Merge branch '__matrix_synapse' into 'master'

__matrix_synapse types

See merge request ungleich-public/cdist-contrib!9

type/__matrix_synapse/files/log.config.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+
+cat << EOF
+###############################################################
+# THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND. #
+###############################################################
+
+
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md
+#
+version: 1
+
+formatters:
+  precise:
+   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+
+filters:
+  context:
+    (): synapse.util.logcontext.LoggingContextFilter
+    request: ""
+
+handlers:
+  file:
+    class: logging.handlers.TimedRotatingFileHandler
+    formatter: precise
+    filename: ${LOG_DIR:?}/homeserver.log
+    when: midnight
+    backupCount: 3  # Does not include the current log file.
+    filters: [context]
+    encoding: utf8
+  # Default to buffering writes to log file for efficiency. This means that
+  # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
+  # logs will still be flushed immediately.
+  buffer:
+    class: logging.handlers.MemoryHandler
+    target: file
+    # The capacity is the number of log lines that are buffered before
+    # being written to disk. Increasing this will lead to better
+    # performance, at the expensive of it taking longer for log lines to
+    # be written to disk.
+    capacity: 10
+    flushLevel: 30  # Flush for WARNING logs as well
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+    level: WARN
+
+loggers:
+  synapse:
+    level: INFO
+  synapse.storage.SQL:
+    # beware: increasing this to DEBUG will make synapse log sensitive
+    # information such as access tokens.
+    level: INFO
+  twisted:
+    level: INFO
+
+root:
+  level: INFO
+  handlers: [buffer, console]
+EOF

type/__matrix_synapse/gencode-remote

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+os=$(cat "$__global/explorer/os")
+init=$(cat "$__global/explorer/init")
+
+case "$os" in
+	alpine)
+		synapse_conf_dir=/etc/synapse
+		synapse_service=synapse
+		;;
+	debian)
+		synapse_conf_dir=/etc/matrix-synapse
+		synapse_service=matrix-synapse
+		;;
+	*)
+		echo "Unknown OS $os." >&2
+		exit 1
+	;;
+esac
+
+if grep -qE "^__file$synapse_conf_dir" "${__messages_in}"; then
+	case "$init" in
+		systemd)
+			echo "systemctl restart $synapse_service"
+			;;
+		initd)
+			echo "service --ifstopped $synapse_service start"
+			echo "service --ifstarted $synapse_service restart"
+			;;
+		*)
+			echo "Unknown init $init." >&2
+			exit 1
+			;;
+	esac
+fi

