From 56548430c050b9360b4793ced06f9783da9a0395 Mon Sep 17 00:00:00 2001 From: Saibotk Date: Sun, 24 Sep 2023 14:24:53 +0200 Subject: [PATCH] feat: Add matrix sliding sync role --- playbooks/matrix_sliding_sync.yml | 27 ++++++ roles/matrix_delegate/defaults/main.yml | 4 + .../templates/client-delegation.json | 6 +- roles/matrix_sliding_sync/README.md | 31 ++++++ roles/matrix_sliding_sync/defaults/main.yml | 54 +++++++++++ roles/matrix_sliding_sync/meta/main.yml | 45 +++++++++ roles/matrix_sliding_sync/tasks/main.yml | 77 +++++++++++++++ .../templates/docker-compose.yml | 97 +++++++++++++++++++ 8 files changed, 340 insertions(+), 1 deletion(-) create mode 100644 playbooks/matrix_sliding_sync.yml create mode 100644 roles/matrix_sliding_sync/README.md create mode 100644 roles/matrix_sliding_sync/defaults/main.yml create mode 100644 roles/matrix_sliding_sync/meta/main.yml create mode 100644 roles/matrix_sliding_sync/tasks/main.yml create mode 100644 roles/matrix_sliding_sync/templates/docker-compose.yml diff --git a/playbooks/matrix_sliding_sync.yml b/playbooks/matrix_sliding_sync.yml new file mode 100644 index 0000000..effdb7a --- /dev/null +++ b/playbooks/matrix_sliding_sync.yml 
@@ -0,0 +1,27 @@ +--- +# Infrastructure +# Ansible instructions to deploy the infrastructure +# Copyright (C) 2023 Saibotk +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 3 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +- name: Install & configure Matrix Sliding Sync + hosts: matrix_sliding_sync + roles: + - docker + - docker_compose + - docker_cleanup + - traefik + - matrix_sliding_sync + environment: + PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages diff --git a/roles/matrix_delegate/defaults/main.yml b/roles/matrix_delegate/defaults/main.yml index 4804b64..531bb55 100644 --- a/roles/matrix_delegate/defaults/main.yml +++ b/roles/matrix_delegate/defaults/main.yml @@ -31,6 +31,10 @@ matrix_delegate_domain: example.com # The domain that the matrix homeserver is actually available under matrix_delegate_matrix_domain: matrix.example.com +# The sliding sync proxy url to advertise +matrix_delegate_sliding_sync_enabled: false +matrix_delegate_sliding_sync_url: "https://{{ matrix_synapse_domain }}/sliding-sync" + # Container versions # renovate: depName=docker.io/library/nginx matrix_delegate_nginx_version: "1.25" diff --git a/roles/matrix_delegate/templates/client-delegation.json b/roles/matrix_delegate/templates/client-delegation.json index d8e15b9..463d36b 100644 --- a/roles/matrix_delegate/templates/client-delegation.json +++ b/roles/matrix_delegate/templates/client-delegation.json 
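Review bot: `matrix_delegate_sliding_sync_url` is built from `matrix_synapse_domain`, a variable that belongs to another role, while the rest of this defaults file expresses the homeserver host as `matrix_delegate_matrix_domain`; on a delegate host that does not also carry the synapse variables the well-known template stops rendering as soon as `matrix_delegate_sliding_sync_enabled` is set to true. Unless the two hosts are meant to diverge, `matrix_delegate_sliding_sync_url: "https://{{ matrix_delegate_matrix_domain }}/sliding-sync"` keeps the role self-contained. The comment above the two new keys describes only the url; a one-line `# Whether to advertise a sliding sync proxy in the client well-known document` above the enabled flag would make the pair read more clearly.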
@@ -1,5 +1,9 @@ { "m.homeserver": { "base_url": "https://{{ matrix_delegate_matrix_domain }}" - } + }{% if matrix_delegate_sliding_sync_enabled %}, + "org.matrix.msc3575.proxy": { + "url": "{{ matrix_delegate_sliding_sync_url }}" + } +{% endif %} } diff --git a/roles/matrix_sliding_sync/README.md b/roles/matrix_sliding_sync/README.md new file mode 100644 index 0000000..1e0f568 --- /dev/null +++ b/roles/matrix_sliding_sync/README.md @@ -0,0 +1,31 @@ +# Matrix Sliding Sync + +This will setup a Matrix Sliding Sync instance using their official docker container and traefik as a reverse proxy. +Additionally, you may need to configure delegation, to do so take a look at the matrix_delegation role. + +## Requirements + +You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles. + +**This role assumes that you have setup traefik with an endpoint called `websecure`.** + +## Role Variables + +**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.** + +**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!** + +### Global variables, that are used: + +- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional) +- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional) + +## Dependencies + +- docker +- docker-compose +- traefik + +## License + +GPL-3.0-only diff --git a/roles/matrix_sliding_sync/defaults/main.yml b/roles/matrix_sliding_sync/defaults/main.yml new file mode 100644 index 0000000..84f7fe8 --- /dev/null +++ b/roles/matrix_sliding_sync/defaults/main.yml 
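Review bot: `matrix_delegate_sliding_sync_url` is spliced into the JSON as a raw string; because this file is served publicly as the client well-known document, a value containing a quote or backslash would yield invalid JSON that clients silently discard. Rendering it as `"url": {{ matrix_delegate_sliding_sync_url | to_json }}` produces a correctly escaped string literal, and the same treatment would suit the existing `base_url` line. The `}{% if ... %},` construction keeps the comma conditional correctly, but a Jinja comment such as `{# comma belongs to the optional proxy block #}` would save the next reader a moment.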
@@ -0,0 +1,54 @@
+---
+# Default variables for the matrix_sliding_sync role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
+# Copyright (C) 2023 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+# The install location
+matrix_sliding_sync_install_location: /srv/matrix_sliding_sync
+
+# The container data volume mount locations
+matrix_sliding_sync_data_location: "{{ matrix_sliding_sync_install_location }}/data"
+matrix_sliding_sync_database_location: "{{ matrix_sliding_sync_install_location }}/database"
+
+# The certresolver that is used by traefik for this domain
+matrix_sliding_sync_traefik_certresolver: letsencrypt_http
+
+# The domain that the sliding sync proxy is available under.
+# Note: This should be the same as the synapse domain, otherwise you will need
+# Custom dns entries etc.
+matrix_sliding_sync_domain: "{{ matrix_synapse_domain }}"
+
+# The database password to use
+matrix_sliding_sync_database_password: "{{ lookup('passwordstore', matrix_sliding_sync_synapse_domain + '/sliding-sync/db create=true length=42') }}"
+
+# A secret used to encrypt credentials in the DB
+matrix_sliding_sync_secret: "{{ lookup('passwordstore', matrix_sliding_sync_synapse_domain + '/sliding-sync/secret create=true length=42') }}"
+
+# Container versions
+# renovate: depName=ghcr.io/matrix-org/sliding-sync
+matrix_sliding_sync_version: "0.99.10"
+# renovate: depName=docker.io/library/postgres
+matrix_sliding_sync_database_version: "16.0"
+
+# Container tag definitions
+matrix_sliding_sync_image_version: "v{{ matrix_sliding_sync_version }}"
+matrix_sliding_sync_database_image_version: "{{ matrix_sliding_sync_database_version }}-alpine"
+
+# Enable or disable selinux handling
+matrix_sliding_sync_selinux_enabled: true
diff --git a/roles/matrix_sliding_sync/meta/main.yml b/roles/matrix_sliding_sync/meta/main.yml
new file mode 100644
index 0000000..648ba0e
--- /dev/null
+++ b/roles/matrix_sliding_sync/meta/main.yml
@@ -0,0 +1,45 @@
+galaxy_info:
+ author: saibotk
+ description: "Deploys a matrix sliding sync server via docker using traefik."
+ license: GPL-3.0-only
+ min_ansible_version: "2.9"
+ standalone: true
+
+ platforms:
+ - name: EL
+ versions:
+ - all
+ - name: GenericUNIX
+ versions:
+ - all
+ - name: Fedora
+ versions:
+ - all
+ - name: opensuse
+ versions:
+ - all
+ - name: GenericBSD
+ versions:
+ - all
+ - name: FreeBSD
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: SLES
+ versions:
+ - all
+ - name: GenericLinux
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+
+ galaxy_tags: []
+
+dependencies:
+ - role: docker
+ - role: docker_compose
+ - role: traefik
diff --git a/roles/matrix_sliding_sync/tasks/main.yml b/roles/matrix_sliding_sync/tasks/main.yml
new file mode 100644
index 0000000..bd191d7
--- /dev/null
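Review bot: Both passwordstore lookups reference `matrix_sliding_sync_synapse_domain`, which this defaults file never defines (the role's own domain variable is `matrix_sliding_sync_domain`), so evaluating `matrix_sliding_sync_database_password` or `matrix_sliding_sync_secret` fails with an undefined-variable error unless the inventory happens to set that name. Unless a separate knob is intended, change the two lookups to `lookup('passwordstore', matrix_sliding_sync_domain + '/sliding-sync/db create=true length=42')` and `lookup('passwordstore', matrix_sliding_sync_domain + '/sliding-sync/secret create=true length=42')`. `matrix_sliding_sync_domain` itself defaults to `matrix_synapse_domain`, a variable from another role, so hosts that only run this role must provide it; a short `# Requires matrix_synapse_domain to be set on the host` comment above it would document that dependency.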
+++ b/roles/matrix_sliding_sync/tasks/main.yml 
@@ -0,0 +1,77 @@
+---
+# Tasks file for the matrix_sliding_sync role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
+# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+- name: Update default SELinux contexts
+ community.general.sefcontext:
+ target: "{{ item }}(/.*)?"
+ setype: "container_file_t"
+ state: present
+ with_items:
+ - "{{ matrix_sliding_sync_database_location }}"
+ - "{{ matrix_sliding_sync_data_location }}"
+ when:
+ - matrix_sliding_sync_selinux_enabled
+ become: true
+
+- name: Create install directory
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ mode: "0700"
+ owner: "root"
+ group: "root"
+ with_items:
+ - "{{ matrix_sliding_sync_install_location }}"
+ become: true
+
+- name: Create data directory
+ ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own
+ path: "{{ item }}"
+ state: directory
+ setype: "container_file_t"
+ with_items:
+ - "{{ matrix_sliding_sync_database_location }}"
+ - "{{ matrix_sliding_sync_data_location }}"
+ become: true
+
+- name: Deploy docker-compose.yml
+ ansible.builtin.template:
+ src: "docker-compose.yml"
+ dest: "{{ matrix_sliding_sync_install_location }}/docker-compose.yml"
+ mode: "0600"
+ owner: "root"
+ group: "root"
+ validate: docker-compose -f %s config -q
+ tags:
+ - 
matrix_sliding_sync
+ become: true
+
+- name: Compose matrix_sliding_sync
+ community.docker.docker_compose:
+ state: present
+ project_src: "{{ matrix_sliding_sync_install_location }}"
+ pull: true
+ remove_orphans: true
+ tags:
+ - docker
+ - matrix_sliding_sync
+ become: true
diff --git a/roles/matrix_sliding_sync/templates/docker-compose.yml b/roles/matrix_sliding_sync/templates/docker-compose.yml
new file mode 100644
index 0000000..0486f23
--- /dev/null
+++ b/roles/matrix_sliding_sync/templates/docker-compose.yml
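Review bot: The `Create data directory` task sets `setype: "container_file_t"` unconditionally, while the `Update default SELinux contexts` task above it is gated on `matrix_sliding_sync_selinux_enabled`; when the flag is false the intent is presumably to skip SELinux handling entirely, so the two tasks should agree, e.g. `setype: "{{ 'container_file_t' if matrix_sliding_sync_selinux_enabled else omit }}"`. As a point of style, the new tasks use `with_items` where `loop:` is the current idiom; converting the three occurrences would be a small consistency win. Rendering the compose file with mode `0600` and owner root is the right choice given it embeds the database password and `SYNCV3_SECRET`.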
@@ -0,0 +1,97 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
+# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock
+# Copyright (C) 2021-2023 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+version: '2'
+services:
+ sliding_sync:
+ image: ghcr.io/matrix-org/sliding-sync:{{ matrix_sliding_sync_image_version }}
+ cpu_shares: 256
+ mem_limit: 512mb
+ memswap_limit: 756mb
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges
+ tmpfs:
+ - "/tmp:size=64M"
+ environment:
+ - "SYNCV3_DB=user=slidingsync password={{ matrix_sliding_sync_database_password }} host=database port=5432 dbname=slidingsync sslmode=disable"
+ - "SYNCV3_SERVER=https://{{ matrix_synapse_domain }}"
+ - "SYNCV3_SECRET={{ matrix_sliding_sync_secret }}"
+ - "SYNCV3_BINDADDR=:8008"
+ volumes:
+ - "{{ matrix_sliding_sync_data_location }}:/data"
+ depends_on:
+ - database
+ labels:
+ - "traefik.http.routers.matrix-sliding-sync.rule=Host(`{{ matrix_sliding_sync_domain }}`) && PathPrefix(`/sliding-sync`)"
+ - "traefik.http.routers.matrix-sliding-sync.entrypoints=websecure"
+ - "traefik.http.routers.matrix-sliding-sync.tls.certresolver={{ matrix_sliding_sync_traefik_certresolver }}"
+ - "traefik.http.routers.matrix-sliding-sync.middlewares=matrix-sliding-sync,matrix-sliding-sync-strip-prefix"
+ - "traefik.http.routers.matrix-sliding-sync.service=matrix-sliding-sync"
+ - 
"traefik.http.services.matrix-sliding-sync.loadbalancer.server.port=8008"
+ - "traefik.http.middlewares.matrix-sliding-sync-strip-prefix.stripprefix.prefixes=/sliding-sync"
+ - "traefik.http.middlewares.matrix-sliding-sync.headers.sslredirect=true"
+ - "traefik.http.middlewares.matrix-sliding-sync.headers.stsSeconds=63072000"
+ - "traefik.http.middlewares.matrix-sliding-sync.headers.referrerPolicy=no-referrer"
+
+ - "traefik.enable=true"
+{% if proxy_network is defined %}
+ - "traefik.docker.network={{ proxy_network }}"
+{% endif %}
+{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
+ - "traefik.http.middlewares.matrix-sliding-sync.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
+{% endif %}
+
+ networks:
+ database:
+{% if proxy_network is defined %}
+ {{ proxy_network }}:
+{% endif %}
+
+ database:
+ image: docker.io/library/postgres:{{ matrix_sliding_sync_database_image_version }}
+ mem_limit: 512mb
+ memswap_limit: 768mb
+ read_only: true
+ security_opt:
+ - no-new-privileges
+ tmpfs:
+ - /run/postgresql:size=512K
+ - /tmp:size=128K
+ stop_grace_period: 2m
+ stop_signal: SIGINT
+ environment:
+ - "POSTGRES_USER=slidingsync"
+ - "POSTGRES_PASSWORD={{ matrix_sliding_sync_database_password }}"
+ - "POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8"
+ volumes:
+ - "{{ matrix_sliding_sync_database_location }}:/var/lib/postgresql/data"
+ networks:
+ database:
+ restart: always
+
+networks:
+ database:
+ internal: true
+{% if proxy_network is defined %}
+ {{ proxy_network }}:
+ external: true
+{% endif %}
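Review bot: `memswap_limit: 756mb` on the `sliding_sync` service looks like a typo for `768mb`, the value the `database` service uses further down with the same `mem_limit: 512mb`; `memswap_limit: 768mb` would make the two services consistent. `SYNCV3_SERVER` is built from `matrix_synapse_domain` directly rather than from a role variable, so the homeserver URL cannot be overridden on a host where the proxy is not co-located with synapse; if that deployment shape is meant to be supported, a `matrix_sliding_sync_synapse_url` default (defaulting to `https://{{ matrix_synapse_domain }}`) in defaults/main.yml would keep the template decoupled. The hardening in the new file — read-only root filesystem, `no-new-privileges`, an `internal: true` database network, and `sslmode=disable` confined to that internal network — is otherwise sound.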