meta: bump collection version to 0.1.3

README.md

@@ -12,6 +12,7 @@ Roles for deploying matrix infrastructure using ansible.
 
 - [`cinny`](roles/cinny/README.md): [Cinny](https://cinny.in/) Web Client
 - [`element`](roles/element/README.md): [Element](https://element.io/) Web Client
+- [`hydrogen`](roles/hydrogen/README.md): [Hydrogen](https://matrix.org/ecosystem/clients/hydrogen/) lightweight web client
 - [`synapse`](roles/synapse/README.md): [Synapse](https://github.com/element-hq/synapse/),
   a matrix homeserver implemention by Element
 

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: matrix
-version: 0.1.0
+version: 0.1.3
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@@ -10,3 +10,10 @@ build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/matrix
 issues: https://codeberg.org/finallycoffee/ansible-collection-matrix/issues
+tags:
+  - matrix
+  - synapse
+  - homeserver
+  - element
+  - hydrogen
+  - cinny

playbooks/hydrogen.yml

@@ -0,0 +1,6 @@
+---
+- name: Deploy and configure hydrogen
+  hosts: "{{ hydrogen_hosts | default('hydrogen') }}"
+  become: "{{ hydrogen_become | default(true) }}"
+  roles:
+    - role: finallycoffee.matrix.hydrogen

plugins/modules/synapse_signing_key.md

@@ -8,7 +8,7 @@ Module to generate and manage synapse signing keys.
 ## Requirements
 
 - `python >= 3.9`
-- `signed_json >= 1.1.4`
+- (pip) `signed_json >= 1.1.4`
 
 
 ## Usage examples

roles/cinny/defaults/main/main.yml

@@ -1,7 +1,7 @@
 ---
 cinny_user: cinny
 cinny_state: "present"
-cinny_version: "4.2.1"
+cinny_version: "4.2.2"
 cinny_deployment_method: "docker"
 
 cinny_base_path: "/opt/cinny"

roles/cinny/meta/main.yml

@@ -0,0 +1,12 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: cinny
+  description: Deploy cinny, a matrix web client, using podman, docker or a raw tarball to serve from your webserver
+  galaxy_tags:
+    - cinny
+    - matrix
+    - matrix-client
+    - docker
+    - podman

roles/element/defaults/main/container.yml

@@ -11,12 +11,15 @@ element_container_image_registry: "docker.io"
 element_container_image_namespace: "vectorim"
 element_container_image_name: "element-web"
 element_container_image_tag: ~
+element_container_image_source: pull
+element_container_image_force_source: >-2
+  {{ element_container_image_tag | default(false, true) | bool }}
 element_container_name: "element-web"
 element_container_restart_policy: >-
   {{ (element_deployment_method == 'docker')
       | ternary('unless-stopped',
         (element_deployment_method == 'podman' |
-          ternary('on-failure', 'always'))
+          ternary('on-failure', 'always')))
   }}
 element_container_full_volumes: >-
   {{ element_container_default_volumes

roles/element/defaults/main/main.yml

@@ -1,7 +1,7 @@
 ---
 element_user: element
 element_state: "present"
-element_version: "1.11.77"
+element_version: "1.11.85"
 element_deployment_method: "docker"
 
 element_base_path: "/opt/element"
@@ -10,9 +10,9 @@ element_dist_path: "{{ element_source_path }}/dist"
 element_config_path: "{{ element_base_path }}/config"
 element_config_file: "{{ element_config_path }}/config.json"
 
