Split playbook into multiple roles

As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.

roles/matrix-mxisd/defaults/main.yml

@@ -0,0 +1,101 @@
+# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`).
+# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own,
+# you may wish to disable this.
+matrix_mxisd_enabled: true
+matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
+matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
+matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
+matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
+
+# Controls whether the mxisd web server's port is exposed outside of the container.
+# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
+# mxisd's web-server port to the local host (`127.0.0.1:8090`).
+matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
+
+# Your identity server is private by default.
+# To ensure maximum discovery, you can make your identity server
+# also forward lookups to the central matrix.org Identity server
+# (at the cost of potentially leaking all your contacts information).
+# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups
+matrix_mxisd_matrixorg_forwarding_enabled: false
+
+# mxisd has serveral supported identity stores.
+# One of them (which we enable by default) is storing identities directly in Synapse's database.
+# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
+#
+# If you need to disable this in favor of some other store, you can toggle it to disabled here
+# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`.
+matrix_mxisd_synapsesql_enabled: true
+matrix_mxisd_synapsesql_type: postgresql
+matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }}
+
+# Default mxisd configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_mxisd_configuration_yaml: |
+  matrix:
+    domain: {{ hostname_identity }}
+
+  server:
+    name: {{ hostname_matrix }}
+
+  key:
+    path: /var/mxisd/sign.key
+
+  storage:
+    provider:
+      sqlite:
+        database: /var/mxisd/mxisd.db
+
+  {% if matrix_mxisd_matrixorg_forwarding_enabled %}
+  forward:
+    servers: ['matrix-org']
+  {% endif %}
+
+  threepid:
+    medium:
+      email:
+        identity:
+          from: {{ matrix_mailer_sender_address }}
+        connectors:
+          smtp:
+            host: matrix-mailer
+            port: 587
+            tls: 0
+
+  synapseSql:
+    enabled: {{ matrix_mxisd_synapsesql_enabled }}
+    type: {{ matrix_mxisd_synapsesql_type }}
+    connection: {{ matrix_mxisd_synapsesql_connection }}
+
+matrix_mxisd_configuration_extension_yaml: |
+  # Your custom YAML configuration for mxisd goes here.
+  # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_mxisd_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  #
+  # ldap:
+  #   enabled: true
+  #   connection:
+  #     host: ldapHostnameOrIp
+  #     tls: false
+  #     port: 389
+  #     baseDns: ['OU=Users,DC=example,DC=org']
+  #     bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
+  #     bindPassword: TheUserPassword
+
+# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
+# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
+matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
+
+# Holds the final mxisd configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
+matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"

roles/matrix-mxisd/tasks/init.yml

@@ -0,0 +1,3 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}"
+  when: "matrix_mxisd_enabled"

roles/matrix-mxisd/tasks/main.yml

@@ -0,0 +1,13 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml"
+  tags:
+    - setup-all
+    - setup-mxisd
+
+- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: "run_self_check and matrix_mxisd_enabled"

roles/matrix-mxisd/tasks/self_check_mxisd.yml

@@ -0,0 +1,20 @@
+---
+
+- set_fact:
+    mxisd_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/identity/api/v1"
+
+- name: Check mxisd Identity Service
+  uri:
+    url: "{{ mxisd_url_endpoint_public }}"
+    follow_redirects: false
+  register: result_mxisd
+  ignore_errors: true
+
+- name: Fail if mxisd Identity Service not working
+  fail:
+    msg: "Failed checking mxisd is up at `{{ hostname_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}"
+  when: "result_mxisd.failed or 'json' not in result_mxisd"
+
+- name: Report working mxisd Identity Service
+  debug:
+    msg: "mxisd at `{{ hostname_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)"

