From cb323f5b4cb8429e4ac0506a9384217df103ff84 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev <s.pantaleev@gmail.com>
Date: Mon, 11 Sep 2017 23:50:14 +0300
Subject: [PATCH] Move SSL certificates from /etc/pki/acmetool-certs to
 /matrix/ssl

Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break
---
 examples/host-vars.yml                            |  2 +-
 roles/matrix-server/defaults/main.yml             |  5 ++---
 roles/matrix-server/tasks/setup_main.yml          | 12 +++++++++++-
 roles/matrix-server/tasks/setup_postgres.yml      |  6 +++---
 roles/matrix-server/tasks/setup_s3fs.yml          |  4 ++--
 roles/matrix-server/tasks/setup_ssl.yml           | 15 +++++++++------
 roles/matrix-server/tasks/setup_synapse.yml       |  1 -
 .../templates/cron.d/matrix-periodic-restarter.j2 |  4 ++--
 ...newal.j2 => matrix-ssl-certificate-renewal.j2} |  4 ++--
 .../systemd/matrix-nginx-proxy.service.j2         |  2 +-
 .../templates/systemd/matrix-synapse.service.j2   |  4 ++--
 11 files changed, 35 insertions(+), 24 deletions(-)
 rename roles/matrix-server/templates/cron.d/{ssl-certificate-renewal.j2 => matrix-ssl-certificate-renewal.j2} (76%)

diff --git a/examples/host-vars.yml b/examples/host-vars.yml
index d7abcb93..ef911ecf 100644
--- a/examples/host-vars.yml
+++ b/examples/host-vars.yml
@@ -5,7 +5,7 @@
 # an email notification there.
 #
 # Example value: someone@example.com
-host_specific_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE
+host_specific_matrix_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE
 
 # This is your bare domain name (`<your-domain`).
 #
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index db6d6d8f..d61af287 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -11,9 +11,6 @@ hostname_matrix: "matrix.{{ hostname_identity }}"
 # This and the Matrix hostname (see above) are expected to be on the same server.
 hostname_riot: "riot.{{ hostname_identity }}"
 
-ssl_certs_path: /etc/pki/acmetool-certs
-ssl_support_email: "{{ host_specific_ssl_support_email }}"
-
 matrix_user_username: "matrix"
 matrix_user_uid: 991
 matrix_user_gid: 991
@@ -27,6 +24,8 @@ matrix_postgres_connection_password: "synapse-password"
 matrix_postgres_db_name: "homeserver"
 
 matrix_base_data_path: "/matrix"
+matrix_ssl_certs_path: "{{ matrix_base_data_path }}/ssl"
+matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}"
 matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables"
 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
 matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
diff --git a/roles/matrix-server/tasks/setup_main.yml b/roles/matrix-server/tasks/setup_main.yml
index 2c3cec4e..75ab6c87 100644
--- a/roles/matrix-server/tasks/setup_main.yml
+++ b/roles/matrix-server/tasks/setup_main.yml
@@ -17,4 +17,14 @@
   file:
     path: "{{ matrix_environment_variables_data_path }}"
     state: directory
-    mode: 0700
\ No newline at end of file
+    mode: 0700
+
+- name: Ensure Matrix base path exists
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_synapse_base_path }}"
\ No newline at end of file
diff --git a/roles/matrix-server/tasks/setup_postgres.yml b/roles/matrix-server/tasks/setup_postgres.yml
index 04b186fa..c52e0b6a 100644
--- a/roles/matrix-server/tasks/setup_postgres.yml
+++ b/roles/matrix-server/tasks/setup_postgres.yml
@@ -48,7 +48,7 @@
 # Tasks related to getting rid of the internal postgres server (if it was previously enabled)
 #
 
-- name: Check existance of matrix-postgres service
+- name: Check existence of matrix-postgres service
   stat: path="/etc/systemd/system/matrix-postgres.service"
   register: matrix_postgres_service_stat
   when: matrix_postgres_use_external
@@ -63,7 +63,7 @@
     state: absent
   when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
 
-- name: Check existance of matrix-postgres local data path
+- name: Check existence of matrix-postgres local data path
   stat: path="{{ matrix_postgres_data_path }}"
   register: matrix_postgres_data_path_stat
   when: matrix_postgres_use_external
@@ -72,4 +72,4 @@
 - name: Notify if matrix-postgres local data remains
   debug:
     msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that."
-  when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"
\ No newline at end of file
+  when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"
diff --git a/roles/matrix-server/tasks/setup_s3fs.yml b/roles/matrix-server/tasks/setup_s3fs.yml
index b37cc568..15fe590b 100644
--- a/roles/matrix-server/tasks/setup_s3fs.yml
+++ b/roles/matrix-server/tasks/setup_s3fs.yml
@@ -26,7 +26,7 @@
 # Tasks related to getting rid of s3fs (if it was previously enabled)
 #
 
