finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use fully-qualified module names for builtin Ansible modules

Browse Source 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1939
This commit is contained in:
Slavi Pantaleev
2022-07-18 10:39:08 +03:00
parent 78b5be4a26
commit 34cdaade08
297 changed files with 1420 additions and 1420 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
roles/matrix-nginx-proxy/tasks/init.yml
View File

@ -1,9 +1,9 @@
---
- set_fact:
- ansible.builtin.set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
when: matrix_nginx_proxy_enabled|bool
- set_fact:
- ansible.builtin.set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
when: "item.applicable|bool and item.enableable|bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"

2
roles/matrix-nginx-proxy/tasks/main.yml
View File

@ -33,7 +33,7 @@
- self-check
- name: Mark matrix-nginx-proxy role as executed
set_fact:
ansible.builtin.set_fact:
matrix_nginx_proxy_role_executed: true
tags:
- always

8
roles/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml
View File

@ -2,7 +2,7 @@
# When we're dealing with raw htpasswd content, we just store it in the file directly.
- name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs)
copy:
ansible.builtin.copy:
content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}"
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
owner: "{{ matrix_user_username }}"
@ -30,7 +30,7 @@
# We store the password in a file and make the `htpasswd` tool read it from there,
# as opposed to passing it directly on stdin (which will expose it to other processes on the server).
- name: Store metrics password in a temporary file
copy:
ansible.builtin.copy:
content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}"
dest: "/tmp/matrix-nginx-proxy-metrics-password"
mode: 0400
@ -38,7 +38,7 @@
group: "{{ matrix_user_gid }}"
- name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
command:
ansible.builtin.command:
cmd: >-
{{ matrix_host_command_docker }} run
--rm
@ -53,7 +53,7 @@
'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd'
- name: Delete temporary metrics password file
file:
ansible.builtin.file:
path: /tmp/matrix-nginx-proxy-metrics-password
state: absent
when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != ''

6
roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
View File

@ -1,7 +1,7 @@
---
- name: Determine well-known files to check (Matrix)
set_fact:
ansible.builtin.set_fact:
well_known_file_checks:
- path: /.well-known/matrix/client
purpose: Client Discovery
@ -10,7 +10,7 @@
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- block:
- set_fact:
- ansible.builtin.set_fact:
well_known_file_check_matrix_server:
path: /.well-known/matrix/server
purpose: Server Discovery
@ -19,7 +19,7 @@
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- name: Determine domains that we require certificates for (ma1sd)
set_fact:
ansible.builtin.set_fact:
well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
when: matrix_well_known_matrix_server_enabled|bool

24
roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml
View File

@ -1,13 +1,13 @@
---
- set_fact:
- ansible.builtin.set_fact:
well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
# These well-known files may be served without a `Content-Type: application/json` header,
# so we can't rely on the uri module's automatic parsing of JSON.
- name: Check .well-known on the matrix hostname
uri:
ansible.builtin.uri:
url: "{{ well_known_url_matrix }}"
follow_redirects: none
return_content: true
@ -19,25 +19,25 @@
ignore_errors: true
- name: Fail if .well-known not working on the matrix hostname
fail:
ansible.builtin.fail:
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
when: "result_well_known_matrix.failed"
- name: Parse JSON for well-known payload at the matrix hostname
set_fact:
ansible.builtin.set_fact:
well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}"
- name: Fail if .well-known not CORS-aware on the matrix hostname
fail:
ansible.builtin.fail:
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix"
- name: Report working .well-known on the matrix hostname
debug:
ansible.builtin.debug:
msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
- name: Check .well-known on the identity hostname
uri:
ansible.builtin.uri:
url: "{{ well_known_url_identity }}"
follow_redirects: "{{ well_known_file_check.follow_redirects }}"
return_content: true
@ -49,25 +49,25 @@
ignore_errors: true
- name: Fail if .well-known not working on the identity hostname
fail:
ansible.builtin.fail:
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
when: "result_well_known_identity.failed"
- name: Parse JSON for well-known payload at the identity hostname
set_fact:
ansible.builtin.set_fact:
well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}"
- name: Fail if .well-known not CORS-aware on the identity hostname
fail:
ansible.builtin.fail:
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity"
# For people who manually copy the well-known file, try to detect if it's outdated
- name: Fail if well-known is different on matrix hostname and identity hostname
fail:
ansible.builtin.fail:
msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?"
when: "well_known_matrix_payload != well_known_identity_payload"
- name: Report working .well-known on the identity hostname
debug:
ansible.builtin.debug:
msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)"

