feat(synapse): add ansible role

roles/synapse/README.md

@@ -14,16 +14,15 @@ The following variables need to be populated:
 
 - [Configure your database](docs/database.md)
 - [Configure your listeners](docs/listeners.md)
-- [Configure logging](docs/logging.md)
 
 ## Deployment methods
 
-- `docker`
+### Docker
-- `podman`
 
-Set `synapse_deployment_method` to one of the supported deployment methods.
+Set `synapse_deployment_method: docker` to deploy synapse in docker container(s).
-The current default is `docker`.
+This is currently the default.
 
-### Planned deployment methods
+### Planned methods
 
-- `venv` - Python virtual env supervised with `systemd`
+- virtual env + systemd
+- podman

roles/synapse/defaults/main/container.yml

@@ -18,14 +18,10 @@ synapse_container_image_repository: >-2
 synapse_container_image_source: pull
 synapse_container_image_tag: ~
 synapse_container_env: {}
-synapse_container_user: >-2
+synapse_container_user: >-
   {{ ((synapse_user_info is defined) and ('uid' in synapse_user_info))
   | ternary(synapse_user_info.uid, synapse_user) }}
-synapse_container_group: >-2
+synapse_container_group: ~
-  {{ ((synapse_user_info is defined) and ('group' in synapse_user_info))
-  | ternary(synapse_user_info.group, synapse_user) }}
-synapse_container_groups:
-  - "{{ synapse_container_group }}"
 synapse_container_ports: ~
 synapse_container_labels: ~
 synapse_container_ulimits: ~
@@ -36,14 +32,8 @@ synapse_container_etc_hosts: ~
 synapse_container_memory: ~
 synapse_container_memory_reservation: ~
 synapse_container_memory_swap: ~
-synapse_container_state: >-2
+synapse_container_state: "started"
-  {{ (synapse_state == 'present')
+synapse_container_restart_policy: "unless-stopped"
-  | ternary('started', 'absent') }}
-synapse_container_restart_policy: >-2
-  {{ (synapse_deployment_method == 'docker')
-    | ternary('unless-stopped', ((synapse_deployment_method == 'podman')
-      | ternary('on-failure', 'always')))
-  }}
 
 synapse_container_volumes: ~
 synapse_container_default_volumes:
@@ -53,13 +43,6 @@ synapse_container_default_volumes:
   - "{{ synapse_data_path }}:{{ synapse_data_path }}:z"
   - "{{ synapse_media_store_path }}:{{ synapse_media_store_path }}:z"
   - "{{ synapse_log_path }}:{{ synapse_log_path }}:z"
-synapse_container_tls_volumes:
-  - "{{ synapse_config_tls_certificate_path }}:{{ synapse_config_tls_certificate_path }}:ro"
-  - "{{ synapse_config_tls_private_key_path }}:{{ synapse_config_tls_private_key_path_path }}:ro"
 synapse_container_all_volumes: >-
   {{ synapse_container_default_volumes | default([], true)
-  + (synapse_container_tls_volumes
-      if (synapse_config_tls_private_key_path | default(false, true) | bool
-        and synapse_config_tls_certificate_path | default(false, true) | bool)
-      else [])
   + synapse_container_volumes | default([], true) }}

roles/synapse/defaults/main/homeserver.listeners.yml

@@ -22,20 +22,3 @@ synapse_listeners_default_config:
     x_forwarded: "{{ synapse_config_listeners_x_forwarded }}"
     bind_addresses: "{{ synapse_config_listeners_bind_addresses }}"
     resources: "{{ synapse_config_listeners_resources }}"
-synapse_config_metrics_listener_port: 9000
-synapse_config_metrics_listener_tls: false
-synapse_config_metrics_listener_type: http
-synapse_config_metrics_listener_x_forwarded: false
-synapse_config_metrics_listener_bind_addresses:
-  - "127.0.0.1"
-  - "::1"
-synapse_config_metrics_listener_resources:
-  - names: metrics
-    compress: false
-synapse_metrics_listener:
-  - port: "{{ synapse_config_metrics_listener_port }}"
-    tls: "{{ synapse_config_metrics_listener_tls }}"
-    type: "{{ synapse_config_metrics_listener_type }}"
-    x_forwarded: "{{ synapse_config_metrics_listener_x_forwarded }}"
-    bind_addresses: "{{ synapse_config_metrics_listener_bind_addresses }}"
-    resources: "{{ synapse_config_metrics_listener_resources }}"

roles/synapse/defaults/main/homeserver.push.yml

@@ -2,12 +2,11 @@
 synapse_config_push_enabled: true
 synapse_config_push_include_content: true
 synapse_config_push_group_unread_count_by_room: true
-synapse_config_push_jitter_delay: "1s"
+synapse_config_push_jitter_delay: "0.5s"
 
