Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl

Moving keeps everything in the /matrix directory, so that we wouldn't contaminate anything else on the system or risk clashing with something else. Also retrieving certificates separately for the Riot and Matrix domains, which should help in multiple ways: - allows them to be very different (completely separate base domain..) - allows for Riot to be disabled for the playbook some time later and still have the code not break
2017-09-11 23:50:14 +03:00
parent ded7c274f6
commit cb323f5b4c
11 changed files with 35 additions and 24 deletions
--- a/roles/matrix-server/tasks/setup_main.yml
+++ b/roles/matrix-server/tasks/setup_main.yml
@ -17,4 +17,14 @@
  file:
    path: "{{ matrix_environment_variables_data_path }}"
    state: directory
-    mode: 0700
+    mode: 0700
+
+- name: Ensure Matrix base path exists
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_synapse_base_path }}"
--- a/roles/matrix-server/tasks/setup_postgres.yml
+++ b/roles/matrix-server/tasks/setup_postgres.yml
@ -48,7 +48,7 @@
 # Tasks related to getting rid of the internal postgres server (if it was previously enabled)
 #

- name: Check existance of matrix-postgres service
+- name: Check existence of matrix-postgres service
  stat: path="/etc/systemd/system/matrix-postgres.service"
  register: matrix_postgres_service_stat
  when: matrix_postgres_use_external
@ -63,7 +63,7 @@
    state: absent
  when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"

- name: Check existance of matrix-postgres local data path
+- name: Check existence of matrix-postgres local data path
  stat: path="{{ matrix_postgres_data_path }}"
  register: matrix_postgres_data_path_stat
  when: matrix_postgres_use_external
@ -72,4 +72,4 @@
 - name: Notify if matrix-postgres local data remains
  debug:
    msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that."
-  when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"
+  when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"
--- a/roles/matrix-server/tasks/setup_s3fs.yml
+++ b/roles/matrix-server/tasks/setup_s3fs.yml
@ -26,7 +26,7 @@
 # Tasks related to getting rid of s3fs (if it was previously enabled)
 #

- name: Check existance of matrix-s3fs service
+- name: Check existence of matrix-s3fs service
  stat: path="/etc/systemd/system/matrix-s3fs.service"
  register: matrix_s3fs_service_stat

@ -51,4 +51,4 @@
  docker_image:
    name: "{{ docker_s3fs_image }}"
    state: absent
-  when: "not matrix_s3_media_store_enabled"
+  when: "not matrix_s3_media_store_enabled"
--- a/roles/matrix-server/tasks/setup_ssl.yml
+++ b/roles/matrix-server/tasks/setup_ssl.yml
@ -17,7 +17,7 @@

 - name: Ensure SSL certificates path exists
  file:
-    path: "{{ ssl_certs_path }}"
+    path: "{{ matrix_ssl_certs_path }}"
    state: directory
    mode: 0770
    owner: "{{ matrix_user_username }}"
@ -34,10 +34,13 @@
 - name: Ensure SSL certificates are marked as wanted in acmetool
  shell: >-
    /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
-    -v {{ ssl_certs_path }}:/certs
-    -e ACME_EMAIL={{ ssl_support_email }}
+    -v {{ matrix_ssl_certs_path }}:/certs
+    -e ACME_EMAIL={{ matrix_ssl_support_email }}
    willwill/acme-docker
-    acmetool want {{ hostname_matrix }} {{ hostname_riot }} --xlog.severity=debug
+    acmetool want {{ item }} --xlog.severity=debug
+  with_items:
+    - "{{ hostname_matrix }}"
+    - "{{ hostname_riot }}"

 - name: Ensure matrix-nginx-proxy is started (if previously installed & started)
  service: name=matrix-nginx-proxy state=started
@ -45,6 +48,6 @@

 - name: Ensure periodic SSL renewal cronjob configured
  template:
-    src: "{{ role_path }}/templates/cron.d/ssl-certificate-renewal.j2"
-    dest: "/etc/cron.d/ssl-certificate-renewal"
+    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
+    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
    mode: 0600
--- a/roles/matrix-server/tasks/setup_synapse.yml
+++ b/roles/matrix-server/tasks/setup_synapse.yml
@ -8,7 +8,6 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  with_items:
-    - "{{ matrix_synapse_base_path }}"
    - "{{ matrix_synapse_config_dir_path }}"
    - "{{ matrix_synapse_run_path }}"
    # We handle matrix_synapse_media_store_path below, not here,