Add Sygnal support

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683
5 lat temu · 9a0222fa47
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@

 # 2021-03-20

 ## Sygnal push gateway support

 The playbook can now install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you.

 This is only useful to people who develop/build their own Matrix client applications.

 Additional details are available in our [Setting up Sygnal](docs/configuring-playbook-sygnal.md) docs.


 # 2021-03-16

 ## Go-NEB support
--- a/README.md
+++ b/README.md
@@ -99,6 +99,8 @@ Using this playbook, you can get the following services configured on your serve

 - (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation

 - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation

 Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.

 **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.
--- a/docs/configuring-dns.md
+++ b/docs/configuring-dns.md
@@ -35,6 +35,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
 | CNAME | `jitsi` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `stats` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `goneb` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `sygnal` (*)                 | -        | -      | -    | `matrix.<your-domain>` |

 ## Subdomains setup

@@ -51,6 +52,8 @@ The `stats.<your-domain>` subdomain may be necessary, because this playbook coul

 The `goneb.<your-domain>` subdomain may be necessary, because this playbook could install the [Go-NEB](https://github.com/matrix-org/go-neb) bot. The installation of Go-NEB is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Go-NEB guide](configuring-playbook-bot-go-neb.md). If you do not wish to set up Go-NEB, feel free to skip the `goneb.<your-domain>` DNS record.

 The `sygnal.<your-domain>` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.<your-domain>` DNS record.


 ## `_matrix-identity._tcp` SRV record setup

--- a/docs/configuring-playbook-sygnal.md
+++ b/docs/configuring-playbook-sygnal.md
@@ -0,0 +1,71 @@
 # Setting up Sygnal (optional)

 The playbook can install and configure the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you.

 See the project's [documentation](https://github.com/matrix-org/sygnal) to learn what it does and why it might be useful to you.

 **Note**: most people don't need to install their own gateway. As Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) documentation says:

 > It is not feasible to allow end-users to configure their own Sygnal instance, because the Sygnal instance needs the appropriate FCM or APNs secrets that belong to the application.

 This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves.


 ## Adjusting the playbook configuration

 Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):

 ```yaml
 matrix_sygnal_enabled: true

 # You need at least 1 app defined.
 # The configuration below is incomplete. Read more below.
 matrix_sygnal_apps:
  com.example.myapp.ios:
    type: apns
 	keyfile: /data/my_key.p8
    # .. more configuration ..
  com.example.myapp.android:
    type: gcm
    api_key: your_api_key_for_gcm
    # .. more configuration ..

 matrix_aux_file_definitions:
  - dest: "{{ matrix_sygnal_data_path }}/my_key.p8"
    content: |
      some
      content
      here
    mode: '0600'
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
 ```

 For a more complete example of available fields and values they can take, see `roles/matrix-sygnal/templates/sygnal.yaml.j2` (or the [upstream `sygnal.yaml.sample` configuration file](https://github.com/matrix-org/sygnal/blob/master/sygnal.yaml.sample)).

 Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easier, as it only requires that you provide some config values.

 To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files.
 To do that, the above example configuration:

 - makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`.

 - references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container)


 ## Installing

 Don't forget to add `sygnal.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.

