meta: require atleast ansible >= 2.15.0

feat(synapse): add ansible role
feat(synapse_signing_key): add ansible module for managing signing keys
2024-09-21 11:32:51 +02:00 · 2024-09-20 22:28:55 +02:00 · 2024-09-20 19:25:15 +02:00
53 changed files with 66 additions and 866 deletions
--- a/README.md
+++ b/README.md
@ -12,7 +12,6 @@ Roles for deploying matrix infrastructure using ansible.

 - [`cinny`](roles/cinny/README.md): [Cinny](https://cinny.in/) Web Client
 - [`element`](roles/element/README.md): [Element](https://element.io/) Web Client
- [`hydrogen`](roles/hydrogen/README.md): [Hydrogen](https://matrix.org/ecosystem/clients/hydrogen/) lightweight web client
 - [`synapse`](roles/synapse/README.md): [Synapse](https://github.com/element-hq/synapse/),
  a matrix homeserver implemention by Element

--- a/galaxy.yml
+++ b/galaxy.yml
@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: matrix
-version: 0.1.5
+version: 0.0.1
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@ -9,11 +9,4 @@ license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/matrix
-issues: https://codeberg.org/finallycoffee/ansible-collection-matrix/issues
-tags:
-  - matrix
-  - synapse
-  - homeserver
-  - element
-  - hydrogen
-  - cinny
+issues: https://git.finally.coffee/finallycoffee/matrix/issues
--- a/playbooks/hydrogen.yml
+++ b/playbooks/hydrogen.yml
@ -1,6 +0,0 @@
---
- name: Deploy and configure hydrogen
-  hosts: "{{ hydrogen_hosts | default('hydrogen') }}"
-  become: "{{ hydrogen_become | default(true) }}"
-  roles:
-    - role: finallycoffee.matrix.hydrogen
--- a/plugins/modules/synapse_signing_key.md
+++ b/plugins/modules/synapse_signing_key.md
@ -8,7 +8,7 @@ Module to generate and manage synapse signing keys.
 ## Requirements

 - `python >= 3.9`
- (pip) `signed_json >= 1.1.4`
+- `signed_json >= 1.1.4`


 ## Usage examples
--- a/plugins/modules/synapse_signing_key.py
+++ b/plugins/modules/synapse_signing_key.py
@ -94,7 +94,7 @@ def main() -> None:

    if not module.check_mode:
        if state == 'present' and not existing_key_found and path:
-            _write_signing_keys(path, keys)
+            _save_signing_keys(path, keys)
        if state == 'absent' and existing_key_found:
            os.remove(path)
            result['changed'] = True
@ -124,8 +124,8 @@ def _read_signing_keys(file):
        return read_signing_keys(stream)

 def _write_signing_keys(file, keys) -> None:
-    with open(file, "w", opener=lambda path, f: os.open(path, f, mode=0o640)) as stream:
-        write_signing_keys(stream, keys)
+    with open(file, "w", opener=lambda path, f: op.open(path, f, mode=0o640)) as stream:
+        write_signing_keys(strea, keys)

 def _generate_signing_key():
    id = ''
--- a/roles/cinny/defaults/main/main.yml
+++ b/roles/cinny/defaults/main/main.yml
@ -1,7 +1,7 @@
 ---
 cinny_user: cinny
 cinny_state: "present"
-cinny_version: "4.2.3"
+cinny_version: "4.2.1"
 cinny_deployment_method: "docker"

 cinny_base_path: "/opt/cinny"
--- a/roles/cinny/docs/docker.md
+++ b/roles/cinny/docs/docker.md
@ -14,6 +14,7 @@ are available under the `cinny_container_` prefix:
 - `labels`
 - `networks`
 - `etc_hosts`
+- `purge_networks`

 The following variables are pre-populated by the role, so override them with care:

--- a/roles/cinny/meta/main.yml
+++ b/roles/cinny/meta/main.yml
@ -1,12 +0,0 @@
---
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: cinny
-  description: Deploy cinny, a matrix web client, using podman, docker or a raw tarball to serve from your webserver
-  galaxy_tags:
-    - cinny
-    - matrix
-    - matrix-client
-    - docker
-    - podman
--- a/roles/cinny/tasks/deploy-docker.yml
+++ b/roles/cinny/tasks/deploy-docker.yml
@ -30,3 +30,4 @@
    networks: "{{ cinny_container_networks | default(omit) }}"
    etc_hosts: "{{ cinny_container_etc_hosts | default(omit) }}"
    restart_policy: "{{ cinny_container_restart_policy }}"
+    purge_networks: "{{ cinny_container_purge_networks | default(omit) }}"
--- a/roles/element/defaults/main/container.yml
+++ b/roles/element/defaults/main/container.yml
@ -11,15 +11,12 @@ element_container_image_registry: "docker.io"
 element_container_image_namespace: "vectorim"
 element_container_image_name: "element-web"
 element_container_image_tag: ~
-element_container_image_source: pull
-element_container_image_force_source: >-2
-  {{ element_container_image_tag | default(false, true) | bool }}
 element_container_name: "element-web"
 element_container_restart_policy: >-
  {{ (element_deployment_method == 'docker')
      | ternary('unless-stopped',
        (element_deployment_method == 'podman' |
-          ternary('on-failure', 'always')))
+          ternary('on-failure', 'always'))
  }}
 element_container_full_volumes: >-
  {{ element_container_default_volumes
--- a/roles/element/defaults/main/main.yml
+++ b/roles/element/defaults/main/main.yml
@ -1,7 +1,7 @@
 ---
 element_user: element
 element_state: "present"
-element_version: "1.11.86"
+element_version: "1.11.77"
 element_deployment_method: "docker"

 element_base_path: "/opt/element"
@ -10,9 +10,9 @@ element_dist_path: "{{ element_source_path }}/dist"
 element_config_path: "{{ element_base_path }}/config"
 element_config_file: "{{ element_config_path }}/config.json"

-element_host_uid: >-2
-  {{ ((element_user_info is defined) and ('uid' in element_user_info))
+element_host_uid: >-
+  {{ element_user_info is defined
  | ternary(element_user_info.uid, element_user) }}
-element_host_gid: >-2
-  {{ ((element_user_info is defined) and ('uid' in element_user_info))
+element_host_gid: >-
+  {{ element_user_info is defined
  | ternary(element_user_info.group, element_user) }}
--- a/roles/element/docs/docker.md
+++ b/roles/element/docs/docker.md
@ -14,6 +14,7 @@ are available under the `element_container_` prefix:
 - `labels`
 - `networks`
 - `etc_hosts`
+- `purge_networks`

 The following variables are pre-populated by the role, so override them with care:

--- a/roles/element/meta/main.yml
+++ b/roles/element/meta/main.yml
@ -1,12 +0,0 @@
---
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: element
-  description: Deploy element, a matrix web client, using either docker, podman or a raw tarball to serve with your webserver
-  galaxy_tags:
-    - element
-    - matrix
-    - matrix-client
-    - docker
-    - podman
--- a/roles/element/tasks/deploy-docker.yml
+++ b/roles/element/tasks/deploy-docker.yml
@ -14,8 +14,8 @@
  community.docker.docker_image:
    name: "{{ element_container_image }}"
    state: "{{ element_state }}"
-    source: "{{ element_container_image_source }}"
-    force_source: "{{ element_container_image_force_source }}"
+    source: "{{ element_container_source }}"
+    force_source: "{{ element_container_image_tag | default(false, true) }}"

