Add Sygnal support

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683

CHANGELOG.md

@@ -1,3 +1,15 @@
+
+# 2021-03-20
+
+## Sygnal push gateway support
+
+The playbook can now install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you.
+
+This is only useful to people who develop/build their own Matrix client applications.
+
+Additional details are available in our [Setting up Sygnal](docs/configuring-playbook-sygnal.md) docs.
+
+
 # 2021-03-16
 
 ## Go-NEB support

README.md

@@ -99,6 +99,8 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation
 
+- (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation
+
 Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
 
 **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.

docs/configuring-dns.md

@@ -35,6 +35,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
 | CNAME | `jitsi` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `stats` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `goneb` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `sygnal` (*)                 | -        | -      | -    | `matrix.<your-domain>` |
 
 ## Subdomains setup
 
@@ -51,6 +52,8 @@ The `stats.<your-domain>` subdomain may be necessary, because this playbook coul
 
 The `goneb.<your-domain>` subdomain may be necessary, because this playbook could install the [Go-NEB](https://github.com/matrix-org/go-neb) bot. The installation of Go-NEB is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Go-NEB guide](configuring-playbook-bot-go-neb.md). If you do not wish to set up Go-NEB, feel free to skip the `goneb.<your-domain>` DNS record.
 
+The `sygnal.<your-domain>` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.<your-domain>` DNS record.
+
 
 ## `_matrix-identity._tcp` SRV record setup
 

docs/configuring-playbook-sygnal.md

@@ -0,0 +1,71 @@
+# Setting up Sygnal (optional)
+
+The playbook can install and configure the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you.
+
+See the project's [documentation](https://github.com/matrix-org/sygnal) to learn what it does and why it might be useful to you.
+
+**Note**: most people don't need to install their own gateway. As Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) documentation says:
+
+> It is not feasible to allow end-users to configure their own Sygnal instance, because the Sygnal instance needs the appropriate FCM or APNs secrets that belong to the application.
+
+This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves.
+
+
+## Adjusting the playbook configuration
+
+Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
+
+```yaml
+matrix_sygnal_enabled: true
+
+# You need at least 1 app defined.
+# The configuration below is incomplete. Read more below.
+matrix_sygnal_apps:
+  com.example.myapp.ios:
+    type: apns
+	keyfile: /data/my_key.p8
+    # .. more configuration ..
+  com.example.myapp.android:
+    type: gcm
+    api_key: your_api_key_for_gcm
+    # .. more configuration ..
+
+matrix_aux_file_definitions:
+  - dest: "{{ matrix_sygnal_data_path }}/my_key.p8"
+    content: |
+      some
+      content
+      here
+    mode: '0600'
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+```
+
+For a more complete example of available fields and values they can take, see `roles/matrix-sygnal/templates/sygnal.yaml.j2` (or the [upstream `sygnal.yaml.sample` configuration file](https://github.com/matrix-org/sygnal/blob/master/sygnal.yaml.sample)).
+
+Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easier, as it only requires that you provide some config values.
+
+To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files.
+To do that, the above example configuration:
+
+- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`.
+
+- references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container)
+
+
+## Installing
+
+Don't forget to add `sygnal.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
+
+After configuring the playbook, run the [installation](installing.md) command again:
+
+```
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+
+## Usage
+
+To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server.
+
+Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document.

docs/configuring-playbook.md

@@ -132,3 +132,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional)
 
 - [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (optional)
+
+
+### Other specialized services
+
+- [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional)

docs/container-images.md

@@ -97,3 +97,5 @@ These services are not part of our default installation, but can be enabled by [
 - [prom/node-exporter](https://hub.docker.com/r/prom/node-exporter/) - [Prometheus Node Exporter](https://github.com/prometheus/node_exporter/) is an addon for Prometheus that gathers standard system metrics
 
 - [grafana/grafana](https://hub.docker.com/r/grafana/grafana/) - [Grafana](https://github.com/grafana/grafana/) is a graphing tool that works well with the above two images. Our playbook also adds two dashboards for [Synapse](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) and  [Node Exporter](https://github.com/rfrail3/grafana-dashboards)
+
+- [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix

group_vars/matrix_servers

@@ -1095,6 +1095,7 @@ matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
 matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
+matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
 
