Move roles/matrix* to roles/custom/matrix*

This paves the way for installing other roles into `roles/galaxy` using `ansible-galaxy`,
similar to how it's done in:

- https://github.com/spantaleev/gitea-docker-ansible-deploy
- https://github.com/spantaleev/nextcloud-docker-ansible-deploy

In the near future, we'll be removing a lot of the shared role code from here
and using upstream roles for it. Some of the core `matrix-*` roles have
already been extracted out into other reusable roles:

- https://github.com/devture/com.devture.ansible.role.postgres
- https://github.com/devture/com.devture.ansible.role.systemd_docker_base
- https://github.com/devture/com.devture.ansible.role.timesync
- https://github.com/devture/com.devture.ansible.role.vars_preserver
- https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages
- https://github.com/devture/com.devture.ansible.role.playbook_help

We just need to migrate to those.

roles/custom/matrix-nginx-proxy/tasks/init.yml

@@ -0,0 +1,9 @@
+---
+- ansible.builtin.set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
+  when: matrix_nginx_proxy_enabled | bool
+
+- ansible.builtin.set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
+  when: "item.applicable | bool and item.enableable | bool"
+  with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"

roles/custom/matrix-nginx-proxy/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+# Always validating the configuration, even if `matrix_nginx_proxy: false`.
+# This role performs actions even if the role is disabled, so we need
+# to ensure there's a valid configuration in any case.
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: run_setup | bool
+  tags:
+    - setup-all
+    - setup-nginx-proxy
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/main.yml"
+  when: run_setup | bool
+  tags:
+    - setup-all
+    - setup-nginx-proxy
+    - setup-ssl
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml"
+  when: run_setup | bool
+  tags:
+    - setup-all
+    - setup-nginx-proxy
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: run_self_check | bool
+  tags:
+    - self-check
+
+- name: Mark matrix-nginx-proxy role as executed
+  ansible.builtin.set_fact:
+    matrix_nginx_proxy_role_executed: true
+  tags:
+    - always

roles/custom/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml

@@ -0,0 +1,60 @@
+---
+
+# When we're dealing with raw htpasswd content, we just store it in the file directly.
+- name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs)
+  ansible.builtin.copy:
+    content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}"
+    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    mode: 0600
+  when: not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username
+
+# Alternatively, we need to use the `htpasswd` tool to generate the htpasswd file.
+# There's an Ansible module that helps with that, but it requires passlib (a Python module) to be installed on the server.
+# See: https://docs.ansible.com/ansible/2.3/htpasswd_module.html#requirements-on-host-that-executes-module
+# We support various distros, with various versions of Python. Installing additional Python modules can be a hassle.
+# As a workaround, we run `htpasswd` from an Apache container image.
+- when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != ''
+  block:
+    - name: Ensure Apache Docker image is pulled for generating matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
+      community.docker.docker_image:
+        name: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}"
+        source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+        force_source: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull }}"
+      register: result
+      retries: "{{ matrix_container_retries_count }}"
+      delay: "{{ matrix_container_retries_delay }}"
+      until: result is not failed
+
+    # We store the password in a file and make the `htpasswd` tool read it from there,
+    # as opposed to passing it directly on stdin (which will expose it to other processes on the server).
+    - name: Store metrics password in a temporary file
+      ansible.builtin.copy:
+        content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}"
+        dest: "/tmp/matrix-nginx-proxy-metrics-password"
+        mode: 0400
+        owner: "{{ matrix_user_uid }}"
+        group: "{{ matrix_user_gid }}"
+
+    - name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
+      ansible.builtin.command:
+        cmd: >-
+          {{ matrix_host_command_docker }} run
+          --rm
+          --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+          --cap-drop=ALL
+          --network=none
+          --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/data
+          --mount type=bind,src=/tmp/matrix-nginx-proxy-metrics-password,dst=/password,ro
+          --entrypoint=/bin/sh
+          {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}
+          -c
+          'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd'
+      changed_when: true
+
+    - name: Delete temporary metrics password file
+      ansible.builtin.file:
+        path: /tmp/matrix-nginx-proxy-metrics-password
+        state: absent

roles/custom/matrix-nginx-proxy/tasks/self_check_well_known.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Determine well-known files to check (Matrix)
+  ansible.builtin.set_fact:
+    well_known_file_checks:
+      - path: /.well-known/matrix/client
+        purpose: Client Discovery
+        cors: true
+        follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}"
+        validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
+
+- when: matrix_well_known_matrix_server_enabled | bool
+  block:
+    - ansible.builtin.set_fact:
+        well_known_file_check_matrix_server:
+          path: /.well-known/matrix/server
+          purpose: Server Discovery
+          cors: false
+          follow_redirects: safe
+          validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
+
+    - name: Determine domains that we require certificates for (ma1sd)
+      ansible.builtin.set_fact:
+        well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
+
+- name: Perform well-known checks
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
+  with_items: "{{ well_known_file_checks }}"
+  loop_control:
+    loop_var: well_known_file_check

roles/custom/matrix-nginx-proxy/tasks/self_check_well_known_file.yml

@@ -0,0 +1,73 @@
+---
+
+- ansible.builtin.set_fact:
+    well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
+    well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
+
+# These well-known files may be served without a `Content-Type: application/json` header,
+# so we can't rely on the uri module's automatic parsing of JSON.
+- name: Check .well-known on the matrix hostname
+  ansible.builtin.uri:
+    url: "{{ well_known_url_matrix }}"
+    follow_redirects: none
+    return_content: true
+    validate_certs: "{{ well_known_file_check.validate_certs }}"
+    headers:
+      Origin: example.com
+  check_mode: false
+  register: result_well_known_matrix
+  ignore_errors: true
+
+- name: Fail if .well-known not working on the matrix hostname
+  ansible.builtin.fail:
+    msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
+  when: "result_well_known_matrix.failed"
+
+- name: Parse JSON for well-known payload at the matrix hostname
+  ansible.builtin.set_fact:
+    well_known_matrix_payload: "{{ result_well_known_matrix.content | from_json }}"
+
+- name: Fail if .well-known not CORS-aware on the matrix hostname
+  ansible.builtin.fail:
+    msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
+  when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix"
+
+- name: Report working .well-known on the matrix hostname
+  ansible.builtin.debug:
+    msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
+
+- name: Check .well-known on the identity hostname
+  ansible.builtin.uri:
+    url: "{{ well_known_url_identity }}"
+    follow_redirects: "{{ well_known_file_check.follow_redirects }}"
+    return_content: true
+    validate_certs: "{{ well_known_file_check.validate_certs }}"
+    headers:
+      Origin: example.com
+  check_mode: false
+  register: result_well_known_identity
+  ignore_errors: true
+
+- name: Fail if .well-known not working on the identity hostname
+  ansible.builtin.fail:
+    msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
+  when: "result_well_known_identity.failed"
+
+- name: Parse JSON for well-known payload at the identity hostname
+  ansible.builtin.set_fact:
+    well_known_identity_payload: "{{ result_well_known_identity.content | from_json }}"
+
+- name: Fail if .well-known not CORS-aware on the identity hostname
+  ansible.builtin.fail:
+    msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
+  when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity"
+
+# For people who manually copy the well-known file, try to detect if it's outdated
+- name: Fail if well-known is different on matrix hostname and identity hostname
+  ansible.builtin.fail:
+    msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?"
+  when: "well_known_matrix_payload != well_known_identity_payload"
+
+- name: Report working .well-known on the identity hostname
+  ansible.builtin.debug:
+    msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)"

roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -0,0 +1,350 @@
+---
+
+#
+# Generic tasks that we always want to happen, regardless
+# if the user wants matrix-nginx-proxy or not.
+#
+# If the user would set up their own nginx proxy server,
+# the config files from matrix-nginx-proxy can be reused.
+#
+# It doesn't hurt to put them in place, even if they turn out
+# to be unnecessary.
+#
+- name: Ensure Matrix nginx-proxy paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_nginx_proxy_base_path }}", when: true}
+    - {path: "{{ matrix_nginx_proxy_data_path }}", when: true}
+    - {path: "{{ matrix_nginx_proxy_confd_path }}", when: true}
+    - {path: "{{ matrix_nginx_proxy_synapse_cache_path }}", when: "{{ matrix_nginx_proxy_synapse_cache_enabled and not matrix_nginx_proxy_enabled }}"}
+  when: item.when | bool
+
+- name: Ensure Matrix nginx-proxy configured (main config override)
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
+    dest: "{{ matrix_nginx_proxy_base_path }}/nginx.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_enabled | bool
+
+- name: Setup metrics
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/nginx-proxy/setup_metrics_auth.yml"
+  when: matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configured (generic)
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for matrix-synapse exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_synapse_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for matrix-synapse deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_synapse_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-dendrite.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_dendrite_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_dendrite_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for matrix-conduit exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-conduit.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-conduit.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_conduit_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for matrix-conduit deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-conduit.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_conduit_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for Element domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_element_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for riot domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_hydrogen_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-cinny.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_cinny_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for buscarron domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-buscarron.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_buscarron_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for dimension domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_dimension_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for goneb domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_bot_go_neb_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_jitsi_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for grafana domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-grafana.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_grafana_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_sygnal_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for ntfy domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-ntfy.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_ntfy_enabled | bool
+
+- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf"
+    mode: 0644
+
+- name: Ensure Matrix nginx-proxy data directory for base domain exists
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: matrix_nginx_proxy_base_domain_serving_enabled | bool and matrix_nginx_proxy_base_domain_create_directory | bool
+
+- name: Ensure Matrix nginx-proxy homepage for base domain exists
+  ansible.builtin.copy:
+    content: "{{ matrix_nginx_proxy_base_domain_homepage_template }}"
+    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: matrix_nginx_proxy_base_domain_serving_enabled | bool and matrix_nginx_proxy_base_domain_homepage_enabled | bool and matrix_nginx_proxy_base_domain_create_directory | bool
+
+- name: Ensure Matrix nginx-proxy configuration for base domain exists
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-base-domain.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_base_domain_serving_enabled | bool
+
+#
+# Tasks related to setting up matrix-nginx-proxy
+#
+- name: Ensure nginx Docker image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_nginx_proxy_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_nginx_proxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_docker_image_force_pull }}"
+  when: matrix_nginx_proxy_enabled | bool
+  register: result
+  retries: "{{ matrix_container_retries_count }}"
+  delay: "{{ matrix_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure matrix-nginx-proxy.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
+    mode: 0644
+  register: matrix_nginx_proxy_systemd_service_result
+  when: matrix_nginx_proxy_enabled | bool
+
+- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed"
+
+
+#
+# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
+#
+
+- name: Check existence of matrix-nginx-proxy service
+  ansible.builtin.stat:
+    path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
+  register: matrix_nginx_proxy_service_stat
+  when: "not matrix_nginx_proxy_enabled | bool"
+
+- name: Ensure matrix-nginx-proxy is stopped
+  ansible.builtin.service:
+    name: matrix-nginx-proxy
+    state: stopped
+    enabled: false
+    daemon_reload: true
+  register: stopping_result
+  when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure matrix-nginx-proxy.service doesn't exist
+  ansible.builtin.file:
+    path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
+    state: absent
+  when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_matrix_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for riot domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_hydrogen_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_cinny_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for buscarron domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-buscarron.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_buscarron_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_dimension_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_jitsi_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for grafana domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_grafana_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_sygnal_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for ntfy domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_ntfy_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy homepage for base domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
+    state: absent
+  when: "not matrix_nginx_proxy_base_domain_serving_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for base domain deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_base_domain_serving_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy configuration for main config override deleted
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_enabled | bool"
+
+- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI)
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
+    state: absent
+
+# This file is now generated by the matrix-synapse role and saved in the Synapse directory
+- name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted
+  ansible.builtin.file:
+    path: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
+    state: absent
+
+- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /metrics/* URIs)
+  ansible.builtin.file:
+    path: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool or not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool"

