cb323f5b4c
Moving keeps everything in the /matrix directory, so that we wouldn't contaminate anything else on the system or risk clashing with something else. Also retrieving certificates separately for the Riot and Matrix domains, which should help in multiple ways:
- allows them to be very different (completely separate base domain..)
- allows for Riot to be disabled for the playbook some time later and still have the code not break
22 lines
1.1 KiB
Django/Jinja
MAILTO="{{ matrix_ssl_support_email }}"

# The goal of this cronjob is to ask acmetool to check
# the current SSL certificates and to see if some need renewal.
# If so, it would attempt to renew.
#
# Various services depend on these certificates and would need to be restarted.
# This is not our concern here. We simply make sure the certificates are up to date.
# Restarting of services happens on its own different schedule (other cronjobs).
#
#
# How does renewal work?
#
# acmetool will fail to bind to port :80 (because matrix-nginx-proxy is running there),
# and will fall back to its "webroot" validation method.
#
# Thus, it would put validation files in `/var/run/acme/acme-challenge`.
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
# because it aliases `/.well-known/acme-challenge` to that same directory.

15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
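The cron comments describe the webroot fallback: acmetool drops validation files into `/var/run/acme/acme-challenge` (mapped from `{{ matrix_ssl_certs_path }}/run` on the host) and relies on matrix-nginx-proxy to serve them under `/.well-known/acme-challenge` on port 80 of every vhost. The nginx `server` block below is an added illustration of that alias, not the playbook's own configuration; the paths come from the comments above, while the `server_name _` catch-all and the HTTPS redirect are assumptions about how such a proxy is typically laid out.

```nginx
# Added example (not the playbook's config): port-80 vhost that exposes
# acmetool's webroot challenge directory so HTTP-01 validation succeeds
# while nginx, not acmetool, owns port 80.
server {
    listen 80;
    # Catch-all so the alias works for the Matrix domain and the Riot
    # domain alike (assumption; the playbook may use explicit names).
    server_name _;

    # Map the well-known path onto the directory acmetool writes to.
    # With `alias`, the matched prefix is stripped and the remainder is
    # appended, so /.well-known/acme-challenge/<token> resolves to
    # /var/run/acme/acme-challenge/<token>. Both trailing slashes matter.
    location /.well-known/acme-challenge/ {
        alias /var/run/acme/acme-challenge/;
        # Challenge files have no extension; serve them as plain text and
        # never fall through to the HTTPS redirect below.
        default_type text/plain;
    }

    # Everything else goes to HTTPS (assumed; not required for validation).
    location / {
        return 301 https://$host$request_uri;
    }
}
```

A quick check after deploying is to place a dummy file in the challenge directory and fetch `http://<domain>/.well-known/acme-challenge/<dummy>` from outside the host: a 200 with the file's contents confirms the alias, while a 301 or 404 means the challenge location is being shadowed by another rule or points at a different directory than the one mounted into the acmetool container.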