Move roles/matrix* to roles/custom/matrix*

This paves the way for installing other roles into `roles/galaxy` using `ansible-galaxy`,
similar to how it's done in:

- https://github.com/spantaleev/gitea-docker-ansible-deploy
- https://github.com/spantaleev/nextcloud-docker-ansible-deploy

In the near future, we'll be removing a lot of the shared role code from here
and using upstream roles for it. Some of the core `matrix-*` roles have
already been extracted out into other reusable roles:

- https://github.com/devture/com.devture.ansible.role.postgres
- https://github.com/devture/com.devture.ansible.role.systemd_docker_base
- https://github.com/devture/com.devture.ansible.role.timesync
- https://github.com/devture/com.devture.ansible.role.vars_preserver
- https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages
- https://github.com/devture/com.devture.ansible.role.playbook_help

We just need to migrate to those.

roles/custom/matrix-dendrite/defaults/main.yml

@@ -0,0 +1,196 @@
+---
+# Dendrite is a second-generation Matrix homeserver currently in Beta
+# Project source code URL: https://github.com/matrix-org/dendrite
+
+matrix_dendrite_enabled: true
+
+matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}"
+matrix_dendrite_docker_image_name_prefix: "docker.io/"
+matrix_dendrite_docker_image_tag: "v0.10.6"
+matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
+
+matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
+matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config"
+matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage"
+matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store"
+matrix_dendrite_nats_storage_path: "{{ matrix_dendrite_base_path }}/nats"
+matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext"
+
+# By default, we make Dendrite only serve HTTP (not HTTPS).
+# HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`).
+#
+# To enable HTTPS serving by Dendrite (directly):
+# - `matrix_dendrite_https_bind_port` must be set
+# - `-tls-cert` and `-tls-key` must be passed to Dendrite via `matrix_dendrite_process_extra_arguments`
+# - the TLS certificate files must be mounted into the container using `matrix_dendrite_container_additional_volumes`
+matrix_dendrite_http_bind_port: 8008
+matrix_dendrite_https_bind_port: ~
+
+# This is passed as an `-http-bind-address` flag to the Dendrite server in the container
+matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port | string) if matrix_dendrite_http_bind_port else '' }}"
+
+# This is passed as an `-https-bind-address` flag to the Dendrite server in the container
+matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port | string) if matrix_dendrite_https_bind_port else '' }}"
+
+# Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
+matrix_dendrite_container_http_host_bind_address: ""
+
+# Controls whether the matrix-dendrite container exposes the HTTPS port (tcp/{{ matrix_dendrite_https_bind_port }} in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
+matrix_dendrite_container_https_host_bind_address: ""
+
+# A list of extra arguments to pass to the container (`docker run` command)
+# Also see `matrix_dendrite_container_arguments`
+matrix_dendrite_container_extra_arguments: []
+
+# matrix_dendrite_container_runtime_injected_arguments is a list of extra arguments to pass to the container.
+# This list is built during runtime. You're not meant to override this variable.
+# If you'd like to inject your own arguments, see `matrix_dendrite_container_extra_arguments`.
+matrix_dendrite_container_runtime_injected_arguments: []
+
+# matrix_dendrite_container_arguments holds the final list of extra arguments to pass to the container.
+# You're not meant to override this variable.
+# If you'd like to inject your own arguments, see `matrix_dendrite_container_extra_arguments`.
+matrix_dendrite_container_arguments: "{{ matrix_dendrite_container_extra_arguments + matrix_dendrite_container_runtime_injected_arguments }}"
+
+# A list of extra arguments to pass to the container process (`dendrite-monolith` command)
+# Example:
+# matrix_dendrite_process_extra_arguments:
+#  - "-tls-cert /some/path.crt"
+#  - "-tls-key /some/path.pem"
+matrix_dendrite_process_extra_arguments: []
+
+# List of systemd services that matrix-dendrite.service depends on
+matrix_dendrite_systemd_required_services_list: ["docker.service"]
+
+# List of systemd services that matrix-dendrite.service wants
+matrix_dendrite_systemd_wanted_services_list: []
+
+# Specifies which template files to use when configuring Dendrite.
+# If you'd like to have your own different configuration, feel free to copy and paste
+# the original files into your inventory (e.g. in `inventory/host_vars/<host>/`)
+# and then change the specific host's `vars.yml` file like this:
+# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2"
+matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"
+
+matrix_dendrite_registration_shared_secret: ''
+matrix_dendrite_allow_guest_access: false
+
+matrix_dendrite_max_file_size_bytes: 10485760
+
+# Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client.
