Add initial role for Dendrite as alternative Matrix server

group_vars/matrix_servers

@@ -1508,6 +1508,48 @@ matrix_postgres_additional_databases: |
       'password': matrix_synapse_database_password,
     }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else [])
     +
+    ([{
+      'name': matrix_dendrite_naffka_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_appservice_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_federationsender_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_keyserver_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_mediaapi_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_room_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_singingkeyserver_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_syncapi_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_account_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_device_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else [])
+    +
     ([{
       'name': matrix_ma1sd_database_name,
       'username': matrix_ma1sd_database_username,
@@ -2125,3 +2167,59 @@ matrix_postgres_backup_databases: |
 # /matrix-postgres-backup
 #
 ######################################################################
+
+######################################################################
+#
+# matrix-dendrite
+#
+######################################################################
+
+# Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
+# you can expose Dendrite's ports to the host.
+#
+# For exposing the Matrix Client API's port (plain HTTP) to the local host.
+matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}"
+#
+# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
+matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}"
+
+matrix_dendrite_database_password: "{{ matrix_dendrite_macaroon_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}"
+
+# Even if TURN doesn't support TLS (it does by default),
+# it doesn't hurt to try a secure connection anyway.
+matrix_dendrite_turn_uris: |
+  {{
+    [
+      'turns:' + matrix_server_fqn_matrix + '?transport=udp',
+      'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
+      'turn:' + matrix_server_fqn_matrix + '?transport=udp',
+      'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
+    ]
+    if matrix_coturn_enabled
+    else []
+  }}
+
+matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
+
+matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}"
+
+matrix_dendrite_systemd_required_services_list: |
+  {{
+    (['docker.service'])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+    +
+    (['matrix-goofys'] if matrix_s3_media_store_enabled else [])
+  }}
+
+matrix_dendrite_systemd_wanted_services_list: |
+  {{
+    (['matrix-coturn.service'] if matrix_coturn_enabled else [])
+  }}
+
+######################################################################
+#
+# /matrix-dendrite
+#
+######################################################################

roles/matrix-dendrite/defaults/main.yml

@@ -0,0 +1,158 @@
+# Dendrite is a second-generation Matrix homeserver currently in Beta
+# See: https://github.com/matrix-org/dendrite
+
+matrix_dendrite_enabled: false
+
+matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}"
+matrix_dendrite_docker_image_name_prefix: "docker.io/"
+matrix_dendrite_docker_image_tag: "v0.3.6"
+matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
+
+matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
+matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config"
+matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage"
+matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store"
+matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext"
+
+# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
+matrix_dendrite_container_client_api_host_bind_port: ""
+
+# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container).
+#
+# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled)
+# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "8448"), or empty string to not expose.
+matrix_dendrite_container_federation_api_tls_host_bind_port: ""
+
+# A list of extra arguments to pass to the container
+matrix_dendrite_container_extra_arguments: []
+
+# List of systemd services that matrix-dendrite.service depends on
+matrix_dendrite_systemd_required_services_list: ["docker.service"]
+
+# List of systemd services that matrix-dendrite.service wants
+matrix_dendrite_systemd_wanted_services_list: []
+
+# Specifies which template files to use when configuring Dendrite.
+# If you'd like to have your own different configuration, feel free to copy and paste
+# the original files into your inventory (e.g. in `inventory/host_vars/<host>/`)
+# and then change the specific host's `vars.yaml` file like this:
+# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2"
+matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"
+
+matrix_dendrite_macaroon_secret_key: ""
+matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_macaroon_secret_key }}"
+matrix_dendrite_allow_guest_access: false
+matrix_dendrite_form_secret: "{{ matrix_dendrite_macaroon_secret_key }}"
+
+matrix_dendrite_max_file_size_bytes: 10485760
+
+# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
+matrix_dendrite_tmp_directory_size_mb: 500
+
+# Log levels
+matrix_dendrite_log_level: "warning"
+matrix_dendrite_log_path: "/var/log/dendrite"
+
+# Rate limits
+matrix_dendrite_rate_limiting_enabled: true
+matrix_dendrite_rate_limiting_threshold: 5
+matrix_dendrite_rate_limiting_cooloff_ms: 500
+
+# Controls whether people with access to the homeserver can register by themselves.
+matrix_dendrite_registration_disabled: false
+
+# reCAPTCHA API for validating registration attempts
+matrix_dendrite_enable_registration_captcha: false
+matrix_dendrite_recaptcha_public_key: ""
+matrix_dendrite_recaptcha_private_key: ""
+
+# A list of additional "volumes" to mount in the container.
+# This list gets populated dynamically based on Dendrite extensions that have been enabled.
+# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
+#
+# Note: internally, this uses the `-v` flag for mounting the specified volumes.
+# It's better (safer) to use the `--mount` flag for mounting volumes.
+# To use `--mount`, specify it in `matrix_dendrite_container_extra_arguments`.
+# Example: `matrix_dendrite_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro']
+matrix_dendrite_container_additional_volumes: []
+
+# A list of appservice config files (in-container filesystem paths).
+# This list gets populated dynamically based on Dendrite extensions that have been enabled.
+# You may wish to use this together with `matrix_dendrite_container_additional_volumes` or `matrix_dendrite_container_extra_arguments`.
+matrix_dendrite_app_service_config_files: []
+
+# Enable exposure of metrics
+matrix_dendrite_metrics_enabled: false
+matrix_dendrite_metrics_username: "metrics"
+matrix_dendrite_metrics_password: "metrics"
+
+# Postgres database information
+matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}"
+matrix_dendrite_database_hostname: "matrix-postgres"
+matrix_dendrite_database_user: "dendrite"
+matrix_dendrite_database_password: "itsasecret"
+matrix_dendrite_naffka_database: "dendrite_naffka"
+matrix_dendrite_appservice_database: "dendrite_appservice"
+matrix_dendrite_federationsender_database: "dendrite_federationsender"
+matrix_dendrite_keyserver_database: "dendrite_keyserver"
+matrix_dendrite_mediaapi_database: "dendrite_mediaapi"
+matrix_dendrite_room_database: "dendrite_room"
+matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver"
+matrix_dendrite_syncapi_database: "dendrite_syncapi"
+matrix_dendrite_account_database: "dendrite_account"
+matrix_dendrite_device_database: "dendrite_device"
+
+matrix_dendrite_turn_uris: []
+matrix_dendrite_turn_shared_secret: ""
+matrix_dendrite_turn_allow_guests: False
+
+matrix_s3_media_store_enabled: false
+matrix_s3_media_store_custom_endpoint_enabled: false
+matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
+matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}"
+matrix_s3_media_store_custom_endpoint: "your-custom-endpoint"
+matrix_s3_media_store_bucket_name: "your-bucket-name"
+matrix_s3_media_store_aws_access_key: "your-aws-access-key"
+matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
+matrix_s3_media_store_region: "eu-central-1"
+
+# Controls whether the self-check feature should validate TLS certificates.
+matrix_dendrite_disable_tls_validation: false
+
+matrix_dendrite_trusted_id_servers:
+  - "matrix.org"
+  - "vector.im"
+
+# Default Dendrite configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_dendrite_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_dendrite_configuration_yaml: "{{ lookup('template', 'templates/dendrite/dendrite.yaml.j2') }}"
+
+matrix_dendrite_configuration_extension_yaml: |
+  # Your custom YAML configuration for Dendrite goes here.
+  # This configuration extends the default starting configuration (`matrix_dendrite_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_dendrite_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  #
+  # server_notices:
+  #   system_mxid_localpart: notices
+  #   system_mxid_display_name: "Server Notices"
+  #   system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
+  #   room_name: "Server Notices"
+
+matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_extension_yaml|from_yaml if matrix_dendrite_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final Dendrite configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`.
+matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml|from_yaml|combine(matrix_dendrite_configuration_extension, recursive=True) }}"

roles/matrix-dendrite/tasks/dendrite/setup.yml

@@ -0,0 +1,6 @@
+---
+- import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml"
+  when: matrix_dendrite_enabled|bool
+
+- import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml"
+  when: "not matrix_dendrite_enabled|bool"

roles/matrix-dendrite/tasks/dendrite/setup_install.yml

@@ -0,0 +1,85 @@
+---
+# This will throw a Permission Denied error if already mounted using fuse
+- name: Check Dendrite media store path
+  stat:
+    path: "{{ matrix_dendrite_media_store_path }}"
+  register: local_path_media_store_stat
+  ignore_errors: yes
+
+# This is separate and conditional, to ensure we don't execute it
+# if the path already exists or we failed to check, because it's mounted using fuse.
+- name: Ensure Dendrite media store path exists
+  file:
+    path: "{{ matrix_dendrite_media_store_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
+
+- name: Ensure Dendrite log path exists
+  file:
+    path: "{{ matrix_dendrite_log_path }}"
+    state: directory
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Dendrite Docker image is pulled
+  docker_image:
+    name: "{{ matrix_dendrite_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}"
+
+- name: Check if a Dendrite signing key exists
+  stat:
+    path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem"
+  register: matrix_dendrite_signing_key_stat
+
+# We do this so that the signing key would get generated.
+# We don't use the `docker_container` module, because using it with `cap_drop` requires
+# a very recent version, which is not available for a lot of people yet.
+- name: Generate Dendrite signing key
+  command: |
+    docker run
+    --rm
+    --name=matrix-config
+    --entrypoint=generate-keys
+    --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data
+    {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem
+    generate
+  when: "not matrix_dendrite_signing_key_stat.stat.exists"
+
+- name: Ensure Dendrite server key exists
+  file:
+    path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Dendrite configuration installed
+  copy:
+    content: "{{ matrix_dendrite_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-dendrite.service installed
+  template:
+    src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+    mode: 0644
+  register: matrix_dendrite_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-dendrite.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_dendrite_systemd_service_result.changed"
+
+- name: Ensure matrix-dendrite-create-account script created
+  template:
+    src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2"
+    dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account"
+    mode: 0750

roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml

@@ -0,0 +1,28 @@
+- name: Check existence of matrix-dendrite service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+  register: matrix_dendrite_service_stat
+
+- name: Ensure matrix-dendrite is stopped
+  service:
+    name: matrix-dendrite
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure matrix-dendrite.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+    state: absent
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-dendrite.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure Dendrite Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_dendrite_docker_image }}"
+    state: absent

roles/matrix-dendrite/tasks/goofys/setup.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml"
+  when: matrix_s3_media_store_enabled|bool
+
+- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml"
+  when: "not matrix_s3_media_store_enabled|bool"

roles/matrix-dendrite/tasks/goofys/setup_install.yml

@@ -0,0 +1,41 @@
+- name: Ensure Goofys Docker image is pulled
+  docker_image:
+    name: "{{ matrix_s3_goofys_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}"
+
+# This will throw a Permission Denied error if already mounted
+- name: Check Matrix Goofys external storage mountpoint path
+  stat:
+    path: "{{ matrix_dendrite_media_store_path }}"
+  register: local_path_matrix_dendrite_media_store_path_stat
+  ignore_errors: yes
+
+- name: Ensure Matrix Goofys external storage mountpoint exists
+  file:
+    path: "{{ matrix_dendrite_media_store_path if matrix_dendrite_enabled else matrix_dendrite_media_store_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: "not local_path_matrix_dendrite_media_store_path_stat.failed and not local_path_matrix_dendrite_media_store_path_stat.stat.exists"
+
+- name: Ensure goofys environment variables file created
+  template:
+    src: "{{ role_path }}/templates/goofys/env-goofys.j2"
+    dest: "{{ matrix_dendrite_config_dir_path }}/env-goofys"
+    owner: root
+    mode: 0600
+
+- name: Ensure matrix-goofys.service installed
+  template:
+    src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-goofys.service"
+    mode: 0644
+  register: matrix_goofys_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-goofys.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_goofys_systemd_service_result.changed"

roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml

@@ -0,0 +1,33 @@
+- name: Check existence of matrix-goofys service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-goofys.service"
+  register: matrix_goofys_service_stat
+
+- name: Ensure matrix-goofys is stopped
+  service:
+    name: matrix-goofys
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_goofys_service_stat.stat.exists"
+
+- name: Ensure matrix-goofys.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-goofys.service"
+    state: absent
+  when: "matrix_goofys_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-goofys.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_goofys_service_stat.stat.exists"
+
+- name: Ensure goofys environment variables file doesn't exist
+  file:
+    path: "{{ matrix_dendrite_config_dir_path }}/env-goofys"
+    state: absent
+
+- name: Ensure Goofys Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_s3_goofys_docker_image }}"
+    state: absent

