diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
deleted file mode 100644
index 7da30ba..0000000
--- a/playbooks/matrix.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2020 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-- name: Install & configure Matrix
- hosts: matrix
- roles:
- - docker
- - docker_cleanup
- - traefik
- - matrix
diff --git a/playbooks/matrix_delegate.yml b/playbooks/matrix_delegate.yml
deleted file mode 100644
index e5e6375..0000000
--- a/playbooks/matrix_delegate.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2021 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-- name: Install & configure Matrix Delegate
- hosts: matrix_delegate
- roles:
- - docker
- - docker_cleanup
- - traefik
- - matrix_delegate
diff --git a/playbooks/synapse.yml b/playbooks/synapse.yml new file mode 100644 index 0000000..40728bc --- /dev/null +++ b/playbooks/synapse.yml @@ -0,0 +1,17 @@ +- name: Install Synapse. + + hosts: synapse + + roles: + - role: podman + become: true + tags: + - always + - podman + - role: caddy + become: true + tags: + - always + - caddy + - role: synapse + become: true diff --git a/roles/matrix/README.md b/roles/matrix/README.md deleted file mode 100644 index 8013035..0000000 --- a/roles/matrix/README.md +++ /dev/null @@ -1,36 +0,0 @@ -Matrix -========= - -This will setup a Matrix (Synapse) instance using their official docker container and traefik as a reverse proxy. -Additionally, you may need to configure delegation, to do so take a look at the matrix_delegation role. - -Requirements ------------- - -You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles. - -**This role assumes that you have setup traefik with an endpoint called `websecure`.** - -Role Variables --------------- - -**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.** - -**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!** - -### Global variables, that are used: - -- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional) -- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional) - -Dependencies ------------- - -- docker -- docker-compose -- traefik - -License -------- - -GPL-3.0-only diff --git a/roles/matrix/defaults/main.yml b/roles/matrix/defaults/main.yml deleted file mode 100644 index a75f52e..0000000 
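Review bot: `- role: synapse` is the only role entry in the new playbook without `tags`, so a run restricted with `--tags` still executes podman and caddy (both tagged `always`) but skips the synapse role itself; adding `tags: [synapse]` under it, or `always` to match its siblings, keeps the play usable with tag selection. The new file also drops the `---` document start and the license header that the deleted `playbooks/matrix.yml` and `playbooks/matrix_delegate.yml` carried, which yamllint's document-start rule will flag. The blank lines between `name`, `hosts` and `roles` inside a single play do not appear in the deleted playbooks, so the new style is inconsistent with the rest of the repository.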
--- a/roles/matrix/defaults/main.yml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -# Default variables for the matrix role - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern -# Copyright (C) 2021 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -# The install location -matrix_install_location: /srv/matrix - -# The container data volume mount locations -matrix_data_location: "{{ matrix_install_location }}/data" -matrix_database_location: "{{ matrix_install_location }}/database" - -# The certresolver that is used by traefik for this domain -matrix_traefik_certresolver: letsencrypt_http - -# The domain that traefik will server synapse under -matrix_synapse_servername: matrix.example.com -matrix_synapse_domain: "{{ matrix_synapse_servername }}" - -# Additional synapse ENV options (keys will automatically be prefixed with SYNAPSE_) -# see https://github.com/matrix-org/synapse/tree/develop/docker#generating-a-configuration-file -# Note: Some keys are needed for generating the initial config file like "SYNAPSE_REPORT_STATS" and "SYNAPSE_SERVER_NAME"! 
-matrix_synapse_options: {} - -# The database password to use -matrix_database_password: "{{ lookup('passwordstore', matrix_synapse_domain + '/db create=true length=42') }}" - -# Container versions -# renovate: depName=docker.io/matrixdotorg/synapse -matrix_synapse_version: "1.118.0" -# renovate: depName=docker.io/library/postgres -matrix_database_version: "13.16" - -# Container tag definitions -matrix_synapse_image_version: "v{{ matrix_synapse_version }}" -matrix_database_image_version: "{{ matrix_database_version }}-alpine" - -# Enable or disable selinux handling -matrix_selinux_enabled: true diff --git a/roles/matrix/meta/main.yml b/roles/matrix/meta/main.yml deleted file mode 100644 index 1288fe3..0000000 --- a/roles/matrix/meta/main.yml +++ /dev/null @@ -1,44 +0,0 @@ -galaxy_info: - author: saibotk - description: "Deploys a matrix server via docker using traefik." - license: GPL-3.0-only - min_ansible_version: "2.9" - standalone: true - - platforms: - - name: EL - versions: - - all - - name: GenericUNIX - versions: - - all - - name: Fedora - versions: - - all - - name: opensuse - versions: - - all - - name: GenericBSD - versions: - - all - - name: FreeBSD - versions: - - all - - name: Ubuntu - versions: - - all - - name: SLES - versions: - - all - - name: GenericLinux - versions: - - all - - name: Debian - versions: - - all - - galaxy_tags: [] - -dependencies: - - role: docker - - role: traefik diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml deleted file mode 100644 index 16c6bc1..0000000 --- a/roles/matrix/tasks/main.yml +++ /dev/null 
@@ -1,98 +0,0 @@ ---- -# Tasks file for the matrix role - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern -# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock -# Copyright (C) 2020 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -- name: Update default SELinux contexts - community.general.sefcontext: - target: "{{ item }}(/.*)?" - setype: "container_file_t" - state: present - with_items: - - "{{ matrix_database_location }}" - - "{{ matrix_data_location }}" - when: - - matrix_selinux_enabled - become: true - -- name: Create install directory - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: "0700" - owner: "root" - group: "root" - with_items: - - "{{ matrix_install_location }}" - become: true - -- name: Create data directory - ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own - path: "{{ item }}" - state: directory - setype: "container_file_t" - with_items: - - "{{ matrix_database_location }}" - - "{{ matrix_data_location }}" - become: true - -- name: Deploy docker-compose.yml - ansible.builtin.template: - src: "docker-compose.yml" - dest: "{{ matrix_install_location }}/docker-compose.yml" - mode: "0600" - owner: "root" - group: "root" - validate: docker compose -f %s config -q - tags: - - matrix - become: true - -- name: Check if homeserver.yaml (config) exists - ansible.builtin.stat: - path: "{{ 
matrix_data_location }}/homeserver.yaml" - register: matrix_synapse_homeserver_yaml - tags: - - docker - - matrix - become: true - -- name: Generate synapse config - ansible.builtin.command: 'docker-compose run -e "SYNAPSE_SERVER_NAME={{ matrix_synapse_servername }}" synapse generate' - args: - chdir: "{{ matrix_install_location }}" - creates: "{{ matrix_data_location }}/homeserver.yaml" - tags: - - docker - - matrix - become: true - when: - - not matrix_synapse_homeserver_yaml.stat.exists - -- name: Compose matrix - community.docker.docker_compose_v2: - state: present - project_src: "{{ matrix_install_location }}" - pull: always - remove_orphans: true - tags: - - docker - - matrix - become: true diff --git a/roles/matrix/templates/docker-compose.yml b/roles/matrix/templates/docker-compose.yml deleted file mode 100644 index f7f4730..0000000 --- a/roles/matrix/templates/docker-compose.yml +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern -# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock -# Copyright (C) 2021 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -version: '2' -services: - synapse: - image: docker.io/matrixdotorg/synapse:{{ matrix_synapse_image_version }} - cpu_shares: 256 - mem_limit: 1280mb - memswap_limit: 1536mb - read_only: true - restart: always - dns: - - "1.1.1.1" - security_opt: - - no-new-privileges - tmpfs: - - "/tmp:size=64M" - - "/compiled:size=128K" - environment: -{% for key, value in matrix_synapse_options.items() %} - - "SYNAPSE_{{ key }}={{ value }}" -{% endfor %} - - - "POSTGRES_HOST=database" - - "POSTGRES_PASSWORD={{ matrix_database_password }}" - volumes: - - "{{ matrix_data_location }}:/data" - depends_on: - - database - labels: - - "traefik.http.routers.matrix.rule=Host(`{{ matrix_synapse_domain }}`) && PathPrefix(`/`)" - - "traefik.http.routers.matrix.entrypoints=websecure" - - "traefik.http.routers.matrix.tls.certresolver={{ matrix_traefik_certresolver }}" - - "traefik.http.routers.matrix.middlewares=matrix,compress" - - "traefik.http.routers.matrix.service=matrix" - - "traefik.http.services.matrix.loadbalancer.server.port=8008" - - "traefik.http.middlewares.matrix.headers.sslredirect=true" - - "traefik.http.middlewares.matrix.headers.stsSeconds=63072000" - - 
"traefik.http.middlewares.matrix.headers.referrerPolicy=no-referrer" - - - "traefik.enable=true" -{% if proxy_network is defined %} - - "traefik.docker.network={{ proxy_network }}" -{% endif %} -{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %} - - "traefik.http.middlewares.matrix.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000" -{% endif %} - - networks: - database: -{% if proxy_network is defined %} - {{ proxy_network }}: -{% endif %} - - database: - image: docker.io/library/postgres:{{ matrix_database_image_version }} - mem_limit: 512mb - memswap_limit: 768mb - read_only: true - security_opt: - - no-new-privileges - tmpfs: - - /run/postgresql:size=512K - - /tmp:size=128K - stop_grace_period: 2m - stop_signal: SIGINT - environment: - - "POSTGRES_USER=synapse" - - "POSTGRES_PASSWORD={{ matrix_database_password }}" - - "POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8" - volumes: - - "{{ matrix_database_location }}:/var/lib/postgresql/data" - networks: - database: - restart: always - -networks: - database: - internal: true -{% if proxy_network is defined %} - {{ proxy_network }}: - external: true -{% endif %} diff --git a/roles/matrix_delegate/README.md b/roles/matrix_delegate/README.md deleted file mode 100644 index c5e7a38..0000000 --- a/roles/matrix_delegate/README.md +++ /dev/null 
@@ -1,35 +0,0 @@ -Matrix_delegate -========= - -This will setup a small Matrix delegate nginx server using docker and traefik as a reverse proxy. - -Requirements ------------- - -You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles. - -**This role assumes that you have setup traefik with an endpoint called `websecure`.** - -Role Variables --------------- - -**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.** - -**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!** - -### Global variables, that are used: - -- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional) -- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional) - -Dependencies ------------- - -- docker -- docker-compose -- traefik - -License -------- - -GPL-3.0-only diff --git a/roles/matrix_delegate/defaults/main.yml b/roles/matrix_delegate/defaults/main.yml deleted file mode 100644 index d0b9833..0000000 --- a/roles/matrix_delegate/defaults/main.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -# Default variables for the matrix_delegate role - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2021 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -# The install location -matrix_delegate_install_location: /srv/matrix_delegate - -# The certresolver that is used by traefik for this domain -matrix_delegate_traefik_certresolver: letsencrypt_http - -# The domain that traefik will serve the delegate under -# NOTE: This should be the same as the servername (right side of user ids). -matrix_delegate_domain: example.com - -# The domain that the matrix homeserver is actually available under -matrix_delegate_matrix_domain: matrix.example.com - -# The sliding sync proxy url to advertise -matrix_delegate_sliding_sync_enabled: false -matrix_delegate_sliding_sync_url: "https://{{ matrix_synapse_domain }}/sliding-sync" - -# Container versions -# renovate: depName=docker.io/library/nginx -matrix_delegate_nginx_version: "1.27" - -# Container tag definitions -matrix_delegate_nginx_image_version: "{{ matrix_delegate_nginx_version }}-alpine" diff --git a/roles/matrix_delegate/handlers/main.yml b/roles/matrix_delegate/handlers/main.yml deleted file mode 100644 index b3ac906..0000000 --- a/roles/matrix_delegate/handlers/main.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -# Handlers file for the matrix_delegate role - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -- name: Restart matrix delegate nginx - community.docker.docker_compose_v2: - services: - - delegate - state: restarted - project_src: "{{ matrix_delegate_install_location }}" - tags: - - docker - - matrix - - delegate - become: true diff --git a/roles/matrix_delegate/meta/main.yml b/roles/matrix_delegate/meta/main.yml deleted file mode 100644 index 03e9e3d..0000000 --- a/roles/matrix_delegate/meta/main.yml +++ /dev/null @@ -1,44 +0,0 @@ -galaxy_info: - author: saibotk - description: "Deploys a matrix delegate server via docker using traefik." - license: GPL-3.0-only - min_ansible_version: "2.9" - standalone: true - - platforms: - - name: EL - versions: - - all - - name: GenericUNIX - versions: - - all - - name: Fedora - versions: - - all - - name: opensuse - versions: - - all - - name: GenericBSD - versions: - - all - - name: FreeBSD - versions: - - all - - name: Ubuntu - versions: - - all - - name: SLES - versions: - - all - - name: GenericLinux - versions: - - all - - name: Debian - versions: - - all - - galaxy_tags: [] - -dependencies: - - role: docker - - role: traefik diff --git a/roles/matrix_delegate/tasks/main.yml b/roles/matrix_delegate/tasks/main.yml deleted file mode 100644 index 6f4bf0b..0000000 
--- a/roles/matrix_delegate/tasks/main.yml +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -# Tasks file for the matrix_delegate role - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern -# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock -# Copyright (C) 2021 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -- name: Create install directory - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: "0700" - owner: "root" - group: "root" - with_items: - - "{{ matrix_delegate_install_location }}" - become: true - -- name: Deploy docker-compose.yml - ansible.builtin.template: - src: "docker-compose.yml" - dest: "{{ matrix_delegate_install_location }}/docker-compose.yml" - mode: "0600" - owner: "root" - group: "root" - validate: docker compose -f %s config -q - tags: - - matrix - - delegate - become: true - -- name: Deploy delegation config files - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ matrix_delegate_install_location }}/{{ item }}" - setype: "container_file_t" - mode: "0644" - owner: "root" - group: "root" - with_items: - - "server-delegation.json" - - "client-delegation.json" - tags: - - docker - - matrix - - delegate - become: true - -- name: Deploy nginx delegate config - ansible.builtin.template: - src: "delegate-nginx.conf" - dest: "{{ matrix_delegate_install_location }}/nginx.conf" - setype: "container_file_t" - mode: "0600" - owner: "root" - group: "root" - tags: - - docker - - matrix - - delegate 
- notify: Restart matrix delegate nginx - become: true - -- name: Compose matrix_delegate - community.docker.docker_compose_v2: - state: present - project_src: "{{ matrix_delegate_install_location }}" - pull: always - remove_orphans: true - tags: - - docker - - matrix - - delegate - become: true diff --git a/roles/matrix_delegate/templates/client-delegation.json b/roles/matrix_delegate/templates/client-delegation.json deleted file mode 100644 index 463d36b..0000000 --- a/roles/matrix_delegate/templates/client-delegation.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "m.homeserver": { - "base_url": "https://{{ matrix_delegate_matrix_domain }}" - }{% if matrix_delegate_sliding_sync_enabled %}, - "org.matrix.msc3575.proxy": { - "url": "{{ matrix_delegate_sliding_sync_url }}" - } -{% endif %} -} diff --git a/roles/matrix_delegate/templates/delegate-nginx.conf b/roles/matrix_delegate/templates/delegate-nginx.conf deleted file mode 100644 index bdcc2dd..0000000 --- a/roles/matrix_delegate/templates/delegate-nginx.conf +++ /dev/null 
@@ -1,74 +0,0 @@ -{{ ansible_managed | comment }} - -# From https://git.shivering-isles.com/w4tsn/infrastructure/-/blob/2d8d03a025b833e11533fa8610cc77cff7a59bb9/roles/matrix/templates/delegate-nginx.conf.j2 - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock -# Copyright (C) 2020 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -worker_processes 1; - -error_log stderr; - -pid /tmp/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - access_log off; - - # Turn off the bloody buffering to temp files - proxy_buffering off; - - sendfile on; - keepalive_timeout 120; - - gzip on; - gzip_types text/plain application/json; - - server_names_hash_bucket_size 128; - - # These two should be the same or nginx will start writing - # large request bodies to temp files - client_body_buffer_size 10m; - client_max_body_size 10m; - - server { - listen 80; - server_name localhost; - server_tokens off; - set_real_ip_from 10.0.0.0/8; - set_real_ip_from 172.16.0.0/12; - - location /.well-known/matrix { - root /usr/share/nginx/html; - {# - A somewhat long expires value is used to prevent outages - in case this is unreachable due to network failure or - due to the base domain's server completely dying. - #} - expires 4h; - default_type application/json; - add_header Access-Control-Allow-Origin *; - } - } -} 
diff --git a/roles/matrix_delegate/templates/docker-compose.yml b/roles/matrix_delegate/templates/docker-compose.yml deleted file mode 100644 index d485feb..0000000 --- a/roles/matrix_delegate/templates/docker-compose.yml +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern -# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock -# Copyright (C) 2021 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -version: '2' -services: - delegate: - image: docker.io/library/nginx:{{ matrix_delegate_nginx_image_version }} - mem_limit: 256mb - memswap_limit: 512mb - read_only: true - tmpfs: - - "/var/cache/nginx:size=10M" - - "/run/nginx:size=512K" - - "/tmp:size=128K" - security_opt: - - no-new-privileges - volumes: - - "{{ matrix_delegate_install_location }}/server-delegation.json:/usr/share/nginx/html/.well-known/matrix/server:ro" - - "{{ matrix_delegate_install_location }}/client-delegation.json:/usr/share/nginx/html/.well-known/matrix/client:ro" - - "{{ matrix_delegate_install_location }}/nginx.conf:/etc/nginx/nginx.conf:ro" - labels: - - "traefik.enable=true" - - - "traefik.http.routers.matrix-delegate.rule=Host(`{{ matrix_delegate_domain }}`) && PathPrefix(`/.well-known/matrix`)" - - "traefik.http.routers.matrix-delegate.entrypoints=websecure" - - "traefik.http.routers.matrix-delegate.tls.certresolver={{ matrix_delegate_traefik_certresolver }}" - - "traefik.http.routers.matrix-delegate.middlewares=matrix-delegate,compress" - - "traefik.http.middlewares.matrix-delegate.headers.sslredirect=true" - - "traefik.http.middlewares.matrix-delegate.headers.stsSeconds=63072000" - - 
"traefik.http.middlewares.matrix-delegate.headers.referrerPolicy=no-referrer" - -{% if proxy_network is defined %} - - "traefik.docker.network={{ proxy_network }}" -{% endif %} -{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %} - - "traefik.http.middlewares.matrix-delegate.headers.customresponseheaders.alt-svc:h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000" -{% endif %} - restart: always -{% if proxy_network is defined %} - networks: - {{ proxy_network }}: -{% endif %} - -{% if proxy_network is defined %} -networks: - {{ proxy_network }}: - external: true -{% endif %} diff --git a/roles/matrix_delegate/templates/server-delegation.json b/roles/matrix_delegate/templates/server-delegation.json deleted file mode 100644 index 5c38d85..0000000 --- a/roles/matrix_delegate/templates/server-delegation.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "m.server": "{{ matrix_delegate_matrix_domain }}:443" -} diff --git a/roles/synapse/defaults/main.yml b/roles/synapse/defaults/main.yml new file mode 100644 index 0000000..f34c2ed --- /dev/null +++ b/roles/synapse/defaults/main.yml 
@@ -0,0 +1,38 @@
+synapse_install_dir: "/opt/synapse"
+
+# The domain that users should be identified with, can be different than the server domain
+synapse_domain: matrix.example.com
+# The actual synapse domain
+synapse_server_domain: matrix.example.com
+
+synapse_containerimage: ghcr.io/element-hq/synapse
+# renovate: depName=ghcr.io/element-hq/synapse
+synapse_image_tag: "v1.122.0"
+
+synapse_postgres_containerimage: docker.io/library/postgres
+# renovate: depName=docker.io/library/postgres
+synapse_postgres_image_tag: "17.2-alpine"
+
+synapse_selinux_level: "{{ omit }}"
+synapse_postgres_selinux_level: "{{ omit }}"
+
+synapse_memory_low: 512m
+synapse_memory_high: 0
+synapse_swap_max: -1
+
+synapse_postgres_memory_low: 128m
+synapse_postgres_memory_high: 0
+synapse_postgres_swap_max: -1
+
+synapse_postgres_database_password: "{{ lookup('passwordstore', 'synapse.example.com/postgres/synapse_password' + ' create=true length=64') }}"
+
+# These are only needed for the inital run to setup the synapse database and user. On subsequent runs you can remove these.
+synapse_postgres_environment_vars:
+ POSTGRES_DB: "synapse"
+ POSTGRES_USER: "synapse"
+ POSTGRES_PASSWORD: "{{ synapse_postgres_database_password }}"
+ POSTGRES_INITDB_ARGS: "--lc-collate C --lc-ctype C --encoding UTF8"
+
+synapse_environment_vars:
+ SERVER_NAME: "{{ synapse_domain }}" # This can be different e.g. example.com with delegation
+ REPORT_STATS: 'no'
diff --git a/roles/synapse/handlers/main.yml b/roles/synapse/handlers/main.yml
new file mode 100644
index 0000000..f74ddf3
--- /dev/null
+++ b/roles/synapse/handlers/main.yml
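Review bot: The `synapse_postgres_database_password` default hardcodes the pass entry `synapse.example.com/postgres/synapse_password` instead of deriving it from `synapse_server_domain`, whereas the removed role built the path from `matrix_synapse_domain`; combined with `create=true`, a deployer who overrides only the domain variables silently gets a password generated under the example.com entry rather than an error. Consider `synapse_postgres_database_password: "{{ lookup('passwordstore', synapse_server_domain + '/postgres/synapse_password create=true length=64') }}"`. `synapse_memory_high: 0` and `synapse_swap_max: -1` (and their postgres twins) read as sentinel values whose meaning presumably comes from the container templates, which are not in this hunk; a one-line comment stating what 0 and -1 map to, if that is indeed how the templates treat them, would save the next reader a lookup. The comment above `synapse_postgres_environment_vars` has a typo, `inital` → `initial`.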
@@ -0,0 +1,24 @@
+- name: Apply new SELinux file context to filesystem.
+ ansible.builtin.command: "restorecon -irF {{ synapse_install_dir }}"
+ become: true
+ listen: "synapse selinux context changed"
+
+- name: Restart synapse service.
+ ansible.builtin.systemd:
+ state: restarted
+ name: synapse.service
+ daemon_reload: true
+ become: true
+ listen:
+ - "synapse service changed"
+ - "synapse selinux context changed"
+
+- name: Restart synapse-postgres service.
+ ansible.builtin.systemd:
+ state: restarted
+ name: synapse-postgres.service
+ daemon_reload: true
+ become: true
+ listen:
+ - "synapse postgres service changed"
+ - "synapse selinux context changed"
diff --git a/roles/synapse/meta/main.yml b/roles/synapse/meta/main.yml
new file mode 100644
index 0000000..06c31d0
--- /dev/null
+++ b/roles/synapse/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+ author: saibotk
+ description: Deploy synapse with podman and systemd.
+
+ issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues
+
+ license: GPL-3.0-only
+
+ min_ansible_version: "2.10"
+
+ platforms:
+ - name: Fedora
+ versions:
+ - "41"
+
+ standalone: true
+
+ galaxy_tags: []
+
+dependencies: []
diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
new file mode 100644
index 0000000..333a086
--- /dev/null
+++ b/roles/synapse/tasks/main.yml
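Review bot: The `restorecon` handler depends on its position in this file: all three handlers listen on `synapse selinux context changed`, and Ansible runs notified handlers in definition order, so the relabel only happens before the two restarts because it is written first. A comment above it such as `# Keep this handler first: handlers run in definition order and the restarts below expect the relabel to be done` would protect that ordering from a future reorder. The command is also passed as one string, so a `synapse_install_dir` containing whitespace would be word-split; `ansible.builtin.command:` with `argv: ["restorecon", "-irF", "{{ synapse_install_dir }}"]` avoids that.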
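Review bot: `dependencies: []` is declared although `roles/synapse/tasks/main.yml` in this commit reads `caddy_install_dir` and `caddy_selinux_level` and notifies `caddy config changed`, none of which this role defines, so the role only works when the caddy role (and the podman role the description mentions) has been listed earlier in the same play, as `playbooks/synapse.yml` does. If running caddy as a true role dependency is not wanted, the implicit requirement should at least be written down here, e.g. `# Relies on the caddy and podman roles having run earlier in the same play (see playbooks/synapse.yml); not declared as dependencies to avoid re-running them.` above `dependencies: []`. The `platforms` list naming only Fedora 41 is presumably why the SELinux tasks run unguarded; stating that intent in the description would help.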
@@ -0,0 +1,140 @@
+- name: Update default SELinux contexts
+ community.general.sefcontext:
+ target: "{{ item.target }}"
+ setype: "container_file_t"
+ selevel: "{{ item.selevel }}"
+ state: present
+ loop:
+ - target: "{{ synapse_install_dir }}/data(/.*)?"
+ selevel: "{{ synapse_selinux_level }}"
+ - target: "{{ synapse_install_dir }}/postgres(/.*)?"
+ selevel: "{{ synapse_postgres_selinux_level }}"
+ become: true
+ notify: "synapse selinux context changed"
+
+- name: Create synapse directories.
+ ansible.builtin.file:
+ path: "{{ synapse_install_dir }}"
+ owner: "root"
+ group: "root"
+ mode: "0700"
+ state: directory
+ become: true
+
+- name: Ensure synapse data directories exist.
+ block:
+ - name: Stat synapse data dir.
+ ansible.builtin.stat:
+ path: "{{ synapse_install_dir }}/data"
+ become: true
+ register: synapse_stat_data_dir
+
+ - name: Stat synapse postgres dir.
+ ansible.builtin.stat:
+ path: "{{ synapse_install_dir }}/postgres"
+ become: true
+ register: synapse_stat_postgres_dir
+
+ - name: Create synapse data directories.
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: "0700"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ loop:
+ - path: "{{ synapse_install_dir }}/data"
+ owner: "{{ synapse_stat_data_dir.stat.uid | default('root') }}"
+ group: "{{ synapse_stat_data_dir.stat.gid | default('root') }}"
+ - path: "{{ synapse_install_dir }}/postgres"
+ owner: "{{ synapse_stat_postgres_dir.stat.uid | default('root') }}"
+ group: "{{ synapse_stat_postgres_dir.stat.gid | default('root') }}"
+ become: true
+
+- name: Deploy synapse environment file.
+ ansible.builtin.template:
+ src: synapse.env.j2
+ dest: "{{ synapse_install_dir }}/synapse.env"
+ mode: "0600"
+ owner: "root"
+ group: "root"
+ become: true
+ notify:
+ - "synapse service changed"
+
+- name: Deploy postgres environment file.
+ ansible.builtin.template:
+ src: synapse-postgres.env.j2
+ dest: "{{ synapse_install_dir }}/synapse-postgres.env"
+ mode: "0600"
+ owner: "root"
+ group: "root"
+ become: true
+ notify:
+ - "synapse postgres service changed"
+
+- name: Add caddy config file.
+ block:
+ - name: Check caddy config dir.
+ ansible.builtin.stat:
+ path: "{{ caddy_install_dir }}/config"
+ become: true
+ register: caddy_stat_config_dir
+
+ - name: Template caddy config for synapse.
+ ansible.builtin.template:
+ src: synapse.caddy.j2
+ dest: "{{ caddy_install_dir }}/config/synapse.caddy"
+ mode: "0600"
+ setype: "container_file_t"
+ selevel: "{{ caddy_selinux_level }}"
+ owner: "{{ caddy_stat_config_dir.stat.uid }}"
+ group: "{{ caddy_stat_config_dir.stat.gid }}"
+ notify: "caddy config changed"
+ become: true
+
+- name: Create synapse postgres socket volume.
+ ansible.builtin.template:
+ src: synapse-postgres-socket.volume
+ dest: /etc/containers/systemd/synapse-postgres-socket.volume
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ become: true
+ notify:
+ - "synapse service changed"
+ - "synapse postgres service changed"
+
+- name: Create synapse container file.
+ ansible.builtin.template:
+ src: synapse.container.j2
+ dest: /etc/containers/systemd/synapse.container
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ become: true
+ notify: "synapse service changed"
+
+- name: Create synapse postgres container file.
+ ansible.builtin.template:
+ src: synapse-postgres.container.j2
+ dest: /etc/containers/systemd/synapse-postgres.container
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ become: true
+ notify: "synapse postgres service changed"
+
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- name: Ensure synapse services are started and enabled.
+ ansible.builtin.systemd:
+ state: started
+ enabled: true
+ name: "{{ item }}"
+ daemon_reload: true
+ loop:
+ - synapse.service
+ - synapse-postgres.service
+ become: true
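Review bot: The `Ensure synapse data directories exist.` block re-applies whatever owner the directories currently have and only falls back to root, but nothing says why; since both quadlets mount these paths with the `:U` option under `UserNS = auto`, podman presumably chowns them to the mapped UID on first start and this task must not reset that to root, so a comment above the block such as `# Keep the owner podman assigned through the :U volume option (UserNS=auto); root only on first creation.` would make the intent explicit. The same pattern in `Template caddy config for synapse.` uses `caddy_stat_config_dir.stat.uid` without a default, so a missing `{{ caddy_install_dir }}/config` fails with an undefined-attribute error rather than a clear message; either add `| default('root')` for consistency with the block above or assert on `caddy_stat_config_dir.stat.exists` first. `Update default SELinux contexts` also runs unconditionally through `community.general.sefcontext`, which needs the SELinux python bindings on the target; that matches the Fedora-only platform list in meta, but a `when: ansible_selinux.status == 'enabled'` guard would keep the role usable on hosts without SELinux.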
diff --git a/roles/synapse/templates/synapse-postgres-socket.volume b/roles/synapse/templates/synapse-postgres-socket.volume
new file mode 100644
index 0000000..8c9ba5d
--- /dev/null
+++ b/roles/synapse/templates/synapse-postgres-socket.volume
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+[Volume]
+
+VolumeName = synapse-postgres-socket
diff --git a/roles/synapse/templates/synapse-postgres.container.j2 b/roles/synapse/templates/synapse-postgres.container.j2
new file mode 100644
index 0000000..c7f07f4
--- /dev/null
+++ b/roles/synapse/templates/synapse-postgres.container.j2
@@ -0,0 +1,39 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description = Postgres for synapse
+
+[Service]
+Restart = always
+RestartSec = 5s
+
+[Container]
+Image = {{ synapse_postgres_containerimage }}:{{ synapse_postgres_image_tag }}
+ContainerName = synapse-postgres
+
+# AutoUpdate = registry
+LogDriver = journald
+
+# NoNewPrivileges = true
+ReadOnly = true
+DropCapability = all
+AddCapability = CHOWN DAC_OVERRIDE SETUID SETGID
+UserNS = auto:size=65535
+{% if synapse_postgres_selinux_level != omit %}
+SecurityLabelLevel = {{ synapse_postgres_selinux_level }}
+{% endif %}
+
+EnvironmentFile = {{ synapse_install_dir }}/synapse-postgres.env
+
+Volume = synapse-postgres-socket:/var/run/postgresql:U,z
+Volume = {{ synapse_install_dir }}/postgres:/var/lib/postgresql/data:U
+Tmpfs = /tmp:rw,noexec,nosuid,nodev,size=1m
+
+PodmanArgs = --memory={{ synapse_postgres_memory_high }}
+PodmanArgs = --memory-swap={{ synapse_postgres_swap_max }}
+PodmanArgs = --memory-reservation={{ synapse_postgres_memory_low }}
+
+PodmanArgs = --stop-signal=SIGINT
+
+[Install]
+WantedBy = default.target
diff --git a/roles/synapse/templates/synapse-postgres.env.j2 b/roles/synapse/templates/synapse-postgres.env.j2
new file mode 100644
index 0000000..52e5e7b
--- /dev/null
+++ b/roles/synapse/templates/synapse-postgres.env.j2
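Review bot: The postgres quadlet sets no `Network=`, so the container lands on podman's default network with outbound access although nothing in this role reaches it over IP — the unit publishes no ports and the synapse unit mounts the `synapse-postgres-socket` volume instead — so `Network = none` would remove that surface entirely (confirm that the Synapse database config really uses the socket; its homeserver.yaml is not part of this change). `NoNewPrivileges = true` is commented out here while the synapse unit enables it; if the reason is that the image's entrypoint drops from root to the postgres user, note that no_new_privs only blocks privilege gains across execve (setuid bits, file capabilities) and does not stop a process holding CAP_SETUID/CAP_SETGID from calling setuid(), so it can most likely be re-enabled — worth a test, and either way a comment explaining why it is off. The data volume is mounted with `:U` only, so its label depends on the `sefcontext` rule in tasks/main.yml having been applied before the first start; a short comment on that coupling next to the `Volume =` line would help.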
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment}}
+
+{% if synapse_postgres_environment_vars is mapping %}
+{% for key, value in synapse_postgres_environment_vars.items() %}
+{{ key }}={{ value }}
+{% endfor %}
+{% endif %}
diff --git a/roles/synapse/templates/synapse.caddy.j2 b/roles/synapse/templates/synapse.caddy.j2
new file mode 100644
index 0000000..112188a
--- /dev/null
+++ b/roles/synapse/templates/synapse.caddy.j2
@@ -0,0 +1,63 @@
+{{ ansible_managed | comment }}
+
+{{ synapse_server_domain }} {
+ encode gzip
+
+ header {
+ # enable HSTS
+ Strict-Transport-Security "max-age=31536000; preload;"
+
+ # disable clients from sniffing the media type
+ X-Content-Type-Options nosniff
+
+ # clickjacking protection
+ X-Frame-Options DENY
+
+ # keep referrer data off of HTTP connections
+ Referrer-Policy no-referrer-when-downgrade
+
+ # Server name removing
+ -Server
+ }
+
+ reverse_proxy synapse:8008
+}
+
+{{ synapse_domain }} {
+ encode gzip
+
+ header {
+ # enable HSTS
+ Strict-Transport-Security "max-age=31536000; preload;"
+
+ # disable clients from sniffing the media type
+ X-Content-Type-Options nosniff
+
+ # clickjacking protection
+ X-Frame-Options DENY
+
+ # keep referrer data off of HTTP connections
+ Referrer-Policy no-referrer-when-downgrade
+
+ # Server name removing
+ -Server
+ }
+
+ ## matrix client/server delegation
+ handle_path /.well-known/matrix/* {
+
+ header Access-Control-Allow-Origin *
+
+ ## `Content-Type: application/json` isn't required by the matrix spec
+ ## but some browsers (firefox) and some other tooling might preview json
+ ## content prettier when they are made aware via Content-Type
+ header Content-Type application/json
+
+ respond /client `{ "m.homeserver": { "base_url": "https://{{ synapse_server_domain }}" } }`
+
+ respond /server `{ "m.server": "{{ synapse_server_domain }}:443" }`
+
+ ## return http/404 if nothing matches
+ respond 404
+ }
+}
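Review bot: With the role defaults both `synapse_domain` and `synapse_server_domain` are `matrix.example.com`, and this template then emits two site blocks for the same address, which Caddy rejects as an ambiguous site definition rather than merging (as far as I recall); the second block should be wrapped in `{% if synapse_domain != synapse_server_domain %}` … `{% endif %}`, or the `.well-known` handler moved into the first block when the names coincide. The HSTS value `"max-age=31536000; preload;"` carries a stray trailing semicolon and requests preload without `includeSubDomains`, which the preload list requires; use `"max-age=31536000; includeSubDomains; preload"` if every subdomain is HTTPS, otherwise drop `preload`. `Referrer-Policy no-referrer-when-downgrade` is the weakest of the modern policies; `strict-origin-when-cross-origin` is the usual default today and costs nothing for an API host.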
diff --git a/roles/synapse/templates/synapse.container.j2 b/roles/synapse/templates/synapse.container.j2
new file mode 100644
index 0000000..4aa1e26
--- /dev/null
+++ b/roles/synapse/templates/synapse.container.j2
@@ -0,0 +1,44 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description = Synapse Server
+Requires = synapse-postgres.service
+After = synapse-postgres.service
+
+[Service]
+Restart = always
+RestartSec = 5s
+
+[Container]
+Image = {{ synapse_containerimage }}:{{ synapse_image_tag }}
+ContainerName = synapse
+
+# AutoUpdate = registry
+LogDriver = journald
+
+User = 991
+
+ReadOnly = true
+NoNewPrivileges = true
+DropCapability = all
+UserNS = auto:size=65535
+{% if synapse_selinux_level != omit %}
+SecurityLabelLevel = {{ synapse_selinux_level }}
+{% endif %}
+
+Network = caddy.network
+
+Tmpfs = /tmp:rw,noexec,nosuid,nodev,size=64M
+Tmpfs = /compiled:rw,noexec,nosuid,nodev,size=128K
+
+EnvironmentFile = {{ synapse_install_dir }}/synapse.env
+
+Volume = {{ synapse_install_dir }}/data:/data:U
+Volume = synapse-postgres-socket:/var/run/postgresql:z
+
+PodmanArgs = --memory={{ synapse_memory_high }}
+PodmanArgs = --memory-swap={{ synapse_swap_max }}
+PodmanArgs = --memory-reservation={{ synapse_memory_low }}
+
+[Install]
+WantedBy = default.target
diff --git a/roles/synapse/templates/synapse.env.j2 b/roles/synapse/templates/synapse.env.j2
new file mode 100644
index 0000000..a6debc0
--- /dev/null
+++ b/roles/synapse/templates/synapse.env.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment}}
+
+{% if synapse_environment_vars is mapping %}
+{% for key, value in synapse_environment_vars.items() %}
+{{ key }}={{ value }}
+{% endfor %}
+{% endif %}
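Review bot: `User = 991` and the 128K `/compiled` tmpfs are undocumented magic in the synapse quadlet; 991 is presumably the UID the upstream image runs Synapse as and `/compiled` the path its entrypoint writes the generated homeserver config to (neither is visible in this change), so a comment on each, e.g. `# UID the element-hq/synapse image runs as; /data is chowned to it by the :U volume option`, would spare the next reader a trip to the Dockerfile. With `UserNS = auto:size=65535` on both units the two containers get disjoint UID ranges, so access to the shared socket volume rests on the socket's own mode (PostgreSQL creates it world-accessible by default) rather than on matching owners; if that is relied upon it deserves a comment next to the `Volume = synapse-postgres-socket` line. The synapse.env.j2 hunk on this line is a plain key=value template and needs nothing.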