Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl
Moving keeps everything in the /matrix directory, so that we wouldn't contaminate anything else on the system or risk clashing with something else. Also retrieving certificates separately for the Riot and Matrix domains, which should help in multiple ways: - allows them to be very different (completely separate base domain..) - allows for Riot to be disabled for the playbook some time later and still have the code not break
This commit is contained in:
parent
ded7c274f6
commit
cb323f5b4c
|
@ -5,7 +5,7 @@
|
||||||
# an email notification there.
|
# an email notification there.
|
||||||
#
|
#
|
||||||
# Example value: someone@example.com
|
# Example value: someone@example.com
|
||||||
host_specific_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE
|
host_specific_matrix_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE
|
||||||
|
|
||||||
# This is your bare domain name (`<your-domain`).
|
# This is your bare domain name (`<your-domain`).
|
||||||
#
|
#
|
||||||
|
|
|
@ -11,9 +11,6 @@ hostname_matrix: "matrix.{{ hostname_identity }}"
|
||||||
# This and the Matrix hostname (see above) are expected to be on the same server.
|
# This and the Matrix hostname (see above) are expected to be on the same server.
|
||||||
hostname_riot: "riot.{{ hostname_identity }}"
|
hostname_riot: "riot.{{ hostname_identity }}"
|
||||||
|
|
||||||
ssl_certs_path: /etc/pki/acmetool-certs
|
|
||||||
ssl_support_email: "{{ host_specific_ssl_support_email }}"
|
|
||||||
|
|
||||||
matrix_user_username: "matrix"
|
matrix_user_username: "matrix"
|
||||||
matrix_user_uid: 991
|
matrix_user_uid: 991
|
||||||
matrix_user_gid: 991
|
matrix_user_gid: 991
|
||||||
|
@ -27,6 +24,8 @@ matrix_postgres_connection_password: "synapse-password"
|
||||||
matrix_postgres_db_name: "homeserver"
|
matrix_postgres_db_name: "homeserver"
|
||||||
|
|
||||||
matrix_base_data_path: "/matrix"
|
matrix_base_data_path: "/matrix"
|
||||||
|
matrix_ssl_certs_path: "{{ matrix_base_data_path }}/ssl"
|
||||||
|
matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}"
|
||||||
matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables"
|
matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables"
|
||||||
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
|
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
|
||||||
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
|
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
|
||||||
|
|
|
@ -17,4 +17,14 @@
|
||||||
file:
|
file:
|
||||||
path: "{{ matrix_environment_variables_data_path }}"
|
path: "{{ matrix_environment_variables_data_path }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0700
|
mode: 0700
|
||||||
|
|
||||||
|
- name: Ensure Matrix base path exists
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
mode: 0750
|
||||||
|
owner: "{{ matrix_user_username }}"
|
||||||
|
group: "{{ matrix_user_username }}"
|
||||||
|
with_items:
|
||||||
|
- "{{ matrix_synapse_base_path }}"
|
|
@ -48,7 +48,7 @@
|
||||||
# Tasks related to getting rid of the internal postgres server (if it was previously enabled)
|
# Tasks related to getting rid of the internal postgres server (if it was previously enabled)
|
||||||
#
|
#
|
||||||
|
|
||||||
- name: Check existance of matrix-postgres service
|
- name: Check existence of matrix-postgres service
|
||||||
stat: path="/etc/systemd/system/matrix-postgres.service"
|
stat: path="/etc/systemd/system/matrix-postgres.service"
|
||||||
register: matrix_postgres_service_stat
|
register: matrix_postgres_service_stat
|
||||||
when: matrix_postgres_use_external
|
when: matrix_postgres_use_external
|
||||||
|
@ -63,7 +63,7 @@
|
||||||
state: absent
|
state: absent
|
||||||
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
|
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
|
||||||
|
|
||||||
- name: Check existance of matrix-postgres local data path
|
- name: Check existence of matrix-postgres local data path
|
||||||
stat: path="{{ matrix_postgres_data_path }}"
|
stat: path="{{ matrix_postgres_data_path }}"
|
||||||
register: matrix_postgres_data_path_stat
|
register: matrix_postgres_data_path_stat
|
||||||
when: matrix_postgres_use_external
|
when: matrix_postgres_use_external
|
||||||
|
@ -72,4 +72,4 @@
|
||||||
- name: Notify if matrix-postgres local data remains
|
- name: Notify if matrix-postgres local data remains
|
||||||
debug:
|
debug:
|
||||||
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that."
