mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2025-12-14 12:54:47 +00:00

Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl

Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break
Slavi Pantaleev
2017-09-11 23:50:14 +03:00
parent ded7c274f6
commit cb323f5b4c
11 changed files with 35 additions and 24 deletions

View File

@@ -1,8 +1,8 @@
MAILTO="{{ ssl_support_email }}"
MAILTO="{{ matrix_ssl_support_email }}"
# This periodically restarts the Matrix services
# to ensure they're using the latest SSL certificate
# in case it got renewed by the `ssl-certificate-renewal` cronjob
# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
# (which happens once every ~2-3 months).
#
# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
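Review bot: The rename on the MAILTO line from `ssl_support_email` to `matrix_ssl_support_email` breaks existing inventories that still define only the old name. Ansible treats an undefined variable as a templating error by default, so this cron file will stop rendering for them. Please confirm the commit message or the README calls out the rename as a required variable change, or keep a fallback for one release, for example by defaulting the new variable to the old one.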

View File

@@ -1,4 +1,4 @@
MAILTO="{{ ssl_support_email }}"
MAILTO="{{ matrix_ssl_support_email }}"
# The goal of this cronjob is to ask acmetool to check
# the current SSL certificates and to see if some need renewal.
@@ -18,4 +18,4 @@ MAILTO="{{ ssl_support_email }}"
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
# because it aliases `/.well-known/acme-challenge` to that same directory.
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
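Review bot: The rewritten cron line still runs `willwill/acme-docker` with no tag or digest, as root, with `--net=host`, and with `{{ matrix_ssl_certs_path }}` mounted read-write at `/certs`. Whatever that image name resolves to at pull time gets host networking and write access to the directory that holds the certificates and their private keys. Since this line is being touched anyway, consider pinning the image to a specific tag or digest (ideally through a playbook variable) so the renewal job cannot silently pick up a different image. Separately, quoting the `ACME_EMAIL={{ matrix_ssl_support_email }}` value would keep an address containing shell metacharacters from changing the command.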