Synapse role

LICENSE

@@ -0,0 +1,19 @@
+MIT License Copyright (c) 2023 uumas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice (including the next
+paragraph) shall be included in all copies or substantial portions of the
+Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
+OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
+OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,3 @@
+# uumas.matrix
+
+Roles for matrix services

galaxy.yml

@@ -0,0 +1,11 @@
+---
+
+namespace: uumas
+name: matrix
+description: Matrix roles
+version: 0.0.1
+readme: README.md
+repository: https://git.uumas.fi/uumas/ansible-matrix
+license_file: LICENSE
+authors:
+  - uumas

meta/runtime.yml

@@ -0,0 +1,3 @@
+---
+
+requires_ansible: ">=2.10"

roles/synapse/defaults/main.yml

@@ -0,0 +1,24 @@
+---
+
+depends:
+
+synapse_psql_host: localhost
+synapse_psql_user: "{{ psql_dbs['matrix-synapse']['user'] }}"
+synapse_psql_pw: "{{ psql_dbs['matrix-synapse']['password'] }}"
+synapse_psql_db: "{{ synapse_psql_user }}"
+
+matrix_max_upload_size_mb: 100
+synapse_metrics: no
+synapse_presence: yes
+
+synchrotron_workers:
+  balancer: generic_sync
+  init: generic_init_sync
+
+persister_workers:
+  - event_persister
+  - typing_persister
+  - account_persister
+  - device_persister
+  - presence_persister
+  - receipt_persister

roles/synapse/handlers/main.yml

@@ -0,0 +1,23 @@
+---
+
+- name: config synapse service
+  systemd:
+    daemon_reload: yes
+    name: matrix-synapse.service
+    enabled: yes
+  notify: config matrix target
+
+- name: config matrix target
+  systemd:
+    daemon_reload: yes
+    name: matrix.target
+    enabled: yes
+    state: restarted
+
+- name: config worker services
+  systemd:
+    daemon_reload: yes
+    name: "matrix-synapse-worker@{{ item }}.service"
+    enabled: yes
+  loop: "{{ synapse_worker_services }}"
+  notify: config matrix target

roles/synapse/tasks/config.yml

@@ -0,0 +1,55 @@
+---
+
+
+- name: Put synapse configs in place
+  template:
+    src: "conf.d/{{ item }}.yaml.j2"
+    dest: "/etc/matrix-synapse/conf.d/{{ item }}.yaml"
+    mode: '644'
+  loop:
+    - database
+    - general
+    - listeners
+    - server_name
+    - url_preview
+  notify: config matrix target
+
+- name: autojoin config
+  template:
+    src: 'conf.d/autojoin.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/autojoin.yaml'
+    mode: '644'
+  when: matrix_auto_join_rooms is defined
+  notify: config matrix target
+
+- name: password provider config
+  template:
+    src: 'conf.d/password_providers.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/password_providers.yaml'
+    mode: '644'
+  when: synapse_ldap_servers is defined 
+  notify: config matrix target
+
+- name: modules config
+  template:
+    src: 'conf.d/modules.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/modules.yaml'
+    mode: '644'
+  when: synapse_shared_secret_auth is defined
+  notify: config matrix target
+
+- name: sso config
+  template:
+    src: 'conf.d/sso.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/sso.yaml'
+    mode: '644'
+  when: matrix_openidc_providers is defined
+  notify: config matrix target
+
+- name: turn config
+  template:
+    src: 'conf.d/turn.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/turn.yaml'
+    mode: '644'
+  when: turn_domain is defined
+  notify: config matrix target

roles/synapse/tasks/install_debian.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+      - lsb-release
+      - wget
+      - apt-transport-https
+      - python3-pysaml2
+      - python3-psycopg2
+      - acl
+
+- name: Add matrix.org repo signing key
+  apt_key:
+    url: 'https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg'
+    id: 'AAF9AE843A7584B5A3E4CD2BCF45A512DE2DA058'
+
+- name: Add matrix.org repo
+  apt_repository:
+    repo: "deb https://packages.matrix.org/debian/ {{ ansible_distribution_release }} main"
+
+- name: Install synapse
+  apt:
+    name: matrix-synapse-py3
+    state: latest
+
+- name: Install redis
+  apt:
+    name: redis-server
+  when: synapse_workers is defined

roles/synapse/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Fail if not debian
+  fail:
+  when: ansible_os_family != "Debian"
+
+- name: Install synapse on debian
+  include_tasks: install_debian.yml
+  when: ansible_os_family=="Debian"
+
+- name: Synapse configuration
+  import_tasks: config.yml
+
+- name: Install matrix-synapse-shared-secret-auth
+  pip:
+    name: 'git+https://github.com/devture/matrix-synapse-shared-secret-auth'
+    state: latest
+    virtualenv: /opt/venvs/matrix-synapse
+  notify: config synapse service
+  when: synapse_shared_secret_auth is defined
+
+- name: Put systemd units in place
+  template:
+    src: "systemd/{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    mode: '644'
+  loop:
+    - matrix-synapse.service
+    - matrix.target
+  notify: 
+    - config synapse service
+    - config matrix target
+
+- name: Synapse workers
+  include_tasks: workers.yml
+  when: synapse_workers is defined
+
+- meta: flush_handlers

roles/synapse/tasks/matrix-synchrotron.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Create matrix-synchrotron-{{ item }} workdir
+  file: 
+    path: /opt/matrix-synchrotron/{{ item }}
+    state: directory
+    mode: 0755
+- name: Put matrix-synchrotron-{{ item }} config in place
+  template:
+    src: "matrix-synchrotron-config.yaml.j2"
+    dest: "/opt/matrix-synchrotron/{{ item }}/config.yaml.ansibled"
+  notify: config synapse service
+  register: config
+- name: Put matrix-synchrotron-{{ item }} config in final destination
+  copy:
+    src: "/opt/matrix-synchrotron/{{ item }}/config.yaml.ansibled"
+    dest: "/opt/matrix-synchrotron/{{ item }}/config.yaml"
+    remote_src: yes
+  when: config.changed

roles/synapse/tasks/matrix-synchrotrons.yml

@@ -0,0 +1,65 @@
+---
+
+- block:
+  - name: Add backports
+    apt_repository:
+      repo: "deb http://deb.debian.org/debian/ buster-backports main"
+      filename: backports
+      mode: '644'
+  - name: Install go from backports
+    apt:
+      name: golang
+      default_release: buster-backports
+  when: ansible_distribution_release == 'buster'
+
+- name: Install git and golang
+  apt:
+    name:
+      - git
+      - golang
+
+- name: Create matrix-synchrotron user
+  user:
+    name: matrix-synchrotron
+    system: yes
+    home: /opt/matrix-synchrotron
+    shell: /bin/false
+
+- block:
+  - name: Clone matrix-synchrotron git repo
+    git:
+      repo: 'https://github.com/Sorunome/matrix-synchrotron-balancer.git'
+      dest: /opt/matrix-synchrotron/src
+      force: yes
+    register: install
+
+  - name: Build matrix-synchrotron
+    command: go build
+    args:
+      chdir: /opt/matrix-synchrotron/src
+    when: install.changed
+    notify: config synapse service
+
+  - name: Configure matrix-synchrotron(s)
+    include_tasks: matrix-synchrotron.yml
+    loop: "{{ synapse_synchrotrons }}"
+    loop_control:
+      extended: yes
+
+  become_user: matrix-synchrotron
+
+- name: Put systemd matrix-synchrotron unit in place
+  template:
+    src: 'systemd/matrix-synchrotron@.service.j2'
+    dest: "/etc/systemd/system/matrix-synchrotron@.service"
+    mode: '644'
+  register: systemd_unit
+
+- name: Enable systemd matrix-synchrotron-{{ item }} unit
+  systemd:
+    daemon_reload: yes
+    name: "matrix-synchrotron@{{ item }}.service"
+    enabled: yes
+    state: restarted
+  when: systemd_unit.changed
+  loop: "{{ synapse_synchrotrons }}"