|
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that."
|
||||||
when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"
|
when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"
|
||||||
|
|
|
@ -26,7 +26,7 @@
|
||||||
# Tasks related to getting rid of s3fs (if it was previously enabled)
|
# Tasks related to getting rid of s3fs (if it was previously enabled)
|
||||||
#
|
#
|
||||||
|
|
||||||
- name: Check existance of matrix-s3fs service
|
- name: Check existence of matrix-s3fs service
|
||||||
stat: path="/etc/systemd/system/matrix-s3fs.service"
|
stat: path="/etc/systemd/system/matrix-s3fs.service"
|
||||||
register: matrix_s3fs_service_stat
|
register: matrix_s3fs_service_stat
|
||||||
|
|
||||||
|
@ -51,4 +51,4 @@
|
||||||
docker_image:
|
docker_image:
|
||||||
name: "{{ docker_s3fs_image }}"
|
name: "{{ docker_s3fs_image }}"
|
||||||
state: absent
|
state: absent
|
||||||
when: "not matrix_s3_media_store_enabled"
|
when: "not matrix_s3_media_store_enabled"
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
|
|
||||||
- name: Ensure SSL certificates path exists
|
- name: Ensure SSL certificates path exists
|
||||||
file:
|
file:
|
||||||
path: "{{ ssl_certs_path }}"
|
path: "{{ matrix_ssl_certs_path }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0770
|
mode: 0770
|
||||||
owner: "{{ matrix_user_username }}"
|
owner: "{{ matrix_user_username }}"
|
||||||
|
@ -34,10 +34,13 @@
|
||||||
- name: Ensure SSL certificates are marked as wanted in acmetool
|
- name: Ensure SSL certificates are marked as wanted in acmetool
|
||||||
shell: >-
|
shell: >-
|
||||||
/usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
|
/usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
|
||||||
-v {{ ssl_certs_path }}:/certs
|
-v {{ matrix_ssl_certs_path }}:/certs
|
||||||
-e ACME_EMAIL={{ ssl_support_email }}
|
-e ACME_EMAIL={{ matrix_ssl_support_email }}
|
||||||
willwill/acme-docker
|
willwill/acme-docker
|
||||||
acmetool want {{ hostname_matrix }} {{ hostname_riot }} --xlog.severity=debug
|
acmetool want {{ item }} --xlog.severity=debug
|
||||||
|
with_items:
|
||||||
|
- "{{ hostname_matrix }}"
|
||||||
|
- "{{ hostname_riot }}"
|
||||||
|
|
||||||
- name: Ensure matrix-nginx-proxy is started (if previously installed & started)
|
- name: Ensure matrix-nginx-proxy is started (if previously installed & started)
|
||||||
service: name=matrix-nginx-proxy state=started
|
service: name=matrix-nginx-proxy state=started
|
||||||
|
@ -45,6 +48,6 @@
|
||||||
|
|
||||||
- name: Ensure periodic SSL renewal cronjob configured
|
- name: Ensure periodic SSL renewal cronjob configured
|
||||||
template:
|
template:
|
||||||
src: "{{ role_path }}/templates/cron.d/ssl-certificate-renewal.j2"
|
src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
|
||||||
dest: "/etc/cron.d/ssl-certificate-renewal"
|
dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
|
@ -8,7 +8,6 @@
|
||||||
owner: "{{ matrix_user_username }}"
|
owner: "{{ matrix_user_username }}"
|
||||||
group: "{{ matrix_user_username }}"
|
group: "{{ matrix_user_username }}"
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ matrix_synapse_base_path }}"
|
|
||||||
- "{{ matrix_synapse_config_dir_path }}"
|
- "{{ matrix_synapse_config_dir_path }}"
|
||||||
- "{{ matrix_synapse_run_path }}"
|
- "{{ matrix_synapse_run_path }}"
|
||||||
# We handle matrix_synapse_media_store_path below, not here,
|
# We handle matrix_synapse_media_store_path below, not here,
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
MAILTO="{{ ssl_support_email }}"
|
MAILTO="{{ matrix_ssl_support_email }}"
|
||||||
|
|
||||||
# This periodically restarts the Matrix services
|
# This periodically restarts the Matrix services
|
||||||
# to ensure they're using the latest SSL certificate
|
# to ensure they're using the latest SSL certificate
|
||||||
# in case it got renewed by the `ssl-certificate-renewal` cronjob
|
# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
|
||||||
# (which happens once every ~2-3 months).
|
# (which happens once every ~2-3 months).
|
||||||
#
|
#
|
||||||
# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
|
# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
MAILTO="{{ ssl_support_email }}"
|
MAILTO="{{ matrix_ssl_support_email }}"
|
||||||
|
|
||||||
# The goal of this cronjob is to ask acmetool to check
|
# The goal of this cronjob is to ask acmetool to check
|
||||||
# the current SSL certificates and to see if some need renewal.
|
# the current SSL certificates and to see if some need renewal.
|
||||||
|
@ -18,4 +18,4 @@ MAILTO="{{ ssl_support_email }}"
|
||||||
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
|
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
|
||||||
# because it aliases `/.well-known/acme-challenge` to that same directory.
|
# because it aliases `/.well-known/acme-challenge` to that same directory.
|
||||||
|
|
||||||
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
|
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
|
|
@ -17,7 +17,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
|
||||||
--link matrix-synapse:synapse \
|
--link matrix-synapse:synapse \
|
||||||
--link matrix-riot-web:riot \
|
--link matrix-riot-web:riot \
|
||||||
-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \
|
-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \
|
||||||
-v {{ ssl_certs_path }}:/acmetool-certs \
|
-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
|
||||||
{{ docker_nginx_image }}
|
{{ docker_nginx_image }}
|
||||||
ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
|
ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
|
||||||
ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
|
ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
|
||||||
|
|
|
@ -15,7 +15,7 @@ Requires=matrix-s3fs.service
|
||||||
Type=simple
|
Type=simple
|
||||||
ExecStartPre=-/usr/bin/docker kill matrix-synapse
|
ExecStartPre=-/usr/bin/docker kill matrix-synapse
|
||||||
ExecStartPre=-/usr/bin/docker rm matrix-synapse
|
ExecStartPre=-/usr/bin/docker rm matrix-synapse
|
||||||
ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R
|
ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
|
||||||
ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
|
ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
|
||||||
{% if not matrix_postgres_use_external %}
|
{% if not matrix_postgres_use_external %}
|
||||||
--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
|
--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
|
||||||
|
@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
|
||||||
-v {{ matrix_synapse_config_dir_path }}:/data \
|
-v {{ matrix_synapse_config_dir_path }}:/data \
|
||||||
-v {{ matrix_synapse_run_path }}:/matrix-run \
|
-v {{ matrix_synapse_run_path }}:/matrix-run \
|
||||||
-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
|
-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
|
||||||
-v {{ ssl_certs_path }}:/acmetool-certs \
|
-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
|
||||||
{{ docker_matrix_image }}
|
{{ docker_matrix_image }}
|
||||||
ExecStop=-/usr/bin/docker kill matrix-synapse
|
ExecStop=-/usr/bin/docker kill matrix-synapse
|
||||||
ExecStop=-/usr/bin/docker rm matrix-synapse
|
ExecStop=-/usr/bin/docker rm matrix-synapse
|
||||||
|
|
Loading…
Reference in a new issue