type/__matrix_synapse/man.rst

@@ -0,0 +1,330 @@
+cdist-type__matrix_synapse(7)
+======================
+
+NAME
+----
+cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
+
+
+DESCRIPTION
+-----------
+This type install and configure the Synapse Matrix homeserver. This is a
+signleton type.
+
+
+REQUIRED PARAMETERS
+-------------------
+server-name
+  Name of your homeserver (e.g. ungleich.ch) used as part of your MXIDs. This
+  value cannot be changed later on.
+
+base-url
+  Public URL of your homeserver (e.g. `<http://matrix.ungleich.ch>`_).
+
+database-engine
+  'sqlite3' or 'psycopg2' (= Postgresql).
+
+database-name
+  Path to database file if SQLite3 is used or database name if PostgresSQL is
+  used.
+
+OPTIONAL PARAMETERS
+-------------------
+database-host
+  Database node address, only used with PostgresSQL.
+
+database-user
+  Database user, only used with PostgresSQL.
+
+database-password
+  Database password, only used with PostgresSQL.
+
+database-connection-pool-min
+  The minimum number of connections in pool, defaults to 3.
+
+database-connection-pool-max
+  The maximum number of connections in pool, defaults to 5.
+
+ldap-uri
+  Address of your LDAP server.
+
+ldap-base-dn
+  Base DN of your LDAP tree.
+
+ldap-uid-attribute
+  LDAP attriute mapping to Synapse's uid field, default to uid.
+
+ldap-mail-attribute
+  LDAP attriute mapping to Synapse's mail field, default to mail.
+
+ldap-name-attribute
+  LDAP attriute mapping to Synapse's name field, default to givenName.
+
+ldap-bind-dn
+  User used to authenticate against your LDAP server in 'search' mode.
+
+ldap-bind-password
+  Password used to authenticate against your LDAP server in 'search' mode.
+
+ldap-filter
+  LDAP user filter, defaulting to `(objectClass=posixAccount)`.
+
+tls-cert
+  Path to PEM-encoded X509 TLS certificate. Not needed if TLS termination is
+  handled by a reverse Proxy such as NGINX.
+
+tls-private-key
+  Path to PEM-encoded TLS private key. Not needed if TLS termination is
+  handled by a reverse Proxy such as NGINX.
+
+smtp-host
+  The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
+
+smtp-port
+  # The port on the mail server for outgoing SMTP. Defaults to 25.
+
+smtp-user
+  Username for authentication to the SMTP server. By
+  default, no authentication is attempted.
+
+smtp-password
+  Password for authentication to the SMTP server. By
+  default, no authentication is attempted.
+
+notification-from
+  From address to use when sending emails. Defaults
+  to "%(app)s <no-reply@$SERVER_NAME>".
+
+message-max-lifetime
+  Default retention policy. If set, Synapse will apply it to rooms that lack
+  the 'm.room.retention' state event. Ignored if
+  enable-message-retention-policy is not set. Defaults to 1y.
+
+web-client-url
+  Custom URL for client links within the email
+  notifications. By default links will be based on
+  "https://matrix.to".
+
+global-cache-factor
+  Controls the global cache factor, which is the default cache factor for all
+  caches if a specific factor for that cache is not otherwise set. Defaults to
+  0.5, which will half the size of all caches.
+
+event-cache-size
+  The number of events to cache in memory. Not affected by
+  caches.global_factor. Defaults to 10K.
+
+remote-room-complexity-threshold
+  The limit above which rooms cannot be joined when
+  limit-remote-room-complexity is set. Room complexity is an arbitrary measure
+  based on factors such as the number of users in the room. The default is 1.0.
+
+room-encrypt-policy
+  Controls whether locally-created rooms should be end-to-end encrypted by
+  default. Possible options are "all" (any locally-created room), "invite"
+  (any room created with the private_chat or trusted_private_chat room
+  creation presets , and "off" (this option will take no effect). Defaults to
+  "off".
+
+turn-uri
+  URI to TURN server, can be provided multiple times if there is more than one
+  server.
+
+turn-shared-secret
+  Shared secret used to access the TURN REST API.
+
+turn-user-lifetime
+  Lifetime of TURN credentials. Defaults to 1h.
+
+max-upload-size
+  Maximum size for user-uploaded files. Defaults to 10M.
+
+rc-message-per-second
+  Message rate-limiting (per second). Defaults to 0.17.
+
+rc-message-burst
+  Message rate-limiting (burst). Defaults to 3.
+
+rc-login-per-second
+  Login rate-limiting (per-second). Defaults to 0.17.
+
+rc-login-burst
+  Login rate-limiting (burst). Defaults to 3.
+
+registration-allows-email-pattern
+    Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
+
+auto-join-room
+  Room where newly-registered users are automatically added. Can be specified multiple times.
+
+app-service-config-file
+  Path (on remote) of an application service configuration file to load. Can be specified multiple times.
+
+worker-replication-secret
+  A shared secret used by the replication APIs to authenticate HTTP requests
+  from workers. Ignored if worker-mode is not set. By default this is unused and
+  traffic is not authenticated.
+
+background-tasks-worker
+  The worker that is used to run background tasks (e.g. cleaning up expired
+  data). If not provided this defaults to the main process.
+
+outbound-federation-worker
+  Worker to be used for sending federation requests. Can be specified multiple
+  times. Disables sending outbound federation requests from the master process.
+
+registration-shared-secret
+  If set, allows registration of standard or admin accounts by anyone who