roles/matrix-dendrite/tasks/import_media_store.yml

@@ -0,0 +1,81 @@
+---
+# Pre-checks
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars"
+  when: "server_path_media_store is not defined or server_path_media_store.startswith('<')"
+
+- name: Fail if media store is on Amazon S3
+  fail:
+    msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported."
+  when: matrix_s3_media_store_enabled|bool
+
+- name: Check if the provided media store directory exists
+  stat:
+    path: "{{ server_path_media_store }}"
+  register: server_path_media_store_stat
+
+- name: Fail if provided media store directory doesn't exist on the server
+  fail:
+    msg: "{{ server_path_media_store }} cannot be found on the server"
+  when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir"
+
+- name: Check if media store contains local_content
+  stat:
+    path: "{{ server_path_media_store }}/local_content"
+  register: server_path_media_store_local_content_stat
+
+- name: Check if media store contains remote_content
+  stat:
+    path: "{{ server_path_media_store }}/remote_content"
+  register: server_path_media_store_remote_content_stat
+
+- name: Fail if media store directory doesn't look okay (lacking remote and local content)
+  fail:
+    msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory."
+  when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists"
+
+# Actual import work
+
+- name: Ensure matrix-dendrite is stopped
+  service:
+    name: matrix-dendrite
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+
+# This can only work with local files, not if the media store is on Amazon S3,
+# as it won't be accessible in such a case.
+- name: Ensure provided media store directory is synchronized
+  synchronize:
+    src: "{{ server_path_media_store }}/"
+    dest: "{{ matrix_dendrite_media_store_path }}"
+    delete: yes
+    # It's wasteful to preserve owner/group now. We chown below anyway.
+    owner: no
+    group: no
+    times: yes
+  delegate_to: "{{ inventory_hostname }}"
+
+# This is for the generic case and fails in other cases (remote file systems),
+# because in such cases the base path (matrix_dendrite_media_store_path) is a mount point.
+- name: Ensure media store permissions are correct (generic case)
+  file:
+    path: "{{ matrix_dendrite_media_store_path }}"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    recurse: yes
+  when: "not matrix_s3_media_store_enabled|bool"
+
+# We don't chown for Goofys, because due to the way it's mounted,
+# all files become owned by whoever needs to own them.
+
+- name: Ensure Dendrite is started (if it previously was)
+  service:
+    name: "{{ item }}"
+    state: started
+    daemon_reload: yes
+  when: "stopping_result.changed"
+  with_items:
+    - matrix-dendrite

roles/matrix-dendrite/tasks/init.yml

@@ -0,0 +1,12 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}"
+  when: matrix_dendrite_enabled|bool
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}"
+  when: matrix_s3_media_store_enabled|bool
+
+- name: Fail when using also using Synapse
+  fail:
+    msg: "To use Dendrite as your matrix server, you should disable Synapse."
+  when: "matrix_dendrite_enabled and matrix_synapse_enabled"

roles/matrix-dendrite/tasks/main.yml

@@ -0,0 +1,50 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-dendrite
+
+- import_tasks: "{{ role_path }}/tasks/setup_dendrite.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-dendrite
+
+- import_tasks: "{{ role_path }}/tasks/import_media_store.yml"
+  when: run_dendrite_import_media_store|bool
+  tags:
+    - import-dendrite-media-store
+
+- import_tasks: "{{ role_path }}/tasks/register_user.yml"
+  when: run_dendrite_register_user|bool
+  tags:
+    - register-user
+
+- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: run_self_check|bool
+  tags:
+    - self-check
+
+- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: run_self_check|bool
+  tags:
+    - self-check
+
+- import_tasks: "{{ role_path }}/tasks/update_user_password.yml"
+  when: run_dendrite_update_user_password|bool
+  tags:
+    - update-user-password
+
+- name: Mark matrix-dendrite role as executed
+  set_fact:
+    matrix_dendrite_role_executed: true
+  tags:
+    - always

roles/matrix-dendrite/tasks/register_user.yml

@@ -0,0 +1,25 @@
+---
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
+  when: "username is not defined or username == '<your-username>'"
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
+  when: "password is not defined or password == '<your-password>'"
+
+- name: Ensure matrix-dendrite is started
+  service:
+    name: matrix-dendrite
+    state: started
+    daemon_reload: yes
+  register: start_result
+
+- name: Wait a while, so that Dendrite can manage to start
+  pause:
+    seconds: 7
+  when: "start_result.changed"
+
+- name: Register user
+  command: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account {{ username|quote }} {{ password|quote }}"

