Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl

Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break

roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2

@@ -1,8 +1,8 @@
-MAILTO="{{ ssl_support_email }}"
+MAILTO="{{ matrix_ssl_support_email }}"
 
 # This periodically restarts the Matrix services
 # to ensure they're using the latest SSL certificate
-# in case it got renewed by the `ssl-certificate-renewal` cronjob
+# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
 # (which happens once every ~2-3 months).
 #
 # Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,

roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2

@@ -1,4 +1,4 @@
-MAILTO="{{ ssl_support_email }}"
+MAILTO="{{ matrix_ssl_support_email }}"
 
 # The goal of this cronjob is to ask acmetool to check
 # the current SSL certificates and to see if some need renewal.
@@ -18,4 +18,4 @@ MAILTO="{{ ssl_support_email }}"
 # These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
 # because it aliases `/.well-known/acme-challenge` to that same directory.
 
-15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
+15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug

roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2

@@ -17,7 +17,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			--link matrix-synapse:synapse \
 			--link matrix-riot-web:riot \
 			-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \
-			-v {{ ssl_certs_path }}:/acmetool-certs \
+			-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
 			{{ docker_nginx_image }}
 ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStop=-/usr/bin/docker rm matrix-nginx-proxy

roles/matrix-server/templates/systemd/matrix-synapse.service.j2

@@ -15,7 +15,7 @@ Requires=matrix-s3fs.service
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-synapse
 ExecStartPre=-/usr/bin/docker rm matrix-synapse
-ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R
+ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{% if not matrix_postgres_use_external %}
 			--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
@@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			-v {{ matrix_synapse_config_dir_path }}:/data \
 			-v {{ matrix_synapse_run_path }}:/matrix-run \
 			-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
-			-v {{ ssl_certs_path }}:/acmetool-certs \
+			-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
 			{{ docker_matrix_image }}
 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse