From 586a02e5459fdbd30ac4420e5fdf6a3ea93a6121 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Wed, 6 Sep 2023 21:37:39 +0200
Subject: [PATCH] heisenbridge: new role
---
roles/heisenbridge/defaults/main.yml | 7 +++
roles/heisenbridge/handlers/main.yml | 7 +++
roles/heisenbridge/tasks/main.yml | 56 +++++++++++++++++++
.../templates/heisenbridge.service.j2 | 15 +++++
.../matrix-synapse/homeserver.yaml.j2 | 19 ++++++-
site.yml | 1 +
6 files changed, 103 insertions(+), 2 deletions(-)
create mode 100644 roles/heisenbridge/defaults/main.yml
create mode 100644 roles/heisenbridge/handlers/main.yml
create mode 100644 roles/heisenbridge/tasks/main.yml
create mode 100644 roles/heisenbridge/templates/heisenbridge.service.j2
diff --git a/roles/heisenbridge/defaults/main.yml b/roles/heisenbridge/defaults/main.yml
new file mode 100644
index 0000000..1aca652
--- /dev/null
+++ b/roles/heisenbridge/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+
+heisenbridge_user: heisenbridge
+heisenbridge_group: heisenbridge
+
+heisenbridge_directory: /opt/heisenbridge
+heisenbridge_config: "{{ heisenbridge_directory }}/heisenbridge.yaml"
diff --git a/roles/heisenbridge/handlers/main.yml b/roles/heisenbridge/handlers/main.yml
new file mode 100644
index 0000000..78bf9ba
--- /dev/null
+++ b/roles/heisenbridge/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+ systemd: daemon_reload=yes
+
+- name: Restart heisenbridge
+ service: name=heisenbridge state=restarted
diff --git a/roles/heisenbridge/tasks/main.yml b/roles/heisenbridge/tasks/main.yml
new file mode 100644
index 0000000..e3a787e
--- /dev/null
+++ b/roles/heisenbridge/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+
+- name: Install dependencies
+ apt:
+ name:
+ - python3-pip
+ - python3-venv
+
+- name: Create group
+ group:
+ name: "{{ heisenbridge_group }}"
+ system: yes
+
+- name: Create user
+ user:
+ name: "{{ heisenbridge_user }}"
+ group: "{{ heisenbridge_group }}"
+ system: yes
+ create_home: no
+ home: "{{ heisenbridge_directory }}"
+
+- name: Create directory
+ file:
+ path: "{{ heisenbridge_directory }}"
+ state: directory
+ owner: "{{ heisenbridge_user }}"
+ group: "{{ heisenbridge_group }}"
+ mode: 0755
+
+- name: Install heisenbridge
+ pip:
+ name: heisenbridge
+ virtualenv: "{{ heisenbridge_directory }}"
+ virtualenv_command: python3 -m venv
+ become: true
+ become_user: "{{ heisenbridge_user }}"
+ environment:
+ MULTIDICT_NO_EXTENSIONS: 1
+ YARL_NO_EXTENSIONS: 1
+
+- name: Create configuration
+ command:
+ cmd: "{{ heisenbridge_directory }}/bin/heisenbridge -c {{ heisenbridge_config }} --generate"
+ creates: "{{ heisenbridge_config }}"
+ become: true
+ become_user: "{{ heisenbridge_user }}"
+ notify: Restart heisenbridge
+
+- name: Install systemd unit
+ template: src=heisenbridge.service.j2 dest=/lib/systemd/system/heisenbridge.service
+ notify:
+ - Reload systemd
+ - Restart heisenbridge
+
+- name: Enable heisenbridge
+ service: name=heisenbridge enabled=yes
diff --git a/roles/heisenbridge/templates/heisenbridge.service.j2 b/roles/heisenbridge/templates/heisenbridge.service.j2
new file mode 100644
index 0000000..f723c58
--- /dev/null
+++ b/roles/heisenbridge/templates/heisenbridge.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=Heisenbridge
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User={{ heisenbridge_user }}
+Group={{ heisenbridge_user }}
+WorkingDirectory={{ heisenbridge_directory }}
+ExecStart={{ heisenbridge_directory }}/bin/heisenbridge -c {{ heisenbridge_config }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
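Review bot: In roles/heisenbridge/tasks/main.yml, the `Create configuration` task leaves the owner and mode of `{{ heisenbridge_config }}` to whatever `heisenbridge --generate` and the service account's umask produce, although an appservice registration file normally carries the `as_token`/`hs_token` pair and the homeserver template in this patch makes Synapse read it. Because the parent directory is created with mode `0755`, the file ends up either readable by every local account or unreadable by Synapse, depending on that default. I would follow the command with an explicit task such as `file: path="{{ heisenbridge_config }}" owner="{{ heisenbridge_user }}" group="<SYNAPSE_GROUP>" mode="0640"`, where `<SYNAPSE_GROUP>` is a placeholder for whichever group Synapse runs under on this host. Separately, the `pip` task names `heisenbridge` without a `version:`, so each fresh install takes the newest release from the index; pinning a reviewed version keeps deployments reproducible.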
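Review bot: In heisenbridge.service.j2, `Group={{ heisenbridge_user }}` takes the group from the user variable, so overriding `heisenbridge_group` in inventory yields a unit that runs under a different group than the one the tasks file assigns to the install directory; it should read `Group={{ heisenbridge_group }}`. The `[Service]` section also carries no sandboxing, and a long-running bridge process that holds appservice tokens is a reasonable place for `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full`. Those directives should be tried against a running bridge first, since the patch does not show which paths the process writes to at runtime.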
diff --git a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2 b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2 index 62e3684..fb100f3 100644 --- a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2 +++ b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2 @@ -1512,11 +1512,26 @@ room_prejoin_state: #additional_event_types: # - org.example.custom.event.type +# We record the IP address of clients used to access the API for various +# reasons, including displaying it to the user in the "Where you're signed in" +# dialog. +# +# By default, when puppeting another user via the admin API, the client IP +# address is recorded against the user who created the access token (ie, the +# admin user), and *not* the puppeted user. +# +# Uncomment the following to also record the IP address against the puppeted +# user. (This also means that the puppeted user will count as an "active" user +# for the purpose of monthly active user tracking - see 'limit_usage_by_mau' etc +# above.) +# +#track_puppeted_user_ips: true + # A list of application service config files to use # -#app_service_config_files: -# - app_service_1.yaml +app_service_config_files: + - /opt/heisenbridge/heisenbridge.yaml # - app_service_2.yaml # Uncomment to enable tracking of application service IP addresses. Implicitly diff --git a/site.yml b/site.yml index 214de66..7c41661 100644 --- a/site.yml +++ b/site.yml @@ -116,6 +116,7 @@ hosts: sodium.binary-kitchen.net roles: - matrix + - heisenbridge - name: Setup turn server hosts: magnesium.binary-kitchen.net
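Review bot: In homeserver.yaml.j2, the new `app_service_config_files` entry hard-codes `/opt/heisenbridge/heisenbridge.yaml`, which duplicates the role default `heisenbridge_config`; if `heisenbridge_directory` is overridden, Synapse keeps pointing at the old path. Writing the entry as `- {{ heisenbridge_config }}` would keep the two in step, assuming the heisenbridge role's defaults are visible to the matrix role in this play (the usual behaviour when both are listed under `roles:`, unless role variables are made private). If the matrix role is ever applied to a host without heisenbridge, the entry would reference a registration file that does not exist there, so a conditional around it may be worth adding.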
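Review bot: In site.yml, `heisenbridge` is listed after `matrix`, but the homeserver template changed in this patch makes Synapse load a registration file that only the heisenbridge role's `Create configuration` task generates. If the matrix role starts or restarts Synapse during its own tasks (that role's tasks are not part of this diff), a first deployment would bring Synapse up against a missing file; listing `heisenbridge` before `matrix` would remove the dependency on ordering. Nothing visible here restarts Synapse when the registration file is first created either, since `Create configuration` notifies only `Restart heisenbridge`.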