diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 6d9ff33bd..a72200676 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -269,7 +269,28 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
 matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
+# Define local adress for proxying well-known challenge, if `matrix_nginx_proxy_well_known_serving_for_all_domains_enabled` is true
+matrix_ssl_lets_encrypt_certbot_challenge_addr: "127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}"
+
 # nginx status page configurations.
 matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
 matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
+
+
+# Controls whether matrix-nginx-proxy should serve well-known challenges for all `{{ matrix_ssl_domains_to_obtain_certificates_for }}`
+#
+# This is useful when you don't use matrix-nginx-proxy, but instead your own server,
+# but you still want playbooks to retrieve ssl certs for you,
+# but you are annoyed by the need to stop your server while retrieving certs.
+#
+# If enabled, allows matrix-nginx-proxy to generate nginx conf in `/matrix/nginx-proxy/conf.d` (only `well-known`block)
+# for all domains defined in `{{ matrix_ssl_domains_to_obtain_certificates_for }}`,
+# even is matrix_nginx_proxy_enabled is not true.
+#
+# You will need to define which server you use on host with `{{ matrix_host_server }}`.
+# Actually only 'nginx' is implemented.
+matrix_nginx_proxy_well_known_serving_for_all_domains_enabled: false
+matrix_host_server: ""
+
+
diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
index e80b655df..bba0ee5d1 100644
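Review bot: The comment block for `matrix_nginx_proxy_well_known_serving_for_all_domains_enabled` never says that the host nginx has to include the generated `well-known.conf` itself; this commit only writes that file under `/matrix/nginx-proxy/conf.d` and reloads the `nginx` unit, so with the option enabled and no include the challenge proxy is never active and certificate retrieval is unlikely to succeed. I would add `# The host nginx must itself include {{ matrix_nginx_proxy_confd_path }}/well-known.conf; this role only writes that file and reloads the nginx systemd unit.` The generated block only proxies the ACME challenge path and not the Matrix `/.well-known/matrix/*` files, so a name such as `matrix_nginx_proxy_acme_challenge_serving_for_all_domains_enabled` (or a sentence saying so) would avoid confusing the two. Typos: `adress` → `address`, `even is` → `even if`, and `Actually only 'nginx'` → `Currently only 'nginx'`. Since any other `matrix_host_server` value silently disables the feature through the `when` in the obtain task, a validation task failing on values other than `''` and `'nginx'` would help.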
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
@@ -12,6 +12,10 @@
 - set_fact:
     domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
+- name: Delegate well-known challenge to nginx on host
+  import_tasks: setup_ssl_well-known_challenge_for_nginx.yaml
+  when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_well_known_serving_for_all_domains_enabled|bool and matrix_host_server == 'nginx'"
+
 # This will fail if there is something running on port 80 (like matrix-nginx-proxy).
 # We suppress the error, as we'll try another method below.
 - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_well-known_challenge_for_nginx.yaml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_well-known_challenge_for_nginx.yaml
new file mode 100644
index 000000000..745693c9e
--- /dev/null
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_well-known_challenge_for_nginx.yaml
@@ -0,0 +1,19 @@
+- name: Create nginx conf file dedicated to well-known challenge
+  copy:
+    content: ""
+    dest: "{{ matrix_nginx_proxy_confd_path }}/well-known.conf"
+    force: no
+    mode: 0644
+
+- name: Append well-known challenge for domain
+  blockinfile:
+    path: "{{ matrix_nginx_proxy_confd_path }}/well-known.conf"
+    block: "{{ lookup('template', 'nginx/conf.d/nginx-well-known.conf.j2') }}"
+    marker: "# {mark} WELL-KNOWN CHALLENGE CONFIG FOR {{ domain_name }}"
+
+- name: Reload nginx for well-known challenge
+  systemd:
+    name: nginx
+    state: reloaded
+
+
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-well-known.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-well-known.conf.j2
new file mode 100644
index 000000000..376a097c4
--- /dev/null
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-well-known.conf.j2
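Review bot: The `when` on the new import is one long quoted string joining three conditions with `and`; written as a YAML list under `when:` (one condition per item, no surrounding quotes needed) it reads better and Ansible's skip output then shows which condition failed. Because `import_tasks` is static, that condition is re-evaluated on each of the three imported tasks rather than once for the import, which is harmless here but worth a one-line comment such as `# import_tasks is static: the condition applies to every task of the imported file`. This file appears to be run once per domain (it is named `..._obtain_for_domain.yml`), so the host nginx reload inside the imported file also happens once per domain; reloading only when the generated config changed would keep repeated runs quiet.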
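Review bot: The `Reload nginx for well-known challenge` task reloads the host nginx unconditionally every time this file is imported, i.e. once per domain even when nothing changed; register the `blockinfile` result (`register: matrix_nginx_well_known_conf`) and guard the reload with `when: matrix_nginx_well_known_conf.changed`, or move it to a handler, so idempotent runs stop reloading a service this role does not own. The file is written to `{{ matrix_nginx_proxy_confd_path }}`, the directory meant for the containerised proxy, and the task sets no `owner`/`group`; if that directory is owned by the unprivileged matrix user (I believe the rest of the role creates it that way — confirm), a root-run host nginx including a user-writable config file lets that user inject arbitrary nginx directives, so either write to a root-owned path or set `owner: root` and `group: root` and document the directory ownership requirement. When `matrix_nginx_proxy_enabled` is false the role may never have created that directory, so the `copy` would fail on a fresh host; a preceding `file: state: directory` task, or a fail-fast assert, would make that explicit. Style: `force: no` → `force: false` and `mode: 0644` → `mode: "0644"`, per Ansible's guidance on octal modes.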
@@ -0,0 +1,7 @@
+
+server {
+    server_name {{ domain_name }};
+    location ~ /.well-known/challenge {
+        proxy_pass http://{{ matrix_ssl_lets_encrypt_certbot_challenge_addr }};
+    }
+}
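Review bot: The `location ~ /.well-known/challenge` block does not match the path an ACME HTTP-01 validator requests, `/.well-known/acme-challenge/<token>`, because that URI does not contain the substring `well-known/challenge`; with the host nginx holding port 80, validation requests would never reach the certbot listener at `matrix_ssl_lets_encrypt_certbot_challenge_addr` and the certificate request would fail. Use a prefix location and drop the unanchored regex, in which `.` is also an unescaped wildcard: `location /.well-known/acme-challenge/ { proxy_pass http://{{ matrix_ssl_lets_encrypt_certbot_challenge_addr }}; }`. If the user's own host nginx already has a `server` block for `{{ domain_name }}` on port 80, nginx logs `conflicting server name` and keeps only the block it loaded first, so this one may be silently ignored; the template header should say that the `location` has to live in, or be included by, the existing server block for that domain. An explicit `listen 80;` would also make the intended port visible rather than relying on the default.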