CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 2
Code Issues 6 Pull requests 5 Wiki Activity Actions

Deploy certs for keycloak-admin and id.ccchh.net using certbot role

Browse source
This commit is contained in:
June 2023-08-02 23:07:21 +02:00 committed by julian
commit 6651f4568d
5 changed files with 12 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

7
inventories/z9/host_vars/keycloak.yaml
View file

@ -1,12 +1,11 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/keycloak/compose.yaml.j2') }}"
docker_compose__configuration_files: [ ]
cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
cert__domains:
certbot__version_spec: ""
certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
certbot__certificate_domains:
- "id.ccchh.net"
- "keycloak-admin.ccchh.net"
cert__bind_9_host: authoritative-dns
cert__bind_9_zone: ccchh.net
nginx__version_spec: ""
nginx__configurations:

2
inventories/z9/hosts.yaml
View file

@ -52,12 +52,12 @@ all:
cert_hosts:
hosts:
esphome:
keycloak:
wiki:
engelsystem:
certbot_hosts:
hosts:
zigbee2mqtt:
keycloak:
ssh_server_config_hosts:
hosts:
keycloak:

6
playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
View file

@ -15,10 +15,10 @@ server {
server_name id.ccchh.net;
ssl_certificate /etc/ansible_certs/certs/id.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/ansible_certs/certs/id.ccchh.net/privkey.pem;
ssl_certificate /etc/letsencrypt/live/id.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/id.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ansible_certs/certs/id.ccchh.net/chain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/id.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

6
playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf
View file

@ -7,10 +7,10 @@ server {
server_name keycloak-admin.ccchh.net;
ssl_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/ansible_certs/certs/keycloak-admin.ccchh.net/privkey.pem;
ssl_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/keycloak-admin.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/chain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

2
playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
View file

@ -8,6 +8,8 @@ map $host $upstream_acme_challenge_host {
thinkcccore3.ccchh.net 10.31.242.6;
wiki.ccchh.net 10.31.206.13;
zigbee2mqtt.ccchh.net 10.31.208.25:31820;
id.ccchh.net 10.31.206.12:31820;
keycloak-admin.ccchh.net 10.31.206.12:31820;
default "";
}