-element_host_uid: >-
+element_host_uid: >-2
-  {{ element_user_info is defined
+  {{ ((element_user_info is defined) and ('uid' in element_user_info))
   | ternary(element_user_info.uid, element_user) }}
-element_host_gid: >-
+element_host_gid: >-2
-  {{ element_user_info is defined
+  {{ ((element_user_info is defined) and ('uid' in element_user_info))
   | ternary(element_user_info.group, element_user) }}

roles/element/meta/main.yml

@@ -0,0 +1,12 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: element
+  description: Deploy element, a matrix web client, using either docker, podman or a raw tarball to serve with your webserver
+  galaxy_tags:
+    - element
+    - matrix
+    - matrix-client
+    - docker
+    - podman

roles/element/tasks/deploy-docker.yml

@@ -14,8 +14,8 @@
   community.docker.docker_image:
     name: "{{ element_container_image }}"
     state: "{{ element_state }}"
-    source: "{{ element_container_source }}"
+    source: "{{ element_container_image_source }}"
-    force_source: "{{ element_container_image_tag | default(false, true) }}"
+    force_source: "{{ element_container_image_force_source }}"
 
 - name: Ensure container '{{ element_container_name }}' is {{ element_state }}
   community.docker.docker_container:
@@ -23,7 +23,7 @@
     image: "{{ element_container_image }}"
     state: "{{ (element_state == 'present') | ternary('started', 'absent') }}"
     env: "{{ element_container_env | default(omit) }}"
-    user: "{{ element_container_user }}"
+    user: "{{ element_container_user | default(omit) }}"
     ports: "{{ element_container_ports | default(omit) }}"
     labels: "{{ element_container_labels | default(omit) }}"
     volumes: "{{ element_container_full_volumes }}"

roles/element/tasks/deploy-podman.yml

@@ -3,8 +3,8 @@
   containers.podman.podman_image:
     name: "{{ element_container_image }}"
     state: "{{ element_state }}"
-    pull: "{{ element_container_source == 'pull' }}"
+    pull: "{{ element_container_image_source == 'pull' }}"
-    force: "{{ element_container_image_tag | default(false, true) }}"
+    force: "{{ element_container_image_force_source }}"
 
 - name: Ensure container '{{ element_container_name }}' is {{ element_state }}
   containers.podman.podman_container:
@@ -12,7 +12,7 @@
     image: "{{ element_container_image }}"
     state: "{{ (element_state == 'present') | ternary('started', 'absent') }}"
     env: "{{ element_container_env | default(omit) }}"
-    user: "{{ element_container_user }}"
+    user: "{{ element_container_user | default(omit) }}"
     ports: "{{ element_container_ports | default(omit) }}"
     labels: "{{ element_container_labels | default(omit) }}"
     volumes: "{{ element_container_full_volumes }}"

roles/element/vars/main.yml

@@ -1,5 +1,5 @@
 ---
-element_state:
+element_states:
   - present
   - absent
 

roles/hydrogen/README.md

@@ -0,0 +1,13 @@
+# `finallycoffee.matrix.hydrogen` ansible role
+
+Deploy [hydrogen](https://matrix.org/ecosystem/clients/hydrogen/),
+a lightweight matrix web client with SSO, multi-account and E2EE
+Support.
+
+## Configuration
+
+All configuration keys which would be written in the `config.json`
+are available under the `hydrogen_config_*` as flattened camelcase keys.
+As an alternative, the entire config structure can be passed into
+`hydrogen_config` (in combine mode) or `hydrogen_full_config` (ignores
+all defaults).

