Merge Synapse reverse-proxy companion role into matrix-synapse

The companion role was tightly coupled to Synapse through shared tags, worker routing, and lifecycle ordering. Keeping them separate added coordination overhead without practical benefits, especially for parallelized execution.

This merges the role into matrix-synapse while keeping companion logic organized under dedicated reverse_proxy_companion task/template subdirectories.

Compatibility is preserved:
- matrix_synapse_reverse_proxy_companion_* variable names remain unchanged
- install/setup companion-specific tags remain available

Cross-role/global wiring is now in group_vars (matrix-synapse section), while role defaults provide sensible standalone defaults and self-wiring for Synapse-owned values.

roles/custom/matrix-synapse/tasks/main.yml

@@ -47,6 +47,16 @@
     # This always runs because it handles uninstallation for sub-components too.
     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
 
+- tags:
+    - setup-all
+    - setup-synapse-reverse-proxy-companion
+    - setup-synapse
+    - install-all
+    - install-synapse-reverse-proxy-companion
+    - install-synapse
+  block:
+    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/main.yml"
+
 - tags:
     - import-synapse-media-store
   block:

roles/custom/matrix-synapse/tasks/reverse_proxy_companion/main.yml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- tags:
+    - setup-all
+    - setup-synapse-reverse-proxy-companion
+    - setup-synapse
+    - install-all
+    - install-synapse-reverse-proxy-companion
+    - install-synapse
+  block:
+    - when: matrix_synapse_reverse_proxy_companion_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/validate_config.yml"
+
+    - when: matrix_synapse_reverse_proxy_companion_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/setup_install.yml"
+
+- tags:
+    - setup-all
+    - setup-synapse-reverse-proxy-companion
+    - setup-synapse
+  block:
+    - when: not matrix_synapse_reverse_proxy_companion_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/setup_uninstall.yml"

roles/custom/matrix-synapse/tasks/reverse_proxy_companion/setup_install.yml

@@ -0,0 +1,86 @@
+# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2024 David Mehren
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure matrix-synapse-reverse-proxy-companion paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: '0750'
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  with_items:
+    - {path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}", when: true}
+    - {path: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}", when: true}
+    - {path: "{{ matrix_synapse_reverse_proxy_companion_njs_path }}", when: "{{ matrix_synapse_reverse_proxy_companion_njs_enabled }}"}
+  when: item.when | bool
+
+- name: Ensure matrix-synapse-reverse-proxy-companion is configured
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+    mode: '0644'
+  with_items:
+    - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/nginx.conf.j2"
+      dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf"
+    - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/conf.d/nginx-http.conf.j2"
+      dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf"
+    - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
+      dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf"
+    - src: "{{ role_path }}/templates/reverse_proxy_companion/labels.j2"
+      dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/labels"
+  register: matrix_synapse_reverse_proxy_companion_config_result
+
+- name: Ensure matrix-synapse-reverse-proxy-companion whoami sync worker router njs script is deployed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/njs/whoami_sync_worker_router.js.j2"
+    dest: "{{ matrix_synapse_reverse_proxy_companion_njs_path }}/whoami_sync_worker_router.js"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+    mode: '0644'
+  when: matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled | bool
+
+- name: Ensure matrix-synapse-reverse-proxy-companion njs path is removed when njs is disabled
+  ansible.builtin.file:
+    path: "{{ matrix_synapse_reverse_proxy_companion_njs_path }}"
+    state: absent
+  when: not matrix_synapse_reverse_proxy_companion_njs_enabled
+
+- name: Ensure matrix-synapse-reverse-proxy-companion nginx container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_synapse_reverse_proxy_companion_container_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_synapse_reverse_proxy_companion_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_reverse_proxy_companion_container_image_force_pull }}"
+  register: matrix_synapse_reverse_proxy_companion_container_image_pull_result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: matrix_synapse_reverse_proxy_companion_container_image_pull_result is not failed
+
+- name: Ensure matrix-synapse-reverse-proxy-companion container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure matrix-synapse-reverse-proxy-companion.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/reverse_proxy_companion/systemd/matrix-synapse-reverse-proxy-companion.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service"
+    mode: '0644'
+  register: matrix_synapse_reverse_proxy_companion_systemd_service_result
+
+- name: Determine whether Synapse reverse-proxy companion needs a restart
+  ansible.builtin.set_fact:
+    matrix_synapse_reverse_proxy_companion_restart_necessary: >-
+      {{
+        matrix_synapse_reverse_proxy_companion_config_result.changed | default(false)
+        or matrix_synapse_reverse_proxy_companion_systemd_service_result.changed | default(false)
+        or matrix_synapse_reverse_proxy_companion_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-synapse/tasks/reverse_proxy_companion/setup_uninstall.yml

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2022 - 2023 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Check existence of matrix-synapse-reverse-proxy-companion service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service"
+  register: matrix_synapse_reverse_proxy_companion_service_stat
+
+- when: matrix_synapse_reverse_proxy_companion_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-synapse-reverse-proxy-companion.service is stopped
+      ansible.builtin.service:
+        name: matrix-synapse-reverse-proxy-companion
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure matrix-synapse-reverse-proxy-companion.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service"
+        state: absent
+
+    - name: Ensure matrix-synapse-reverse-proxy-companion data deleted
+      ansible.builtin.file:
+        path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}"
+        state: absent

roles/custom/matrix-synapse/tasks/reverse_proxy_companion/validate_config.yml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2024 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Fail if required matrix-synapse-reverse-proxy-companion settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
+  with_items:
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_network', when: true}
+
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled }}"}
+
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled }}"}
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled }}"}
+
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled }}"}
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled }}"}
+
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled }}"}
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled }}"}
+
+
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled }}"}