meta: bump collection version to 0.1.1

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: matrix
-version: 0.0.1
+version: 0.1.1
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@@ -9,4 +9,4 @@ license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/matrix
-issues: https://git.finally.coffee/finallycoffee/matrix/issues
+issues: https://codeberg.org/finallycoffee/ansible-collection-matrix/issues

plugins/modules/synapse_signing_key.md

@@ -8,7 +8,7 @@ Module to generate and manage synapse signing keys.
 ## Requirements
 
 - `python >= 3.9`
-- `signed_json >= 1.1.4`
+- (pip) `signed_json >= 1.1.4`
 
 
 ## Usage examples

plugins/modules/synapse_signing_key.py

@@ -94,7 +94,7 @@ def main() -> None:
 
     if not module.check_mode:
         if state == 'present' and not existing_key_found and path:
-            _save_signing_keys(path, keys)
+            _write_signing_keys(path, keys)
         if state == 'absent' and existing_key_found:
             os.remove(path)
             result['changed'] = True
@@ -124,8 +124,8 @@ def _read_signing_keys(file):
         return read_signing_keys(stream)
 
 def _write_signing_keys(file, keys) -> None:
-    with open(file, "w", opener=lambda path, f: op.open(path, f, mode=0o640)) as stream:
+    with open(file, "w", opener=lambda path, f: os.open(path, f, mode=0o640)) as stream:
-        write_signing_keys(strea, keys)
+        write_signing_keys(stream, keys)
 
 def _generate_signing_key():
     id = ''

roles/synapse/README.md

@@ -14,15 +14,27 @@ The following variables need to be populated:
 
 - [Configure your database](docs/database.md)
 - [Configure your listeners](docs/listeners.md)
+- [Configure logging](docs/logging.md)
 
 ## Deployment methods
 
-### Docker
+- `docker`
+- `podman`
+- `virtualenv` - Python virtual env supervised with `systemd`
 
-Set `synapse_deployment_method: docker` to deploy synapse in docker container(s).
+Set `synapse_deployment_method` to one of the supported deployment methods.
-This is currently the default.
+The current default is `docker`.
 
-### Planned methods
+### `virtualenv` deployment method
 
-- virtual env + systemd
+This deployment method installs a `systemd` service called `synapse.service` to
-- podman
+control the homeserver process. The service depends on the `network.target` by
+default (see [`synapse_systemd_unit_after`](synapse/main/systemd.yml)), and
+uses the `default.target` as it's `WantedBy`
+(see [`synapse_systemd_install_wanted_by`](synapse/main/systemd.yml)).
+
+To only start synapse after, for example, services for redis and postgresql are up,
+set `synapse_systemd_unit_wants: [ "postgresql.service", "redis.service" ]`.
+
+> [!NOTE]
+> Requires `systemd >= 245` on the target machine

roles/synapse/defaults/main/container.yml

@@ -18,8 +18,14 @@ synapse_container_image_repository: >-2
 synapse_container_image_source: pull
 synapse_container_image_tag: ~
 synapse_container_env: {}
-synapse_container_user: ~
+synapse_container_user: >-2
-synapse_container_group: ~
+  {{ ((synapse_user_info is defined) and ('uid' in synapse_user_info))
+  | ternary(synapse_user_info.uid, synapse_user) }}
+synapse_container_group: >-2
+  {{ ((synapse_user_info is defined) and ('group' in synapse_user_info))
+  | ternary(synapse_user_info.group, synapse_user) }}
+synapse_container_groups:
+  - "{{ synapse_container_group }}"
 synapse_container_ports: ~
 synapse_container_labels: ~
 synapse_container_ulimits: ~
@@ -30,14 +36,30 @@ synapse_container_etc_hosts: ~
 synapse_container_memory: ~
 synapse_container_memory_reservation: ~
 synapse_container_memory_swap: ~
-synapse_container_state: "started"
+synapse_container_state: >-2
-synapse_container_restart_policy: "unless-stopped"
+  {{ (synapse_state == 'present')
+  | ternary('started', 'absent') }}
+synapse_container_restart_policy: >-2
+  {{ (synapse_deployment_method == 'docker')
+    | ternary('unless-stopped', ((synapse_deployment_method == 'podman')
+      | ternary('on-failure', 'always')))
+  }}
 
 synapse_container_volumes: ~
 synapse_container_default_volumes:
-  - "{{ synapse_homeserver_config_file }}:{{ synapse_homeserver_config_file }}:ro"
+  - "{{ synapse_homeserver_config_file }}:/data/homeserver.yaml:ro"
   - "{{ synapse_logging_config_file }}:{{ synapse_logging_config_file }}:ro"
   - "{{ synapse_signing_key_file }}:{{ synapse_signing_key_file }}:ro"
   - "{{ synapse_data_path }}:{{ synapse_data_path }}:z"
   - "{{ synapse_media_store_path }}:{{ synapse_media_store_path }}:z"
-
+  - "{{ synapse_log_path }}:{{ synapse_log_path }}:z"
+synapse_container_tls_volumes:
+  - "{{ synapse_config_tls_certificate_path }}:{{ synapse_config_tls_certificate_path }}:ro"
+  - "{{ synapse_config_tls_private_key_path }}:{{ synapse_config_tls_private_key_path_path }}:ro"
+synapse_container_all_volumes: >-
+  {{ synapse_container_default_volumes | default([], true)
+  + (synapse_container_tls_volumes
+      if (synapse_config_tls_private_key_path | default(false, true) | bool
+        and synapse_config_tls_certificate_path | default(false, true) | bool)
+      else [])
+  + synapse_container_volumes | default([], true) }}

roles/synapse/defaults/main/homeserver.api.yml

@@ -0,0 +1,31 @@
+---
+synapse_config_macaroon_secret_key: ~
+synapse_config_form_secret: ~
+synapse_config_use_appservice_legacy_authorization: false
+synapse_config_track_appservice_user_ips: false
+synapse_config_track_puppeted_user_ips: false
+synapse_config_app_service_config_files: []
+synapse_config_room_prejoin_state_disable_default_event_types: false
+synapse_config_room_prejoin_state_additional_event_types: []
+
+synapse_base_api_config:
+  app_service_config_files: "{{ synapse_config_app_service_config_files }}" 
+  use_appservice_legacy_authorization: >-
+    {{ synapse_config_use_appservice_legacy_authorization }}
+  track_appservice_user_ips: >-
+    {{ synapse_config_track_appservice_user_ips }}
+  track_puppeted_user_ips: >-
+    {{ synapse_config_track_puppeted_user_ips }}
+  room_prejoin_state:
+    disable_default_event_types: >-2
+      {{ synapse_config_room_prejoin_state_disable_default_event_types }}
+    additional_event_types: >-2
+      {{ synapse_config_room_prejoin_state_additional_event_types }}
+synapse_api_config: >-2
+  {{
+    synapse_base_api_config
+    | combine(({"macaroon_secret_key": synapse_config_macaroon_secret_key})
+      if synapse_config_macaroon_secret_key | default(false, true) else {})
+    | combine(({"form_secret": synapse_config_form_secret})
+      if synapse_config_form_secret | default(false, true) else {})
+  }}

roles/synapse/defaults/main/homeserver.cache.yml

@@ -1,6 +1,6 @@
 ---
 synapse_config_event_cache_size: "10K"
-synapse_config_caches_global_factor: "0.5"
+synapse_config_caches_global_factor: 0.5
 synapse_config_caches_per_cache_factors: {}
 synapse_config_caches_expire_caches: true
 synapse_config_caches_sync_response_cache_duration: "2m"

roles/synapse/defaults/main/homeserver.config.yml

@@ -7,7 +7,7 @@ synapse_config_media_store_path: >-
 synapse_config_signing_key_path: >-
   {{ synapse_signing_key_file }}
 synapse_config_trusted_key_servers:
-  - "matrix.org"
+  - server_name: "matrix.org"
 synapse_listeners_config: "{{ synapse_config_listeners }}"
 
 synapse_default_config: >-
@@ -21,6 +21,8 @@ synapse_default_config: >-
     | combine(synapse_cache_config)
     | combine(synapse_ratelimit_config)
     | combine(synapse_metrics_config)
+    | combine(synapse_api_config)
+    | combine(synapse_push_config)
   }}
 
 synapse_homeserver_config: >-

roles/synapse/defaults/main/homeserver.federation.yml

@@ -20,7 +20,6 @@ synapse_federation_tls_config:
     {{ synapse_config_federation_client_minimum_tls_version }}
   federation_certificate_verification_whitelist: >-
     {{ synapse_config_federation_verification_whitelist }}
-  federation_custom_ca_list: "{{ synapse_config_federation_custom_ca_list }}"
 
 synapse_federation_config: >-
   {{
@@ -32,6 +31,9 @@ synapse_federation_config: >-
       "federation": synapse_config_federation
     }
     | combine(synapse_federation_tls_config)
+    | combine(({"federation_custom_ca_list": synapse_config_federation_custom_ca_list})
+      if (synapse_config_federation_custom_ca_list | default(false, true)
+        and synapse_config_federation_custom_ca_list | length > 0) else {})
     | combine(({"federation_domain_whitelist": synapse_config_federation_domain_whitelist})
       if synapse_config_federation_domain_whitelist | default(false, true) else {})
   }}

roles/synapse/defaults/main/homeserver.listeners.yml

@@ -1,7 +1,7 @@
 ---
 synapse_config_listeners: >-
   {{ synapse_listeners_default_config }}
-synapse_config_listeners_port: "8080"
+synapse_config_listeners_port: 8080
 synapse_config_listeners_tls: false
 synapse_config_listeners_type: http
 synapse_config_listeners_x_forwarded: true
@@ -22,3 +22,20 @@ synapse_listeners_default_config:
     x_forwarded: "{{ synapse_config_listeners_x_forwarded }}"
     bind_addresses: "{{ synapse_config_listeners_bind_addresses }}"
     resources: "{{ synapse_config_listeners_resources }}"
+synapse_config_metrics_listener_port: 9000
+synapse_config_metrics_listener_tls: false
+synapse_config_metrics_listener_type: http
+synapse_config_metrics_listener_x_forwarded: false
+synapse_config_metrics_listener_bind_addresses:
+  - "127.0.0.1"
+  - "::1"
+synapse_config_metrics_listener_resources:
+  - names: metrics
+    compress: false
+synapse_metrics_listener:
+  - port: "{{ synapse_config_metrics_listener_port }}"
+    tls: "{{ synapse_config_metrics_listener_tls }}"
+    type: "{{ synapse_config_metrics_listener_type }}"
+    x_forwarded: "{{ synapse_config_metrics_listener_x_forwarded }}"
+    bind_addresses: "{{ synapse_config_metrics_listener_bind_addresses }}"
+    resources: "{{ synapse_config_metrics_listener_resources }}"

roles/synapse/defaults/main/homeserver.metrics.yml

@@ -15,10 +15,14 @@ synapse_metrics_sentry_config: >-
       if synapse_config_sentry_dsn | default(false, true) else {})
   }}
 
-synapse_metrics_config:
+synapse_base_metrics_config:
   enable_metrics: "{{ synapse_config_enable_metrics }}"
-  sentry: "{{ synapse_metrics_sentry_config }}"
   metrics_flags:
     known_servers: "{{ synapse_config_metrics_flags_known_servers }}"
   report_stats: "{{ synapse_config_report_stats }}"
   report_stats_endpoint: "{{ synapse_config_report_stats_endpoint }}"
+synapse_metrics_config: >-
+  {{ synapse_base_metrics_config
+  | combine(({"sentry": synapse_metrics_sentry_config})
+    if (synapse_config_sentry_dsn or synapse_config_sentry_environment) else {})
+  }}

roles/synapse/defaults/main/homeserver.push.yml

@@ -0,0 +1,13 @@
+---
+synapse_config_push_enabled: true
+synapse_config_push_include_content: true
+synapse_config_push_group_unread_count_by_room: true
+synapse_config_push_jitter_delay: "1s"
+
+synapse_push_config:
+  push:
+    enabled: "{{ synapse_config_push_enabled }}"
+    include_content: "{{ synapse_config_push_include_content }}"
+    group_unread_count_by_room: >-
+      {{ synapse_config_push_group_unread_count_by_room }}
+    jitter_delay: "{{ synapse_config_push_jitter_delay }}"

roles/synapse/defaults/main/homeserver.server.yml

@@ -17,6 +17,8 @@ synapse_config_block_non_admin_invites: false
 synapse_config_enable_search: true
 synapse_config_dummy_events_threshold: 10
 synapse_config_delete_stale_devices_after: "90d"
+synapse_config_key_refresh_interval: "1d"
+synapse_config_suppress_key_server_warning: false
 
 synapse_config_ip_range_blacklist:
   - '127.0.0.0/8'
@@ -44,10 +46,12 @@ synapse_default_server_config:
   server_name: "{{ synapse_config_server_name }}"
   pid_file: "{{ synapse_config_pid_file }}"
   listeners: "{{ synapse_listeners_config }}"
-  database: "{{ synapse_listeners_config }}"
+  database: "{{ synapse_database_config }}"
   log_config: "{{ synapse_config_log_config_path }}"
   signing_key_path: "{{ synapse_config_signing_key_path }}"
+  key_refresh_interval: "{{ synapse_config_key_refresh_interval }}"
   trusted_key_servers: "{{ synapse_config_trusted_key_servers }}"
+  suppress_key_server_warning: "{{ synapse_config_suppress_key_server_warning }}"
   public_baseurl: "{{ synapse_config_public_baseurl }}"
   serve_server_wellknown: "{{ synapse_config_serve_server_wellknown }}"
   extra_well_known_client_content: >-

roles/synapse/defaults/main/homeserver.turn.yml

@@ -2,6 +2,7 @@
 # TURN / RTC configuration
 synapse_config_turn_uris: []
 synapse_config_turn_shared_secret: ~
+synapse_config_turn_shared_secret_path: ~
 synapse_config_turn_username: ~
 synapse_config_turn_password: ~
 synapse_config_turn_user_lifetime: "2h"
@@ -16,6 +17,8 @@ synapse_turn_config: >-2
     synapse_turn_config_base
     | combine(({ turn_shared_secret: synapse_config_turn_shared_secret })
       if synapse_config_turn_shared_secret | default(false, true) else {})
+    | combine(({ turn_shared_secret_path: synapse_config_turn_shared_secret_path })
+      if synapse_config_turn_shared_secret_path | default(false, true) else {})
     | combine(({ turn_username: synapse_config_turn_username })
       if synapse_config_username | default(false, true) else {})
     | combine(({ turn_password: synapse_config_turn_password })

roles/synapse/defaults/main/main.yml

@@ -1,16 +1,17 @@
 ---
-
 synapse_user: synapse
-synapse_version: "1.115.0"
+synapse_group: synapse
+synapse_version: "1.116.0"
 synapse_state: "present"
 synapse_deployment_method: "docker"
 
 synapse_base_path: /opt/synapse
-synapse_config_path: "{{ synapse_base_path }}/config"
+synapse_config_path: "/etc/synapse"
 synapse_data_path: "{{ synapse_base_path }}/data"
 synapse_media_store_path: "{{ synapse_data_path }}/media_store"
 synapse_log_path: "/var/log/synapse"
 synapse_homeserver_log_path: "{{ synapse_log_path }}/homeserver.log"
+synapse_venv_path: "{{ synapse_base_path }}/venv"
 
 synapse_signing_key: ~
 synapse_signing_key_file: >-

roles/synapse/defaults/main/systemd.yml

@@ -0,0 +1,53 @@
+---
+synapse_systemd_name: "synapse.service"
+synapse_systemd_service_directory: /etc/systemd/system
+synapse_systemd_service_file: >-2
+  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
+
+synapse_systemd_state: >-2
+  {{ (synapse_state == 'present') | ternary('started', 'stopped') }}
+synapse_systemd_enabled: >-2
+  {{ (synapse_state == 'present') | bool }}
+
+synapse_systemd_unit_description: "Synapse matrix homeserver"
+synapse_systemd_service_type: notify
+synapse_systemd_service_exec_start: >-2
+  {{ synapse_venv_path }}/bin/synapse_homeserver \
+    --config-path={{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_stop: >-2
+  {{ synapse_venv_path }}/bin/synctl \
+    stop {{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_reload: >-2
+  /usr/bin/env kill -HUP $MAINPID
+synapse_systemd_service_restart: on-failure
+
+synapse_systemd_unit_after:
+  - "network.target"
+synapse_systemd_unit_wants: []
+synapse_systemd_install_wanted_by: "default.target"
+
+# Hardening
+synapse_systemd_service_read_write_paths:
+  - "{{ synapse_base_path }}"
+  - "{{ synapse_data_path }}"
+  - "{{ synapse_media_store_path }}"
+  - "{{ synapse_log_path }}"
+synapse_systemd_service_restrict_address_families:
+  - "AF_INET"
+  - "AF_INET6"
+  - "AF_UNIX"
+synapse_systemd_service_protect_system: strict
+synapse_systemd_service_protect_home: true
+synapse_systemd_service_protect_clock: true
+synapse_systemd_service_protect_hostname: true
+synapse_systemd_service_protect_protect_kernel_logs: true
+synapse_systemd_service_protect_protect_kernel_modules: true
+synapse_systemd_service_protect_protect_kernel_tunables: true
+synapse_systemd_service_protect_protect_control_groups: true
+
+synapse_systemd_service_restrict_namespaces: true
+synapse_systemd_service_restrict_suid_sgid: true
+
+synapse_systemd_service_remove_ipc: true
+synapse_systemd_service_lock_personality: true
+synapse_systemd_service_no_new_privileges: true

roles/synapse/defaults/main/user.yml

@@ -0,0 +1,21 @@
+---
+synapse_user_base_groups:
+  - "{{ synapse_run_group }}"
+synapse_user_groups: ~
+synapse_user_all_groups: >-2
+  {{ synapse_user_base_groups | default([], true)
+    + synapse_user_groups | default([], true) }}
+synapse_user_groups_append: "{{ synapse_user_all_groups | length > 0 }}"
+synapse_run_user: >-2
+  {{ synapse_user_info.name | default(synapse_user) }}
+synapse_run_group: >-2
+  {{ (synapse_user_info is defined and ('groups' in synapse_user_info))
+    | ternary(
+      (synapse_user_info.groups | default("") | split(",") | first),
+      synapse_group
+    )
+  }}
+synapse_run_user_id: >-2
+  {{ synapse_user_info.uid | default(synapse_user) }}
+synapse_run_group_id: >-2
+  {{ synapse_user_info.group | default(synapse_user) }}

roles/synapse/defaults/main/virtualenv.yml

@@ -0,0 +1,11 @@
+---
+synapse_venv_package: "matrix-synapse[all]"
+synapse_venv_pip_dependencies:
+  - pip
+  - setuptools
+synapse_venv_package_full: >-2
+  {{ synapse_venv_package }}@{{ synapse_version }}
+
+synapse_venv_python_binary: >-2
+  {{ ansible_python_interpreter | default(omit, true) }}
+synapse_venv_extra_args: ~

roles/synapse/docs/database.md

@@ -13,7 +13,7 @@ synapse_config_database_args:
   user: my_synapse_db_user
   password: my_synapse_db_password
   host: my_database_host
-  port: my_database_port_to_connect_to | int
+  port: my_database_port_to_connect_to
   # connection pooling (cp) settings, min and max connections
   cp_min: 5 | int
   cp_max: 20 | int

roles/synapse/docs/listeners.md

@@ -2,7 +2,7 @@
 
 Synapse serves endpoints under so-called listeners, which are
 defined in `synapse_listeners_config`. The role gives some pre-
-configured options to set for use in various scenarios:
+configured options to set for use in various scenarios.
 
 ## Behind reverse proxy which does SSL offloading
 
@@ -15,10 +15,71 @@ Use it like this:
 ```yaml
 synapse_listeners_config: "{{ synapse_listeners_default_config }}"
 # Change the port like this
-synapse_config_listeners_port: "8090"
+synapse_config_listeners_port: 8090
 # If you use docker or your reverse-proxy is not local,
 # set the listen_addresses like this
 synapse_config_listeners_bind_addresses:
   - "::"
   - "0.0.0.0"
 ```
+
+### Additional local metrics listener
+
+The role provides a ready-to-use configuration for a locally-reachable
+metrics listener in `synapse_metrics_listener`.
+
+To enable it, set `synapse_config_listeners: "{{ synapse_listeners_default_config + synapse_metrics_listener}}`.
+
+To customize the listener, see [the `synapse_config_metrics_listener_*` variables
+in `defaults/main/homeserver.listeners.yml`](../defaults/main/homeserver.listeners.yml).
+
+The defaults will create a http-only metrics listener on port 9000 which
+will listen on `127.0.0.1` and `::1`.
+
+## Synapse handling TLS without reverse proxy
+
+Supply your certificates using `synapse_config_tls_{certificate,private_key}_path`.
+
+Then you can either customize the default listener like this:
+```yaml
+# synapse_config_tls_certificate_path: "/etc/ssl/{{ synapse_domain }}.pem"
+# synapse_config_tls_private_key_path: "/etc/ssl/{{ synapse_domain }}.key"
+synapse_config_listeners_port: 443
+synapse_config_listeners_tls: true
+synapse_config_listeners_type: https
+synapse_config_listeners_x_forwarded: false
+synapse_config_listeners_resources_compress: true
+synapse_config_serve_server_wellknown: true
+```
+
+or you can serve federation over a different port, by completely rewriting
+the role's defaults:
+```yaml
+synapse_config_listeners:
+  - port: 8448
+    tls: true
+    type: https
+    x_forwarded: true
+    bind_addresses:
+      - 10.0.0.1
+      - fd00::1
+    resources:
+      - names: federation
+        compress: true
+  - port: 443
+    tls: true
+    type: https
+    x_forwarded: true
+    bind_addresses:
+      - 10.0.0.2
+      - fd00::2
+    resources:
+      - names: client
+        compress: true
+```
+
+It is possible to mix and match those listeners to almost all requirements,
+like listening locally without HTTPs for federation and using a WAF / firewall /
+reverse proxy infront of synapse for federation (see: "Secure Border Gateways")
+and trusting the `X-Forwarded-For` Header, while having clients
+directly connect to synapse.

roles/synapse/docs/logging.md

@@ -0,0 +1,48 @@
+# `synapse` logging configuration
+
+Synapse uses a `buffer` handler per default, which flushes
+periodically, but flushes logs immediately for log events
+with a level greater or equal to WARNING.
+
+To set your desired log level, specify it in `synapse_log_config_root_level`.
+
+## Formatters
+
+By default, the upstream `precise` formatter is availabe. To define and use
+more formatters, extend `synapse_log_config_formatters` like this:
+
+```yaml
+synapse_log_config_formatters_custom_json:
+  custom_json:
+    format: >-
+      {"lineno": %(lineno)d, "level": "%(levelname)s", "req_id": "%(request)s", "msg": "%(message)s"}
+synapse_log_config_formatters: >-2
+  {{
+    ({ synapse_log_config_formatters_precise_name: synapse_log_config_formatters_precise })
+    | combine(synapse_log_config_formatters_custom_json)
+  }}
+
+# Set handlers to use your formatter like this
+synapse_log_config_handlers_file_formatter: custom_json
+synapse_log_config_handlers_console_formatter: custom_json
+```
+
+## Handlers
+
+For modifying the built-in `file`/`buffer`/`console` handlers, see
+[the defaults in `../defaults/main/log.config.yml`](../defaults/main/log.config.yml).
+
+### Containers
+
+For typical container setups, it is often recommended to log all
+logs to `stdout`/`stderr`. This can be easily archieved by setting
+`synapse_log_config_root_handlers: [ synapse_log_config_handlers_console_name ]`.
+
+## Child loggers
+
+To set a different configuration / log level for child loggers of
+the root logger (currently, this is only `synapse.storage.SQL`),
+override `synapse_log_config_loggers` directly or for the SQL loggers,
+set the level in `synapse_log_config_loggers_synapse_storage_sql_level`
+(which defaults to `synapse_log_config_root_level`).
+

roles/synapse/handlers/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Ensure synapse is restarted
+  listen: synapse-restart
+  community.docker.docker_container:
+    name: "{{ synapse_container_name }}"
+    state: started
+    restart: true
+  when: synapse_deployment_method == 'docker'
+
+- name: Ensure synapse is restarted
+  listen: synapse-restart
+  containers.podman.podman_container:
+    name: "{{ synapse_container_name }}"
+    state: "{{ synapse_container_state }}"
+    force_restart: true
+  when: synapse_deployment_method == 'podman'
+
+- name: Ensure synapse is restarted
+  listen: synapse-restart
+  ansible.builtin.systemd_service:
+    name: "{{ synapse_systemd_service_name }}"
+    state: restarted
+  when:
+    - synapse_deployment_method == 'virtualenv'
+    - ansible_facts['service_mgr'] == systemd
+    - synapse_systemd_state == 'started'
+
+- name: Ensure systemd units are reloaded
+  listen: systemd-daemon-reload
+  ansible.builtin.systemd:
+    daemon_reload: true

roles/synapse/tasks/check.yml

@@ -13,7 +13,7 @@
   when: synapse_deployment_method not in synapse_deployment_methods
 
 - name: Ensure required variables are given
-  fail:
+  ansible.builtin.fail:
     msg: "Required variable '{{ item }}' is undefined!"
   loop: "{{ synapse_required_variables }}"
   when: >-2
@@ -21,7 +21,7 @@
     or hostvars[ansible_host][item] | length == 0
 
 - name: Ensure conditionally required variables are given
-  fail:
+  ansible.builtin.fail:
     msg: "Required variable '{{ item.name }}' is undefined!"
   loop: "{{ synapse_conditionally_required_variables }}"
   loop_control:

roles/synapse/tasks/configure.yml

@@ -1,12 +1,19 @@
 ---
+- name: Ensure synapse group '{{ synapse_group }}' is {{ synapse_state }}
+  ansible.builtin.group:
+    name: "{{ synapse_group }}"
+    system: "{{ synapse_group_system | default(true, true) }}"
+    state: "{{ synapse_state }}"
+  register: synapse_group_info
+
 - name: Ensure synapse user '{{ synapse_user }}' is {{ synapse_state }}
   ansible.builtin.user:
     name: "{{ synapse_user }}"
     state: "{{ synapse_state }}"
     system: "{{ synapse_user_system | default(true, true) }}"
     create_home: "{{ synapse_user_create_home | default(false, true) }}"
-    groups: "{{ synapse_user_groups | default(omit, true) }}"
+    groups: "{{ synapse_user_all_groups | default(omit, true) }}"
-    append: "{{ (synapse_user_groups is defined) | ternary(true, omit) }}"
+    append: "{{ synapse_user_groups_append | default(omit, true) }}"
   register: synapse_user_info
 
 - name: Ensure directories for synapse are {{ synapse_state }}
@@ -20,8 +27,11 @@
     - path: "{{ synapse_base_path }}"
       mode: "0755"
     - path: "{{ synapse_config_path }}"
+      mode: "0755"
     - path: "{{ synapse_data_path }}"
+      mode: "0755"
     - path: "{{ synapse_media_store_path }}"
+      mode: "0755"
     - path: "{{ synapse_log_path }}"
       mode: "0755"
   loop_control:
@@ -32,6 +42,8 @@
     path: "{{ synapse_signing_key_file }}"
     state: "{{ synapse_state }}"
   when: synapse_role_generate_signing_key
+  notify:
+    - synapse-restart
 
 - name: Ensure configuration files are templated
   ansible.builtin.copy:
@@ -57,5 +69,6 @@
       - content: "{{ synapse_signing_key }}"
         path: "{{ synapse_signing_key_file }}"
         mode: "0640"
-
+  notify:
-# TODO: signing key generation/handling
+    - synapse-restart
+  when: synapse_state != 'absent'

roles/synapse/tasks/deploy-docker.yml

@@ -7,8 +7,8 @@
     force_source: "{{ synapse_container_image_tag | default(false, true) | bool }}"
   register: synapse_container_image_info
   until: synapse_container_image_info is success
-  retries: 10
+  retries: 4
-  delay: 5
+  delay: 2
 
 - name: Ensure synapse container '{{ synapse_container_name }}' is {{ (synapse_state == 'present') | ternary('started', 'absent') }}
   community.docker.docker_container:
@@ -16,11 +16,11 @@
     image: "{{ synapse_container_image }}"
     env: "{{ synapse_container_env | default(omit, true) }}"
     user: "{{ synapse_container_user | default(omit, true) }}"
-    group: "{{ synapse_container_group | default(omit, true) }}"
+    groups: "{{ synapse_container_groups | default(omit, true) }}"
     ports: "{{ synapse_container_ports | default(omit, true) }}"
     labels: "{{ synapse_container_labels | default(omit, true) }}"
     ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
-    volumes: "{{ synapse_container_volumes | default(omit, true) }}"
+    volumes: "{{ synapse_container_all_volumes }}"
     networks: "{{ synapse_container_networks | default(omit, true) }}"
     purge_networks: "{{ synapse_container_purge_networks | default(omit, true) }}"
     dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"

roles/synapse/tasks/deploy-podman.yml

@@ -0,0 +1,31 @@
+---
+- name: Ensure container image '{{ synapse_container_image }}' is {{ synapse_state }} on host
+  containers.podman.podman_image:
+    name: "{{ synapse_container_image }}"
+    state: "{{ synapse_state }}"
+    pull: "{{ synapse_container_image_source == 'pull' }}"
+    force: "{{ synapse_container_image_tag | default(false, true) | bool }}"
+  register: synapse_container_image_info
+  until: synapse_container_image_info is success
+  retries: 5
+  delay: 3
+
+- name: Ensure synapse container '{{ synapse_container_name }}' is {{ synapse_container_state }}
+  containers.podman.podmain_container:
+    name: "{{ synapse_container_name }}"
+    image: "{{ synapse_container_image }}"
+    env: "{{ synapse_container_env | default(omit, true) }}"
+    user: "{{ synapse_container_user | default(omit, true) }}"
+    groups: "{{ synapse_container_groups | default(omit, true) }}"
+    ports: "{{ synapse_container_ports | default(omit, true) }}"
+    labels: "{{ synapse_container_labels | default(omit, true) }}"
+    ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
+    volumes: "{{ synapse_container_all_volumes }}"
+    network: "{{ synapse_container_networks | default(omit, true) }}"
+    dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"
+    etc_hosts: "{{ synapse_container_etc_hosts | default(omit, true) }}"
+    memory: "{{ synapse_container_memory | default(omit, true) }}"
+    memory_reservation: "{{ synapse_container_memory_reservation | default(omit, true) }}"
+    memory_swap: "{{ synapse_container_memory_swap | default(omit, true) }}"
+    restart_policy: "{{ synapse_container_restart_policy }}"
+    state: "{{ synapse_container_state }}"

