matrix-docker-ansible-deploy/roles/matrix-server/tasks/setup_nginx_proxy.yml
Slavi Pantaleev 3a5f82267b Do not use Let's Encrypt certificate for Synapse's federation port
As described here (
https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711
), using own SSL certificates for the federation port is more fragile,
as renewing them could cause federation outages.

The recommended setup is to use the self-signed certificates generated
by Synapse.

On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt
certificates, which ensures API consumers work without having to trust
"our own CA".

Having done this, we also don't need to ever restart Synapse anymore,
as no new SSL certificates need to be applied there.

It's just matrix-nginx-proxy that needs to be restarted, and it doesn't
even need a full restart as an "nginx reload" does the job of swithing
to the new SSL certificates.
2017-09-23 15:29:15 +03:00

89 lines
2.7 KiB
YAML

---
#
# Generic tasks that we always want to happen, regardless
# if the user wants matrix-nginx-proxy or not.
#
# If the user would set up their own nginx proxy server,
# the config files from matrix-nginx-proxy can be reused.
#
# It doesn't hurt to put them in place, even if they turn out
# to be unnecessary.
#
- name: Ensure Matrix nginx-proxy paths exists
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: root
group: root
with_items:
- "{{ matrix_nginx_proxy_data_path }}"
- "{{ matrix_nginx_proxy_confd_path }}"
- name: Ensure Matrix Synapse proxy vhost configured
template:
src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}"
mode: 0644
with_items:
- "matrix-synapse.conf"
- "matrix-riot-web.conf"
#
# Tasks related to setting up matrix-nginx-proxy
#
- name: Ensure nginx Docker image is pulled
docker_image:
name: "{{ docker_nginx_image }}"
when: matrix_nginx_proxy_enabled
- name: Allow access to nginx proxy ports in firewalld
firewalld:
service: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- "http"
- "https"
when: "ansible_os_family == 'RedHat' and matrix_nginx_proxy_enabled"
- name: Ensure matrix-nginx-proxy.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
dest: "/etc/systemd/system/matrix-nginx-proxy.service"
mode: 0644
when: matrix_nginx_proxy_enabled
- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
template:
src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
mode: 0600
when: matrix_nginx_proxy_enabled
#
# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
#
- name: Check existence of matrix-nginx-proxy service
stat: path="/etc/systemd/system/matrix-nginx-proxy.service"
register: matrix_nginx_proxy_service_stat
- name: Ensure matrix-nginx-proxy is stopped
service: name=matrix-nginx-proxy state=stopped daemon_reload=yes
register: stopping_result
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure matrix-nginx-proxy.service doesn't exist
file:
path: "/etc/systemd/system/matrix-nginx-proxy.service"
state: absent
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure periodic restarting of matrix-nginx-proxy is removed
file:
path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
state: absent
when: "not matrix_nginx_proxy_enabled"