 - name: Ensure container '{{ element_container_name }}' is {{ element_state }}
  community.docker.docker_container:
@ -23,10 +23,11 @@
    image: "{{ element_container_image }}"
    state: "{{ (element_state == 'present') | ternary('started', 'absent') }}"
    env: "{{ element_container_env | default(omit) }}"
-    user: "{{ element_container_user | default(omit) }}"
+    user: "{{ element_container_user }}"
    ports: "{{ element_container_ports | default(omit) }}"
    labels: "{{ element_container_labels | default(omit) }}"
    volumes: "{{ element_container_full_volumes }}"
    networks: "{{ element_container_networks | default(omit) }}"
    etc_hosts: "{{ element_container_etc_hosts | default(omit) }}"
    restart_policy: "{{ element_container_restart_policy }}"
+    purge_networks: "{{ element_container_purge_networks | default(omit) }}"
--- a/roles/element/tasks/deploy-podman.yml
+++ b/roles/element/tasks/deploy-podman.yml
@ -3,8 +3,8 @@
  containers.podman.podman_image:
    name: "{{ element_container_image }}"
    state: "{{ element_state }}"
-    pull: "{{ element_container_image_source == 'pull' }}"
-    force: "{{ element_container_image_force_source }}"
+    pull: "{{ element_container_source == 'pull' }}"
+    force: "{{ element_container_image_tag | default(false, true) }}"

 - name: Ensure container '{{ element_container_name }}' is {{ element_state }}
  containers.podman.podman_container:
@ -12,7 +12,7 @@
    image: "{{ element_container_image }}"
    state: "{{ (element_state == 'present') | ternary('started', 'absent') }}"
    env: "{{ element_container_env | default(omit) }}"
-    user: "{{ element_container_user | default(omit) }}"
+    user: "{{ element_container_user }}"
    ports: "{{ element_container_ports | default(omit) }}"
    labels: "{{ element_container_labels | default(omit) }}"
    volumes: "{{ element_container_full_volumes }}"
--- a/roles/element/vars/main.yml
+++ b/roles/element/vars/main.yml
@ -1,5 +1,5 @@
 ---
-element_states:
+element_state:
  - present
  - absent

--- a/roles/hydrogen/README.md
+++ b/roles/hydrogen/README.md
@ -1,13 +0,0 @@
-# `finallycoffee.matrix.hydrogen` ansible role
-
-Deploy [hydrogen](https://matrix.org/ecosystem/clients/hydrogen/),
-a lightweight matrix web client with SSO, multi-account and E2EE
-Support.
-
-## Configuration
-
-All configuration keys which would be written in the `config.json`
-are available under the `hydrogen_config_*` as flattened camelcase keys.
-As an alternative, the entire config structure can be passed into
-`hydrogen_config` (in combine mode) or `hydrogen_full_config` (ignores
-all defaults).
--- a/roles/hydrogen/defaults/main/container.yml
+++ b/roles/hydrogen/defaults/main/container.yml
@ -1,42 +0,0 @@
---
-hydrogen_container_name: hydrogen
-hydrogen_container_image_server: ghcr.io
-hydrogen_container_image_namespace: element-hq
-hydrogen_container_image_name: hydrogen-web
-hydrogen_container_image_tag: ~
-hydrogen_container_image: >-2
-  {{
-    ([
-      hydrogen_container_image_server,
-      hydrogen_container_image_namespace,
-      hydrogen_container_image_name,
-    ] | join('/'))
-    + ':' + (hydrogen_container_image_tag
-      | default('v' + hydrogen_version, true))
-  }}
-
-hydrogen_container_working_directory: "/usr/share/nginx/html"
-hydrogen_container_config_file: >-2
-  {{ hydrogen_container_working_directory }}/config.json
-hydrogen_container_base_volumes:
-  - "{{ hydrogen_config_file }}:{{ hydrogen_container_config_file }}:ro"
-hydrogen_container_full_volumes: >-2
-  {{ hydrogen_container_base_volumes | default([], true)
-    + (hydrogen_container_volumes | default([], true))
-
-hydrogen_container_image_source: pull
-hydrogen_container_image_force_source: >-2
-  {{ hydrogen_container_image_tag | default(false, true) | bool }}
-hydrogen_container_state: >-2
-  {{ (hydrogen_state == 'present') | ternary('started', 'absent') }}
-hydrogen_container_env: ~
-hydrogen_container_user: >-2
-  {{ hydrogen_run_user_id }}:{{ hydrogen_run_group_id }}
-hydrogen_container_ports: ~
-hydrogen_container_labels: ~
-hydrogen_container_ulimits: ~
-hydrogen_container_volumes: ~
-hydrogen_container_networks: ~
-hydrogen_container_dns_servers: ~
-hydrogen_container_etc_hosts: ~
-hydrogen_container_restart_policy: unless-stopped
--- a/roles/hydrogen/defaults/main/main.yml
+++ b/roles/hydrogen/defaults/main/main.yml
@ -1,21 +0,0 @@
---
-hydrogen_state: present
-hydrogen_user: hydrogen
-hydrogen_version: "0.5.1"
-hydrogen_deployment_method: docker
-
-hydrogen_config_file: "/etc/hydrogen/config.json"
-
-hydrogen_config: ~
-hydrogen_config_default_home_server: matrix.org
-hydrogen_config_default_theme_light: "element-light"
-hydrogen_config_default_theme_dark: "element-dark"
-hydrogen_config_default_theme:
-  light: "{{ hydrogen_config_default_theme_light }}"
-  dark: "{{ hydrogen_config_default_theme_dark }}"
-hydrogen_base_config:
-  defaultHomeServer: "{{ hydrogen_config_default_home_server }}"
-  defaultTheme: "{{ hydrogen_config_default_theme }}"
-hydrogen_full_config: >-2
-  {{ hydrogen_base_config | default({}, true)
-      | combine(hydrogen_config | default({}, true)) }}
--- a/roles/hydrogen/defaults/main/user.yml
+++ b/roles/hydrogen/defaults/main/user.yml
@ -1,5 +0,0 @@
---
-hydrogen_run_user_id: >-2
-  {{ hydrogen_user_info.uid | default(hydrogen_user) }}
-hydrogen_run_group_id: >-2
-  {{ hydrogen_user_info.group | default(hydrogen_user) }}
--- a/roles/hydrogen/meta/main.yml
+++ b/roles/hydrogen/meta/main.yml
@ -1,12 +0,0 @@
---
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: hydrogen
-  description: Deploy hydrogen, a lightweight matrix web client
-  galaxy_tags:
-    - hydrogen
-    - matrix
-    - matrix-client
-    - docker
-    - podman
--- a/roles/hydrogen/tasks/deploy-docker.yml
+++ b/roles/hydrogen/tasks/deploy-docker.yml
@ -1,31 +0,0 @@
---
- name: Ensure container image '{{ hydrogen_container_image }}' is {{ hydrogen_state }} on host
-  community.docker.docker_image:
-    name: "{{ hydrogen_container_image }}"
-    state: "{{ hydrogen_state }}"
-    source: "{{ hydrogen_container_image_source }}"
-    force_source: >-2
-      {{ hydrogen_container_image_force_source }}
-  register: hydrogen_container_image_info
-  until: hydrogen_container_image_info is success
-  retries: 5
-  delay: 3
-
- name: Ensure hydrogen container '{{ hydrogen_container_name }}' is {{ hydrogen_container_state }}
-  community.docker.docker_container:
-    name: "{{ hydrogen_container_name }}"
-    image: "{{ hydrogen_container_image }}"
-    env: "{{ hydrogen_container_env | default(omit, true) }}"
-    user: "{{ hydrogen_container_user }}"
-    ports: "{{ hydrogen_container_ports | default(omit, true) }}"
-    labels: "{{ hydrogen_container_labels | default(omit, true) }}"
-    ulimits: "{{ hydrogen_container_ulimits | default(omit, true) }}"
-    volumes: "{{ hydrogen_container_volumes }}"
-    networks: "{{ hydrogen_container_networks | default(omit, true) }}"
-    dns_servers: >-2
-      {{ hydrogen_container_dns_servers | default(omit, true) }}
-    etc_hosts: >-2
-      {{ hydrogen_container_etc_hosts | default(omit, true) }}
-    restart_policy: >-2
-      {{ hydrogen_container_restart_policy | default(omit, true) }}
-    state: "{{ hydrogen_container_state }}"
--- a/roles/hydrogen/tasks/deploy-podman.yml
+++ b/roles/hydrogen/tasks/deploy-podman.yml
@ -1,30 +0,0 @@
---
- name: Ensure container image '{{ hydrogen_container_image }}' is {{ hydrogen_state }} on host
-  containers.podman.podman_image:
-    name: "{{ hydrogen_container_image }}"
-    state: "{{ hydrogen_state }}"
-    pull: "{{ hydrogen_container_image_source == 'pull' }}"
-    force: "{{ hydrogen_container_image_force_source }}"
-  register: hydrogen_container_image_info
-  until: hydrogen_container_image_info is success
-  retries: 5
-  delay: 3
-
- name: Ensure hydrogen container '{{ hydrogen_container_name }}' is {{ hydrogen_container_state }}
-  containers.podman.podman_container:
-    name: "{{ hydrogen_container_name }}"
-    image: "{{ hydrogen_container_image }}"
-    env: "{{ hydrogen_container_env | default(omit, true) }}"
-    user: "{{ hydrogen_container_user }}"
-    ports: "{{ hydrogen_container_ports | default(omit, true) }}"
-    labels: "{{ hydrogen_container_labels | default(omit, true) }}"
-    ulimits: "{{ hydrogen_container_ulimits | default(omit, true) }}"
-    volumes: "{{ hydrogen_container_volumes }}"
-    network: "{{ hydrogen_container_networks | default(omit, true) }}"
-    dns_servers: >-2
-      {{ hydrogen_container_dns_servers | default(omit, true) }}
-    etc_hosts: >-2
-      {{ hydrogen_container_etc_hosts | default(omit, true) }}
-    restart_policy: >-2
-      {{ hydrogen_container_restart_policy | default(omit, true) }}
-    state: "{{ hydrogen_container_state }}"
--- a/roles/hydrogen/tasks/main.yml
+++ b/roles/hydrogen/tasks/main.yml
@ -1,57 +0,0 @@
---
- name: Check if deployment method is supported
-  ansible.builtin.fail:
-    msg: >-2
-      Deployment method '{{ hydrogen_deployment_method }}'
-      is not supported. Support methods are
-      {{ hydrogen_deployment_methods | join(', ') }}.
-  when: hydrogen_deployment_method not in hydrogen_deployment_methods
-
- name: Check if state is supported
-  ansible.builtin.fail:
-    msg: >-2
-      State '{{ hydrogen_state }}' is not supported.
-      Supported states are: {{ hydrogen_states | join(', ') }}
-  when: hydrogen_state not in hydrogen_states
-
- name: Ensure hydrogen user '{{ hydrogen_user }}' is {{ hydrogen_state }}
-  ansible.builtin.user:
-    name: "{{ hydrogen_user }}"
-    system: "{{ hydrogen_user_system | default(true, true) }}"
-    groups: "{{ hydrogen_user_groups | default(omit, true) }}"
-    append: >-2
-      {{ hydrogen_user_append_groups
-        | default(hydrogen_user_groups | default([]) | length > 0, true)
-        | bool
-      }}
-    state: "{{ hydrogen_state }}"
-  register: hydrogen_user_info
-
- name: Ensure hydrogen config file is {{ hydrogen_state }}
-  ansible.builtin.file:
-    path: "{{ hydrogen_config_file }}"
-    state: "{{ hydrogen_state }}"
-  when: hydrogen_state == 'absent'
-
- name: Ensure hydrogen config folder is {{ hydrogen_state }}
-  ansible.builtin.file:
-    path: "{{ hydrogen_config_file | ansible.builtin.basename }}"
-    state: >-2
-      {{ (hydrogen_state == 'present')
-        | ternary('directory', 'absent') }}
-    owner: "{{ hydrogen_run_user_id }}"
-    group: "{{ hydrogen_run_group_id }}"
-    mode: "0755"
-
- name: Ensure hydrogen config file is {{ hydrogen_state }}
-  ansible.builtin.copy:
-    dest: "{{ hydrogen_config_file }}"
-    content: "{{ hydrogen_config | to_nice_json }}"
-    owner: "{{ hydrogen_run_user_id }}"
-    group: "{{ hydrogen_run_group_id }}"
-    mode: "0640"
-  when: hydrogen_state == 'present'
-
- name: Deploy using {{ hydrogen_deployment_method }}
-  ansible.builtin.include_tasks:
-    file: "deploy-{{ hydrogen_deployment_method }}.yml"
--- a/roles/hydrogen/vars/main.yml
+++ b/roles/hydrogen/vars/main.yml
@ -1,7 +0,0 @@
---
-hydrogen_states:
-  - present
-  - absent
-hydrogen_deployment_methods:
-  - docker
-  - podman
--- a/roles/synapse/README.md
+++ b/roles/synapse/README.md
@ -14,27 +14,15 @@ The following variables need to be populated:

