finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

sync with previous repo

Browse Source
This commit is contained in:
Michael Collins
2021-08-13 16:05:57 +08:00
parent 83a90f1cd1
commit 98e6cd685d
641 changed files with 43857 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
roles/matrix-nginx-proxy/tasks/ssl/main.yml Normal file
View File

@ -0,0 +1,31 @@
---
- name: Fail if using unsupported SSL certificate retrieval method
fail:
msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
# Common tasks, required by almost any method below.
- name: Ensure SSL certificate paths exists
file:
path: "{{ item }}"
state: directory
mode: 0770
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
recurse: true
with_items:
- "{{ matrix_ssl_log_dir_path }}"
- "{{ matrix_ssl_config_dir_path }}"
when: "matrix_ssl_retrieval_method != 'none'"
# Method specific tasks follow
- import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml
- import_tasks: tasks/ssl/setup_ssl_self_signed.yml
- import_tasks: tasks/ssl/setup_ssl_manually_managed.yml

64
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml Normal file
View File

@ -0,0 +1,64 @@
---
# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
# This migration task can be removed some time in the future.
- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew"
- "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
- "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
- "/etc/cron.d/matrix-ssl-lets-encrypt"
#
# Tasks related to setting up Let's Encrypt's management of certificates
#
- block:
- name: Ensure certbot Docker image is pulled
docker_image:
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
- name: Obtain Let's Encrypt certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
- name: Ensure Let's Encrypt SSL renewal script installed
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
mode: 0755
- name: Ensure SSL renewal systemd units installed
template:
src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
dest: "{{ matrix_systemd_path }}/{{ item.name }}"
mode: 0644
when: "item.applicable|bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
#
# Tasks related to getting rid of Let's Encrypt's management of certificates
#
- block:
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
file:
path: "{{ matrix_systemd_path }}/{{ item.name }}"
state: absent
when: "not item.applicable|bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
- name: Ensure Let's Encrypt SSL renewal script removed
file:
path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
state: absent
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"

91
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml Normal file
View File

@ -0,0 +1,91 @@
- debug:
msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
- set_fact:
domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
- name: Check if a certificate for the domain already exists
stat:
path: "{{ domain_name_certificate_path }}"
register: domain_name_certificate_path_stat
- set_fact:
domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
- block:
- name: Ensure required service for obtaining is started
service:
name: "{{ matrix_ssl_pre_obtaining_required_service_name }}"
state: started
register: matrix_ssl_pre_obtaining_required_service_start_result
- name: Wait some time, so that the required service for obtaining can start
wait_for:
timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}"
when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool"
when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''"
# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
shell: >-
{{ matrix_host_command_docker }} run
--rm
--name=matrix-certbot
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
-p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080
--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
--mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
{{ matrix_ssl_lets_encrypt_certbot_docker_image }}
certonly
--non-interactive
--work-dir=/tmp
--http-01-port 8080
{% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
--standalone
--preferred-challenges http
--agree-tos
--email={{ matrix_ssl_lets_encrypt_support_email }}
-d {{ domain_name }}
when: domain_name_needs_cert|bool
register: result_certbot_direct
ignore_errors: true
# If matrix-nginx-proxy is configured from a previous run of this playbook,
# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
shell: >-
{{ matrix_host_command_docker }} run
--rm
--name=matrix-certbot
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
--network={{ matrix_docker_network }}
--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
--mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
{{ matrix_ssl_lets_encrypt_certbot_docker_image }}
certonly
--non-interactive
--work-dir=/tmp
--http-01-port 8080
{% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
--standalone
--preferred-challenges http
--agree-tos
--email={{ matrix_ssl_lets_encrypt_support_email }}
-d {{ domain_name }}
when: "domain_name_needs_cert and result_certbot_direct.failed"
register: result_certbot_proxy
ignore_errors: true
- name: Fail if all SSL certificate retrieval attempts failed
fail:
msg: |
Failed to obtain a certificate directly (by listening on port 80)
and also failed to obtain by relying on the server at port 80 to proxy the request.
See above for details.
You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
more easily, stop the server on port 80 while this playbook runs.
when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"

8
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Verify certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'manually-managed'"

23
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml Normal file
View File

@ -0,0 +1,23 @@
---
- set_fact:
matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
- name: Check if SSL certificate file exists
stat:
path: "{{ matrix_ssl_certificate_verification_cert_path }}"
register: matrix_ssl_certificate_verification_cert_path_stat_result
- fail:
msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`"
when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists"
- name: Check if SSL certificate key file exists
stat:
path: "{{ matrix_ssl_certificate_verification_cert_key_path }}"
register: matrix_ssl_certificate_verification_cert_key_path_stat_result
- fail:
msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`"
when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists"

32
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: Ensure OpenSSL installed (RedHat)
yum:
name:
- openssl
state: present
update_cache: no
when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'"
- name: Ensure APT usage dependencies are installed (Debian)
apt:
name:
- openssl
state: present
update_cache: no
when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'"
- name: Ensure OpenSSL installed (Archlinux)
pacman:
name:
- openssl
state: latest
update_cache: no
when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'"
- name: Generate self-signed certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'self-signed'"

42
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml Normal file
View File

@ -0,0 +1,42 @@
---
- set_fact:
matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
- name: Check if SSL certificate file exists
stat:
path: "{{ matrix_ssl_certificate_cert_path }}"
register: matrix_ssl_certificate_cert_path_stat_result
# In order to do any sort of generation (below), we need to ensure the directory exists first
- name: Ensure SSL certificate directory exists
file:
path: "{{ matrix_ssl_certificate_csr_path|dirname }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
# The proper way to do this is by using a sequence of
# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
#
# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
# which is not available on CentOS 7 (at least).
#
# We'll do it in a more manual way.
- name: Generate SSL certificate
command: |
openssl req -x509 \
-sha256 \
-newkey rsa:4096 \
-nodes \
-subj "/CN={{ domain_name }}" \
-keyout {{ matrix_ssl_certificate_cert_key_path }} \
-out {{ matrix_ssl_certificate_cert_path }} \
-days 3650
become: true
become_user: "{{ matrix_user_username }}"
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"