 After configuring the playbook, run the [installation](installing.md) command again:

 ```
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```


 ## Usage

 To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server.

 Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document.
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -132,3 +132,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional)

 - [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (optional)


 ### Other specialized services

 - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional)
--- a/docs/container-images.md
+++ b/docs/container-images.md
@@ -97,3 +97,5 @@ These services are not part of our default installation, but can be enabled by [
 - [prom/node-exporter](https://hub.docker.com/r/prom/node-exporter/) - [Prometheus Node Exporter](https://github.com/prometheus/node_exporter/) is an addon for Prometheus that gathers standard system metrics

 - [grafana/grafana](https://hub.docker.com/r/grafana/grafana/) - [Grafana](https://github.com/grafana/grafana/) is a graphing tool that works well with the above two images. Our playbook also adds two dashboards for [Synapse](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) and  [Node Exporter](https://github.com/rfrail3/grafana-dashboards)

 - [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1095,6 +1095,7 @@ matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
 matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
 matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"

 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@@ -1169,6 +1170,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
    +
    ([matrix_server_fqn_grafana] if matrix_grafana_enabled else [])
    +
    ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else [])
    +
    ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
    +
    matrix_ssl_additional_domains_to_obtain_certificates_for
@@ -1341,6 +1344,12 @@ matrix_postgres_additional_databases: |
      'username': matrix_etherpad_database_username,
      'password': matrix_etherpad_database_password,
    }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else [])
    +
    ([{
      'name': matrix_sygnal_database_name,
      'username': matrix_sygnal_database_username,
      'password': matrix_sygnal_database_password,
    }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else [])
   }}

 matrix_postgres_import_roles_to_ignore: |
@@ -1365,6 +1374,32 @@ matrix_postgres_import_databases_to_ignore: |



 ######################################################################
 #
 # matrix-sygnal
 #
 ######################################################################

 # Most people don't need their own push-server, because they also need their own app to utilize it from.
 matrix_sygnal_enabled: false

 # If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal.
 matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}"

 matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}"

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_sygnal_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
 matrix_sygnal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sygnal') | to_uuid }}"

 ######################################################################
 #
 # /matrix-sygnal
 #
 ######################################################################



 ######################################################################
 #
 # matrix-redis
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -27,6 +27,9 @@ matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
 # This is where you access Grafana.
 matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"

 # This is where you access the Sygnal push gateway.
 matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"

 matrix_federation_public_port: 8448

 # The architecture that your server runs.
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -133,6 +133,10 @@ matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
 matrix_nginx_proxy_proxy_grafana_enabled: false
 matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"

 # Controls whether proxying the sygnal domain should be done.
 matrix_nginx_proxy_proxy_sygnal_enabled: false
 matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"

 # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@@ -250,6 +254,9 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).
 matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []

 # A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).
 matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []

 # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
 matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []

--- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -100,6 +100,13 @@
    mode: 0644
  when: matrix_nginx_proxy_proxy_grafana_enabled|bool

 - name: Ensure Matrix nginx-proxy configuration for sygnal domain exists
  template:
    src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2"
    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