roles/custom/matrix-nginx-proxy/tasks/setup_well_known.yml

@@ -0,0 +1,25 @@
+---
+- ansible.builtin.set_fact:
+    matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
+
+# We need others to be able to read these directories too,
+# so that matrix-nginx-proxy's nginx user can access the files.
+#
+# For running with another webserver, we recommend being part of the `matrix` group.
+- name: Ensure Matrix static-files path exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_static_files_base_path }}/.well-known/matrix"
+
+- name: Ensure Matrix /.well-known/matrix/client configured
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/well-known/matrix-client.j2"
+    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"

roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Fail if using unsupported SSL certificate retrieval method
+  ansible.builtin.fail:
+    msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
+  when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
+
+- name: Fail if using unsupported private key type
+  ansible.builtin.fail:
+    msg: "The `matrix_ssl_lets_encrypt_key_type` variable contains an unsupported value"
+  when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']"
+
+
+# Common tasks, required by almost any method below.
+
+- name: Ensure SSL certificate paths exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    recurse: true
+  with_items:
+    - "{{ matrix_ssl_log_dir_path }}"
+    - "{{ matrix_ssl_config_dir_path }}"
+  when: "matrix_ssl_retrieval_method != 'none'"
+
+
+# Method specific tasks follow
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt.yml"
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed.yml"
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed.yml"

roles/custom/matrix-nginx-proxy/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Check if a Let's Encrypt renewal configuration directory exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_config_dir_path }}/renewal"
+  register: matrix_ssl_config_renewal_directory_stat_result
+
+- when: matrix_ssl_config_renewal_directory_stat_result.stat.exists | bool
+  block:
+    - name: Determine current Let's Encrypt renewal configs
+      ansible.builtin.find:
+        path: "{{ matrix_ssl_config_dir_path }}/renewal"
+        patterns: ".*.conf$"
+        use_regex: true
+      register: matrix_ssl_current_renewal_config_files
+
+    - name: Determine unnecessary Let's Encrypt renewal configs
+      ansible.builtin.set_fact:
+        matrix_ssl_current_renewal_config_files_to_purge: "{{ matrix_ssl_current_renewal_config_files_to_purge | default([]) + [item.path] }}"
+      with_items: "{{ matrix_ssl_current_renewal_config_files.files }}"
+      when: "item.path | basename | replace('.conf', '') not in matrix_ssl_domains_to_obtain_certificates_for"
+
+    - name: Purge unneceessary Let's Encrypt renewal config files
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items: "{{ matrix_ssl_current_renewal_config_files_to_purge | default([]) }}"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml

@@ -0,0 +1,67 @@
+---
+
+# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
+# This migration task can be removed some time in the future.
+- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew"
+    - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
+    - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
+    - "/etc/cron.d/matrix-ssl-lets-encrypt"
+
+#
+# Tasks related to setting up Let's Encrypt's management of certificates
+#
+
+- when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+  block:
+    - when: matrix_ssl_orphaned_renewal_configs_purging_enabled | bool
+      ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml"
+
+    - name: Ensure certbot Docker image is pulled
+      community.docker.docker_image:
+        name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
+        source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+        force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
+
+    - name: Obtain Let's Encrypt certificates
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
+      with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}"
+      loop_control:
+        loop_var: domain_name
+
+    - name: Ensure Let's Encrypt SSL renewal script installed
+      ansible.builtin.template:
+        src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
+        dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+        mode: 0755
+
+    - name: Ensure SSL renewal systemd units installed
+      ansible.builtin.template:
+        src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
+        dest: "{{ matrix_systemd_path }}/{{ item.name }}"
+        mode: 0644
+      when: "item.applicable | bool"
+      with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
+
+#
+# Tasks related to getting rid of Let's Encrypt's management of certificates
+#
+
+- when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
+  block:
+    - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
+      ansible.builtin.file:
+        path: "{{ matrix_systemd_path }}/{{ item.name }}"
+        state: absent
+      when: "not item.applicable | bool"
+      with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
+
+    - name: Ensure Let's Encrypt SSL renewal script removed
+      ansible.builtin.file:
+        path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+        state: absent

