Merge remote-tracking branch 'origin/master' into synapse-workers
@ -215,12 +215,46 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
|
||||
# A list of strings containing additional configuration blocks to add to the base domain server configuration.
|
||||
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
||||
|
||||
# Specifies when to reload the matrix-nginx-proxy service so that
|
||||
# a new SSL certificate could go into effect.
|
||||
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
||||
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
||||
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||||
#
|
||||
# The posible values are:
|
||||
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||
# - "intermediate" - Recommended configuration for a general-purpose server
|
||||
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||
#
|
||||
# For more information visit:
|
||||
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
# - https://ssl-config.mozilla.org/#server=nginx
|
||||
matrix_nginx_proxy_ssl_preset: "intermediate"
|
||||
|
||||
# Specifies which SSL protocols to use when serving all the various vhosts
|
||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
|
||||
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
||||
# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`
|
||||
# if you wish to use something more custom.
|
||||
matrix_nginx_proxy_ssl_presets:
|
||||
modern:
|
||||
protocols: TLSv1.3
|
||||
ciphers: ""
|
||||
prefer_server_ciphers: "off"
|
||||
intermediate:
|
||||
protocols: TLSv1.2 TLSv1.3
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
prefer_server_ciphers: "off"
|
||||
old:
|
||||
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
||||
prefer_server_ciphers: "on"
|
||||
|
||||
|
||||
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
||||
matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"
|
||||
|
||||
# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.
|
||||
matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"
|
||||
|
||||
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
||||
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
||||
matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_nginx_proxy_self_check_validate_certificates: true
|
||||
|
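Review bot: The comment `# DO NOT modify these values and use ...` lists `matrix_nginx_proxy_ssl_ciphers` twice; the third override variable defined further down is `matrix_nginx_proxy_ssl_prefer_server_ciphers`, so the comment should name `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_prefer_server_ciphers`. The `old` preset re-enables `TLSv1 TLSv1.1` and the `DES-CBC3-SHA` suite, none of which the replaced hard-coded `TLSv1.2 TLSv1.3` default offered; a one-line comment above `old:` saying it is weaker than the previous default would help operators who select it casually. `posible` in the preset comment and `suportes` in the ciphers comment are typos.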
@ -1,3 +1,8 @@
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy'] }}"
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
|
||||
when: matrix_nginx_proxy_enabled|bool
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
|
||||
when: "item.applicable|bool and item.enableable|bool"
|
||||
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
|
||||
|
@ -10,71 +10,56 @@
|
||||
- "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew"
|
||||
- "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
|
||||
- "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
|
||||
|
||||
- "/etc/cron.d/matrix-ssl-lets-encrypt"
|
||||
- "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
|
||||
|
||||
#
|
||||
# Tasks related to setting up Let's Encrypt's management of certificates
|
||||
#
|
||||
|
||||
- name: (Deprecation) Catch and report renamed settings
|
||||
fail:
|
||||
msg: >-
|
||||
Your configuration contains a variable, which now has a different name.
|
||||
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
||||
with_items:
|
||||
- {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
|
||||
- {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item.old in vars"
|
||||
- block:
|
||||
- name: Ensure certbot Docker image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
|
||||
|
||||
- name: Fail if required variables are undefined
|
||||
fail:
|
||||
msg: "Detected an undefined required variable"
|
||||
with_items:
|
||||
- "matrix_ssl_lets_encrypt_support_email"
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and vars[item] is none"
|
||||
- name: Obtain Let's Encrypt certificates
|
||||
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
|
||||
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
|
||||
loop_control:
|
||||
loop_var: domain_name
|
||||
|
||||
- name: Ensure certbot Docker image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
|
||||
- name: Ensure Let's Encrypt SSL renewal script installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
|
||||
dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
|
||||
mode: 0750
|
||||
|
||||
- name: Ensure SSL renewal systemd units installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
|
||||
dest: "{{ matrix_systemd_path }}/{{ item.name }}"
|
||||
mode: 0644
|
||||
when: "item.applicable|bool"
|
||||
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||
|
||||
- name: Obtain Let's Encrypt certificates
|
||||
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
|
||||
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
|
||||
loop_control:
|
||||
loop_var: domain_name
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||
|
||||
- name: Ensure Let's Encrypt SSL renewal script installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
|
||||
dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
|
||||
mode: 0750
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||
|
||||
- name: Ensure periodic SSL renewal cronjob configured
|
||||
template:
|
||||
src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2"
|
||||
dest: /etc/cron.d/matrix-ssl-lets-encrypt
|
||||
mode: 0644
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of Let's Encrypt's management of certificates
|
||||
#
|
||||
|
||||
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
|
||||
file:
|
||||
path: /etc/cron.d/matrix-ssl-lets-encrypt
|
||||
state: absent
|
||||
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
|
||||
- block:
|
||||
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/{{ item.name }}"
|
||||
state: absent
|
||||
when: "{{ not item.applicable }}"
|
||||
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
|
||||
|
||||
- name: Ensure Let's Encrypt SSL renewal script removed
|
||||
file:
|
||||
path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
|
||||
state: absent
|
||||
- name: Ensure Let's Encrypt SSL renewal script removed
|
||||
file:
|
||||
path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
|
||||
state: absent
|
||||
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
|
||||
|
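Review bot: `when: "{{ not item.applicable }}"` on the unit-removal task puts Jinja delimiters inside a conditional, which Ansible warns about and which only works because the rendered text is converted back into a boolean; the neighbouring tasks use the filter form, so write `when: "not item.applicable|bool"`. That task is also named "Ensure matrix-ssl-lets-encrypt-renew cronjob removed" although it removes systemd unit files under `{{ matrix_systemd_path }}`; rename it to `- name: Ensure SSL renewal systemd units removed`. The `- block:` holding these tasks may continue past the end of the hunk, so whether it carries its own `when:` is not visible here.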
@ -12,9 +12,36 @@
|
||||
# People who configured this to disable Riot, would now wish to be disabling Element.
|
||||
# We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default.
|
||||
- {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'}
|
||||
- {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': '<not configurable anymore>'}
|
||||
- {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': '<not configurable anymore>'}
|
||||
|
||||
- name: Fail on unknown matrix_ssl_retrieval_method
|
||||
fail:
|
||||
msg: >-
|
||||
`matrix_ssl_retrieval_method` needs to be set to a known value.
|
||||
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
|
||||
|
||||
- name: Fail on unknown matrix_nginx_proxy_ssl_config
|
||||
fail:
|
||||
msg: >-
|
||||
`matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
|
||||
when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
|
||||
|
||||
- block:
|
||||
- name: (Deprecation) Catch and report renamed settings
|
||||
fail:
|
||||
msg: >-
|
||||
Your configuration contains a variable, which now has a different name.
|
||||
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
||||
with_items:
|
||||
- {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
|
||||
- {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
|
||||
when: "item.old in vars"
|
||||
|
||||
- name: Fail if required variables are undefined
|
||||
fail:
|
||||
msg: "Detected an undefined required variable"
|
||||
with_items:
|
||||
- "matrix_ssl_lets_encrypt_support_email"
|
||||
when: "vars[item] is none"
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||
|
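Review bot: The task `Fail on unknown matrix_nginx_proxy_ssl_config` checks `matrix_nginx_proxy_ssl_preset`, and no variable named `matrix_nginx_proxy_ssl_config` appears in this change; rename it to `- name: Fail on unknown matrix_nginx_proxy_ssl_preset`. The message would save operators a trip into the role if it listed the accepted values, e.g. `matrix_nginx_proxy_ssl_preset needs to be set to one of: modern, intermediate, old.` The two deprecation entries whose `new` value is `<not configurable anymore>` are reported through the generic "rename the variable" message of the enclosing task, which starts before the hunk; for a removed setting that wording is misleading, so a separate task with a removal message would be clearer.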
@ -1,5 +0,0 @@
|
||||
MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
|
||||
15 4 * * * root {{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
20 5 * * * root {{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
|
||||
{% endif %}
|
@ -5,7 +5,7 @@
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
@ -67,9 +67,12 @@ server {
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
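Review bot: `ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};` drops the double quotes the replaced line had; the preset strings contain no spaces, but an operator-supplied list containing spaces or a leading `!` would be read by nginx as several arguments, so keep the quoting: `ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}";`. When the variable is empty (the `modern` preset) no directive is emitted and nginx falls back to its built-in default cipher list, which deserves a template comment such as `{# empty ciphers = nginx/OpenSSL default list; TLS 1.3 suites are not governed by ssl_ciphers #}`. This hunk tests `!= ""` while the same block in the other vhost templates tests `!= ''`; use one form. The same points apply to the hunks ending at L738, L781, L824, L867, L909 and L953.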
@ -65,9 +65,12 @@ server {
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
@ -58,9 +58,12 @@ server {
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
@ -86,9 +86,12 @@ server {
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
@ -51,9 +51,12 @@ server {
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
@ -314,9 +314,12 @@ server {
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
@ -346,9 +349,13 @@ server {
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
|
||||
ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_synapse_workers_enabled %}
|
||||
|
@ -12,6 +12,7 @@ DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy
|
||||
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy
|
||||
|
||||
|
@ -0,0 +1,7 @@
|
||||
[Unit]
|
||||
Description=Renews Let's Encrypt SSL certificates
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
|
@ -0,0 +1,10 @@
|
||||
[Unit]
|
||||
Description=Renews Let's Encrypt SSL certificates periodically
|
||||
|
||||
[Timer]
|
||||
Unit=matrix-ssl-lets-encrypt-certificates-renew.service
|
||||
OnCalendar=Sunday *-*-* 05:00:00
|
||||
RandomizedDelaySec=3h
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
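Review bot: The timer has no `Persistent=true`, so a run missed while the host is down during the Sunday 05:00–08:00 window is skipped until the following week, whereas the cron job this replaces fired daily; add `Persistent=true` under `[Timer]` so a missed run fires at the next boot. The same applies to the reload timer in the later hunk. A weekly cadence is fine for certbot, which only renews inside its own expiry window, but the safety margin shrinks with each missed run.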
@ -0,0 +1,6 @@
|
||||
[Unit]
|
||||
Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
|
@ -0,0 +1,10 @@
|
||||
[Unit]
|
||||
Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in
|
||||
|
||||
[Timer]
|
||||
Unit=matrix-ssl-nginx-proxy-reload.service
|
||||
OnCalendar=Sunday *-*-* 13:00:00
|
||||
RandomizedDelaySec=3h
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
@ -24,8 +24,8 @@ docker run \
|
||||
{% if matrix_ssl_lets_encrypt_staging %}
|
||||
--staging \
|
||||
{% endif %}
|
||||
--quiet \
|
||||
--standalone \
|
||||
--preferred-challenges http \
|
||||
--agree-tos \
|
||||
--email={{ matrix_ssl_lets_encrypt_support_email }}
|
||||
--email={{ matrix_ssl_lets_encrypt_support_email }} \
|
||||
--no-random-sleep-on-renew
|
||||
|
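Review bot: `--no-random-sleep-on-renew` removes certbot's own jitter, so the script now depends on `RandomizedDelaySec` in the systemd timer to spread renewals; a template comment next to the flag, e.g. `{# jitter is provided by RandomizedDelaySec in matrix-ssl-lets-encrypt-certificates-renew.timer #}`, records that coupling for anyone who later runs the script by hand or from another scheduler. Without it, a future change to the timer silently restores renewals that all hit Let's Encrypt at the same minute.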
@ -1,4 +1,18 @@
|
||||
---
|
||||
|
||||
# Tells whether this role had executed or not. Toggled to `true` during runtime.
|
||||
matrix_nginx_proxy_role_executed: false
|
||||
matrix_nginx_proxy_role_executed: false
|
||||
|
||||
matrix_ssl_renewal_systemd_units_list:
|
||||
- name: matrix-ssl-lets-encrypt-certificates-renew.service
|
||||
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
|
||||
enableable: false
|
||||
- name: matrix-ssl-lets-encrypt-certificates-renew.timer
|
||||
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
|
||||
enableable: true
|
||||
- name: matrix-ssl-nginx-proxy-reload.service
|
||||
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}"
|
||||
enableable: false
|
||||
- name: matrix-ssl-nginx-proxy-reload.timer
|
||||
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}"
|
||||
enableable: true
|
||||
|
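Review bot: `applicable` holds Jinja strings rather than booleans, so every consumer has to apply `|bool` (as the `set_fact` in init.yml does) or rely on Ansible converting the rendered text, and the list carries no comment explaining its fields. Add a comment above it, e.g. `# applicable: whether the unit is installed on this host (templated; consumers should filter with |bool)` and `# enableable: whether the unit is appended to matrix_systemd_services_list`. Since this lives in vars/, it is not intended to be overridden by users, which is worth stating as well.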