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@@ -1169,6 +1170,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
     +
     ([matrix_server_fqn_grafana] if matrix_grafana_enabled else [])
     +
+    ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else [])
+    +
     ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
     +
     matrix_ssl_additional_domains_to_obtain_certificates_for
@@ -1341,6 +1344,12 @@ matrix_postgres_additional_databases: |
       'username': matrix_etherpad_database_username,
       'password': matrix_etherpad_database_password,
     }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_sygnal_database_name,
+      'username': matrix_sygnal_database_username,
+      'password': matrix_sygnal_database_password,
+    }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else [])
    }}
 
 matrix_postgres_import_roles_to_ignore: |
@@ -1365,6 +1374,32 @@ matrix_postgres_import_databases_to_ignore: |
 
 
 
+######################################################################
+#
+# matrix-sygnal
+#
+######################################################################
+
+# Most people don't need their own push-server, because they also need their own app to utilize it from.
+matrix_sygnal_enabled: false
+
+# If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal.
+matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}"
+
+matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}"
+
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_sygnal_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_sygnal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sygnal') | to_uuid }}"
+
+######################################################################
+#
+# /matrix-sygnal
+#
+######################################################################
+
+
+
 ######################################################################
 #
 # matrix-redis

roles/matrix-base/defaults/main.yml

@@ -27,6 +27,9 @@ matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
 # This is where you access Grafana.
 matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"
 
+# This is where you access the Sygnal push gateway.
+matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"
+
 matrix_federation_public_port: 8448
 
 # The architecture that your server runs.

roles/matrix-nginx-proxy/defaults/main.yml

@@ -133,6 +133,10 @@ matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
 matrix_nginx_proxy_proxy_grafana_enabled: false
 matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
 
+# Controls whether proxying the sygnal domain should be done.
+matrix_nginx_proxy_proxy_sygnal_enabled: false
+matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
+
 # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@@ -250,6 +254,9 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).
 matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []
 
+# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).
+matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
+
 # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
 matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
 

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -100,6 +100,13 @@
     mode: 0644
   when: matrix_nginx_proxy_proxy_grafana_enabled|bool
 
+- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_sygnal_enabled|bool
+
 - name: Ensure Matrix nginx-proxy configuration for Matrix domain exists
   template:
     src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2"
@@ -221,6 +228,12 @@
     state: absent
   when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool"
 
+- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool"
+
 - name: Ensure Matrix nginx-proxy homepage for base domain deleted
   file:
     path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2

@@ -0,0 +1,79 @@
+#jinja2: lstrip_blocks: "True"
+
+{% macro render_vhost_directives() %}
+	gzip on;
+	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	add_header X-Content-Type-Options nosniff;
+	add_header X-Frame-Options DENY;
+{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
+	{{- configuration_block }}
+{% endfor %}
+
+	location / {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-sygnal:6000";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://127.0.0.1:6000;
+		{% endif %}
+
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+{% endmacro %}
+
+server {
+	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
+	server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	{% if matrix_nginx_proxy_https_enabled %}
+		location /.well-known/acme-challenge {
+			{% if matrix_nginx_proxy_enabled %}
+				{# Use the embedded DNS resolver in Docker containers to discover the service #}
+				resolver 127.0.0.11 valid=5s;
+				set $backend "matrix-certbot:8080";
+				proxy_pass http://$backend;
+			{% else %}
+				{# Generic configuration for use outside of our container setup #}
+				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
+			{% endif %}
+		}
+
+		location / {
+			return 301 https://$http_host$request_uri;
+		}
+	{% else %}
+		{{ render_vhost_directives() }}
+	{% endif %}
+}
+
+{% if matrix_nginx_proxy_https_enabled %}
+server {
+	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+
+	server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem;
+
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
+	{% if matrix_nginx_proxy_ssl_ciphers != '' %}
+	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
+	{% endif %}
+	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
+
+	{{ render_vhost_directives() }}
+}
+{% endif %}