 - [Configure your database](docs/database.md)
 - [Configure your listeners](docs/listeners.md)
- [Configure logging](docs/logging.md)

 ## Deployment methods

- `docker`
- `podman`
- `virtualenv` - Python virtual env supervised with `systemd`
+### Docker

-Set `synapse_deployment_method` to one of the supported deployment methods.
-The current default is `docker`.
+Set `synapse_deployment_method: docker` to deploy synapse in docker container(s).
+This is currently the default.

-### `virtualenv` deployment method
+### Planned methods

-This deployment method installs a `systemd` service called `synapse.service` to
-control the homeserver process. The service depends on the `network.target` by
-default (see [`synapse_systemd_unit_after`](synapse/main/systemd.yml)), and
-uses the `default.target` as it's `WantedBy`
-(see [`synapse_systemd_install_wanted_by`](synapse/main/systemd.yml)).
-
-To only start synapse after, for example, services for redis and postgresql are up,
-set `synapse_systemd_unit_wants: [ "postgresql.service", "redis.service" ]`.
-
-> [!NOTE]
-> Requires `systemd >= 245` on the target machine
+- virtual env + systemd
+- podman
--- a/roles/synapse/defaults/main/container.yml
+++ b/roles/synapse/defaults/main/container.yml
@ -18,47 +18,26 @@ synapse_container_image_repository: >-2
 synapse_container_image_source: pull
 synapse_container_image_tag: ~
 synapse_container_env: {}
-synapse_container_user: >-2
-  {{ ((synapse_user_info is defined) and ('uid' in synapse_user_info))
-  | ternary(synapse_user_info.uid, synapse_user) }}
-synapse_container_group: >-2
-  {{ ((synapse_user_info is defined) and ('group' in synapse_user_info))
-  | ternary(synapse_user_info.group, synapse_user) }}
-synapse_container_groups:
-  - "{{ synapse_container_group }}"
+synapse_container_user: ~
+synapse_container_group: ~
 synapse_container_ports: ~
 synapse_container_labels: ~
 synapse_container_ulimits: ~
 synapse_container_networks: ~
+synapse_container_purge_networks: ~
 synapse_container_dns_servers: ~
 synapse_container_etc_hosts: ~
 synapse_container_memory: ~
 synapse_container_memory_reservation: ~
 synapse_container_memory_swap: ~
-synapse_container_state: >-2
-  {{ (synapse_state == 'present')
-  | ternary('started', 'absent') }}
-synapse_container_restart_policy: >-2
-  {{ (synapse_deployment_method == 'docker')
-    | ternary('unless-stopped', ((synapse_deployment_method == 'podman')
-      | ternary('on-failure', 'always')))
-  }}
+synapse_container_state: "started"
+synapse_container_restart_policy: "unless-stopped"

