feat(synapse): add ansible role

plugins/modules/synapse_signing_key.py

@@ -94,7 +94,7 @@ def main() -> None:
 
     if not module.check_mode:
         if state == 'present' and not existing_key_found and path:
-            _save_signing_keys(path, keys)
+            _write_signing_keys(path, keys)
         if state == 'absent' and existing_key_found:
             os.remove(path)
             result['changed'] = True
@@ -124,8 +124,8 @@ def _read_signing_keys(file):
         return read_signing_keys(stream)
 
 def _write_signing_keys(file, keys) -> None:
-    with open(file, "w", opener=lambda path, f: op.open(path, f, mode=0o640)) as stream:
+    with open(file, "w", opener=lambda path, f: os.open(path, f, mode=0o640)) as stream:
-        write_signing_keys(strea, keys)
+        write_signing_keys(stream, keys)
 
 def _generate_signing_key():
     id = ''

roles/synapse/defaults/main/container.yml

@@ -18,7 +18,9 @@ synapse_container_image_repository: >-2
 synapse_container_image_source: pull
 synapse_container_image_tag: ~
 synapse_container_env: {}
-synapse_container_user: ~
+synapse_container_user: >-
+  {{ ((synapse_user_info is defined) and ('uid' in synapse_user_info))
+  | ternary(synapse_user_info.uid, synapse_user) }}
 synapse_container_group: ~
 synapse_container_ports: ~
 synapse_container_labels: ~
@@ -35,9 +37,12 @@ synapse_container_restart_policy: "unless-stopped"
 
 synapse_container_volumes: ~
 synapse_container_default_volumes:
-  - "{{ synapse_homeserver_config_file }}:{{ synapse_homeserver_config_file }}:ro"
+  - "{{ synapse_homeserver_config_file }}:/data/homeserver.yaml:ro"
   - "{{ synapse_logging_config_file }}:{{ synapse_logging_config_file }}:ro"
   - "{{ synapse_signing_key_file }}:{{ synapse_signing_key_file }}:ro"
   - "{{ synapse_data_path }}:{{ synapse_data_path }}:z"
   - "{{ synapse_media_store_path }}:{{ synapse_media_store_path }}:z"
-
+  - "{{ synapse_log_path }}:{{ synapse_log_path }}:z"
+synapse_container_all_volumes: >-
+  {{ synapse_container_default_volumes | default([], true)
+  + synapse_container_volumes | default([], true) }}

roles/synapse/defaults/main/homeserver.api.yml

@@ -0,0 +1,31 @@
+---
+synapse_config_macaroon_secret_key: ~
+synapse_config_form_secret: ~
+synapse_config_use_appservice_legacy_authorization: false
+synapse_config_track_appservice_user_ips: false
+synapse_config_track_puppeted_user_ips: false
+synapse_config_app_service_config_files: []
+synapse_config_room_prejoin_state_disable_default_event_types: false
+synapse_config_room_prejoin_state_additional_event_types: []
+
+synapse_base_api_config:
+  app_service_config_files: "{{ synapse_config_app_service_config_files }}" 
+  use_appservice_legacy_authorization: >-
+    {{ synapse_config_use_appservice_legacy_authorization }}
+  track_appservice_user_ips: >-
+    {{ synapse_config_track_appservice_user_ips }}
+  track_puppeted_user_ips: >-
+    {{ synapse_config_track_puppeted_user_ips }}
+  room_prejoin_state:
+    disable_default_event_types: >-2
+      {{ synapse_config_room_prejoin_state_disable_default_event_types }}
+    additional_event_types: >-2
+      {{ synapse_config_room_prejoin_state_additional_event_types }}
+synapse_api_config: >-2
+  {{
+    synapse_base_api_config
+    | combine(({"macaroon_secret_key": synapse_config_macaroon_secret_key})
+      if synapse_config_macaroon_secret_key | default(false, true) else {})
+    | combine(({"form_secret": synapse_config_form_secret})
+      if synapse_config_form_secret | default(false, true) else {})
+  }}

roles/synapse/defaults/main/homeserver.cache.yml

@@ -1,6 +1,6 @@
 ---
 synapse_config_event_cache_size: "10K"
-synapse_config_caches_global_factor: "0.5"
+synapse_config_caches_global_factor: 0.5
 synapse_config_caches_per_cache_factors: {}
 synapse_config_caches_expire_caches: true
 synapse_config_caches_sync_response_cache_duration: "2m"

roles/synapse/defaults/main/homeserver.config.yml

@@ -7,7 +7,7 @@ synapse_config_media_store_path: >-
 synapse_config_signing_key_path: >-
   {{ synapse_signing_key_file }}
 synapse_config_trusted_key_servers:
-  - "matrix.org"
+  - server_name: "matrix.org"
 synapse_listeners_config: "{{ synapse_config_listeners }}"
 
 synapse_default_config: >-
@@ -21,6 +21,8 @@ synapse_default_config: >-
     | combine(synapse_cache_config)
     | combine(synapse_ratelimit_config)
     | combine(synapse_metrics_config)
+    | combine(synapse_api_config)
+    | combine(synapse_push_config)
   }}
 
 synapse_homeserver_config: >-

roles/synapse/defaults/main/homeserver.federation.yml

@@ -20,7 +20,6 @@ synapse_federation_tls_config:
     {{ synapse_config_federation_client_minimum_tls_version }}
   federation_certificate_verification_whitelist: >-
     {{ synapse_config_federation_verification_whitelist }}
-  federation_custom_ca_list: "{{ synapse_config_federation_custom_ca_list }}"
 
