Add support for storing Matrix Synapse's media_store to Amazon S3

roles/matrix-server/defaults/main.yml

@@ -35,9 +35,10 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
 matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad"
 
 docker_postgres_image: "postgres:9.6.3-alpine"
-docker_matrix_image: "silviof/docker-matrix"
+docker_matrix_image: "silviof/docker-matrix:latest"
 docker_nginx_image: "nginx:1.13.3-alpine"
-docker_riot_image: "silviof/matrix-riot-docker"
+docker_riot_image: "silviof/matrix-riot-docker:latest"
+docker_s3fs_image: "xueshanf/s3fs:latest"
 
 # Specifies when to restart the Matrix services so that
 # a new SSL certificate could go into effect (UTC time).
@@ -51,4 +52,9 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
 
 matrix_max_upload_size_mb: 10
 matrix_max_log_file_size_mb: 100
-matrix_max_log_files_count: 10
+matrix_max_log_files_count: 10
+
+matrix_s3_media_store_enabled: false
+matrix_s3_media_store_bucket_name: "your-bucket-name"
+matrix_s3_media_store_aws_access_key: "your-aws-access-key"
+matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"

roles/matrix-server/tasks/import_media_store.yml

@@ -42,13 +42,37 @@
     # It's wasteful to preserve owner/group now. We chown below anyway.
     owner: no
     group: no
+    # The default of times=yes does not work when s3fs is used.
+    times: "{{ False if matrix_s3_media_store_enabled else True }}"
+    perms: "{{ False if matrix_s3_media_store_enabled else True }}"
 
-- name: Ensure media store permissions are correct
+# This is for the generic case and fails for remote file systems,
+# because the base path (matrix_synapse_media_store_path) is a mount point.
+- name: Ensure media store permissions are correct (generic case)
   file:
     path: "{{ matrix_synapse_media_store_path }}"
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
     recurse: yes
+  when: "not matrix_s3_media_store_enabled"
+
+- name: Determine media store subdirectories
+  find: paths="{{ local_path_media_store }}" file_type=directory
+  delegate_to: 127.0.0.1
+  become: false
+  register: media_store_directories_result
+  when: "matrix_s3_media_store_enabled"
+
+# This is the s3fs special case. We chown the subdirectories one by one,
+# without touching the base directory.
+- name: Ensure media store permissions are correct (s3fs)
+  file:
+    path: "{{ matrix_synapse_media_store_path }}/{{ item.path|basename }}"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+    recurse: yes
+  with_items: "{{ media_store_directories_result.files }}"
+  when: "matrix_s3_media_store_enabled"
 
 - name: Ensure Matrix Synapse is started (if it previously was)
   service: name="{{ item }}" state=started daemon_reload=yes

roles/matrix-server/tasks/main.yml

@@ -1,5 +1,10 @@
 ---
 
+- include: tasks/setup_s3fs.yml
+  tags:
+    - setup-main
+    - setup-s3fs
+
 - include: tasks/setup_base.yml
   tags:
     - setup-main

roles/matrix-server/tasks/setup_s3fs.yml

@@ -0,0 +1,49 @@
+#
+# Tasks related to setting up s3fs
+#
+
+- name: Ensure S3fs Docker image is pulled
+  docker_image:
+    name: "{{ docker_s3fs_image }}"
+  when: matrix_s3_media_store_enabled
+
+- name: Ensure s3fs-credentials file created
+  template:
+    src: "{{ role_path }}/templates/s3fs-credentials.j2"
+    dest: "{{ matrix_base_data_path }}/s3fs-credentials"
+    owner: root
+    mode: 0600
+  when: matrix_s3_media_store_enabled
+
+- name: Ensure matrix-s3fs.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-s3fs.service.j2"
+    dest: "/etc/systemd/system/matrix-s3fs.service"
+    mode: 0644
+  when: matrix_s3_media_store_enabled
+
+#
+# Tasks related to getting rid of s3fs (if it was previously enabled)
+#
+- name: Ensure matrix-s3fs is stopped
+  service: name=matrix-s3fs state=stopped daemon_reload=yes
+  register: stopping_result
+  when: "not matrix_s3_media_store_enabled"
+
+- name: Ensure matrix-s3fs.service doesn't exist
+  file:
+    path: "{{ matrix_base_data_path }}/s3fs-credentials"
+    state: absent
+  when: "not matrix_s3_media_store_enabled"
+
+- name: Ensure s3fs-credentials doesn't exist
+  file:
+    path: "{{ matrix_base_data_path }}/s3fs-credentials"
+    state: absent
+  when: "not matrix_s3_media_store_enabled"
+
+- name: Ensure S3fs Docker image doesn't exist
+  docker_image:
+    name: "{{ docker_s3fs_image }}"
+    state: absent
+  when: "not matrix_s3_media_store_enabled"