 synapse_push_config:
-  push:
+  enabled: "{{ synapse_config_push_enabled }}"
-    enabled: "{{ synapse_config_push_enabled }}"
+  include_content: "{{ synapse_config_push_include_content }}"
-    include_content: "{{ synapse_config_push_include_content }}"
+  group_unread_count_by_room: >-
-    group_unread_count_by_room: >-
+    {{ synapse_config_push_group_unread_count_by_room }}
-      {{ synapse_config_push_group_unread_count_by_room }}
+  jitter_delay: "{{ synapse_config_push_jitter_delay }}"
-    jitter_delay: "{{ synapse_config_push_jitter_delay }}"

roles/synapse/docs/database.md

@@ -13,7 +13,7 @@ synapse_config_database_args:
   user: my_synapse_db_user
   password: my_synapse_db_password
   host: my_database_host
-  port: my_database_port_to_connect_to
+  port: my_database_port_to_connect_to | int
   # connection pooling (cp) settings, min and max connections
   cp_min: 5 | int
   cp_max: 20 | int

roles/synapse/docs/listeners.md

@@ -2,7 +2,7 @@
 
 Synapse serves endpoints under so-called listeners, which are
 defined in `synapse_listeners_config`. The role gives some pre-
-configured options to set for use in various scenarios.
+configured options to set for use in various scenarios:
 
 ## Behind reverse proxy which does SSL offloading
 
@@ -15,71 +15,10 @@ Use it like this:
 ```yaml
 synapse_listeners_config: "{{ synapse_listeners_default_config }}"
 # Change the port like this
-synapse_config_listeners_port: 8090
+synapse_config_listeners_port: "8090"
 # If you use docker or your reverse-proxy is not local,
 # set the listen_addresses like this
 synapse_config_listeners_bind_addresses:
   - "::"
   - "0.0.0.0"
 ```
-
-### Additional local metrics listener
-
-The role provides a ready-to-use configuration for a locally-reachable
-metrics listener in `synapse_metrics_listener`.
-
-To enable it, set `synapse_config_listeners: "{{ synapse_listeners_default_config + synapse_metrics_listener}}`.
-
-To customize the listener, see [the `synapse_config_metrics_listener_*` variables
-in `defaults/main/homeserver.listeners.yml`](../defaults/main/homeserver.listeners.yml).
-
-The defaults will create a http-only metrics listener on port 9000 which
-will listen on `127.0.0.1` and `::1`.
-
-## Synapse handling TLS without reverse proxy
-
-Supply your certificates using `synapse_config_tls_{certificate,private_key}_path`.
-
-Then you can either customize the default listener like this:
-```yaml
-# synapse_config_tls_certificate_path: "/etc/ssl/{{ synapse_domain }}.pem"
-# synapse_config_tls_private_key_path: "/etc/ssl/{{ synapse_domain }}.key"
-synapse_config_listeners_port: 443
-synapse_config_listeners_tls: true
-synapse_config_listeners_type: https
-synapse_config_listeners_x_forwarded: false
-synapse_config_listeners_resources_compress: true
-synapse_config_serve_server_wellknown: true
-```
-
-or you can serve federation over a different port, by completely rewriting
-the role's defaults:
-```yaml
-synapse_config_listeners:
-  - port: 8448
-    tls: true
-    type: https
-    x_forwarded: true
-    bind_addresses:
-      - 10.0.0.1
-      - fd00::1
-    resources:
-      - names: federation
-        compress: true
-  - port: 443
-    tls: true
-    type: https
-    x_forwarded: true
-    bind_addresses:
-      - 10.0.0.2
-      - fd00::2
-    resources:
-      - names: client
-        compress: true
-```
-
-It is possible to mix and match those listeners to almost all requirements,
-like listening locally without HTTPs for federation and using a WAF / firewall /
-reverse proxy infront of synapse for federation (see: "Secure Border Gateways")
-and trusting the `X-Forwarded-For` Header, while having clients
-directly connect to synapse.

roles/synapse/docs/logging.md

@@ -1,48 +0,0 @@
-# `synapse` logging configuration
-
-Synapse uses a `buffer` handler per default, which flushes
-periodically, but flushes logs immediately for log events
-with a level greater or equal to WARNING.
-
-To set your desired log level, specify it in `synapse_log_config_root_level`.
-
-## Formatters
-
-By default, the upstream `precise` formatter is availabe. To define and use
-more formatters, extend `synapse_log_config_formatters` like this:
-
-```yaml
-synapse_log_config_formatters_custom_json:
-  custom_json:
-    format: >-
-      {"lineno": %(lineno)d, "level": "%(levelname)s", "req_id": "%(request)s", "msg": "%(message)s"}
-synapse_log_config_formatters: >-2
-  {{
-    ({ synapse_log_config_formatters_precise_name: synapse_log_config_formatters_precise })
-    | combine(synapse_log_config_formatters_custom_json)
-  }}
-
-# Set handlers to use your formatter like this
-synapse_log_config_handlers_file_formatter: custom_json
-synapse_log_config_handlers_console_formatter: custom_json
-```
-
-## Handlers
-
-For modifying the built-in `file`/`buffer`/`console` handlers, see
-[the defaults in `../defaults/main/log.config.yml`](../defaults/main/log.config.yml).
-
-### Containers
-
-For typical container setups, it is often recommended to log all
-logs to `stdout`/`stderr`. This can be easily archieved by setting
-`synapse_log_config_root_handlers: [ synapse_log_config_handlers_console_name ]`.
-
-## Child loggers
-
-To set a different configuration / log level for child loggers of
-the root logger (currently, this is only `synapse.storage.SQL`),
-override `synapse_log_config_loggers` directly or for the SQL loggers,
-set the level in `synapse_log_config_loggers_synapse_storage_sql_level`
-(which defaults to `synapse_log_config_root_level`).
-