roles/matrix-sygnal/defaults/main.yml

@@ -0,0 +1,95 @@
+# Sygnal is a reference Push Gateway for Matrix.
+# To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app.
+# Learn more here: https://github.com/matrix-org/sygnal
+matrix_sygnal_enabled: false
+
+matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
+matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"
+matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data"
+
+matrix_sygnal_version: v0.9.0
+matrix_sygnal_docker_image: "docker.io/matrixdotorg/sygnal:{{ matrix_sygnal_version }}"
+matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}"
+
+# List of systemd services that matrix-sygnal.service depends on.
+matrix_sygnal_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-sygnal.service wants
+matrix_sygnal_systemd_wanted_services_list: []
+
+# Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:6000"), or empty string to not expose.
+matrix_sygnal_container_http_host_bind_port: ''
+
+# A list of extra arguments to pass to the container
+matrix_sygnal_container_extra_arguments: []
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_sygnal_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_sygnal_postgres_*` variables
+matrix_sygnal_database_engine: 'sqlite'
+
+matrix_sygnal_sqlite_database_path_local: "{{ matrix_sygnal_data_path }}/sygnal.db"
+matrix_sygnal_sqlite_database_path_in_container: "/data/sygnal.db"
+
+matrix_sygnal_database_username: 'matrix_sygnal'
+matrix_sygnal_database_password: 'some-password'
+matrix_sygnal_database_hostname: 'matrix-postgres'
+matrix_sygnal_database_port: 5432
+matrix_sygnal_database_name: 'matrix_sygnal'
+
+matrix_sygnal_database_connection_string: 'postgres://{{ matrix_sygnal_database_username }}:{{ matrix_sygnal_database_password }}@{{ matrix_sygnal_database_hostname }}:{{ matrix_sygnal_database_port }}/{{ matrix_sygnal_database_name }}'
+
+# A map (dictionary) of apps instances that this server works with.
+#
+# Example configuration:
+#
+# matrix_sygnal_apps:
+#   com.example.myapp.ios:
+#     type: apns
+#     # .. more configuration ..
+#   com.example.myapp.android:
+#     type: gcm
+#     api_key: your_api_key_for_gcm
+#     # .. more configuration ..
+#
+# The APNS configuration needs to reference some certificate files.
+# One can put these in the `matrix_sygnal_data_path` directory (`/matrix/sygnal/data`), mounted to `/data` in the container.
+# The `matrix_sygnal_apps` paths need to use the in-container path (`/data`).
+# To install these files via the playbook, one can use the `matrix-aux` role.
+# Examples and more details are available in `docs/configuring-playbook-sygnal.md`.
+matrix_sygnal_apps: []
+
+matrix_sygnal_metrics_prometheus_enabled: false
+
+# Default Sygnal configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_sygnal_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_sygnal_configuration_yaml: "{{ lookup('template', 'templates/sygnal.yaml.j2') }}"
+
+matrix_sygnal_configuration_extension_yaml: |
+  # Your custom YAML configuration for Sygnal goes here.
+  # This configuration extends the default starting configuration (`matrix_sygnal_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_sygnal_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  # metrics:
+  #   opentracing:
+  #     enabled: true
+
+matrix_sygnal_configuration_extension: "{{ matrix_sygnal_configuration_extension_yaml|from_yaml if matrix_sygnal_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final sygnal configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_sygnal_configuration_yaml`.
+matrix_sygnal_configuration: "{{ matrix_sygnal_configuration_yaml|from_yaml|combine(matrix_sygnal_configuration_extension, recursive=True) }}"

roles/matrix-sygnal/tasks/init.yml

@@ -0,0 +1,3 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}"
+  when: matrix_sygnal_enabled|bool

roles/matrix-sygnal/tasks/main.yml

@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-sygnal
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: run_setup|bool and matrix_sygnal_enabled|bool
+  tags:
+    - setup-all
+    - setup-sygnal
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: run_setup|bool and not matrix_sygnal_enabled|bool
+  tags:
+    - setup-all
+    - setup-sygnal

