Make roles more independent of one another

With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).

roles/matrix-nginx-proxy/defaults/main.yml

@@ -1,7 +1,3 @@
-# By default, this playbook sets up its own nginx proxy server on port 80/443.
-# This is fine if you're dedicating the whole server to Matrix.
-# But in case that's not the case, you may wish to prevent that
-# and take care of proxying by yourself.
 matrix_nginx_proxy_enabled: true
 
 matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
@@ -9,6 +5,20 @@ matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
 matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
 matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
 
+# List of systemd services that matrix-nginx-proxy.service depends on
+matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-nginx-proxy.service wants
+matrix_nginx_proxy_systemd_wanted_services_list: []
+
+# Controls whether proxying the riot domain should be done.
+matrix_nginx_proxy_proxy_riot_enabled: false
+matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}"
+
+# Controls whether proxying the matrix domain should be done.
+matrix_nginx_proxy_proxy_matrix_enabled: false
+matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}"
+
 # The addresses where the Matrix Client API is.
 # Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
 matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008"
@@ -39,6 +49,9 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
 # where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
 matrix_ssl_retrieval_method: "lets-encrypt"
 
+# The list of domains that this role will obtain certificates for.
+matrix_ssl_domains_to_obtain_certificates_for: []
+
 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
 matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -17,21 +17,30 @@
     mode: 0750
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
-    recurse: yes
   with_items:
     - "{{ matrix_nginx_proxy_data_path }}"
     - "{{ matrix_nginx_proxy_confd_path }}"
 
-- name: Ensure Matrix nginx-proxy configured
+- name: Ensure Matrix nginx-proxy configured (generic)
   template:
-    src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2"
-    dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}"
+    src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
     mode: 0644
-  with_items:
-    - "nginx-http.conf"
-    - "matrix-synapse.conf"
-    - "matrix-riot-web.conf"
+  when: "matrix_nginx_proxy_enabled"
 
+- name: Ensure Matrix nginx-proxy configuration for matrix domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
+    mode: 0644
+  when: "matrix_nginx_proxy_proxy_matrix_enabled"
+
+- name: Ensure Matrix nginx-proxy configuration for riot domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
+    mode: 0644
+  when: "matrix_nginx_proxy_proxy_riot_enabled"
 
 #
 # Tasks related to setting up matrix-nginx-proxy
@@ -50,7 +59,7 @@
   with_items:
     - "http"
     - "https"
-  when: "ansible_os_family == 'RedHat' and matrix_nginx_proxy_enabled"
+  when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'"
 
 - name: Ensure matrix-nginx-proxy.service installed
   template:
@@ -82,3 +91,16 @@
     path: "/etc/systemd/system/matrix-nginx-proxy.service"
     state: absent
   when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_matrix_enabled"
+
+- name: Ensure Matrix nginx-proxy configuration for riot domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_riot_enabled"
+

roles/matrix-nginx-proxy/tasks/ssl/main.yml

@@ -8,15 +8,6 @@
 
 # Common tasks, required by any method below.
 
-- name: Determine domains that we require certificates for (Matrix)
-  set_fact:
-    domains_requiring_certificates: "['{{ hostname_matrix }}']"
-
-- name: Determine domains that we require certificates for (Riot)
-  set_fact:
-    domains_requiring_certificates: "{{ domains_requiring_certificates + [hostname_riot] }}"
-  when: "matrix_riot_web_enabled"
-
 - name: Ensure SSL certificate paths exists
   file:
     path: "{{ item }}"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml

@@ -39,7 +39,7 @@
 
 - name: Obtain Let's Encrypt certificates
   include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
-  with_items: "{{ domains_requiring_certificates }}"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
   loop_control:
     loop_var: domain_name
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml

@@ -2,7 +2,7 @@
 
 - name: Verify certificates
   include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
-  with_items: "{{ domains_requiring_certificates }}"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
   loop_control:
     loop_var: domain_name
   when: "matrix_ssl_retrieval_method == 'manually-managed'"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml

@@ -18,7 +18,7 @@
 
 - name: Generate self-signed certificates
   include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
-  with_items: "{{ domains_requiring_certificates }}"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
   loop_control:
     loop_var: domain_name
   when: "matrix_ssl_retrieval_method == 'self-signed'"

roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2

@@ -1,6 +1,6 @@
 server {
 	listen 80;
-	server_name {{ hostname_riot }};
+	server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
 
 	server_tokens off;
 
@@ -25,7 +25,7 @@ server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
 
-    server_name {{ hostname_riot }};
+    server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
 
 	server_tokens off;
 	root /dev/null;
@@ -33,8 +33,8 @@ server {
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
 
-	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem;
-	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem;
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/privkey.pem;
 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 	ssl_prefer_server_ciphers on;
 	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2

@@ -1,6 +1,6 @@
 server {
 	listen 80;
-	server_name {{ hostname_matrix }};
+	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
 
 	server_tokens off;
 
@@ -25,7 +25,7 @@ server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 
-	server_name {{ hostname_matrix }};
+	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
 
 	server_tokens off;
 	root /dev/null;
@@ -33,8 +33,8 @@ server {
 	gzip on;
 	gzip_types text/plain application/json;
 
-	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem;
-	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem;
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 	ssl_prefer_server_ciphers on;
 	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2

@@ -1,17 +1,12 @@
 [Unit]
-Description=Matrix nginx proxy server
-After=docker.service
-Requires=docker.service
-Wants=matrix-synapse.service
-{% if matrix_corporal_enabled %}
-Wants=matrix-corporal.service
-{% endif %}
-{% if matrix_riot_web_enabled %}
-Wants=matrix-riot-web.service
-{% endif %}
-{% if matrix_mxisd_enabled %}
-Wants=matrix-mxisd.service
-{% endif %}
+Description=Matrix nginx-proxy server
+{% for service in matrix_nginx_proxy_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_nginx_proxy_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
 
 [Service]
 Type=simple