element-ess-helm/docs/advanced.md
Vee 48daba622d
Update docs/advanced.md
Co-authored-by: Ben Banfield-Zanin <ben@banfieldzanin.com>
2025-11-05 10:26:38 +01:00


Advanced setup


Values documentation

The Helm chart values documentation is available in:

Configuration samples are available in the GitHub repository.

Using a dedicated PostgreSQL database

Each of these databases can be on independent instances or separate databases on the same PostgreSQL instance. They must not be in the same database in the same PostgreSQL instance.

You need to create 2 databases:

To configure your own PostgreSQL Database in your installation, copy the file charts/matrix-stack/ci/fragments/quick-setup-postgresql.yaml to postgresql.yaml in your ESS configuration values directory and configure it accordingly.

Configuring the storage path when using K3s

K3s by default deploys the storage in /var/lib/rancher/k3s/storage/. If you want to change the path, you will have to run the K3s setup with the parameter --default-local-storage-path <your path>.

Configuring Traefik ingress timeouts when using K3s

If you are experiencing timeouts when uploading large files to ESS, customize the Traefik timeouts by creating the file traefik-config.yaml in /var/lib/rancher/k3s/server/manifests. If the file already exists because you have configured custom ports for Traefik, add the example below to the existing file.

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      web:
        transport:
          respondingTimeouts:
            readTimeout: "<timeout in seconds>s"
            writeTimeout: "<timeout in seconds>s"
            idleTimeout: "<timeout in seconds>s"
      websecure:
        transport:
          respondingTimeouts:
            readTimeout: "<timeout in seconds>s"
            writeTimeout: "<timeout in seconds>s"
            idleTimeout: "<timeout in seconds>s"

The above values correspond to the Traefik installation managed by K3s. If you are installing Traefik by other means, the exact structure of the configuration may differ.

Monitoring

The chart automatically provides ServiceMonitor resources for the metrics exposed by ESS Community.

If your cluster has Prometheus Operator or Victoria Metrics Operator installed, the metrics will automatically be scraped.

Configuration

ESS Community lets you configure its individual components separately. For each component, create a values file containing your custom configuration. The sections below cover each component.

If you have created new values files for custom configuration, make sure to apply them by passing them with the helm upgrade command (see Setting up the stack).

Configuring Element Web

Element Web configuration is written in JSON. The documentation can be found in the Element Web repository.

To configure Element Web, create a values file with the JSON config to inject as a string under “additional”:

elementWeb:
  additional:
    user-config.json: |
      {
        "some": "settings"
      }

Configuring Synapse

Synapse configuration is written in YAML. The documentation can be found here.

synapse:
  additional:
    user-config.yaml:
      config: |
        # Add your settings below, taking care of the spacing indentation
        some: settings

Configuring Matrix Authentication Service

Matrix Authentication Service configuration is written in YAML. The documentation can be found here.

matrixAuthenticationService:
  additional:
    user-config.yaml:
      config: |
        # Add your settings below, taking care of the spacing indentation
        some: settings

While Matrix Authentication Service supports registration tokens, by default they still require users to validate an email address as part of the registration flow. To remove this requirement, use:

matrixAuthenticationService:
  additional:
    auth.yaml:
      config: |
        account:
          password_registration_enabled: true
          registration_token_required: true
          password_registration_email_required: false
          password_change_allowed: true

account.password_registration_email_required must never be set to false on a publicly federating deployment without restrictions like registration_token_required: true, or your deployment will be abused and become a source of spam.
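A pre-deployment check for the combination warned about above, as an added example that is not part of the ESS Community chart or its documentation. The helper name, constants and sample values are hypothetical, and the check does not model how the chart merges several additional fragments, so it treats any disagreement between fragments as unsafe.

```ruby
require "yaml"

EMAIL_KEY = "password_registration_email_required"
TOKEN_KEY = "registration_token_required"

# Hypothetical helper for this example (not part of ess-helm): returns the
# findings for one Helm values document passed in as a String.
def registration_findings(values_yaml)
  values = YAML.safe_load(values_yaml)
  mas = values.is_a?(Hash) ? values["matrixAuthenticationService"] : nil
  additional = mas.is_a?(Hash) ? mas["additional"] : nil
  return [] unless additional.is_a?(Hash)

  seen = { EMAIL_KEY => [], TOKEN_KEY => [] } # explicit values found per key
  additional.each_value do |entry|
    next unless entry.is_a?(Hash) && entry["config"].is_a?(String)
    config = YAML.safe_load(entry["config"]) # the embedded MAS config string
    account = config.is_a?(Hash) ? config["account"] : nil
    next unless account.is_a?(Hash)
    seen.each_key { |k| seen[k] << account[k] if account.key?(k) }
  end

  # Conservative: the token requirement only counts when every fragment that
  # mentions it sets it to true, because merge order is not modelled here.
  token_on = !seen[TOKEN_KEY].empty? && seen[TOKEN_KEY].all? { |v| v == true }
  return [] unless seen[EMAIL_KEY].include?(false) && !token_on
  ["#{EMAIL_KEY} is false without #{TOKEN_KEY}: true"]
end

# Constructed sample values: the fragment shown above, and an unsafe variant.
SAFE_VALUES = <<~YAML
  matrixAuthenticationService:
    additional:
      auth.yaml:
        config: |
          account:
            password_registration_enabled: true
            registration_token_required: true
            password_registration_email_required: false
YAML
UNSAFE_VALUES = SAFE_VALUES.sub("#{TOKEN_KEY}: true", "#{TOKEN_KEY}: false")

# Usage: ruby check_registration.rb values/*.yaml (exits 1 on any finding)
failed = ARGV.select do |path|
  registration_findings(File.read(path)).each { |f| warn "#{path}: #{f}" }.any?
end
exit 1 unless failed.empty?
```

Run it over the values files before passing them to helm upgrade; a fragment that omits registration_token_required entirely is flagged the same way as one that sets it to false.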

Configuring Matrix RTC

Matrix RTC SFU configuration is written in YAML. The documentation can be found here.

matrixRTC:
  sfu:
    additional:
      user-config.yaml:
        config: |
          # Add your settings below, taking care of the spacing indentation
          some: settings

Networking

By default, the Matrix RTC SFU advertises the IP address resolved by a STUN request to Google's STUN servers.

If you want to disable this behaviour, set useStunToDiscoverPublicIP to false:

matrixRTC:
  sfu:
    useStunToDiscoverPublicIP: false

Without STUN, Matrix RTC will advertise the host IP as the publicly reachable IP. If your host is behind NAT, you can configure the server's public IP address manually by setting manualIP:

matrixRTC:
  sfu:
    manualIP: "<your node public IP>"

Optionally, if you don't want to use Google's STUN servers you can override this with stun_servers:

matrixRTC:
  sfu:
    additional:
      stun.yaml:
        config: |
          rtc:
            stun_servers:
            - "example.com:3478"