From b9517487fde12fcc54073e58f8097fc3db966d0b Mon Sep 17 00:00:00 2001
From: "J. Doe"
Date: Thu, 3 Oct 2019 04:04:52 +0200
Subject: [PATCH] try to do certbot on VPS
---
 Vagrantfile | 21 +++++--------
 certbot.yml | 9 ++++++
 certificate.yml | 7 +++++
 main.yml | 40 ++++++++++++++++++++++++
 postgres.yml | 1 +
 requirements.yml | 1 +
 setup.yml | 11 -------
 synapse.yml | 6 ++--
 ubuntu-bionic-18.04-cloudimg-console.log | 0
 9 files changed, 68 insertions(+), 28 deletions(-)
 create mode 100644 certbot.yml
 create mode 100644 main.yml
 delete mode 100644 setup.yml
 create mode 100644 ubuntu-bionic-18.04-cloudimg-console.log
diff --git a/Vagrantfile b/Vagrantfile
index 677fb9a..3b30d30 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -28,9 +28,9 @@ Vagrant.configure("2") do |config|
 # Create a forwarded port mapping which allows access to a specific port
 # within the machine from a port on the host machine and only allow access
 # via 127.0.0.1 to disable public access
- config.vm.network "forwarded_port", guest: 8008, host: 8008, host_ip: "127.0.0.1"
- config.vm.network "forwarded_port", guest: 8448, host: 8448, host_ip: "127.0.0.1"
- config.vm.network "forwarded_port", guest: 443, host: 443, host_ip: "127.0.0.1"
+ config.vm.network "forwarded_port", guest: 8008, host: 8008
+ config.vm.network "forwarded_port", guest: 8448, host: 8448
+ config.vm.network "forwarded_port", guest: 443, host: 443
 
 # Create a private network, which allows host-only access to the machine
 # using a specific IP.
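Review bot: Removing `host_ip: "127.0.0.1"` from the three forwarded_port lines binds host ports 8008, 8448 and 443 on all of the host's interfaces, so the guest's Synapse and TLS listeners become reachable from the host's network while the comment three lines above still says access is allowed "only via 127.0.0.1 to disable public access". If exposing them is deliberate (for example so an ACME challenge can reach the VM), update the comment to match, e.g. `# Exposed on all host interfaces (not loopback-only) so the guest is reachable from outside the host`; otherwise keep `host_ip` and open only the port the challenge needs. A host port below 1024 such as 443 is also likely to need elevated privileges on the host — confirm for the platform in use.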
@@ -58,15 +58,8 @@ Vagrant.configure("2") do |config|
 # Customize the amount of memory on the VM:
 vb.memory = "4096"
 end
- #
- # View the documentation for the provider you are using for more
- # information on available options.
-
- # Enable provisioning with a shell script. Additional provisioners such as
- # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
- # documentation for more information about their specific syntax and use.
- # config.vm.provision "shell", inline: <<-SHELL
- # apt-get update
- # apt-get install -y apache2
- # SHELL
+
+ config.vm.provision "ansible" do |ansible|
+ ansible.playbook = "setup.yml"
+ end
 end
diff --git a/certbot.yml b/certbot.yml
new file mode 100644
index 0000000..a511d81
--- /dev/null
+++ b/certbot.yml
@@ -0,0 +1,9 @@
+---
+- hosts: synapse
+ vars:
+ certbot_certs:
+ - email: core@fuz.re
+ domains:
+ - {{ ansible_host }}
+ # - riot.fuz.re
+ roles: geerlingguy.ansible-role-certbot
diff --git a/certificate.yml b/certificate.yml
index 73018cc..06e8841 100644
--- a/certificate.yml
+++ b/certificate.yml
@@ -1,3 +1,10 @@
 # Correctly setup Let's Encrypt certificate renewal
 # https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html
+# - import_playbook: nginx-letsencrypt.yml
+
+# - import_playbook: openssl.yml
+# when: public_ipv4 = false
+
+# when: public_ipv4 = true
+include_role: certbot.yml
 # https://github.com/geerlingguy/ansible-role-certbot
\ No newline at end of file
diff --git a/main.yml b/main.yml
new file mode 100644
index 0000000..0a0d812
--- /dev/null
+++ b/main.yml
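Review bot: `ansible.playbook = "setup.yml"` points at a file this same commit deletes (setup.yml is removed and its content moved to main.yml), so `vagrant provision` will fail to find the playbook; it should read `ansible.playbook = "main.yml"`. The commit also adds an empty ubuntu-bionic-18.04-cloudimg-console.log, a VirtualBox console-log artifact Vagrant writes next to the Vagrantfile, which belongs in .gitignore rather than in the repository.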
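Review bot: `- {{ ansible_host }}` is unquoted, and a YAML value that starts with `{` is parsed as a flow mapping, so this file fails to load before Ansible sees it; write `- "{{ ansible_host }}"`. `roles:` is given a bare string where the play keyword expects a list (`roles:` followed by `  - geerlingguy.certbot`), and the Galaxy role is published as geerlingguy.certbot while ansible-role-certbot is the GitHub repository name, so confirm the name matches what requirements.yml actually installs. If ansible_host is the Vagrant VM's IP address, Let's Encrypt will not issue a certificate for an IP literal; the entry needs a DNS name that resolves to the host (the commented riot.fuz.re suggests one is intended).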
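Review bot: `include_role: certbot.yml` sits at the top level of the file, but a playbook file must be a list of plays, and `include_role` is a task keyword that takes a role name rather than a file. To chain the new certbot.yml the line should be `- import_playbook: certbot.yml`, and certificate.yml itself then needs to be imported from main.yml, which currently imports only postgres.yml and synapse.yml. The commented conditions use `= false`/`= true`; when they are re-enabled a `when:` needs `==`, or simply `when: public_ipv4` and `when: not public_ipv4`.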
@@ -0,0 +1,40 @@
+---
+
+- hosts:
+ - synapse
+
+ handlers:
+ - name: reboot
+ reboot:
+
+ pre_tasks:
+
+ - apt:
+ update_cache: yes
+
+ - name: Disable IPv6
+ blockinfile:
+ path: /etc/sysctl.conf
+ block: |
+ net.ipv6.conf.all.disable_ipv6 = 1
+ net.ipv6.conf.default.disable_ipv6 = 1
+ net.ipv6.conf.lo.disable_ipv6 = 1
+ notify: reboot
+
+ - name: apply ipv6 disable
+ command: sysctl -p
+ become: yes
+
+ - name: check ipv6 state
+ shell: cat /proc/sys/net/ipv6/conf/all/disable_ipv6
+ register: command_result
+ failed_when: "'1' not in command_result.stdout"
+
+ - apt:
+ name: python-pip
+ roles:
+ - geerlingguy.pip
+
+- import_playbook: postgres.yml
+# todo: create synapse user
+- import_playbook: synapse.yml
\ No newline at end of file
diff --git a/postgres.yml b/postgres.yml
index 5c285aa..8f660ef 100644
--- a/postgres.yml
+++ b/postgres.yml
@@ -1,4 +1,5 @@
 - hosts: synapse
+ become: yes
 tasks:
 - pip:
 name: psycopg2
diff --git a/requirements.yml b/requirements.yml
index 26f2666..8ba10fc 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,6 +1,7 @@
 # from galaxy
 - src: geerlingguy.pip
 - src: geerlingguy.postgresql
+- src: geerlingguy.ansible-role-certbot
 
 # from GitHub, overriding the name and specifying a specific tag
 # - src: https://github.com/bennojoy/nginx
diff --git a/setup.yml b/setup.yml
deleted file mode 100644
index 38cc57d..0000000
--- a/setup.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-
-- hosts:
- - synapse
-
- roles:
- - geerlingguy.pip
-
-- import_playbook: postgres.yml
-# todo: create synapse user
-- import_playbook: synapse.yml
\ No newline at end of file
diff --git a/synapse.yml b/synapse.yml
index f0cf439..57a4ba5 100644
--- a/synapse.yml
+++ b/synapse.yml
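Review bot: Only the `sysctl -p` task carries `become: yes`; the two `apt` tasks and the `blockinfile` that edits /etc/sysctl.conf also need root, and the play has no play-level `become`, so provisioning as the unprivileged Vagrant user stops at the first apt task. postgres.yml in this same commit sets `become: yes` at play level; do the same here. The three IPv6 tasks (blockinfile, `sysctl -p`, then a `shell` cat with failed_when) can be one idempotent `sysctl` module task that both persists and applies the values and fails on its own if a value cannot be set, which also removes the need for the `reboot` handler; a plain `cat` should be `command` rather than `shell` in any case. Disabling IPv6 also matters for the certbot play added in this commit if the chosen domain has an AAAA record, so the reason for disabling it deserves a comment on the task.
```yaml
- hosts:
    - synapse
  become: yes

  pre_tasks:
    # … unchanged: apt update_cache task …

    - name: Disable IPv6 (persist in /etc/sysctl.conf and apply immediately)
      sysctl:
        name: "{{ item }}"
        value: "1"
        state: present
        sysctl_set: yes
        reload: yes
      loop:
        - net.ipv6.conf.all.disable_ipv6
        - net.ipv6.conf.default.disable_ipv6
        - net.ipv6.conf.lo.disable_ipv6

    # … unchanged: python-pip apt task …
  # … unchanged: roles and import_playbook lines …
```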
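Review bot: `- src: geerlingguy.ansible-role-certbot` has no `version:`, and neither do the two roles above it, so every `ansible-galaxy install -r requirements.yml` pulls whatever the role's latest release happens to be; pin a tag with `version:` next to each `src:` so the code that runs as root on the host is reproducible and reviewable. Also double-check the name: on Galaxy the role is published as geerlingguy.certbot while ansible-role-certbot is the GitHub repository, and certbot.yml must reference the same name the install produces.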
@@ -18,10 +18,10 @@ matrix_synapse_report_stats: false # Report stats to matrix.org?
 matrix_synapse_extra_config:
 # no_tls:true disables port 8448
- no_tls: true
+ no_tls: false
 # If false:
- # matrix_synapse_tls_cert: ""
- # matrix_synapse_tls_key: ""
+ matrix_synapse_tls_cert: ""
+ matrix_synapse_tls_key: ""
 # pre_tasks:
 # tasks:
diff --git a/ubuntu-bionic-18.04-cloudimg-console.log b/ubuntu-bionic-18.04-cloudimg-console.log
new file mode 100644
index 0000000..e69de29
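Review bot: With `no_tls: false` Synapse now terminates TLS itself, but `matrix_synapse_tls_cert: ""` and `matrix_synapse_tls_key: ""` give it no certificate or key to load, so the 8448 listener cannot come up; point them at the files the new certbot.yml obtains (certbot's default layout is /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem — constructed example, substitute the real domain). The private key there is readable by root only by default, so the synapse user needs a certbot deploy hook or a copy with restricted permissions rather than a world-readable key. If `matrix_synapse_extra_config` is passed through to homeserver.yaml verbatim, Synapse's own keys are `tls_certificate_path` and `tls_private_key_path`, so check the role's variable names before relying on these two. The comment `# If false:` now sits above active settings and still reads as if they were optional; rewrite it as `# Required when no_tls is false: paths to the certbot-issued certificate and key`.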