diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 9139b913..30800a01 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -43,10 +43,6 @@ docker_nginx_image: "nginx:1.13.5-alpine"
 docker_riot_image: "silviof/matrix-riot-docker:latest"
 docker_s3fs_image: "xueshanf/s3fs:latest"
 
-# Specifies when to restart the Matrix services so that
-# a new SSL certificate could go into effect (UTC time).
-matrix_services_restart_cron_time_definition: "15 4 3 * *"
-
 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172
@@ -72,3 +68,7 @@ matrix_riot_web_enabled: true
 # But in case that's not the case, you may wish to prevent that
 # and take care of proxying by yourself.
 matrix_nginx_proxy_enabled: true
+
+# Specifies when to reload the matrix-nginx-proxy service so that
+# a new SSL certificate could go into effect (UTC time).
+matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *"
\ No newline at end of file
diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml
index 0363d062..57108064 100644
--- a/roles/matrix-server/tasks/setup_nginx_proxy.yml
+++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml
@@ -56,6 +56,13 @@
 mode: 0644
 when: matrix_nginx_proxy_enabled
 
+- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
+ template:
+ src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
+ dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
+ mode: 0600
+ when: matrix_nginx_proxy_enabled
+
 #
 # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
 #
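Review bot: The new default `"15 4 3 * *"` reloads nginx only on the 3rd of each month, while the renewal job in matrix-ssl-certificate-renewal.j2 runs every five days (`15 4 */5 * *`), so a certificate renewed on the 4th is not served until the following month; a daily schedule such as `"15 5 * * *"` (constructed example) closes that gap and a reload when nothing changed is cheap. The old `matrix_services_restart_cron_time_definition` is dropped without any alias, so inventories that overrode it now silently fall back to the default; a migration comment next to the new key, or a one-release bridge like `matrix_nginx_proxy_reload_cron_time_definition: "{{ matrix_services_restart_cron_time_definition | default('15 4 3 * *') }}"`, would make the rename visible to operators. The hunk also leaves the file without a trailing newline (the `\ No newline at end of file` marker), which yamllint flags.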
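Review bot: Nothing removes the previous `/etc/cron.d/matrix-periodic-restarter` from hosts provisioned before this change: its template and the task that rendered it are deleted (setup_synapse.yml, last hunk), but the rendered file stays on disk and keeps running `systemctl restart matrix-synapse.service` on its old schedule alongside the new reload job. A task mirroring the one added in the second hunk of this file, `- name: Ensure legacy matrix-periodic-restarter cronjob is removed` with `file: {path: "/etc/cron.d/matrix-periodic-restarter", state: absent}` and no `when`, would clean it up. The task name says "restarting" while the template, the variable and the cron line all reload; `Ensure periodic reloading of matrix-nginx-proxy is configured (for SSL renewal)` describes what is actually installed. `mode: 0600` relies on YAML 1.1 octal parsing, and the quoted form `mode: "0600"` is the one Ansible documents, though the surrounding tasks use the same bare form.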
@@ -74,3 +81,9 @@
 path: "/etc/systemd/system/matrix-nginx-proxy.service"
 state: absent
 when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure periodic restarting of matrix-nginx-proxy is removed
+ file:
+ path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
+ state: absent
+ when: "not matrix_nginx_proxy_enabled"
\ No newline at end of file
diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml
index 7cb42728..9c15d8c2 100644
--- a/roles/matrix-server/tasks/setup_synapse.yml
+++ b/roles/matrix-server/tasks/setup_synapse.yml
@@ -53,14 +53,6 @@
 - "{{ matrix_synapse_config_dir_path }}:/data"
 when: "not matrix_synapse_config_stat.stat.exists"
 
-- name: Ensure self-signed certificates are removed
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
- - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key"
-
 - name: Augment Matrix log config
 lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
 args:
@@ -78,8 +70,6 @@
 line: '{{ item.line }}'
 with_items:
 - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
- - {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'}
- - {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'}
 - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
 - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
 - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
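Review bot: On hosts configured by an earlier run of this role, homeserver.yaml already holds the `tls_certificate_path`/`tls_private_key_path` lines pointing at `/acmetool-certs/live/...` that the two removed lineinfile entries used to write, and since the matrix-synapse.service.j2 hunks in this commit also drop the `-v {{ matrix_ssl_certs_path }}:/acmetool-certs` mount, Synapse on such a host will fail to open those paths at startup if its TLS listener is still enabled. The preceding hunk compounds this: the deleted "Ensure self-signed certificates are removed" task already removed the default `{{ hostname_matrix }}.tls.crt`/`.tls.key` files there, and I do not believe Synapse recreates them on a normal start (worth confirming). Keeping the two entries but rewriting them to the default self-signed paths, or adding an entry that disables the TLS listener, would give existing installations a clean upgrade path; the homeserver.yaml task whose `with_items` this hunk edits starts above the hunk.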
@@ -148,9 +138,3 @@
 src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
 dest: "/usr/local/bin/matrix-synapse-register-user"
 mode: 0750
-
-- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
- template:
- src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
- dest: "/etc/cron.d/matrix-periodic-restarter"
- mode: 0600
diff --git a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
new file mode 100644
index 00000000..e8dfb72b
--- /dev/null
+++ b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
@@ -0,0 +1,8 @@
+MAILTO="{{ matrix_ssl_support_email }}"
+
+# This periodically reloads the matrix-nginx-proxy service
+# to ensure it's using the latest SSL certificate
+# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
+# (which happens once every ~2-3 months).
+
+{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service
diff --git a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
deleted file mode 100644
index 719ca253..00000000
--- a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-MAILTO="{{ matrix_ssl_support_email }}"
-
-# This periodically restarts the Matrix services
-# to ensure they're using the latest SSL certificate
-# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
-# (which happens once every ~2-3 months).
-#
-# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
-# both would be restarted.
-
-{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service
diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 index 47d2cbe9..fa0c98ad 100644 --- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 @@ -19,6 +19,6 @@ MAILTO="{{ matrix_ssl_support_email }}" # because it aliases `/.well-known/acme-challenge` to that same directory. # # When a custom proxy server (not matrix-nginx-proxy provided by this playbook), -# you'd need to make sure you alias these files corretly or SSL renewal would not work. +# you'd need to make sure you alias these files correctly or SSL renewal would not work. 15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index c105c63b..975b6edb 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -21,6 +21,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ {{ docker_nginx_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy +ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index a647db03..717bd3a8 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 
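Review bot: The new `ExecReload` only achieves the commit's goal if the renewed certificate is visible inside the container, which depends on how `{{ matrix_ssl_certs_path }}` is mounted in the `ExecStart` above (its volume lines are outside this hunk): a bind mount of the directory lets `nginx -s reload` follow acmetool's updated `live/` symlinks, whereas mounting individual files would keep serving the old inode. Worth confirming, and worth recording on the new line, e.g. `# reload (not restart) so renewed certificates are picked up without downtime; requires the certs directory, not single files, to be bind-mounted`. Adding `ExecReload` to an existing unit also needs a `systemctl daemon-reload` before `systemctl reload matrix-nginx-proxy.service` will use it; confirm the role's systemd tasks trigger one when this template changes.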
@@ -15,7 +15,6 @@ Requires=matrix-s3fs.service
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-synapse
 ExecStartPre=-/usr/bin/docker rm matrix-synapse
-ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 {% if not matrix_postgres_use_external %}
 --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
@@ -30,7 +29,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 -v {{ matrix_synapse_config_dir_path }}:/data \
 -v {{ matrix_synapse_run_path }}:/matrix-run \
 -v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
- -v {{ matrix_ssl_certs_path }}:/acmetool-certs \
 {{ docker_matrix_image }}
 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse