Split playbook into multiple roles

As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.

roles/matrix-synapse/tasks/ext/init.yml

@@ -0,0 +1,5 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/ext/mautrix-telegram/init.yml"
+
+- import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/init.yml"

roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml

@@ -0,0 +1,11 @@
+- set_fact:
+    matrix_synapse_password_providers_enabled: true
+  when: "matrix_synapse_ext_password_provider_ldap_enabled"
+
+- set_fact:
+    matrix_synapse_additional_loggers: >
+      {{ matrix_synapse_additional_loggers }}
+      +
+      {{ [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }}
+  when: "matrix_synapse_ext_password_provider_ldap_enabled"
+

roles/matrix-synapse/tasks/ext/mautrix-telegram/init.yml

@@ -0,0 +1,3 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}"
+  when: matrix_mautrix_telegram_enabled

roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Ensure Mautrix Telegram image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_telegram_docker_image }}"
+  when: "matrix_mautrix_telegram_enabled"
+
+- name: Ensure Mautrix Telegram configuration path exists
+  file:
+    path: "{{ matrix_mautrix_telegram_base_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "matrix_mautrix_telegram_enabled"
+
+- stat: "path={{ matrix_mautrix_telegram_base_path }}/config.yaml"
+  register: mautrix_config_file
+
+- name: Ensure Matrix Mautrix telegram config installed
+  template:
+    src: "{{ role_path }}/templates/ext/mautrix-telegram/config.yaml.j2"
+    dest: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "matrix_mautrix_telegram_enabled and mautrix_config_file.stat.exists == False"
+
+- name: Ensure matrix-mautrix-telegram.service installed
+  template:
+    src: "{{ role_path }}/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2"
+    dest: "/etc/systemd/system/matrix-mautrix-telegram.service"
+    mode: 0644
+  when: "matrix_mautrix_telegram_enabled"
+
+- stat:
+    path: "{{ matrix_mautrix_telegram_base_path }}/registration.yaml"
+  register: mautrix_telegram_registration_file
+
+- name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist
+  shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_mautrix_telegram_docker_image }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml
+  when: "matrix_mautrix_telegram_enabled and mautrix_telegram_registration_file.stat.exists == False"
+
+- set_fact:
+    matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml'
+
+- set_fact:
+    matrix_synapse_container_additional_volumes: >
+      {{ matrix_synapse_container_additional_volumes }}
+      +
+      {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }}
+  when: "matrix_mautrix_telegram_enabled"
+
+- set_fact:
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files }}
+      +
+      {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json  }}
+  when: "matrix_mautrix_telegram_enabled"
+
+#
+# Tasks related to getting rid of matrix-mautrix-telegram (if it was previously enabled)
+#
+
+- name: Ensure matrix-mautrix-telegram.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-mautrix-telegram.service"
+    state: absent
+  when: "not matrix_mautrix_telegram_enabled"

roles/matrix-synapse/tasks/ext/mautrix-whatsapp/init.yml

@@ -0,0 +1,3 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}"
+  when: matrix_mautrix_whatsapp_enabled

roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Ensure Mautrix Whatsapp image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_whatsapp_docker_image }}"
+  when: "matrix_mautrix_whatsapp_enabled"
+
+- name: Ensure Mautrix Whatsapp configuration path exists
+  file:
+    path: "{{ matrix_mautrix_whatsapp_base_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "matrix_mautrix_whatsapp_enabled"
+
+- stat: "path={{ matrix_mautrix_whatsapp_base_path }}/config.yaml"
+  register: mautrix_config_file
+
+- name: Ensure Matrix Mautrix whatsapp config installed
+  template:
+    src: "{{ role_path }}/templates/ext/mautrix-whatsapp/config.yaml.j2"
+    dest: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "matrix_mautrix_whatsapp_enabled and mautrix_config_file.stat.exists == False"
+
+- name: Ensure matrix-mautrix-whatsapp.service installed
+  template:
+    src: "{{ role_path }}/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2"
+    dest: "/etc/systemd/system/matrix-mautrix-whatsapp.service"
+    mode: 0644
+  when: "matrix_mautrix_whatsapp_enabled"
+
+- stat:
+    path: "{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml"
+  register: mautrix_whatsapp_registration_file
+
+- name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist
+  shell: /usr/bin/docker run --rm --name matrix-mautrix-whatsapp-gen -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z {{ matrix_mautrix_whatsapp_docker_image }} /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml
+  when: "matrix_mautrix_whatsapp_enabled and mautrix_whatsapp_registration_file.stat.exists == False"
+
+- set_fact:
+    matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml'
+
+- set_fact:
+    matrix_synapse_container_additional_volumes: >
+      {{ matrix_synapse_container_additional_volumes }}
+      +
+      {{ [{'src': '{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_whatsapp }}', 'options': 'ro'}] }}
+  when: "matrix_mautrix_whatsapp_enabled"
+
+- set_fact:
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files }}
+      +
+      {{ ["{{ matrix_synapse_app_service_config_file_mautrix_whatsapp }}"] | to_nice_json  }}
+  when: "matrix_mautrix_whatsapp_enabled"
+
+#
+# Tasks related to getting rid of matrix-mautrix-whatsapp (if it was previously enabled)
+#
+
+- name: Ensure matrix-mautrix-whatsapp.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-mautrix-whatsapp.service"
+    state: absent
+  when: "not matrix_mautrix_whatsapp_enabled"

roles/matrix-synapse/tasks/ext/rest-auth/setup.yml

@@ -0,0 +1,48 @@
+---
+
+#
+# Tasks related to setting up matrix-synapse-rest-auth
+#
+
+- name: Fail if REST Auth enabled, but endpoint not configured
+  fail:
+    msg: "You have enabled the REST Auth password provider, but have not configured its endpoint in the `matrix_synapse_ext_password_provider_rest_auth_endpoint` variable. Consult the documentation."
+  when: "matrix_synapse_ext_password_provider_rest_auth_enabled and matrix_synapse_ext_password_provider_rest_auth_endpoint == ''"
+
+- name: Download matrix-synapse-rest-auth
+  get_url:
+    url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}"
+    dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
+    force: true
+    mode: 0440
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
+
+- set_fact:
+    matrix_synapse_password_providers_enabled: true
+  when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
+
+- set_fact:
+    matrix_synapse_container_additional_volumes: >
+      {{ matrix_synapse_container_additional_volumes }}
+      +
+      {{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '{{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py', 'options': 'ro'}] }}
+  when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
+
+- set_fact:
+    matrix_synapse_additional_loggers: >
+      {{ matrix_synapse_additional_loggers }}
+      +
+      {{ [{'name': 'rest_auth_provider', 'level': 'INFO'}] }}
+  when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
+
+#
+# Tasks related to getting rid of matrix-synapse-rest-auth (if it was previously enabled)
+#
+
+- name: Ensure matrix-synapse-rest-auth doesn't exist
+  file:
+    path: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
+    state: absent
+  when: "not matrix_synapse_ext_password_provider_rest_auth_enabled"

roles/matrix-synapse/tasks/ext/setup.yml

@@ -0,0 +1,11 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml"
+
+- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml"
+
+- import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml"
+
+- import_tasks: "{{ role_path }}/tasks/ext/mautrix-telegram/setup.yml"
+
+- import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/setup.yml"

roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml

@@ -0,0 +1,48 @@
+---
+
+#
+# Tasks related to setting up matrix-synapse-shared-secret-auth
+#
+
+- name: Fail if Shared Secret Auth enabled, but no secret set
+  fail:
+    msg: "Shared Secret Auth is enabled, but no secret has been set in matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret"
+  when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled and matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret == ''"
+
+- name: Download matrix-synapse-shared-secret-auth
+  get_url:
+    url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}"
+    dest: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py"
+    force: true
+    mode: 0440
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
+
+- set_fact:
+    matrix_synapse_password_providers_enabled: true
+  when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
+
+- set_fact:
+    matrix_synapse_container_additional_volumes: >
+      {{ matrix_synapse_container_additional_volumes }}
+      +
+      {{ [{'src': '{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py', 'dst': '{{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py', 'options': 'ro'}] }}
+  when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
+
+- set_fact:
+    matrix_synapse_additional_loggers: >
+      {{ matrix_synapse_additional_loggers }}
+      +
+      {{ [{'name': 'shared_secret_authenticator', 'level': 'INFO'}] }}
+  when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
+
+#
+# Tasks related to getting rid of matrix-synapse-shared-secret-auth (if it was previously enabled)
+#
+
+- name: Ensure matrix-synapse-shared-secret-auth doesn't exist
+  file:
+    path: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py"
+    state: absent
+  when: "not matrix_synapse_ext_password_provider_shared_secret_auth_enabled"

roles/matrix-synapse/tasks/import_media_store.yml

@@ -0,0 +1,83 @@
+---
+
+# Pre-checks
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars"
+  when: "server_path_media_store is not defined or server_path_media_store.startswith('<')"
+
+- name: Fail if media store is on Amazon S3
+  fail:
+    msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported."
+  when: "matrix_s3_media_store_enabled"
+
+- name: Check if the provided media store directory exists
+  stat:
+    path: "{{ server_path_media_store }}"
+  register: server_path_media_store_stat
+
+- name: Fail if provided media store directory doesn't exist on the server
+  fail:
+    msg: "{{ server_path_media_store }} cannot be found on the server"
+  when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir"
+
+- name: Check if media store contains local_content
+  stat:
+    path: "{{ server_path_media_store }}/local_content"
+  register: server_path_media_store_local_content_stat
+
+- name: Check if media store contains remote_content
+  stat:
+    path: "{{ server_path_media_store }}/remote_content"
+  register: server_path_media_store_remote_content_stat
+
+- name: Fail if media store directory doesn't look okay (lacking remote and local content)
+  fail:
+    msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory."
+  when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists"
+
+
+# Actual import work
+
+- name: Ensure matrix-synapse is stopped
+  service:
+    name: matrix-synapse
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+
+# This can only work with local files, not if the media store is on Amazon S3,
+# as it won't be accessible in such a case.
+- name: Ensure provided media store directory is synchronized
+  synchronize:
+    src: "{{ server_path_media_store }}/"
+    dest: "{{ matrix_synapse_media_store_path }}"
+    delete: yes
+    # It's wasteful to preserve owner/group now. We chown below anyway.
+    owner: no
+    group: no
+    times: yes
+  delegate_to: "{{ inventory_hostname }}"
+
+# This is for the generic case and fails in other cases (remote file systems),
+# because in such cases the base path (matrix_synapse_media_store_path) is a mount point.
+- name: Ensure media store permissions are correct (generic case)
+  file:
+    path: "{{ matrix_synapse_media_store_path }}"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+    recurse: yes
+  when: "not matrix_s3_media_store_enabled"
+
+# We don't chown for Goofys, because due to the way it's mounted,
+# all files become owned by whoever needs to own them.
+
+- name: Ensure Matrix Synapse is started (if it previously was)
+  service:
+    name: "{{ item }}"
+    state: started
+    daemon_reload: yes
+  when: stopping_result.changed
+  with_items:
+    - matrix-synapse

roles/matrix-synapse/tasks/init.yml

@@ -0,0 +1,8 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse'] }}"
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys'] }}"
+  when: matrix_s3_media_store_enabled
+
+- import_tasks: "{{ role_path }}/tasks/ext/init.yml"

roles/matrix-synapse/tasks/main.yml

@@ -0,0 +1,33 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/setup_synapse_entrypoint.yml"
+  when: run_setup
+  tags:
+    - setup-all
+    - setup-synapse
+
+- import_tasks: "{{ role_path }}/tasks/import_media_store.yml"
+  when: run_import_media_store
+  tags:
+    - import-media-store
+
+- import_tasks: "{{ role_path }}/tasks/register_user.yml"
+  when: run_register_user
+  tags:
+    - register-user
+
+- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: run_self_check
+  tags:
+    - self-check
+
+- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: run_self_check
+  tags:
+    - self-check

