Deploy certs for aes.ccchh.net using certbot role

Also clean up NGINX configuration a bit.
2023-08-02 23:40:36 +02:00 · 2023-08-02 23:40:36 +02:00 · 48f9a2f901
parent 542211ca25
commit 48f9a2f901
4 changed files with 8 additions and 9 deletions
--- a/inventories/z9/host_vars/engelsystem.yaml
+++ b/inventories/z9/host_vars/engelsystem.yaml
@ -1,14 +1,12 @@
 docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/engelsystem/compose.yaml.j2') }}"
 docker_compose__configuration_files: []

-cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
-cert__domains:
+certbot__version_spec: ""
+certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
+certbot__certificate_domains:
  - "aes.ccchh.net"
-cert__bind_9_host: authoritative-dns
-cert__bind_9_zone: ccchh.net

 nginx__version_spec: ""
-nginx__deploy_redirect_conf: true
 nginx__configurations:
  - name: aes.ccchh.net
    content: "{{ lookup('ansible.builtin.file', 'configs/engelsystem/nginx/aes.ccchh.net.conf') }}"
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -51,13 +51,13 @@ all:
        engelsystem:
    cert_hosts:
      hosts:
-        engelsystem:
    certbot_hosts:
      hosts:
        esphome:
        zigbee2mqtt:
        keycloak:
        wiki:
+        engelsystem:
    ssh_server_config_hosts:
      hosts:
        keycloak:
--- a/playbooks/files/configs/engelsystem/nginx/aes.ccchh.net.conf
+++ b/playbooks/files/configs/engelsystem/nginx/aes.ccchh.net.conf
@ -14,10 +14,10 @@ server {

    server_name aes.ccchh.net;

-    ssl_certificate /etc/ansible_certs/certs/aes.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/ansible_certs/certs/aes.ccchh.net/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/aes.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/aes.ccchh.net/privkey.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/ansible_certs/certs/aes.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/aes.ccchh.net/chain.pem;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
--- a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
@ -11,6 +11,7 @@ map $host $upstream_acme_challenge_host {
    id.ccchh.net 10.31.206.12:31820;
    keycloak-admin.ccchh.net 10.31.206.12:31820;
    esphome.ccchh.net 10.31.208.24:31820;
+    aes.ccchh.net 10.31.206.14:31820;
    default "";
 }