Split playbook into multiple roles

As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.

roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2

@@ -0,0 +1,55 @@
+server {
+	listen 80;
+	server_name {{ hostname_riot }};
+
+	server_tokens off;
+
+	location /.well-known/acme-challenge {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-certbot:80";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
+		{% endif %}
+	}
+
+	location / {
+		return 301 https://$http_host$request_uri;
+	}
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ hostname_riot }};
+
+	server_tokens off;
+	root /dev/null;
+
+	gzip on;
+	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem;
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+    location / {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-riot-web:80";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://localhost:8765;
+		{% endif %}
+
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+}

roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2

@@ -0,0 +1,112 @@
+server {
+	listen 80;
+	server_name {{ hostname_matrix }};
+
+	server_tokens off;
+
+	location /.well-known/acme-challenge {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-certbot:80";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
+		{% endif %}
+	}
+
+	location / {
+		return 301 https://$http_host$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ hostname_matrix }};
+
+	server_tokens off;
+	root /dev/null;
+
+	gzip on;
+	gzip_types text/plain application/json;
+
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem;
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+	location /.well-known/matrix/client {
+		root {{ matrix_static_files_base_path }};
+		expires 1m;
+		default_type application/json;
+		add_header Access-Control-Allow-Origin *;
+	}
+
+	{% if matrix_corporal_enabled and matrix_corporal_http_api_enabled %}
+	location /_matrix/corporal {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-corporal:41081";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://localhost:41081;
+		{% endif %}
+	}
+	{% endif %}
+
+	{% if matrix_mxisd_enabled %}
+	location /_matrix/identity {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-mxisd:8090";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://localhost:8090;
+		{% endif %}
+	}
+	{% endif %}
+
+	{% if matrix_mautrix_telegram_enabled %}
+	location {{ matrix_mautrix_telegram_public_endpoint }} {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-mautrix-telegram:8080";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://localhost:8080;
+		{% endif %}
+	}
+	{% endif %}
+
+	location /_matrix {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "{{ matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container }}";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://{{ matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container }};
+		{% endif %}
+
+		proxy_set_header X-Forwarded-For $remote_addr;
+
+		client_body_buffer_size 25M;
+		client_max_body_size {{ matrix_synapse_max_upload_size_mb }}M;
+		proxy_max_temp_file_size 0;
+	}
+
+	location / {
+		rewrite ^/$ /_matrix/static/ last;
+	}
+}

roles/matrix-nginx-proxy/templates/nginx-conf.d/nginx-http.conf.j2

@@ -0,0 +1,5 @@
+# The default is aligned to the CPU's cache size,
+# which can sometimes be too low to handle our 2 vhosts (Synapse and Riot).
+#
+# Thus, we ensure a larger bucket size value is used.
+server_names_hash_bucket_size 64;

roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2

@@ -0,0 +1,36 @@
+[Unit]
+Description=Matrix nginx proxy server
+After=docker.service
+Requires=docker.service
+Wants=matrix-synapse.service
+{% if matrix_corporal_enabled %}
+Wants=matrix-corporal.service
+{% endif %}
+{% if matrix_riot_web_enabled %}
+Wants=matrix-riot-web.service
+{% endif %}
+{% if matrix_mxisd_enabled %}
+Wants=matrix-mxisd.service
+{% endif %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
+ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
+ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
+			--log-driver=none \
+			--network={{ matrix_docker_network }} \
+			-p 80:80 \
+			-p 443:443 \
+			-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \
+			-v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \
+			-v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \
+			{{ matrix_nginx_proxy_docker_image }}
+ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
+ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
+ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
+# need to forward requests for `/.well-known/acme-challenge` to the certbot container.
+#
+# This can happen inside the container network by proxying to `http://matrix-certbot:80`
+# or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`.
+
+docker run \
+	--rm \
+	--name=matrix-certbot \
+	--network="{{ matrix_docker_network }}" \
+	-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80 \
+	-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
+	-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \
+	{{ matrix_ssl_lets_encrypt_certbot_docker_image }} \
+	renew \
+		--non-interactive \
+		{% if matrix_ssl_lets_encrypt_staging %}
+			--staging \
+		{% endif %}
+		--quiet \
+		--standalone \
+		--preferred-challenges http \
+		--agree-tos \
+		--email={{ matrix_ssl_lets_encrypt_support_email }}