88
roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
View File

@ -11,7 +11,7 @@
# to be unnecessary.
#
- name: Ensure Matrix nginx-proxy paths exist
file:
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
@ -25,7 +25,7 @@
when: item.when|bool
- name: Ensure Matrix nginx-proxy configured (main config override)
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
dest: "{{ matrix_nginx_proxy_base_path }}/nginx.conf"
mode: 0644
@ -36,123 +36,123 @@
when: matrix_nginx_proxy_proxy_matrix_metrics_enabled|bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool
- name: Ensure Matrix nginx-proxy configured (generic)
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
mode: 0644
when: matrix_nginx_proxy_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for matrix-synapse exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_synapse_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for matrix-synapse deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-dendrite.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_dendrite_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_dendrite_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for Element domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_element_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for riot domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-cinny.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_cinny_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for buscarron domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-buscarron.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_buscarron_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for dimension domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_dimension_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for goneb domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_jitsi_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for grafana domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-grafana.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_grafana_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_sygnal_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for ntfy domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-ntfy.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_ntfy_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf"
mode: 0644
- name: Ensure Matrix nginx-proxy data directory for base domain exists
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain"
state: directory
mode: 0750
@ -161,7 +161,7 @@
when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool
- name: Ensure Matrix nginx-proxy homepage for base domain exists
copy:
ansible.builtin.copy:
content: "{{ matrix_nginx_proxy_base_domain_homepage_template }}"
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
mode: 0644
@ -170,7 +170,7 @@
when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool
- name: Ensure Matrix nginx-proxy configuration for base domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-base-domain.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf"
mode: 0644
@ -192,7 +192,7 @@
until: result is not failed
- name: Ensure matrix-nginx-proxy.service installed
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
mode: 0644
@ -200,7 +200,7 @@
when: matrix_nginx_proxy_enabled|bool
- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation
service:
ansible.builtin.service:
daemon_reload: true
when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed"
@ -216,7 +216,7 @@
when: "not matrix_nginx_proxy_enabled|bool"
- name: Ensure matrix-nginx-proxy is stopped
service:
ansible.builtin.service:
name: matrix-nginx-proxy
state: stopped
enabled: false
@ -225,113 +225,113 @@
when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure matrix-nginx-proxy.service doesn't exist
file:
ansible.builtin.file:
path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
state: absent
when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal
service:
ansible.builtin.service:
daemon_reload: true
when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_matrix_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for riot domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_cinny_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for buscarron domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-buscarron.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_buscarron_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_jitsi_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for grafana domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for ntfy domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_ntfy_enabled|bool"
- name: Ensure Matrix nginx-proxy homepage for base domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
state: absent
when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for base domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf"
state: absent
when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for main config override deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf"
state: absent
when: "not matrix_nginx_proxy_enabled|bool"
- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI)
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
state: absent
# This file is now generated by the matrix-synapse role and saved in the Synapse directory
- name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted
file:
ansible.builtin.file:
path: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
state: absent
- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /metrics/* URIs)
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
state: absent
when: "not matrix_nginx_proxy_proxy_matrix_metrics_enabled|bool or not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool"

6
roles/matrix-nginx-proxy/tasks/setup_well_known.yml
View File

@ -1,5 +1,5 @@
---
- set_fact:
- ansible.builtin.set_fact:
matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
# We need others to be able to read these directories too,
@ -7,7 +7,7 @@
#
# For running with another webserver, we recommend being part of the `matrix` group.
- name: Ensure Matrix static-files path exists
file:
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0755
@ -17,7 +17,7 @@
- "{{ matrix_static_files_base_path }}/.well-known/matrix"
- name: Ensure Matrix /.well-known/matrix/client configured
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/well-known/matrix-client.j2"
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
mode: 0644

6
roles/matrix-nginx-proxy/tasks/ssl/main.yml
View File

@ -1,12 +1,12 @@
---
- name: Fail if using unsupported SSL certificate retrieval method
fail:
ansible.builtin.fail:
msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
- name: Fail if using unsupported private key type
fail:
ansible.builtin.fail:
msg: "The `matrix_ssl_lets_encrypt_key_type` variable contains an unsupported value"
when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']"
@ -14,7 +14,7 @@
# Common tasks, required by almost any method below.
- name: Ensure SSL certificate paths exists
file:
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0770

10
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
View File

@ -3,7 +3,7 @@
# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
# This migration task can be removed some time in the future.
- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
file:
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
@ -31,13 +31,13 @@
loop_var: domain_name
- name: Ensure Let's Encrypt SSL renewal script installed
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
mode: 0755
- name: Ensure SSL renewal systemd units installed
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
dest: "{{ matrix_systemd_path }}/{{ item.name }}"
mode: 0644
@ -51,14 +51,14 @@
- block:
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
file:
ansible.builtin.file:
path: "{{ matrix_systemd_path }}/{{ item.name }}"
state: absent
when: "not item.applicable|bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
- name: Ensure Let's Encrypt SSL renewal script removed
file:
ansible.builtin.file:
path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
state: absent
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"

14
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
View File

@ -1,8 +1,8 @@
---
- debug:
- ansible.builtin.debug:
msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
- set_fact:
- ansible.builtin.set_fact:
domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
- name: Check if a certificate for the domain already exists
@ -10,12 +10,12 @@
path: "{{ domain_name_certificate_path }}"
register: domain_name_certificate_path_stat
- set_fact:
- ansible.builtin.set_fact:
domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
- block:
- name: Ensure required service for obtaining is started
service:
ansible.builtin.service:
name: "{{ matrix_ssl_pre_obtaining_required_service_name }}"
state: started
register: matrix_ssl_pre_obtaining_required_service_start_result
@ -29,7 +29,7 @@
# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
shell: >-
ansible.builtin.shell: >-
{{ matrix_host_command_docker }} run
--rm
--name=matrix-certbot
@ -58,7 +58,7 @@
# If matrix-nginx-proxy is configured from a previous run of this playbook,
# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
shell: >-
ansible.builtin.shell: >-
{{ matrix_host_command_docker }} run
--rm
--name=matrix-certbot
@ -86,7 +86,7 @@
ignore_errors: true
- name: Fail if all SSL certificate retrieval attempts failed
fail:
ansible.builtin.fail:
msg: |
Failed to obtain a certificate directly (by listening on port 80)
and also failed to obtain by relying on the server at port 80 to proxy the request.

6
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml
View File

@ -1,6 +1,6 @@
---
- set_fact:
- ansible.builtin.set_fact:
matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
@ -9,7 +9,7 @@
path: "{{ matrix_ssl_certificate_verification_cert_path }}"
register: matrix_ssl_certificate_verification_cert_path_stat_result
- fail:
- ansible.builtin.fail:
msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`"
when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists"
@ -18,6 +18,6 @@
path: "{{ matrix_ssl_certificate_verification_cert_key_path }}"
register: matrix_ssl_certificate_verification_cert_key_path_stat_result
- fail:
- ansible.builtin.fail:
msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`"
when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists"

8
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml
View File

@ -1,6 +1,6 @@
---
- set_fact:
- ansible.builtin.set_fact:
matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
@ -12,7 +12,7 @@
# In order to do any sort of generation (below), we need to ensure the directory exists first
- name: Ensure SSL certificate directory exists
file:
ansible.builtin.file:
path: "{{ matrix_ssl_certificate_csr_path|dirname }}"
state: directory
mode: 0750
@ -28,7 +28,7 @@
#
# We'll do it in a more manual way.
- name: Generate SSL certificate
command: |
ansible.builtin.command: |
openssl req -x509 \
-sha256 \
-newkey rsa:4096 \
@ -40,7 +40,7 @@
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
- name: Adjust SSL certificate file ownership
file:
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

14
roles/matrix-nginx-proxy/tasks/validate_config.yml
View File

@ -1,7 +1,7 @@
---
- name: (Deprecation) Catch and report renamed settings
fail:
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
@ -16,19 +16,19 @@
- {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': '<not configurable anymore>'}
- name: Fail on unknown matrix_ssl_retrieval_method
fail:
ansible.builtin.fail:
msg: >-
`matrix_ssl_retrieval_method` needs to be set to a known value.
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
- name: Fail on unknown matrix_nginx_proxy_ssl_config
fail:
ansible.builtin.fail:
msg: >-
`matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
- name: Fail if Basic Auth enabled for metrics, but no credentials supplied
fail:
ansible.builtin.fail:
msg: |
Enabling Basic Auth for metrics (`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`) requires:
- either a username/password (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`)
@ -37,7 +37,7 @@
- block:
- name: (Deprecation) Catch and report renamed settings
fail:
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
@ -48,7 +48,7 @@
when: "item.old in vars"
- name: Fail if required variables are undefined
fail:
ansible.builtin.fail:
msg: "The `{{ item }}` variable must be defined and have a non-null value"
with_items:
- "matrix_ssl_lets_encrypt_support_email"
@ -60,7 +60,7 @@
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: (Deprecation) Catch and report old metrics usage
fail:
ansible.builtin.fail:
msg: >-
Your configuration contains a variable (`{{ item }}`), which refers to the old metrics collection system for Synapse,
which exposed metrics on `https://matrix.DOMAIN/_synapse/metrics` and `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`.