Move roles/matrix* to roles/custom/matrix*

This paves the way for installing other roles into `roles/galaxy` using `ansible-galaxy`,
similar to how it's done in:

- https://github.com/spantaleev/gitea-docker-ansible-deploy
- https://github.com/spantaleev/nextcloud-docker-ansible-deploy

In the near future, we'll be removing a lot of the shared role code from here
and using upstream roles for it. Some of the core `matrix-*` roles have
already been extracted out into other reusable roles:

- https://github.com/devture/com.devture.ansible.role.postgres
- https://github.com/devture/com.devture.ansible.role.systemd_docker_base
- https://github.com/devture/com.devture.ansible.role.timesync
- https://github.com/devture/com.devture.ansible.role.vars_preserver
- https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages
- https://github.com/devture/com.devture.ansible.role.playbook_help

We just need to migrate to those.

roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Fail if using unsupported SSL certificate retrieval method
+  ansible.builtin.fail:
+    msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
+  when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
+
+- name: Fail if using unsupported private key type
+  ansible.builtin.fail:
+    msg: "The `matrix_ssl_lets_encrypt_key_type` variable contains an unsupported value"
+  when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']"
+
+
+# Common tasks, required by almost any method below.
+
+- name: Ensure SSL certificate paths exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    recurse: true
+  with_items:
+    - "{{ matrix_ssl_log_dir_path }}"
+    - "{{ matrix_ssl_config_dir_path }}"
+  when: "matrix_ssl_retrieval_method != 'none'"
+
+
+# Method specific tasks follow
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt.yml"
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed.yml"
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed.yml"

roles/custom/matrix-nginx-proxy/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Check if a Let's Encrypt renewal configuration directory exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_config_dir_path }}/renewal"
+  register: matrix_ssl_config_renewal_directory_stat_result
+
+- when: matrix_ssl_config_renewal_directory_stat_result.stat.exists | bool
+  block:
+    - name: Determine current Let's Encrypt renewal configs
+      ansible.builtin.find:
+        path: "{{ matrix_ssl_config_dir_path }}/renewal"
+        patterns: ".*.conf$"
+        use_regex: true
+      register: matrix_ssl_current_renewal_config_files
+
+    - name: Determine unnecessary Let's Encrypt renewal configs
+      ansible.builtin.set_fact:
+        matrix_ssl_current_renewal_config_files_to_purge: "{{ matrix_ssl_current_renewal_config_files_to_purge | default([]) + [item.path] }}"
+      with_items: "{{ matrix_ssl_current_renewal_config_files.files }}"
+      when: "item.path | basename | replace('.conf', '') not in matrix_ssl_domains_to_obtain_certificates_for"
+
+    - name: Purge unneceessary Let's Encrypt renewal config files
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items: "{{ matrix_ssl_current_renewal_config_files_to_purge | default([]) }}"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml

@@ -0,0 +1,67 @@
+---
+
+# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
+# This migration task can be removed some time in the future.
+- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew"
+    - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
+    - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
+    - "/etc/cron.d/matrix-ssl-lets-encrypt"
+
+#
+# Tasks related to setting up Let's Encrypt's management of certificates
+#
+
+- when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+  block:
+    - when: matrix_ssl_orphaned_renewal_configs_purging_enabled | bool
+      ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml"
+
+    - name: Ensure certbot Docker image is pulled
+      community.docker.docker_image:
+        name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
+        source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+        force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
+
+    - name: Obtain Let's Encrypt certificates
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
+      with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}"
+      loop_control:
+        loop_var: domain_name
+
+    - name: Ensure Let's Encrypt SSL renewal script installed
+      ansible.builtin.template:
+        src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
+        dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+        mode: 0755
+
+    - name: Ensure SSL renewal systemd units installed
+      ansible.builtin.template:
+        src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
+        dest: "{{ matrix_systemd_path }}/{{ item.name }}"
+        mode: 0644
+      when: "item.applicable | bool"
+      with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
+
+#
+# Tasks related to getting rid of Let's Encrypt's management of certificates
+#
+
+- when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
+  block:
+    - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
+      ansible.builtin.file:
+        path: "{{ matrix_systemd_path }}/{{ item.name }}"
+        state: absent
+      when: "not item.applicable | bool"
+      with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
+
+    - name: Ensure Let's Encrypt SSL renewal script removed
+      ansible.builtin.file:
+        path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+        state: absent

