1
0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2024-12-12 08:43:55 +02:00
Commit Graph

8 Commits

Author SHA1 Message Date
Slavi Pantaleev
23e4a4734b Switch from acmetool to certbot for SSL certificate retrieval 2018-08-29 09:37:44 +03:00
Slavi Pantaleev
f476e49e64 Make SSL renewal time configurable and nginx-proxy reload time adequate
The matrix-nginx-proxy was reloaded on the 3rd day of the month (`15 4 3 * *`),
which makes no sense - it's too infrequently.

It's in line with the renewal time now (+5 minutes).
2017-11-11 10:38:38 +02:00
Slavi Pantaleev
19e191f0bd Do not assign Docker container name for certificate renewal
Prevents clashes with other services like this one.
2017-10-16 08:42:27 +03:00
Slavi Pantaleev
3a5f82267b Do not use Let's Encrypt certificate for Synapse's federation port
As described here (
https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711
), using own SSL certificates for the federation port is more fragile,
as renewing them could cause federation outages.

The recommended setup is to use the self-signed certificates generated
by Synapse.

On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt
certificates, which ensures API consumers work without having to trust
"our own CA".

Having done this, we also don't need to ever restart Synapse anymore,
as no new SSL certificates need to be applied there.

It's just matrix-nginx-proxy that needs to be restarted, and it doesn't
even need a full restart as an "nginx reload" does the job of swithing
to the new SSL certificates.
2017-09-23 15:29:15 +03:00
Slavi Pantaleev
6962bfcc42 Add support for not taking over a server (no matrix-nginx-proxy) and disabling Riot 2017-09-12 12:41:44 +03:00
Slavi Pantaleev
cb323f5b4c Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl
Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break
2017-09-11 23:50:14 +03:00
Slavi Pantaleev
a3ecb7bfd9 Add http->http redirection for Matrix/Riot
Doing this means that matrix-nginx-proxy now starts
occupying port 80, which necessitates that
SSL renewal happens slightly differently.
2017-08-06 19:10:50 +03:00
Slavi Pantaleev
87f5883f24 Initial commit 2017-07-31 23:08:20 +03:00