    mode: 0644
  when: matrix_nginx_proxy_proxy_sygnal_enabled|bool

 - name: Ensure Matrix nginx-proxy configuration for Matrix domain exists
  template:
    src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2"
@@ -221,6 +228,12 @@
    state: absent
  when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool"

 - name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted
  file:
    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
    state: absent
  when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool"

 - name: Ensure Matrix nginx-proxy homepage for base domain deleted
  file:
    path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
@@ -0,0 +1,79 @@
 #jinja2: lstrip_blocks: "True"

 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
 	add_header X-Frame-Options DENY;
 {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}

 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			set $backend "matrix-sygnal:6000";
 			proxy_pass http://$backend;
 		{% else %}
 			{# Generic configuration for use outside of our container setup #}
 			proxy_pass http://127.0.0.1:6000;
 		{% endif %}

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 {% endmacro %}

 server {
 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }};

 	server_tokens off;
 	root /dev/null;

 	{% if matrix_nginx_proxy_https_enabled %}
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
 				{# Generic configuration for use outside of our container setup #}
 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
 			{% endif %}
 		}

 		location / {
 			return 301 https://$http_host$request_uri;
 		}
 	{% else %}
 		{{ render_vhost_directives() }}
 	{% endif %}
 }

 {% if matrix_nginx_proxy_https_enabled %}
 server {
 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

 	server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }};

 	server_tokens off;
 	root /dev/null;

 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem;
 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem;

 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}
 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

 	{{ render_vhost_directives() }}
 }
 {% endif %}
--- a/roles/matrix-sygnal/defaults/main.yml
+++ b/roles/matrix-sygnal/defaults/main.yml
@@ -0,0 +1,95 @@
 # Sygnal is a reference Push Gateway for Matrix.
 # To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app.
 # Learn more here: https://github.com/matrix-org/sygnal
 matrix_sygnal_enabled: false

 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
 matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"
 matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data"

 matrix_sygnal_version: v0.9.0
 matrix_sygnal_docker_image: "docker.io/matrixdotorg/sygnal:{{ matrix_sygnal_version }}"
 matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}"

 # List of systemd services that matrix-sygnal.service depends on.
 matrix_sygnal_systemd_required_services_list: ['docker.service']

 # List of systemd services that matrix-sygnal.service wants
 matrix_sygnal_systemd_wanted_services_list: []

 # Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:6000"), or empty string to not expose.
 matrix_sygnal_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_sygnal_container_extra_arguments: []

 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.
 #
 # To use Postgres:
 # - change the engine (`matrix_sygnal_database_engine: 'postgres'`)
 # - adjust your database credentials via the `matrix_sygnal_postgres_*` variables
 matrix_sygnal_database_engine: 'sqlite'

 matrix_sygnal_sqlite_database_path_local: "{{ matrix_sygnal_data_path }}/sygnal.db"
 matrix_sygnal_sqlite_database_path_in_container: "/data/sygnal.db"

 matrix_sygnal_database_username: 'matrix_sygnal'
 matrix_sygnal_database_password: 'some-password'
 matrix_sygnal_database_hostname: 'matrix-postgres'
 matrix_sygnal_database_port: 5432
 matrix_sygnal_database_name: 'matrix_sygnal'

 matrix_sygnal_database_connection_string: 'postgres://{{ matrix_sygnal_database_username }}:{{ matrix_sygnal_database_password }}@{{ matrix_sygnal_database_hostname }}:{{ matrix_sygnal_database_port }}/{{ matrix_sygnal_database_name }}'

 # A map (dictionary) of apps instances that this server works with.
 #
 # Example configuration:
 #
 # matrix_sygnal_apps:
 #   com.example.myapp.ios:
 #     type: apns
 #     # .. more configuration ..
 #   com.example.myapp.android:
 #     type: gcm
 #     api_key: your_api_key_for_gcm
 #     # .. more configuration ..
 #
 # The APNS configuration needs to reference some certificate files.
 # One can put these in the `matrix_sygnal_data_path` directory (`/matrix/sygnal/data`), mounted to `/data` in the container.
 # The `matrix_sygnal_apps` paths need to use the in-container path (`/data`).
 # To install these files via the playbook, one can use the `matrix-aux` role.
 # Examples and more details are available in `docs/configuring-playbook-sygnal.md`.
 matrix_sygnal_apps: []

 matrix_sygnal_metrics_prometheus_enabled: false

 # Default Sygnal configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_sygnal_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_sygnal_configuration_yaml: "{{ lookup('template', 'templates/sygnal.yaml.j2') }}"

 matrix_sygnal_configuration_extension_yaml: |
  # Your custom YAML configuration for Sygnal goes here.
  # This configuration extends the default starting configuration (`matrix_sygnal_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_sygnal_configuration_yaml`.
  #
  # Example configuration extension follows:
  # metrics:
  #   opentracing:
  #     enabled: true

 matrix_sygnal_configuration_extension: "{{ matrix_sygnal_configuration_extension_yaml|from_yaml if matrix_sygnal_configuration_extension_yaml|from_yaml is mapping else {} }}"

 # Holds the final sygnal configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_sygnal_configuration_yaml`.
 matrix_sygnal_configuration: "{{ matrix_sygnal_configuration_yaml|from_yaml|combine(matrix_sygnal_configuration_extension, recursive=True) }}"
--- a/roles/matrix-sygnal/tasks/init.yml
+++ b/roles/matrix-sygnal/tasks/init.yml
@@ -0,0 +1,3 @@
 - set_fact:
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}"
  when: matrix_sygnal_enabled|bool
--- a/roles/matrix-sygnal/tasks/main.yml
+++ b/roles/matrix-sygnal/tasks/main.yml
@@ -0,0 +1,21 @@
 - import_tasks: "{{ role_path }}/tasks/init.yml"
  tags:
    - always

 - import_tasks: "{{ role_path }}/tasks/validate_config.yml"
  when: run_setup|bool
  tags:
    - setup-all
    - setup-sygnal

 - import_tasks: "{{ role_path }}/tasks/setup_install.yml"
  when: run_setup|bool and matrix_sygnal_enabled|bool
  tags:
    - setup-all
    - setup-sygnal

 - import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  when: run_setup|bool and not matrix_sygnal_enabled|bool
  tags:
    - setup-all
    - setup-sygnal
--- a/roles/matrix-sygnal/tasks/setup_install.yml
+++ b/roles/matrix-sygnal/tasks/setup_install.yml
@@ -0,0 +1,73 @@
 ---

 - set_fact:
    matrix_sygnal_requires_restart: false

 - block:
    - name: Check if an SQLite database already exists
      stat:
        path: "{{ matrix_sygnal_sqlite_database_path_local }}"
      register: matrix_sygnal_sqlite_database_path_local_stat_result

    - block:
        - set_fact:
            matrix_postgres_db_migration_request:
              src: "{{ matrix_sygnal_sqlite_database_path_local }}"
              dst: "{{ matrix_sygnal_database_connection_string }}"
              caller: "{{ role_path|basename }}"
              engine_variable_name: 'matrix_sygnal_database_engine'
              engine_old: 'sqlite'
              systemd_services_to_stop: ['matrix-sygnal.service']
              pgloader_options: ['--with "quote identifiers"']

        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"

        - set_fact:
            matrix_sygnal_requires_restart: true
      when: "matrix_sygnal_sqlite_database_path_local_stat_result.stat.exists|bool"
  when: "matrix_sygnal_database_engine == 'postgres'"

 - name: Ensure Sygnal image is pulled
  docker_image:
    name: "{{ matrix_sygnal_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}"

 - name: Ensure Sygnal paths exists
  file:
    path: "{{ item }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - "{{ matrix_sygnal_base_path }}"
    - "{{ matrix_sygnal_config_path }}"
    - "{{ matrix_sygnal_data_path }}"

 - name: Ensure Sygnal config installed
  copy:
    content: "{{ matrix_sygnal_configuration|to_nice_yaml }}"
    dest: "{{ matrix_sygnal_config_path }}/sygnal.yaml"
    mode: 0640
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"

 - name: Ensure matrix-sygnal.service installed
  template:
    src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2"
    dest: "{{ matrix_systemd_path }}/matrix-sygnal.service"
    mode: 0644
  register: matrix_sygnal_systemd_service_result

 - name: Ensure systemd reloaded after matrix-sygnal.service installation
  service:
    daemon_reload: yes
  when: "matrix_sygnal_systemd_service_result.changed|bool"

 - name: Ensure matrix-sygnal.service restarted, if necessary
  service:
    name: "matrix-sygnal.service"
    state: restarted
  when: "matrix_sygnal_requires_restart|bool"
--- a/roles/matrix-sygnal/tasks/setup_uninstall.yml
+++ b/roles/matrix-sygnal/tasks/setup_uninstall.yml
@@ -0,0 +1,35 @@
 ---

 - name: Check existence of matrix-sygnal service
  stat:
    path: "{{ matrix_systemd_path }}/matrix-sygnal.service"
  register: matrix_sygnal_service_stat

 - name: Ensure matrix-sygnal is stopped
  service:
    name: matrix-sygnal
    state: stopped
    daemon_reload: yes
  register: stopping_result
  when: "matrix_sygnal_service_stat.stat.exists|bool"

 - name: Ensure matrix-sygnal.service doesn't exist
  file:
    path: "{{ matrix_systemd_path }}/matrix-sygnal.service"
    state: absent
  when: "matrix_sygnal_service_stat.stat.exists|bool"

 - name: Ensure systemd reloaded after matrix-sygnal.service removal
  service:
    daemon_reload: yes
  when: "matrix_sygnal_service_stat.stat.exists|bool"

 - name: Ensure Sygnal base directory doesn't exist
  file:
    path: "{{ matrix_sygnal_base_path }}"
    state: absent

 - name: Ensure Sygnal Docker image doesn't exist
  docker_image:
    name: "{{ matrix_sygnal_docker_image }}"
    state: absent
--- a/roles/matrix-sygnal/tasks/validate_config.yml
+++ b/roles/matrix-sygnal/tasks/validate_config.yml
@@ -0,0 +1,7 @@
 - name: Fail if no Sygnal apps defined
  fail:
    msg: >-
      Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps`
  with_items:
    - "matrix_sygnal_access_token"
  when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0"
--- a/roles/matrix-sygnal/templates/sygnal.yaml.j2
+++ b/roles/matrix-sygnal/templates/sygnal.yaml.j2
@@ -0,0 +1,288 @@
 ##
 # This is a configuration for Sygnal, the reference Push Gateway for Matrix
 # See: matrix.org
 ##

 # The 'database' setting defines the database that sygnal uses to store all of
 # its data.
 #
 # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
 # 'psycopg2' (for PostgreSQL).
 #
 # 'args' gives options which are passed through to the database engine,
 # except for options starting 'cp_', which are used to configure the Twisted
 # connection pool. For a reference to valid arguments, see:
 #   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
 #   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
 #   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
 #
 #
 # Example SQLite configuration:
 #
 #database:
 #  name: sqlite3
 #  args:
 #    dbfile: /path/to/database.db
 #
 #
 # Example Postgres configuration:
 #
 #database:
 #  name: psycopg2
 #  args:
 #    host: localhost
 #    database: sygnal
 #    user: sygnal
 #    password: pass
 #    cp_min: 1
 #    cp_max: 5
 #
 {% if matrix_sygnal_database_engine == 'sqlite' %}
 database:
  name: sqlite3
  args:
    dbfile: {{ matrix_sygnal_sqlite_database_path_in_container|to_json }}
 {% else %}
 database:
  name: psycopg2
  args:
    host: {{ matrix_sygnal_database_hostname|to_json }}
    database: {{ matrix_sygnal_database_name|to_json }}
    user: {{ matrix_sygnal_database_username|to_json }}
    password: {{ matrix_sygnal_database_password|to_json }}
    cp_min: 1
    cp_max: 5
 {% endif %}

 ## Logging #
 #
 log:
  # Specify a Python logging 'dictConfig', as described at:
  #   https://docs.python.org/3.7/library/logging.config.html#logging.config.dictConfig
  #
  setup:
    version: 1
    formatters:
      normal:
        format: "%(asctime)s [%(process)d] %(levelname)-5s %(name)s %(message)s"
    handlers:
      # This handler prints to Standard Error
      #
      stderr:
        class: "logging.StreamHandler"
        formatter: "normal"
        stream: "ext://sys.stderr"

      # This handler prints to Standard Output.
      #
      stdout:
        class: "logging.StreamHandler"
        formatter: "normal"
        stream: "ext://sys.stdout"

      # This handler demonstrates logging to a text file on the filesystem.
      # You can use logrotate(8) to perform log rotation.
      #
      #file:
      #  class: "logging.handlers.WatchedFileHandler"
      #  formatter: "normal"
      #  filename: "./sygnal.log"
    loggers:
      # sygnal.access contains the access logging lines.
      # Comment out this section if you don't want to give access logging
      # any special treatment.
      #
      sygnal.access:
        propagate: false
        handlers: ["stdout"]
        level: "INFO"

      # sygnal contains log lines from Sygnal itself.
      # You can comment out this section to fall back to the root logger.
      #
      sygnal:
        propagate: false
        handlers: ["stderr"]

    root:
      # Specify the handler(s) to send log messages to.
      handlers: ["stderr"]
      level: "INFO"

    disable_existing_loggers: false


  access:
    # Specify whether or not to trust the IP address in the `X-Forwarded-For`
    # header. In general, you want to enable this if and only if you are using a
    # reverse proxy which is configured to emit it.
    #
    x_forwarded_for: true

 ## HTTP Server (Matrix Push Gateway API) #
 #
 http:
  # Specify a list of interface addresses to bind to.
  #
  # This example listens on the IPv4 loopback device:
  #bind_addresses: ['127.0.0.1']
  # This example listens on all IPv4 interfaces:
  #bind_addresses: ['0.0.0.0']
  # This example listens on all IPv4 and IPv6 interfaces:
  #bind_addresses: ['0.0.0.0', '::']
  bind_addresses: ['::']

  # Specify the port number to listen on.
  #
  port: 6000

 ## Proxying for outgoing connections #
 #
 # Specify the URL of a proxy to use for outgoing traffic
 # (e.g. to Apple & Google) if desired.
 # Currently only HTTP proxies with CONNECT capability are supported.
 #
 # If you do not specify a value, the `HTTPS_PROXY` environment variable will
 # be used if present. Otherwise, no proxy will be used.
 #
 # Default is unspecified.
 #
 #proxy: 'http://user:secret@prox:8080'

 ## Metrics #
 #
 metrics:
  ## Prometheus #
  #
  prometheus:
    # Specify whether or not to enable Prometheus.
    #
    enabled: false

    # Specify an address for the Prometheus HTTP Server to listen on.
    #
    address: '0.0.0.0'