+  has the shared secret, even if registration is otherwise disabled.
+
+bind-address
+  Address used to bind the synapse listeners. Can be specified multiple times.
+  Defaults to '::1' and '127.0.0.1'.
+
+extra-setting
+  Arbitrary string to be added to the configuration file. Can be specified multiple times.
+
+BOOLEAN PARAMETERS
+------------------
+enable-registrations
+  Enables user registration on the homeserver.
+
+enable-ldap-auth
+  Enables ldap-backed authentication.
+
+ldap-use-starttls
+  Use STARTTLS when connection to the LDAP server.
+
+report-stats
+  Whether or not to report anonymized homeserver usage statistics.
+
+expose-metrics
+  Expose metrics endpoint for Prometheus.
+
+enable-notifications
+  Enable mail notifications (see smtp-* optinal parameters).
+
+smtp-use-starttls
+  Use STARTTLS when connection to the SMTP server.
+
+disable-federation
+  Disable federation to the broader matrix network.
+
+registration-require-email
+  Make email a required field on registration.
+
+allow-public-rooms-over-federation
+  Allow other homeservers to fetch this server's public room directory.
+
+allow-public-rooms-without-auth
+  If set to 'false', requires authentication to access the server's public rooms directory through the client API.
+
+enable-server-notices
+  Enable the server notices room.
+
+allow-guest-access
+  Allows users to register as guests without a password/email/etc, and
+  participate in rooms hosted on this server which have been made accessible
+  to anonymous users.
+
+limit-remote-room-complexity
+  When this is enabled, the room "complexity" will be checked before a user joins
+  a new remote room. If it is above the complexity limit (see
+  remote-room-complexity-threshold parameter), the server will disallow
+  joining, or will instantly leave.
+
+disable-presence
+  Disable presence tracking on this homeserver.
+
+user-directory-search-all-users
+  Defines whether to search all users visible to your HS when searching the
+  user directory, rather than limiting to users visible in public rooms.
+  If you set it True, you'll have to rebuild the user_directory search indexes,
+  see
+  `<https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md>`_.
+
+enable-message-retention-policy
+  If this feature is enabled, Synapse will regularly look for and purge events
+  which are older than the room's maximum retention period. Synapse will also
+  filter events received over federation so that events that should have been
+  purged are ignored and not stored again. See message-max-lifetime flag.
+
+worker-mode
+  For small instances it recommended to run Synapse in the default monolith
+  mode. For larger instances where performance is a concern it can be helpful
+  to split out functionality into multiple separate python processes. These
+  processes are called 'workers'. Please read the  WORKER MODE section of this
+  manpage before enabling, as extra work and considerations are required.
+
+PERFORMANCE
+-----------
+
+The Synapse server is not very performant (initial implementation, pretty
+resource hungry, etc.) and will eventually be replaced by Dendrite. The
+following parameters (see above descriptions) will help you with performance
+tuning:
+
+  * global-cache-factor
+  * event-cache-size
+  * disable-presence
+  * limit-remote-room-complexity and remote-room-complexity-threshold
+
+WORKER MODE
+-----------
+
+Worker mode allows to move some processing out of the main synapse process for
+horizontal scaling. You are expected to use the
+`cdist-type__matrix_synapse_worker(7)
+<cdist-type__matrix_synapse_worker.html>`_ type to set up workers when the
+worker-mode flag is set.
+
+Worker mode depend on the following components:
+
+  * A working `redis <https://redis.io/>`_ server
+  * The hiredis python package (`python3-hiredis
+    <https://packages.debian.org/buster/python3-hiredis>`_ on debian, not
+    packaged in alpine as of 2021-02-17).
+  * The txredisapi python package, which is not packaged on debian nor alpine
+    as of 2021-02-17.
+
+The current way to install the above two python packages (if not packaged in
+your distribution) is sadly to use pip (see `cdist-type__python_pip(7)
+<cdist-type__python_pip.html>`_ core cdist type).
+
+It is also recommended to first take a look at:
+
+  - `upstream's high-level overview on workers (matrix.org blog post) <https://matrix.org/blog/2020/11/03/how-we-fixed-synapses-scalability>`_
+  - `upstream's documentation on workers <https://github.com/matrix-org/synapse/blob/develop/docs/workers.md>`_
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __matrix_synapse --server-name ungleich.ch \
+      --base-url https://matrix.ungleich.ch \
+      --database-engine sqlite3 \
+      --database-name /var/lib/matrix-syanpse/homeserver.db
+
+You might also be interested in ungleich's `__ungleich_matrix
+<https://code.ungleich.ch/ungleich-public/cdist-ungleich/-/tree/master/type/__ungleich_matrix>`_
+meta-type.
+
+SEE ALSO
+--------
+- `cdist-type__matrix_element(7) <cdist-type__matrix_element.html>`_
+- `cdist-type__matrix_synapse_admin(7) <cdist-type__matrix_synapse_admin.html>`_
+- `cdist-type__matrix_synapse_worker(7) <cdist-type__matrix_synapse_worker.html>`_
+
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@ungleich.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2019-2021 Timothée Floure. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__matrix_synapse/manifest

@@ -0,0 +1,369 @@
+#!/bin/sh -e
+#
+# 2019 Timothée Floure (timothee.floure@ungleich.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# OS-specific configuration.
+os=$(cat "$__global/explorer/os")
+distribution=$(cat "$__global/explorer/lsb_codename")
+
+case "$os" in
+	debian)
+		synapse_user=matrix-synapse
+		synapse_pkg=matrix-synapse
+		synapse_service=matrix-synapse
+		ldap_auth_provider_pkg=matrix-synapse-ldap3
+		synapse_conf_dir='/etc/matrix-synapse'
+		synapse_data_dir='/var/lib/matrix-synapse'
+
+		# See https://packages.debian.org/bullseye/matrix-synapse for state of
+		# synapse packaging in debian.
+		case "$distribution" in
+			stretch)
+				echo "The matrix-synapse package in debian stretch is outdated and unusable." >&2
+				exit 1
+				;;
+			buster)
+				# Enable debian-backports for debian Buster, as the 'stable'
+				# matrix-synapse package is ways too old (< 1.0).
+				apt_target_release=buster-backports
+				__apt_backports
+				;;
+				bullseye|sid)
+					# As of writting (2021-02), the default matrix-synapse of those
+					# release is perfectly usable.
+					:
+				;;
+				*)
+					echo "Unknown debian release '$distribution'. Exiting" >&2
+					exit 1
+				;;
+		esac
+		;;
+	alpine)
+		synapse_user=synapse
+		synapse_pkg=synapse
+		synapse_service=synapse
+		# Note available as of writing (2021-02-15)
+		ldap_auth_provider_pkg=
+		synapse_conf_dir='/etc/synapse'
+		synapse_data_dir='/var/lib/synapse'
+		;;
+	*)
+		printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+		;;
+esac
+
+# Small helper used to get boolean values which can be used as-is in the
+# configuration template.
+get_boolean_for () {
+	if [ -f "$__object/parameter/${1:?}" ]; then
+		echo 'true'
+	else
+		echo 'false'
+	fi
+}
+
+# Small helper for erroring out on invalid combinations.
+is_required_when () {
+	value=$1
+	flag=$2
+	when=$3
+
+	if [ -z "$value" ]; then
+		echo "$flag is required when $when." >&2
+		exit 1
+	fi
+}
+
+# Generic configuration.
+export DATA_DIR=$synapse_data_dir
+export LOG_DIR='/var/log/matrix-synapse'
+export PIDFILE='/var/run/matrix/homeserver.pid'
+export LOG_CONFIG_PATH="$synapse_conf_dir/log.yaml"
+export SIGNING_KEY_PATH="$synapse_conf_dir/signin.key"
+
+# Base parameters.
+SERVER_NAME=$(cat "$__object/parameter/server-name")
+BASE_URL=$(cat "$__object/parameter/base-url")
+REPORT_STATS=$(get_boolean_for 'report-stats')
+MAX_UPLOAD_SIZE=$(cat "$__object/parameter/max-upload-size")
+EXPOSE_METRICS=$(get_boolean_for 'expose-metrics')
+WEB_CLIENT_URL=$(cat "$__object/parameter/web-client-url")
+ROOM_ENCRYPTION_POLICY=$(cat "$__object/parameter/room-encryption-policy")
+BIND_ADDRESSES=$(cat "$__object/parameter/bind-address")
+export SERVER_NAME BASE_URL REPORT_STATS MAX_UPLOAD_SIZE EXPOSE_METRICS \
+	WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY BIND_ADDRESSES
+
+if [ -f "$__object/parameter/enable-server-notices" ]; then
+    export ENABLE_SERVER_NOTICES=1
+fi
+
+# TLS.
+if [ -f "$__object/parameter/tls-cert" ]; then
+	TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert")
+	export TLS_CERTIFICATE_PATH
+fi
+if [ -f "$__object/parameter/tls-private-key" ]; then
+	TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key")
+	export TLS_PRIVATE_KEY_PATH
+fi
+
+# Performance flags.
+GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor")
+EVENT_CACHE_SIZE=$(cat "$__object/parameter/event-cache-size")
+export GLOBAL_CACHE_FACTOR EVENT_CACHE_SIZE
+
+if [ -f "$__object/parameter/disable-presence" ]; then
+	export USE_PRESENCE='false'
+else
+	export USE_PRESENCE='true'
+fi
+
+# Database configuration.
+DATABASE_ENGINE=$(cat "$__object/parameter/database-engine")
+DATABASE_NAME=$(cat "$__object/parameter/database-name")
+DATABASE_HOST=$(cat "$__object/parameter/database-host")
+DATABASE_USER=$(cat "$__object/parameter/database-user")
+DATABASE_PASSWORD=$(cat "$__object/parameter/database-password")
+DATABASE_CP_MIN=$(cat "$__object/parameter/database-connection-pool-min")
+DATABASE_CP_MAX=$(cat "$__object/parameter/database-connection-pool-max")
+export DATABASE_ENGINE DATABASE_NAME DATABASE_HOST DATABASE_USER \
+	DATABASE_PASSWORD DATABASE_CP_MIN DATABASE_CP_MAX
+
+# LDAP-based authentication.
+if [ -f "$__object/parameter/enable-ldap-auth" ]; then
+	ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth')
+	export ENABLE_LDAP_AUTH
+fi
+
+LDAP_FILTER=$(cat "$__object/parameter/ldap-filter")
+LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute")
+LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute")
+LDAP_NAME_ATTRIBUTE=$(cat "$__object/parameter/ldap-name-attribute")
+LDAP_URI=$(cat "$__object/parameter/ldap-uri")
+LDAP_BASE_DN=$(cat "$__object/parameter/ldap-base-dn")
+LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
+LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
+LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls')
+export LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE LDAP_NAME_ATTRIBUTE \
+	LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD LDAP_USE_STARTTLS
+
+# Outgoing emails (= notifications).
+ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications')
+SMTP_HOST=$(cat "$__object/parameter/smtp-host")
+SMTP_PORT=$(cat "$__object/parameter/smtp-port")
+SMTP_USE_STARTTLS=$(get_boolean_for 'smtp-use-starttls')
+SMTP_USER=$(cat "$__object/parameter/smtp-user")
+SMTP_PASSWORD=$(cat "$__object/parameter/smtp-password")
+export SMTP_HOST SMTP_PORT SMTP_USER SMTP_PASSWORD SMTP_USE_STARTTLS \
+	ENABLE_NOTIFICATIONS
+
+if [ -f "$__object/parameter/notification-from" ]; then
+	NOTIFICATION_FROM=$(cat "$__object/parameter/notification-from")
+	export NOTIFICATION_FROM
+else
+	export NOTIFICATION_FROM="%(app)s <no-reply@$SERVER_NAME>"
+fi
+
+# Registrations and users.
+ALLOW_GUEST_ACCESS=$(get_boolean_for 'allow-guest-access')
+ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
+USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
+export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
+
+if [ -f "$__object/parameter/registration-shared-token" ]; then
+	REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
+	export REGISTRATION_SHARED_SECRET
+fi
+
+if [ -f "$__object/parameter/registration-requires-email" ]; then
+    export REGISTRATION_REQUIRES_EMAIL=1
+fi
+
+if [ -f "$__object/parameter/auto-join-room" ]; then
+    AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
+    export AUTO_JOIN_ROOMS
+fi
+
+if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
+    RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern")
+    export RESGISTRATION_ALLOWS_EMAIL_PATTERN
+fi
+
+# Federation.
+ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
+ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
+LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity')
+REMOTE_ROOM_COMPLEXITY_THRESHOLD=$(cat "$__object/parameter/remote-room-complexity-threshold")
+export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH \
+	LIMIT_REMOTE_ROOM_COMPLEXITY REMOTE_ROOM_COMPLEXITY_THRESHOLD
+
+if [ -f "$__object/parameter/disable-federation" ]; then
+	export DISABLE_FEDERATION=1
+fi
+
+# Message retention.
+ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
+MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime")
+export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME
+
+# Previews.
+ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview')
+export ENABLE_URL_PREVIEW
+
+# Rate-limiting
+RC_MESSAGE_PER_SECOND=$(cat "$__object/parameter/rc-message-per-second")
+RC_MESSAGE_BURST=$(cat "$__object/parameter/rc-message-burst")
+RC_LOGIN_PER_SECOND=$(cat "$__object/parameter/rc-login-per-second")
+RC_LOGIN_BURST=$(cat "$__object/parameter/rc-login-burst")
+export RC_MESSAGE_PER_SECOND RC_MESSAGE_BURST RC_LOGIN_PER_SECOND \
+	RC_LOGIN_BURST
+
+# Application services.
+if [ -f "$__object/parameter/app-service-config-file" ]; then
+	APP_SERVICE_CONFIG_FILES=$(cat "$__object/parameter/app-service-config-file")
+	export APP_SERVICE_CONFIG_FILES
+fi
+
+# Anything that did not fit in this type's template.
+if [ -f "$__object/parameter/extra-setting" ]; then
+	EXTRA_SETTINGS=$(cat "$__object/parameter/extra-setting")
+	export EXTRA_SETTINGS
+fi
+
+# TURN server (NAT traversal for P2P calls).
+TURN_USER_LIFETIME=$(cat "$__object/parameter/turn-user-lifetime")
+export TURN_USER_LIFETIME
+
+if [ -f "$__object/parameter/turn-shared-secret" ]; then
+	TURN_SHARED_SECRET=$(cat "$__object/parameter/turn-shared-secret")
+	export TURN_SHARED_SECRET
+fi
+
+if [ -f "$__object/parameter/turn-uri" ]; then
+	TURN_URIS=$(cat "$__object/parameter/turn-uri")
+	export TURN_URIS
+fi
+
+# Worker-mode configuration.
+export MAIN_LISTENER_PORT=8008
+export ENABLE_MEDIA_REPO='true'
+if [ -f "$__object/parameter/outbound-federation-worker" ]; then
+	FEDERATION_SENDER_INSTANCES=$(cat "$__object/parameter/outbound-federation-worker")
+	export FEDERATION_SENDER_INSTANCES
+fi
+MAIN_LISTENER_RESOURCES="[federation,client]"
+if [ "$EXPOSE_METRICS" = "true" ]; then
+	MAIN_LISTENER_RESOURCES="$(echo "$MAIN_LISTENER_RESOURCES" | tr -d ']'),metrics]"
+fi
+if [ -n "$FEDERATION_SENDER_INSTANCES" ]; then
+	export SEND_FEDERATION_FROM_MAIN_PROCESS='false'
+else
+	export SEND_FEDERATION_FROM_MAIN_PROCESS='true'
+fi
+export MAIN_LISTENER_RESOURCES
+
+ENABLE_REPLICATION=
+ENABLE_REDIS_SUPPORT='false'
+WORKER_REPLICATION_SECRET=$(cat "$__object/parameter/worker-replication-secret")
+BACKGROUND_TASKS_WORKER=$(cat "$__object/parameter/background-tasks-worker")
+if [ -f "$__object/parameter/worker-mode" ]; then
+	ENABLE_REPLICATION=1
+	ENABLE_REDIS_SUPPORT='true'
+fi
+export ENABLE_REPLICATION ENABLE_REDIS_SUPPORT WORKER_REPLICATION_SECRET \
+	BACKGROUND_TASKS_WORKER
+
+# Error out on invalid parameter combination.
+case "$DATABASE_ENGINE" in
+	sqlite3)
+		:
+	;;
+	psycopg2)
+		when='database engine is psycopg2'
+		is_required_when "$DATABASE_HOST" '--database-host' "$when"
+		is_required_when "$DATABASE_USER" '--database-user' "$when"
+	;;
+	*)
+		echo "Invalid database engine: $DATABASE_ENGINE." >&2
+		exit 1
+	;;
+esac
+
+
+# Install OS packages. We have a bit of boilerplate to handle the debian
+# backports situation.
+synapse_req=
+if [ -n "$apt_target_release" ]; then
+	require="__apt_backports" __package_apt "$synapse_pkg" \
+		--target-release "$apt_target_release"
+	synapse_req="__package_apt/$synapse_pkg"
+else
+	__package "$synapse_pkg"
+	synapse_req="__package/$synapse_pkg"
+fi
+
+if [ -n "$ENABLE_LDAP_AUTH" ]; then
+	if [ -n "$apt_target_release" ]; then
+		require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
+			--target-release "$apt_target_release"
+		else
+			__package "$ldap_auth_provider_pkg"
+	fi
+fi
+
+# Generate and deploy configuration files.
+mkdir -p "$__object/files"
+"$__type/files/homeserver.yaml.sh" > "$__object/files/homeserver.yaml"
+"$__type/files/log.config.sh" > "$__object/files/log.config"
+
+require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \
+  --owner $synapse_user \
+  --mode 600 \
+  --source "$__object/files/homeserver.yaml"
+require="$synapse_req" __file "$LOG_CONFIG_PATH" \
+  --owner $synapse_user \
+  --mode 600 \
+  --source "$__object/files/log.config"
+
+for directory in $DATA_DIR $LOG_DIR; do
+	require="$synapse_req" __directory $directory \
+		--state present \
+		--owner $synapse_user
+done
+
+# Make dpkg-reconfigure happy on debian systems.
+if [ "$os" = "debian" ]; then
+	require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
+		--owner $synapse_user \
+		--source - <<- EOF
+		server_name: "$SERVER_NAME"
+		EOF
+
+	require="$synapse_req" __file "$synapse_conf_dir/conf.d/report_stats.yaml" \
+		--owner $synapse_user \
+		--source - <<- EOF
+		report_stats: $REPORT_STATS
+		EOF
+fi
+
+# Start service at boot - started/reload in gencode-remote.
+require="$synapse_req" __start_on_boot $synapse_service

type/__matrix_synapse/parameter/boolean

@@ -0,0 +1,19 @@
+enable-registrations
+enable-ldap-auth
+report-stats
+expose-metrics
+enable-notifications
+smtp-use-starttls
+disable-federation
+registration-requires-email
+allow-public-rooms-over-federation
+enable-server-notices
+allow-guest-access
+allow-public-rooms-without-auth
+limit-remote-room-complexity
+disable-presence
+ldap-use-starttls
+user-directory-search-all-users
+enable-message-retention-policy
+worker-mode
+enable-url-preview

type/__matrix_synapse/parameter/default/bind-address

@@ -0,0 +1 @@
+::1 127.0.0.1

type/__matrix_synapse/parameter/default/database-connection-pool-max

@@ -0,0 +1 @@
+5

type/__matrix_synapse/parameter/default/database-connection-pool-min

@@ -0,0 +1 @@
+3

type/__matrix_synapse/parameter/default/event-cache-size

@@ -0,0 +1 @@
+10K

type/__matrix_synapse/parameter/default/global-cache-factor

@@ -0,0 +1 @@
+0.5

type/__matrix_synapse/parameter/default/ldap-filter

@@ -0,0 +1 @@
+(objectClass=posixAccount)

type/__matrix_synapse/parameter/default/ldap-mail-attribute

@@ -0,0 +1 @@
+mail

type/__matrix_synapse/parameter/default/ldap-name-attribute

@@ -0,0 +1 @@
+givenName

type/__matrix_synapse/parameter/default/ldap-uid-attribute

@@ -0,0 +1 @@
+uid

type/__matrix_synapse/parameter/default/max-upload-size

@@ -0,0 +1 @@
+10M

type/__matrix_synapse/parameter/default/message-max-lifetime

@@ -0,0 +1 @@
+1y

type/__matrix_synapse/parameter/default/rc-login-burst

@@ -0,0 +1 @@
+3

type/__matrix_synapse/parameter/default/rc-login-per-second

@@ -0,0 +1 @@
+0.17

type/__matrix_synapse/parameter/default/rc-message-burst

@@ -0,0 +1 @@
+3

type/__matrix_synapse/parameter/default/rc-message-per-second

@@ -0,0 +1 @@
+0.17

type/__matrix_synapse/parameter/default/remote-room-complexity-threshold

@@ -0,0 +1 @@
+1.0

type/__matrix_synapse/parameter/default/room-encryption-policy

@@ -0,0 +1 @@
+off

type/__matrix_synapse/parameter/default/smtp-host

@@ -0,0 +1 @@
+localhost

type/__matrix_synapse/parameter/default/smtp-port

@@ -0,0 +1 @@
+25

type/__matrix_synapse/parameter/default/turn-user-lifetime

@@ -0,0 +1 @@
+1h

type/__matrix_synapse/parameter/optional

@@ -0,0 +1,36 @@
+database-host
+database-user
+database-password
+database-connection-pool-min
+database-connection-pool-max
+ldap-uri
+ldap-base-dn
+ldap-uid-attribute
+ldap-mail-attribute
+ldap-name-attribute
+ldap-bind-dn
+ldap-bind-password
+ldap-filter
+turn-shared-secret
+turn-user-lifetime
+max-upload-size
+smtp-host
+smtp-port
+smtp-user
+smtp-password
+web-client-url
+rc-message-per-second
+rc-message-burst
+rc-login-per-second
+rc-login-burst
+global-cache-factor
+event-cache-size
+remote-room-complexity-threshold
+room-encryption-policy
+notification-from
+message-max-lifetime
+worker-replication-secret
+background-tasks-worker
+tls-cert
+tls-private-key
+registration-shared-secret

type/__matrix_synapse/parameter/optional_multiple

@@ -0,0 +1,7 @@
+turn-uri
+registration-allows-email-pattern
+auto-join-room
+app-service-config-file
+extra-setting
+bind-address
+outbound-federation-worker

type/__matrix_synapse/parameter/required

@@ -0,0 +1,4 @@
+server-name
+base-url
+database-engine
+database-name

type/__matrix_synapse_worker/files/matrix-synapse-worker@.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Synapse %i
+AssertPathExists=/etc/matrix-synapse/workers/%i.yaml
+
+# This service should be restarted when the synapse target is restarted.
+PartOf=matrix-synapse.target
+
+# if this is started at the same time as the main, let the main process start
+# first, to initialise the database schema.
+After=matrix-synapse.service
+
+[Service]
+Type=notify
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=/etc/default/matrix-synapse
+ExecStart=/usr/bin/python3 -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=3
+SyslogIdentifier=matrix-synapse-%i
+
+[Install]
+WantedBy=matrix-synapse.target

type/__matrix_synapse_worker/files/worker.yaml.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+generate_bind_addresses () {
+	if [ -n "$WORKER_BIND_ADDRESSES" ]; then
+		echo "bind_addresses:"
+		for addr in $WORKER_BIND_ADDRESSES; do
+			echo "    - '$addr'"
+		done
+	else
+		echo "bind_addresses: []"
+	fi
+}
+
+cat << EOF
+worker_app: "${WORKER_APP:?}"
+worker_name: "${WORKER_NAME:?}"
+
+# The replication listener on the main synapse process.
+worker_replication_host: "${WORKER_REPLICATION_HOST:?}"
+worker_replication_http_port: ${WORKER_REPLICATION_PORT:?}
+
+worker_listeners:
+ - type: http
+   port: ${WORKER_PORT:?}
+   x_forwarded: true
+   $(generate_bind_addresses)
+   resources:
+     - names:
+EOF
+
+for resource in ${WORKER_RESOURCES:?}; do
+echo "       - $resource"
+done
+
+cat << EOF
+
+worker_log_config: "${WORKER_LOG_CONFIG:?}"
+EOF

type/__matrix_synapse_worker/gencode-remote

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Designed for Debian/systemd - make sure to adapt when you add support for other
+# distributions/OSs.
+name=$__object_id
+synapse_conf_dir='/etc/matrix-synapse'
+synapse_workers_conf_dir="$synapse_conf_dir/workers"
+systemd_worker_service="matrix-synapse-worker@$name"
+
+if grep -qE "^__file$synapse_workers_conf_dir/$name" "${__messages_in}"; then
+	echo "systemctl restart $systemd_worker_service"
+fi

