feat(synapse): add deployment method virtualenv

roles/synapse/defaults/main/main.yml

@@ -1,16 +1,17 @@
 ---
-
 synapse_user: synapse
+synapse_group: synapse
 synapse_version: "1.115.0"
 synapse_state: "present"
 synapse_deployment_method: "docker"
 
 synapse_base_path: /opt/synapse
-synapse_config_path: "{{ synapse_base_path }}/config"
+synapse_config_path: "/etc/synapse"
 synapse_data_path: "{{ synapse_base_path }}/data"
 synapse_media_store_path: "{{ synapse_data_path }}/media_store"
 synapse_log_path: "/var/log/synapse"
 synapse_homeserver_log_path: "{{ synapse_log_path }}/homeserver.log"
+synapse_venv_path: "{{ synapse_base_path }}/venv"
 
 synapse_signing_key: ~
 synapse_signing_key_file: >-

roles/synapse/defaults/main/systemd.yml

@@ -0,0 +1,53 @@
+---
+synapse_systemd_name: "synapse.service"
+synapse_systemd_service_directory: /etc/systemd/system
+synapse_systemd_service_file: >-2
+  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
+
+synapse_systemd_state: >-2
+  {{ (synapse_state == 'present') | ternary('started', 'stopped') }}
+synapse_systemd_enabled: >-2
+  {{ (synapse_state == 'present') | bool }}
+
+synapse_systemd_unit_description: "Synapse matrix homeserver"
+synapse_systemd_service_type: notify
+synapse_systemd_service_exec_start: >-2
+  {{ synapse_venv_path }}/bin/synapse_homeserver \
+    --config-path={{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_stop: >-2
+  {{ synapse_venv_path }}/bin/synctl \
+    stop {{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_reload: >-2
+  /usr/bin/env kill -HUP $MAINPID
+synapse_systemd_service_restart: on-failure
+
+synapse_systemd_unit_after:
+  - "network.target"
+synapse_systemd_unit_wants: []
+synapse_systemd_install_wanted_by: "default.target"
+
+# Hardening
+synapse_systemd_service_read_write_paths:
+  - "{{ synapse_base_path }}"
+  - "{{ synapse_data_path }}"
+  - "{{ synapse_media_store_path }}"
+  - "{{ synapse_log_path }}"
+synapse_systemd_service_restrict_address_families:
+  - "AF_INET"
+  - "AF_INET6"
+  - "AF_UNIX"
+synapse_systemd_service_protect_system: strict
+synapse_systemd_service_protect_home: true
+synapse_systemd_service_protect_clock: true
+synapse_systemd_service_protect_hostname: true
+synapse_systemd_service_protect_protect_kernel_logs: true
+synapse_systemd_service_protect_protect_kernel_modules: true
+synapse_systemd_service_protect_protect_kernel_tunables: true
+synapse_systemd_service_protect_protect_control_groups: true
+
+synapse_systemd_service_restrict_namespaces: true
+synapse_systemd_service_restrict_suid_sgid: true
+
+synapse_systemd_service_remove_ipc: true
+synapse_systemd_service_lock_personality: true
+synapse_systemd_service_no_new_privileges: true

roles/synapse/defaults/main/user.yml

@@ -0,0 +1,21 @@
+---
+synapse_user_base_groups:
+  - "{{ synapse_run_group }}"
+synapse_user_groups: ~
+synapse_user_all_groups: >-2
+  {{ synapse_user_base_groups | default([], true)
+    + synapse_user_groups | default([], true) }}
+synapse_user_groups_append: "{{ synapse_user_all_groups | length > 0 }}"
+synapse_run_user: >-2
+  {{ synapse_user_info.name | default(synapse_user) }}
+synapse_run_group: >-2
+  {{ (synapse_user_info is defined and ('groups' in synapse_user_info))
+    | ternary(
+      (synapse_user_info.groups | default("") | split(",") | first),
+      synapse_group
+    )
+  }}
+synapse_run_user_id: >-2
+  {{ synapse_user_info.uid | default(synapse_user) }}
+synapse_run_group_id: >-2
+  {{ synapse_user_info.group | default(synapse_user) }}

roles/synapse/defaults/main/virtualenv.yml

@@ -0,0 +1,11 @@
+---
+synapse_venv_package: "matrix-synapse[all]"
+synapse_venv_pip_dependencies:
+  - pip
+  - setuptools
+synapse_venv_package_full: >-2
+  {{ synapse_venv_package }}@{{ synapse_version }}
+
+synapse_venv_python_binary: >-2
+  {{ ansible_python_interpreter | default(omit, true) }}
+synapse_venv_extra_args: ~