try to do certbot on VPS

Vagrantfile

@@ -28,9 +28,9 @@ Vagrant.configure("2") do |config|
   # Create a forwarded port mapping which allows access to a specific port
   # within the machine from a port on the host machine and only allow access
   # via 127.0.0.1 to disable public access
-  config.vm.network "forwarded_port", guest: 8008, host: 8008, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 8008, host: 8008
-  config.vm.network "forwarded_port", guest: 8448, host: 8448, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 8448, host: 8448
-  config.vm.network "forwarded_port", guest: 443, host: 443, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 443, host: 443
 
   # Create a private network, which allows host-only access to the machine
   # using a specific IP.
@@ -58,15 +58,8 @@ Vagrant.configure("2") do |config|
     # Customize the amount of memory on the VM:
     vb.memory = "4096"
   end
-  #
-  # View the documentation for the provider you are using for more
-  # information on available options.
   
-  # Enable provisioning with a shell script. Additional provisioners such as
+  config.vm.provision "ansible" do |ansible|
-  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+    ansible.playbook = "setup.yml"
-  # documentation for more information about their specific syntax and use.
+  end
-  # config.vm.provision "shell", inline: <<-SHELL
-  #   apt-get update
-  #   apt-get install -y apache2
-  # SHELL
 end

certbot.yml

@@ -0,0 +1,9 @@
+---
+- hosts: synapse
+  vars: 
+    certbot_certs: 
+      - email: core@fuz.re
+        domains:
+          - {{ ansible_host }}
+          # - riot.fuz.re
+  roles: geerlingguy.ansible-role-certbot

certificate.yml

@@ -1,3 +1,10 @@
 # Correctly setup Let's Encrypt certificate renewal
 # https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html
+# - import_playbook: nginx-letsencrypt.yml
+
+# - import_playbook: openssl.yml
+# when: public_ipv4 = false
+
+# when: public_ipv4 = true
+include_role: certbot.yml
 # https://github.com/geerlingguy/ansible-role-certbot

main.yml

@@ -0,0 +1,40 @@
+---
+
+- hosts:
+  - synapse
+
+  handlers:
+    - name: reboot
+      reboot:
+
+  pre_tasks:
+
+    - apt:
+        update_cache: yes
+
+    - name: Disable IPv6
+      blockinfile:
+        path: /etc/sysctl.conf
+        block: |
+          net.ipv6.conf.all.disable_ipv6 = 1
+          net.ipv6.conf.default.disable_ipv6 = 1
+          net.ipv6.conf.lo.disable_ipv6 = 1
+      notify: reboot
+
+    - name: apply ipv6 disable
+      command: sysctl -p
+      become: yes
+
+    - name: check ipv6 state
+      shell: cat /proc/sys/net/ipv6/conf/all/disable_ipv6
+      register: command_result
+      failed_when: "'1' not in command_result.stdout"
+
+    - apt:
+        name: python-pip
+  roles:
+  - geerlingguy.pip
+
+- import_playbook: postgres.yml
+# todo: create synapse user
+- import_playbook: synapse.yml

postgres.yml

@@ -1,4 +1,5 @@
 - hosts: synapse
+  become: yes
   tasks:
   - pip:
       name: psycopg2

requirements.yml

@@ -1,6 +1,7 @@
 # from galaxy
 - src: geerlingguy.pip
 - src: geerlingguy.postgresql
+- src: geerlingguy.ansible-role-certbot
 
 # from GitHub, overriding the name and specifying a specific tag
 # - src: https://github.com/bennojoy/nginx

setup.yml

@@ -1,11 +0,0 @@
----
-
-- hosts:
-  - synapse
-
-  roles:
-  - geerlingguy.pip
-
-- import_playbook: postgres.yml
-# todo: create synapse user
-- import_playbook: synapse.yml

synapse.yml

@@ -18,10 +18,10 @@
     matrix_synapse_report_stats: false # Report stats to matrix.org?
     
     matrix_synapse_extra_config: # no_tls:true disables port 8448
-      no_tls: true 
+      no_tls: false 
     # If false:
-    # matrix_synapse_tls_cert: ""
+    matrix_synapse_tls_cert: ""
-    # matrix_synapse_tls_key: ""
+    matrix_synapse_tls_key: ""
 
   # pre_tasks:
   # tasks: