68 lines
2.4 KiB
YAML
68 lines
2.4 KiB
YAML
---
|
|
|
|
- name: Determine domains to obtain certificates for (Matrix)
|
|
set_fact:
|
|
domains_to_obtain_certificate_for: "['{{ hostname_matrix }}']"
|
|
|
|
- name: Determine domains to obtain certificates for (Riot)
|
|
set_fact:
|
|
domains_to_obtain_certificate_for: "{{ domains_to_obtain_certificate_for + [hostname_riot] }}"
|
|
when: matrix_riot_web_enabled
|
|
|
|
- name: Allow access to HTTP/HTTPS in firewalld
|
|
firewalld:
|
|
service: "{{ item }}"
|
|
state: enabled
|
|
immediate: yes
|
|
permanent: yes
|
|
with_items:
|
|
- http
|
|
- https
|
|
when: ansible_os_family == 'RedHat'
|
|
|
|
- name: Ensure acmetool Docker image is pulled
|
|
docker_image:
|
|
name: willwill/acme-docker
|
|
|
|
# Granting +rx to others as well, because the `nginx` user from within
|
|
# matrix-nginx-proxy needs to be able to read the acme-challenge files inside
|
|
# for renewal purposes.
|
|
#
|
|
# This should not be causing security trouble outside of the container,
|
|
# as the parent directory (/matrix) does not allow "others" to access it or any of its children.
|
|
# Still, it works when the /ssl subtree is mounted in the container.
|
|
- name: Ensure SSL certificates path exists
|
|
file:
|
|
path: "{{ matrix_ssl_certs_path }}"
|
|
state: directory
|
|
mode: 0775
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_username }}"
|
|
|
|
- name: Check matrix-nginx-proxy state
|
|
service: name=matrix-nginx-proxy
|
|
register: matrix_nginx_proxy_state
|
|
|
|
- name: Ensure matrix-nginx-proxy is stopped (if previously installed & started)
|
|
service: name=matrix-nginx-proxy state=stopped
|
|
when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"
|
|
|
|
- name: Ensure SSL certificates are marked as wanted in acmetool
|
|
shell: >-
|
|
/usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
|
|
-v {{ matrix_ssl_certs_path }}:/certs
|
|
-e ACME_EMAIL={{ matrix_ssl_support_email }}
|
|
willwill/acme-docker
|
|
acmetool want {{ item }} --xlog.severity=debug
|
|
with_items: "{{ domains_to_obtain_certificate_for }}"
|
|
|
|
- name: Ensure matrix-nginx-proxy is started (if previously installed & started)
|
|
service: name=matrix-nginx-proxy state=started
|
|
when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"
|
|
|
|
- name: Ensure periodic SSL renewal cronjob configured
|
|
template:
|
|
src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
|
|
dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
|
|
mode: 0600
|