roles/matrix-server/tasks/setup_synapse.yml

@@ -11,7 +11,24 @@
     - "{{ matrix_synapse_base_path }}"
     - "{{ matrix_synapse_config_dir_path }}"
     - "{{ matrix_synapse_run_path }}"
-    - "{{ matrix_synapse_media_store_path }}"
+    # We handle matrix_synapse_media_store_path below, not here,
+    # because if it's using S3fs and it's already mounted (from before),
+    # trying to chown/chmod it here will cause trouble.
+
+- name: Check Matrix Synapse media store path
+  stat: path="{{ matrix_synapse_media_store_path }}"
+  register: local_path_media_store_stat
+
+# This is separate and conditional, to ensure we don't execute it
+# if the path already exists (and is likely used by an s3fs mount).
+- name: Ensure Matrix media store path exists
+  file:
+    path: "{{ matrix_synapse_media_store_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "not local_path_media_store_stat.stat.exists"
 
 - name: Ensure Matrix Docker image is pulled
   docker_image:

roles/matrix-server/tasks/start.yml

@@ -3,6 +3,10 @@
 - name: Ensure matrix-postgres autoruns and is restarted
   service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes
 
+- name: Ensure matrix-s3fs autoruns and is restarted
+  service: name=matrix-s3fs enabled=yes state=restarted daemon_reload=yes
+  when: matrix_s3_media_store_enabled
+
 - name: Ensure matrix-synapse autoruns and is restarted
   service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes
 

roles/matrix-server/templates/s3fs-credentials.j2

@@ -0,0 +1 @@
+{{ matrix_s3_media_store_aws_access_key }}:{{ matrix_s3_media_store_aws_secret_key }}

roles/matrix-server/templates/systemd/matrix-s3fs.service.j2

@@ -0,0 +1,35 @@
+[Unit]
+Description=Matrix S3fs media store
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStartPre=-/usr/bin/mkdir /tmp/matrix-s3fs-cache
+ExecStart=/usr/bin/docker run --rm --name %n \
+				-v {{ matrix_base_data_path }}/s3fs-credentials:/s3fs-credentials \
+				--security-opt apparmor:unconfined \
+				--cap-add mknod \
+				--cap-add sys_admin \
+				--device=/dev/fuse \
+				-v {{ matrix_synapse_media_store_path }}:/media-store:shared \
+				-v /tmp/matrix-s3fs-cache:/s3fs-cache \
+				{{ docker_s3fs_image }} \
+				/usr/bin/s3fs -f \
+					-o allow_other \
+					-o use_cache=/s3fs-cache \
+					-o storage_class=standard_ia \
+					-o passwd_file=/s3fs-credentials \
+					{{ matrix_s3_media_store_bucket_name }} /media-store
+TimeoutStartSec=5min
+ExecStop=-/usr/bin/docker stop %n
+ExecStop=-/usr/bin/docker kill %n
+ExecStop=-/usr/bin/docker rm %n
+ExecStop=-/usr/bin/rm -rf /tmp/matrix-s3fs-cache
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-server/templates/systemd/matrix-synapse.service.j2

@@ -4,6 +4,10 @@ After=docker.service
 Requires=docker.service
 Requires=matrix-postgres.service
 After=matrix-postgres.service
+{% if matrix_s3_media_store_enabled %}
+After=matrix-s3fs.service
+Requires=matrix-s3fs.service
+{% endif %}
 
 [Service]
 Type=simple