feat(synapse): add deployment method virtualenv

2024-09-28 11:41:09 +02:00
10 changed files with 22 additions and 110 deletions
--- a/galaxy.yml
+++ b/galaxy.yml
@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: matrix
-version: 0.1.1
+version: 0.1.0
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
--- a/plugins/modules/synapse_signing_key.md
+++ b/plugins/modules/synapse_signing_key.md
@ -8,7 +8,7 @@ Module to generate and manage synapse signing keys.
 ## Requirements
 - `python >= 3.9`
- (pip) `signed_json >= 1.1.4`
+- `signed_json >= 1.1.4`
 ## Usage examples
--- a/roles/synapse/README.md
+++ b/roles/synapse/README.md
@ -35,6 +35,3 @@ uses the `default.target` as it's `WantedBy`
 To only start synapse after, for example, services for redis and postgresql are up,
 set `synapse_systemd_unit_wants: [ "postgresql.service", "redis.service" ]`.
 > [!NOTE]
 > Requires `systemd >= 245` on the target machine
--- a/roles/synapse/defaults/main/homeserver.turn.yml
+++ b/roles/synapse/defaults/main/homeserver.turn.yml
@ -2,7 +2,6 @@
 # TURN / RTC configuration
 synapse_config_turn_uris: []
 synapse_config_turn_shared_secret: ~
 synapse_config_turn_shared_secret_path: ~
 synapse_config_turn_username: ~
 synapse_config_turn_password: ~
 synapse_config_turn_user_lifetime: "2h"
@ -17,8 +16,6 @@ synapse_turn_config: >-2
    synapse_turn_config_base
    | combine(({ turn_shared_secret: synapse_config_turn_shared_secret })
      if synapse_config_turn_shared_secret | default(false, true) else {})
    | combine(({ turn_shared_secret_path: synapse_config_turn_shared_secret_path })
      if synapse_config_turn_shared_secret_path | default(false, true) else {})
    | combine(({ turn_username: synapse_config_turn_username })
      if synapse_config_username | default(false, true) else {})
    | combine(({ turn_password: synapse_config_turn_password })
--- a/roles/synapse/defaults/main/main.yml
+++ b/roles/synapse/defaults/main/main.yml
@ -1,12 +1,12 @@
 ---
 synapse_user: synapse
 synapse_group: synapse
-synapse_version: "1.116.0"
+synapse_version: "1.115.0"
 synapse_state: "present"
 synapse_deployment_method: "docker"
 synapse_base_path: /opt/synapse
-synapse_config_path: "/etc/synapse"
+synapse_config_path: "{{ synapse_base_path }}/config"
 synapse_data_path: "{{ synapse_base_path }}/data"
 synapse_media_store_path: "{{ synapse_data_path }}/media_store"
 synapse_log_path: "/var/log/synapse"
--- a/roles/synapse/defaults/main/systemd.yml
+++ b/roles/synapse/defaults/main/systemd.yml
@ -1,53 +1,23 @@
 ---
-synapse_systemd_name: "synapse.service"
+synapse_systemd_service_name: "synapse.service"
 synapse_systemd_service_directory: /etc/systemd/system
 synapse_systemd_service_file: >-2
-  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
+  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_service_name }}
-synapse_systemd_state: >-2
+synapse_systemd_service_state: >-2
  {{ (synapse_state == 'present') | ternary('started', 'stopped') }}
-synapse_systemd_enabled: >-2
+synapse_systemd_service_enabled: >-2
  {{ (synapse_state == 'present') | bool }}
 synapse_systemd_unit_description: "Synapse matrix homeserver"
-synapse_systemd_service_type: notify
+synapse_systemd_service_type: simple
 synapse_systemd_service_exec_start: >-2
-  {{ synapse_venv_path }}/bin/synapse_homeserver \
+  {{ synapse_venv_path }}/bin/python \
    -m synapse.app.homeserver \
    --config-path={{ synapse_homeserver_config_file }}
-synapse_systemd_service_exec_stop: >-2
+synapse_systemd_service_restart: always
  {{ synapse_venv_path }}/bin/synctl \
    stop {{ synapse_homeserver_config_file }}
 synapse_systemd_service_exec_reload: >-2
  /usr/bin/env kill -HUP $MAINPID
 synapse_systemd_service_restart: on-failure
 synapse_systemd_unit_after:
  - "network.target"
 synapse_systemd_unit_wants: []
 synapse_systemd_install_wanted_by: "default.target"
 # Hardening
 synapse_systemd_service_read_write_paths:
  - "{{ synapse_base_path }}"
  - "{{ synapse_data_path }}"
  - "{{ synapse_media_store_path }}"
  - "{{ synapse_log_path }}"
 synapse_systemd_service_restrict_address_families:
  - "AF_INET"
  - "AF_INET6"
  - "AF_UNIX"
 synapse_systemd_service_protect_system: strict
 synapse_systemd_service_protect_home: true
 synapse_systemd_service_protect_clock: true
 synapse_systemd_service_protect_hostname: true
 synapse_systemd_service_protect_protect_kernel_logs: true
 synapse_systemd_service_protect_protect_kernel_modules: true
 synapse_systemd_service_protect_protect_kernel_tunables: true
 synapse_systemd_service_protect_protect_control_groups: true
 synapse_systemd_service_restrict_namespaces: true
