Split playbook into multiple roles

As suggested in #63 (Github issue), splitting the playbook's logic into multiple roles will be beneficial for maintainability. This patch realizes this split. Still, some components affect others, so the roles are not really independent of one another. For example: - disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse and riot-web to reconfigure themselves with other (public) Identity servers. - enabling matrix-corporal (`matrix_corporal_enabled: true`) affects how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to put matrix-corporal's gateway server in front of Synapse We may be able to move away from such dependencies in the future, at the expense of a more complicated manual configuration, but it's probably not worth sacrificing the convenience we have now. As part of this work, the way we do "start components" has been redone now to use a loop, as suggested in #65 (Github issue). This should make restarting faster and more reliable.
2019-01-12 17:53:00 +02:00
parent 7d1561b506
commit 51312b8250
122 changed files with 931 additions and 787 deletions
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -0,0 +1,28 @@
+# Enable this to add support for matrix-corporal.
+# See: https://github.com/devture/matrix-corporal
+matrix_corporal_enabled: false
+
+# Controls whether the matrix-corporal web server's ports are exposed outside of the container.
+# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
+# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
+matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
+
+matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
+matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
+matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
+matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
+matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
+
+matrix_corporal_matrix_timeout_milliseconds: 45000
+
+matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
+matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
+
+matrix_corporal_http_api_enabled: false
+matrix_corporal_http_api_auth_token: ""
+
+# Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value)
+matrix_corporal_policy_provider_config: ""
+
+matrix_corporal_debug: false
--- a/roles/matrix-corporal/tasks/init.yml
+++ b/roles/matrix-corporal/tasks/init.yml
@ -0,0 +1,9 @@
+- name: Override configuration specifying where the Matrix Client API is
+  set_fact:
+    matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
+    matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
+  when: "matrix_corporal_enabled"
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
+  when: "matrix_corporal_enabled"
--- a/roles/matrix-corporal/tasks/main.yml
+++ b/roles/matrix-corporal/tasks/main.yml
@ -0,0 +1,16 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/setup_corporal.yml"
+  when: run_setup
+  tags:
+    - setup-all
+    - setup-corporal
+
+- import_tasks: "{{ role_path }}/tasks/self_check_corporal.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: "run_self_check and matrix_corporal_enabled"
+  tags:
+    - self-check
--- a/roles/matrix-corporal/tasks/self_check_corporal.yml
+++ b/roles/matrix-corporal/tasks/self_check_corporal.yml
@ -0,0 +1,21 @@
+---
+
+- set_fact:
+    corporal_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/corporal"
+
+- name: Check Matrix Corporal HTTP gateway
+  uri:
+    url: "{{ corporal_client_api_url_endpoint_public }}"
+    follow_redirects: false
+    return_content: true
+  register: result_corporal_client_api
+  ignore_errors: true
+
+- name: Fail if Matrix Corporal HTTP gateway not working
+  fail:
+    msg: "Failed checking Matrix Corporal is fronting the Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`). Is matrix-corporal running? Is port 443 open in your firewall? Full error: {{ result_corporal_client_api }}"
+  when: "result_corporal_client_api.failed or 'Matrix Client-Server API protected by Matrix Corporal' not in result_corporal_client_api.content"
+
+- name: Report working Matrix Corporal HTTP gateway
+  debug:
+    msg: "Matrix Corporal is fronting the Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`)"
--- a/roles/matrix-corporal/tasks/setup_corporal.yml
+++ b/roles/matrix-corporal/tasks/setup_corporal.yml
@ -0,0 +1,68 @@
+---
+
+#
+# Tasks related to setting up matrix-corporal
+#
+
+- name: Fail if Shared Secret Auth extension not enabled
+  fail:
+    msg: "To use matrix-corporal, you need to enable the Shared Secret Auth module for Synapse (see matrix_synapse_ext_password_provider_shared_secret_auth_enabled)"
+  when: "matrix_corporal_enabled and not matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
+
+- name: Fail if HTTP API enabled, but no token set
+  fail:
+    msg: "The Matrix Corporal HTTP API is enabled, but no auth token has been set in matrix_corporal_http_api_auth_token"
+  when: "matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"
+
+- name: Fail if policy provider configuration not set
+  fail:
+    msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config"
+  when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''"
+
+# There are some additional initialization tasks in setup_corporal_overrides.yml,
+# which need to always run, no matter what tag the playbook is running with.