+# This is likely required if Dendrite is running behind a reverse proxy server.
+matrix_dendrite_sync_api_real_ip_header: ''
+
+# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
+matrix_dendrite_tmp_directory_size_mb: 500
+
+# Rate limits
+matrix_dendrite_rate_limiting_enabled: true
+matrix_dendrite_rate_limiting_threshold: 20
+matrix_dendrite_rate_limiting_cooloff_ms: 500
+
+# Controls whether people with access to the homeserver can register by themselves.
+matrix_dendrite_registration_disabled: true
+
+# reCAPTCHA API for validating registration attempts
+matrix_dendrite_enable_registration_captcha: false
+matrix_dendrite_recaptcha_public_key: ""
+matrix_dendrite_recaptcha_private_key: ""
+matrix_dendrite_recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+
+# A list of additional "volumes" to mount in the container.
+# This list gets populated dynamically based on Dendrite extensions that have been enabled.
+# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
+#
+# Note: internally, this uses the `-v` flag for mounting the specified volumes.
+# It's better (safer) to use the `--mount` flag for mounting volumes.
+# To use `--mount`, specify it in `matrix_dendrite_container_extra_arguments`.
+# Example: `matrix_dendrite_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro']
+matrix_dendrite_container_additional_volumes: []
+
+# A list of appservice config files (in-container filesystem paths).
+# This list gets populated dynamically based on Dendrite extensions that have been enabled.
+# You may wish to use this together with `matrix_dendrite_container_additional_volumes` or `matrix_dendrite_container_extra_arguments`.
+# Also see `matrix_dendrite_app_service_config_files_final`
+matrix_dendrite_app_service_config_files: []
+
+# matrix_dendrite_app_service_runtime_injected_config_files is a list of appservice config files.
+# This list is built during runtime. You're not meant to override this variable.
+# If you'd like to inject your own arguments, see `matrix_dendrite_app_service_config_files`.
+matrix_dendrite_app_service_runtime_injected_config_files: []
+
+# matrix_dendrite_app_service_config_files_final holds the final list of config files to pass to the container.
+# You're not meant to override this variable.
+# If you'd like to inject your own arguments, see `matrix_dendrite_app_service_config_files`.
+matrix_dendrite_app_service_config_files_final: "{{ matrix_dendrite_app_service_config_files + matrix_dendrite_app_service_runtime_injected_config_files }}"
+
+# Enable exposure of metrics
+matrix_dendrite_metrics_enabled: false
+matrix_dendrite_metrics_username: "metrics"
+matrix_dendrite_metrics_password: "metrics"
+
+# Postgres database information
+matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}"
+matrix_dendrite_database_hostname: "matrix-postgres"
+matrix_dendrite_database_user: "dendrite"
+matrix_dendrite_database_password: "itsasecret"
+matrix_dendrite_federationapi_database: "dendrite_federationapi"
+matrix_dendrite_keyserver_database: "dendrite_keyserver"
+matrix_dendrite_mediaapi_database: "dendrite_mediaapi"
+matrix_dendrite_room_database: "dendrite_room"
+matrix_dendrite_syncapi_database: "dendrite_syncapi"
+matrix_dendrite_userapi_database: "dendrite_userapi"
+matrix_dendrite_pushserver_database: "dendrite_pushserver"
+matrix_dendrite_mscs_database: "dendrite_mscs"
+
+matrix_dendrite_turn_uris: []
+matrix_dendrite_turn_shared_secret: ""
+matrix_dendrite_turn_allow_guests: false
+
+# Controls whether the self-check feature should validate TLS certificates.
+matrix_dendrite_disable_tls_validation: false
+
+matrix_dendrite_trusted_id_servers:
+  - "matrix.org"
+  - "vector.im"
+
+# Controls whether Dendrite will federate at all.
+# Disable this to completely isolate your server from the rest of the Matrix network.
+matrix_dendrite_federation_enabled: true
+
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_dendrite_self_check_validate_certificates: true
+
+# Default Dendrite configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_dendrite_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_dendrite_configuration_yaml: "{{ lookup('template', 'templates/dendrite/dendrite.yaml.j2') }}"
+
+matrix_dendrite_configuration_extension_yaml: |
+  # Your custom YAML configuration for Dendrite goes here.
+  # This configuration extends the default starting configuration (`matrix_dendrite_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_dendrite_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  #
+  # server_notices:
+  #   system_mxid_localpart: notices
+  #   system_mxid_display_name: "Server Notices"
+  #   system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
+  #   room_name: "Server Notices"
+
+matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_extension_yaml | from_yaml if matrix_dendrite_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Holds the final Dendrite configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`.
+matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml | from_yaml | combine(matrix_dendrite_configuration_extension, recursive=True) }}"