roles/matrix-sygnal/tasks/setup_install.yml

@@ -0,0 +1,73 @@
+---
+
+- set_fact:
+    matrix_sygnal_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_sygnal_sqlite_database_path_local }}"
+      register: matrix_sygnal_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_sygnal_sqlite_database_path_local }}"
+              dst: "{{ matrix_sygnal_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_sygnal_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-sygnal.service']
+              pgloader_options: ['--with "quote identifiers"']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_sygnal_requires_restart: true
+      when: "matrix_sygnal_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_sygnal_database_engine == 'postgres'"
+
+- name: Ensure Sygnal image is pulled
+  docker_image:
+    name: "{{ matrix_sygnal_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}"
+
+- name: Ensure Sygnal paths exists
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_sygnal_base_path }}"
+    - "{{ matrix_sygnal_config_path }}"
+    - "{{ matrix_sygnal_data_path }}"
+
+- name: Ensure Sygnal config installed
+  copy:
+    content: "{{ matrix_sygnal_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_sygnal_config_path }}/sygnal.yaml"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-sygnal.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-sygnal.service"
+    mode: 0644
+  register: matrix_sygnal_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-sygnal.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_sygnal_systemd_service_result.changed|bool"
+
+- name: Ensure matrix-sygnal.service restarted, if necessary
+  service:
+    name: "matrix-sygnal.service"
+    state: restarted
+  when: "matrix_sygnal_requires_restart|bool"

roles/matrix-sygnal/tasks/setup_uninstall.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Check existence of matrix-sygnal service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-sygnal.service"
+  register: matrix_sygnal_service_stat
+
+- name: Ensure matrix-sygnal is stopped
+  service:
+    name: matrix-sygnal
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_sygnal_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-sygnal.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-sygnal.service"
+    state: absent
+  when: "matrix_sygnal_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-sygnal.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_sygnal_service_stat.stat.exists|bool"
+
+- name: Ensure Sygnal base directory doesn't exist
+  file:
+    path: "{{ matrix_sygnal_base_path }}"
+    state: absent
+
+- name: Ensure Sygnal Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_sygnal_docker_image }}"
+    state: absent

roles/matrix-sygnal/tasks/validate_config.yml

@@ -0,0 +1,7 @@
+- name: Fail if no Sygnal apps defined
+  fail:
+    msg: >-
+      Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps`
+  with_items:
+    - "matrix_sygnal_access_token"
+  when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0"

