overmind
/
matrix-docker-ansible-deploy
kopia lustrzana https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Forkuj 0
Kod Zgłoszenia 0 Wydania 0 Wiki Aktywność
Matrix Docker Ansible eploy
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
102 Commity
13 Gałęzie
487 MiB
 
 
Drzewo: ea43d46b70
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'ea43d46b70'
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-server/tasks/setup_ssl.yml

69 wiersze
2.4 KiB
Czysty Wina Historia 

  1. ---

  2. 

  3. - name: Determine domains to obtain certificates for (Matrix)

  4.   set_fact:

  5.     domains_to_obtain_certificate_for: "['{{ hostname_matrix }}']"

  6. 

  7. - name: Determine domains to obtain certificates for (Riot)

  8.   set_fact:

  9.     domains_to_obtain_certificate_for: "{{ domains_to_obtain_certificate_for + [hostname_riot] }}"

  10.   when: matrix_riot_web_enabled

  11. 

  12. - name: Allow access to HTTP/HTTPS in firewalld

  13.   firewalld:

  14.     service: "{{ item }}"

  15.     state: enabled

  16.     immediate: yes

  17.     permanent: yes

  18.   with_items:

  19.     - http

  20.     - https

  21.   when: ansible_os_family == 'RedHat'

  22. 

  23. - name: Ensure acmetool Docker image is pulled

  24.   docker_image:

  25.     name: willwill/acme-docker

  26. 

  27. # Granting +rx to others as well, because the `nginx` user from within

  28. # matrix-nginx-proxy needs to be able to read the acme-challenge files inside

  29. # for renewal purposes.

  30. #

  31. # This should not be causing security trouble outside of the container,

  32. # as the parent directory (/matrix) does not allow "others" to access it or any of its children.

  33. # Still, it works when the /ssl subtree is mounted in the container.

  34. - name: Ensure SSL certificates path exists

  35.   file:

  36.     path: "{{ matrix_ssl_certs_path }}"

  37.     state: directory

  38.     mode: 0775

  39.     owner: "{{ matrix_user_username }}"

  40.     group: "{{ matrix_user_username }}"

  41. 

  42. - name: Check matrix-nginx-proxy state

  43.   service: name=matrix-nginx-proxy

  44.   register: matrix_nginx_proxy_state

  45. 

  46. - name: Ensure matrix-nginx-proxy is stopped (if previously installed & started)

  47.   service: name=matrix-nginx-proxy state=stopped

  48.   when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"

  49. 

  50. - name: Ensure SSL certificates are marked as wanted in acmetool

  51.   shell: >-

  52.     /usr/bin/docker run --rm --name acmetool --net=host

  53.     -v {{ matrix_ssl_certs_path }}:/certs

  54.     -v {{ matrix_ssl_certs_path }}/run:/var/run/acme

  55.     -e ACME_EMAIL={{ matrix_ssl_support_email }}

  56.     willwill/acme-docker

  57.     acmetool want {{ item }} --xlog.severity=debug

  58.   with_items: "{{ domains_to_obtain_certificate_for }}"

  59. 

  60. - name: Ensure matrix-nginx-proxy is started (if previously installed & started)

  61.   service: name=matrix-nginx-proxy state=started

  62.   when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"

  63. 

  64. - name: Ensure periodic SSL renewal cronjob configured

  65.   template:

  66.     src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"

  67.     dest: "/etc/cron.d/matrix-ssl-certificate-renewal"

  68.     mode: 0600