Compare commits

..

1 Commits

Author SHA1 Message Date
50e792cb33
feat(synapse): add deployment method virtualenv 2024-09-28 14:56:32 +02:00
2 changed files with 58 additions and 4 deletions

View File

@ -10,14 +10,44 @@ synapse_systemd_service_enabled: >-2
{{ (synapse_state == 'present') | bool }}
synapse_systemd_unit_description: "Synapse matrix homeserver"
synapse_systemd_service_type: simple
synapse_systemd_service_type: notify
synapse_systemd_service_exec_start: >-2
{{ synapse_venv_path }}/bin/python \
-m synapse.app.homeserver \
{{ synapse_venv_path }}/bin/synapse_homeserver \
--config-path={{ synapse_homeserver_config_file }}
synapse_systemd_service_restart: always
synapse_systemd_service_exec_stop: >-2
{{ synapse_venv_path }}/bin/synctl \
stop {{ synapse_homeserver_config_file }}
synapse_systemd_service_exec_reload: >-2
/usr/bin/env kill -HUP $MAINPID
synapse_systemd_service_restart: on-failure
synapse_systemd_unit_after:
- "network.target"
synapse_systemd_unit_wants: []
synapse_systemd_install_wanted_by: "default.target"
# Hardening
synapse_systemd_service_read_write_paths:
- "{{ synapse_base_path }}"
- "{{ synapse_data_path }}"
- "{{ synapse_media_store_path }}"
- "{{ synapse_log_path }}"
synapse_systemd_service_restrict_address_families:
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
synapse_systemd_service_protect_system: strict
synapse_systemd_service_protect_home: true
synapse_systemd_service_protect_clock: true
synapse_systemd_service_protect_hostname: true
synapse_systemd_service_protect_protect_kernel_logs: true
synapse_systemd_service_protect_protect_kernel_modules: true
synapse_systemd_service_protect_protect_kernel_tunables: true
synapse_systemd_service_protect_protect_control_groups: true
synapse_systemd_service_restrict_namespaces: true
synapse_systemd_service_restrict_suid_sgid: true
synapse_systemd_service_remove_ipc: true
synapse_systemd_service_lock_personality: true
synapse_systemd_service_no_new_privileges: true

View File

@ -12,11 +12,35 @@ Wants={{ synapse_systemd_unit_wants | join(' ') }}
Type={{ synapse_systemd_service_type }}
WorkingDirectory={{ synapse_venv_path }}
ExecStart={{ synapse_systemd_service_exec_start }}
ExecStop={{ synapse_systemd_service_exec_stop }}
ExecReload={{ synapse_systemd_service_exec_reload }}
User={{ synapse_run_user }}
Group={{ synapse_run_group }}
Restart={{ synapse_systemd_service_restart }}
ProtectSystem={{ synapse_systemd_service_protect_system }}
ProtectHome={{ synapse_systemd_service_protect_home }}
ProtectClock={{ synapse_systemd_service_protect_clock }}
ProtectHostname={{ synapse_systemd_service_protect_hostname }}
ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
{% for path in synapse_systemd_service_read_write_paths | default([]) %}
ReadWritePaths={{ path }}
{% endfor %}
{% for addr_family in synapse_systemd_service_restrict_address_families | default([]) %}
RestrictAddressFamilies={{ addr_family }}
{% endfor %}
RemoveIPC={{ synapse_systemd_service_remove_ipc }}
LockPersonality={{ synapse_systemd_service_lock_personality }}
NoNewPersonalities={{ synapse_systemd_service_no_new_privileges }}
[Install]
WantedBy={{ synapse_systemd_install_wanted_by }}