Make roles more independent of one another

With this change, the following roles are now only dependent on the minimal `matrix-base` role: - `matrix-corporal` - `matrix-coturn` - `matrix-mailer` - `matrix-mxisd` - `matrix-postgres` - `matrix-riot-web` - `matrix-synapse` The `matrix-nginx-proxy` role still does too much and remains dependent on the others. Wiring up the various (now-independent) roles happens via a glue variables file (`group_vars/matrix-servers`). It's triggered for all hosts in the `matrix-servers` group. According to Ansible's rules of priority, we have the following chain of inclusion/overriding now: - role defaults (mostly empty or good for independent usage) - playbook glue variables (`group_vars/matrix-servers`) - inventory host variables (`inventory/host_vars/matrix.<your-domain>`) All roles default to enabling their main component (e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`). Reasoning: if a role is included in a playbook (especially separately, in another playbook), it should "work" by default. Our playbook disables some of those if they are not generally useful (e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
parent 515f04e936
commit c10182e5a6
57 changed files with 807 additions and 289 deletions
--- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@ -17,21 +17,30 @@
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
-    recurse: yes
  with_items:
    - "{{ matrix_nginx_proxy_data_path }}"
    - "{{ matrix_nginx_proxy_confd_path }}"

- name: Ensure Matrix nginx-proxy configured
+- name: Ensure Matrix nginx-proxy configured (generic)
  template:
-    src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2"
-    dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}"
+    src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
    mode: 0644
-  with_items:
-    - "nginx-http.conf"
-    - "matrix-synapse.conf"
-    - "matrix-riot-web.conf"
+  when: "matrix_nginx_proxy_enabled"

+- name: Ensure Matrix nginx-proxy configuration for matrix domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
+    mode: 0644
+  when: "matrix_nginx_proxy_proxy_matrix_enabled"
+
+- name: Ensure Matrix nginx-proxy configuration for riot domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
+    mode: 0644
+  when: "matrix_nginx_proxy_proxy_riot_enabled"

 #
 # Tasks related to setting up matrix-nginx-proxy
@ -50,7 +59,7 @@
  with_items:
    - "http"
    - "https"
-  when: "ansible_os_family == 'RedHat' and matrix_nginx_proxy_enabled"
+  when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'"

 - name: Ensure matrix-nginx-proxy.service installed
  template:
@ -82,3 +91,16 @@
    path: "/etc/systemd/system/matrix-nginx-proxy.service"
    state: absent
  when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_matrix_enabled"
+
+- name: Ensure Matrix nginx-proxy configuration for riot domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_riot_enabled"
+
--- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml
@ -8,15 +8,6 @@

 # Common tasks, required by any method below.

- name: Determine domains that we require certificates for (Matrix)
-  set_fact:
-    domains_requiring_certificates: "['{{ hostname_matrix }}']"
-
- name: Determine domains that we require certificates for (Riot)
-  set_fact:
-    domains_requiring_certificates: "{{ domains_requiring_certificates + [hostname_riot] }}"
-  when: "matrix_riot_web_enabled"
-
 - name: Ensure SSL certificate paths exists
  file:
    path: "{{ item }}"
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
@ -39,7 +39,7 @@

 - name: Obtain Let's Encrypt certificates
  include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
-  with_items: "{{ domains_requiring_certificates }}"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
  loop_control:
    loop_var: domain_name
  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml
@ -2,7 +2,7 @@

 - name: Verify certificates
  include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
-  with_items: "{{ domains_requiring_certificates }}"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
  loop_control:
    loop_var: domain_name
  when: "matrix_ssl_retrieval_method == 'manually-managed'"
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml
@ -18,7 +18,7 @@

 - name: Generate self-signed certificates
  include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
-  with_items: "{{ domains_requiring_certificates }}"
+  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
  loop_control:
    loop_var: domain_name
  when: "matrix_ssl_retrieval_method == 'self-signed'"