sync with previous repo

roles/matrix-nginx-proxy/tasks/init.yml

@@ -0,0 +1,8 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
+  when: matrix_nginx_proxy_enabled|bool
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
+  when: "item.applicable|bool and item.enableable|bool"
+  with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"

roles/matrix-nginx-proxy/tasks/main.yml

@@ -0,0 +1,38 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+# Always validating the configuration, even if `matrix_nginx_proxy: false`.
+# This role performs actions even if the role is disabled, so we need
+# to ensure there's a valid configuration in any case.
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-nginx-proxy
+
+- import_tasks: "{{ role_path }}/tasks/ssl/main.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-nginx-proxy
+    - setup-ssl
+
+- import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-nginx-proxy
+
+- import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
+  delegate_to: 127.0.0.1
+  become: false
+  when: run_self_check|bool
+  tags:
+    - self-check
+
+- name: Mark matrix-nginx-proxy role as executed
+  set_fact:
+    matrix_nginx_proxy_role_executed: true
+  tags:
+   - always

roles/matrix-nginx-proxy/tasks/self_check_well_known.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Determine well-known files to check (Matrix)
+  set_fact:
+    well_known_file_checks:
+      - path: /.well-known/matrix/client
+        purpose: Client Discovery
+        cors: true
+        follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}"
+        validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
+
+- block:
+    - set_fact:
+        well_known_file_check_matrix_server:
+          path: /.well-known/matrix/server
+          purpose: Server Discovery
+          cors: false
+          follow_redirects: safe
+          validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
+
+    - name: Determine domains that we require certificates for (ma1sd)
+      set_fact:
+        well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
+  when: matrix_well_known_matrix_server_enabled|bool
+
+- name: Perform well-known checks
+  include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
+  with_items: "{{ well_known_file_checks }}"
+  loop_control:
+    loop_var: well_known_file_check

roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml

@@ -0,0 +1,73 @@
+---
+
+- set_fact:
+    well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
+    well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
+
+# These well-known files may be served without a `Content-Type: application/json` header,
+# so we can't rely on the uri module's automatic parsing of JSON.
+- name: Check .well-known on the matrix hostname
+  uri:
+    url: "{{ well_known_url_matrix }}"
+    follow_redirects: none
+    return_content: true
+    validate_certs: "{{ well_known_file_check.validate_certs }}"
+    headers:
+      Origin: example.com
+  check_mode: no
+  register: result_well_known_matrix
+  ignore_errors: true
+
+- name: Fail if .well-known not working on the matrix hostname
+  fail:
+    msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
+  when: "result_well_known_matrix.failed"
+
+- name: Parse JSON for well-known payload at the matrix hostname
+  set_fact:
+    well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}"
+
+- name: Fail if .well-known not CORS-aware on the matrix hostname
+  fail:
+    msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
+  when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix"
+
+- name: Report working .well-known on the matrix hostname
+  debug:
+    msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
+
+- name: Check .well-known on the identity hostname
+  uri:
+    url: "{{ well_known_url_identity }}"
+    follow_redirects: "{{ well_known_file_check.follow_redirects }}"
+    return_content: true
+    validate_certs: "{{ well_known_file_check.validate_certs }}"
+    headers:
+      Origin: example.com
+  check_mode: no
+  register: result_well_known_identity
+  ignore_errors: true
+
+- name: Fail if .well-known not working on the identity hostname
+  fail:
+    msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
+  when: "result_well_known_identity.failed"
+
+- name: Parse JSON for well-known payload at the identity hostname
+  set_fact:
+    well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}"
+
+- name: Fail if .well-known not CORS-aware on the identity hostname
+  fail:
+    msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
+  when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity"
+
+# For people who manually copy the well-known file, try to detect if it's outdated
+- name: Fail if well-known is different on matrix hostname and identity hostname
+  fail:
+    msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?"
+  when: "well_known_matrix_payload != well_known_identity_payload"
+
+- name: Report working .well-known on the identity hostname
+  debug:
+    msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)"