    # Specify a port for the Prometheus HTTP Server to listen on.
    #
    port: 8000

  ## OpenTracing #
  #
  opentracing:
    # Specify whether or not to enable OpenTracing.
    #
    enabled: false

    # Specify an implementation of OpenTracing to use. Currently only 'jaeger'
    # is supported.
    #
    implementation: jaeger

    # Specify the service name to be reported to the tracer.
    #
    service_name: sygnal

    # Specify configuration values to pass to jaeger_client.
    #
    jaeger:
      sampler:
        type: 'const'
        param: 1
 #        local_agent:
 #          reporting_host: '127.0.0.1'
 #          reporting_port:
      logging: true

  ## Sentry #
  #
  sentry:
    # Specify whether or not to enable Sentry.
    #
    enabled: false

    # Specify your Sentry DSN if you enable Sentry
    #
    #dsn: "https://<key>@sentry.example.org/<project>"

 ## Pushkins/Apps #
 #
 # Add a section for every push application here.
 # Specify the pushkey for the application and also the type.
 # For the type, you may specify a fully-qualified Python classname if desired.
 #
 #apps:
  # This is an example APNs push configuration
  #
  #com.example.myapp.ios:
  #  type: apns
  #
  #  # Authentication
  #  #
  #  # Two methods of authentication to APNs are currently supported.
  #  #
  #  # You can authenticate using a key:
  #  keyfile: my_key.p8
  #  key_id: MY_KEY_ID
  #  team_id: MY_TEAM_ID
  #  topic: MY_TOPIC
  #
  #  # Or, a certificate can be used instead:
  #  certfile: com.example.myApp_prod_APNS.pem
  #
  #  # This is the maximum number of in-flight requests *for this pushkin*
  #  # before additional notifications will be failed.
  #  # (This is a robustness measure to prevent one pushkin stacking up with
  #  #  queued requests and saturating the inbound connection queue of a load
  #  #  balancer or reverse proxy).
  #  # Defaults to 512 if unset.
  #  #
  #  #inflight_request_limit: 512
  #
  #  # Specifies whether to use the production or sandbox APNs server. Note that
  #  # sandbox tokens should only be used with the sandbox server and vice versa.
  #  #
  #  # Valid options are:
  #  #   * production
  #  #   * sandbox
  #  #
  #  # The default is 'production'. Uncomment to use the sandbox instance.
  #  #platform: sandbox

  # This is an example GCM/FCM push configuration.
  #
  #com.example.myapp.android:
  #  type: gcm
  #  api_key: your_api_key_for_gcm
  #
  #  # This is the maximum number of connections to GCM servers at any one time
  #  # the default is 20.
  #  #max_connections: 20
  #
  #  # This is the maximum number of in-flight requests *for this pushkin*
  #  # before additional notifications will be failed.
  #  # (This is a robustness measure to prevent one pushkin stacking up with
  #  #  queued requests and saturating the inbound connection queue of a load
  #  #  balancer or reverse proxy).
  #  # Defaults to 512 if unset.
  #  #
  #  #inflight_request_limit: 512
  #
  #  # This allows you to specify additional options to send to Firebase.
  #  #
  #  # Of particular interest, admins who wish to support iOS apps using Firebase
  #  # probably wish to set content_available, and may need to set mutable_content.
  #  # (content_available allows your iOS app to be woken up by data messages,
  #  # and mutable_content allows your notification to be modified by a
  #  # Notification Service app extension).
  #  #
  #  # See https://firebase.google.com/docs/cloud-messaging/http-server-ref
  #  # for the exhaustive list of valid options.
  #  #
  #  # Do not specify `data`, `priority`, `to` or `registration_ids` as they may
  #  # be overwritten or lead to an invalid request.
  #  #
  #  #fcm_options:
  #  #  content_available: true
  #  #  mutable_content: true
 apps: {{ matrix_sygnal_apps|to_json }}
--- a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2
+++ b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2
@@ -0,0 +1,42 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Sygnal
 {% for service in matrix_sygnal_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_sygnal_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}
 DefaultDependencies=no

 [Service]
 Type=simple
 Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null'
 ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null'

 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--env=SYGNAL_CONF=/config/sygnal.yaml \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_sygnal_container_http_host_bind_port %}
 			-p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \
 			{% endif %}
 			--mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \
 			{% for arg in matrix_sygnal_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_sygnal_docker_image }}

 ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null'
 ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-sygnal

 [Install]
 WantedBy=multi-user.target
--- a/setup.yml
+++ b/setup.yml
@@ -46,6 +46,7 @@
    - matrix-dimension
    - matrix-etherpad
    - matrix-email2matrix
    - matrix-sygnal
    - matrix-nginx-proxy
    - matrix-coturn
    - matrix-aux