Update to 2021-12-01 19:13

roles/matrix_synapse/tasks/archive_post.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ synapse_root_dir }}/archives/{{ synapse_current_version }}.tar.zst --use-compress-program=zstd ./
+  args:
+    chdir: "{{ synapse_root_dir }}/archives/{{ synapse_current_version }}"
+    warn: False
+  environment:
+    ZSTD_CLEVEL: 10
+  tags: matrix

roles/matrix_synapse/tasks/archive_pre.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Create archive dir
+  file: path={{ synapse_root_dir }}/archives/{{ synapse_current_version }} state=directory
+  tags: matrix
+
+- name: Archive previous version
+  synchronize:
+    src: "{{ synapse_root_dir }}/{{ item }}"
+    dest: "{{ synapse_root_dir }}/archives/{{ synapse_current_version }}/"
+    delete: True
+    compress: False
+  loop:
+    - etc
+    - res
+    - venv
+  delegate_to: "{{ inventory_hostname }}"
+  tags: matrix
+
+- name: Archive a database dump
+  shell: >
+    /usr/pgsql-14/bin/pg_dump
+    --clean
+    --create
+    --host={{ synapse_pg_db_server }}
+    --port={{ synapse_pg_db_port }}
+    --username=sqladmin {{ synapse_pg_db_name }} |
+    zstd -T0 -10 -c > {{ synapse_root_dir }}/archives/{{ synapse_current_version }}/{{ synapse_pg_db_name }}.sql.zst
+  environment:
+    - PGPASSWORD: "{{ pg_admin_pass }}"
+  tags: matrix

roles/matrix_synapse/tasks/cleanup.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Remove unused and tmp files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ synapse_root_dir }}/lib"
+    - "{{ synapse_root_dir }}/lib64"
+    - "{{ synapse_root_dir }}/include"
+    - "{{ synapse_root_dir }}/bin"
+    - "{{ synapse_root_dir }}/db_dumps"
+    - "{{ synapse_root_dir }}/res/synapse_janitor.sql"
+    - "{{ synapse_root_dir }}/venv/bin/synapse_janitor.sh"
+    - /etc/cron.d/matrix_synapse
+    - "{{ synapse_root_dir }}/archives/{{ synapse_current_version }}"
+  tags: matrix
+

roles/matrix_synapse/tasks/conf.yml

@@ -0,0 +1,31 @@
+---
+- name: Deploy main config file
+  template: src=homeserver.yaml.j2 dest={{ synapse_root_dir }}/etc/homeserver.yaml group={{ synapse_user }} mode=640
+  notify: restart synapse
+  tags: matrix
+
+- name: Deploy logging config file
+  template: src=logging.conf.j2 dest={{ synapse_root_dir }}/etc/logging.conf
+  notify: restart synapse
+  tags: matrix
+
+- name: Generate certificates
+  command: "{{ synapse_root_dir }}/venv/bin/python3 -m synapse.app.homeserver --generate-keys -c {{ synapse_root_dir }}/etc/homeserver.yaml"
+  args:
+    creates: "{{ synapse_root_dir }}/etc/{{ synapse_server_name }}.signing.key"
+  tags: matrix
+
+- name: List sensitive files
+  stat: path={{ synapse_root_dir }}/etc/{{ item }}
+  register: synapse_sensitive_files
+  with_items:
+    - "{{ synapse_server_name }}.tls.key"
+    - "{{ synapse_server_name }}.signing.key"
+  tags: matrix
+
+- name: Restrict permissions on sensitive files
+  file: path={{ synapse_root_dir }}/etc/{{ item.item }} mode=640 group={{ synapse_user }}
+  with_items: "{{ synapse_sensitive_files.results }}"
+  when: item.stat.exists
+  tags: matrix
+

roles/matrix_synapse/tasks/directories.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Create needed directories
+  file:
+    state: directory
+    path: "{{ synapse_root_dir }}/{{ item.dir }}"
+    mode: "{{ item.mode | default(omit) }}"
+    group: "{{ synapse_user }}"
+  with_items:
+    - dir: meta
+      mode: 700
+    - dir: media_store
+      mode: 770
+    - dir: uploads
+      mode: 770
+    - dir: tmp
+      mode: 770
+    - dir: etc
+      mode: 750
+    - dir: res/templates
+    - dir: backup
+      mode: 700
+    - dir: venv
+  tags: matrix

roles/matrix_synapse/tasks/facts.yml

@@ -0,0 +1,46 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: matrix
+
+# Detect installed version (if any)
+- block:
+    - import_tasks: ../includes/webapps_set_install_mode.yml
+      vars:
+        - root_dir: "{{ synapse_root_dir }}"
+        - version: "{{ synapse_version }}"
+    - set_fact: synapse_install_mode={{ (install_mode == 'upgrade' and not synapse_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: synapse_current_version={{ current_version | default('') }}
+  tags: matrix
+
+- when: synapse_pg_db_pass is not defined
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ synapse_root_dir }}/meta/ansible_dbpass"
+    - set_fact: synapse_pg_db_pass={{ rand_pass }}
+  tags: matrix
+
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ synapse_root_dir }}/meta/ansible_macaroon_key"
+    - set_fact: synapse_macaroon_key={{ rand_pass }}
+  tags: matrix
+
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ synapse_root_dir }}/meta/ansible_form_secret"
+    - set_fact: synapse_form_secret={{ rand_pass }}
+  tags: matrix
+
+- name: Check if the old venv is present
+  stat: path={{ synapse_root_dir }}/lib
+  register: synapse_old_venv
+  tags: matrix

roles/matrix_synapse/tasks/install.yml

@@ -0,0 +1,113 @@
+---
+
+- name: Install system dependencies
+  yum: name={{ synapse_packages }}
+  tags: matrix
+
+- name: Check if pg_config is available
+  stat: path=/bin/pg_config
+  register: synapse_pg_config
+  tags: matrix
+
+- name: Setup pg_config
+  alternatives:
+    name: psql-pg_config
+    link: /bin/pg_config
+    path: /usr/pgsql-14/bin/pg_config
+  when: not synapse_pg_config.stat.exists
+  tags: matrix
+
+- name: Wipe pip cache
+  file: path=/root/.cache/pip state=absent
+  when: synapse_old_venv.stat.exists
+  tags: matrix
+
+- name: Wipe the venv during upgrades
+  file: path={{ synapse_root_dir }}/venv state=absent
+  when: synapse_install_mode == 'upgrade'
+  tags: matrix
+
+- name: Install or update dependencies in the virtual env
+  pip:
+    state: "{{ (synapse_install_mode == 'upgrade') | ternary('latest','present') }}"
+    virtualenv: "{{ synapse_root_dir }}/venv"
+    virtualenv_command: /usr/bin/virtualenv-3
+    virtualenv_python: /usr/bin/python3
+    name:
+      - bleach
+      - matrix-synapse-ldap3
+      - psycopg2
+      - txacme
+      - Jinja2
+      - lxml
+      - pysaml2
+      - mock
+      - six
+      - authlib
+      - twisted
+  notify: restart synapse
+  tags: matrix
+
+- name: Install or update synapse in a virtualenv
+  pip:
+    virtualenv: "{{ synapse_root_dir }}/venv"
+    virtualenv_command: /usr/bin/virtualenv-3
+    virtualenv_python: /usr/bin/python3
+    name:
+      - matrix-synapse
+    version: "{{ synapse_version }}"
+  notify: restart synapse
+  tags: matrix
+
+- name: Install the service unit file
+  template: src=matrix-synapse.service.j2 dest=/etc/systemd/system/matrix-synapse.service
+  register: synapse_service_unit
+  notify: restart synapse
+  tags: matrix
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: synapse_service_unit.changed
+  tags: matrix
+
+- name: Install REST auth module
+  get_url:
+    url: https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/master/rest_auth_provider.py
+    dest: "{{ synapse_root_dir }}/venv/lib/python3.6/site-packages/"
+  tags: matrix
+
+- name: Create the PostgreSQL role
+  postgresql_user:
+    db: postgres
+    name: "{{ synapse_pg_db_user }}"
+    password: "{{ synapse_pg_db_pass }}"
+    login_host: "{{ synapse_pg_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: matrix
+
+- name: Create the PostgreSQL database
+  postgresql_db:
+    name: "{{ synapse_pg_db_name }}"
+    encoding: UTF-8
+    lc_collate: C
+    lc_ctype: C
+    template: template0
+    owner: "{{ synapse_pg_db_user }}"
+    login_host: "{{ synapse_pg_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: matrix
+
+- name: Deploy backup scripts
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/matrix_synapse.sh mode=750
+  loop:
+    - pre
+    - post
+  tags: matrix
+
+- name: Reset SELinux contexts
+  command: restorecon -R {{ synapse_root_dir }}
+  changed_when: False
+  when: ansible_selinux.status == 'enabled'
+  tags: matrix

roles/matrix_synapse/tasks/iptables.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Handle Synapse TLS port
+  iptables_raw:
+    name: synapse_tls_port
+    state: "{{ (synapse_tls_src_ip | length > 0) | ternary('present', 'absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ synapse_tls_port }} -s {{ synapse_tls_src_ip | join(',') }} -j ACCEPT"
+  tags: matrix,firewall
+
+- name: Handle Synapse port
+  iptables_raw:
+    name: synapse_port
+    state: "{{ (synapse_src_ip | length > 0) | ternary('present', 'absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ synapse_port }} -s {{ synapse_src_ip | join(',') }} -j ACCEPT"
+  tags: matrix,firewall
+

roles/matrix_synapse/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: synapse_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: service.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: synapse_install_mode == 'upgrade'
+- include: cleanup.yml
+

roles/matrix_synapse/tasks/service.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+  service: name=matrix-synapse state=started enabled=True
+  register: synapse_started
+  tags: matrix

roles/matrix_synapse/tasks/user.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Create synapse user account
+  user: name={{ synapse_user }} home={{ synapse_root_dir }} shell=/bin/bash state=present
+  tags: matrix
+

roles/matrix_synapse/tasks/write_version.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Write current version
+  copy: content={{ synapse_version }} dest={{ synapse_root_dir }}/meta/ansible_version
+  tags: matrix