feat(synapse): add deployment method virtualenv

roles/synapse/defaults/main/systemd.yml

@@ -10,14 +10,44 @@ synapse_systemd_service_enabled: >-2
   {{ (synapse_state == 'present') | bool }}
 
 synapse_systemd_unit_description: "Synapse matrix homeserver"
-synapse_systemd_service_type: simple
+synapse_systemd_service_type: notify
 synapse_systemd_service_exec_start: >-2
-  {{ synapse_venv_path }}/bin/python \
+  {{ synapse_venv_path }}/bin/synapse_homeserver \
-    -m synapse.app.homeserver \
     --config-path={{ synapse_homeserver_config_file }}
-synapse_systemd_service_restart: always
+synapse_systemd_service_exec_stop: >-2
+  {{ synapse_venv_path }}/bin/synctl \
+    stop {{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_reload: >-2
+  /usr/bin/env kill -HUP $MAINPID
+synapse_systemd_service_restart: on-failure
 
 synapse_systemd_unit_after:
   - "network.target"
 synapse_systemd_unit_wants: []
 synapse_systemd_install_wanted_by: "default.target"
+
+# Hardening
+synapse_systemd_service_read_write_paths:
+  - "{{ synapse_base_path }}"
+  - "{{ synapse_data_path }}"
+  - "{{ synapse_media_store_path }}"
+  - "{{ synapse_log_path }}"
+synapse_systemd_service_restrict_address_families:
+  - "AF_INET"
+  - "AF_INET6"
+  - "AF_UNIX"
+synapse_systemd_service_protect_system: strict
+synapse_systemd_service_protect_home: true
+synapse_systemd_service_protect_clock: true
+synapse_systemd_service_protect_hostname: true
+synapse_systemd_service_protect_protect_kernel_logs: true
+synapse_systemd_service_protect_protect_kernel_modules: true
+synapse_systemd_service_protect_protect_kernel_tunables: true
+synapse_systemd_service_protect_protect_control_groups: true
+
+synapse_systemd_service_restrict_namespaces: true
+synapse_systemd_service_restrict_suid_sgid: true
+
+synapse_systemd_service_remove_ipc: true
+synapse_systemd_service_lock_personality: true
+synapse_systemd_service_no_new_privileges: true

roles/synapse/templates/synapse.service.j2

@@ -12,11 +12,35 @@ Wants={{ synapse_systemd_unit_wants | join(' ') }}
 Type={{ synapse_systemd_service_type }}
 WorkingDirectory={{ synapse_venv_path }}
 ExecStart={{ synapse_systemd_service_exec_start }}
+ExecStop={{ synapse_systemd_service_exec_stop }}
+ExecReload={{ synapse_systemd_service_exec_reload }}
 
 User={{ synapse_run_user }}
 Group={{ synapse_run_group }}
 
 Restart={{ synapse_systemd_service_restart }}
 
+ProtectSystem={{ synapse_systemd_service_protect_system }}
+ProtectHome={{ synapse_systemd_service_protect_home }}
+ProtectClock={{ synapse_systemd_service_protect_clock }}
+ProtectHostname={{ synapse_systemd_service_protect_hostname }}
+ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
+ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
+ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
+ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
+
+RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
+RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
+{% for path in synapse_systemd_service_read_write_paths | default([]) %}
+ReadWritePaths={{ path }}
+{% endfor %}
+{% for addr_family in synapse_systemd_service_restrict_address_families | default([]) %}
+RestrictAddressFamilies={{ addr_family }}
+{% endfor %}
+
+RemoveIPC={{ synapse_systemd_service_remove_ipc }}
+LockPersonality={{ synapse_systemd_service_lock_personality }}
+NoNewPersonalities={{ synapse_systemd_service_no_new_privileges }}
+
 [Install]
 WantedBy={{ synapse_systemd_install_wanted_by }}