From 8681a5dc695f77b6492fd1b962f2f18088fd720f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Feb 2019 16:50:02 +0200 Subject: [PATCH] Add 'none' SSL certificate retrieval method --- docs/configuring-playbook-ssl-certificates.md | 15 ++++++++++++++- roles/matrix-nginx-proxy/defaults/main.yml | 5 +++++ roles/matrix-nginx-proxy/tasks/ssl/main.yml | 5 +++-- 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 8974431aa..5c8161faf 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -2,6 +2,8 @@ By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/). +Those certificates are used when configuring the nginx reverse proxy installed by this playbook. + If that's alright, you can skip this. @@ -29,4 +31,15 @@ With such a configuration, the playbook would expect you to drop the SSL certifi - `/live//fullchain.pem` - `/live//privkey.pem` -where `` refers to the domains that you need (usually `matrix.` and `riot.`). \ No newline at end of file +where `` refers to the domains that you need (usually `matrix.` and `riot.`). + + +## Not bothering with SSL certificates + +If you're [using an external web server](configuring-playbook-own-webserver.md) which is not nginx, or you would otherwise want to manage its certificates without this playbook getting in the way, you can completely disable SSL certificate management with the following configuration: + +```yaml +matrix_ssl_retrieval_method: none +``` + +With such a configuration, no certificates will be retrieved at all. You're free to manage them however you want. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 9171470bd..0bf7955b0 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -66,6 +66,7 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt # - "self-signed" - the playbook generates and self-signs certificates # - "manually-managed" - lets you manage certificates by yourself (manually; see below) +# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects # # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` @@ -73,6 +74,10 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" # - /live//fullchain.pem # - /live//privkey.pem # where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). +# +# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen. +# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`) +# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself. matrix_ssl_retrieval_method: "lets-encrypt" # The list of domains that this role will obtain certificates for. diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml index 2681164d8..5402468c6 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -3,10 +3,10 @@ - name: Fail if using unsupported SSL certificate retrieval method fail: msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" - when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed']" + when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" -# Common tasks, required by any method below. +# Common tasks, required by almost any method below. - name: Ensure SSL certificate paths exists file: @@ -19,6 +19,7 @@ with_items: - "{{ matrix_ssl_log_dir_path }}" - "{{ matrix_ssl_config_dir_path }}" + when: "matrix_ssl_retrieval_method != 'none'" # Method specific tasks follow