roles/synapse/handlers/main.yml

@@ -6,11 +6,3 @@
     state: started
     restart: true
   when: synapse_deployment_method == 'docker'
-
-- name: Ensure synapse is restarted
-  listen: synapse-restart
-  containers.podman.podman_container:
-    name: "{{ synapse_container_name }}"
-    state: "{{ synapse_container_state }}"
-    force_restart: true
-  when: synapse_deployment_method == 'podman'

roles/synapse/tasks/check.yml

@@ -13,7 +13,7 @@
   when: synapse_deployment_method not in synapse_deployment_methods
 
 - name: Ensure required variables are given
-  ansible.builtin.fail:
+  fail:
     msg: "Required variable '{{ item }}' is undefined!"
   loop: "{{ synapse_required_variables }}"
   when: >-2
@@ -21,7 +21,7 @@
     or hostvars[ansible_host][item] | length == 0
 
 - name: Ensure conditionally required variables are given
-  ansible.builtin.fail:
+  fail:
     msg: "Required variable '{{ item.name }}' is undefined!"
   loop: "{{ synapse_conditionally_required_variables }}"
   loop_control:

roles/synapse/tasks/configure.yml

@@ -20,11 +20,8 @@
     - path: "{{ synapse_base_path }}"
       mode: "0755"
     - path: "{{ synapse_config_path }}"
-      mode: "0755"
     - path: "{{ synapse_data_path }}"
-      mode: "0755"
     - path: "{{ synapse_media_store_path }}"
-      mode: "0755"
     - path: "{{ synapse_log_path }}"
       mode: "0755"
   loop_control:

roles/synapse/tasks/deploy-docker.yml

@@ -16,7 +16,7 @@
     image: "{{ synapse_container_image }}"
     env: "{{ synapse_container_env | default(omit, true) }}"
     user: "{{ synapse_container_user | default(omit, true) }}"
-    groups: "{{ synapse_container_groups | default(omit, true) }}"
+    group: "{{ synapse_container_group | default(omit, true) }}"
     ports: "{{ synapse_container_ports | default(omit, true) }}"
     labels: "{{ synapse_container_labels | default(omit, true) }}"
     ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"

roles/synapse/tasks/deploy-podman.yml

@@ -1,31 +0,0 @@
----
-- name: Ensure container image '{{ synapse_container_image }}' is {{ synapse_state }} on host
-  containers.podman.podman_image:
-    name: "{{ synapse_container_image }}"
-    state: "{{ synapse_state }}"
-    pull: "{{ synapse_container_image_source == 'pull' }}"
-    force: "{{ synapse_container_image_tag | default(false, true) | bool }}"
-  register: synapse_container_image_info
-  until: synapse_container_image_info is success
-  retries: 5
-  delay: 3
-
-- name: Ensure synapse container '{{ synapse_container_name }}' is {{ synapse_container_state }}
-  containers.podman.podmain_container:
-    name: "{{ synapse_container_name }}"
-    image: "{{ synapse_container_image }}"
-    env: "{{ synapse_container_env | default(omit, true) }}"
-    user: "{{ synapse_container_user | default(omit, true) }}"
-    groups: "{{ synapse_container_groups | default(omit, true) }}"
-    ports: "{{ synapse_container_ports | default(omit, true) }}"
-    labels: "{{ synapse_container_labels | default(omit, true) }}"
-    ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
-    volumes: "{{ synapse_container_all_volumes }}"
-    network: "{{ synapse_container_networks | default(omit, true) }}"
-    dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"
-    etc_hosts: "{{ synapse_container_etc_hosts | default(omit, true) }}"
-    memory: "{{ synapse_container_memory | default(omit, true) }}"
-    memory_reservation: "{{ synapse_container_memory_reservation | default(omit, true) }}"
-    memory_swap: "{{ synapse_container_memory_swap | default(omit, true) }}"
-    restart_policy: "{{ synapse_container_restart_policy }}"
-    state: "{{ synapse_container_state }}"

roles/synapse/vars/main.yml

@@ -5,7 +5,6 @@ synapse_states:
 
 synapse_deployment_methods:
   - docker
-  - podman
 
 synapse_required_variables:
   - synapse_domain