roles/matrix-sygnal/templates/sygnal.yaml.j2

@@ -0,0 +1,288 @@
+##
+# This is a configuration for Sygnal, the reference Push Gateway for Matrix
+# See: matrix.org
+##
+
+# The 'database' setting defines the database that sygnal uses to store all of
+# its data.
+#
+# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
+# 'psycopg2' (for PostgreSQL).
+#
+# 'args' gives options which are passed through to the database engine,
+# except for options starting 'cp_', which are used to configure the Twisted
+# connection pool. For a reference to valid arguments, see:
+#   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+#   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
+#   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
+#
+#
+# Example SQLite configuration:
+#
+#database:
+#  name: sqlite3
+#  args:
+#    dbfile: /path/to/database.db
+#
+#
+# Example Postgres configuration:
+#
+#database:
+#  name: psycopg2
+#  args:
+#    host: localhost
+#    database: sygnal
+#    user: sygnal
+#    password: pass
+#    cp_min: 1
+#    cp_max: 5
+#
+{% if matrix_sygnal_database_engine == 'sqlite' %}
+database:
+  name: sqlite3
+  args:
+    dbfile: {{ matrix_sygnal_sqlite_database_path_in_container|to_json }}
+{% else %}
+database:
+  name: psycopg2
+  args:
+    host: {{ matrix_sygnal_database_hostname|to_json }}
+    database: {{ matrix_sygnal_database_name|to_json }}
+    user: {{ matrix_sygnal_database_username|to_json }}
+    password: {{ matrix_sygnal_database_password|to_json }}
+    cp_min: 1
+    cp_max: 5
+{% endif %}
+
+## Logging #
+#
+log:
+  # Specify a Python logging 'dictConfig', as described at:
+  #   https://docs.python.org/3.7/library/logging.config.html#logging.config.dictConfig
+  #
+  setup:
+    version: 1
+    formatters:
+      normal:
+        format: "%(asctime)s [%(process)d] %(levelname)-5s %(name)s %(message)s"
+    handlers:
+      # This handler prints to Standard Error
+      #
+      stderr:
+        class: "logging.StreamHandler"
+        formatter: "normal"
+        stream: "ext://sys.stderr"
+
+      # This handler prints to Standard Output.
+      #
+      stdout:
+        class: "logging.StreamHandler"
+        formatter: "normal"
+        stream: "ext://sys.stdout"
+
+      # This handler demonstrates logging to a text file on the filesystem.
+      # You can use logrotate(8) to perform log rotation.
+      #
+      #file:
+      #  class: "logging.handlers.WatchedFileHandler"
+      #  formatter: "normal"
+      #  filename: "./sygnal.log"
+    loggers:
+      # sygnal.access contains the access logging lines.
+      # Comment out this section if you don't want to give access logging
+      # any special treatment.
+      #
+      sygnal.access:
+        propagate: false
+        handlers: ["stdout"]
+        level: "INFO"
+
+      # sygnal contains log lines from Sygnal itself.
+      # You can comment out this section to fall back to the root logger.
+      #
+      sygnal:
+        propagate: false
+        handlers: ["stderr"]
+
+    root:
+      # Specify the handler(s) to send log messages to.
+      handlers: ["stderr"]
+      level: "INFO"
+
+    disable_existing_loggers: false
+
+
+  access:
+    # Specify whether or not to trust the IP address in the `X-Forwarded-For`
+    # header. In general, you want to enable this if and only if you are using a
+    # reverse proxy which is configured to emit it.
+    #
+    x_forwarded_for: true
+
+## HTTP Server (Matrix Push Gateway API) #
+#
+http:
+  # Specify a list of interface addresses to bind to.
+  #
+  # This example listens on the IPv4 loopback device:
+  #bind_addresses: ['127.0.0.1']
+  # This example listens on all IPv4 interfaces:
+  #bind_addresses: ['0.0.0.0']
+  # This example listens on all IPv4 and IPv6 interfaces:
+  #bind_addresses: ['0.0.0.0', '::']
+  bind_addresses: ['::']
+
+  # Specify the port number to listen on.
+  #
+  port: 6000
+
+## Proxying for outgoing connections #
+#
+# Specify the URL of a proxy to use for outgoing traffic
+# (e.g. to Apple & Google) if desired.
+# Currently only HTTP proxies with CONNECT capability are supported.
+#
+# If you do not specify a value, the `HTTPS_PROXY` environment variable will
+# be used if present. Otherwise, no proxy will be used.
+#
+# Default is unspecified.
+#
+#proxy: 'http://user:secret@prox:8080'
+
+## Metrics #
+#
+metrics:
+  ## Prometheus #
+  #
+  prometheus:
+    # Specify whether or not to enable Prometheus.
+    #
+    enabled: false
+
+    # Specify an address for the Prometheus HTTP Server to listen on.
+    #
+    address: '0.0.0.0'
+
+    # Specify a port for the Prometheus HTTP Server to listen on.
+    #
+    port: 8000
+
+  ## OpenTracing #
+  #
+  opentracing:
+    # Specify whether or not to enable OpenTracing.
+    #
+    enabled: false
+
