---
# Defaults for the systemd unit that runs Synapse.
# NOTE(review): the task/template that consumes these variables is not part
# of this file; the unit directives named in the comments below are inferred
# from the variable names and should be confirmed against that template.

synapse_systemd_name: "synapse.service"
synapse_systemd_service_directory: "/etc/systemd/system"
# Full path of the unit file: <service directory>/<unit name>.
synapse_systemd_service_file: >-
  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}

# Both values follow synapse_state: 'present' yields started / true,
# any other value yields stopped / false.
synapse_systemd_state: >-
  {{ (synapse_state == 'present') | ternary('started', 'stopped') }}
synapse_systemd_enabled: >-
  {{ (synapse_state == 'present') | bool }}

synapse_systemd_unit_description: "Synapse matrix homeserver"
synapse_systemd_service_type: "notify"

# Keep the second line indented deeper than the first: a folded scalar
# preserves the line break before a more-indented line, so the backslash
# ends a line in the value (a line continuation once written to a unit file).
synapse_systemd_service_exec_start: >-
  {{ synapse_venv_path }}/bin/synapse_homeserver \
    --config-path={{ synapse_homeserver_config_file }}
synapse_systemd_service_exec_stop: >-
  {{ synapse_venv_path }}/bin/synctl \
    stop {{ synapse_homeserver_config_file }}
# $MAINPID is left untouched here; systemd expands it to the PID of the
# service's main process when the reload command runs.
synapse_systemd_service_exec_reload: >-
  /usr/bin/env kill -HUP $MAINPID
synapse_systemd_service_restart: "on-failure"

synapse_systemd_unit_after:
  - "network.target"
synapse_systemd_unit_wants: []
synapse_systemd_install_wanted_by: "default.target"

# Hardening
# Review the effective sandbox on a deployed host with
# `systemd-analyze security <unit name>` rather than trusting these defaults.
# This file defines no variables for PrivateTmp=, PrivateDevices=,
# CapabilityBoundingSet= or SystemCallFilter=; whether the unit template
# sets them is not visible here.

# Presumably rendered as ReadWritePaths=. Combined with ProtectSystem=strict
# these are the locations the service may write to, so keep the list minimal.
# systemd refuses to start the unit when a listed path does not exist,
# unless the entry is prefixed with "-".
synapse_systemd_service_read_write_paths:
  - "{{ synapse_base_path }}"
  - "{{ synapse_data_path }}"
  - "{{ synapse_media_store_path }}"
  - "{{ synapse_log_path }}"

# Presumably an allow-list for RestrictAddressFamilies=. Keep AF_UNIX while
# the service type is "notify": readiness is reported over a UNIX socket.
synapse_systemd_service_restrict_address_families:
  - "AF_INET"
  - "AF_INET6"
  - "AF_UNIX"

synapse_systemd_service_protect_system: "strict"
synapse_systemd_service_protect_home: true
synapse_systemd_service_protect_clock: true
synapse_systemd_service_protect_hostname: true
# NOTE(review): the next four names contain a doubled "protect_protect",
# which looks like a typo. They are kept as-is because the consumer is not
# visible; verify that the template references exactly these names,
# otherwise the four protections are not applied to the rendered unit.
synapse_systemd_service_protect_protect_kernel_logs: true
synapse_systemd_service_protect_protect_kernel_modules: true
synapse_systemd_service_protect_protect_kernel_tunables: true
synapse_systemd_service_protect_protect_control_groups: true
synapse_systemd_service_restrict_namespaces: true
synapse_systemd_service_restrict_suid_sgid: true
synapse_systemd_service_remove_ipc: true
synapse_systemd_service_lock_personality: true
synapse_systemd_service_no_new_privileges: true