type/__matrix_synapse_worker/man.rst

@@ -0,0 +1,83 @@
+cdist-type__matrix_synapse(7)
+======================
+
+NAME
+----
+cdist-type__matrix_synapse_worker - Configure a synapse worker
+
+
+DESCRIPTION
+-----------
+This type configures and start a matrix worker. This type does not install
+synapse: `cdist-type__matrix_synapse(7) <cdist-type__matrix_synapse.html>`_
+type must be run first.
+
+It is also recommended to take a look at:
+
+  - `upstream's high-level overview on workers (matrix.org blog post) <https://matrix.org/blog/2020/11/03/how-we-fixed-synapses-scalability>`_
+  - `upstream's documentation on workers <https://github.com/matrix-org/synapse/blob/develop/docs/workers.md>`_
+
+REQUIRED PARAMETERS
+-------------------
+app
+  Worker application to be used. A detailed list is available on `upstream's
+  documentation
+  <https://github.com/matrix-org/synapse/blob/master/docs/workers.md#available-worker-applications>`_.
+
+port
+  Port on which this worker will listen.
+
+OPTIONAL PARAMETERS
+-------------------
+replication-host
+  Replication endpoint host of your main synapse process. Defaults to
+  localhost.
+
+replication-port
+  Replication endpoint port of your main synapse process. Defaults to 9093.
+
+log-config
+  Path to log configuration. Defaults to synapse's main process log
+  configuration.
+
+resource
+  Resources to be served by this worker. Can be specified multiple times.
+  Defaults to 'client' and 'federation'.
+
+bind-address
+  Address used to bind the synapse listeners. Can be specified multiple times.
+  Defaults to '::1' and '127.0.0.1'.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __matrix_synapse --server-name ungleich.ch \
+      --base-url https://matrix.ungleich.ch \
+      --database-engine sqlite3 \
+      --database-name /var/lib/matrix-syanpse/homeserver.db \
+      --worker-mode
+    require="__matrix_synapse" __matrix_synapse_worker generic \
+      --app 'synapse.app.generic_worker' \
+      --port 8083 \
+      --resource 'federation' \
+      --resource 'client'
+
+SEE ALSO
+--------
+- `cdist-type__matrix_synapse(7) <cdist-type__matrix_synapse.html>`_
+
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@ungleich.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2019-2021 Timothée Floure. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__matrix_synapse_worker/manifest

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# TODO: check if matrix-synapse package is installed (fail if not - it's not
+# this type's job to install it).
+
+name=$__object_id
+os=$(cat "$__global/explorer/os")
+
+case "$os" in
+	debian)
+		synapse_conf_dir='/etc/matrix-synapse'
+		synapse_workers_conf_dir="$synapse_conf_dir/workers"
+
+		# Synapse log configuration on debian - default value of config-log
+		# parameter.
+		WORKER_LOG_CONFIG="$synapse_conf_dir/log.yaml"
+
+		# As of writing, debian's matrix-synapse package does not install the
+		# matrix-synapse-worker@.service systemd unit.
+		systemd_worker_service_override=present
+		systemd_worker_service="matrix-synapse-worker@$name"
+		;;
+	*)
+		printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+		;;
+esac
+
+# Type parameters.
+WORKER_NAME=$__object_id
+WORKER_APP=$(cat "$__object/parameter/app")
+WORKER_PORT=$(cat "$__object/parameter/port")
+WORKER_RESOURCES=$(cat "$__object/parameter/resource")
+WORKER_BIND_ADDRESSES=$(cat "$__object/parameter/bind-address")
+export WORKER_APP WORKER_NAME WORKER_PORT WORKER_RESOURCES WORKER_BIND_ADDRESSES
+
+if [ -f "$__object/parameter/log-config" ]; then
+	WORKER_LOG_CONFIG=$(cat "$__object/parameter/log-config")
+fi
+export WORKER_LOG_CONFIG
+
+WORKER_REPLICATION_HOST=$(cat "$__object/parameter/replication-host")
+WORKER_REPLICATION_PORT=$(cat "$__object/parameter/replication-port")
+export WORKER_REPLICATION_HOST WORKER_REPLICATION_PORT
+
+# Generate and deploy configuration files.
+mkdir -p "$__object/files"
+"$__type/files/worker.yaml.sh" > "$__object/files/worker.yaml"
+
+__directory "$synapse_workers_conf_dir" --parents
+require="__directory/$synapse_workers_conf_dir" \
+	__file "$synapse_workers_conf_dir/$name.yaml" \
+	--source "$__object/files/worker.yaml" \
+	--mode 0644
+
+__file "/etc/systemd/system/matrix-synapse-worker@.service" \
+	--source "$__type/files/matrix-synapse-worker@.service" \
+	--mode 0644 \
+	--state $systemd_worker_service_override
+
+# Start service, enable at boot.
+service_req=
+if [ "$systemd_worker_service_override" ]; then
+	service_req="__file/etc/systemd/system/matrix-synapse-worker@.service"
+fi
+require="__file/$synapse_workers_conf_dir/$name.yaml $service_req" \
+	__start_on_boot "$systemd_worker_service"

type/__matrix_synapse_worker/parameter/default/bind-address

@@ -0,0 +1 @@
+::1 127.0.0.1

type/__matrix_synapse_worker/parameter/default/replication-host

@@ -0,0 +1 @@
+localhost

type/__matrix_synapse_worker/parameter/default/replication-port

@@ -0,0 +1 @@
+9093

type/__matrix_synapse_worker/parameter/default/resource

@@ -0,0 +1 @@
+client federation

type/__matrix_synapse_worker/parameter/optional

@@ -0,0 +1,3 @@
+replication-host
+replication-port
+log-config

type/__matrix_synapse_worker/parameter/optional_multiple

@@ -0,0 +1,2 @@
+resource
+bind-address

type/__matrix_synapse_worker/parameter/required

@@ -0,0 +1,2 @@
+app
+port