From a3ecb7bfd998a48d57c4a210f1a24a1d2578c67d Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 6 Aug 2017 19:10:50 +0300
Subject: [PATCH] Add http->http redirection for Matrix/Riot

Doing this means that matrix-nginx-proxy now starts occupying port 80, which necessitates that SSL renewal happens slightly differently.
---
 roles/matrix-server/tasks/main.yml | 5 +++++
 .../templates/cron.d/ssl-certificate-renewal.j2 | 15 +++++++++++----
 .../nginx-conf.d/matrix-riot-web.conf.j2 | 16 ++++++++++++++++
 .../nginx-conf.d/matrix-synapse.conf.j2 | 16 ++++++++++++++++
 .../systemd/matrix-nginx-proxy.service.j2 | 1 +
 5 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml
index aa501bb63..25cad8952 100644
--- a/roles/matrix-server/tasks/main.yml
+++ b/roles/matrix-server/tasks/main.yml
@@ -11,22 +11,27 @@
 - include: tasks/setup_ssl.yml
   tags:
     - setup-main
+    - setup-ssl
 
 - include: tasks/setup_postgres.yml
   tags:
     - setup-main
+    - setup-postgres
 
 - include: tasks/setup_synapse.yml
   tags:
     - setup-main
+    - setup-synapse
 
 - include: tasks/setup_riot_web.yml
   tags:
     - setup-main
+    - setup-riot-web
 
 - include: tasks/setup_nginx_proxy.yml
   tags:
     - setup-main
+    - setup-nginx-proxy
 
 - include: tasks/start.yml
   tags:
diff --git a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2
index 09e0734da..cf67917ff 100644
--- a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2
+++ b/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2
@@ -2,13 +2,20 @@ MAILTO="{{ ssl_support_email }}"
 # The goal of this cronjob is to ask acmetool to check
 # the current SSL certificates and to see if some need renewal.
-# It so, it would attempt to renew.
+# If so, it would attempt to renew.
 #
 # Various services depend on these certificates and would need to be restarted.
 # This is not our concern here. We simply make sure the certificates are up to date.
 # Restarting of services happens on its own different schedule (other cronjobs).
 #
-# acmetool is supposed to bind to port :80 (forwarded to the host) and solve the challenge directly.
-# We can afford to do that, because all our services run on other ports.
+#
+# How renewal works?
+#
+# acmetool will fail to bind to port :80 (because matrix-nginx-proxy is running there),
+# and will fall back to its "webroot" validation method.
+#
+# Thus, it would put validation files in `/var/run/acme/acme-challenge`.
+# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
+# because it aliases `/.well-known/acme-challenge` to that same directory.
 
-15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-once -p 80:80 -v {{ ssl_certs_path }}:/certs -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
+15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
 
diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
index d20be3732..ac6d735ca 100644
--- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
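Review bot: The new cron line hands the renewal container the host network namespace (`--net=host`) even though the comment block above says the intended path is now the webroot fallback, which needs no listener at all; host networking also lets that container reach every loopback-bound service on the host, which is more reach than a process that only writes challenge files needs. Using a failed bind on port 80 as the switch is fragile as well: if matrix-nginx-proxy happens to be down at 04:15, acmetool will bind :80 on the host and validate directly, which works but silently changes which path ran, so consider configuring webroot validation explicitly in acmetool's target configuration and dropping `--net=host` (confirm against the acmetool version shipped in the image). The statement that nginx "aliases `/.well-known/acme-challenge` to that same directory" only holds if matrix-nginx-proxy mounts `{{ ssl_certs_path }}` at `/acmetool-certs`, and that mount is not part of this diff, so a line such as `# (this requires matrix-nginx-proxy to mount {{ ssl_certs_path }} at /acmetool-certs)` would make the coupling visible to whoever next edits either file.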
@@ -1,3 +1,19 @@
+server {
+    listen 80;
+    server_name {{ hostname_riot }};
+
+    server_tokens off;
+
+    location /.well-known/acme-challenge {
+        default_type "text/plain";
+        alias /acmetool-certs/run/acme-challenge;
+    }
+
+    location / {
+        return 301 https://$http_host$request_uri;
+    }
+}
+
 server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
index 04283f367..4db628f6a 100644
--- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
@@ -1,3 +1,19 @@
+server {
+    listen 80;
+    server_name {{ hostname_matrix }};
+
+    server_tokens off;
+
+    location /.well-known/acme-challenge {
+        default_type "text/plain";
+        alias /acmetool-certs/run/acme-challenge;
+    }
+
+    location / {
+        return 301 https://$http_host$request_uri;
+    }
+}
+
 server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
index c7e8e9005..3b9cfbbb6 100644
--- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
@@ -12,6 +12,7 @@ Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
 ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
+    -p 80:80 \
     -p 443:443 \
     --link matrix-synapse:synapse \
     --link matrix-riot-web:riot \
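Review bot: The `location /.well-known/acme-challenge` block pairs a prefix location without a trailing slash with an `alias` that also lacks one, so nginx substitutes the prefix textually and any request whose path segment merely begins with `acme-challenge` (a `..`-suffixed one included) is mapped into the parent directory `/acmetool-certs/run/` rather than being confined to the challenge directory; the standard fix is to terminate both with a slash, `location /.well-known/acme-challenge/ {` and `alias /acmetool-certs/run/acme-challenge/;`. The same two lines appear in the matrix-synapse.conf.j2 hunk of this commit. The catch-all redirect builds its target from `$http_host`, i.e. whatever Host header the client sent, and since this is presumably the first `listen 80` server in nginx-conf.d it will also be nginx's default for Host values that match neither vhost, so the 301 can echo an arbitrary host back; `return 301 https://{{ hostname_riot }}$request_uri;` (and `{{ hostname_matrix }}` in the synapse file) pins the redirect to the configured name. The :443 block has a `listen [::]:443` twin while the new :80 block has no `listen [::]:80;`, so IPv6 clients get neither the redirect nor the ACME path on port 80; whether that matters depends on how docker publishes the port, which is outside this hunk.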
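Review bot: The new `-p 80:80` publishes the port on every host interface, and because docker typically manages its own iptables chain the host's firewall rules do not gate it; that is the intent for ACME and the redirect, but nothing visible in this hunk provides the `/acmetool-certs/run/acme-challenge` path that the new port-80 vhosts alias, so the unit must also bind-mount `{{ ssl_certs_path }}` (or at least its `run/` subdirectory) at `/acmetool-certs` — presumably a `-v` further down the command, worth confirming. Since the proxy only reads challenge files and certificates there, that mount should be read-only (`:ro`) if it is not already, so the web-facing container cannot alter the directory acmetool writes into. The ExecStart command continues outside the hunk.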