0.2.1 revision

roles/matrix-nginx-proxy/defaults/main.yml

@@ -1,13 +1,15 @@
 matrix_nginx_proxy_enabled: true
+matrix_nginx_proxy_version: 1.19.6-alpine
 
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
-matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine"
+matrix_nginx_proxy_docker_image: "docker.io/nginx:{{ matrix_nginx_proxy_version }}"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
 
 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
 matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
+matrix_nginx_proxy_data_path_in_container: "/nginx-data"
 matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
 
 # List of systemd services that matrix-nginx-proxy.service depends on
@@ -110,6 +112,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
 # Controls whether proxying the matrix domain should be done.
 matrix_nginx_proxy_proxy_matrix_enabled: false
 matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
+# The port name used for federation in the nginx configuration.
+# This is not necessarily the port that it's actually on,
+# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.
+matrix_nginx_proxy_proxy_matrix_federation_port: 8448
 
 # Controls whether proxying the dimension domain should be done.
 matrix_nginx_proxy_proxy_dimension_enabled: false

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml

@@ -11,7 +11,6 @@
     - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
     - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
     - "/etc/cron.d/matrix-ssl-lets-encrypt"
-    - "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
 
 #
 # Tasks related to setting up Let's Encrypt's management of certificates

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -199,10 +199,10 @@ server {
 #}
 server {
 	{% if matrix_nginx_proxy_https_enabled %}
-		listen 8448 ssl http2;
-		listen [::]:8448 ssl http2;
+		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
+		listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
 	{% else %}
-		listen 8448;
+		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }};
 	{% endif %}
 
 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2

@@ -30,15 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
 			-p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \
 			{% endif %}
 			{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %}
-			-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \
+			-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \
 			{% endif %}
 			--mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
-			{% if matrix_awx_enabled|bool == false or matrix_nginx_proxy_base_domain_homepage_enabled %}
-			--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \
-			{% endif %}
-			{% if matrix_awx_enabled and matrix_nginx_proxy_base_domain_homepage_enabled|bool == false %}
-			--mount type=bind,src=/chroot/website,dst=/nginx-data/matrix-domain,ro \
-			{% endif %}
+			--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \
 			--mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \
 			{% if matrix_ssl_retrieval_method != 'none' %}
 			--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \

roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2

@@ -3,8 +3,8 @@ Description=Renews Let's Encrypt SSL certificates periodically
 
 [Timer]
 Unit=matrix-ssl-lets-encrypt-certificates-renew.service
-OnCalendar=Sunday *-*-* 05:00:00
-RandomizedDelaySec=3h
+OnCalendar=*-*-* 04:00:00
+RandomizedDelaySec=2h
 
 [Install]
 WantedBy=timers.target

roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2

@@ -3,8 +3,8 @@ Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates
 
 [Timer]
 Unit=matrix-ssl-nginx-proxy-reload.service
-OnCalendar=Sunday *-*-* 13:00:00
-RandomizedDelaySec=3h
+OnCalendar=*-*-* 06:30:00
+RandomizedDelaySec=1h
 
 [Install]
 WantedBy=timers.target