roles/synapse/tasks/worker_instance.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Set worker var
+  set_fact:
+    worker: "{{ worker_type }}-{{ worker_index|default('0') }}"
+
+- name: Put {{ worker }} config in place
+  template:
+    src: "worker.yaml.j2"
+    dest: "/etc/matrix-synapse/workers/{{ worker }}.yaml"
+    mode: '644'
+  notify: config worker services
+
+- name: Put {{ worker }} logging config in place
+  template:
+    src: "log.yaml.j2"
+    dest: "/etc/matrix-synapse/worker-logs/{{ worker }}-log.yaml"
+    mode: '644'
+  notify: config worker services
+
+- name: Add {{ worker }} to synapse_worker_services
+  set_fact:
+    synapse_worker_services: "{{ synapse_worker_services + [ worker ] }}"

roles/synapse/tasks/worker_type.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Set worker type to {{ synapse_worker.key }}
+  set_fact:
+    worker_type: "{{ synapse_worker.key }}"
+
+- name: Include default variables
+  include_vars: defaults.yml
+
+- name: Include {{ worker_type }} variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files: 
+        - "{{ worker_type }}.yml"
+      skip: yes
+
+- name: Reset worker_ports
+  set_fact:
+    worker_ports: []
+
+- name: Set worker_ports
+  set_fact:
+    worker_ports: "{{ synapse_worker.value }}"
+  when: synapse_worker.value is iterable
+
+- name: "Setup {{ worker_type }}(s) if they have listeners"
+  include_tasks: worker_instance.yml
+  loop: "{{ worker_ports }}"
+  loop_control:
+    loop_var: worker_port
+    index_var: worker_index
+  when: worker_ports|length != 0
+
+- name: "Setup {{ worker_type }}(s) if they don't have listeners"
+  include_tasks: worker_instance.yml
+  when: worker_ports|length == 0
+
+- name: Append synchrotron var
+  set_fact:
+    synapse_synchrotrons: "{{ synapse_synchrotrons + [ synchrotron_type ] }}"
+  when: synchrotron_type is defined and synchrotron_type not in synapse_synchrotrons

roles/synapse/tasks/workers.yml

@@ -0,0 +1,49 @@
+---
+
+- name: synapse-wide worker config
+  template:
+    src: 'conf.d/workers.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/workers.yaml'
+
+- name: Put worker systemd unit in place
+  template:
+    src: "systemd/matrix-synapse-worker@.service.j2"
+    dest: '/etc/systemd/system/matrix-synapse-worker@.service'
+    mode: '644'
+  notify: config worker services
+
+- name: Create workers config directories
+  file:
+    path: /etc/matrix-synapse/{{ item }}
+    state: directory
+  loop:
+    - workers
+    - worker-logs
+
+- name: Initialize synapse worker vars
+  set_fact:
+    synapse_worker_services: []
+    synapse_synchrotrons: []
+
+- name: 'Create worker pidfile dir in /run'
+  file:
+    path: /run/matrix-synapse/
+    state: directory
+    owner: matrix-synapse
+    group: nogroup
+
+- name: Create tmpfiles config for pidfile dir in run
+  template:
+    src: 'tmpfiles-matrix-synapse.conf.j2'
+    dest: '/etc/tmpfiles.d/matrix-synapse.conf'
+    mode: '644'
+
+- name: Configure workers
+  include_tasks: worker_type.yml
+  loop: "{{ synapse_workers | dict2items }}"
+  loop_control:
+    loop_var: synapse_worker
+
+- name: Configure synchrotron balancer
+  include_tasks: matrix-synchrotrons.yml
+  when: synapse_synchrotrons | length != 0

roles/synapse/templates/conf.d/autojoin.yaml.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+auto_join_rooms:
+{% for room_id in matrix_auto_join_rooms %}
+  - "{{ room_id }}"
+{% endfor %}

roles/synapse/templates/conf.d/database.yaml.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+database:
+  name: "psycopg2"
+  args:
+    user: "{{ synapse_psql_user }}"
+    password: "{{ synapse_psql_pw }}"
+    database: {{ synapse_psql_db }}
+    host: {{ synapse_psql_host }}
+    cp_min: 2
+    cp_max: 3
+

roles/synapse/templates/conf.d/general.yaml.j2

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+public_baseurl: '{{ matrix_external_url }}'
+admin_contact: '{{ synapse_admin_contact }}'
+max_upload_size: {{ matrix_max_upload_size_mb }}M
+enable_registration: false
+allow_public_rooms_over_federation: true
+registration_shared_secret: '{{ matrix_registration_shared_secret }}'
+enable_group_creation: true
+enable_metrics: {{ synapse_metrics }}
+use_presence: {{ synapse_presence }}
+enable_media_repo: {{ matrix_media_repo_server is not defined and 'media_repository' not in synapse_workers }}
+retention:
+  enabled: true
+experimental_features:
+  msc2716_enabled: true

roles/synapse/templates/conf.d/listeners.yaml.j2

@@ -0,0 +1,33 @@
+# {{ ansible_managed }}
+
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client, federation]
+        compress: false
+{% if matrix_extras is defined and synapse_workers is not defined %}
+  - port: 8009
+    tls: false
+    type: http
+    x_forwarded: false
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client]
+        compress: false
+{% endif %}
+{% if synapse_metrics %}
+  - port: 9656
+    type: metrics
+    bind_addresses: ['0.0.0.0'] # Don't bind to multiple addresses
+{% endif %}
+{% if synapse_workers is defined %}
+  - port: 9093
+    bind_addresses: ['::1', '127.0.0.1']
+    type: http
+    resources:
+      - names: [replication]
+{% endif %}

roles/synapse/templates/conf.d/modules.yaml.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+modules:
+{% if synapse_shared_secret_auth is defined %}
+  - module: "shared_secret_authenticator.SharedSecretAuthProvider"
+    config:
+      shared_secret: "{{ synapse_shared_secret_auth }}"
+      m_login_password_support_enabled: true # Remove this once this isn't needed anymore
+      com_devture_shared_secret_auth_support_enabled: false # this works around https://github.com/vector-im/element-web/issues/19605
+{% endif %}

roles/synapse/templates/conf.d/password_providers.yaml.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+password_providers:
+{% if synapse_ldap_servers is defined %}
+  - module: "ldap_auth_provider.LdapAuthProvider"
+    config:
+      enabled: true
+      mode: "search"
+      uri:
+{% for synapse_ldap_server in synapse_ldap_servers %}
+        - {{ synapse_ldap_server }}
+{% endfor %}
+      start_tls: false
+      base: "{{ synapse_ldap_search_base }}"
+      attributes:
+        uid: "uid"
+        name: "{{ synapse_ldap_user_name }}"
+        mail: "mail"
+      filter: "(objectClass=posixAccount)"
+{% if synapse_ldap_bind_dn is defined %}
+      bind_dn: "{{ synapse_ldap_bind_dn }}"
+      bind_password: "{{ synapse_ldap_bind_pw }}"
+{% endif %}
+{% endif %}
+

roles/synapse/templates/conf.d/server_name.yaml.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+server_name: {{ matrix_domain }}

