matrix-docker-ansible-deploy
Traefik directories are not automatically created
Describe the bug

Traefik directories are not automatically created when the "Using your own SSL certificates" path is chosen.

To Reproduce
My `vars.yml` file looks like this:

```yaml
---
# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: apexaltruism.net

# The Matrix homeserver software to install.
# See:
# - `roles/custom/matrix-base/defaults/main.yml` for valid options
# - the `docs/configuring-playbook-IMPLEMENTATION_NAME.md` documentation page, if one is available for your implementation choice
matrix_homeserver_implementation: synapse

# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: 'sasasasasasasasasasasasasasasasasasasasasasasasa'

# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
# It will retrieve SSL certificates for you on-demand and forward requests to all other components.
# For alternatives, see `docs/configuring-playbook-own-webserver.md`.
matrix_playbook_reverse_proxy_type: playbook-managed-traefik

# Ensure that public urls use https
matrix_playbook_ssl_enabled: true

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: [email protected]
devture_traefik_config_certificatesResolvers_acme_email: ''

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
devture_postgres_connection_password: 'P455W0RD'

# For testing or other purposes, you may wish to install services without SSL termination and
# have services exposed to http:// instead of https://.
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval.
# This has the side-effect of also automatically disabling TLS for the matrix-federation entrypoint
# (by toggling `matrix_federation_traefik_entrypoint_tls`).
devture_traefik_config_entrypoint_web_secure_enabled: false

# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
# a reverse-proxy running on the local machine is safe enough.
# If you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interface:
# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition below
# - uncomment and adjust the `devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` line below
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']

# Disable ACME / Let's Encrypt support.
devture_traefik_config_certificatesResolvers_acme_enabled: false

# Disabling ACME support (above) automatically disables the creation of the SSL directory.
# Force-enable it here, because we'll add our certificate files there.
devture_traefik_ssl_dir_enabled: true

# Expose the federation entrypoint on a custom port (other than port 8448, which is normally used publicly).
#
# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
# a reverse-proxy running on the local machine is safe enough.
#
# If your reverse-proxy runs on another machine, consider:
# - using `0.0.0.0:8449`, just `8449` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:8449` below
# - adjusting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom` (below) - removing `insecure: true` and enabling/configuring `trustedIPs`
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.0.1:8449'

# Depending on the value of `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port` above,
# this may need to be reconfigured. See the comments above.
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
  forwardedHeaders:
    insecure: true
    trustedIPs: ['192.168.192.100']

# Tell Traefik to load our custom configuration file (certificates.yml).
# The file is created below, in `aux_file_definitions`.
# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
devture_traefik_configuration_extension_yaml: |
  providers:
    file:
      filename: /config/certificates.yml
      watch: true

# Use the aux role to create our custom files on the server.
# If you'd like to do this manually, you remove this `aux_file_definitions` variable.
aux_file_definitions:
  # Create the privkey.pem file on the server by
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
    src: /home/fedohide-origin/data/apexaltruism.net/privkey.pem
    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
    # Note the indentation level.
    # content: |
    #   FILE CONTENT
    #   HERE

  # Create the cert.pem file on the server
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem"
    src: /home/fedohide-origin/data/apexaltruism.net/cert.pem
    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
    # Note the indentation level.
    # content: |
    #   FILE CONTENT
    #   HERE

  # Create the custom Traefik configuration.
  # The `/ssl/..` paths below are in-container paths, not paths on the host (`/matrix/traefik/ssl/..`). Do not change them!
  - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
    content: |
      tls:
        certificates:
          - certFile: /ssl/cert.pem
            keyFile: /ssl/privkey.pem
        stores:
          default:
            defaultCertificate:
              certFile: /ssl/cert.pem
              keyFile: /ssl/privkey.pem

# By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file.
# If this value is an external IP address, you can skip this section.
#
# If `ansible_host` is not the server's external IP address, you have 2 choices:
# 1. Uncomment the line below, to allow IP address auto-detection to happen (more on this below)
# 2. Uncomment and adjust the line below to specify an IP address manually
#
# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API.
# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the Coturn role
# (see `roles/custom/matrix-coturn/defaults/main.yml`).
#
# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses.
# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
#
# matrix_coturn_turn_external_ip_address: ''
```

`inventory/hosts`:

```ini
# We explicitly ask for your server's external IP address, because the same value is used for configuring Coturn.
# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
#
# To connect using a non-root user (and elevate to root with sudo later),
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`.
# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line
# or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands.
#
# For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
# If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
# to the host line below or by adding `ansible_ssh_pipelining: False` to your variables file.
#
# If you're running this Ansible playbook on the same server as the one you're installing to,
# consider adding an additional `ansible_connection=local` argument to the host line below.
#
# Ansible may fail to discover which Python interpreter to use on the host for some distros (like Ubuntu 20.04).
# You may sometimes need to explicitly add the argument `ansible_python_interpreter=/usr/bin/python3`
# to the host line below.

[matrix_servers]
matrix.apexaltruism.net ansible_host=192.168.0.211 ansible_ssh_user=centvirt-slva become=true become_user=root
```
Command used

```sh
ansible-playbook --key-file=/home/fedohide-origin/.ssh/frontier -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start
```

Expected behavior

I expect the directories to be created automatically and then the files to be moved into them.

What happens instead
```text
TASK [galaxy/auxiliary : Ensure AUX files are created] *************************************************
failed: [matrix.apexaltruism.net] (item=/matrix/traefik/ssl/privkey.pem) => changed=false
  ansible_loop_var: item
  checksum: 12e54d7930e615dea175797b9792638b3e1048bb
  item:
    dest: /matrix/traefik/ssl/privkey.pem
    src: /home/fedohide-origin/data/apexaltruism.net/privkey.pem
  msg: Destination directory /matrix/traefik/ssl does not exist
failed: [matrix.apexaltruism.net] (item=/matrix/traefik/ssl/cert.pem) => changed=false
  ansible_loop_var: item
  checksum: 4ff171b003c0c9d5f37158c99f522a7590ad2d56
  item:
    dest: /matrix/traefik/ssl/cert.pem
    src: /home/fedohide-origin/data/apexaltruism.net/cert.pem
  msg: Destination directory /matrix/traefik/ssl does not exist
failed: [matrix.apexaltruism.net] (item=/matrix/traefik/config/certificates.yml) => changed=false
  ansible_loop_var: item
  checksum: 50550a5ace0de7a63f286a5da5bbd00a9cea5d2c
  item:
    content: |-
      tls:
        certificates:
          - certFile: /ssl/cert.pem
            keyFile: /ssl/privkey.pem
        stores:
          default:
            defaultCertificate:
              certFile: /ssl/cert.pem
              keyFile: /ssl/privkey.pem
    dest: /matrix/traefik/config/certificates.yml
  msg: Destination directory /matrix/traefik/config does not exist

PLAY RECAP *********************************************************************************************
matrix.apexaltruism.net : ok=148 changed=51 unreachable=0 failed=1 skipped=300 rescued=0 ignored=0
```

```text
TASK [galaxy/auxiliary : Ensure AUX files are created] *************************************************
changed: [matrix.apexaltruism.net] => (item=/matrix/traefik/ssl/privkey.pem)
changed: [matrix.apexaltruism.net] => (item=/matrix/traefik/ssl/cert.pem)
failed: [matrix.apexaltruism.net] (item=/matrix/traefik/config/certificates.yml) => changed=false
  ansible_loop_var: item
  checksum: 50550a5ace0de7a63f286a5da5bbd00a9cea5d2c
  item:
    content: |-
      tls:
        certificates:
          - certFile: /ssl/cert.pem
            keyFile: /ssl/privkey.pem
        stores:
          default:
            defaultCertificate:
              certFile: /ssl/cert.pem
              keyFile: /ssl/privkey.pem
    dest: /matrix/traefik/config/certificates.yml
  msg: Destination directory /matrix/traefik/config does not exist

PLAY RECAP *********************************************************************************************
matrix.apexaltruism.net : ok=150 changed=4 unreachable=0 failed=1 skipped=297 rescued=0 ignored=0
```
Manual mitigation attempted

- Execute the following commands on the server on which Matrix is to be deployed:

  ```sh
  sudo mkdir -p /matrix/traefik/config
  sudo mkdir -p /matrix/traefik/ssl
  sudo chown -R matrix:matrix /matrix/
  ```

- Restart the playbook execution.
Matrix Server:

```text
Static hostname: centvirt-slva.apexaltruism.net
Icon name: computer-vm
Chassis: vm 🖴
Machine ID: NOPE
Boot ID: NOPE
Virtualization: kvm
Operating System: CentOS Stream 9
CPE OS Name: cpe:/o:centos:centos:9
Kernel: Linux 5.14.0-432.el9.x86_64
Architecture: x86-64
Hardware Vendor: QEMU
Hardware Model: Standard PC (Q35 + ICH9, 2009)
Firmware Version: Arch Linux 1.16.3-1-1
```

Ansible: If your problem appears to be with Ansible, tell us:

- where you run Ansible -- e.g. on the Matrix server itself; on another computer (which OS? distro? standard installation or containerized Ansible?)

```text
Static hostname: fedohide-origin.apexaltruism.net
Icon name: computer-vm
Chassis: vm 🖴
Machine ID: NOPE
Boot ID: NOPE
Virtualization: kvm
Operating System: Fedora Linux 41 (Cloud Edition Prerelease)
CPE OS Name: cpe:/o:fedoraproject:fedora:41
OS Support End: Tue 2025-05-13
OS Support Remaining: 1y 1month 4d
Kernel: Linux 6.9.0-0.rc2.20240403git026e680b0a08.25.fc41.x86_64
Architecture: x86-64
Hardware Vendor: QEMU
Hardware Model: Standard PC (Q35 + ICH9, 2009)
Firmware Version: Arch Linux 1.16.3-1-1
Firmware Date: Tue 2014-04-01
Firmware Age: 10y 1w
```

The machine running Ansible is in the same network as the machine that is supposed to run Matrix.

- what version of Ansible you're running (see `ansible --version`)

```text
ansible [core 2.16.5]
config file = /home/fedohide-origin/projects/matrix-docker-ansible-deploy/ansible.cfg
configured module search path = ['/home/fedohide-origin/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.12/site-packages/ansible
ansible collection location = /home/fedohide-origin/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.12.2 (main, Mar 21 2024, 00:00:00) [GCC 14.0.1 20240316 (Red Hat 14.0.1-0)] (/usr/bin/python3)
jinja version = 3.1.3
libyaml = True
```

Additional context

I already issued it here: #2688

It should still be the same issue: the value `devture_traefik_ssl_dir_enabled` is not being used (no code except in the `vars.yml`). It's probably an easy fix.
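The manual mitigation above, written out as an idempotent script in the shell it is typed into. This is an added example by the editor, not code from the issue or from the playbook. It assumes the host layout from the issue (`/matrix/traefik/config`, `/matrix/traefik/ssl`, owner `matrix:matrix`); the directory modes are this example's own choice, since the playbook's defaults are not shown on this page. Compared with `chown -R matrix:matrix /matrix/`, it touches only the two directories the aux role writes into, keeps the directory holding `privkey.pem` owner-only, and pre-checks the exact condition the failing task reports ("Destination directory ... does not exist") before the playbook is run again.

```sh
#!/bin/sh
# Added example (not from the issue or the playbook): pre-create the Traefik
# directories that the aux role copies the certificate files into.
# Assumptions: host layout /matrix/traefik/{config,ssl} and owner matrix:matrix,
# as in the issue; the directory modes below are this example's choice.

# ensure_traefik_dirs BASE_DIR [OWNER]
# Idempotently creates BASE_DIR/config and BASE_DIR/ssl. config/ only holds the
# file-provider YAML (certificates.yml); ssl/ holds privkey.pem, so it is made
# owner-only. chown runs only when we are root; a non-root caller keeps its own
# ownership, which is what the unit test below relies on.
ensure_traefik_dirs() {
    base="${1:?usage: ensure_traefik_dirs BASE_DIR [OWNER]}"
    owner="${2:-matrix:matrix}"
    mkdir -p "$base/config" "$base/ssl" || return 1
    chmod 0750 "$base/config" || return 1
    chmod 0700 "$base/ssl" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$base" "$base/config" "$base/ssl" || return 1
    fi
    return 0
}

# check_aux_dest DEST...
# Pre-flight for the "Ensure AUX files are created" task: every destination's
# parent directory must already exist, which is exactly the condition whose
# failure the issue shows. Returns 1 and names the first missing directory.
check_aux_dest() {
    for dest in "$@"; do
        parent=$(dirname "$dest")
        if [ ! -d "$parent" ]; then
            echo "Destination directory $parent does not exist" >&2
            return 1
        fi
    done
    return 0
}

# Usage on the Matrix host, as root, before re-running the playbook:
#   sh ensure-traefik-dirs.sh /matrix/traefik matrix:matrix
if [ "$#" -ge 1 ]; then
    ensure_traefik_dirs "$1" "${2:-matrix:matrix}" &&
        check_aux_dest "$1/ssl/privkey.pem" "$1/ssl/cert.pem" "$1/config/certificates.yml"
fi
```

Running it twice is harmless, so it can sit in front of every playbook run until the role creates the directories itself; the pre-flight check fails fast with the same message the task would have produced, rather than partway through a 150-task play.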
I too have encountered this problem, but the solution is simple. Since this problem occurs only with a clean installation, I run the playbook without AUX the first time, and in the second pass I set the certificates and other settings; for this purpose I keep two configs prepared, so as not to comment and uncomment lines. The config for LDAP Traefik authorization also goes in the second pass.