 synapse_container_volumes: ~
 synapse_container_default_volumes:
-  - "{{ synapse_homeserver_config_file }}:/data/homeserver.yaml:ro"
+  - "{{ synapse_homeserver_config_file }}:{{ synapse_homeserver_config_file }}:ro"
  - "{{ synapse_logging_config_file }}:{{ synapse_logging_config_file }}:ro"
  - "{{ synapse_signing_key_file }}:{{ synapse_signing_key_file }}:ro"
  - "{{ synapse_data_path }}:{{ synapse_data_path }}:z"
  - "{{ synapse_media_store_path }}:{{ synapse_media_store_path }}:z"
-  - "{{ synapse_log_path }}:{{ synapse_log_path }}:z"
-synapse_container_tls_volumes:
-  - "{{ synapse_config_tls_certificate_path }}:{{ synapse_config_tls_certificate_path }}:ro"
-  - "{{ synapse_config_tls_private_key_path }}:{{ synapse_config_tls_private_key_path_path }}:ro"
-synapse_container_all_volumes: >-
-  {{ synapse_container_default_volumes | default([], true)
-  + (synapse_container_tls_volumes
-      if (synapse_config_tls_private_key_path | default(false, true) | bool
-        and synapse_config_tls_certificate_path | default(false, true) | bool)
-      else [])
-  + synapse_container_volumes | default([], true) }}
+
--- a/roles/synapse/defaults/main/homeserver.api.yml
+++ b/roles/synapse/defaults/main/homeserver.api.yml
@ -1,31 +0,0 @@
---
-synapse_config_macaroon_secret_key: ~
-synapse_config_form_secret: ~
-synapse_config_use_appservice_legacy_authorization: false
-synapse_config_track_appservice_user_ips: false
-synapse_config_track_puppeted_user_ips: false
-synapse_config_app_service_config_files: []
-synapse_config_room_prejoin_state_disable_default_event_types: false
-synapse_config_room_prejoin_state_additional_event_types: []
-
-synapse_base_api_config:
-  app_service_config_files: "{{ synapse_config_app_service_config_files }}" 
-  use_appservice_legacy_authorization: >-
-    {{ synapse_config_use_appservice_legacy_authorization }}
-  track_appservice_user_ips: >-
-    {{ synapse_config_track_appservice_user_ips }}
-  track_puppeted_user_ips: >-
-    {{ synapse_config_track_puppeted_user_ips }}
-  room_prejoin_state:
-    disable_default_event_types: >-2
-      {{ synapse_config_room_prejoin_state_disable_default_event_types }}
-    additional_event_types: >-2
-      {{ synapse_config_room_prejoin_state_additional_event_types }}
-synapse_api_config: >-2
-  {{
-    synapse_base_api_config
-    | combine(({"macaroon_secret_key": synapse_config_macaroon_secret_key})
-      if synapse_config_macaroon_secret_key | default(false, true) else {})
-    | combine(({"form_secret": synapse_config_form_secret})
-      if synapse_config_form_secret | default(false, true) else {})
-  }}
--- a/roles/synapse/defaults/main/homeserver.cache.yml
+++ b/roles/synapse/defaults/main/homeserver.cache.yml
@ -1,6 +1,6 @@
 ---
 synapse_config_event_cache_size: "10K"
-synapse_config_caches_global_factor: 0.5
+synapse_config_caches_global_factor: "0.5"
 synapse_config_caches_per_cache_factors: {}
 synapse_config_caches_expire_caches: true
 synapse_config_caches_sync_response_cache_duration: "2m"
--- a/roles/synapse/defaults/main/homeserver.config.yml
+++ b/roles/synapse/defaults/main/homeserver.config.yml
@ -7,7 +7,7 @@ synapse_config_media_store_path: >-
 synapse_config_signing_key_path: >-
  {{ synapse_signing_key_file }}
 synapse_config_trusted_key_servers:
-  - server_name: "matrix.org"
+  - "matrix.org"
 synapse_listeners_config: "{{ synapse_config_listeners }}"

 synapse_default_config: >-
@ -21,11 +21,8 @@ synapse_default_config: >-
    | combine(synapse_cache_config)
    | combine(synapse_ratelimit_config)
    | combine(synapse_metrics_config)
-    | combine(synapse_api_config)
-    | combine(synapse_push_config)
-    | combine(synapse_registration_config)
  }}

 synapse_homeserver_config: >-
  {{ synapse_default_config
-    | combine(synapse_config | default({}), recursive=True) }}
+    | combine(synapse_config | default({})) }}
--- a/roles/synapse/defaults/main/homeserver.federation.yml
+++ b/roles/synapse/defaults/main/homeserver.federation.yml
@ -20,6 +20,7 @@ synapse_federation_tls_config:
    {{ synapse_config_federation_client_minimum_tls_version }}
  federation_certificate_verification_whitelist: >-
    {{ synapse_config_federation_verification_whitelist }}
+  federation_custom_ca_list: "{{ synapse_config_federation_custom_ca_list }}"

 synapse_federation_config: >-
  {{
@ -31,9 +32,6 @@ synapse_federation_config: >-
      "federation": synapse_config_federation
    }
    | combine(synapse_federation_tls_config)
-    | combine(({"federation_custom_ca_list": synapse_config_federation_custom_ca_list})
-      if (synapse_config_federation_custom_ca_list | default(false, true)
-        and synapse_config_federation_custom_ca_list | length > 0) else {})
    | combine(({"federation_domain_whitelist": synapse_config_federation_domain_whitelist})
      if synapse_config_federation_domain_whitelist | default(false, true) else {})
  }}
--- a/roles/synapse/defaults/main/homeserver.metrics.yml
+++ b/roles/synapse/defaults/main/homeserver.metrics.yml
@ -15,14 +15,10 @@ synapse_metrics_sentry_config: >-
      if synapse_config_sentry_dsn | default(false, true) else {})
  }}

-synapse_base_metrics_config:
+synapse_metrics_config:
  enable_metrics: "{{ synapse_config_enable_metrics }}"
+  sentry: "{{ synapse_metrics_sentry_config }}"
  metrics_flags:
    known_servers: "{{ synapse_config_metrics_flags_known_servers }}"
  report_stats: "{{ synapse_config_report_stats }}"
  report_stats_endpoint: "{{ synapse_config_report_stats_endpoint }}"
-synapse_metrics_config: >-
-  {{ synapse_base_metrics_config
-  | combine(({"sentry": synapse_metrics_sentry_config})
-    if (synapse_config_sentry_dsn or synapse_config_sentry_environment) else {})
-  }}
--- a/roles/synapse/defaults/main/homeserver.push.yml
+++ b/roles/synapse/defaults/main/homeserver.push.yml
@ -1,13 +0,0 @@
---
-synapse_config_push_enabled: true
-synapse_config_push_include_content: true
-synapse_config_push_group_unread_count_by_room: true
-synapse_config_push_jitter_delay: "1s"
-
-synapse_push_config:
-  push:
-    enabled: "{{ synapse_config_push_enabled }}"
-    include_content: "{{ synapse_config_push_include_content }}"
-    group_unread_count_by_room: >-
-      {{ synapse_config_push_group_unread_count_by_room }}
-    jitter_delay: "{{ synapse_config_push_jitter_delay }}"
--- a/roles/synapse/defaults/main/homeserver.registration.yml
+++ b/roles/synapse/defaults/main/homeserver.registration.yml
@ -1,41 +0,0 @@
---
-synapse_config_enable_registration: false
-synapse_config_enable_registration_without_verification: false
-synapse_config_registrations_require_3pid: []
-synapse_config_registration_requires_token: true
-synapse_config_registration_shared_secret: ~
-synapse_config_registration_shared_secret_path: ~
-synapse_config_allowed_local_3pids: []
-synapse_config_enable_3pid_lookup: true
-
-synapse_config_bcrypt_rounds: 14
-synapse_config_allow_guest_access: false
-synapse_config_default_identity_server: ~
-synapse_config_enable_set_displayname: true
-synapse_config_enable_set_avatar_url: true
-synapse_config_enable_3pid_changes: true
-
-synapse_registration_base_config:
-  enable_set_displayname: "{{ synapse_config_enable_set_displayname }}"
-  enable_set_avatar_url: "{{ synapse_config_enable_set_avatar_url }}"
-  enable_3pid_changes: "{{ synapse_config_enable_3pid_changes }}"
-  allow_guest_access: "{{ synapse_config_allow_guest_access }}"
-  enable_registration: "{{ synapse_config_enable_registration }}"
-  enable_registration_without_verification: >-2
-    {{ synapse_config_enable_registration_without_verification }}
-  allowed_local_3pids: "{{ synapse_config_allowed_local_3pids }}"
-  enable_3pid_lookup: "{{ synapse_config_enable_3pid_lookup }}"
-  registrations_require_3pid: "{{ synapse_config_registrations_require_3pid }}"
-  registration_requires_token: "{{ synapse_config_registration_requires_token }}"
-  registration_shared_secret: "{{ synapse_config_registration_shared_secret }}"
-  registration_shared_secret_path: >-2
-    {{ synapse_config_registration_shared_secret_path }}
-  bcrypt_rounds: "{{ synapse_config_bcrypt_rounds }}"
-
-synapse_registration_config: >-2
-  {{
-    synapse_registration_base_config
-    | combine(({"default_identity_server": synapse_config_default_identity_server})
-      if (synapse_config_default_identity_server | default(false, true)
-        and synapse_config_default_identity_server | length > 0) else {})
-  }}
--- a/roles/synapse/defaults/main/homeserver.server.yml
+++ b/roles/synapse/defaults/main/homeserver.server.yml
@ -17,8 +17,6 @@ synapse_config_block_non_admin_invites: false
 synapse_config_enable_search: true
 synapse_config_dummy_events_threshold: 10
 synapse_config_delete_stale_devices_after: "90d"
-synapse_config_key_refresh_interval: "1d"
-synapse_config_suppress_key_server_warning: false

 synapse_config_ip_range_blacklist:
  - '127.0.0.0/8'
@ -46,12 +44,10 @@ synapse_default_server_config:
  server_name: "{{ synapse_config_server_name }}"
  pid_file: "{{ synapse_config_pid_file }}"
  listeners: "{{ synapse_listeners_config }}"
-  database: "{{ synapse_database_config }}"
+  database: "{{ synapse_listeners_config }}"
  log_config: "{{ synapse_config_log_config_path }}"
  signing_key_path: "{{ synapse_config_signing_key_path }}"
-  key_refresh_interval: "{{ synapse_config_key_refresh_interval }}"
  trusted_key_servers: "{{ synapse_config_trusted_key_servers }}"
-  suppress_key_server_warning: "{{ synapse_config_suppress_key_server_warning }}"
  public_baseurl: "{{ synapse_config_public_baseurl }}"
  serve_server_wellknown: "{{ synapse_config_serve_server_wellknown }}"
  extra_well_known_client_content: >-
--- a/roles/synapse/defaults/main/homeserver.turn.yml
+++ b/roles/synapse/defaults/main/homeserver.turn.yml
@ -2,7 +2,6 @@
 # TURN / RTC configuration
 synapse_config_turn_uris: []
 synapse_config_turn_shared_secret: ~
-synapse_config_turn_shared_secret_path: ~
 synapse_config_turn_username: ~
 synapse_config_turn_password: ~
 synapse_config_turn_user_lifetime: "2h"
@ -17,8 +16,6 @@ synapse_turn_config: >-2
    synapse_turn_config_base
    | combine(({ turn_shared_secret: synapse_config_turn_shared_secret })
      if synapse_config_turn_shared_secret | default(false, true) else {})
-    | combine(({ turn_shared_secret_path: synapse_config_turn_shared_secret_path })
-      if synapse_config_turn_shared_secret_path | default(false, true) else {})
    | combine(({ turn_username: synapse_config_turn_username })
      if synapse_config_username | default(false, true) else {})
    | combine(({ turn_password: synapse_config_turn_password })
--- a/roles/synapse/defaults/main/homeservers.listeners.yml
+++ b/roles/synapse/defaults/main/homeservers.listeners.yml
@ -1,7 +1,7 @@
 ---
 synapse_config_listeners: >-
  {{ synapse_listeners_default_config }}
-synapse_config_listeners_port: 8080
+synapse_config_listeners_port: "8080"
 synapse_config_listeners_tls: false
 synapse_config_listeners_type: http
 synapse_config_listeners_x_forwarded: true
@ -22,20 +22,3 @@ synapse_listeners_default_config:
    x_forwarded: "{{ synapse_config_listeners_x_forwarded }}"
    bind_addresses: "{{ synapse_config_listeners_bind_addresses }}"
    resources: "{{ synapse_config_listeners_resources }}"
-synapse_config_metrics_listener_port: 9000
-synapse_config_metrics_listener_tls: false
-synapse_config_metrics_listener_type: http
-synapse_config_metrics_listener_x_forwarded: false
-synapse_config_metrics_listener_bind_addresses:
-  - "127.0.0.1"
-  - "::1"
-synapse_config_metrics_listener_resources:
-  - names: metrics
-    compress: false
-synapse_metrics_listener:
-  - port: "{{ synapse_config_metrics_listener_port }}"
-    tls: "{{ synapse_config_metrics_listener_tls }}"
-    type: "{{ synapse_config_metrics_listener_type }}"
-    x_forwarded: "{{ synapse_config_metrics_listener_x_forwarded }}"
-    bind_addresses: "{{ synapse_config_metrics_listener_bind_addresses }}"
-    resources: "{{ synapse_config_metrics_listener_resources }}"
--- a/roles/synapse/defaults/main/main.yml
+++ b/roles/synapse/defaults/main/main.yml
@ -1,17 +1,16 @@
 ---
+
 synapse_user: synapse
-synapse_group: synapse
-synapse_version: "1.120.0"
+synapse_version: "1.115.0"
 synapse_state: "present"
 synapse_deployment_method: "docker"

 synapse_base_path: /opt/synapse
-synapse_config_path: "/etc/synapse"
+synapse_config_path: "{{ synapse_base_path }}/config"
 synapse_data_path: "{{ synapse_base_path }}/data"
 synapse_media_store_path: "{{ synapse_data_path }}/media_store"
 synapse_log_path: "/var/log/synapse"
 synapse_homeserver_log_path: "{{ synapse_log_path }}/homeserver.log"
-synapse_venv_path: "{{ synapse_base_path }}/venv"

