ec0f936227
It doesn't hurt to attempt renewal more frequently, as it only does real work if it's actually necessary. Reloading, we postpone some more, because certbot adds some random delay (between 1 and 8 * 60 seconds) when renewing. We want to ensure we reload at least 8 minutes later, which wasn't the case. To make it even safer (in case future certbot versions use a longer delay), we reload a whole hour later. We're in no rush to start using the new certificates anyway, especially given that we attempt renewal often. Somewhat fixes #146 (Github Issue)
116 lines
4.0 KiB
YAML
116 lines
4.0 KiB
YAML
---
|
|
|
|
# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
|
|
# This migration task can be removed some time in the future.
|
|
- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
with_items:
|
|
- /usr/local/bin/matrix-ssl-certificates-renew
|
|
- /etc/cron.d/matrix-ssl-certificate-renewal
|
|
- /etc/cron.d/matrix-nginx-proxy-periodic-restarter
|
|
|
|
|
|
#
|
|
# Tasks related to setting up Let's Encrypt's management of certificates
|
|
#
|
|
|
|
- name: (Deprecation) Catch and report renamed settings
|
|
fail:
|
|
msg: >-
|
|
Your configuration contains a variable, which now has a different name.
|
|
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
|
with_items:
|
|
- {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
|
|
- {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
|
|
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item.old in vars"
|
|
|
|
- name: Fail if required variables are undefined
|
|
fail:
|
|
msg: "Detected an undefined required variable"
|
|
with_items:
|
|
- "{{ matrix_ssl_lets_encrypt_support_email }}"
|
|
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item is none"
|
|
|
|
- name: Ensure certbot Docker image is pulled
|
|
docker_image:
|
|
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
|
|
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
|
|
|
- name: Obtain Let's Encrypt certificates
|
|
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
|
|
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
|
|
loop_control:
|
|
loop_var: domain_name
|
|
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
|
|
|
- name: Ensure Let's Encrypt SSL renewal script installed
|
|
template:
|
|
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
|
|
dest: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
|
|
mode: 0750
|
|
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
|
|
|
- block:
|
|
- name: Ensure periodic SSL renewal cronjob configured (MAILTO)
|
|
cron:
|
|
user: root
|
|
cron_file: matrix-ssl-lets-encrypt
|
|
env: yes
|
|
name: MAILTO
|
|
value: "{{ matrix_ssl_lets_encrypt_support_email }}"
|
|
|
|
- name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew)
|
|
cron:
|
|
user: root
|
|
cron_file: matrix-ssl-lets-encrypt
|
|
name: matrix-ssl-lets-encrypt-certificates-renew
|
|
state: present
|
|
hour: 4
|
|
minute: 15
|
|
day: "*"
|
|
job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
|
|
|
|
- name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
|
|
cron:
|
|
user: root
|
|
cron_file: matrix-ssl-lets-encrypt
|
|
name: matrix-nginx-proxy-reload
|
|
state: present
|
|
hour: 5
|
|
minute: 20
|
|
day: "*"
|
|
job: /bin/systemctl reload matrix-nginx-proxy.service
|
|
when: matrix_nginx_proxy_enabled
|
|
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
|
|
|
|
|
#
|
|
# Tasks related to getting rid of Let's Encrypt's management of certificates
|
|
#
|
|
|
|
# When nginx-proxy is disabled, make sure its reloading cronjob is gone.
|
|
# Other cronjobs can potentially remain there (see below).
|
|
- name: Ensure matrix-nginx-proxy-reload cronjob removed
|
|
cron:
|
|
user: root
|
|
cron_file: matrix-ssl-lets-encrypt
|
|
name: matrix-nginx-proxy-reload
|
|
state: absent
|
|
when: "not matrix_nginx_proxy_enabled"
|
|
|
|
# When Let's Encrypt is not used at all, remove all cronjobs in that cron file.
|
|
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
|
|
cron:
|
|
user: root
|
|
cron_file: matrix-ssl-lets-encrypt
|
|
state: absent
|
|
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
|
|
|
|
- name: Ensure Let's Encrypt SSL renewal script removed
|
|
file:
|
|
path: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
|
|
state: absent
|
|
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
|