Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl

Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows Riot to be disabled in the playbook some time later
  without the code breaking
Slavi Pantaleev 2017-09-11 23:50:14 +03:00
parent ded7c274f6
commit cb323f5b4c
11 changed files with 35 additions and 24 deletions


@ -5,7 +5,7 @@
# an email notification there. # an email notification there.
# #
# Example value: someone@example.com # Example value: someone@example.com
host_specific_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE host_specific_matrix_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE
# This is your bare domain name (`<your-domain`). # This is your bare domain name (`<your-domain`).
# #


@ -11,9 +11,6 @@ hostname_matrix: "matrix.{{ hostname_identity }}"
# This and the Matrix hostname (see above) are expected to be on the same server. # This and the Matrix hostname (see above) are expected to be on the same server.
hostname_riot: "riot.{{ hostname_identity }}" hostname_riot: "riot.{{ hostname_identity }}"
ssl_certs_path: /etc/pki/acmetool-certs
ssl_support_email: "{{ host_specific_ssl_support_email }}"
matrix_user_username: "matrix" matrix_user_username: "matrix"
matrix_user_uid: 991 matrix_user_uid: 991
matrix_user_gid: 991 matrix_user_gid: 991
@ -27,6 +24,8 @@ matrix_postgres_connection_password: "synapse-password"
matrix_postgres_db_name: "homeserver" matrix_postgres_db_name: "homeserver"
matrix_base_data_path: "/matrix" matrix_base_data_path: "/matrix"
matrix_ssl_certs_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}"
matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
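Review bot: `matrix_ssl_certs_path: "{{ matrix_base_data_path }}/ssl"` replaces the removed `ssl_certs_path: /etc/pki/acmetool-certs`, but nothing in this commit migrates the certificates that already-deployed hosts hold under the old location. On such hosts acmetool would presumably have to re-request every certificate into the new, empty directory, and the old directory with its private keys and `run` state stays behind, no longer managed by the playbook. Consider a one-off migration task (stat the old path and move its contents into `matrix_ssl_certs_path` when the new path is still empty), or at least document the manual step alongside the variable rename. The renamed variables are consumed by the cron templates and systemd units further down in this commit, so the old names must not survive anywhere in host-specific inventories either.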


@ -18,3 +18,13 @@
path: "{{ matrix_environment_variables_data_path }}" path: "{{ matrix_environment_variables_data_path }}"
state: directory state: directory
mode: 0700 mode: 0700
- name: Ensure Matrix base path exists
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_synapse_base_path }}"
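Review bot: The new task is named `Ensure Matrix base path exists` but its only loop item is `{{ matrix_synapse_base_path }}`, so `matrix_base_data_path` itself is never created explicitly; if it is missing it only comes into being as an implicitly created parent with default permissions rather than the `0750` / `matrix_user_username` ownership set here. Either rename the task or add `- "{{ matrix_base_data_path }}"` as the first item so that `/matrix`, which after this commit also holds the acmetool state under `matrix_ssl_certs_path`, gets its mode and owner set deliberately. Also prefer the quoted form `mode: "0750"` over the unquoted octal, which relies on YAML 1.1 octal parsing and is the form Ansible's documentation recommends. The rendered page has lost the file's indentation, so the nesting of `file:` and `with_items:` is assumed to be correct.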


@ -48,7 +48,7 @@
# Tasks related to getting rid of the internal postgres server (if it was previously enabled) # Tasks related to getting rid of the internal postgres server (if it was previously enabled)
# #
- name: Check existance of matrix-postgres service - name: Check existence of matrix-postgres service
stat: path="/etc/systemd/system/matrix-postgres.service" stat: path="/etc/systemd/system/matrix-postgres.service"
register: matrix_postgres_service_stat register: matrix_postgres_service_stat
when: matrix_postgres_use_external when: matrix_postgres_use_external
@ -63,7 +63,7 @@
state: absent state: absent
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists" when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
- name: Check existance of matrix-postgres local data path - name: Check existence of matrix-postgres local data path
stat: path="{{ matrix_postgres_data_path }}" stat: path="{{ matrix_postgres_data_path }}"
register: matrix_postgres_data_path_stat register: matrix_postgres_data_path_stat
when: matrix_postgres_use_external when: matrix_postgres_use_external


@ -26,7 +26,7 @@
# Tasks related to getting rid of s3fs (if it was previously enabled) # Tasks related to getting rid of s3fs (if it was previously enabled)
# #
- name: Check existance of matrix-s3fs service - name: Check existence of matrix-s3fs service
stat: path="/etc/systemd/system/matrix-s3fs.service" stat: path="/etc/systemd/system/matrix-s3fs.service"
register: matrix_s3fs_service_stat register: matrix_s3fs_service_stat


@ -17,7 +17,7 @@
- name: Ensure SSL certificates path exists - name: Ensure SSL certificates path exists
file: file:
path: "{{ ssl_certs_path }}" path: "{{ matrix_ssl_certs_path }}"
state: directory state: directory
mode: 0770 mode: 0770
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
@ -34,10 +34,13 @@
- name: Ensure SSL certificates are marked as wanted in acmetool - name: Ensure SSL certificates are marked as wanted in acmetool
shell: >- shell: >-
/usr/bin/docker run --rm --name acmetool-host-grab -p 80:80 /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
-v {{ ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}:/certs
-e ACME_EMAIL={{ ssl_support_email }} -e ACME_EMAIL={{ matrix_ssl_support_email }}
willwill/acme-docker willwill/acme-docker
acmetool want {{ hostname_matrix }} {{ hostname_riot }} --xlog.severity=debug acmetool want {{ item }} --xlog.severity=debug
with_items:
- "{{ hostname_matrix }}"
- "{{ hostname_riot }}"
- name: Ensure matrix-nginx-proxy is started (if previously installed & started) - name: Ensure matrix-nginx-proxy is started (if previously installed & started)
service: name=matrix-nginx-proxy state=started service: name=matrix-nginx-proxy state=started
@ -45,6 +48,6 @@
- name: Ensure periodic SSL renewal cronjob configured - name: Ensure periodic SSL renewal cronjob configured
template: template:
src: "{{ role_path }}/templates/cron.d/ssl-certificate-renewal.j2" src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
dest: "/etc/cron.d/ssl-certificate-renewal" dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
mode: 0600 mode: 0600
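Review bot: The renewal cronjob is renamed to `/etc/cron.d/matrix-ssl-certificate-renewal`, but the previously installed `/etc/cron.d/ssl-certificate-renewal` is not removed, so existing hosts would keep a second renewal job whose rendered command still reconciles the old certificate directory and still mails the old support address. Add a cleanup task next to the template task, e.g. `- name: Ensure old SSL renewal cronjob is removed` followed by `file: path=/etc/cron.d/ssl-certificate-renewal state=absent`. The per-domain `acmetool want {{ item }}` loop in the hunk above looks correct; note that each iteration starts its own container with `-p 80:80`, which only works while nothing else holds port 80, and the tasks that stop and restart matrix-nginx-proxy around it are partly outside this hunk.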


@ -8,7 +8,6 @@
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"
with_items: with_items:
- "{{ matrix_synapse_base_path }}"
- "{{ matrix_synapse_config_dir_path }}" - "{{ matrix_synapse_config_dir_path }}"
- "{{ matrix_synapse_run_path }}" - "{{ matrix_synapse_run_path }}"
# We handle matrix_synapse_media_store_path below, not here, # We handle matrix_synapse_media_store_path below, not here,


@ -1,8 +1,8 @@
MAILTO="{{ ssl_support_email }}" MAILTO="{{ matrix_ssl_support_email }}"
# This periodically restarts the Matrix services # This periodically restarts the Matrix services
# to ensure they're using the latest SSL certificate # to ensure they're using the latest SSL certificate
# in case it got renewed by the `ssl-certificate-renewal` cronjob # in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
# (which happens once every ~2-3 months). # (which happens once every ~2-3 months).
# #
# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`, # Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,


@ -1,4 +1,4 @@
MAILTO="{{ ssl_support_email }}" MAILTO="{{ matrix_ssl_support_email }}"
# The goal of this cronjob is to ask acmetool to check # The goal of this cronjob is to ask acmetool to check
# the current SSL certificates and to see if some need renewal. # the current SSL certificates and to see if some need renewal.
@ -18,4 +18,4 @@ MAILTO="{{ ssl_support_email }}"
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy, # These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
# because it aliases `/.well-known/acme-challenge` to that same directory. # because it aliases `/.well-known/acme-challenge` to that same directory.
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug 15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug


@ -17,7 +17,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
--link matrix-synapse:synapse \ --link matrix-synapse:synapse \
--link matrix-riot-web:riot \ --link matrix-riot-web:riot \
-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \
-v {{ ssl_certs_path }}:/acmetool-certs \ -v {{ matrix_ssl_certs_path }}:/acmetool-certs \
{{ docker_nginx_image }} {{ docker_nginx_image }}
ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
ExecStop=-/usr/bin/docker rm matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
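Review bot: The certificate directory at `-v {{ matrix_ssl_certs_path }}:/acmetool-certs \` is still bind-mounted read-write into the matrix-nginx-proxy container, and the same applies to the matching mount in the matrix-synapse unit in the next file section. As far as these two units show, both containers only need to read the certificates and keys, so a read-only mount, `-v {{ matrix_ssl_certs_path }}:/acmetool-certs:ro \`, would keep a compromised proxy or homeserver process from modifying or replacing the key material that acmetool manages from its own container. If either container is actually expected to write there (I cannot tell from the unit files), a short comment in the template explaining why would help the next reader.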


@ -15,7 +15,7 @@ Requires=matrix-s3fs.service
Type=simple Type=simple
ExecStartPre=-/usr/bin/docker kill matrix-synapse ExecStartPre=-/usr/bin/docker kill matrix-synapse
ExecStartPre=-/usr/bin/docker rm matrix-synapse ExecStartPre=-/usr/bin/docker rm matrix-synapse
ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
{% if not matrix_postgres_use_external %} {% if not matrix_postgres_use_external %}
--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
-v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_config_dir_path }}:/data \
-v {{ matrix_synapse_run_path }}:/matrix-run \ -v {{ matrix_synapse_run_path }}:/matrix-run \
-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \ -v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
-v {{ ssl_certs_path }}:/acmetool-certs \ -v {{ matrix_ssl_certs_path }}:/acmetool-certs \
{{ docker_matrix_image }} {{ docker_matrix_image }}
ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker kill matrix-synapse
ExecStop=-/usr/bin/docker rm matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse