feat(synapse): add ansible role

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: matrix
-version: 0.1.0
+version: 0.0.1
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@@ -9,4 +9,4 @@ license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/matrix
-issues: https://codeberg.org/finallycoffee/ansible-collection-matrix/issues
+issues: https://git.finally.coffee/finallycoffee/matrix/issues

plugins/modules/synapse_signing_key.md

@@ -8,7 +8,7 @@ Module to generate and manage synapse signing keys.
 ## Requirements
 
 - `python >= 3.9`
-- (pip) `signed_json >= 1.1.4`
+- `signed_json >= 1.1.4`
 
 
 ## Usage examples

roles/synapse/README.md

@@ -18,23 +18,12 @@ The following variables need to be populated:
 
 ## Deployment methods
 
-- `docker`
+### Docker
-- `podman`
-- `virtualenv` - Python virtual env supervised with `systemd`
 
-Set `synapse_deployment_method` to one of the supported deployment methods.
+Set `synapse_deployment_method: docker` to deploy synapse in docker container(s).
-The current default is `docker`.
+This is currently the default.
 
-### `virtualenv` deployment method
+### Planned methods
 
-This deployment method installs a `systemd` service called `synapse.service` to
+- virtual env + systemd
-control the homeserver process. The service depends on the `network.target` by
+- podman
-default (see [`synapse_systemd_unit_after`](synapse/main/systemd.yml)), and
-uses the `default.target` as it's `WantedBy`
-(see [`synapse_systemd_install_wanted_by`](synapse/main/systemd.yml)).
-
-To only start synapse after, for example, services for redis and postgresql are up,
-set `synapse_systemd_unit_wants: [ "postgresql.service", "redis.service" ]`.
-
-> [!NOTE]
-> Requires `systemd >= 245` on the target machine

roles/synapse/defaults/main/container.yml

@@ -18,14 +18,10 @@ synapse_container_image_repository: >-2
 synapse_container_image_source: pull
 synapse_container_image_tag: ~
 synapse_container_env: {}
-synapse_container_user: >-2
+synapse_container_user: >-
   {{ ((synapse_user_info is defined) and ('uid' in synapse_user_info))
   | ternary(synapse_user_info.uid, synapse_user) }}
-synapse_container_group: >-2
+synapse_container_group: ~
-  {{ ((synapse_user_info is defined) and ('group' in synapse_user_info))
-  | ternary(synapse_user_info.group, synapse_user) }}
-synapse_container_groups:
-  - "{{ synapse_container_group }}"
 synapse_container_ports: ~
 synapse_container_labels: ~
 synapse_container_ulimits: ~
@@ -36,14 +32,8 @@ synapse_container_etc_hosts: ~
 synapse_container_memory: ~
 synapse_container_memory_reservation: ~
 synapse_container_memory_swap: ~
-synapse_container_state: >-2
+synapse_container_state: "started"
-  {{ (synapse_state == 'present')
+synapse_container_restart_policy: "unless-stopped"
-  | ternary('started', 'absent') }}
-synapse_container_restart_policy: >-2
-  {{ (synapse_deployment_method == 'docker')
-    | ternary('unless-stopped', ((synapse_deployment_method == 'podman')
-      | ternary('on-failure', 'always')))
-  }}
 
 synapse_container_volumes: ~
 synapse_container_default_volumes:
@@ -53,13 +43,6 @@ synapse_container_default_volumes:
   - "{{ synapse_data_path }}:{{ synapse_data_path }}:z"
   - "{{ synapse_media_store_path }}:{{ synapse_media_store_path }}:z"
   - "{{ synapse_log_path }}:{{ synapse_log_path }}:z"
-synapse_container_tls_volumes:
-  - "{{ synapse_config_tls_certificate_path }}:{{ synapse_config_tls_certificate_path }}:ro"
-  - "{{ synapse_config_tls_private_key_path }}:{{ synapse_config_tls_private_key_path_path }}:ro"
 synapse_container_all_volumes: >-
   {{ synapse_container_default_volumes | default([], true)
-  + (synapse_container_tls_volumes
-      if (synapse_config_tls_private_key_path | default(false, true) | bool
-        and synapse_config_tls_certificate_path | default(false, true) | bool)
-      else [])
   + synapse_container_volumes | default([], true) }}

roles/synapse/defaults/main/homeserver.turn.yml

@@ -2,7 +2,6 @@
 # TURN / RTC configuration
 synapse_config_turn_uris: []
 synapse_config_turn_shared_secret: ~
-synapse_config_turn_shared_secret_path: ~
 synapse_config_turn_username: ~
 synapse_config_turn_password: ~
 synapse_config_turn_user_lifetime: "2h"
@@ -17,8 +16,6 @@ synapse_turn_config: >-2
     synapse_turn_config_base
     | combine(({ turn_shared_secret: synapse_config_turn_shared_secret })
       if synapse_config_turn_shared_secret | default(false, true) else {})
-    | combine(({ turn_shared_secret_path: synapse_config_turn_shared_secret_path })
-      if synapse_config_turn_shared_secret_path | default(false, true) else {})
     | combine(({ turn_username: synapse_config_turn_username })
       if synapse_config_username | default(false, true) else {})
     | combine(({ turn_password: synapse_config_turn_password })

roles/synapse/defaults/main/main.yml

@@ -1,17 +1,16 @@
 ---
+
 synapse_user: synapse
-synapse_group: synapse
+synapse_version: "1.115.0"
-synapse_version: "1.116.0"
 synapse_state: "present"
 synapse_deployment_method: "docker"
 
 synapse_base_path: /opt/synapse
-synapse_config_path: "/etc/synapse"
+synapse_config_path: "{{ synapse_base_path }}/config"
 synapse_data_path: "{{ synapse_base_path }}/data"
 synapse_media_store_path: "{{ synapse_data_path }}/media_store"
 synapse_log_path: "/var/log/synapse"
 synapse_homeserver_log_path: "{{ synapse_log_path }}/homeserver.log"
-synapse_venv_path: "{{ synapse_base_path }}/venv"
 
 synapse_signing_key: ~
 synapse_signing_key_file: >-

roles/synapse/defaults/main/systemd.yml

@@ -1,53 +0,0 @@
----
-synapse_systemd_name: "synapse.service"
-synapse_systemd_service_directory: /etc/systemd/system
-synapse_systemd_service_file: >-2
-  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
-
-synapse_systemd_state: >-2
-  {{ (synapse_state == 'present') | ternary('started', 'stopped') }}
-synapse_systemd_enabled: >-2
-  {{ (synapse_state == 'present') | bool }}
-
-synapse_systemd_unit_description: "Synapse matrix homeserver"
-synapse_systemd_service_type: notify
-synapse_systemd_service_exec_start: >-2
-  {{ synapse_venv_path }}/bin/synapse_homeserver \
-    --config-path={{ synapse_homeserver_config_file }}
-synapse_systemd_service_exec_stop: >-2
-  {{ synapse_venv_path }}/bin/synctl \
-    stop {{ synapse_homeserver_config_file }}
-synapse_systemd_service_exec_reload: >-2
-  /usr/bin/env kill -HUP $MAINPID
-synapse_systemd_service_restart: on-failure
-
-synapse_systemd_unit_after:
-  - "network.target"
-synapse_systemd_unit_wants: []
-synapse_systemd_install_wanted_by: "default.target"
-
-# Hardening
-synapse_systemd_service_read_write_paths:
-  - "{{ synapse_base_path }}"
-  - "{{ synapse_data_path }}"
-  - "{{ synapse_media_store_path }}"
-  - "{{ synapse_log_path }}"
-synapse_systemd_service_restrict_address_families:
-  - "AF_INET"
-  - "AF_INET6"
-  - "AF_UNIX"
-synapse_systemd_service_protect_system: strict
-synapse_systemd_service_protect_home: true
-synapse_systemd_service_protect_clock: true
-synapse_systemd_service_protect_hostname: true
-synapse_systemd_service_protect_protect_kernel_logs: true
-synapse_systemd_service_protect_protect_kernel_modules: true
-synapse_systemd_service_protect_protect_kernel_tunables: true
-synapse_systemd_service_protect_protect_control_groups: true
-
-synapse_systemd_service_restrict_namespaces: true
-synapse_systemd_service_restrict_suid_sgid: true
-
-synapse_systemd_service_remove_ipc: true
-synapse_systemd_service_lock_personality: true
-synapse_systemd_service_no_new_privileges: true

roles/synapse/defaults/main/user.yml

@@ -1,21 +0,0 @@
----
-synapse_user_base_groups:
-  - "{{ synapse_run_group }}"
-synapse_user_groups: ~
-synapse_user_all_groups: >-2
-  {{ synapse_user_base_groups | default([], true)
-    + synapse_user_groups | default([], true) }}
-synapse_user_groups_append: "{{ synapse_user_all_groups | length > 0 }}"
-synapse_run_user: >-2
-  {{ synapse_user_info.name | default(synapse_user) }}
-synapse_run_group: >-2
-  {{ (synapse_user_info is defined and ('groups' in synapse_user_info))
-    | ternary(
-      (synapse_user_info.groups | default("") | split(",") | first),
-      synapse_group
-    )
-  }}
-synapse_run_user_id: >-2
-  {{ synapse_user_info.uid | default(synapse_user) }}
-synapse_run_group_id: >-2
-  {{ synapse_user_info.group | default(synapse_user) }}

roles/synapse/defaults/main/virtualenv.yml

@@ -1,11 +0,0 @@
----
-synapse_venv_package: "matrix-synapse[all]"
-synapse_venv_pip_dependencies:
-  - pip
-  - setuptools
-synapse_venv_package_full: >-2
-  {{ synapse_venv_package }}@{{ synapse_version }}
-
-synapse_venv_python_binary: >-2
-  {{ ansible_python_interpreter | default(omit, true) }}
-synapse_venv_extra_args: ~

roles/synapse/handlers/main.yml

@@ -6,26 +6,3 @@
     state: started
     restart: true
   when: synapse_deployment_method == 'docker'
-
-- name: Ensure synapse is restarted
-  listen: synapse-restart
-  containers.podman.podman_container:
-    name: "{{ synapse_container_name }}"
-    state: "{{ synapse_container_state }}"
-    force_restart: true
-  when: synapse_deployment_method == 'podman'
-
-- name: Ensure synapse is restarted
-  listen: synapse-restart
-  ansible.builtin.systemd_service:
-    name: "{{ synapse_systemd_service_name }}"
-    state: restarted
-  when:
-    - synapse_deployment_method == 'virtualenv'
-    - ansible_facts['service_mgr'] == systemd
-    - synapse_systemd_state == 'started'
-
-- name: Ensure systemd units are reloaded
-  listen: systemd-daemon-reload
-  ansible.builtin.systemd:
-    daemon_reload: true

roles/synapse/tasks/check.yml

@@ -13,7 +13,7 @@
   when: synapse_deployment_method not in synapse_deployment_methods
 
 - name: Ensure required variables are given
-  ansible.builtin.fail:
+  fail:
     msg: "Required variable '{{ item }}' is undefined!"
   loop: "{{ synapse_required_variables }}"
   when: >-2
@@ -21,7 +21,7 @@
     or hostvars[ansible_host][item] | length == 0
 
 - name: Ensure conditionally required variables are given
-  ansible.builtin.fail:
+  fail:
     msg: "Required variable '{{ item.name }}' is undefined!"
   loop: "{{ synapse_conditionally_required_variables }}"
   loop_control:

roles/synapse/tasks/configure.yml

@@ -1,19 +1,12 @@
 ---
-- name: Ensure synapse group '{{ synapse_group }}' is {{ synapse_state }}
-  ansible.builtin.group:
-    name: "{{ synapse_group }}"
-    system: "{{ synapse_group_system | default(true, true) }}"
-    state: "{{ synapse_state }}"
-  register: synapse_group_info
-
 - name: Ensure synapse user '{{ synapse_user }}' is {{ synapse_state }}
   ansible.builtin.user:
     name: "{{ synapse_user }}"
     state: "{{ synapse_state }}"
     system: "{{ synapse_user_system | default(true, true) }}"
     create_home: "{{ synapse_user_create_home | default(false, true) }}"
-    groups: "{{ synapse_user_all_groups | default(omit, true) }}"
+    groups: "{{ synapse_user_groups | default(omit, true) }}"
-    append: "{{ synapse_user_groups_append | default(omit, true) }}"
+    append: "{{ (synapse_user_groups is defined) | ternary(true, omit) }}"
   register: synapse_user_info
 
