Split playbook into multiple roles

As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.

roles/matrix-corporal/tasks/init.yml

@@ -0,0 +1,9 @@
+- name: Override configuration specifying where the Matrix Client API is
+  set_fact:
+    matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
+    matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
+  when: "matrix_corporal_enabled"
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
+  when: "matrix_corporal_enabled"

roles/matrix-corporal/tasks/main.yml

@@ -0,0 +1,16 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/setup_corporal.yml"
+  when: run_setup
+  tags:
+    - setup-all
+    - setup-corporal
+
+- import_tasks: "{{ role_path }}/tasks/self_check_corporal.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: "run_self_check and matrix_corporal_enabled"
+  tags:
+    - self-check

roles/matrix-corporal/tasks/self_check_corporal.yml

@@ -0,0 +1,21 @@
+---
+
+- set_fact:
+    corporal_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/corporal"
+
+- name: Check Matrix Corporal HTTP gateway
+  uri:
+    url: "{{ corporal_client_api_url_endpoint_public }}"
+    follow_redirects: false
+    return_content: true
+  register: result_corporal_client_api
+  ignore_errors: true
+
+- name: Fail if Matrix Corporal HTTP gateway not working
+  fail:
+    msg: "Failed checking Matrix Corporal is fronting the Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`). Is matrix-corporal running? Is port 443 open in your firewall? Full error: {{ result_corporal_client_api }}"
+  when: "result_corporal_client_api.failed or 'Matrix Client-Server API protected by Matrix Corporal' not in result_corporal_client_api.content"
+
+- name: Report working Matrix Corporal HTTP gateway
+  debug:
+    msg: "Matrix Corporal is fronting the Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`)"

roles/matrix-corporal/tasks/setup_corporal.yml

@@ -0,0 +1,68 @@
+---
+
+#
+# Tasks related to setting up matrix-corporal
+#
+
+- name: Fail if Shared Secret Auth extension not enabled
+  fail:
+    msg: "To use matrix-corporal, you need to enable the Shared Secret Auth module for Synapse (see matrix_synapse_ext_password_provider_shared_secret_auth_enabled)"
+  when: "matrix_corporal_enabled and not matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
+
+- name: Fail if HTTP API enabled, but no token set
+  fail:
+    msg: "The Matrix Corporal HTTP API is enabled, but no auth token has been set in matrix_corporal_http_api_auth_token"
+  when: "matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"
+
+- name: Fail if policy provider configuration not set
+  fail:
+    msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config"
+  when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''"
+
+# There are some additional initialization tasks in setup_corporal_overrides.yml,
+# which need to always run, no matter what tag the playbook is running with.
+
+- name: Ensure Matrix Corporal paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_corporal_config_dir_path }}"
+    - "{{ matrix_corporal_cache_dir_path }}"
+    - "{{ matrix_corporal_var_dir_path }}"
+  when: "matrix_corporal_enabled"
+
+- name: Ensure Matrix Corporal Docker image is pulled
+  docker_image:
+    name: "{{ matrix_corporal_docker_image }}"
+  when: "matrix_corporal_enabled"
+
+- name: Ensure Matrix Corporal config installed
+  template:
+    src: "{{ role_path }}/templates/config.json.j2"
+    dest: "{{ matrix_corporal_config_dir_path }}/config.json"
+    mode: 0644
+  when: "matrix_corporal_enabled"
+
+- name: Ensure matrix-corporal.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-corporal.service.j2"
+    dest: "/etc/systemd/system/matrix-corporal.service"
+    mode: 0644
+  when: "matrix_corporal_enabled"
+
+#
+# Tasks related to getting rid of matrix-corporal (if it was previously enabled)
+#
+
+- name: Ensure matrix-corporal files don't exist
+  file:
+    path: "{{ item }}"
+    state: absent
+  when: "not matrix_corporal_enabled"
+  with_items:
+    - /etc/systemd/system/matrix-corporal.service
+    - "{{ matrix_corporal_config_dir_path }}/config.json"