Add 'none' SSL certificate retrieval method

Slavi Pantaleev 2019-02-01 16:50:02 +02:00
parent e09b7435d1
commit 8681a5dc69
3 changed files with 22 additions and 3 deletions

View File

@ -2,6 +2,8 @@
By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/). By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/).
Those certificates are used when configuring the nginx reverse proxy installed by this playbook.
If that's alright, you can skip this. If that's alright, you can skip this.
@ -29,4 +31,15 @@ With such a configuration, the playbook would expect you to drop the SSL certifi
- `<matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem` - `<matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem`
- `<matrix_ssl_config_dir_path>/live/<domain>/privkey.pem` - `<matrix_ssl_config_dir_path>/live/<domain>/privkey.pem`
where `<domain>` refers to the domains that you need (usually `matrix.<your-domain>` and `riot.<your-domain>`). where `<domain>` refers to the domains that you need (usually `matrix.<your-domain>` and `riot.<your-domain>`).
## Not bothering with SSL certificates
If you're [using an external web server](configuring-playbook-own-webserver.md) which is not nginx, or you would otherwise want to manage its certificates without this playbook getting in the way, you can completely disable SSL certificate management with the following configuration:
```yaml
matrix_ssl_retrieval_method: none
```
With such a configuration, no certificates will be retrieved at all. You're free to manage them however you want.
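Review bot: the new section says `none` lets you "completely disable SSL certificate management" but never states the prerequisite that the defaults comment in this same commit spells out: the method is meant for setups with `matrix_nginx_proxy_enabled: false`, because the playbook's own nginx proxy (per the context at the top of this file) is configured to use these certificates and nothing in this change stops the two settings from being combined. Add one sentence to this section, e.g. "Use this together with `matrix_nginx_proxy_enabled: false`; with the playbook's nginx proxy enabled, it would be configured to load certificates that were never retrieved."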

View File

@ -66,6 +66,7 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
# - "self-signed" - the playbook generates and self-signs certificates # - "self-signed" - the playbook generates and self-signs certificates
# - "manually-managed" - lets you manage certificates by yourself (manually; see below) # - "manually-managed" - lets you manage certificates by yourself (manually; see below)
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
# #
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
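Review bot: the added description of `"none"` is worded as a double negative ("doesn't care if you don't drop certificates in the location it expects"), which leaves unclear what "it" is and whether the expected paths are still used at all; state the behaviour directly, e.g. `# - "none" - the playbook neither retrieves nor checks for certificates; you manage them outside of it`, so it matches the longer explanation added further down in this file, which says "no certificate retrieval will happen".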
@ -73,6 +74,10 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem # - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem # - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). # where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
#
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
matrix_ssl_retrieval_method: "lets-encrypt" matrix_ssl_retrieval_method: "lets-encrypt"
# The list of domains that this role will obtain certificates for. # The list of domains that this role will obtain certificates for.
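Review bot: stray comma in the added comment: `The "none" type (`matrix_ssl_retrieval_method: none`), simply means` should read `The "none" type (`matrix_ssl_retrieval_method: none`) simply means`. These three lines are also the only place in the commit that ties `none` to `matrix_nginx_proxy_enabled: false`; since users read the defaults file less often than the docs, that prerequisite belongs in the user-facing documentation section as well.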

View File

@ -3,10 +3,10 @@
- name: Fail if using unsupported SSL certificate retrieval method - name: Fail if using unsupported SSL certificate retrieval method
fail: fail:
msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed']" when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
# Common tasks, required by any method below. # Common tasks, required by almost any method below.
- name: Ensure SSL certificate paths exists - name: Ensure SSL certificate paths exists
file: file:
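Review bot: with four accepted values now, the `msg` on the `fail:` task should list them (e.g. `"The `matrix_ssl_retrieval_method` variable contains an unsupported value. Supported: lets-encrypt, self-signed, manually-managed, none"`) so a user who mistypes the new option sees what is expected without opening this tasks file. Minor, in the unchanged context line: `Ensure SSL certificate paths exists` should be `exist`.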
@ -19,6 +19,7 @@
with_items: with_items:
- "{{ matrix_ssl_log_dir_path }}" - "{{ matrix_ssl_log_dir_path }}"
- "{{ matrix_ssl_config_dir_path }}" - "{{ matrix_ssl_config_dir_path }}"
when: "matrix_ssl_retrieval_method != 'none'"
# Method specific tasks follow # Method specific tasks follow
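Review bot: the added `when: "matrix_ssl_retrieval_method != 'none'"` means `matrix_ssl_config_dir_path` and `matrix_ssl_log_dir_path` are never created for this method, so any later task or container mount in the role that references those paths must be guarded the same way or the play will fail there instead of here; the defaults comment only documents that `none` is intended for `matrix_nginx_proxy_enabled: false`. Either add a fail-fast task for the combination of `none` with the nginx proxy still enabled, or note in the comment above this task that nothing else touches these directories when the method is `none`.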