 - name: Ensure directories for synapse are {{ synapse_state }}
@@ -71,4 +64,3 @@
         mode: "0640"
   notify:
     - synapse-restart
-  when: synapse_state != 'absent'

roles/synapse/tasks/deploy-docker.yml

@@ -16,7 +16,7 @@
     image: "{{ synapse_container_image }}"
     env: "{{ synapse_container_env | default(omit, true) }}"
     user: "{{ synapse_container_user | default(omit, true) }}"
-    groups: "{{ synapse_container_groups | default(omit, true) }}"
+    group: "{{ synapse_container_group | default(omit, true) }}"
     ports: "{{ synapse_container_ports | default(omit, true) }}"
     labels: "{{ synapse_container_labels | default(omit, true) }}"
     ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"

roles/synapse/tasks/deploy-podman.yml

@@ -1,31 +0,0 @@
----
-- name: Ensure container image '{{ synapse_container_image }}' is {{ synapse_state }} on host
-  containers.podman.podman_image:
-    name: "{{ synapse_container_image }}"
-    state: "{{ synapse_state }}"
-    pull: "{{ synapse_container_image_source == 'pull' }}"
-    force: "{{ synapse_container_image_tag | default(false, true) | bool }}"
-  register: synapse_container_image_info
-  until: synapse_container_image_info is success
-  retries: 5
-  delay: 3
-
-- name: Ensure synapse container '{{ synapse_container_name }}' is {{ synapse_container_state }}
-  containers.podman.podmain_container:
-    name: "{{ synapse_container_name }}"
-    image: "{{ synapse_container_image }}"
-    env: "{{ synapse_container_env | default(omit, true) }}"
-    user: "{{ synapse_container_user | default(omit, true) }}"
-    groups: "{{ synapse_container_groups | default(omit, true) }}"
-    ports: "{{ synapse_container_ports | default(omit, true) }}"
-    labels: "{{ synapse_container_labels | default(omit, true) }}"
-    ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
-    volumes: "{{ synapse_container_all_volumes }}"
-    network: "{{ synapse_container_networks | default(omit, true) }}"
-    dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"
-    etc_hosts: "{{ synapse_container_etc_hosts | default(omit, true) }}"
-    memory: "{{ synapse_container_memory | default(omit, true) }}"
-    memory_reservation: "{{ synapse_container_memory_reservation | default(omit, true) }}"
-    memory_swap: "{{ synapse_container_memory_swap | default(omit, true) }}"
-    restart_policy: "{{ synapse_container_restart_policy }}"
-    state: "{{ synapse_container_state }}"