roles/matrix-dendrite/tasks/self_check_client_api.yml

@@ -0,0 +1,20 @@
+---
+- name: Check Matrix Client API
+  uri:
+    url: "{{ matrix_dendrite_client_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}"
+  register: result_matrix_dendrite_client_api
+  ignore_errors: true
+  check_mode: no
+  when: matrix_dendrite_enabled|bool
+
+- name: Fail if Matrix Client API not working
+  fail:
+    msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}"
+  when: "matrix_dendrite_enabled|bool and (result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)"
+
+- name: Report working Matrix Client API
+  debug:
+    msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working"
+  when: matrix_dendrite_enabled|bool

roles/matrix-dendrite/tasks/self_check_federation_api.yml

@@ -0,0 +1,25 @@
+---
+- name: Check Matrix Federation API
+  uri:
+    url: "{{ matrix_dendrite_federation_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}"
+  register: result_matrix_dendrite_federation_api
+  ignore_errors: true
+  check_mode: no
+  when: matrix_dendrite_enabled|bool
+
+- name: Fail if Matrix Federation API not working
+  fail:
+    msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}"
+  when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)"
+
+- name: Fail if Matrix Federation API unexpectedly enabled
+  fail:
+    msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled."
+  when: "matrix_dendrite_enabled|bool and not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed"
+
+- name: Report working Matrix Federation API
+  debug:
+    msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working"
+  when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool"

roles/matrix-dendrite/tasks/setup_dendrite.yml

@@ -0,0 +1,19 @@
+---
+- name: Ensure Dendrite paths exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_dendrite_config_dir_path }}", when: true }
+    - { path: "{{ matrix_dendrite_ext_path }}", when: true }
+    # We handle matrix_dendrite_media_store_path elsewhere (in ./dendrite/setup_install.yml),
+    # because if it's using Goofys and it's already mounted (from before),
+    # trying to chown/chmod it here will cause trouble.
+  when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when"
+
+- import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml"
+
+- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml"

roles/matrix-dendrite/tasks/update_user_password.yml

@@ -0,0 +1,41 @@
+---
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
+  when: "username is not defined or username == '<your-username>'"
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
+  when: "password is not defined or password == '<your-password>'"
+
+- name: Fail if not using matrix-postgres container
+  fail:
+    msg: "This command is working only when matrix-postgres container is being used"
+  when: "not matrix_postgres_enabled|bool"
+
+- name: Ensure matrix-dendrite is started
+  service:
+    name: matrix-dendrite
+    state: started
+    daemon_reload: yes
+  register: start_result
+
+- name: Ensure matrix-postgres is started
+  service:
+    name: matrix-postgres
+    state: started
+    daemon_reload: yes
+  register: postgres_start_result
+
+- name: Wait a while, so that Matrix Dendrite can manage to start
+  pause:
+    seconds: 7
+  when: "start_result.changed or postgres_start_result.changed"
+
+- name: Generate password hash
+  shell: "{{ matrix_host_command_docker }} exec matrix-dendrite /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}"
+  register: password_hash
+
+- name: Update user password hash
+  command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}"

roles/matrix-dendrite/tasks/validate_config.yml

@@ -0,0 +1,16 @@
+---
+- name: Fail if required Dendrite settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) for using Dendrite.
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_dendrite_macaroon_secret_key"
+
+- name: (Deprecation) Catch and report renamed settings
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items: []

roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2

@@ -0,0 +1,342 @@
+# This is the Dendrite configuration file.
+#
+# The configuration is split up into sections - each Dendrite component has a
+# configuration section, in addition to the "global" section which applies to
+# all components.
+#
+# At a minimum, to get started, you will need to update the settings in the
+# "global" section for your deployment, and you will need to check that the
+# database "connection_string" line in each component section is correct. 
+#
+# Each component with a "database" section can accept the following formats
+# for "connection_string":
+#   SQLite:     file:filename.db
+#               file:///path/to/filename.db
+#   PostgreSQL: postgresql://user:pass@hostname/database?params=...
+#
+# SQLite is embedded into Dendrite and therefore no further prerequisites are
+# needed for the database when using SQLite mode. However, performance with
+# PostgreSQL is significantly better and recommended for multi-user deployments.
+# SQLite is typically around 20-30% slower than PostgreSQL when tested with a
+# small number of users and likely will perform worse still with a higher volume
+# of users.
+#
+# The "max_open_conns" and "max_idle_conns" settings configure the maximum 
+# number of open/idle database connections. The value 0 will use the database
+# engine default, and a negative value will use unlimited connections. The
+# "conn_max_lifetime" option controls the maximum length of time a database
+# connection can be idle in seconds - a negative value is unlimited.
+
+# The version of the configuration file. 
+version: 1
+
+# Global Matrix configuration. This configuration applies to all components.
+global:
+  # The domain name of this homeserver.
+  server_name: {{ matrix_domain }}
+
+  # The path to the signing private key file, used to sign requests and events.
+  private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem"
+
+  # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
+  # to old signing private keys that were formerly in use on this domain. These
+  # keys will not be used for federation request or event signing, but will be
+  # provided to any other homeserver that asks when trying to verify old events.
+  # old_private_keys:
+  # - private_key: old_matrix_key.pem
+  #   expired_at: 1601024554498
+
+  # How long a remote server can cache our server signing key before requesting it
+  # again. Increasing this number will reduce the number of requests made by other
+  # servers for our key but increases the period that a compromised key will be
+  # considered valid by other homeservers.
+  key_validity_period: 168h0m0s
+
+  # Lists of domains that the server will trust as identity servers to verify third
+  # party identifiers such as phone numbers and email addresses.
+  trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }}
+
+  # Configuration for Kafka/Naffka.
+  kafka:
+    # List of Kafka broker addresses to connect to. This is not needed if using
+    # Naffka in monolith mode.
+    addresses:
+      - kafka:9092
+
+    # The prefix to use for Kafka topic names for this homeserver. Change this only if
+    # you are running more than one Dendrite homeserver on the same Kafka deployment.
+    topic_prefix: Dendrite
+
+    # Whether to use Naffka instead of Kafka. This is only available in monolith
+    # mode, but means that you can run a single-process server without requiring
+    # Kafka.
+    use_naffka: true
+
+    # Naffka database options. Not required when using Kafka.
+    naffka_database:
+      connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_naffka_database }}?sslmode=disable
+      max_open_conns: 10
+      max_idle_conns: 2
+      conn_max_lifetime: -1
+
+  # Configuration for Prometheus metric collection.
+  metrics:
+    # Whether or not Prometheus metrics are enabled.
+    enabled: {{ matrix_dendrite_metrics_enabled }}
+
+    # HTTP basic authentication to protect access to monitoring.
+    basic_auth:
+      username: {{ matrix_dendrite_metrics_username }}
+      password: {{ matrix_dendrite_metrics_password }}
+
+  # DNS cache options. The DNS cache may reduce the load on DNS servers
+  # if there is no local caching resolver available for use.
+  dns_cache:
+    # Whether or not the DNS cache is enabled.
+    enabled: false
+
+    # Maximum number of entries to hold in the DNS cache, and
+    # for how long those items should be considered valid in seconds.
+    cache_size: 256
+    cache_lifetime: 300
+
+# Configuration for the Appservice API.
+app_service_api:
+  internal_api:
+    listen: http://0.0.0.0:7777
+    connect: http://appservice_api:7777
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_appservice_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+  # Appservice configuration files to load into this homeserver.
+  config_files: {{ matrix_dendrite_app_service_config_files|to_json }}
+
+# Configuration for the Client API.
+client_api:
+  internal_api:
+    listen: http://0.0.0.0:7771
+    connect: http://client_api:7771
+  external_api:
+    listen: http://0.0.0.0:8071
+
+  # Prevents new users from being able to register on this homeserver, except when
+  # using the registration shared secret below.
+  registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }}
+
+  # If set, allows registration by anyone who knows the shared secret, regardless of
+  # whether registration is otherwise disabled.
+  registration_shared_secret: {{ matrix_dendrite_registration_shared_secret|string|to_json }}
+
+  # Whether to require reCAPTCHA for registration.
+  enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }}
+
+  # Settings for ReCAPTCHA. 
+  recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }}
+  recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }}
+  recaptcha_bypass_secret: ""
+  recaptcha_siteverify_api: ""
+