 synapse_signing_key: ~
 synapse_signing_key_file: >-
--- a/roles/synapse/defaults/main/systemd.yml
+++ b/roles/synapse/defaults/main/systemd.yml
@ -1,53 +0,0 @@
---
-synapse_systemd_name: "synapse.service"
-synapse_systemd_service_directory: /etc/systemd/system
-synapse_systemd_service_file: >-2
-  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
-
-synapse_systemd_state: >-2
-  {{ (synapse_state == 'present') | ternary('started', 'stopped') }}
-synapse_systemd_enabled: >-2
-  {{ (synapse_state == 'present') | bool }}
-
-synapse_systemd_unit_description: "Synapse matrix homeserver"
-synapse_systemd_service_type: notify
-synapse_systemd_service_exec_start: >-2
-  {{ synapse_venv_path }}/bin/synapse_homeserver \
-    --config-path={{ synapse_homeserver_config_file }}
-synapse_systemd_service_exec_stop: >-2
-  {{ synapse_venv_path }}/bin/synctl \
-    stop {{ synapse_homeserver_config_file }}
-synapse_systemd_service_exec_reload: >-2
-  /usr/bin/env kill -HUP $MAINPID
-synapse_systemd_service_restart: on-failure
-
-synapse_systemd_unit_after:
-  - "network.target"
-synapse_systemd_unit_wants: []
-synapse_systemd_install_wanted_by: "default.target"
-
-# Hardening
-synapse_systemd_service_read_write_paths:
-  - "{{ synapse_base_path }}"
-  - "{{ synapse_data_path }}"
-  - "{{ synapse_media_store_path }}"
-  - "{{ synapse_log_path }}"
-synapse_systemd_service_restrict_address_families:
-  - "AF_INET"
-  - "AF_INET6"
-  - "AF_UNIX"
-synapse_systemd_service_protect_system: strict
-synapse_systemd_service_protect_home: true
-synapse_systemd_service_protect_clock: true
-synapse_systemd_service_protect_hostname: true
-synapse_systemd_service_protect_protect_kernel_logs: true
-synapse_systemd_service_protect_protect_kernel_modules: true
-synapse_systemd_service_protect_protect_kernel_tunables: true
-synapse_systemd_service_protect_protect_control_groups: true
-
-synapse_systemd_service_restrict_namespaces: true
-synapse_systemd_service_restrict_suid_sgid: true
-
-synapse_systemd_service_remove_ipc: true
-synapse_systemd_service_lock_personality: true
-synapse_systemd_service_no_new_privileges: true
--- a/roles/synapse/defaults/main/user.yml
+++ b/roles/synapse/defaults/main/user.yml
@ -1,21 +0,0 @@
---
-synapse_user_base_groups:
-  - "{{ synapse_run_group }}"
-synapse_user_groups: ~
-synapse_user_all_groups: >-2
-  {{ synapse_user_base_groups | default([], true)
-    + synapse_user_groups | default([], true) }}
-synapse_user_groups_append: "{{ synapse_user_all_groups | length > 0 }}"
-synapse_run_user: >-2
-  {{ synapse_user_info.name | default(synapse_user) }}
-synapse_run_group: >-2
-  {{ (synapse_user_info is defined and ('groups' in synapse_user_info))
-    | ternary(
-      (synapse_user_info.groups | default("") | split(",") | first),
-      synapse_group
-    )
-  }}
-synapse_run_user_id: >-2
-  {{ synapse_user_info.uid | default(synapse_user) }}
-synapse_run_group_id: >-2
-  {{ synapse_user_info.group | default(synapse_user) }}
--- a/roles/synapse/defaults/main/virtualenv.yml
+++ b/roles/synapse/defaults/main/virtualenv.yml
@ -1,11 +0,0 @@
---
-synapse_venv_package: "matrix-synapse[all]"
-synapse_venv_pip_dependencies:
-  - pip
-  - setuptools
-synapse_venv_package_full: >-2
-  {{ synapse_venv_package }}@{{ synapse_version }}
-
-synapse_venv_python_binary: >-2
-  {{ ansible_python_interpreter | default(omit, true) }}
-synapse_venv_extra_args: ~
--- a/roles/synapse/docs/database.md
+++ b/roles/synapse/docs/database.md
@ -13,7 +13,7 @@ synapse_config_database_args:
  user: my_synapse_db_user
  password: my_synapse_db_password
  host: my_database_host
-  port: my_database_port_to_connect_to
+  port: my_database_port_to_connect_to | int
  # connection pooling (cp) settings, min and max connections
  cp_min: 5 | int
  cp_max: 20 | int
--- a/roles/synapse/docs/listeners.md
+++ b/roles/synapse/docs/listeners.md
@ -2,7 +2,7 @@

 Synapse serves endpoints under so-called listeners, which are
 defined in `synapse_listeners_config`. The role gives some pre-
-configured options to set for use in various scenarios.
+configured options to set for use in various scenarios:

