finallycoffee/matrix
5
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat(synapse): add deployment method virtualenv

Browse Source
This commit is contained in:
transcaffeine
2024-09-26 23:13:41 +02:00
parent 03501ac444
commit 7d7693a2c7
10 changed files with 238 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
roles/synapse/defaults/main/systemd.yml Normal file
View File

@ -0,0 +1,53 @@
---
synapse_systemd_name: "synapse.service"
synapse_systemd_service_directory: /etc/systemd/system
synapse_systemd_service_file: >-2
{{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
synapse_systemd_state: >-2
{{ (synapse_state == 'present') | ternary('started', 'stopped') }}
synapse_systemd_enabled: >-2
{{ (synapse_state == 'present') | bool }}
synapse_systemd_unit_description: "Synapse matrix homeserver"
synapse_systemd_service_type: notify
synapse_systemd_service_exec_start: >-2
{{ synapse_venv_path }}/bin/synapse_homeserver \
--config-path={{ synapse_homeserver_config_file }}
synapse_systemd_service_exec_stop: >-2
{{ synapse_venv_path }}/bin/synctl \
stop {{ synapse_homeserver_config_file }}
synapse_systemd_service_exec_reload: >-2
/usr/bin/env kill -HUP $MAINPID
synapse_systemd_service_restart: on-failure
synapse_systemd_unit_after:
- "network.target"
synapse_systemd_unit_wants: []
synapse_systemd_install_wanted_by: "default.target"
# Hardening
synapse_systemd_service_read_write_paths:
- "{{ synapse_base_path }}"
- "{{ synapse_data_path }}"
- "{{ synapse_media_store_path }}"
- "{{ synapse_log_path }}"
synapse_systemd_service_restrict_address_families:
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
synapse_systemd_service_protect_system: strict
synapse_systemd_service_protect_home: true
synapse_systemd_service_protect_clock: true
synapse_systemd_service_protect_hostname: true
synapse_systemd_service_protect_protect_kernel_logs: true
synapse_systemd_service_protect_protect_kernel_modules: true
synapse_systemd_service_protect_protect_kernel_tunables: true
synapse_systemd_service_protect_protect_control_groups: true
synapse_systemd_service_restrict_namespaces: true
synapse_systemd_service_restrict_suid_sgid: true
synapse_systemd_service_remove_ipc: true
synapse_systemd_service_lock_personality: true
synapse_systemd_service_no_new_privileges: true