Make roles more independent of one another

With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).

roles/matrix-corporal/defaults/main.yml

@@ -1,12 +1,13 @@
-# Enable this to add support for matrix-corporal.
+# matrix-corporal is a reconciliator and gateway for a managed Matrix server.
 # See: https://github.com/devture/matrix-corporal
-matrix_corporal_enabled: false
 
-# Controls whether the matrix-corporal web server's ports are exposed outside of the container.
-# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
-# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
-matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
+matrix_corporal_enabled: true
+
+# Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container.
+matrix_corporal_container_expose_ports: false
+
+# List of systemd services that matrix-corporal.service depends on
+matrix_corporal_systemd_required_services_list: ['docker.service']
 
 matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
@@ -14,6 +15,20 @@ matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
 matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
 matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
 
+matrix_corporal_matrix_homeserver_domain_name: "{{ hostname_identity }}"
+
+# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:8008").
+# If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`.
+matrix_corporal_matrix_homeserver_api_endpoint: ""
+
+# The shared secret between matrix-corporal and Synapse's shared-secret-auth password provider module.
+# To use matrix-corporal, the shared-secret-auth password provider needs to be enabled and the secret needs to be identical.
+matrix_corporal_matrix_auth_shared_secret: ""
+
+# The shared secret for registering users with Synapse.
+# Needs to be identical to Synapse's `registration_shared_secret` setting.
+matrix_corporal_matrix_registration_shared_secret: ""
+
 matrix_corporal_matrix_timeout_milliseconds: 45000
 
 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000

roles/matrix-corporal/tasks/init.yml

@@ -1,9 +1,3 @@
-- name: Override configuration specifying where the Matrix Client API is
-  set_fact:
-    matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
-    matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
-  when: "matrix_corporal_enabled"
-
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
   when: "matrix_corporal_enabled"

roles/matrix-corporal/tasks/main.yml

@@ -2,6 +2,12 @@
   tags:
     - always
 
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup and matrix_corporal_enabled"
+  tags:
+    - setup-all
+    - setup-corporal
+
 - import_tasks: "{{ role_path }}/tasks/setup_corporal.yml"
   when: run_setup
   tags:

roles/matrix-corporal/tasks/setup_corporal.yml

@@ -4,24 +4,6 @@
 # Tasks related to setting up matrix-corporal
 #
 
-- name: Fail if Shared Secret Auth extension not enabled
-  fail:
-    msg: "To use matrix-corporal, you need to enable the Shared Secret Auth module for Synapse (see matrix_synapse_ext_password_provider_shared_secret_auth_enabled)"
-  when: "matrix_corporal_enabled and not matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
-
-- name: Fail if HTTP API enabled, but no token set
-  fail:
-    msg: "The Matrix Corporal HTTP API is enabled, but no auth token has been set in matrix_corporal_http_api_auth_token"
-  when: "matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"
-
-- name: Fail if policy provider configuration not set
-  fail:
-    msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config"
-  when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''"
-
-# There are some additional initialization tasks in setup_corporal_overrides.yml,
-# which need to always run, no matter what tag the playbook is running with.
-
 - name: Ensure Matrix Corporal paths exist
   file:
     path: "{{ item }}"

roles/matrix-corporal/tasks/validate_config.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Fail if required matrix-corporal settings not defined
+  fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal.
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_corporal_matrix_homeserver_api_endpoint"
+    - "matrix_corporal_matrix_auth_shared_secret"
+    - "matrix_corporal_matrix_registration_shared_secret"
+    - "matrix_corporal_policy_provider_config"
+
+- name: Fail if HTTP API enabled, but no token set
+  fail:
+    msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
+  when: "matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"

roles/matrix-corporal/templates/config.json.j2

@@ -1,9 +1,9 @@
 {
 	"Matrix": {
-		"HomeserverDomainName": "{{ hostname_identity }}",
-		"HomeserverApiEndpoint": "http://matrix-synapse:8008",
-		"AuthSharedSecret": "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}",
-		"RegistrationSharedSecret": "{{ matrix_synapse_registration_shared_secret }}",
+		"HomeserverDomainName": "{{ matrix_corporal_matrix_homeserver_domain_name }}",
+		"HomeserverApiEndpoint": "{{ matrix_corporal_matrix_homeserver_api_endpoint }}",
+		"AuthSharedSecret": "{{ matrix_corporal_matrix_auth_shared_secret }}",
+		"RegistrationSharedSecret": "{{ matrix_corporal_matrix_registration_shared_secret }}",
 		"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
 	},
 

roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2

@@ -1,9 +1,9 @@
 [Unit]
 Description=Matrix Corporal
-After=docker.service
-Requires=docker.service
-Requires=matrix-synapse.service
-After=matrix-synapse.service
+{% for service in matrix_corporal_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
 
 [Service]
 Type=simple