Make roles more independent of one another

With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).

roles/matrix-synapse/defaults/main.yml

@@ -8,10 +8,13 @@ matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
 matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
 
 # Controls whether the Synapse container exposes the Client/Server API port (tcp/8008).
-# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
-# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# the Client/Server API's port to the local host (`127.0.0.1:8008`).
-matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
+matrix_synapse_container_expose_client_server_api_port: false
+
+# List of systemd services that matrix-synapse.service depends on
+matrix_synapse_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-synapse.service wants
+matrix_synapse_systemd_wanted_services_list: []
 
 matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
 
@@ -27,15 +30,10 @@ matrix_synapse_macaroon_secret_key: ""
 matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
 matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
 
-# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled
-matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
-
-# These are the identity servers that would be trusted by Synapse if mxisd IS enabled
-matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']"
-
-# The final list of identity servers to use for Synapse.
-# The first one would also be used as riot-web's default identity server.
-matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
+# The list of identity servers to use for Synapse.
+# We assume this role runs standalone without a local Identity server, so we point Synapse to public ones.
+# This most likely gets overwritten later, so that a local Identity server is used.
+matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}"
 
 matrix_synapse_max_upload_size_mb: 10
 matrix_synapse_max_log_file_size_mb: 100
@@ -114,6 +112,22 @@ matrix_synapse_app_service_config_files: []
 # any password providers have been enabled or not.
 matrix_synapse_password_providers_enabled: false
 
+# Postgres database information
+matrix_synapse_database_host: ""
+matrix_synapse_database_user: ""
+matrix_synapse_database_password: ""
+matrix_synapse_database_database: ""
+
+matrix_synapse_turn_uris: []
+matrix_synapse_turn_shared_secret: ""
+
+matrix_synapse_email_enabled: false
+matrix_synapse_email_smtp_host: ""
+matrix_synapse_email_smtp_port: 587
+matrix_synapse_email_smtp_require_transport_security: false
+matrix_synapse_email_notif_from: "Matrix <matrix@{{ hostname_identity }}>"
+matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}"
+
 
 # Enable this to activate the REST auth password provider module.
 # See: https://github.com/kamax-io/matrix-synapse-rest-auth

roles/matrix-synapse/tasks/main.yml

@@ -2,6 +2,12 @@
   tags:
     - always
 
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: run_setup
+  tags:
+    - setup-all
+    - setup-synapse
+
 - import_tasks: "{{ role_path }}/tasks/setup_synapse_entrypoint.yml"
   when: run_setup
   tags:

roles/matrix-synapse/tasks/self_check_client_api.yml

@@ -1,20 +1,17 @@
 ---
 
-- set_fact:
-    matrix_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions"
-
 - name: Check Matrix Client API
   uri:
-    url: "{{ matrix_client_api_url_endpoint_public }}"
+    url: "{{ matrix_synapse_client_api_url_endpoint_public }}"
     follow_redirects: false
-  register: result_matrix_client_api
+  register: result_matrix_synapse_client_api
   ignore_errors: true
 
 - name: Fail if Matrix Client API not working
   fail:
-    msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_client_api }}"
-  when: "result_matrix_client_api.failed or 'json' not in result_matrix_client_api"
+    msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_synapse_client_api }}"
+  when: "result_matrix_synapse_client_api.failed or 'json' not in result_matrix_synapse_client_api"
 
 - name: Report working Matrix Client API
   debug:
-    msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`) is working"
+    msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`) is working"

roles/matrix-synapse/tasks/self_check_federation_api.yml

@@ -1,21 +1,18 @@
 ---
 
-- set_fact:
-    matrix_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version"
-
 - name: Check Matrix Federation API
   uri:
-    url: "{{ matrix_federation_api_url_endpoint_public }}"
+    url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
     follow_redirects: false
     validate_certs: false
-  register: result_matrix_federation_api
+  register: result_matrix_synapse_federation_api
   ignore_errors: true
 
 - name: Fail if Matrix Federation API not working
   fail:
-    msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_federation_api }}"
-  when: "result_matrix_federation_api.failed or 'json' not in result_matrix_federation_api"
+    msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
+  when: "result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api"
 
 - name: Report working Matrix Federation API
   debug:
-    msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`) is working"
+    msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"

roles/matrix-synapse/tasks/validate_config.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Fail if required Synapse settings not defined
+  fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item }}`) for using Synapse.
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_synapse_macaroon_secret_key"

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -216,10 +216,10 @@ database:
   # The database engine name
   name: "psycopg2"
   args:
-    user: {{ matrix_postgres_connection_username|to_json }}
-    password: {{ matrix_postgres_connection_password|to_json }}
-    database: "{{ matrix_postgres_db_name }}"
-    host: "{{ matrix_postgres_connection_hostname }}"
+    user: {{ matrix_synapse_database_user|to_json }}
+    password: {{ matrix_synapse_database_password|to_json }}
+    database: "{{ matrix_synapse_database_database }}"
+    host: "{{ matrix_synapse_database_host }}"
     cp_min: 5
     cp_max: 10
 
@@ -409,10 +409,10 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
 ## Turn ##
 
 # The public URIs of the TURN server to give to clients
-turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"]
+turn_uris: {{ matrix_synapse_turn_uris|to_json }}
 
 # The shared secret used to compute passwords for the TURN server
-turn_shared_secret: {{ matrix_coturn_turn_static_auth_secret|to_json }}
+turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }}
 
 # The Username and password if the TURN server needs them and
 # does not use a token
@@ -600,18 +600,18 @@ password_config:
 # If your SMTP server requires authentication, the optional smtp_user &
 # smtp_pass variables should be used
 #
-{% if matrix_mailer_enabled %}
+{% if matrix_synapse_email_enabled %}
 email:
    enable_notifs: true
-   smtp_host: "matrix-mailer"
-   smtp_port: 587
-   require_transport_security: false
-   notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
+   smtp_host: {{ matrix_synapse_email_smtp_host|to_json }}
+   smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
+   require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
+   notif_from: {{ matrix_synapse_email_notif_from|to_json }}
    app_name: Matrix
    notif_template_html: notif_mail.html
    notif_template_text: notif_mail.txt
    notif_for_new_users: True
-   riot_base_url: "https://{{ hostname_riot }}"
+   riot_base_url: {{ matrix_synapse_email_riot_base_url|to_json }}
 {% endif %}
 
 

roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2

@@ -1,19 +1,12 @@
 [Unit]
 Description=Matrix Synapse server
-After=docker.service
-Requires=docker.service
-{% if not matrix_postgres_use_external %}
-Requires=matrix-postgres.service
-After=matrix-postgres.service
-{% endif %}
-{% if matrix_s3_media_store_enabled %}
-After=matrix-goofys.service
-Requires=matrix-goofys.service
-{% endif %}
-{% if matrix_mailer_enabled %}
-Wants=matrix-mailer.service
-{% endif %}
-Wants=matrix-coturn.service
+{% for service in matrix_synapse_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_synapse_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
 
 [Service]
 Type=simple

roles/matrix-synapse/vars/main.yml

@@ -0,0 +1,6 @@
+---
+
+matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
+
+matrix_synapse_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions"
+matrix_synapse_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version"