roles/matrix-synapse/tasks/register_user.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
+  when: "username is not defined or username == '<your-username>'"
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
+  when: "password is not defined or password == '<your-password>'"
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `admin` variable needs to be provided to this playbook, via --extra-vars"
+  when: "admin is not defined or admin not in ['yes', 'no']"
+
+- name: Ensure matrix-synapse is started
+  service:
+    name: matrix-synapse
+    state: started
+    daemon_reload: yes
+  register: start_result
+
+- name: Wait a while, so that Matrix Synapse can manage to start
+  pause:
+    seconds: 7
+  when: start_result.changed
+
+- name: Register user
+  shell: "/usr/local/bin/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}"

roles/matrix-synapse/tasks/self_check_client_api.yml

@@ -0,0 +1,20 @@
+---
+
+- set_fact:
+    matrix_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions"
+
+- name: Check Matrix Client API
+  uri:
+    url: "{{ matrix_client_api_url_endpoint_public }}"
+    follow_redirects: false
+  register: result_matrix_client_api
+  ignore_errors: true
+
+- name: Fail if Matrix Client API not working
+  fail:
+    msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_client_api }}"
+  when: "result_matrix_client_api.failed or 'json' not in result_matrix_client_api"
+
+- name: Report working Matrix Client API
+  debug:
+    msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`) is working"

roles/matrix-synapse/tasks/self_check_federation_api.yml

@@ -0,0 +1,21 @@
+---
+
+- set_fact:
+    matrix_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version"
+
+- name: Check Matrix Federation API
+  uri:
+    url: "{{ matrix_federation_api_url_endpoint_public }}"
+    follow_redirects: false
+    validate_certs: false
+  register: result_matrix_federation_api
+  ignore_errors: true
+
+- name: Fail if Matrix Federation API not working
+  fail:
+    msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_federation_api }}"
+  when: "result_matrix_federation_api.failed or 'json' not in result_matrix_federation_api"
+
+- name: Report working Matrix Federation API
+  debug:
+    msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`) is working"

roles/matrix-synapse/tasks/setup_synapse_entrypoint.yml

@@ -0,0 +1,9 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/setup_synapse_pre.yml"
+
+- import_tasks: "{{ role_path }}/tasks/ext/setup.yml"
+
+- import_tasks: "{{ role_path }}/tasks/setup_synapse_main.yml"
+
+- import_tasks: "{{ role_path }}/tasks/setup_synapse_goofys.yml"

roles/matrix-synapse/tasks/setup_synapse_goofys.yml

@@ -0,0 +1,75 @@
+#
+# Tasks related to setting up Goofys
+#
+
+- name: Ensure Goofys Docker image is pulled
+  docker_image:
+    name: "{{ matrix_s3_goofys_docker_image }}"
+  when: matrix_s3_media_store_enabled
+
+# This will throw a Permission Denied error if already mounted
+- name: Check Matrix Goofys external storage mountpoint path
+  stat:
+    path: "{{ matrix_synapse_media_store_path }}"
+  register: local_path_matrix_synapse_media_store_path_stat
+  ignore_errors: yes
+  when: matrix_s3_media_store_enabled
+
+- name: Ensure Matrix Goofys external storage mountpoint exists
+  file:
+    path: "{{ matrix_synapse_media_store_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_uid }}"
+    group: "{{ matrix_user_gid }}"
+  when: "matrix_s3_media_store_enabled and not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists"
+
+- name: Ensure goofys environment variables file created
+  template:
+    src: "{{ role_path }}/templates/goofys/env-goofys.j2"
+    dest: "{{ matrix_synapse_config_dir_path }}/env-goofys"
+    owner: root
+    mode: 0600
+  when: matrix_s3_media_store_enabled
+
+- name: Ensure matrix-goofys.service installed
+  template:
+    src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2"
+    dest: "/etc/systemd/system/matrix-goofys.service"
+    mode: 0644
+  when: matrix_s3_media_store_enabled
+
+#
+# Tasks related to getting rid of goofys (if it was previously enabled)
+#
+
+- name: Check existence of matrix-goofys service
+  stat:
+    path: "/etc/systemd/system/matrix-goofys.service"
+  register: matrix_goofys_service_stat
+
+- name: Ensure matrix-goofys is stopped
+  service:
+    name: matrix-goofys
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists"
+
+- name: Ensure matrix-goofys.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-goofys.service"
+    state: absent
+  when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists"
+
+- name: Ensure goofys environment variables file doesn't exist
+  file:
+    path: "{{ matrix_synapse_config_dir_path }}/env-goofys"
+    state: absent
+  when: "not matrix_s3_media_store_enabled"
+
+- name: Ensure Goofys Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_s3_goofys_docker_image }}"
+    state: absent
+  when: "not matrix_s3_media_store_enabled"