roles/matrix-mxisd/tasks/setup_mxisd.yml

@@ -0,0 +1,116 @@
+---
+
+#
+# Tasks related to setting up mxisd
+#
+
+- name: (Deprecation) Warn about mxisd variables that are not used anymore
+  fail:
+    msg: >
+      The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
+      You'll need to adapt to the new way of extending mxisd configuration.
+      See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples.
+  when: "matrix_mxisd_enabled and item in vars"
+  with_items:
+    - 'matrix_mxisd_ldap_enabled'
+    - 'matrix_mxisd_ldap_connection_host'
+    - 'matrix_mxisd_ldap_connection_tls'
+    - 'matrix_mxisd_ldap_connection_port'
+    - 'matrix_mxisd_ldap_connection_baseDn'
+    - 'matrix_mxisd_ldap_connection_baseDns'
+    - 'matrix_mxisd_ldap_connection_bindDn'
+    - 'matrix_mxisd_ldap_connection_bindPassword'
+    - 'matrix_mxisd_ldap_filter'
+    - 'matrix_mxisd_ldap_attribute_uid_type'
+    - 'matrix_mxisd_ldap_attribute_uid_value'
+    - 'matrix_mxisd_ldap_connection_bindPassword'
+    - 'matrix_mxisd_ldap_attribute_name'
+    - 'matrix_mxisd_ldap_attribute_threepid_email'
+    - 'matrix_mxisd_ldap_attribute_threepid_msisdn'
+    - 'matrix_mxisd_ldap_identity_filter'
+    - 'matrix_mxisd_ldap_identity_medium'
+    - 'matrix_mxisd_ldap_auth_filter'
+    - 'matrix_mxisd_ldap_directory_filter'
+    - 'matrix_mxisd_template_config'
+
+- name: Ensure mxisd configuration does not contain any dot-notation keys
+  fail:
+    msg: >
+      Since version 1.3.0, mxisd will not accept property-style configuration keys.
+      You have defined a key (`{{ item.key }}`) which contains a dot.
+      Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130
+  when: "matrix_mxisd_enabled and '.' in item.key"
+  with_dict: "{{ matrix_mxisd_configuration }}"
+
+- name: Fail if mailer is not enabled
+  fail:
+    msg: "You need to enable the mailer service (`matrix_mailer_enabled`) to install mxisd"
+  when: "matrix_mxisd_enabled and not matrix_mailer_enabled"
+
+- name: Ensure mxisd paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_mxisd_config_path }}"
+    - "{{ matrix_mxisd_data_path }}"
+  when: matrix_mxisd_enabled
+
+- name: Ensure mxisd image is pulled
+  docker_image:
+    name: "{{ matrix_mxisd_docker_image }}"
+  when: matrix_mxisd_enabled
+
+- name: Ensure mxisd config installed
+  copy:
+    content: "{{ matrix_mxisd_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: matrix_mxisd_enabled
+
+- name: Ensure matrix-mxisd.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2"
+    dest: "/etc/systemd/system/matrix-mxisd.service"
+    mode: 0644
+  when: matrix_mxisd_enabled
+
+#
+# Tasks related to getting rid of mxisd (if it was previously enabled)
+#
+
+- name: Check existence of matrix-mxisd service
+  stat:
+    path: "/etc/systemd/system/matrix-mxisd.service"
+  register: matrix_mxisd_service_stat
+
+- name: Ensure matrix-mxisd is stopped
+  service:
+    name: matrix-mxisd
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists"
+
+- name: Ensure matrix-mxisd.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-mxisd.service"
+    state: absent
+  when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists"
+
+- name: Ensure Matrix mxisd paths don't exist
+  file:
+    path: "{{ matrix_mxisd_base_path }}"
+    state: absent
+  when: "not matrix_mxisd_enabled"
+
+- name: Ensure mxisd Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_mxisd_docker_image }}"
+    state: absent
+  when: "not matrix_mxisd_enabled"

roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2

@@ -0,0 +1,30 @@
+[Unit]
+Description=Matrix mxisd identity server
+After=docker.service
+Requires=docker.service
+{% if not matrix_postgres_use_external %}
+Requires=matrix-postgres.service
+After=matrix-postgres.service
+{% endif %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-mxisd
+ExecStartPre=-/usr/bin/docker rm matrix-mxisd
+ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_mxisd_container_expose_port %}
+			-p 127.0.0.1:8090:8090 \
+			{% endif %}
+			-v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \
+			-v {{ matrix_mxisd_data_path }}:/var/mxisd \
+			{{ matrix_mxisd_docker_image }}
+ExecStop=-/usr/bin/docker kill matrix-mxisd
+ExecStop=-/usr/bin/docker rm matrix-mxisd
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target