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml

@@ -0,0 +1,96 @@
+---
+- ansible.builtin.debug:
+    msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
+
+- ansible.builtin.set_fact:
+    domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+
+- name: Check if a certificate for the domain already exists
+  ansible.builtin.stat:
+    path: "{{ domain_name_certificate_path }}"
+  register: domain_name_certificate_path_stat
+
+- ansible.builtin.set_fact:
+    domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
+
+- when: "domain_name_needs_cert | bool and matrix_ssl_pre_obtaining_required_service_name != ''"
+  block:
+    - name: Ensure required service for obtaining is started
+      ansible.builtin.service:
+        name: "{{ matrix_ssl_pre_obtaining_required_service_name }}"
+        state: started
+      register: matrix_ssl_pre_obtaining_required_service_start_result
+
+    - name: Wait some time, so that the required service for obtaining can start
+      ansible.builtin.wait_for:
+        timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}"
+      when: "matrix_ssl_pre_obtaining_required_service_start_result.changed | bool"
+
+# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
+# We suppress the error, as we'll try another method below.
+- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
+  ansible.builtin.shell: >-
+    {{ matrix_host_command_docker }} run
+    --rm
+    --name=matrix-certbot
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080
+    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+    certonly
+    --non-interactive
+    --work-dir=/tmp
+    --http-01-port 8080
+    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
+    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+    --key-type {{ matrix_ssl_lets_encrypt_key_type }}
+    --standalone
+    --preferred-challenges http
+    --agree-tos
+    --email={{ matrix_ssl_lets_encrypt_support_email }}
+    -d {{ domain_name }}
+  when: domain_name_needs_cert | bool
+  register: result_certbot_direct
+  ignore_errors: true
+
+# If matrix-nginx-proxy is configured from a previous run of this playbook,
+# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
+- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
+  ansible.builtin.shell: >-
+    {{ matrix_host_command_docker }} run
+    --rm
+    --name=matrix-certbot
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
+    --network={{ matrix_docker_network }}
+    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+    certonly
+    --non-interactive
+    --work-dir=/tmp
+    --http-01-port 8080
+    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
+    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+    --key-type {{ matrix_ssl_lets_encrypt_key_type }}
+    --standalone
+    --preferred-challenges http
+    --agree-tos
+    --email={{ matrix_ssl_lets_encrypt_support_email }}
+    -d {{ domain_name }}
+  when: "domain_name_needs_cert and result_certbot_direct.failed"
+  register: result_certbot_proxy
+  ignore_errors: true
+
+- name: Fail if all SSL certificate retrieval attempts failed
+  ansible.builtin.fail:
+    msg: |
+      Failed to obtain a certificate directly (by listening on port 80)
+      and also failed to obtain by relying on the server at port 80 to proxy the request.
+      See above for details.
+      You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
+      more easily, stop the server on port 80 while this playbook runs.
+  when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Verify certificates
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'manually-managed'"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml

@@ -0,0 +1,23 @@
+---
+
+- ansible.builtin.set_fact:
+    matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_path }}"
+  register: matrix_ssl_certificate_verification_cert_path_stat_result
+
+- ansible.builtin.fail:
+    msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists"
+
+- name: Check if SSL certificate key file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_key_path }}"
+  register: matrix_ssl_certificate_verification_cert_key_path_stat_result
+
+- ansible.builtin.fail:
+    msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml

@@ -0,0 +1,11 @@
+---
+
+- ansible.builtin.import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
+  when: "matrix_ssl_retrieval_method == 'self-signed'"
+
+- name: Generate self-signed certificates
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'self-signed'"

roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml

@@ -0,0 +1,49 @@
+---
+
+- ansible.builtin.set_fact:
+    matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
+    matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_certificate_cert_path }}"
+  register: matrix_ssl_certificate_cert_path_stat_result
+
+# In order to do any sort of generation (below), we need to ensure the directory exists first
+- name: Ensure SSL certificate directory exists
+  ansible.builtin.file:
+    path: "{{ matrix_ssl_certificate_csr_path | dirname }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
+
+# The proper way to do this is by using a sequence of
+# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
+#
+# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
+# which is not available on CentOS 7 (at least).
+#
+# We'll do it in a more manual way.
+- name: Generate SSL certificate
+  ansible.builtin.command: |
+    openssl req -x509 \
+    -sha256 \
+    -newkey rsa:4096 \
+    -nodes \
+    -subj "/CN={{ domain_name }}" \
+    -keyout {{ matrix_ssl_certificate_cert_key_path }} \
+    -out {{ matrix_ssl_certificate_cert_path }} \
+    -days 3650
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
+
+- name: Adjust SSL certificate file ownership
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_ssl_certificate_cert_key_path }}"
+    - "{{ matrix_ssl_certificate_cert_path }}"