 synapse_systemd_service_restrict_suid_sgid: true
 synapse_systemd_service_remove_ipc: true
 synapse_systemd_service_lock_personality: true
 synapse_systemd_service_no_new_privileges: true
--- a/roles/synapse/handlers/main.yml
+++ b/roles/synapse/handlers/main.yml
@ -15,16 +15,6 @@
    force_restart: true
  when: synapse_deployment_method == 'podman'
 - name: Ensure synapse is restarted
  listen: synapse-restart
  ansible.builtin.systemd_service:
    name: "{{ synapse_systemd_service_name }}"
    state: restarted
  when:
    - synapse_deployment_method == 'virtualenv'
    - ansible_facts['service_mgr'] == systemd
    - synapse_systemd_state == 'started'
 - name: Ensure systemd units are reloaded
  listen: systemd-daemon-reload
  ansible.builtin.systemd:
--- a/roles/synapse/tasks/configure.yml
+++ b/roles/synapse/tasks/configure.yml
@ -71,4 +71,3 @@
        mode: "0640"
  notify:
    - synapse-restart
  when: synapse_state != 'absent'
--- a/roles/synapse/tasks/deploy-virtualenv.yml
+++ b/roles/synapse/tasks/deploy-virtualenv.yml
@ -27,13 +27,6 @@
    virtualenv: "{{ synapse_venv_path }}"
  notify:
    - synapse-restart
  when: synapse_state != 'absent'
 - name: Ensure synapse virtualenv is {{ synapse_state }}
  ansible.builtin.file:
    path: "{{ synapse_venv_path }}"
    state: "{{ synapse_state }}"
  when: synapse_state == 'absent'
 - name: Ensure systemd unit is {{ synapse_state }}
  ansible.builtin.template:
@ -41,27 +34,15 @@
    dest: "{{ synapse_systemd_service_file }}"
  notify:
    - systemd-daemon-reload
  when: synapse_state != 'absent'
- name: Ensure systemd unit is {{ synapse_state }}
+- meta: flush_handlers
  ansible.builtin.file:
    path: "{{ synapse_systemd_service_file }}"
    state: "{{ synapse_state }}"
  when: synapse_state == 'absent'
  notify:
    - systemd-daemon-reload
- name: Ensure handlers are flushed for systemd daemon reload and synapse service state propagation
+- name: Ensure systemd service is {{ synapse_state }}
-  meta: flush_handlers
+  ansible.builtin.systemd:
    name: "{{ synapse_systemd_service_name }}"
    state: "{{ synapse_systemd_service_state }}"
- name: Ensure systemd service is {{ synapse_systemd_state }}
+- name: Ensure systemd service is {{ synapse_systemd_service_enabled | ternary('enabled', 'disabled') }}
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
-    name: "{{ synapse_systemd_name }}"
+    name: "{{ synapse_systemd_service_name }}"
-    state: "{{ synapse_systemd_state }}"
+    enabled: "{{ synapse_systemd_service_enabled }}"
  when: synapse_state != 'absent'
 - name: Ensure systemd service is {{ synapse_systemd_enabled | ternary('enabled', 'disabled') }}
  ansible.builtin.systemd_service:
    name: "{{ synapse_systemd_name }}"
    enabled: "{{ synapse_systemd_enabled }}"
  when: synapse_state != 'absent'
--- a/roles/synapse/templates/synapse.service.j2
+++ b/roles/synapse/templates/synapse.service.j2
@ -1,5 +1,5 @@
 [Unit]
-Description={{ synapse_systemd_unit_description }}
+Description="{{ synapse_systemd_unit_description }}"
 {% if synapse_systemd_unit_after | default([]) | length > 0 %}
 After={{ synapse_systemd_unit_after | join(' ') }}
@ -12,33 +12,11 @@ Wants={{ synapse_systemd_unit_wants | join(' ') }}
 Type={{ synapse_systemd_service_type }}
 WorkingDirectory={{ synapse_venv_path }}
 ExecStart={{ synapse_systemd_service_exec_start }}
 ExecStop={{ synapse_systemd_service_exec_stop }}
 ExecReload={{ synapse_systemd_service_exec_reload }}
 User={{ synapse_run_user }}
 Group={{ synapse_run_group }}
 Restart={{ synapse_systemd_service_restart }}
 ProtectSystem={{ synapse_systemd_service_protect_system }}
 ProtectHome={{ synapse_systemd_service_protect_home }}
 ProtectClock={{ synapse_systemd_service_protect_clock }}
 ProtectHostname={{ synapse_systemd_service_protect_hostname }}
 ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
 ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
 ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
 ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
 RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
 RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
 {% for path in synapse_systemd_service_read_write_paths | default([]) %}
 ReadWritePaths={{ path }}
 {% endfor %}
 RestrictAddressFamilies={{ synapse_systemd_service_restrict_address_families | join(' ') }}
 RemoveIPC={{ synapse_systemd_service_remove_ipc }}
 LockPersonality={{ synapse_systemd_service_lock_personality }}
 NoNewPrivileges={{ synapse_systemd_service_no_new_privileges }}
 [Install]
 WantedBy={{ synapse_systemd_install_wanted_by }}