roles/hydrogen/defaults/main/container.yml

@@ -0,0 +1,43 @@
+---
+hydrogen_container_name: hydrogen
+hydrogen_container_image_server: ghcr.io
+hydrogen_container_image_namespace: element-hq
+hydrogen_container_image_name: hydrogen-web
+hydrogen_container_image_tag: ~
+hydrogen_container_image: >-2
+  {{
+    ([
+      hydrogen_container_image_server,
+      hydrogen_container_image_namespace,
+      hydrogen_container_image_name,
+    ] | join('/'))
+    + ':' + (hydrogen_container_image_tag
+      | default('v' + hydrogen_version, true))
+  }}
+
+hydrogen_container_working_directory: "/usr/share/nginx/html"
+hydrogen_container_config_file: >-2
+  {{ hydrogen_container_working_directory }}/config.json
+hydrogen_container_base_volumes:
+  - "{{ hydrogen_config_file }}:{{ hydrogen_container_config_file }}:ro"
+hydrogen_container_full_volumes: >-2
+  {{ hydrogen_container_base_volumes | default([], true)
+    + (hydrogen_container_volumes | default([], true))
+
+hydrogen_container_image_source: pull
+hydrogen_container_image_force_source: >-2
+  {{ hydrogen_container_image_tag | default(false, true) | bool }}
+hydrogen_container_state: >-2
+  {{ (hydrogen_state == 'present') | ternary('started', 'absent') }}
+hydrogen_container_env: ~
+hydrogen_container_user: >-2
+  {{ hydrogen_run_user_id }}:{{ hydrogen_run_group_id }}
+hydrogen_container_ports: ~
+hydrogen_container_labels: ~
+hydrogen_container_ulimits: ~
+hydrogen_container_volumes: ~
+hydrogen_container_networks: ~
+hydrogen_container_purge_networks: ~
+hydrogen_container_dns_servers: ~
+hydrogen_container_etc_hosts: ~
+hydrogen_container_restart_policy: unless-stopped

roles/hydrogen/defaults/main/main.yml

@@ -0,0 +1,21 @@
+---
+hydrogen_state: present
+hydrogen_user: hydrogen
+hydrogen_version: "0.5.0"
+hydrogen_deployment_method: docker
+
+hydrogen_config_file: "/etc/hydrogen/config.json"
+
+hydrogen_config: ~
+hydrogen_config_default_home_server: matrix.org
+hydrogen_config_default_theme_light: "element-light"
+hydrogen_config_default_theme_dark: "element-dark"
+hydrogen_config_default_theme:
+  light: "{{ hydrogen_config_default_theme_light }}"
+  dark: "{{ hydrogen_config_default_theme_dark }}"
+hydrogen_base_config:
+  defaultHomeServer: "{{ hydrogen_config_default_home_server }}"
+  defaultTheme: "{{ hydrogen_config_default_theme }}"
+hydrogen_full_config: >-2
+  {{ hydrogen_base_config | default({}, true)
+      | combine(hydrogen_config | default({}, true)) }}

roles/hydrogen/defaults/main/user.yml

@@ -0,0 +1,5 @@
+---
+hydrogen_run_user_id: >-2
+  {{ hydrogen_user_info.uid | default(hydrogen_user) }}
+hydrogen_run_group_id: >-2
+  {{ hydrogen_user_info.group | default(hydrogen_user) }}

roles/hydrogen/meta/main.yml

@@ -0,0 +1,12 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: hydrogen
+  description: Deploy hydrogen, a lightweight matrix web client
+  galaxy_tags:
+    - hydrogen
+    - matrix
+    - matrix-client
+    - docker
+    - podman

roles/hydrogen/tasks/deploy-docker.yml

@@ -0,0 +1,33 @@
+---
+- name: Ensure container image '{{ hydrogen_container_image }}' is {{ hydrogen_state }} on host
+  community.docker.docker_image:
+    name: "{{ hydrogen_container_image }}"
+    state: "{{ hydrogen_state }}"
+    source: "{{ hydrogen_container_image_source }}"
+    force_source: >-2
+      {{ hydrogen_container_image_force_source }}
+  register: hydrogen_container_image_info
+  until: hydrogen_container_image_info is success
+  retries: 5
+  delay: 3
+
+- name: Ensure hydrogen container '{{ hydrogen_container_name }}' is {{ hydrogen_container_state }}
+  community.docker.docker_container:
+    name: "{{ hydrogen_container_name }}"
+    image: "{{ hydrogen_container_image }}"
+    env: "{{ hydrogen_container_env | default(omit, true) }}"
+    user: "{{ hydrogen_container_user }}"
+    ports: "{{ hydrogen_container_ports | default(omit, true) }}"
+    labels: "{{ hydrogen_container_labels | default(omit, true) }}"
+    ulimits: "{{ hydrogen_container_ulimits | default(omit, true) }}"
+    volumes: "{{ hydrogen_container_volumes }}"
+    networks: "{{ hydrogen_container_networks | default(omit, true) }}"
+    purge_networks: >-2
+      {{ hydrogen_container_purge_networks | default(omit, true) }}
+    dns_servers: >-2
+      {{ hydrogen_container_dns_servers | default(omit, true) }}
+    etc_hosts: >-2
+      {{ hydrogen_container_etc_hosts | default(omit, true) }}
+    restart_policy: >-2
+      {{ hydrogen_container_restart_policy | default(omit, true) }}
+    state: "{{ hydrogen_container_state }}"