roles/synapse/tasks/deploy-virtualenv.yml

@@ -0,0 +1,67 @@
+---
+- name: Ensure directory for virtualenv is {{ synapse_state }}
+  ansible.builtin.file:
+    path: "{{ synapse_venv_path }}"
+    owner: >-2
+      {{ synapse_user_info.uid | default(synapse_user) }}
+    group: >-2
+      {{ synapse_user_info.group | default(synapse_user) }}
+    mode: "{{ synapse_venv_path_mode | default('0755') }}"
+    state: >-
+      {{ (synapse_state == 'present')
+        | ternary('directory', 'absent') }}
+
+- name: Ensure virtual environment is {{ synapse_state }}
+  ansible.builtin.pip:
+    name: "{{ synapse_venv_pip_dependencies }}"
+    virtualenv: "{{ synapse_venv_path }}"
+    virtualenv_python: "{{ synapse_venv_python_binary }}"
+    extra_args: "{{ synapse_venv_extra_args | default(omit, true) }}"
+    state: "{{ synapse_state }}"
+
+- name: Ensure synapse pip package is {{ synapse_state }}
+  ansible.builtin.pip:
+    name: "{{ synapse_venv_package }}"
+    version: "{{ synapse_version }}"
+    state: "{{ synapse_state }}"
+    virtualenv: "{{ synapse_venv_path }}"
+  notify:
+    - synapse-restart
+  when: synapse_state != 'absent'
+
+- name: Ensure synapse virtualenv is {{ synapse_state }}
+  ansible.builtin.file:
+    path: "{{ synapse_venv_path }}"
+    state: "{{ synapse_state }}"
+  when: synapse_state == 'absent'
+
+- name: Ensure systemd unit is {{ synapse_state }}
+  ansible.builtin.template:
+    src: "synapse.service.j2"
+    dest: "{{ synapse_systemd_service_file }}"
+  notify:
+    - systemd-daemon-reload
+  when: synapse_state != 'absent'
+
+- name: Ensure systemd unit is {{ synapse_state }}
+  ansible.builtin.file:
+    path: "{{ synapse_systemd_service_file }}"
+    state: "{{ synapse_state }}"
+  when: synapse_state == 'absent'
+  notify:
+    - systemd-daemon-reload
+
+- name: Ensure handlers are flushed for systemd daemon reload and synapse service state propagation
+  meta: flush_handlers
+
+- name: Ensure systemd service is {{ synapse_systemd_state }}
+  ansible.builtin.systemd_service:
+    name: "{{ synapse_systemd_name }}"
+    state: "{{ synapse_systemd_state }}"
+  when: synapse_state != 'absent'
+
+- name: Ensure systemd service is {{ synapse_systemd_enabled | ternary('enabled', 'disabled') }}
+  ansible.builtin.systemd_service:
+    name: "{{ synapse_systemd_name }}"
+    enabled: "{{ synapse_systemd_enabled }}"
+  when: synapse_state != 'absent'

roles/synapse/templates/synapse.service.j2

@@ -0,0 +1,44 @@
+[Unit]
+Description={{ synapse_systemd_unit_description }}
+
+{% if synapse_systemd_unit_after | default([]) | length > 0 %}
+After={{ synapse_systemd_unit_after | join(' ') }}
+{% endif %}
+{% if synapse_systemd_unit_wants | default([]) | length > 0 %}
+Wants={{ synapse_systemd_unit_wants | join(' ') }}
+{% endif %}
+
+[Service]
+Type={{ synapse_systemd_service_type }}
+WorkingDirectory={{ synapse_venv_path }}
+ExecStart={{ synapse_systemd_service_exec_start }}
+ExecStop={{ synapse_systemd_service_exec_stop }}
+ExecReload={{ synapse_systemd_service_exec_reload }}
+
+User={{ synapse_run_user }}
+Group={{ synapse_run_group }}
+
+Restart={{ synapse_systemd_service_restart }}
+
+ProtectSystem={{ synapse_systemd_service_protect_system }}
+ProtectHome={{ synapse_systemd_service_protect_home }}
+ProtectClock={{ synapse_systemd_service_protect_clock }}
+ProtectHostname={{ synapse_systemd_service_protect_hostname }}
+ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
+ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
+ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
+ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
+
+RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
+RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
+{% for path in synapse_systemd_service_read_write_paths | default([]) %}
+ReadWritePaths={{ path }}
+{% endfor %}
+RestrictAddressFamilies={{ synapse_systemd_service_restrict_address_families | join(' ') }}
+
+RemoveIPC={{ synapse_systemd_service_remove_ipc }}
+LockPersonality={{ synapse_systemd_service_lock_personality }}
+NoNewPrivileges={{ synapse_systemd_service_no_new_privileges }}
+
+[Install]
+WantedBy={{ synapse_systemd_install_wanted_by }}

roles/synapse/vars/main.yml

@@ -5,6 +5,8 @@ synapse_states:
 
 synapse_deployment_methods:
   - docker
+  - podman
+  - virtualenv
 
 synapse_required_variables:
   - synapse_domain