matrix-docker-ansible-deploy/roles/matrix-server/tasks/setup_ssl.yml
Slavi Pantaleev cb323f5b4c Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl
Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break
2017-09-11 23:50:14 +03:00

54 lines
1.6 KiB
YAML

---
- name: Allow access to HTTP/HTTPS in firewalld
firewalld:
service: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- http
- https
when: ansible_os_family == 'RedHat'
- name: Ensure acmetool Docker image is pulled
docker_image:
name: willwill/acme-docker
- name: Ensure SSL certificates path exists
file:
path: "{{ matrix_ssl_certs_path }}"
state: directory
mode: 0770
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
- name: Check matrix-nginx-proxy state
service: name=matrix-nginx-proxy
register: matrix_nginx_proxy_state
- name: Ensure matrix-nginx-proxy is stopped (if previously installed & started)
service: name=matrix-nginx-proxy state=stopped
when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"
- name: Ensure SSL certificates are marked as wanted in acmetool
shell: >-
/usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
-v {{ matrix_ssl_certs_path }}:/certs
-e ACME_EMAIL={{ matrix_ssl_support_email }}
willwill/acme-docker
acmetool want {{ item }} --xlog.severity=debug
with_items:
- "{{ hostname_matrix }}"
- "{{ hostname_riot }}"
- name: Ensure matrix-nginx-proxy is started (if previously installed & started)
service: name=matrix-nginx-proxy state=started
when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"
- name: Ensure periodic SSL renewal cronjob configured
template:
src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
mode: 0600