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml

@@ -0,0 +1,96 @@
+---
+- ansible.builtin.debug:
+    msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
+
+- ansible.builtin.set_fact:
+    domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+
+- name: Check if a certificate for the domain already exists
+  ansible.builtin.stat:
+    path: "{{ domain_name_certificate_path }}"
+  register: domain_name_certificate_path_stat
+
+- ansible.builtin.set_fact:
+    domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
+
+- when: "domain_name_needs_cert | bool and matrix_ssl_pre_obtaining_required_service_name != ''"
+  block:
+    - name: Ensure required service for obtaining is started
+      ansible.builtin.service:
+        name: "{{ matrix_ssl_pre_obtaining_required_service_name }}"
+        state: started
+      register: matrix_ssl_pre_obtaining_required_service_start_result
+
+    - name: Wait some time, so that the required service for obtaining can start
+      ansible.builtin.wait_for:
+        timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}"
+      when: "matrix_ssl_pre_obtaining_required_service_start_result.changed | bool"
+
+# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
+# We suppress the error, as we'll try another method below.
+- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
+  ansible.builtin.shell: >-
+    {{ matrix_host_command_docker }} run
+    --rm
+    --name=matrix-certbot
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080
+    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+    certonly
+    --non-interactive
+    --work-dir=/tmp
+    --http-01-port 8080
+    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
+    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+    --key-type {{ matrix_ssl_lets_encrypt_key_type }}
+    --standalone
+    --preferred-challenges http
+    --agree-tos
+    --email={{ matrix_ssl_lets_encrypt_support_email }}
+    -d {{ domain_name }}
+  when: domain_name_needs_cert | bool
+  register: result_certbot_direct
+  ignore_errors: true
+
+# If matrix-nginx-proxy is configured from a previous run of this playbook,
+# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
+- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
+  ansible.builtin.shell: >-
+    {{ matrix_host_command_docker }} run
+    --rm
+    --name=matrix-certbot
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
+    --network={{ matrix_docker_network }}
+    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+    certonly
+    --non-interactive
+    --work-dir=/tmp
+    --http-01-port 8080
+    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
+    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+    --key-type {{ matrix_ssl_lets_encrypt_key_type }}
+    --standalone
+    --preferred-challenges http
+    --agree-tos
+    --email={{ matrix_ssl_lets_encrypt_support_email }}
+    -d {{ domain_name }}
+  when: "domain_name_needs_cert and result_certbot_direct.failed"
+  register: result_certbot_proxy
+  ignore_errors: true
+
+- name: Fail if all SSL certificate retrieval attempts failed
+  ansible.builtin.fail:
+    msg: |
+      Failed to obtain a certificate directly (by listening on port 80)
+      and also failed to obtain by relying on the server at port 80 to proxy the request.
+      See above for details.
+      You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
+      more easily, stop the server on port 80 while this playbook runs.
+  when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Verify certificates
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'manually-managed'"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml

@@ -0,0 +1,23 @@
+---
+
+- ansible.builtin.set_fact:
+    matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_path }}"
+  register: matrix_ssl_certificate_verification_cert_path_stat_result
+
+- ansible.builtin.fail:
+    msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists"
+
+- name: Check if SSL certificate key file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_key_path }}"
+  register: matrix_ssl_certificate_verification_cert_key_path_stat_result
+
+- ansible.builtin.fail:
+    msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml

@@ -0,0 +1,11 @@
+---
+
+- ansible.builtin.import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
+  when: "matrix_ssl_retrieval_method == 'self-signed'"
+
+- name: Generate self-signed certificates
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'self-signed'"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml

@@ -0,0 +1,49 @@
+---
+
+- ansible.builtin.set_fact:
+    matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
+    matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_certificate_cert_path }}"
+  register: matrix_ssl_certificate_cert_path_stat_result
+
+# In order to do any sort of generation (below), we need to ensure the directory exists first
+- name: Ensure SSL certificate directory exists
+  ansible.builtin.file:
+    path: "{{ matrix_ssl_certificate_csr_path | dirname }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
+
+# The proper way to do this is by using a sequence of
+# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
+#
+# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
+# which is not available on CentOS 7 (at least).
+#
+# We'll do it in a more manual way.
+- name: Generate SSL certificate
+  ansible.builtin.command: |
+    openssl req -x509 \
+    -sha256 \
+    -newkey rsa:4096 \
+    -nodes \
+    -subj "/CN={{ domain_name }}" \
+    -keyout {{ matrix_ssl_certificate_cert_key_path }} \
+    -out {{ matrix_ssl_certificate_cert_path }} \
+    -days 3650
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
+
+- name: Adjust SSL certificate file ownership
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_ssl_certificate_cert_key_path }}"
+    - "{{ matrix_ssl_certificate_cert_path }}"

roles/custom/matrix-nginx-proxy/tasks/validate_config.yml

@@ -0,0 +1,74 @@
+---
+
+- name: (Deprecation) Catch and report renamed settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container'}
+    - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container'}
+    # People who configured this to disable Riot, would now wish to be disabling Element.
+    # We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default.
+    - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'}
+    - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': '<not configurable anymore>'}
+    - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': '<not configurable anymore>'}
+
+- name: Fail on unknown matrix_ssl_retrieval_method
+  ansible.builtin.fail:
+    msg: >-
+      `matrix_ssl_retrieval_method` needs to be set to a known value.
+  when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
+
+- name: Fail on unknown matrix_nginx_proxy_ssl_config
+  ansible.builtin.fail:
+    msg: >-
+      `matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
+  when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
+
+- name: Fail if Basic Auth enabled for metrics, but no credentials supplied
+  ansible.builtin.fail:
+    msg: |
+      Enabling Basic Auth for metrics (`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`) requires:
+      - either a username/password (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`)
+      - or raw htpasswd content (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`)
+  when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content == '' and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username == '' or matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == ''))"
+
+- when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+  block:
+    - name: (Deprecation) Catch and report renamed settings
+      ansible.builtin.fail:
+        msg: >-
+          Your configuration contains a variable, which now has a different name.
+          Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+      with_items:
+        - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
+        - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
+        - {'old': 'matrix_nginx_proxy_proxy_synapse_workers_enabled_list', 'new': '<no longer used>'}
+      when: "item.old in vars"
+
+    - name: Fail if required variables are undefined
+      ansible.builtin.fail:
+        msg: "The `{{ item }}` variable must be defined and have a non-null value"
+      with_items:
+        - "matrix_ssl_lets_encrypt_support_email"
+        - "matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container"
+        - "matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container"
+        - "matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container"
+        - "matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container"
+      when: "vars[item] == '' or vars[item] is none"
+
+- name: (Deprecation) Catch and report old metrics usage
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable (`{{ item }}`), which refers to the old metrics collection system for Synapse,
+      which exposed metrics on `https://matrix.DOMAIN/_synapse/metrics` and `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`.
+
+      We now recommend exposing Synapse metrics in another way, from another URL.
+      Refer to the changelog for more details: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2022-06-22
+  with_items:
+    - matrix_nginx_proxy_proxy_synapse_metrics
+    - matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled
+    - matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key
+  when: "item in vars"