roles/custom/matrix-dendrite/tasks/dendrite/setup.yml

@@ -0,0 +1,7 @@
+---
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml"
+  when: matrix_dendrite_enabled | bool
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml"
+  when: "not matrix_dendrite_enabled | bool"

roles/custom/matrix-dendrite/tasks/dendrite/setup_install.yml

@@ -0,0 +1,81 @@
+---
+# This will throw a Permission Denied error if already mounted using fuse
+- name: Check Dendrite media store path
+  ansible.builtin.stat:
+    path: "{{ matrix_dendrite_media_store_path }}"
+  register: local_path_media_store_stat
+  ignore_errors: true
+
+# This is separate and conditional, to ensure we don't execute it
+# if the path already exists or we failed to check, because it's mounted using fuse.
+- name: Ensure Dendrite media store path exists
+  ansible.builtin.file:
+    path: "{{ matrix_dendrite_media_store_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
+
+- name: Ensure Dendrite Docker image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_dendrite_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}"
+  register: result
+  retries: "{{ matrix_container_retries_count }}"
+  delay: "{{ matrix_container_retries_delay }}"
+  until: result is not failed
+
+- name: Check if a Dendrite signing key exists
+  ansible.builtin.stat:
+    path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem"
+  register: matrix_dendrite_signing_key_stat
+
+# We do this so that the signing key would get generated.
+# We don't use the `docker_container` module, because using it with `cap_drop` requires
+# a very recent version, which is not available for a lot of people yet.
+- name: Generate Dendrite signing key
+  ansible.builtin.command: |
+    docker run
+    --rm
+    --name=matrix-dendrite-config
+    --entrypoint=generate-keys
+    --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data
+    {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem
+    generate
+  when: "not matrix_dendrite_signing_key_stat.stat.exists"
+
+- name: Ensure Dendrite server key exists
+  ansible.builtin.file:
+    path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Dendrite configuration installed
+  ansible.builtin.copy:
+    content: "{{ matrix_dendrite_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-dendrite.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+    mode: 0644
+  register: matrix_dendrite_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-dendrite.service installation
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_dendrite_systemd_service_result.changed | bool"
+
+- name: Ensure matrix-dendrite-create-account script created
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2"
+    dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account"
+    mode: 0750

roles/custom/matrix-dendrite/tasks/dendrite/setup_uninstall.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Check existence of matrix-dendrite service
+  ansible.builtin.stat:
+    path: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+  register: matrix_dendrite_service_stat
+
+- name: Ensure matrix-dendrite is stopped
+  ansible.builtin.service:
+    name: matrix-dendrite
+    state: stopped
+    daemon_reload: true
+  register: stopping_result
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure matrix-dendrite.service doesn't exist
+  ansible.builtin.file:
+    path: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+    state: absent
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-dendrite.service removal
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure Dendrite Docker image doesn't exist
+  community.docker.docker_image:
+    name: "{{ matrix_dendrite_docker_image }}"
+    state: absent

roles/custom/matrix-dendrite/tasks/init.yml

@@ -0,0 +1,5 @@
+---
+
+- ansible.builtin.set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}"
+  when: matrix_dendrite_enabled | bool