roles/synapse/templates/conf.d/sso.yaml.j2

@@ -0,0 +1,74 @@
+# {{ ansible_managed }}
+
+password_config:
+  enabled: false
+
+{% if synapse_sso_client_whitelist is defined %}
+sso:
+  client_whitelist:
+{% for client in synapse_sso_client_whitelist %}
+    - {{ client }}
+{% endfor %}
+{% endif %}
+
+oidc_providers:
+{% for provider in matrix_openidc_providers %}
+  - idp_id: "{{ provider.idp_id }}"
+    idp_name: "{{ provider.idp_name }}"
+{% if provider.idp_icon is defined %}
+    idp_icon: "{{ provider.idp_icon }}"
+{% endif %}
+{% if provider.idp_brand is defined %}
+    idp_brand: "{{ provider.idp_brand }}"
+{% endif %}
+    discover: {{ provider.discover | default(true) | bool | lower }}
+    issuer: "{{ provider.issuer }}"
+    client_id: "{{ provider.client_id }}"
+{% if provider.client_secret is defined %}
+    client_secret: "{{ provider.client_secret }}"
+{% else %}
+    client_secret_jwt_key: "{{ provider.client_secret_jwt_key }}"
+{% endif %}
+    client_auth_method: "{{ provider.client_auth_method | default('client_secret_basic') }}"
+    scopes: {{ provider.scopes }}
+{% if provider.discover == false %}
+    authorization_endpoint: "{{ provider.authorization_endpoint }}"
+    token_endpoint: "{{ provider.token_endpoint }}"
+{% if provider.userinfo_endpoint is defined %}
+    userinfo_endpoint: "{{ provider.userinfo_endpoint }}"
+{% endif %}
+{% if provider.jwks_uri is defined %}
+    jwks_uri: "{{ provider.jwks_uri }}"
+{% endif %}
+{% endif %}
+{% if provider.skip_verification is defined %}
+    skip_verification: "{{ provider.skip_verification }}"
+{% endif %}
+    user_profile_method: "{{ provider.user_profile_method | default('auto') }}"
+    allow_existing_users: {{ provider.allow_existing_users | default(false) | bool | lower }}
+{% if provider.user_mapping_provider is defined %}
+    user_mapping_provider:
+{% for mapping_provider in provider.user_mapping_provider %}
+        "{{ mapping_provider }}":
+{% if provider.user_mapping_provider[mapping_provider].subject_claim is defined %}
+          subject_claim: "{{ provider.user_mapping_provider[mapping_provider].subject_claim }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].localpart_template is defined %}
+          localpart_template: "{{ provider.user_mapping_provider[mapping_provider].localpart_template }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].display_name_template is defined %}
+          display_name_template: "{{ provider.user_mapping_provider[mapping_provider].display_name_template }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].email_template is defined %}
+          email_template: "{{ provider.user_mapping_provider[mapping_provider].email_template }}"
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if provider.attribute_requirements is defined %}
+    attribute_requirements:
+{% for attribute in provider.attribute_requirements %}
+      - attribute: "{{ attribute }}"
+        value: "{{ attribute.value }}"
+{% endfor %}
+{% endif %}
+{% endfor %}

roles/synapse/templates/conf.d/turn.yaml.j2

@@ -0,0 +1,11 @@
+---
+
+turn_uris:
+  - "turns:{{ turn_domain }}:443?transport=udp"
+  - "turn:{{ turn_domain }}:443?transport=udp"
+  - "turns:{{ turn_domain }}:443?transport=tcp"
+  - "turn:{{ turn_domain }}:443?transport=tcp"
+turn_shared_secret: "{{ turn_secret }}"
+turn_user_lifetime: 1d
+turn_allow_guests: false
+

roles/synapse/templates/conf.d/url_preview.yaml.j2

@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'

roles/synapse/templates/conf.d/workers.yaml.j2

@@ -0,0 +1,90 @@
+---
+
+redis:
+  enabled: true
+{% if 'appservice' in synapse_workers %}
+notify_appservices_from_worker: appservice-0
+{% endif %}
+{% if 'pusher' in synapse_workers %}
+start_pushers: false
+{% endif %}
+{% if 'user_dir' in synapse_workers %}
+update_user_directory_from_worker: user_dir-0
+{% endif %}
+
+
+{% if 'event_persister' in synapse_workers or 'typing_persister' in synapse_workers or 'account_persister' in synapse_workers or 'device_persister' in synapse_workers or 'presence_persister' in synapse_workers or 'receipt_persister' in synapse_workers %}
+instance_map:
+
+{% for persister_type in persister_workers %}
+
+{% if persister_type in synapse_workers %}
+{% for port in synapse_workers[persister_type] %}
+  {{ persister_type }}-{{ loop.index0 }}:
+    host: localhost
+    port: {{ port }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+
+stream_writers:
+{% if 'event_persister' in synapse_workers %}
+  events:
+{% for port in synapse_workers.event_persister %}
+    - event_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'typing_persister' in synapse_workers %}
+  typing:
+{% for port in synapse_workers.typing_persister %}
+    - typing_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'account_persister' in synapse_workers %}
+  account_data:
+{% for port in synapse_workers.account_persister %}
+    - account_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'device_persister' in synapse_workers %}
+  to_device:
+{% for port in synapse_workers.device_persister %}
+    - device_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'presence_persister' in synapse_workers %}
+  presence:
+{% for port in synapse_workers.presence_persister %}
+    - presence_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'receipt_persister' in synapse_workers %}
+  receipts:
+{% for port in synapse_workers.receipt_persister %}
+    - receipt_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% endif %}
+
+{% if 'background_tasks' in synapse_workers %}
+run_background_tasks_on: background_tasks-0
+{% endif %}
+
+{% if 'federation_sender' in synapse_workers %}
+send_federation: false
+
+{% if synapse_workers.federation_sender|length > 1 %}
+federation_sender_instances:
+{% for port in synapse_workers.federation_sender %}
+  - federation_sender-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% endif %}

roles/synapse/templates/log.yaml.j2

@@ -0,0 +1,69 @@
+# {{ ansible_managed }}
+# Log configuration for Synapse {{ worker }} worker.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
+
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+    file:
+        class: logging.handlers.TimedRotatingFileHandler
+        formatter: precise
+        filename: /var/log/matrix-synapse/{{ worker }}.log
+        when: midnight
+        backupCount: 3
+        encoding: utf8
+
+    # Default to buffering writes to log file for efficiency. This means that
+    # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
+    # logs will still be flushed immediately.
+    buffer:
+        class: logging.handlers.MemoryHandler
+        target: file
+        # The capacity is the number of log lines that are buffered before
+        # being written to disk. Increasing this will lead to better
+        # performance, at the expensive of it taking longer for log lines to
+        # be written to disk.
+        capacity: 10
+        flushLevel: 30  # Flush for WARNING logs as well
+
+    # A handler that writes logs to stderr. Unused by default, but can be used
+    # instead of "buffer" and "file" in the logger handlers.
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+    twisted:
+        # We send the twisted logging directly to the file handler,
+        # to work around https://github.com/matrix-org/synapse/issues/3471
+        # when using "buffer" logger. Use "console" to log to stderr instead.
+        handlers: [file]
+        propagate: false
+
+root:
+    level: WARNING
+
+    # Write logs to the `buffer` handler, which will buffer them together in memory,
+    # then write them to a file.
+    #
+    # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+    # also need to update the configuation for the `twisted` logger above, in
+    # this case.)
+    #
+    handlers: [buffer]
+
+disable_existing_loggers: false
+

roles/synapse/templates/matrix-synchrotron-config.yaml.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+homeserver_url: http://localhost:8008 # homeserver URL for the whoami request
+listener: localhost:{{ 8183 + ansible_loop.index0 }} # host:port to listen to
+
+synchrotrons:
+{% for port in synapse_workers[synchrotron_workers[item]] %}
+  - address: 127.0.0.1:{{ port }}
+    pid_file: /run/matrix-synapse/{{ synchrotron_workers[item] }}-{{ loop.index0 }}.pid
+{% endfor %}
+
+balancer:
+  interval: 2

roles/synapse/templates/systemd/matrix-synapse-worker@.service.j2

@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Synapse %i
+AssertPathExists=/etc/matrix-synapse/workers/%i.yaml
+PartOf=matrix-synapse.service
+After=matrix-synapse.service
+
+[Service]
+Type=notify
+PIDFile=/run/matrix-synapse/%i.pid
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=/etc/default/matrix-synapse
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
+ExecStartPost=/bin/sh -c "echo $MAINPID > /run/matrix-synapse/%i.pid"
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse-%i
+
+[Install]
+WantedBy=matrix-synapse.service