roles/matrix-synapse/tasks/setup_synapse_main.yml

@@ -0,0 +1,80 @@
+---
+
+# This will throw a Permission Denied error if already mounted using fuse
+- name: Check Matrix Synapse media store path
+  stat:
+    path: "{{ matrix_synapse_media_store_path }}"
+  register: local_path_media_store_stat
+  ignore_errors: yes
+
+# This is separate and conditional, to ensure we don't execute it
+# if the path already exists or we failed to check, because it's mounted using fuse.
+- name: Ensure Matrix media store path exists
+  file:
+    path: "{{ matrix_synapse_media_store_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
+
+- name: Ensure Matrix Docker image is pulled
+  docker_image:
+    name: "{{ matrix_synapse_docker_image }}"
+
+- name: Check if a Matrix Synapse configuration exists
+  stat:
+    path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
+  register: matrix_synapse_config_stat
+
+# We do this mostly so that the keys would get generated.
+# We'll replace the rest of the configuration with our own templates below.
+- name: Generate initial Matrix config
+  docker_container:
+    name: matrix-config
+    image: "{{ matrix_synapse_docker_image }}"
+    detach: no
+    cleanup: yes
+    command: generate
+    env:
+      SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
+      SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
+      SYNAPSE_REPORT_STATS: "no"
+    user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
+    volumes:
+      - "{{ matrix_synapse_config_dir_path }}:/data"
+  when: "not matrix_synapse_config_stat.stat.exists"
+
+- name: Ensure Matrix homeserver config installed
+  template:
+    src: "{{ matrix_synapse_template_synapse_homeserver }}"
+    dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
+    mode: 0644
+
+- name: Ensure Matrix log config installed
+  template:
+    src: "{{ matrix_synapse_template_synapse_log }}"
+    dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
+    mode: 0644
+
+- name: Ensure matrix-synapse.service installed
+  template:
+    src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2"
+    dest: "/etc/systemd/system/matrix-synapse.service"
+    mode: 0644
+
+- name: Ensure matrix-synapse-register-user script created
+  template:
+    src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2"
+    dest: "/usr/local/bin/matrix-synapse-register-user"
+    mode: 0750
+
+- name: Allow access to Matrix ports in firewalld
+  firewalld:
+    port: "{{ item }}"
+    state: enabled
+    immediate: yes
+    permanent: yes
+  with_items:
+    - '8448/tcp' # Matrix federation
+  when: ansible_os_family == 'RedHat'

roles/matrix-synapse/tasks/setup_synapse_pre.yml

@@ -0,0 +1,20 @@
+---
+
+- set_fact:
+    matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}"
+    matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}"
+
+- name: Ensure Matrix Synapse paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_synapse_config_dir_path }}"
+    - "{{ matrix_synapse_run_path }}"
+    - "{{ matrix_synapse_ext_path }}"
+    # We handle matrix_synapse_media_store_path elsewhere (in setup_synapse_main.yml),
+    # because if it's using Goofys and it's already mounted (from before),
+    # trying to chown/chmod it here will cause trouble.