roles/hydrogen/tasks/deploy-podman.yml

@@ -0,0 +1,32 @@
+---
+- name: Ensure container image '{{ hydrogen_container_image }}' is {{ hydrogen_state }} on host
+  containers.podman.podman_image:
+    name: "{{ hydrogen_container_image }}"
+    state: "{{ hydrogen_state }}"
+    pull: "{{ hydrogen_container_image_source == 'pull' }}"
+    force: "{{ hydrogen_container_image_force_source }}"
+  register: hydrogen_container_image_info
+  until: hydrogen_container_image_info is success
+  retries: 5
+  delay: 3
+
+- name: Ensure hydrogen container '{{ hydrogen_container_name }}' is {{ hydrogen_container_state }}
+  containers.podman.podman_container:
+    name: "{{ hydrogen_container_name }}"
+    image: "{{ hydrogen_container_image }}"
+    env: "{{ hydrogen_container_env | default(omit, true) }}"
+    user: "{{ hydrogen_container_user }}"
+    ports: "{{ hydrogen_container_ports | default(omit, true) }}"
+    labels: "{{ hydrogen_container_labels | default(omit, true) }}"
+    ulimits: "{{ hydrogen_container_ulimits | default(omit, true) }}"
+    volumes: "{{ hydrogen_container_volumes }}"
+    network: "{{ hydrogen_container_networks | default(omit, true) }}"
+    purge_networks: >-2
+      {{ hydrogen_container_purge_networks | default(omit, true) }}
+    dns_servers: >-2
+      {{ hydrogen_container_dns_servers | default(omit, true) }}
+    etc_hosts: >-2
+      {{ hydrogen_container_etc_hosts | default(omit, true) }}
+    restart_policy: >-2
+      {{ hydrogen_container_restart_policy | default(omit, true) }}
+    state: "{{ hydrogen_container_state }}"

roles/hydrogen/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Check if deployment method is supported
+  ansible.builtin.fail:
+    msg: >-2
+      Deployment method '{{ hydrogen_deployment_method }}'
+      is not supported. Support methods are
+      {{ hydrogen_deployment_methods | join(', ') }}.
+  when: hydrogen_deployment_method not in hydrogen_deployment_methods
+
+- name: Check if state is supported
+  ansible.builtin.fail:
+    msg: >-2
+      State '{{ hydrogen_state }}' is not supported.
+      Supported states are: {{ hydrogen_states | join(', ') }}
+  when: hydrogen_state not in hydrogen_states
+
+- name: Ensure hydrogen user '{{ hydrogen_user }}' is {{ hydrogen_state }}
+  ansible.builtin.user:
+    name: "{{ hydrogen_user }}"
+    system: "{{ hydrogen_user_system | default(true, true) }}"
+    groups: "{{ hydrogen_user_groups | default(omit, true) }}"
+    append: >-2
+      {{ hydrogen_user_append_groups
+        | default(hydrogen_user_groups | default([]) | length > 0, true)
+        | bool
+      }}
+    state: "{{ hydrogen_state }}"
+  register: hydrogen_user_info
+
+- name: Ensure hydrogen config file is {{ hydrogen_state }}
+  ansible.builtin.file:
+    path: "{{ hydrogen_config_file }}"
+    state: "{{ hydrogen_state }}"
+  when: hydrogen_state == 'absent'
+
+- name: Ensure hydrogen config folder is {{ hydrogen_state }}
+  ansible.builtin.file:
+    path: "{{ hydrogen_config_file | ansible.builtin.basename }}"
+    state: >-2
+      {{ (hydrogen_state == 'present')
+        | ternary('directory', 'absent') }}
+    owner: "{{ hydrogen_run_user_id }}"
+    group: "{{ hydrogen_run_group_id }}"
+    mode: "0755"
+
+- name: Ensure hydrogen config file is {{ hydrogen_state }}
+  ansible.builtin.copy:
+    dest: "{{ hydrogen_config_file }}"
+    content: "{{ hydrogen_config | to_nice_json }}"
+    owner: "{{ hydrogen_run_user_id }}"
+    group: "{{ hydrogen_run_group_id }}"
+    mode: "0640"
+  when: hydrogen_state == 'present'
+
+- name: Deploy using {{ hydrogen_deployment_method }}
+  ansible.builtin.include_tasks:
+    file: "deploy-{{ hydrogen_deployment_method }}.yml"