roles/synapse/templates/systemd/matrix-synapse.service.j2

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Synapse Matrix homeserver
+PartOf=matrix.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=/etc/default/matrix-synapse
+ExecStartPre=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse
+
+[Install]
+WantedBy=matrix.target

roles/synapse/templates/systemd/matrix-synchrotron@.service.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Matrix Synchrotron %i
+After=matrix-synapse.service
+PartOf=matrix-synapse.service
+
+[Service]
+Type=simple
+User=matrix-synchrotron
+WorkingDirectory=/opt/matrix-synchrotron/%i
+ExecStart=/opt/matrix-synchrotron/src/matrix-synchrotron-balancer
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=matrix-synapse.service

roles/synapse/templates/systemd/matrix.target.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Contains matrix services like synapse, bridges and bots
+After=network.target
+
+[Install]
+WantedBy=multi-user.target

roles/synapse/templates/tmpfiles-matrix-synapse.conf.j2

@@ -0,0 +1 @@
+d /run/matrix-synapse 0755 matrix-synapse nogroup - -

roles/synapse/templates/worker.yaml.j2

@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+worker_app: synapse.app.{{ worker_app }}
+worker_name: {{ worker }}
+
+# The replication listener on the synapse to talk to.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_log_config: /etc/matrix-synapse/worker-logs/{{ worker }}-log.yaml
+{% if worker_port is defined and worker_listeners|length !=0 or synapse_metrics %}
+worker_listeners:
+{% if worker_listeners|length != 0 %}
+  - type: http
+    port: {{ worker_port }}
+    x_forwarded: true
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: {{ worker_listeners }}
+{% endif %}
+
+{% if synapse_metrics %}
+  - type: metrics
+    port: {{ worker_port + 1000 }}
+    bind_addresses: ['0.0.0.0'] # Don't bind to multiple addresses
+{% endif %}
+{% endif %}
+{% if worker_app == 'frontend_proxy' %}
+worker_main_http_uri: http://localhost:8008
+{% endif %}

roles/synapse/vars/account_persister.yml

@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+  - replication
+  - client

roles/synapse/vars/appservice.yml

@@ -0,0 +1,3 @@
+---
+
+worker_listeners: []

roles/synapse/vars/background_tasks.yml

@@ -0,0 +1,4 @@
+---
+
+worker_listeners:
+  - replication

roles/synapse/vars/defaults.yml

@@ -0,0 +1,5 @@
+---
+
+worker_app: generic_worker
+worker_listeners:
+  - client

roles/synapse/vars/device_persister.yml

@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+  - replication
+  - client

roles/synapse/vars/event_persister.yml

@@ -0,0 +1,4 @@
+---
+
+worker_listeners:
+  - replication

roles/synapse/vars/federation_sender.yml

@@ -0,0 +1,4 @@
+---
+
+worker_app: federation_sender
+worker_listeners: []

roles/synapse/vars/frontend_proxy.yml

@@ -0,0 +1,3 @@
+---
+
+worker_app: frontend_proxy

roles/synapse/vars/generic_federation.yml

@@ -0,0 +1,4 @@
+---
+
+worker_listeners:
+  - federation

roles/synapse/vars/generic_federation_send.yml

@@ -0,0 +1,4 @@
+---
+
+worker_listeners:
+  - federation

roles/synapse/vars/generic_init_sync.yml

@@ -0,0 +1,3 @@
+---
+
+synchrotron_type: init

roles/synapse/vars/generic_sync.yml

@@ -0,0 +1,3 @@
+---
+
+synchrotron_type: balancer

roles/synapse/vars/media_repository.yml

@@ -0,0 +1,5 @@
+---
+
+worker_app: media_repository
+worker_listeners:
+  - media

roles/synapse/vars/presence_persister.yml

@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+  - replication
+  - client

roles/synapse/vars/pusher.yml

@@ -0,0 +1,4 @@
+---
+
+worker_app: pusher
+worker_listeners: []

roles/synapse/vars/receipt_persister.yml

@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+  - replication
+  - client

roles/synapse/vars/typing_persister.yml

@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+  - replication
+  - client