roles/custom/matrix-dendrite/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: run_setup | bool
+  tags:
+    - setup-all
+    - setup-dendrite
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_dendrite.yml"
+  when: run_setup | bool
+  tags:
+    - setup-all
+    - setup-dendrite
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/register_user.yml"
+  when: run_dendrite_register_user | bool and matrix_dendrite_enabled | bool
+  tags:
+    - register-user
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: run_self_check | bool and matrix_dendrite_enabled | bool
+  tags:
+    - self-check
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: run_self_check | bool and matrix_dendrite_enabled | bool
+  tags:
+    - self-check
+
+- name: Mark matrix-dendrite role as executed
+  ansible.builtin.set_fact:
+    matrix_dendrite_role_executed: true
+  tags:
+    - always

roles/custom/matrix-dendrite/tasks/register_user.yml

@@ -0,0 +1,33 @@
+---
+- name: Fail if playbook called incorrectly
+  ansible.builtin.fail:
+    msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
+  when: "username is not defined or username == '<your-username>'"
+
+- name: Fail if playbook called incorrectly
+  ansible.builtin.fail:
+    msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
+  when: "password is not defined or password == '<your-password>'"
+
+- name: Fail if playbook called incorrectly
+  ansible.builtin.fail:
+    msg: "The `admin` variable needs to be provided to this playbook, via --extra-vars"
+  when: "admin is not defined or admin not in ['yes', 'no']"
+
+- name: Ensure matrix-dendrite is started
+  ansible.builtin.service:
+    name: matrix-dendrite
+    state: started
+    daemon_reload: true
+  register: start_result
+
+- name: Wait a while, so that Dendrite can manage to start
+  ansible.builtin.pause:
+    seconds: 7
+  when: start_result.changed | bool
+
+- name: Register user
+  ansible.builtin.command:
+    cmd: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}"
+  register: matrix_dendrite_register_user_result
+  changed_when: matrix_dendrite_register_user_result.rc == 0

roles/custom/matrix-dendrite/tasks/self_check_client_api.yml

@@ -0,0 +1,18 @@
+---
+- name: Check Matrix Client API
+  ansible.builtin.uri:
+    url: "{{ matrix_dendrite_client_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}"
+  register: result_matrix_dendrite_client_api
+  ignore_errors: true
+  check_mode: false
+
+- name: Fail if Matrix Client API not working
+  ansible.builtin.fail:
+    msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}"
+  when: "(result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)"
+
+- name: Report working Matrix Client API
+  ansible.builtin.debug:
+    msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working"

roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml

@@ -0,0 +1,24 @@
+---
+- name: Check Matrix Federation API
+  ansible.builtin.uri:
+    url: "{{ matrix_dendrite_federation_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}"
+  register: result_matrix_dendrite_federation_api
+  ignore_errors: true
+  check_mode: false
+
+- name: Fail if Matrix Federation API not working
+  ansible.builtin.fail:
+    msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}"
+  when: "matrix_dendrite_federation_enabled | bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)"
+
+- name: Fail if Matrix Federation API unexpectedly enabled
+  ansible.builtin.fail:
+    msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled."
+  when: "not matrix_dendrite_federation_enabled | bool and not result_matrix_dendrite_federation_api.failed"
+
+- name: Report working Matrix Federation API
+  ansible.builtin.debug:
+    msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working"
+  when: "matrix_dendrite_federation_enabled | bool"

roles/custom/matrix-dendrite/tasks/setup_dendrite.yml

@@ -0,0 +1,15 @@
+---
+- name: Ensure Dendrite paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_dendrite_config_dir_path }}", when: true}
+    - {path: "{{ matrix_dendrite_ext_path }}", when: true}
+    - {path: "{{ matrix_dendrite_nats_storage_path }}", when: true}
+  when: "matrix_dendrite_enabled | bool and item.when"
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml"

roles/custom/matrix-dendrite/tasks/validate_config.yml

@@ -0,0 +1,16 @@
+---
+- name: Fail if required Dendrite settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) for using Dendrite.
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_dendrite_registration_shared_secret"
+
+- name: (Deprecation) Catch and report renamed settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items: []

roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2

@@ -0,0 +1,416 @@
+# This is the Dendrite configuration file.
+#
+# The configuration is split up into sections - each Dendrite component has a
+# configuration section, in addition to the "global" section which applies to
+# all components.
+#
+# At a minimum, to get started, you will need to update the settings in the
+# "global" section for your deployment, and you will need to check that the
+# database "connection_string" line in each component section is correct.
+#
+# Each component with a "database" section can accept the following formats
+# for "connection_string":
+#   SQLite:     file:filename.db
+#               file:///path/to/filename.db
+#   PostgreSQL: postgresql://user:pass@hostname/database?params=...
+#
+# SQLite is embedded into Dendrite and therefore no further prerequisites are
+# needed for the database when using SQLite mode. However, performance with
+# PostgreSQL is significantly better and recommended for multi-user deployments.
+# SQLite is typically around 20-30% slower than PostgreSQL when tested with a
+# small number of users and likely will perform worse still with a higher volume
+# of users.
+#
+# The "max_open_conns" and "max_idle_conns" settings configure the maximum
+# number of open/idle database connections. The value 0 will use the database
+# engine default, and a negative value will use unlimited connections. The
+# "conn_max_lifetime" option controls the maximum length of time a database
+# connection can be idle in seconds - a negative value is unlimited.
+
+# The version of the configuration file.
+version: 2
+
+# Global Matrix configuration. This configuration applies to all components.
+global:
+  # The domain name of this homeserver.
+  server_name: {{ matrix_domain|to_json }}
+
+  # The path to the signing private key file, used to sign requests and events.
+  # Note that this is NOT the same private key as used for TLS! To generate a
+  # signing key, use "./bin/generate-keys --private-key matrix_key.pem".
+  private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem"
+
+  # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
+  # to old signing private keys that were formerly in use on this domain. These
+  # keys will not be used for federation request or event signing, but will be
+  # provided to any other homeserver that asks when trying to verify old events.
+  # old_private_keys:
+  # - private_key: old_matrix_key.pem
+  #   expired_at: 1601024554498
+
+  # How long a remote server can cache our server signing key before requesting it
+  # again. Increasing this number will reduce the number of requests made by other
+  # servers for our key but increases the period that a compromised key will be
+  # considered valid by other homeservers.
+  key_validity_period: 168h0m0s
+
+  # The server name to delegate server-server communications to, with optional port
+  # e.g. localhost:443
+  well_known_server_name: ""
+
+  # The server name to delegate client-server communications to, with optional port
+  # e.g. localhost:443
+  well_known_client_name: ""
+
+  # Lists of domains that the server will trust as identity servers to verify third
+  # party identifiers such as phone numbers and email addresses.
+  trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }}
+
+  # Disables federation. Dendrite will not be able to make any outbound HTTP requests
+  # to other servers and the federation API will not be exposed.
+  disable_federation: {{ (not matrix_dendrite_federation_enabled)|to_json }}
+
+  # Configures the handling of presence events.
+  presence:
+    # Whether inbound presence events are allowed, e.g. receiving presence events from other servers
+    enable_inbound: false
+    # Whether outbound presence events are allowed, e.g. sending presence events to other servers
+    enable_outbound: false
+
+  # Configuration for in-memory caches. Caches can often improve performance by
+  # keeping frequently accessed items (like events, identifiers etc.) in memory
+  # rather than having to read them from the database.
+  cache:
+    # The estimated maximum size for the global cache in bytes, or in terabytes,
+    # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
+    # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
+    # memory limit for the entire process. A cache that is too small may ultimately
+    # provide little or no benefit.
+    max_size_estimated: 1gb
+
+    # The maximum amount of time that a cache entry can live for in memory before
+    # it will be evicted and/or refreshed from the database. Lower values result in
+    # easier admission of new cache entries but may also increase database load in
+    # comparison to higher values, so adjust conservatively. Higher values may make
+    # it harder for new items to make it into the cache, e.g. if new rooms suddenly
+    # become popular.
+    max_age: 1h
+
+  # Server notices allows server admins to send messages to all users.
+  server_notices:
+    enabled: false
+    # The server localpart to be used when sending notices, ensure this is not yet taken
+    local_part: "_server"
+    # The displayname to be used when sending notices
+    display_name: "Server alerts"
+    # The mxid of the avatar to use
+    avatar_url: ""
+    # The roomname to be used when creating messages
+    room_name: "Server Alerts"
+
+  # Configuration for NATS JetStream
+  jetstream:
+    # A list of NATS Server addresses to connect to. If none are specified, an