+  # TURN server information that this homeserver should send to clients. 
+  turn:
+    turn_user_lifetime: ""
+    turn_uris: {{ matrix_dendrite_turn_uris|to_json }}
+    turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }}
+    turn_username: ""
+    turn_password: ""
+
+  # Settings for rate-limited endpoints. Rate limiting will kick in after the
+  # threshold number of "slots" have been taken by requests from a specific 
+  # host. Each "slot" will be released after the cooloff time in milliseconds.
+  rate_limiting:
+    enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }}
+    threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }}
+    cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }}
+
+# Configuration for the EDU server.
+edu_server:
+  internal_api:
+    listen: http://0.0.0.0:7778
+    connect: http://edu_server:7778
+
+# Configuration for the Federation API.
+federation_api:
+  internal_api:
+    listen: http://0.0.0.0:7772
+    connect: http://federation_api:7772
+  external_api:
+    listen: http://0.0.0.0:8072
+
+  # List of paths to X.509 certificates to be used by the external federation listeners.
+  # These certificates will be used to calculate the TLS fingerprints and other servers
+  # will expect the certificate to match these fingerprints. Certificates must be in PEM
+  # format.
+  federation_certificates: []
+
+# Configuration for the Federation Sender.
+federation_sender:
+  internal_api:
+    listen: http://0.0.0.0:7775
+    connect: http://federation_sender:7775
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federationsender_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+  # How many times we will try to resend a failed transaction to a specific server. The
+  # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc.
+  send_max_retries: 16
+
+  # Disable the validation of TLS certificates of remote federated homeservers. Do not
+  # enable this option in production as it presents a security risk!
+  disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} 
+
+  # Use the following proxy server for outbound federation traffic.
+  proxy_outbound:
+    enabled: false
+    protocol: http
+    host: localhost
+    port: 8080
+
+# Configuration for the Key Server (for end-to-end encryption).
+key_server:
+  internal_api:
+    listen: http://0.0.0.0:7779
+    connect: http://key_server:7779
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_keyserver_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+# Configuration for the Media API.
+media_api:
+  internal_api:
+    listen: http://0.0.0.0:7774
+    connect: http://media_api:7774
+  external_api:
+    listen: http://0.0.0.0:8074
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mediaapi_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+  # Storage path for uploaded media. May be relative or absolute.
+  base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}"
+
+  # The maximum allowed file size (in bytes) for media uploads to this homeserver
+  # (0 = unlimited).
+  max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes }}
+
+  # Whether to dynamically generate thumbnails if needed.
+  dynamic_thumbnails: false
+
+  # The maximum number of simultaneous thumbnail generators to run.
+  max_thumbnail_generators: 10
+
+  # A list of thumbnail sizes to be generated for media content.
+  thumbnail_sizes:
+  - width: 32
+    height: 32
+    method: crop
+  - width: 96
+    height: 96
+    method: crop
+  - width: 640
+    height: 480
+    method: scale
+
+# Configuration for the Room Server.
+room_server:
+  internal_api:
+    listen: http://0.0.0.0:7770
+    connect: http://room_server:7770
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+# Configuration for the Server Key API (for server signing keys).
+signing_key_server:
+  internal_api:
+    listen: http://0.0.0.0:7780
+    connect: http://signing_key_server:7780
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_singingkeyserver_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+  # Perspective keyservers to use as a backup when direct key fetches fail. This may
+  # be required to satisfy key requests for servers that are no longer online when
+  # joining some rooms.
+  key_perspectives:
+  - server_name: matrix.org
+    keys:
+    - key_id: ed25519:auto
+      public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
+    - key_id: ed25519:a_RXGa
+      public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
+      
+  # This option will control whether Dendrite will prefer to look up keys directly
+  # or whether it should try perspective servers first, using direct fetches as a
+  # last resort.
+  prefer_direct_fetch: false
+
+# Configuration for the Sync API.
+sync_api:
+  internal_api:
+    listen: http://0.0.0.0:7773
+    connect: http://sync_api:7773
+  external_api:
+      listen: http://0.0.0.0:8073
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_syncapi_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+# Configuration for the User API.
+user_api:
+  internal_api:
+    listen: http://0.0.0.0:7781
+    connect: http://user_api:7781
+  account_database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_account_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+  device_database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_device_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+# Configuration for Opentracing.
+# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
+# how this works and how to set it up.
+tracing:
+  enabled: false
+  jaeger:
+    serviceName: ""
+    disabled: false
+    rpc_metrics: false
+    tags: []
+    sampler: null
+    reporter: null
+    headers: null
+    baggage_restrictions: null
+    throttler: null
+
+# Logging configuration, in addition to the standard logging that is sent to
+# stdout by Dendrite.
+logging:
+- type: file
+  level: {{ matrix_dendrite_log_level }}
+  params:
+    path: /var/log/dendrite

roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2

@@ -0,0 +1,58 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Dendrite server
+{% for service in matrix_dendrite_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_dendrite_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite
+ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite
+{% if matrix_s3_media_store_enabled %}
+# Allow for some time before starting, so that media store can mount.
+# Mounting can happen later too, but if we start writing,
+# we'd write files to the local filesystem and fusermount will complain.
+ExecStartPre={{ matrix_host_command_sleep }} 3
+{% endif %}
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_dendrite_container_client_api_host_bind_port %}
+			-p {{ matrix_dendrite_container_client_api_host_bind_port }}:8008 \
+			{% endif %}
+			{% if matrix_dendrite_container_federation_api_tls_host_bind_port %}
+			-p {{ matrix_dendrite_container_federation_api_tls_host_bind_port }}:8448 \
+			{% endif %}
+			--mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \
+			--mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
+			--mount type=bind,src={{ matrix_dendrite_log_path }},dst=/var/log/dendrite,bind-propagation=slave \
+			{% for volume in matrix_dendrite_container_additional_volumes %}
+			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
+			{% endfor %}
+			{% for arg in matrix_dendrite_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_dendrite_docker_image }} \
+			--config /data/dendrite.yaml
+
+ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite
+ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite
+ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite kill -HUP 1
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-dendrite
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2

@@ -0,0 +1,12 @@
+#jinja2: lstrip_blocks: "True"
+#!/bin/bash
+
+if [ $# -ne 2 ]; then
+	echo "Usage: "$0" <username> <password>"
+	exit 1
+fi
+
+user=$1
+password=$2
+
+docker exec matrix-dendrite create-account  --config /data/dendrite.yaml --user "$user" --password "$password"

roles/matrix-dendrite/templates/goofys/env-goofys.j2

@@ -0,0 +1,3 @@
+#jinja2: lstrip_blocks: "True"
+AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }}
+AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }}

roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2

@@ -0,0 +1,39 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Goofys media store
+After=docker.service
+Requires=docker.service
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_docker }} kill %n
+ExecStartPre=-{{ matrix_host_command_docker }} rm %n
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name %n \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \
+			--mount type=bind,src=/etc/group,dst=/etc/group,ro \
+			--mount type=bind,src={{ matrix_dendrite_media_store_path }},dst=/s3,bind-propagation=shared \
+			--security-opt apparmor:unconfined \
+			--cap-add mknod \
+			--cap-add sys_admin \
+			--device=/dev/fuse \
+			--env-file={{ matrix_dendrite_config_dir_path }}/env-goofys \
+			--entrypoint /bin/sh \
+			{{ matrix_s3_goofys_docker_image }} \
+			-c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3'
+
+TimeoutStartSec=5min
+ExecStop=-{{ matrix_host_command_docker }} stop %n
+ExecStop=-{{ matrix_host_command_docker }} kill %n
+ExecStop=-{{ matrix_host_command_docker }} rm %n
+ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_dendrite_media_store_path }}
+Restart=always
+RestartSec=5
+SyslogIdentifier=matrix-goofys
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-dendrite/vars/main.yml

@@ -0,0 +1,11 @@
+---
+matrix_dendrite_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions"
+matrix_dendrite_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"
+
+# Tells whether this role had executed or not. Toggled to `true` during runtime.
+matrix_dendrite_role_executed: false
+
+matrix_dendrite_media_store_parent_path: "{{ matrix_dendrite_media_store_path|dirname }}"
+matrix_dendrite_media_store_directory_name: "{{ matrix_dendrite_media_store_path|basename }}"
+
+matrix_dendrite_signing_key_file_name: "{{ matrix_dendrite_signing_key|basename }}"

setup.yml

@@ -41,6 +41,7 @@
     - matrix-bot-go-neb
     - matrix-bot-mjolnir
     - matrix-synapse
+    - matrix-dendrite
     - matrix-synapse-admin
     - matrix-prometheus-node-exporter
     - matrix-prometheus