pub-solar/matrix-docker-ansible-deploy
5
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
matrix-docker-ansible-deploy/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
Slavi Pantaleev af1c9ae59d Do not force firewalld on people 
In most cases, there's not really a need to touch the system
firewall, as Docker manages iptables by itself
(see https://docs.docker.com/network/iptables/).

All ports exposed by Docker containers are automatically whitelisted
in iptables and wired to the correct container.

This made installing firewalld and whitelisting ports pointless,
as far as this playbook's services are concerned.

People that wish to install firewalld (for other reasons), can do so
manually from now on.

This is inspired by and fixes #97 (Github Issue).
2019-04-03 11:37:20 +03:00

116 lines
4 KiB
YAML
Raw Blame History

---
# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
# This migration task can be removed some time in the future.
- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
file:
path: "{{ item }}"
state: absent
with_items:
- /usr/local/bin/matrix-ssl-certificates-renew
- /etc/cron.d/matrix-ssl-certificate-renewal
- /etc/cron.d/matrix-nginx-proxy-periodic-restarter
#
# Tasks related to setting up Let's Encrypt's management of certificates
#
- name: (Deprecation) Catch and report renamed settings
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
with_items:
- {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
- {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item.old in vars"
- name: Fail if required variables are undefined
fail:
msg: "Detected an undefined required variable"
with_items:
- "{{ matrix_ssl_lets_encrypt_support_email }}"
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item is none"
- name: Ensure certbot Docker image is pulled
docker_image:
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: Obtain Let's Encrypt certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: Ensure Let's Encrypt SSL renewal script installed
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
dest: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
mode: 0750
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- block:
- name: Ensure periodic SSL renewal cronjob configured (MAILTO)
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
env: yes
name: MAILTO
value: "{{ matrix_ssl_lets_encrypt_support_email }}"
- name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew)
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
name: matrix-ssl-lets-encrypt-certificates-renew
state: present
hour: 4
minute: 15
day: "*/5"
job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
- name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
name: matrix-nginx-proxy-reload
state: present
hour: 4
minute: 20
day: "*/5"
job: /bin/systemctl reload matrix-nginx-proxy.service
when: matrix_nginx_proxy_enabled
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
#
# Tasks related to getting rid of Let's Encrypt's management of certificates
#
# When nginx-proxy is disabled, make sure its reloading cronjob is gone.
# Other cronjobs can potentially remain there (see below).
- name: Ensure matrix-nginx-proxy-reload cronjob removed
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
name: matrix-nginx-proxy-reload
state: absent
when: "not matrix_nginx_proxy_enabled"
# When Let's Encrypt is not used at all, remove all cronjobs in that cron file.
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
state: absent
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
- name: Ensure Let's Encrypt SSL renewal script removed
file:
path: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
state: absent
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
Reference in a new issue View git blame Copy permalink