roles/hydrogen/vars/main.yml

@@ -0,0 +1,7 @@
+---
+hydrogen_states:
+  - present
+  - absent
+hydrogen_deployment_methods:
+  - docker
+  - podman

roles/synapse/README.md

@@ -20,10 +20,21 @@ The following variables need to be populated:
 
 - `docker`
 - `podman`
+- `virtualenv` - Python virtual env supervised with `systemd`
 
 Set `synapse_deployment_method` to one of the supported deployment methods.
 The current default is `docker`.
 
-### Planned deployment methods
+### `virtualenv` deployment method
 
-- `venv` - Python virtual env supervised with `systemd`
+This deployment method installs a `systemd` service called `synapse.service` to
+control the homeserver process. The service depends on the `network.target` by
+default (see [`synapse_systemd_unit_after`](synapse/main/systemd.yml)), and
+uses the `default.target` as it's `WantedBy`
+(see [`synapse_systemd_install_wanted_by`](synapse/main/systemd.yml)).
+
+To only start synapse after, for example, services for redis and postgresql are up,
+set `synapse_systemd_unit_wants: [ "postgresql.service", "redis.service" ]`.
+
+> [!NOTE]
+> Requires `systemd >= 245` on the target machine

roles/synapse/defaults/main/homeserver.turn.yml

@@ -2,6 +2,7 @@
 # TURN / RTC configuration
 synapse_config_turn_uris: []
 synapse_config_turn_shared_secret: ~
+synapse_config_turn_shared_secret_path: ~
 synapse_config_turn_username: ~
 synapse_config_turn_password: ~
 synapse_config_turn_user_lifetime: "2h"
@@ -16,6 +17,8 @@ synapse_turn_config: >-2
     synapse_turn_config_base
     | combine(({ turn_shared_secret: synapse_config_turn_shared_secret })
       if synapse_config_turn_shared_secret | default(false, true) else {})
+    | combine(({ turn_shared_secret_path: synapse_config_turn_shared_secret_path })
+      if synapse_config_turn_shared_secret_path | default(false, true) else {})
     | combine(({ turn_username: synapse_config_turn_username })
       if synapse_config_username | default(false, true) else {})
     | combine(({ turn_password: synapse_config_turn_password })

roles/synapse/defaults/main/main.yml

@@ -1,16 +1,17 @@
 ---
-
 synapse_user: synapse
-synapse_version: "1.115.0"
+synapse_group: synapse
+synapse_version: "1.118.0"
 synapse_state: "present"
 synapse_deployment_method: "docker"
 
 synapse_base_path: /opt/synapse
-synapse_config_path: "{{ synapse_base_path }}/config"
+synapse_config_path: "/etc/synapse"
 synapse_data_path: "{{ synapse_base_path }}/data"
 synapse_media_store_path: "{{ synapse_data_path }}/media_store"
 synapse_log_path: "/var/log/synapse"
 synapse_homeserver_log_path: "{{ synapse_log_path }}/homeserver.log"
+synapse_venv_path: "{{ synapse_base_path }}/venv"
 
 synapse_signing_key: ~
 synapse_signing_key_file: >-

roles/synapse/defaults/main/systemd.yml

@@ -0,0 +1,53 @@
+---
+synapse_systemd_name: "synapse.service"
+synapse_systemd_service_directory: /etc/systemd/system
+synapse_systemd_service_file: >-2
+  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
+
+synapse_systemd_state: >-2
+  {{ (synapse_state == 'present') | ternary('started', 'stopped') }}
+synapse_systemd_enabled: >-2
+  {{ (synapse_state == 'present') | bool }}
+
+synapse_systemd_unit_description: "Synapse matrix homeserver"
+synapse_systemd_service_type: notify
+synapse_systemd_service_exec_start: >-2
+  {{ synapse_venv_path }}/bin/synapse_homeserver \
+    --config-path={{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_stop: >-2
+  {{ synapse_venv_path }}/bin/synctl \
+    stop {{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_reload: >-2
+  /usr/bin/env kill -HUP $MAINPID
+synapse_systemd_service_restart: on-failure
+
+synapse_systemd_unit_after:
+  - "network.target"
+synapse_systemd_unit_wants: []
+synapse_systemd_install_wanted_by: "default.target"
+
+# Hardening
+synapse_systemd_service_read_write_paths:
+  - "{{ synapse_base_path }}"
+  - "{{ synapse_data_path }}"
+  - "{{ synapse_media_store_path }}"
+  - "{{ synapse_log_path }}"
+synapse_systemd_service_restrict_address_families:
+  - "AF_INET"
+  - "AF_INET6"
+  - "AF_UNIX"
+synapse_systemd_service_protect_system: strict
+synapse_systemd_service_protect_home: true
+synapse_systemd_service_protect_clock: true
+synapse_systemd_service_protect_hostname: true
+synapse_systemd_service_protect_protect_kernel_logs: true
+synapse_systemd_service_protect_protect_kernel_modules: true
+synapse_systemd_service_protect_protect_kernel_tunables: true
+synapse_systemd_service_protect_protect_control_groups: true
+
+synapse_systemd_service_restrict_namespaces: true
+synapse_systemd_service_restrict_suid_sgid: true
+
+synapse_systemd_service_remove_ipc: true
+synapse_systemd_service_lock_personality: true
+synapse_systemd_service_no_new_privileges: true

roles/synapse/defaults/main/user.yml

@@ -0,0 +1,21 @@
+---
+synapse_user_base_groups:
+  - "{{ synapse_run_group }}"
+synapse_user_groups: ~
+synapse_user_all_groups: >-2
+  {{ synapse_user_base_groups | default([], true)
+    + synapse_user_groups | default([], true) }}
+synapse_user_groups_append: "{{ synapse_user_all_groups | length > 0 }}"
+synapse_run_user: >-2
+  {{ synapse_user_info.name | default(synapse_user) }}
+synapse_run_group: >-2
+  {{ (synapse_user_info is defined and ('groups' in synapse_user_info))
+    | ternary(
+      (synapse_user_info.groups | default("") | split(",") | first),
+      synapse_group
+    )
+  }}
+synapse_run_user_id: >-2
+  {{ synapse_user_info.uid | default(synapse_user) }}
+synapse_run_group_id: >-2
+  {{ synapse_user_info.group | default(synapse_user) }}

roles/synapse/defaults/main/virtualenv.yml

@@ -0,0 +1,11 @@
+---
+synapse_venv_package: "matrix-synapse[all]"
+synapse_venv_pip_dependencies:
+  - pip
+  - setuptools
+synapse_venv_package_full: >-2
+  {{ synapse_venv_package }}@{{ synapse_version }}
+
+synapse_venv_python_binary: >-2
+  {{ ansible_python_interpreter | default(omit, true) }}
+synapse_venv_extra_args: ~

