cb323f5b4c
Moving keeps everything in the /matrix directory, so that we don't contaminate anything else on the system or risk clashing with something else. Also retrieving certificates separately for the Riot and Matrix domains, which should help in multiple ways: - allows them to be very different (completely separate base domains) - allows Riot to be disabled in the playbook some time later without the code breaking
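---

# Open the ports the ACME HTTP-01 grab (bound to :80 below) and the nginx proxy need.
# Scoped to RedHat-family hosts by the `when`; other families are not touched by this task.
- name: Allow access to HTTP/HTTPS in firewalld
  firewalld:
    service: "{{ item }}"
    state: enabled
    # Real booleans; `yes` is only a boolean under YAML 1.1 parsers.
    immediate: true
    permanent: true
  with_items:
    - http
    - https
  when: ansible_os_family == 'RedHat'

# NOTE(review): the image is referenced without a tag or digest, so each pull may
# resolve to a different `latest`; pin a tag or digest once a known-good version is chosen.
- name: Ensure acmetool Docker image is pulled
  docker_image:
    name: willwill/acme-docker

- name: Ensure SSL certificates path exists
  file:
    path: "{{ matrix_ssl_certs_path }}"
    state: directory
    # Quoted so the octal mode reaches the module as a string instead of being
    # parsed as a number (YAML 1.1 and 1.2 parsers disagree on a leading zero).
    mode: "0770"
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"

# The proxy holds port 80, which the ACME grab needs; record its state so it is only
# stopped and later restarted when it was actually running.
- name: Check matrix-nginx-proxy state
  service:
    name: matrix-nginx-proxy
  register: matrix_nginx_proxy_state

- name: Ensure matrix-nginx-proxy is stopped (if previously installed & started)
  service:
    name: matrix-nginx-proxy
    state: stopped
  when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"

# This runs through /bin/sh, so every interpolated value is shell-quoted; a hostname,
# path or email containing shell metacharacters is then passed literally rather than
# being interpreted by the shell.
- name: Ensure SSL certificates are marked as wanted in acmetool
  shell: >-
    /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
    -v {{ matrix_ssl_certs_path | quote }}:/certs
    -e ACME_EMAIL={{ matrix_ssl_support_email | quote }}
    willwill/acme-docker
    acmetool want {{ item | quote }} --xlog.severity=debug
  with_items:
    - "{{ hostname_matrix }}"
    - "{{ hostname_riot }}"

- name: Ensure matrix-nginx-proxy is started (if previously installed & started)
  service:
    name: matrix-nginx-proxy
    state: started
  when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"

# Cron file is root-only (0600) since it embeds the renewal command line.
- name: Ensure periodic SSL renewal cronjob configured
  template:
    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
    mode: "0600"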