feat(synapse): add deployment method virtualenv

roles/synapse/templates/synapse.service.j2

@@ -0,0 +1,46 @@
+[Unit]
+Description="{{ synapse_systemd_unit_description }}"
+
+{% if synapse_systemd_unit_after | default([]) | length > 0 %}
+After={{ synapse_systemd_unit_after | join(' ') }}
+{% endif %}
+{% if synapse_systemd_unit_wants | default([]) | length > 0 %}
+Wants={{ synapse_systemd_unit_wants | join(' ') }}
+{% endif %}
+
+[Service]
+Type={{ synapse_systemd_service_type }}
+WorkingDirectory={{ synapse_venv_path }}
+ExecStart={{ synapse_systemd_service_exec_start }}
+ExecStop={{ synapse_systemd_service_exec_stop }}
+ExecReload={{ synapse_systemd_service_exec_reload }}
+
+User={{ synapse_run_user }}
+Group={{ synapse_run_group }}
+
+Restart={{ synapse_systemd_service_restart }}
+
+ProtectSystem={{ synapse_systemd_service_protect_system }}
+ProtectHome={{ synapse_systemd_service_protect_home }}
+ProtectClock={{ synapse_systemd_service_protect_clock }}
+ProtectHostname={{ synapse_systemd_service_protect_hostname }}
+ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
+ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
+ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
+ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
+
+RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
+RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
+{% for path in synapse_systemd_service_read_write_paths | default([]) %}
+ReadWritePaths={{ path }}
+{% endfor %}
+{% for addr_family in synapse_systemd_service_restrict_address_families | default([]) %}
+RestrictAddressFamilies={{ addr_family }}
+{% endfor %}
+
+RemoveIPC={{ synapse_systemd_service_remove_ipc }}
+LockPersonality={{ synapse_systemd_service_lock_personality }}
+NoNewPersonalities={{ synapse_systemd_service_no_new_privileges }}
+
+[Install]
+WantedBy={{ synapse_systemd_install_wanted_by }}