+    # Specify an implementation of OpenTracing to use. Currently only 'jaeger'
+    # is supported.
+    #
+    implementation: jaeger
+
+    # Specify the service name to be reported to the tracer.
+    #
+    service_name: sygnal
+
+    # Specify configuration values to pass to jaeger_client.
+    #
+    jaeger:
+      sampler:
+        type: 'const'
+        param: 1
+#        local_agent:
+#          reporting_host: '127.0.0.1'
+#          reporting_port:
+      logging: true
+
+  ## Sentry #
+  #
+  sentry:
+    # Specify whether or not to enable Sentry.
+    #
+    enabled: false
+
+    # Specify your Sentry DSN if you enable Sentry
+    #
+    #dsn: "https://<key>@sentry.example.org/<project>"
+
+## Pushkins/Apps #
+#
+# Add a section for every push application here.
+# Specify the pushkey for the application and also the type.
+# For the type, you may specify a fully-qualified Python classname if desired.
+#
+#apps:
+  # This is an example APNs push configuration
+  #
+  #com.example.myapp.ios:
+  #  type: apns
+  #
+  #  # Authentication
+  #  #
+  #  # Two methods of authentication to APNs are currently supported.
+  #  #
+  #  # You can authenticate using a key:
+  #  keyfile: my_key.p8
+  #  key_id: MY_KEY_ID
+  #  team_id: MY_TEAM_ID
+  #  topic: MY_TOPIC
+  #
+  #  # Or, a certificate can be used instead:
+  #  certfile: com.example.myApp_prod_APNS.pem
+  #
+  #  # This is the maximum number of in-flight requests *for this pushkin*
+  #  # before additional notifications will be failed.
+  #  # (This is a robustness measure to prevent one pushkin stacking up with
+  #  #  queued requests and saturating the inbound connection queue of a load
+  #  #  balancer or reverse proxy).
+  #  # Defaults to 512 if unset.
+  #  #
+  #  #inflight_request_limit: 512
+  #
+  #  # Specifies whether to use the production or sandbox APNs server. Note that
+  #  # sandbox tokens should only be used with the sandbox server and vice versa.
+  #  #
+  #  # Valid options are:
+  #  #   * production
+  #  #   * sandbox
+  #  #
+  #  # The default is 'production'. Uncomment to use the sandbox instance.
+  #  #platform: sandbox
+
+  # This is an example GCM/FCM push configuration.
+  #
+  #com.example.myapp.android:
+  #  type: gcm
+  #  api_key: your_api_key_for_gcm
+  #
+  #  # This is the maximum number of connections to GCM servers at any one time
+  #  # the default is 20.
+  #  #max_connections: 20
+  #
+  #  # This is the maximum number of in-flight requests *for this pushkin*
+  #  # before additional notifications will be failed.
+  #  # (This is a robustness measure to prevent one pushkin stacking up with
+  #  #  queued requests and saturating the inbound connection queue of a load
+  #  #  balancer or reverse proxy).
+  #  # Defaults to 512 if unset.
+  #  #
+  #  #inflight_request_limit: 512
+  #
+  #  # This allows you to specify additional options to send to Firebase.
+  #  #
+  #  # Of particular interest, admins who wish to support iOS apps using Firebase
+  #  # probably wish to set content_available, and may need to set mutable_content.
+  #  # (content_available allows your iOS app to be woken up by data messages,
+  #  # and mutable_content allows your notification to be modified by a
+  #  # Notification Service app extension).
+  #  #
+  #  # See https://firebase.google.com/docs/cloud-messaging/http-server-ref
+  #  # for the exhaustive list of valid options.
+  #  #
+  #  # Do not specify `data`, `priority`, `to` or `registration_ids` as they may
+  #  # be overwritten or lead to an invalid request.
+  #  #
+  #  #fcm_options:
+  #  #  content_available: true
+  #  #  mutable_content: true
+apps: {{ matrix_sygnal_apps|to_json }}

roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2

@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Sygnal
+{% for service in matrix_sygnal_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_sygnal_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null'
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--env=SYGNAL_CONF=/config/sygnal.yaml \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_sygnal_container_http_host_bind_port %}
+			-p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \
+			{% endif %}
+			--mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \
+			--mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \
+			{% for arg in matrix_sygnal_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_sygnal_docker_image }}
+
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null'
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-sygnal
+
+[Install]
+WantedBy=multi-user.target

setup.yml

@@ -46,6 +46,7 @@
     - matrix-dimension
     - matrix-etherpad
     - matrix-email2matrix
+    - matrix-sygnal
     - matrix-nginx-proxy
     - matrix-coturn
     - matrix-aux