roles/synapse/handlers/main.yml

@@ -14,3 +14,18 @@
     state: "{{ synapse_container_state }}"
     force_restart: true
   when: synapse_deployment_method == 'podman'
+
+- name: Ensure synapse is restarted
+  listen: synapse-restart
+  ansible.builtin.systemd_service:
+    name: "{{ synapse_systemd_service_name }}"
+    state: restarted
+  when:
+    - synapse_deployment_method == 'virtualenv'
+    - ansible_facts['service_mgr'] == systemd
+    - synapse_systemd_state == 'started'
+
+- name: Ensure systemd units are reloaded
+  listen: systemd-daemon-reload
+  ansible.builtin.systemd:
+    daemon_reload: true

roles/synapse/meta/main.yml

@@ -0,0 +1,12 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: synapse
+  description: Deploy synapse, a matrix homeserver. Supports docker, podman, virtualenv
+  galaxy_tags:
+    - synapse
+    - matrix
+    - homeserver
+    - docker
+    - podman

roles/synapse/tasks/check.yml

@@ -17,8 +17,8 @@
     msg: "Required variable '{{ item }}' is undefined!"
   loop: "{{ synapse_required_variables }}"
   when: >-2
-    item not in hostvars[ansible_host]
+    item not in hostvars[inventory_hostname]
-    or hostvars[ansible_host][item] | length == 0
+    or hostvars[inventory_hostname][item] | length == 0
 
 - name: Ensure conditionally required variables are given
   ansible.builtin.fail:

roles/synapse/tasks/configure.yml

@@ -1,12 +1,19 @@
 ---
+- name: Ensure synapse group '{{ synapse_group }}' is {{ synapse_state }}
+  ansible.builtin.group:
+    name: "{{ synapse_group }}"
+    system: "{{ synapse_group_system | default(true, true) }}"
+    state: "{{ synapse_state }}"
+  register: synapse_group_info
+
 - name: Ensure synapse user '{{ synapse_user }}' is {{ synapse_state }}
   ansible.builtin.user:
     name: "{{ synapse_user }}"
     state: "{{ synapse_state }}"
     system: "{{ synapse_user_system | default(true, true) }}"
     create_home: "{{ synapse_user_create_home | default(false, true) }}"
-    groups: "{{ synapse_user_groups | default(omit, true) }}"
+    groups: "{{ synapse_user_all_groups | default(omit, true) }}"
-    append: "{{ (synapse_user_groups is defined) | ternary(true, omit) }}"
+    append: "{{ synapse_user_groups_append | default(omit, true) }}"
   register: synapse_user_info
 
 - name: Ensure directories for synapse are {{ synapse_state }}
@@ -64,3 +71,4 @@
         mode: "0640"
   notify:
     - synapse-restart
+  when: synapse_state != 'absent'

roles/synapse/tasks/deploy-virtualenv.yml

@@ -0,0 +1,67 @@
+---
+- name: Ensure directory for virtualenv is {{ synapse_state }}
+  ansible.builtin.file:
+    path: "{{ synapse_venv_path }}"
+    owner: >-2
+      {{ synapse_user_info.uid | default(synapse_user) }}
+    group: >-2
+      {{ synapse_user_info.group | default(synapse_user) }}
+    mode: "{{ synapse_venv_path_mode | default('0755') }}"
+    state: >-
+      {{ (synapse_state == 'present')
+        | ternary('directory', 'absent') }}
+
+- name: Ensure virtual environment is {{ synapse_state }}
+  ansible.builtin.pip:
+    name: "{{ synapse_venv_pip_dependencies }}"
+    virtualenv: "{{ synapse_venv_path }}"
+    virtualenv_python: "{{ synapse_venv_python_binary }}"
+    extra_args: "{{ synapse_venv_extra_args | default(omit, true) }}"
+    state: "{{ synapse_state }}"
+
+- name: Ensure synapse pip package is {{ synapse_state }}
+  ansible.builtin.pip:
+    name: "{{ synapse_venv_package }}"
+    version: "{{ synapse_version }}"
+    state: "{{ synapse_state }}"
+    virtualenv: "{{ synapse_venv_path }}"
+  notify:
+    - synapse-restart
+  when: synapse_state != 'absent'
+
+- name: Ensure synapse virtualenv is {{ synapse_state }}
+  ansible.builtin.file:
+    path: "{{ synapse_venv_path }}"
+    state: "{{ synapse_state }}"
+  when: synapse_state == 'absent'
+
+- name: Ensure systemd unit is {{ synapse_state }}
+  ansible.builtin.template:
+    src: "synapse.service.j2"
+    dest: "{{ synapse_systemd_service_file }}"
+  notify:
+    - systemd-daemon-reload
+  when: synapse_state != 'absent'
+
+- name: Ensure systemd unit is {{ synapse_state }}
+  ansible.builtin.file:
+    path: "{{ synapse_systemd_service_file }}"
+    state: "{{ synapse_state }}"
+  when: synapse_state == 'absent'
+  notify:
+    - systemd-daemon-reload
+
+- name: Ensure handlers are flushed for systemd daemon reload and synapse service state propagation
+  meta: flush_handlers
+
+- name: Ensure systemd service is {{ synapse_systemd_state }}
+  ansible.builtin.systemd_service:
+    name: "{{ synapse_systemd_name }}"
+    state: "{{ synapse_systemd_state }}"
+  when: synapse_state != 'absent'
+
+- name: Ensure systemd service is {{ synapse_systemd_enabled | ternary('enabled', 'disabled') }}
+  ansible.builtin.systemd_service:
+    name: "{{ synapse_systemd_name }}"
+    enabled: "{{ synapse_systemd_enabled }}"
+  when: synapse_state != 'absent'

roles/synapse/templates/synapse.service.j2

@@ -0,0 +1,44 @@
+[Unit]
+Description={{ synapse_systemd_unit_description }}
+
+{% if synapse_systemd_unit_after | default([]) | length > 0 %}
+After={{ synapse_systemd_unit_after | join(' ') }}
+{% endif %}
+{% if synapse_systemd_unit_wants | default([]) | length > 0 %}
+Wants={{ synapse_systemd_unit_wants | join(' ') }}
+{% endif %}
+
+[Service]
+Type={{ synapse_systemd_service_type }}
+WorkingDirectory={{ synapse_venv_path }}
+ExecStart={{ synapse_systemd_service_exec_start }}
+ExecStop={{ synapse_systemd_service_exec_stop }}
+ExecReload={{ synapse_systemd_service_exec_reload }}
+
+User={{ synapse_run_user }}
+Group={{ synapse_run_group }}
+
+Restart={{ synapse_systemd_service_restart }}
+
+ProtectSystem={{ synapse_systemd_service_protect_system }}
+ProtectHome={{ synapse_systemd_service_protect_home }}
+ProtectClock={{ synapse_systemd_service_protect_clock }}
+ProtectHostname={{ synapse_systemd_service_protect_hostname }}
+ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
+ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
+ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
+ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
+
+RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
+RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
+{% for path in synapse_systemd_service_read_write_paths | default([]) %}
+ReadWritePaths={{ path }}
+{% endfor %}
+RestrictAddressFamilies={{ synapse_systemd_service_restrict_address_families | join(' ') }}
+
+RemoveIPC={{ synapse_systemd_service_remove_ipc }}
+LockPersonality={{ synapse_systemd_service_lock_personality }}
+NoNewPrivileges={{ synapse_systemd_service_no_new_privileges }}
+
+[Install]
+WantedBy={{ synapse_systemd_install_wanted_by }}

roles/synapse/vars/main.yml

@@ -6,6 +6,7 @@ synapse_states:
 synapse_deployment_methods:
   - docker
   - podman
+  - virtualenv
 
 synapse_required_variables:
   - synapse_domain