+
+- name: Ensure Matrix Corporal paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_corporal_config_dir_path }}"
+    - "{{ matrix_corporal_cache_dir_path }}"
+    - "{{ matrix_corporal_var_dir_path }}"
+  when: "matrix_corporal_enabled"
+
+- name: Ensure Matrix Corporal Docker image is pulled
+  docker_image:
+    name: "{{ matrix_corporal_docker_image }}"
+  when: "matrix_corporal_enabled"
+
+- name: Ensure Matrix Corporal config installed
+  template:
+    src: "{{ role_path }}/templates/config.json.j2"
+    dest: "{{ matrix_corporal_config_dir_path }}/config.json"
+    mode: 0644
+  when: "matrix_corporal_enabled"
+
+- name: Ensure matrix-corporal.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-corporal.service.j2"
+    dest: "/etc/systemd/system/matrix-corporal.service"
+    mode: 0644
+  when: "matrix_corporal_enabled"
+
+#
+# Tasks related to getting rid of matrix-corporal (if it was previously enabled)
+#
+
+- name: Ensure matrix-corporal files don't exist
+  file:
+    path: "{{ item }}"
+    state: absent
+  when: "not matrix_corporal_enabled"
+  with_items:
+    - /etc/systemd/system/matrix-corporal.service
+    - "{{ matrix_corporal_config_dir_path }}/config.json"
--- a/roles/matrix-corporal/templates/config.json.j2
+++ b/roles/matrix-corporal/templates/config.json.j2
@ -0,0 +1,30 @@
+{
+	"Matrix": {
+		"HomeserverDomainName": "{{ hostname_identity }}",
+		"HomeserverApiEndpoint": "http://matrix-synapse:8008",
+		"AuthSharedSecret": "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}",
+		"RegistrationSharedSecret": "{{ matrix_synapse_registration_shared_secret }}",
+		"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
+	},
+
+	"Reconciliation": {
+		"UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ hostname_identity }}",
+		"RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }}
+	},
+
+	"HttpGateway": {
+		"ListenAddress": "0.0.0.0:41080"
+	},
+
+	"HttpApi": {
+		"Enabled": {{ matrix_corporal_http_api_enabled|to_json }},
+		"ListenAddress": "0.0.0.0:41081",
+		"AuthorizationBearerToken": "{{ matrix_corporal_http_api_auth_token }}"
+	},
+
+	"PolicyProvider": {{ matrix_corporal_policy_provider_config }},
+
+	"Misc": {
+		"Debug": {{ matrix_corporal_debug|to_json }}
+	}
+}
--- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
+++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
@ -0,0 +1,31 @@
+[Unit]
+Description=Matrix Corporal
+After=docker.service
+Requires=docker.service
+Requires=matrix-synapse.service
+After=matrix-synapse.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-corporal
+ExecStartPre=-/usr/bin/docker rm matrix-corporal
+ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_corporal_container_expose_ports %}
+			-p 127.0.0.1:41080:41080 \
+			-p 127.0.0.1:41081:41081 \
+			{% endif %}
+			-v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \
+			-v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \
+			-v {{ matrix_corporal_var_dir_path }}:/var/matrix-corporal:rw \
+			{{ matrix_corporal_docker_image }} \
+			/matrix-corporal -config=/etc/matrix-corporal/config.json
+ExecStop=-/usr/bin/docker kill matrix-corporal
+ExecStop=-/usr/bin/docker rm matrix-corporal
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target