roles/synapse/tasks/deploy-virtualenv.yml

@@ -1,67 +0,0 @@
----
-- name: Ensure directory for virtualenv is {{ synapse_state }}
-  ansible.builtin.file:
-    path: "{{ synapse_venv_path }}"
-    owner: >-2
-      {{ synapse_user_info.uid | default(synapse_user) }}
-    group: >-2
-      {{ synapse_user_info.group | default(synapse_user) }}
-    mode: "{{ synapse_venv_path_mode | default('0755') }}"
-    state: >-
-      {{ (synapse_state == 'present')
-        | ternary('directory', 'absent') }}
-
-- name: Ensure virtual environment is {{ synapse_state }}
-  ansible.builtin.pip:
-    name: "{{ synapse_venv_pip_dependencies }}"
-    virtualenv: "{{ synapse_venv_path }}"
-    virtualenv_python: "{{ synapse_venv_python_binary }}"
-    extra_args: "{{ synapse_venv_extra_args | default(omit, true) }}"
-    state: "{{ synapse_state }}"
-
-- name: Ensure synapse pip package is {{ synapse_state }}
-  ansible.builtin.pip:
-    name: "{{ synapse_venv_package }}"
-    version: "{{ synapse_version }}"
-    state: "{{ synapse_state }}"
-    virtualenv: "{{ synapse_venv_path }}"
-  notify:
-    - synapse-restart
-  when: synapse_state != 'absent'
-
-- name: Ensure synapse virtualenv is {{ synapse_state }}
-  ansible.builtin.file:
-    path: "{{ synapse_venv_path }}"
-    state: "{{ synapse_state }}"
-  when: synapse_state == 'absent'
-
-- name: Ensure systemd unit is {{ synapse_state }}
-  ansible.builtin.template:
-    src: "synapse.service.j2"
-    dest: "{{ synapse_systemd_service_file }}"
-  notify:
-    - systemd-daemon-reload
-  when: synapse_state != 'absent'
-
-- name: Ensure systemd unit is {{ synapse_state }}
-  ansible.builtin.file:
-    path: "{{ synapse_systemd_service_file }}"
-    state: "{{ synapse_state }}"
-  when: synapse_state == 'absent'
-  notify:
-    - systemd-daemon-reload
-
-- name: Ensure handlers are flushed for systemd daemon reload and synapse service state propagation
-  meta: flush_handlers
-
-- name: Ensure systemd service is {{ synapse_systemd_state }}
-  ansible.builtin.systemd_service:
-    name: "{{ synapse_systemd_name }}"
-    state: "{{ synapse_systemd_state }}"
-  when: synapse_state != 'absent'
-
-- name: Ensure systemd service is {{ synapse_systemd_enabled | ternary('enabled', 'disabled') }}
-  ansible.builtin.systemd_service:
-    name: "{{ synapse_systemd_name }}"
-    enabled: "{{ synapse_systemd_enabled }}"
-  when: synapse_state != 'absent'

roles/synapse/templates/synapse.service.j2

@@ -1,44 +0,0 @@
-[Unit]
-Description={{ synapse_systemd_unit_description }}
-
-{% if synapse_systemd_unit_after | default([]) | length > 0 %}
-After={{ synapse_systemd_unit_after | join(' ') }}
-{% endif %}
-{% if synapse_systemd_unit_wants | default([]) | length > 0 %}
-Wants={{ synapse_systemd_unit_wants | join(' ') }}
-{% endif %}
-
-[Service]
-Type={{ synapse_systemd_service_type }}
-WorkingDirectory={{ synapse_venv_path }}
-ExecStart={{ synapse_systemd_service_exec_start }}
-ExecStop={{ synapse_systemd_service_exec_stop }}
-ExecReload={{ synapse_systemd_service_exec_reload }}
-
-User={{ synapse_run_user }}
-Group={{ synapse_run_group }}
-
-Restart={{ synapse_systemd_service_restart }}
-
-ProtectSystem={{ synapse_systemd_service_protect_system }}
-ProtectHome={{ synapse_systemd_service_protect_home }}
-ProtectClock={{ synapse_systemd_service_protect_clock }}
-ProtectHostname={{ synapse_systemd_service_protect_hostname }}
-ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
-ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
-ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
-ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
-
-RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
-RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
-{% for path in synapse_systemd_service_read_write_paths | default([]) %}
-ReadWritePaths={{ path }}
-{% endfor %}
-RestrictAddressFamilies={{ synapse_systemd_service_restrict_address_families | join(' ') }}
-
-RemoveIPC={{ synapse_systemd_service_remove_ipc }}
-LockPersonality={{ synapse_systemd_service_lock_personality }}
-NoNewPrivileges={{ synapse_systemd_service_no_new_privileges }}
-
-[Install]
-WantedBy={{ synapse_systemd_install_wanted_by }}

roles/synapse/vars/main.yml

@@ -5,8 +5,6 @@ synapse_states:
 
 synapse_deployment_methods:
   - docker
-  - podman
-  - virtualenv
 
 synapse_required_variables:
   - synapse_domain