Merge pull request #862 from s-thom/nginx-additional
Add additional domains for Let's Encrypt certificates to be obtained
This commit is contained in:
commit
894679750e
|
@ -59,3 +59,26 @@ This will disable the access logging for nginx.
|
||||||
```yaml
|
```yaml
|
||||||
matrix_nginx_proxy_access_log_enabled: false
|
matrix_nginx_proxy_access_log_enabled: false
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Additional configuration
|
||||||
|
|
||||||
|
This playbook also allows for additional configuration to be applied to the nginx server.
|
||||||
|
|
||||||
|
If you want this playbook to obtain and renew certificates for other domains, then you can set the `matrix_ssl_additional_domains_to_obtain_certificates_for` variable (as mentioned in the [Obtaining SSL certificates for additional domains](configuring-playbook-ssl-certificates.md#obtaining-ssl-certificates-for-additional-domains) documentation as well). Make sure that you have set the DNS configuration for the domains you want to include to point at your server.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_ssl_additional_domains_to_obtain_certificates_for:
|
||||||
|
- domain.one.example
|
||||||
|
- domain.two.example
|
||||||
|
```
|
||||||
|
|
||||||
|
You can include additional nginx configuration by setting the `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` variable.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks:
|
||||||
|
- |
|
||||||
|
# These lines will be included in the nginx configuration.
|
||||||
|
# This is at the top level of the file, so you will need to define all of the `server { ... }` blocks.
|
||||||
|
- |
|
||||||
|
# For advanced use, have a look at the template files in `roles/matrix-nginx-proxy/templates/nginx/conf.d`
|
||||||
|
```
|
||||||
|
|
|
@ -74,15 +74,12 @@ If you are hosting other domains on the Matrix machine, you can make the playboo
|
||||||
To do that, simply define your own custom configuration like this:
|
To do that, simply define your own custom configuration like this:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
# Note: we need to explicitly list the aforementioned Matrix domains that you use (Matrix, Element, Dimension).
|
# In this example, we retrieve 2 extra certificates,
|
||||||
# In this example, we retrieve an extra certificate - one for the base domain (in the `matrix_domain` variable).
|
# one for the base domain (in the `matrix_domain` variable) and one for a hardcoded domain.
|
||||||
# Adding any other additional domains (hosted on the same machine) is possible.
|
# Adding any other additional domains (hosted on the same machine) is possible.
|
||||||
matrix_ssl_domains_to_obtain_certificates_for:
|
matrix_ssl_additional_domains_to_obtain_certificates_for:
|
||||||
- '{{ matrix_server_fqn_matrix }}'
|
|
||||||
- '{{ matrix_server_fqn_element }}'
|
|
||||||
- '{{ matrix_server_fqn_dimension }}'
|
|
||||||
- '{{ matrix_server_fqn_jitsi }}'
|
|
||||||
- '{{ matrix_domain }}'
|
- '{{ matrix_domain }}'
|
||||||
|
- 'another.domain.example.com'
|
||||||
```
|
```
|
||||||
|
|
||||||
After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should:
|
After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should:
|
||||||
|
@ -91,9 +88,9 @@ After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually ob
|
||||||
|
|
||||||
- re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start`
|
- re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start`
|
||||||
|
|
||||||
The certificate files would be available in `/matrix/ssl/config/live/<your-other-domain>/...`.
|
The certificate files would be made available in `/matrix/ssl/config/live/<your-other-domain>/...`.
|
||||||
|
|
||||||
For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal.
|
For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal.
|
||||||
|
|
||||||
See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-synapse.conf`
|
See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-synapse.conf`
|
||||||
Don't be alarmed if the above configuraiton file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers.
|
Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers.
|
||||||
|
|
|
@ -1031,6 +1031,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
|
||||||
([matrix_server_fqn_grafana] if matrix_grafana_enabled else [])
|
([matrix_server_fqn_grafana] if matrix_grafana_enabled else [])
|
||||||
+
|
+
|
||||||
([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
|
([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
|
||||||
|
+
|
||||||
|
matrix_ssl_additional_domains_to_obtain_certificates_for
|
||||||
}}
|
}}
|
||||||
|
|
||||||
matrix_ssl_architecture: "{{
|
matrix_ssl_architecture: "{{
|
||||||
|
|
|
@ -297,8 +297,13 @@ matrix_ssl_retrieval_method: "lets-encrypt"
|
||||||
|
|
||||||
matrix_ssl_architecture: "amd64"
|
matrix_ssl_architecture: "amd64"
|
||||||
|
|
||||||
# The list of domains that this role will obtain certificates for.
|
# The full list of domains that this role will obtain certificates for.
|
||||||
matrix_ssl_domains_to_obtain_certificates_for: []
|
# This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled).
|
||||||
|
# To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead.
|
||||||
|
matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
|
||||||
|
|
||||||
|
# A list of additional domain names to obtain certificates for.
|
||||||
|
matrix_ssl_additional_domains_to_obtain_certificates_for: []
|
||||||
|
|
||||||
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
||||||
matrix_ssl_lets_encrypt_staging: false
|
matrix_ssl_lets_encrypt_staging: false
|
||||||
|
|
Loading…
Reference in a new issue