list of maps like this for trusted_key_servers:
+
+```yaml
+apps:
+  matrix:
+    init:
+      values:
+        - server_name: matrix.friend.com
+          verify_keys:
+            ed25519:auto: abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr
+```
+
+The trusted_key_servers option currently displays in the TUI, but is not editable via the TUI yet.
+
+
 #### Sensitive values
 
 Sensitive values can be provided via environment variables using a `value_from` map on any value under `init.values` or `backups`. Example of providing the SMTP password:

@@ -1,6 +1,6 @@
 [tool.poetry]
 name          = "smol_k8s_lab"
-version       = "5.6.2"
+version       = "5.7.0"
 description   = "CLI and TUI to quickly install slimmer Kubernetes distros and then manage apps declaratively using Argo CD"
 authors       = ["Jesse Hitch <[email protected]>",
                  "Max Roby <[email protected]>"]
@@ -43,7 +43,7 @@ requests           = "^2.32"
 rich               = "^13.0"
 ruamel-yaml        = "^0.18"
 ruamel-yaml-string = "^0.1"
-textual            = "^0.69.0"
+textual            = "^0.70"
 xdg-base-dirs      = "^6.0"
 pygame             = "^2.5"
 python-ulid        = "^2.6"

@@ -924,6 +924,12 @@ apps:
         smtp_password:
           value_from:
             env: MATRIX_SMTP_PASSWORD
+        # expects a list like this:
+        #
+        # - server_name: "matrix.dog.friend"
+        #   verify_keys:
+        #     "ed25519:a_abcd": "somekeyherethatisnotactuallythis"
+        trusted_key_servers: []
     backups:
       # cronjob syntax schedule to run matrix pvc backups
       pvc_schedule: 10 0 * * *

@@ -39,6 +39,7 @@ def configure_matrix(argocd: ArgoCD,
     # verify if initialization is enabled
     init = cfg.get('init', {'enabled': True, 'restore': {'enabled': False}})
     init_enabled = init.get('enabled', True)
+    init_values = init.get('values', {})
 
     # check if we're restoring and get values for that
     restore_dict = init.get('restore', {"enabled": False})
@@ -65,8 +66,7 @@ def configure_matrix(argocd: ArgoCD,
 
     # initial secrets to deploy this app from scratch
     if init_enabled and not app_installed:
-        init_values = init.get('values', {})
-
+        argocd.k8s.create_namespace(matrix_namespace)
 
         backup_vals = process_backup_vals(cfg['backups'], 'matrix', argocd)
 
@@ -199,6 +199,18 @@ def configure_matrix(argocd: ArgoCD,
                          'account_management_url': zitadel.hostname}
                         )
 
+    if init_enabled:
+        # if there's trusted key servers, create a secret for them
+        trusted_key_servers = init_values.get("trusted_key_servers", [])
+
+        # if init is enabled, always create trusted_key_servers secret
+        if trusted_key_servers:
+            argocd.k8s.create_secret(name="trusted-key-servers",
+                                     namespace=matrix_namespace,
+                                     str_data={"trusted_key_servers": trusted_key_servers},
+                                     inline_key="trustedKeyServers"
+                                     )
+
     if not app_installed:
         # if the user is restoring, the process is a little different
         if init_enabled and restore_enabled:
@@ -292,13 +304,22 @@ def refresh_bweso(argocd: ArgoCD, matrix_hostname: str, bitwarden: BwCLI):
         log.info("No matrix sync id found")
         sync_id = "Not Applicable"
 
+    # try:
+    #     trusted_key_servers_id = bitwarden.get_item(
+    #             f'matrix-trusted-key-servers-{matrix_hostname}', False
+    #             )[0]['id']
+    # except TypeError:
+    #     log.info("No matrix trusted key servers id found")
+    #     trusted_key_servers_id = "not applicable"
+
     # identity provider name and id are nested in the oidc item fields
     for field in oidc_id['fields']:
         if field['name'] == 'idp_id':
             idp_id = field['value']
         if field['name'] == 'idp_name':
             idp_name = field['value']
 
+    # 'matrix_trusted_key_servers_bitwarden_id': trusted_key_servers_id,
     argocd.update_appset_secret(
             {'matrix_registration_credentials_bitwarden_id': reg_id,
              'matrix_smtp_credentials_bitwarden_id': smtp_id,
@@ -343,6 +364,16 @@ def setup_bitwarden_items(argocd: ArgoCD,
     """
     sub_header("Creating matrix secrets in Bitwarden")
 
+    # if trusted_key_servers:
+    #     trusted_key_servers_id = bitwarden.create_login(
+    #             name='matrix-trusted-key-servers',
+    #             item_url=matrix_hostname,
+    #             user="nousername",
+    #             password=trusted_key_servers
+    #             )
+    # else:
+    #     trusted_key_servers_id = "not applicable"
+
     # S3 credentials
     if "http" not in s3_endpoint:
         s3_endpoint = "https://" + s3_endpoint
@@ -498,6 +529,7 @@ def setup_bitwarden_items(argocd: ArgoCD,
                     )[0]['id']
 
     # update the matrix values for the argocd appset
+    # 'matrix_trusted_key_servers_bitwarden_id': trusted_key_servers_id}
     argocd.update_appset_secret(
             {'matrix_registration_credentials_bitwarden_id': reg_id,
              'matrix_smtp_credentials_bitwarden_id': smtp_id,
@@ -512,7 +544,8 @@ def setup_bitwarden_items(argocd: ArgoCD,
              'matrix_oidc_credentials_bitwarden_id': oidc_id,
              'matrix_authentication_service_bitwarden_id': mas_id,
              'matrix_idp_name': idp_name,
-             'matrix_idp_id': idp_id})
+             'matrix_idp_id': idp_id}
+            )
 
     # reload the bitwarden ESO provider
     try:

@@ -3,6 +3,7 @@
                                                          ArgoCDProjectConfig)
 from smol_k8s_lab.tui.app_widgets.input_widgets import SmolK8sLabInputsWidget
 from smol_k8s_lab.tui.app_widgets.backup_and_restore import BackupWidget, RestoreApp
+from smol_k8s_lab.tui.app_widgets.trusted_key_servers import TrustedKeyServersWidget
 from smol_k8s_lab.tui.util import placeholder_grammar, create_sanitized_list
 
 # external libraries
@@ -129,7 +130,9 @@ class InitValues(Static):
     def __init__(self, app_name: str, init_dict: dict) -> None:
         self.app_name = app_name
         self.init_enabled = init_dict['enabled']
-        self.init_values = init_dict.get('values', None)
+        self.init_values = init_dict.get('values', {})
+        if app_name == "matrix":
+            self.trusted_keys_srvr = self.init_values.get('trusted_key_servers', [])
 
         super().__init__()
 
@@ -162,11 +165,12 @@ def compose(self) -> ComposeResult:
                 if self.init_values:
                     # these are special values that are only set up via
                     # smol-k8s-lab and do not live in a secret on the k8s cluster
-                    init_vals =  SmolK8sLabInputsWidget(
+                    init_vals = SmolK8sLabInputsWidget(
                             app_name=self.app_name,
                             title="Init Values",
                             id=f"{cid}-init-values-collapsible",
-                            inputs=self.init_values)
+                            inputs=self.init_values
+                            )
 
                     init_vals.tooltip = (
                                 "Init values for special one-time setup of "
@@ -175,6 +179,17 @@ def compose(self) -> ComposeResult:
                                 )
                     yield init_vals
 
+    def on_mount(self):
+        """
+        add trusted servers if they exist
+        """
+        # matrix is special as we take special keys
+        if self.app_name == "matrix":
+            if self.trusted_keys_srvr and isinstance(self.trusted_keys_srvr, list):
+                self.get_widget_by_id(f"{self.app_name}-init-inputs").mount(
+                        TrustedKeyServersWidget(self.app_name, self.trusted_keys_srvr)
+                        )
+
     @on(Switch.Changed)
     def show_or_hide_init_inputs(self, event: Switch.Changed) -> None:
         """

@@ -226,7 +226,9 @@ def on_mount(self) -> None:
 
         if self.inputs:
             for key, value in self.inputs.items():
-                grid.mount(self.generate_row(key, value))
+                # ignore this particular key
+                if key != "trusted_key_servers":
+                    grid.mount(self.generate_row(key, value))
 
         if self.add_fields_button:
             grid.mount(Button("➕ new field"))