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -0,0 +1,272 @@
+---
+
+#
+# Generic tasks that we always want to happen, regardless
+# if the user wants matrix-nginx-proxy or not.
+#
+# If the user would set up their own nginx proxy server,
+# the config files from matrix-nginx-proxy can be reused.
+#
+# It doesn't hurt to put them in place, even if they turn out
+# to be unnecessary.
+#
+- name: Ensure Matrix nginx-proxy paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_nginx_proxy_base_path }}"
+    - "{{ matrix_nginx_proxy_data_path }}"
+    - "{{ matrix_nginx_proxy_confd_path }}"
+
+- name: Ensure Matrix nginx-proxy configured (main config override)
+  template:
+    src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
+    dest: "{{ matrix_nginx_proxy_base_path }}/nginx.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_enabled|bool
+
+- name: Ensure matrix-synapse-metrics-htpasswd is present (protecting /_synapse/metrics URI)
+  template:
+    src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2"
+    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    mode: 0400
+  when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool"
+
+- name: Ensure Matrix nginx-proxy configured (generic)
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for matrix-synapse exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_synapse_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for matrix-synapse deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for Element domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_element_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for riot domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for dimension domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_dimension_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for goneb domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_jitsi_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for grafana domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-grafana.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_grafana_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_sygnal_enabled|bool
+
+- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf"
+    mode: 0644
+
+- name: Ensure Matrix nginx-proxy data directory for base domain exists
+  file:
+    path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool
+
+- name: Ensure Matrix nginx-proxy homepage for base domain exists
+  copy:
+    content: "{{ matrix_nginx_proxy_base_domain_homepage_template }}"
+    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool
+
+- name: Ensure Matrix nginx-proxy configuration for base domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-base-domain.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_base_domain_serving_enabled|bool
+
+#
+# Tasks related to setting up matrix-nginx-proxy
+#
+- name: Ensure nginx Docker image is pulled
+  docker_image:
+    name: "{{ matrix_nginx_proxy_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_nginx_proxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_docker_image_force_pull }}"
+  when: matrix_nginx_proxy_enabled|bool
+
+- name: Ensure matrix-nginx-proxy.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
+    mode: 0644
+  register: matrix_nginx_proxy_systemd_service_result
+  when: matrix_nginx_proxy_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed"
+
+
+#
+# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
+#
+
+- name: Check existence of matrix-nginx-proxy service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
+  register: matrix_nginx_proxy_service_stat
+  when: "not matrix_nginx_proxy_enabled|bool"
+
+- name: Ensure matrix-nginx-proxy is stopped
+  service:
+    name: matrix-nginx-proxy
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure matrix-nginx-proxy.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
+    state: absent
+  when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal
+  service:
+    daemon_reload: yes
+  when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_matrix_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for riot domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_jitsi_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for grafana domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy homepage for base domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
+    state: absent
+  when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for base domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy configuration for main config override deleted
+  file:
+    path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_enabled|bool"
+
+- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI)
+  file:
+    path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool"

roles/matrix-nginx-proxy/tasks/setup_well_known.yml

@@ -0,0 +1,24 @@
+- set_fact:
+    matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
+
+# We need others to be able to read these directories too,
+# so that matrix-nginx-proxy's nginx user can access the files.
+#
+# For running with another webserver, we recommend being part of the `matrix` group.
+- name: Ensure Matrix static-files path exists
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_static_files_base_path }}/.well-known/matrix"
+
+- name: Ensure Matrix /.well-known/matrix/client configured
+  template:
+    src: "{{ role_path }}/templates/well-known/matrix-client.j2"
+    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"

roles/matrix-nginx-proxy/tasks/ssl/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Fail if using unsupported SSL certificate retrieval method
+  fail:
+    msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
+  when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
+
+
+# Common tasks, required by almost any method below.
+
+- name: Ensure SSL certificate paths exists
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    recurse: true
+  with_items:
+    - "{{ matrix_ssl_log_dir_path }}"
+    - "{{ matrix_ssl_config_dir_path }}"
+  when: "matrix_ssl_retrieval_method != 'none'"
+
+
+# Method specific tasks follow
+
+- import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml
+
+- import_tasks: tasks/ssl/setup_ssl_self_signed.yml
+
+- import_tasks: tasks/ssl/setup_ssl_manually_managed.yml

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml

@@ -0,0 +1,64 @@
+---
+
+# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
+# This migration task can be removed some time in the future.
+- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew"
+    - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
+    - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
+    - "/etc/cron.d/matrix-ssl-lets-encrypt"
+
+#
+# Tasks related to setting up Let's Encrypt's management of certificates
+#
+
+- block:
+    - name: Ensure certbot Docker image is pulled
+      docker_image:
+        name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
+        source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+        force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
+
+    - name: Obtain Let's Encrypt certificates
+      include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
+      with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
+      loop_control:
+        loop_var: domain_name
+
+    - name: Ensure Let's Encrypt SSL renewal script installed
+      template:
+        src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
+        dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+        mode: 0755
+
+    - name: Ensure SSL renewal systemd units installed
+      template:
+        src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
+        dest: "{{ matrix_systemd_path }}/{{ item.name }}"
+        mode: 0644
+      when: "item.applicable|bool"
+      with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+#
+# Tasks related to getting rid of Let's Encrypt's management of certificates
+#
+
+- block:
+    - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
+      file:
+        path: "{{ matrix_systemd_path }}/{{ item.name }}"
+        state: absent
+      when: "not item.applicable|bool"
+      with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
+
+    - name: Ensure Let's Encrypt SSL renewal script removed
+      file:
+        path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+        state: absent
+  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml

@@ -0,0 +1,91 @@
+- debug:
+    msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
+
+- set_fact:
+    domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+
+- name: Check if a certificate for the domain already exists
+  stat:
+    path: "{{ domain_name_certificate_path }}"
+  register: domain_name_certificate_path_stat
+
+- set_fact:
+    domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
+
+- block:
+  - name: Ensure required service for obtaining is started
+    service:
+      name: "{{ matrix_ssl_pre_obtaining_required_service_name }}"
+      state: started
+    register: matrix_ssl_pre_obtaining_required_service_start_result
+
+  - name: Wait some time, so that the required service for obtaining can start
+    wait_for:
+      timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}"
+    when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool"
+  when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''"
+
+# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
+# We suppress the error, as we'll try another method below.
+- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
+  shell: >-
+    {{ matrix_host_command_docker }} run
+    --rm
+    --name=matrix-certbot
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080
+    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+    certonly
+    --non-interactive
+    --work-dir=/tmp
+    --http-01-port 8080
+    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+    --standalone
+    --preferred-challenges http
+    --agree-tos
+    --email={{ matrix_ssl_lets_encrypt_support_email }}
+    -d {{ domain_name }}
+  when: domain_name_needs_cert|bool
+  register: result_certbot_direct
+  ignore_errors: true
+
+# If matrix-nginx-proxy is configured from a previous run of this playbook,
+# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
+- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
+  shell: >-
+    {{ matrix_host_command_docker }} run
+    --rm
+    --name=matrix-certbot
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
+    --network={{ matrix_docker_network }}
+    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+    certonly
+    --non-interactive
+    --work-dir=/tmp
+    --http-01-port 8080
+    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+    --standalone
+    --preferred-challenges http
+    --agree-tos
+    --email={{ matrix_ssl_lets_encrypt_support_email }}
+    -d {{ domain_name }}
+  when: "domain_name_needs_cert and result_certbot_direct.failed"
+  register: result_certbot_proxy
+  ignore_errors: true
+
+- name: Fail if all SSL certificate retrieval attempts failed
+  fail:
+    msg: |
+      Failed to obtain a certificate directly (by listening on port 80)
+      and also failed to obtain by relying on the server at port 80 to proxy the request.
+      See above for details.
+      You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
+      more easily, stop the server on port 80 while this playbook runs.
+  when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Verify certificates
+  include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'manually-managed'"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml

@@ -0,0 +1,23 @@
+---
+
+- set_fact:
+    matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_path }}"
+  register: matrix_ssl_certificate_verification_cert_path_stat_result
+
+- fail:
+    msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists"
+
+- name: Check if SSL certificate key file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_key_path }}"
+  register: matrix_ssl_certificate_verification_cert_key_path_stat_result
+
+- fail:
+    msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Ensure OpenSSL installed (RedHat)
+  yum:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'"
+
+- name: Ensure APT usage dependencies are installed (Debian)
+  apt:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'"
+
+- name: Ensure OpenSSL installed (Archlinux)
+  pacman:
+    name:
+      - openssl
+    state: latest
+    update_cache: no
+  when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'"
+
+- name: Generate self-signed certificates
+  include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'self-signed'"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml

@@ -0,0 +1,42 @@
+---
+
+- set_fact:
+    matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
+    matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_cert_path }}"
+  register: matrix_ssl_certificate_cert_path_stat_result
+
+# In order to do any sort of generation (below), we need to ensure the directory exists first
+- name: Ensure SSL certificate directory exists
+  file:
+    path: "{{ matrix_ssl_certificate_csr_path|dirname }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
+
+# The proper way to do this is by using a sequence of
+# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
+#
+# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
+# which is not available on CentOS 7 (at least).
+#
+# We'll do it in a more manual way.
+- name: Generate SSL certificate
+  command: |
+    openssl req -x509 \
+    -sha256 \
+    -newkey rsa:4096 \
+    -nodes \
+    -subj "/CN={{ domain_name }}" \
+    -keyout {{ matrix_ssl_certificate_cert_key_path }} \
+    -out {{ matrix_ssl_certificate_cert_path }} \
+    -days 3650
+  become: true
+  become_user: "{{ matrix_user_username }}"
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"

roles/matrix-nginx-proxy/tasks/validate_config.yml

@@ -0,0 +1,47 @@
+---
+
+- name: (Deprecation) Catch and report renamed settings
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container'}
+    - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container'}
+    # People who configured this to disable Riot, would now wish to be disabling Element.
+    # We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default.
+    - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'}
+    - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': '<not configurable anymore>'}
+    - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': '<not configurable anymore>'}
+
+- name: Fail on unknown matrix_ssl_retrieval_method
+  fail:
+    msg: >-
+      `matrix_ssl_retrieval_method` needs to be set to a known value.
+  when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
+
+- name: Fail on unknown matrix_nginx_proxy_ssl_config
+  fail:
+    msg: >-
+      `matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
+  when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
+
+- block:
+    - name: (Deprecation) Catch and report renamed settings
+      fail:
+        msg: >-
+          Your configuration contains a variable, which now has a different name.
+          Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+      with_items:
+        - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
+        - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
+      when: "item.old in vars"
+
+    - name: Fail if required variables are undefined
+      fail:
+        msg: "The `{{ item }}` variable must be defined and have a non-null value"
+      with_items:
+        - "matrix_ssl_lets_encrypt_support_email"
+      when: "vars[item] == '' or vars[item] is none"
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"