+    # internal NATS server will be started automatically when running Dendrite
+    # in monolith mode. It is required to specify the address of at least one
+    # NATS Server node if running in polylith mode.
+    addresses:
+    #  - jetstream:4222
+
+    # Keep all NATS streams in memory, rather than persisting it to the storage
+    # path below. This option is present primarily for integration testing and
+    # should not be used on a real world Dendrite deployment.
+    in_memory: false
+
+    # Persistent directory to store JetStream streams in. This directory
+    # should be preserved across Dendrite restarts.
+    storage_path: "/matrix-nats-store"
+
+    # The prefix to use for stream names for this homeserver - really only
+    # useful if running more than one Dendrite on the same NATS deployment.
+    topic_prefix: Dendrite
+
+  # Configuration for Prometheus metric collection.
+  metrics:
+    # Whether or not Prometheus metrics are enabled.
+    enabled: {{ matrix_dendrite_metrics_enabled|to_json }}
+
+    # HTTP basic authentication to protect access to monitoring.
+    basic_auth:
+      username: {{ matrix_dendrite_metrics_username|to_json }}
+      password: {{ matrix_dendrite_metrics_password|to_json }}
+
+  # DNS cache options. The DNS cache may reduce the load on DNS servers
+  # if there is no local caching resolver available for use.
+  dns_cache:
+    # Whether or not the DNS cache is enabled.
+    enabled: false
+
+    # Maximum number of entries to hold in the DNS cache, and
+    # for how long those items should be considered valid in seconds.
+    cache_size: 256
+    cache_lifetime: "5m" # 5minutes; see https://pkg.go.dev/time@master#ParseDuration for more
+
+# Configuration for the Appservice API.
+app_service_api:
+  internal_api:
+    listen: http://0.0.0.0:7777
+    connect: http://appservice_api:7777
+
+  # Disable the validation of TLS certificates of appservices. This is
+  # not recommended in production since it may allow appservice traffic
+  # to be sent to an unverified endpoint.
+  disable_tls_validation: {{ matrix_dendrite_disable_tls_validation|to_json }}
+
+  # Appservice configuration files to load into this homeserver.
+  config_files: {{ matrix_dendrite_app_service_config_files_final|to_json }}
+
+# Configuration for the Client API.
+client_api:
+  internal_api:
+    listen: http://0.0.0.0:7771
+    connect: http://client_api:7771
+  external_api:
+    listen: http://0.0.0.0:8071
+
+  # Prevents new users from being able to register on this homeserver, except when
+  # using the registration shared secret below.
+  registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }}
+
+  # Prevents new guest accounts from being created. Guest registration is also
+  # disabled implicitly by setting 'registration_disabled' above.
+  guests_disabled: true
+
+  # If set, allows registration by anyone who knows the shared secret, regardless of
+  # whether registration is otherwise disabled.
+  registration_shared_secret: {{ matrix_dendrite_registration_shared_secret | string|to_json }}
+
+  # Whether to require reCAPTCHA for registration.
+  enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }}
+
+  # Settings for ReCAPTCHA.
+  recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }}
+  recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }}
+  recaptcha_bypass_secret: ""
+  recaptcha_siteverify_api: {{ matrix_dendrite_recaptcha_siteverify_api|to_json }}
+
+  # TURN server information that this homeserver should send to clients.
+  turn:
+    turn_user_lifetime: ""
+    turn_uris: {{ matrix_dendrite_turn_uris|to_json }}
+    turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }}
+    turn_username: ""
+    turn_password: ""
+
+  # Settings for rate-limited endpoints. Rate limiting will kick in after the
+  # threshold number of "slots" have been taken by requests from a specific
+  # host. Each "slot" will be released after the cooloff time in milliseconds.
+  rate_limiting:
+    enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }}
+    threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }}
+    cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }}
+    exempt_user_ids:
+    #  - "@user:domain.com"
+
+# Configuration for the Federation API.
+federation_api:
+  internal_api:
+    listen: http://0.0.0.0:7772
+    connect: http://federation_api:7772
+  external_api:
+    listen: http://0.0.0.0:8072
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federationapi_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+  # How many times we will try to resend a failed transaction to a specific server. The
+  # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc.
+  send_max_retries: 16
+
+  # Disable the validation of TLS certificates of remote federated homeservers. Do not
+  # enable this option in production as it presents a security risk!
+  disable_tls_validation: {{ matrix_dendrite_disable_tls_validation|to_json }}
+
+  # Not in dendrite-config.yaml, but is in build/docker/config/dendrite.yaml
+  # Use the following proxy server for outbound federation traffic.
+  #proxy_outbound:
+  #  enabled: false
+  #  protocol: http
+  #  host: localhost
+  #  port: 8080
+
+  # Perspective keyservers to use as a backup when direct key fetches fail. This may
+  # be required to satisfy key requests for servers that are no longer online when
+  # joining some rooms.
+  key_perspectives:
+    - server_name: matrix.org
+      keys:
+        - key_id: ed25519:auto
+          public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
+        - key_id: ed25519:a_RXGa
+          public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
+
+  # This option will control whether Dendrite will prefer to look up keys directly
+  # or whether it should try perspective servers first, using direct fetches as a
+  # last resort.
+  prefer_direct_fetch: false
+
+# Configuration for the Key Server (for end-to-end encryption).
+key_server:
+  internal_api:
+    listen: http://0.0.0.0:7779
+    connect: http://key_server:7779
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_keyserver_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+# Configuration for the Media API.
+media_api:
+  internal_api:
+    listen: http://0.0.0.0:7774
+    connect: http://media_api:7774
+  external_api:
+    listen: http://0.0.0.0:8074
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mediaapi_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+  # Storage path for uploaded media. May be relative or absolute.
+  base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}"
+
+  # The maximum allowed file size (in bytes) for media uploads to this homeserver
+  # (0 = unlimited). If using a reverse proxy, ensure it allows requests at
+  # least this large (e.g. client_max_body_size in nginx.)
+  max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }}
+
+  # Whether to dynamically generate thumbnails if needed.
+  dynamic_thumbnails: false
+
+  # The maximum number of simultaneous thumbnail generators to run.
+  max_thumbnail_generators: 10
+
+  # A list of thumbnail sizes to be generated for media content.
+  thumbnail_sizes:
+    - width: 32
+      height: 32
+      method: crop
+    - width: 96
+      height: 96
+      method: crop
+    - width: 640
+      height: 480
+      method: scale
+
+# Configuration for experimental MSC's
+mscs:
+  # A list of enabled MSC's
+  # Currently valid values are:
+  # - msc2836    (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
+  # - msc2946    (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)
+  mscs: []
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode=disable
+    max_open_conns: 5
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+# Configuration for the Room Server.
+room_server:
+  internal_api:
+    listen: http://0.0.0.0:7770
+    connect: http://room_server:7770
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+# Configuration for the Sync API.
+sync_api:
+  internal_api:
+    listen: http://0.0.0.0:7773
+    connect: http://sync_api:7773
+  external_api:
+    listen: http://0.0.0.0:8073
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_syncapi_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+  # This option controls which HTTP header to inspect to find the real remote IP
+  # address of the client. This is likely required if Dendrite is running behind
+  # a reverse proxy server.
+  # real_ip_header: X-Real-IP
+  real_ip_header: {{ matrix_dendrite_sync_api_real_ip_header|to_json }}
+  # Configuration for the full-text search engine.
+  search:
+    # Whether or not search is enabled.
+    enabled: false
+    # The path where the search index will be created in.
+    index_path: "/matrix-media-store-parent/searchindex"
+    # The language most likely to be used on the server - used when indexing, to
+    # ensure the returned results match expectations. A full list of possible languages
+    # can be found at https://github.com/blevesearch/bleve/tree/master/analysis/lang
+    language: "en"
+
+# Configuration for the User API.
+user_api:
+  # The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31
+  # See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information.
+  # Setting this lower makes registration/login consume less CPU resources at the cost of security
+  # should the database be compromised. Setting this higher makes registration/login consume more
+  # CPU resources but makes it harder to brute force password hashes.
+  # This value can be low if performing tests or on embedded Dendrite instances (e.g WASM builds)
+  # bcrypt_cost: 10
+  internal_api:
+    listen: http://0.0.0.0:7781
+    connect: http://user_api:7781
+  account_database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_userapi_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+  # The length of time that a token issued for a relying party from
+  # /_matrix/client/r0/user/{userId}/openid/request_token endpoint
+  # is considered to be valid in milliseconds.
+  # The default lifetime is 3600000ms (60 minutes).
+  # openid_token_lifetime_ms: 3600000
+
+# Not in dendrite-config.yaml, but is in build/docker/config/dendrite.yaml
+# Configuration for the Push Server API.
+push_server:
+  internal_api:
+    listen: http://localhost:7782
+    connect: http://localhost:7782
+  database:
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_pushserver_database }}?sslmode=disable
+    max_open_conns: 10
+    max_idle_conns: 2
+    conn_max_lifetime: -1
+
+# Configuration for Opentracing.
+# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
+# how this works and how to set it up.
+tracing:
+  enabled: false
+  jaeger:
+    serviceName: ""
+    disabled: false
+    rpc_metrics: false
+    tags: []
+    sampler: null
+    reporter: null
+    headers: null
+    baggage_restrictions: null
+    throttler: null
+
+# Logging configuration, in addition to the standard logging that is sent to
+# stdout by Dendrite.
+logging: []

roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2

@@ -0,0 +1,65 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Dendrite server
+{% for service in matrix_dendrite_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_dendrite_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null || true'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null || true'
+
+{% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %}
+# Dendrite is too quick to start in relation to its matrix-postgres dependency.
+# Delay Dendrite startup to avoid failing with: "failed to connect to accounts db" ("pq: the database system is starting up").
+ExecStartPre={{ matrix_host_command_sleep }} 5
+{% endif %}
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %}
+			-p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \
+			{% endif %}
+			{% if matrix_dendrite_container_https_host_bind_address and matrix_dendrite_https_bind_port %}
+			-p {{ matrix_dendrite_container_https_host_bind_address }}:{{ matrix_dendrite_https_bind_port }} \
+			{% endif %}
+			--mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \
+			--mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
+			--mount type=bind,src={{ matrix_dendrite_nats_storage_path }},dst=/matrix-nats-store,bind-propagation=slave \
+			{% for volume in matrix_dendrite_container_additional_volumes %}
+			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
+			{% endfor %}
+			{% for arg in matrix_dendrite_container_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_dendrite_docker_image }} \
+			-config /data/dendrite.yaml \
+			{{ matrix_dendrite_process_extra_arguments|join(' ') }} \
+			{% if matrix_dendrite_http_bind_address %}
+			-http-bind-address {{ matrix_dendrite_http_bind_address }}
+			{% endif %}
+			{% if matrix_dendrite_https_bind_address %}
+			-https-bind-address {{ matrix_dendrite_https_bind_address }}
+			{% endif %}
+
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null || true'
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null || true'
+ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-dendrite
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2

@@ -0,0 +1,17 @@
+#jinja2: lstrip_blocks: "True"
+#!/bin/bash
+
+if [ $# -ne 3 ]; then
+	echo "Usage: "$0" <username> <password> <admin access: 0 or 1>"
+	exit 1
+fi
+
+user=$1
+password=$2
+admin=$3
+
+if [ "$admin" -eq "1" ]; then
+	docker exec matrix-dendrite create-account -config /data/dendrite.yaml -username "$user" -password "$password" -admin -url http://localhost:{{ matrix_dendrite_http_bind_port }}
+else
+	docker exec matrix-dendrite create-account -config /data/dendrite.yaml -username "$user" -password "$password" -url http://localhost:{{ matrix_dendrite_http_bind_port }}
+fi

roles/custom/matrix-dendrite/vars/main.yml

@@ -0,0 +1,11 @@
+---
+matrix_dendrite_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions"
+matrix_dendrite_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"
+
+# Tells whether this role had executed or not. Toggled to `true` during runtime.
+matrix_dendrite_role_executed: false
+
+matrix_dendrite_media_store_parent_path: "{{ matrix_dendrite_media_store_path | dirname }}"
+matrix_dendrite_media_store_directory_name: "{{ matrix_dendrite_media_store_path | basename }}"
+
+matrix_dendrite_signing_key_file_name: "{{ matrix_dendrite_signing_key | basename }}"