 ## Behind reverse proxy which does SSL offloading

@ -15,71 +15,10 @@ Use it like this:
 ```yaml
 synapse_listeners_config: "{{ synapse_listeners_default_config }}"
 # Change the port like this
-synapse_config_listeners_port: 8090
+synapse_config_listeners_port: "8090"
 # If you use docker or your reverse-proxy is not local,
 # set the listen_addresses like this
 synapse_config_listeners_bind_addresses:
  - "::"
  - "0.0.0.0"
 ```
-
-### Additional local metrics listener
-
-The role provides a ready-to-use configuration for a locally-reachable
-metrics listener in `synapse_metrics_listener`.
-
-To enable it, set `synapse_config_listeners: "{{ synapse_listeners_default_config + synapse_metrics_listener}}`.
-
-To customize the listener, see [the `synapse_config_metrics_listener_*` variables
-in `defaults/main/homeserver.listeners.yml`](../defaults/main/homeserver.listeners.yml).
-
-The defaults will create a http-only metrics listener on port 9000 which
-will listen on `127.0.0.1` and `::1`.
-
-## Synapse handling TLS without reverse proxy
-
-Supply your certificates using `synapse_config_tls_{certificate,private_key}_path`.
-
-Then you can either customize the default listener like this:
-```yaml
-# synapse_config_tls_certificate_path: "/etc/ssl/{{ synapse_domain }}.pem"
-# synapse_config_tls_private_key_path: "/etc/ssl/{{ synapse_domain }}.key"
-synapse_config_listeners_port: 443
-synapse_config_listeners_tls: true
-synapse_config_listeners_type: https
-synapse_config_listeners_x_forwarded: false
-synapse_config_listeners_resources_compress: true
-synapse_config_serve_server_wellknown: true
-```
-
-or you can serve federation over a different port, by completely rewriting
-the role's defaults:
-```yaml
-synapse_config_listeners:
-  - port: 8448
-    tls: true
-    type: https
-    x_forwarded: true
-    bind_addresses:
-      - 10.0.0.1
-      - fd00::1
-    resources:
-      - names: federation
-        compress: true
-  - port: 443
-    tls: true
-    type: https
-    x_forwarded: true
-    bind_addresses:
-      - 10.0.0.2
-      - fd00::2
-    resources:
-      - names: client
-        compress: true
-```
-
-It is possible to mix and match those listeners to almost all requirements,
-like listening locally without HTTPs for federation and using a WAF / firewall /
-reverse proxy infront of synapse for federation (see: "Secure Border Gateways")
-and trusting the `X-Forwarded-For` Header, while having clients
-directly connect to synapse.
--- a/roles/synapse/docs/logging.md
+++ b/roles/synapse/docs/logging.md
@ -1,48 +0,0 @@
-# `synapse` logging configuration
-
-Synapse uses a `buffer` handler per default, which flushes
-periodically, but flushes logs immediately for log events
-with a level greater or equal to WARNING.
-
-To set your desired log level, specify it in `synapse_log_config_root_level`.
-
-## Formatters
-
-By default, the upstream `precise` formatter is availabe. To define and use
-more formatters, extend `synapse_log_config_formatters` like this:
-
-```yaml
-synapse_log_config_formatters_custom_json:
-  custom_json:
-    format: >-
-      {"lineno": %(lineno)d, "level": "%(levelname)s", "req_id": "%(request)s", "msg": "%(message)s"}
-synapse_log_config_formatters: >-2
-  {{
-    ({ synapse_log_config_formatters_precise_name: synapse_log_config_formatters_precise })
-    | combine(synapse_log_config_formatters_custom_json)
-  }}
-
-# Set handlers to use your formatter like this
-synapse_log_config_handlers_file_formatter: custom_json
-synapse_log_config_handlers_console_formatter: custom_json
-```
-
-## Handlers
-
-For modifying the built-in `file`/`buffer`/`console` handlers, see
-[the defaults in `../defaults/main/log.config.yml`](../defaults/main/log.config.yml).
-
-### Containers
-
-For typical container setups, it is often recommended to log all
-logs to `stdout`/`stderr`. This can be easily archieved by setting
-`synapse_log_config_root_handlers: [ synapse_log_config_handlers_console_name ]`.
-
-## Child loggers
-
-To set a different configuration / log level for child loggers of
-the root logger (currently, this is only `synapse.storage.SQL`),
-override `synapse_log_config_loggers` directly or for the SQL loggers,
-set the level in `synapse_log_config_loggers_synapse_storage_sql_level`
-(which defaults to `synapse_log_config_root_level`).
-
--- a/roles/synapse/handlers/main.yml
+++ b/roles/synapse/handlers/main.yml
@ -1,31 +0,0 @@
---
- name: Ensure synapse is restarted
-  listen: synapse-restart
-  community.docker.docker_container:
-    name: "{{ synapse_container_name }}"
-    state: started
-    restart: true
-  when: synapse_deployment_method == 'docker'
-
- name: Ensure synapse is restarted
-  listen: synapse-restart
-  containers.podman.podman_container:
-    name: "{{ synapse_container_name }}"
-    state: "{{ synapse_container_state }}"
-    force_restart: true
-  when: synapse_deployment_method == 'podman'
-
- name: Ensure synapse is restarted
-  listen: synapse-restart
-  ansible.builtin.systemd_service:
-    name: "{{ synapse_systemd_service_name }}"
-    state: restarted
-  when:
-    - synapse_deployment_method == 'virtualenv'
-    - ansible_facts['service_mgr'] == systemd
-    - synapse_systemd_state == 'started'
-
- name: Ensure systemd units are reloaded
-  listen: systemd-daemon-reload
-  ansible.builtin.systemd:
-    daemon_reload: true
--- a/roles/synapse/meta/main.yml
+++ b/roles/synapse/meta/main.yml
@ -1,12 +0,0 @@
---
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: synapse
-  description: Deploy synapse, a matrix homeserver. Supports docker, podman, virtualenv
-  galaxy_tags:
-    - synapse
-    - matrix
-    - homeserver
-    - docker
-    - podman
--- a/roles/synapse/tasks/check.yml
+++ b/roles/synapse/tasks/check.yml
@ -13,20 +13,20 @@
  when: synapse_deployment_method not in synapse_deployment_methods

 - name: Ensure required variables are given
-  ansible.builtin.fail:
+  fail:
    msg: "Required variable '{{ item }}' is undefined!"
  loop: "{{ synapse_required_variables }}"
  when: >-2
-    item not in hostvars[inventory_hostname]
-    or hostvars[inventory_hostname][item] | length == 0
+    item not in hostvars[ansible_host]
+    or hostvars[ansible_host][item] | length == 0

 - name: Ensure conditionally required variables are given
-  ansible.builtin.fail:
+  fail:
    msg: "Required variable '{{ item.name }}' is undefined!"
  loop: "{{ synapse_conditionally_required_variables }}"
  loop_control:
    label: "{{ item.name }}"
  when: >-2
    item.when
-    and (item.name not in hostvars[inventory_hostname]
-        or hostvars[inventory_hostname][item.name] | length == 0)
+    and (item.name not in hostvars[ansible_host]
+        or hostvars[ansible_host][item.name] | length == 0)
--- a/roles/synapse/tasks/configure.yml
+++ b/roles/synapse/tasks/configure.yml
@ -1,19 +1,12 @@
 ---
- name: Ensure synapse group '{{ synapse_group }}' is {{ synapse_state }}
-  ansible.builtin.group:
-    name: "{{ synapse_group }}"
-    system: "{{ synapse_group_system | default(true, true) }}"
-    state: "{{ synapse_state }}"
-  register: synapse_group_info
-
 - name: Ensure synapse user '{{ synapse_user }}' is {{ synapse_state }}
  ansible.builtin.user:
    name: "{{ synapse_user }}"
    state: "{{ synapse_state }}"
    system: "{{ synapse_user_system | default(true, true) }}"
    create_home: "{{ synapse_user_create_home | default(false, true) }}"
-    groups: "{{ synapse_user_all_groups | default(omit, true) }}"
-    append: "{{ synapse_user_groups_append | default(omit, true) }}"
+    groups: "{{ synapse_user_groups | default(omit, true) }}"
+    append: "{{ (synapse_user_groups is defined) | ternary(true, omit) }}"
  register: synapse_user_info

 - name: Ensure directories for synapse are {{ synapse_state }}
@ -27,11 +20,8 @@
    - path: "{{ synapse_base_path }}"
      mode: "0755"
    - path: "{{ synapse_config_path }}"
-      mode: "0755"
    - path: "{{ synapse_data_path }}"
-      mode: "0755"
    - path: "{{ synapse_media_store_path }}"
-      mode: "0755"
    - path: "{{ synapse_log_path }}"
      mode: "0755"
  loop_control:
@ -42,8 +32,6 @@
    path: "{{ synapse_signing_key_file }}"
    state: "{{ synapse_state }}"
  when: synapse_role_generate_signing_key
-  notify:
-    - synapse-restart

 - name: Ensure configuration files are templated
  ansible.builtin.copy:
@ -69,6 +57,5 @@
      - content: "{{ synapse_signing_key }}"
        path: "{{ synapse_signing_key_file }}"
        mode: "0640"
-  notify:
-    - synapse-restart
-  when: synapse_state != 'absent'
+
+# TODO: signing key generation/handling
--- a/roles/synapse/tasks/deploy-docker.yml
+++ b/roles/synapse/tasks/deploy-docker.yml
@ -7,8 +7,8 @@
    force_source: "{{ synapse_container_image_tag | default(false, true) | bool }}"
  register: synapse_container_image_info
  until: synapse_container_image_info is success
-  retries: 4
-  delay: 2
+  retries: 10
+  delay: 5

 - name: Ensure synapse container '{{ synapse_container_name }}' is {{ (synapse_state == 'present') | ternary('started', 'absent') }}
  community.docker.docker_container:
@ -16,12 +16,13 @@
    image: "{{ synapse_container_image }}"
    env: "{{ synapse_container_env | default(omit, true) }}"
    user: "{{ synapse_container_user | default(omit, true) }}"
-    groups: "{{ synapse_container_groups | default(omit, true) }}"
+    group: "{{ synapse_container_group | default(omit, true) }}"
    ports: "{{ synapse_container_ports | default(omit, true) }}"
    labels: "{{ synapse_container_labels | default(omit, true) }}"
    ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
-    volumes: "{{ synapse_container_all_volumes }}"
+    volumes: "{{ synapse_container_volumes | default(omit, true) }}"
    networks: "{{ synapse_container_networks | default(omit, true) }}"
+    purge_networks: "{{ synapse_container_purge_networks | default(omit, true) }}"
    dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"
    etc_hosts: "{{ synapse_container_etc_hosts | default(omit, true) }}"
    memory: "{{ synapse_container_memory | default(omit, true) }}"
--- a/roles/synapse/tasks/deploy-podman.yml
+++ b/roles/synapse/tasks/deploy-podman.yml
@ -1,31 +0,0 @@
---
- name: Ensure container image '{{ synapse_container_image }}' is {{ synapse_state }} on host
-  containers.podman.podman_image:
-    name: "{{ synapse_container_image }}"
-    state: "{{ synapse_state }}"
-    pull: "{{ synapse_container_image_source == 'pull' }}"
-    force: "{{ synapse_container_image_tag | default(false, true) | bool }}"
-  register: synapse_container_image_info
-  until: synapse_container_image_info is success
-  retries: 5
-  delay: 3
-
- name: Ensure synapse container '{{ synapse_container_name }}' is {{ synapse_container_state }}
-  containers.podman.podmain_container:
-    name: "{{ synapse_container_name }}"
-    image: "{{ synapse_container_image }}"
-    env: "{{ synapse_container_env | default(omit, true) }}"
-    user: "{{ synapse_container_user | default(omit, true) }}"
-    groups: "{{ synapse_container_groups | default(omit, true) }}"
-    ports: "{{ synapse_container_ports | default(omit, true) }}"
-    labels: "{{ synapse_container_labels | default(omit, true) }}"
-    ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
-    volumes: "{{ synapse_container_all_volumes }}"
-    network: "{{ synapse_container_networks | default(omit, true) }}"
-    dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"
-    etc_hosts: "{{ synapse_container_etc_hosts | default(omit, true) }}"
-    memory: "{{ synapse_container_memory | default(omit, true) }}"
-    memory_reservation: "{{ synapse_container_memory_reservation | default(omit, true) }}"
-    memory_swap: "{{ synapse_container_memory_swap | default(omit, true) }}"
-    restart_policy: "{{ synapse_container_restart_policy }}"
-    state: "{{ synapse_container_state }}"
--- a/roles/synapse/tasks/deploy-virtualenv.yml
+++ b/roles/synapse/tasks/deploy-virtualenv.yml
@ -1,67 +0,0 @@
---
- name: Ensure directory for virtualenv is {{ synapse_state }}
-  ansible.builtin.file:
-    path: "{{ synapse_venv_path }}"
-    owner: >-2
-      {{ synapse_user_info.uid | default(synapse_user) }}
-    group: >-2
-      {{ synapse_user_info.group | default(synapse_user) }}
-    mode: "{{ synapse_venv_path_mode | default('0755') }}"
-    state: >-
-      {{ (synapse_state == 'present')
-        | ternary('directory', 'absent') }}
-
- name: Ensure virtual environment is {{ synapse_state }}
-  ansible.builtin.pip:
-    name: "{{ synapse_venv_pip_dependencies }}"
-    virtualenv: "{{ synapse_venv_path }}"
-    virtualenv_python: "{{ synapse_venv_python_binary }}"
-    extra_args: "{{ synapse_venv_extra_args | default(omit, true) }}"
-    state: "{{ synapse_state }}"
-
- name: Ensure synapse pip package is {{ synapse_state }}
-  ansible.builtin.pip:
-    name: "{{ synapse_venv_package }}"
-    version: "{{ synapse_version }}"
-    state: "{{ synapse_state }}"
-    virtualenv: "{{ synapse_venv_path }}"
-  notify:
-    - synapse-restart
-  when: synapse_state != 'absent'
-
- name: Ensure synapse virtualenv is {{ synapse_state }}
-  ansible.builtin.file:
-    path: "{{ synapse_venv_path }}"
-    state: "{{ synapse_state }}"
-  when: synapse_state == 'absent'
-
- name: Ensure systemd unit is {{ synapse_state }}
-  ansible.builtin.template:
-    src: "synapse.service.j2"
-    dest: "{{ synapse_systemd_service_file }}"
-  notify:
-    - systemd-daemon-reload
-  when: synapse_state != 'absent'
-
- name: Ensure systemd unit is {{ synapse_state }}
-  ansible.builtin.file:
-    path: "{{ synapse_systemd_service_file }}"
-    state: "{{ synapse_state }}"
-  when: synapse_state == 'absent'
-  notify:
-    - systemd-daemon-reload
-
- name: Ensure handlers are flushed for systemd daemon reload and synapse service state propagation
-  meta: flush_handlers
-
- name: Ensure systemd service is {{ synapse_systemd_state }}
-  ansible.builtin.systemd_service:
-    name: "{{ synapse_systemd_name }}"
-    state: "{{ synapse_systemd_state }}"
-  when: synapse_state != 'absent'
-
- name: Ensure systemd service is {{ synapse_systemd_enabled | ternary('enabled', 'disabled') }}
-  ansible.builtin.systemd_service:
-    name: "{{ synapse_systemd_name }}"
-    enabled: "{{ synapse_systemd_enabled }}"
-  when: synapse_state != 'absent'
--- a/roles/synapse/templates/synapse.service.j2
+++ b/roles/synapse/templates/synapse.service.j2
@ -1,44 +0,0 @@
-[Unit]
-Description={{ synapse_systemd_unit_description }}
-
-{% if synapse_systemd_unit_after | default([]) | length > 0 %}
-After={{ synapse_systemd_unit_after | join(' ') }}
-{% endif %}
-{% if synapse_systemd_unit_wants | default([]) | length > 0 %}
-Wants={{ synapse_systemd_unit_wants | join(' ') }}
-{% endif %}
-
-[Service]
-Type={{ synapse_systemd_service_type }}
-WorkingDirectory={{ synapse_venv_path }}
-ExecStart={{ synapse_systemd_service_exec_start }}
-ExecStop={{ synapse_systemd_service_exec_stop }}
-ExecReload={{ synapse_systemd_service_exec_reload }}
-
-User={{ synapse_run_user }}
-Group={{ synapse_run_group }}
-
-Restart={{ synapse_systemd_service_restart }}
-
-ProtectSystem={{ synapse_systemd_service_protect_system }}
-ProtectHome={{ synapse_systemd_service_protect_home }}
-ProtectClock={{ synapse_systemd_service_protect_clock }}
-ProtectHostname={{ synapse_systemd_service_protect_hostname }}
-ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
-ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
-ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
-ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
-
-RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
-RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
-{% for path in synapse_systemd_service_read_write_paths | default([]) %}
-ReadWritePaths={{ path }}
-{% endfor %}
-RestrictAddressFamilies={{ synapse_systemd_service_restrict_address_families | join(' ') }}
-
-RemoveIPC={{ synapse_systemd_service_remove_ipc }}
-LockPersonality={{ synapse_systemd_service_lock_personality }}
-NoNewPrivileges={{ synapse_systemd_service_no_new_privileges }}
-
-[Install]
-WantedBy={{ synapse_systemd_install_wanted_by }}
--- a/roles/synapse/vars/main.yml
+++ b/roles/synapse/vars/main.yml
@ -5,8 +5,6 @@ synapse_states:

 synapse_deployment_methods:
  - docker
-  - podman
-  - virtualenv

 synapse_required_variables:
  - synapse_domain
Author	SHA1	Message	Date
transcaffeine	acdffd5028	meta: require atleast ansible >= 2.15.0	2024-09-21 11:32:51 +02:00
transcaffeine	d96bc2010d	feat(synapse): add ansible role	2024-09-20 22:28:55 +02:00
transcaffeine	dd696c3442	feat(synapse_signing_key): add ansible module for managing signing keys	2024-09-20 19:25:15 +02:00