 synapse_federation_config: >-
   {{
@@ -32,6 +31,9 @@ synapse_federation_config: >-
       "federation": synapse_config_federation
     }
     | combine(synapse_federation_tls_config)
+    | combine(({"federation_custom_ca_list": synapse_config_federation_custom_ca_list})
+      if (synapse_config_federation_custom_ca_list | default(false, true)
+        and synapse_config_federation_custom_ca_list | length > 0) else {})
     | combine(({"federation_domain_whitelist": synapse_config_federation_domain_whitelist})
       if synapse_config_federation_domain_whitelist | default(false, true) else {})
   }}

roles/synapse/defaults/main/homeserver.listeners.yml

@@ -1,7 +1,7 @@
 ---
 synapse_config_listeners: >-
   {{ synapse_listeners_default_config }}
-synapse_config_listeners_port: "8080"
+synapse_config_listeners_port: 8080
 synapse_config_listeners_tls: false
 synapse_config_listeners_type: http
 synapse_config_listeners_x_forwarded: true

roles/synapse/defaults/main/homeserver.metrics.yml

@@ -15,10 +15,14 @@ synapse_metrics_sentry_config: >-
       if synapse_config_sentry_dsn | default(false, true) else {})
   }}
 
-synapse_metrics_config:
+synapse_base_metrics_config:
   enable_metrics: "{{ synapse_config_enable_metrics }}"
-  sentry: "{{ synapse_metrics_sentry_config }}"
   metrics_flags:
     known_servers: "{{ synapse_config_metrics_flags_known_servers }}"
   report_stats: "{{ synapse_config_report_stats }}"
   report_stats_endpoint: "{{ synapse_config_report_stats_endpoint }}"
+synapse_metrics_config: >-
+  {{ synapse_base_metrics_config
+  | combine(({"sentry": synapse_metrics_sentry_config})
+    if (synapse_config_sentry_dsn or synapse_config_sentry_environment) else {})
+  }}

roles/synapse/defaults/main/homeserver.push.yml

@@ -0,0 +1,12 @@
+---
+synapse_config_push_enabled: true
+synapse_config_push_include_content: true
+synapse_config_push_group_unread_count_by_room: true
+synapse_config_push_jitter_delay: "0.5s"
+
+synapse_push_config:
+  enabled: "{{ synapse_config_push_enabled }}"
+  include_content: "{{ synapse_config_push_include_content }}"
+  group_unread_count_by_room: >-
+    {{ synapse_config_push_group_unread_count_by_room }}
+  jitter_delay: "{{ synapse_config_push_jitter_delay }}"

roles/synapse/defaults/main/homeserver.server.yml

@@ -17,6 +17,8 @@ synapse_config_block_non_admin_invites: false
 synapse_config_enable_search: true
 synapse_config_dummy_events_threshold: 10
 synapse_config_delete_stale_devices_after: "90d"
+synapse_config_key_refresh_interval: "1d"
+synapse_config_suppress_key_server_warning: false
 
 synapse_config_ip_range_blacklist:
   - '127.0.0.0/8'
@@ -44,10 +46,12 @@ synapse_default_server_config:
   server_name: "{{ synapse_config_server_name }}"
   pid_file: "{{ synapse_config_pid_file }}"
   listeners: "{{ synapse_listeners_config }}"
-  database: "{{ synapse_listeners_config }}"
+  database: "{{ synapse_database_config }}"
   log_config: "{{ synapse_config_log_config_path }}"
   signing_key_path: "{{ synapse_config_signing_key_path }}"
+  key_refresh_interval: "{{ synapse_config_key_refresh_interval }}"
   trusted_key_servers: "{{ synapse_config_trusted_key_servers }}"
+  suppress_key_server_warning: "{{ synapse_config_suppress_key_server_warning }}"
   public_baseurl: "{{ synapse_config_public_baseurl }}"
   serve_server_wellknown: "{{ synapse_config_serve_server_wellknown }}"
   extra_well_known_client_content: >-

roles/synapse/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Ensure synapse is restarted
+  listen: synapse-restart
+  community.docker.docker_container:
+    name: "{{ synapse_container_name }}"
+    state: started
+    restart: true
+  when: synapse_deployment_method == 'docker'

roles/synapse/tasks/configure.yml

@@ -32,6 +32,8 @@
     path: "{{ synapse_signing_key_file }}"
     state: "{{ synapse_state }}"
   when: synapse_role_generate_signing_key
+  notify:
+    - synapse-restart
 
 - name: Ensure configuration files are templated
   ansible.builtin.copy:
@@ -57,5 +59,5 @@
       - content: "{{ synapse_signing_key }}"
         path: "{{ synapse_signing_key_file }}"
         mode: "0640"
-
+  notify:
-# TODO: signing key generation/handling
+    - synapse-restart

roles/synapse/tasks/deploy-docker.yml

@@ -7,8 +7,8 @@
     force_source: "{{ synapse_container_image_tag | default(false, true) | bool }}"
   register: synapse_container_image_info
   until: synapse_container_image_info is success
-  retries: 10
+  retries: 4
-  delay: 5
+  delay: 2
 
 - name: Ensure synapse container '{{ synapse_container_name }}' is {{ (synapse_state == 'present') | ternary('started', 'absent') }}
   community.docker.docker_container:
@@ -20,7 +20,7 @@
     ports: "{{ synapse_container_ports | default(omit, true) }}"
     labels: "{{ synapse_container_labels | default(omit, true) }}"
     ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
-    volumes: "{{ synapse_container_volumes | default(omit, true) }}"
+    volumes: "{{ synapse_container_all_volumes }}"
     networks: "{{ synapse_container_networks | default(omit, true) }}"
     purge_networks: "{{ synapse_container_purge_networks | default(omit, true) }}"
     dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"