As suggested in #63 (Github issue), splitting the playbook's logic into multiple roles will be beneficial for maintainability. This patch realizes this split.

Still, some components affect others, so the roles are not really independent of one another. For example:

- disabling mxisd (`matrix_mxisd_enabled: false`) causes Synapse and riot-web to reconfigure themselves with other (public) Identity servers.
- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to put matrix-corporal's gateway server in front of Synapse.

We may be able to move away from such dependencies in the future, at the expense of a more complicated manual configuration, but it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been redone now to use a loop, as suggested in #65 (Github issue). This should make restarting faster and more reliable.
71 lines
2.8 KiB
YAML
- debug:
    msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"

- set_fact:
    domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/cert.pem"

- name: Check if a certificate for the domain already exists
  stat:
    path: "{{ domain_name_certificate_path }}"
  register: domain_name_certificate_path_stat

- set_fact:
    domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"

# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
  shell: >-
    /usr/bin/docker run
    --rm
    --name=matrix-certbot
    --net=host
    -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
    -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
    certonly
    --non-interactive
    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
    --standalone
    --preferred-challenges http
    --agree-tos
    --email={{ matrix_ssl_lets_encrypt_support_email }}
    -d {{ domain_name }}
  when: "domain_name_needs_cert"
  register: result_certbot_direct
  ignore_errors: true

# If matrix-nginx-proxy is configured from a previous run of this playbook,
# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
  shell: >-
    /usr/bin/docker run
    --rm
    --name=matrix-certbot
    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80
    --network={{ matrix_docker_network }}
    -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
    -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
    certonly
    --non-interactive
    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
    --standalone
    --preferred-challenges http
    --agree-tos
    --email={{ matrix_ssl_lets_encrypt_support_email }}
    -d {{ domain_name }}
  when: "domain_name_needs_cert and result_certbot_direct.failed"
  register: result_certbot_proxy
  ignore_errors: true

- name: Fail if all SSL certificate retrieval attempts failed
  fail:
    msg: |
      Failed to obtain a certificate directly (by listening on port 80)
      and also failed to obtain by relying on the server at port 80 to proxy the request.
      See above for details.
      You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
      more easily, stop the server on port 80 while this playbook runs.
  when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"
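Review bot: the "needs cert" decision keys only on the existence of `cert.pem` (the `stat` task and the `domain_name_needs_cert` fact), so a certificate issued while `matrix_ssl_lets_encrypt_staging` was enabled (the `--staging` flag in both `certonly` invocations) will be kept as-is once staging is turned off, and the browser-untrusted staging certificate stays in place without any warning from the playbook. Consider documenting, in the role's README or next to the staging variable, that switching staging off requires removing the existing `live/{{ domain_name }}` directory (or otherwise forcing re-issuance) before re-running. Related: because both retrieval tasks set `ignore_errors: true` and the final `fail` task only inspects `.failed`, a certbot failure unrelated to port 80 (DNS, rate limiting, a rejected `--email` value) is reported with a message that points the operator at port-80 contention; including `result_certbot_direct.stderr` and `result_certbot_proxy.stderr` in the `fail` message would make the real cause visible without scrolling back through the output.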