-- name: Check existance of matrix-s3fs service
+- name: Check existence of matrix-s3fs service
   stat: path="/etc/systemd/system/matrix-s3fs.service"
   register: matrix_s3fs_service_stat
 
@@ -51,4 +51,4 @@
   docker_image:
     name: "{{ docker_s3fs_image }}"
     state: absent
-  when: "not matrix_s3_media_store_enabled"
\ No newline at end of file
+  when: "not matrix_s3_media_store_enabled"
diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml
index c9b7afe0..21242392 100644
--- a/roles/matrix-server/tasks/setup_ssl.yml
+++ b/roles/matrix-server/tasks/setup_ssl.yml
@@ -17,7 +17,7 @@
 
 - name: Ensure SSL certificates path exists
   file:
-    path: "{{ ssl_certs_path }}"
+    path: "{{ matrix_ssl_certs_path }}"
     state: directory
     mode: 0770
     owner: "{{ matrix_user_username }}"
@@ -34,10 +34,13 @@
 - name: Ensure SSL certificates are marked as wanted in acmetool
   shell: >-
     /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
-    -v {{ ssl_certs_path }}:/certs
-    -e ACME_EMAIL={{ ssl_support_email }}
+    -v {{ matrix_ssl_certs_path }}:/certs
+    -e ACME_EMAIL={{ matrix_ssl_support_email }}
     willwill/acme-docker
-    acmetool want {{ hostname_matrix }} {{ hostname_riot }} --xlog.severity=debug
+    acmetool want {{ item }} --xlog.severity=debug
+  with_items:
+    - "{{ hostname_matrix }}"
+    - "{{ hostname_riot }}"
 
 - name: Ensure matrix-nginx-proxy is started (if previously installed & started)
   service: name=matrix-nginx-proxy state=started
@@ -45,6 +48,6 @@
 
 - name: Ensure periodic SSL renewal cronjob configured
   template:
-    src: "{{ role_path }}/templates/cron.d/ssl-certificate-renewal.j2"
-    dest: "/etc/cron.d/ssl-certificate-renewal"
+    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
+    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
     mode: 0600
diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml
index bd5ddc7b..7cb42728 100644
--- a/roles/matrix-server/tasks/setup_synapse.yml
+++ b/roles/matrix-server/tasks/setup_synapse.yml
@@ -8,7 +8,6 @@
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
   with_items:
-    - "{{ matrix_synapse_base_path }}"
     - "{{ matrix_synapse_config_dir_path }}"
     - "{{ matrix_synapse_run_path }}"
     # We handle matrix_synapse_media_store_path below, not here,
diff --git a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
index 174eb36b..719ca253 100644
--- a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
@@ -1,8 +1,8 @@
-MAILTO="{{ ssl_support_email }}"
+MAILTO="{{ matrix_ssl_support_email }}"
 
 # This periodically restarts the Matrix services
 # to ensure they're using the latest SSL certificate
-# in case it got renewed by the `ssl-certificate-renewal` cronjob
+# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
 # (which happens once every ~2-3 months).
 #
 # Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
diff --git a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
similarity index 76%
rename from roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2
rename to roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
index cf67917f..3769bf1a 100644
--- a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
@@ -1,4 +1,4 @@
-MAILTO="{{ ssl_support_email }}"
+MAILTO="{{ matrix_ssl_support_email }}"
 
 # The goal of this cronjob is to ask acmetool to check
 # the current SSL certificates and to see if some need renewal.
@@ -18,4 +18,4 @@ MAILTO="{{ ssl_support_email }}"
 # These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
 # because it aliases `/.well-known/acme-challenge` to that same directory.
 
-15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
+15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
index 3b9cfbbb..5a47939b 100644
--- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
@@ -17,7 +17,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			--link matrix-synapse:synapse \
 			--link matrix-riot-web:riot \
 			-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \
-			-v {{ ssl_certs_path }}:/acmetool-certs \
+			-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
 			{{ docker_nginx_image }}
 ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
index fd755d36..e14e8d23 100644
--- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
@@ -15,7 +15,7 @@ Requires=matrix-s3fs.service
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-synapse
 ExecStartPre=-/usr/bin/docker rm matrix-synapse
-ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R
+ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{% if not matrix_postgres_use_external %}
 			--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
@@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			-v {{ matrix_synapse_config_dir_path }}:/data \
 			-v {{ matrix_synapse_run_path }}:/matrix-run \
 			-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
-			-v {{ ssl_certs_path }}:/acmetool-certs \
+			-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
 			{{ docker_matrix_image }}
 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse