Deploy certs for keycloak-admin and id.ccchh.net using certbot role
This commit is contained in:
parent
154a7dfa02
commit
6651f4568d
5 changed files with 12 additions and 11 deletions
|
@ -1,12 +1,11 @@
|
|||
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/keycloak/compose.yaml.j2') }}"
|
||||
docker_compose__configuration_files: [ ]
|
||||
|
||||
cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
|
||||
cert__domains:
|
||||
certbot__version_spec: ""
|
||||
certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
|
||||
certbot__certificate_domains:
|
||||
- "id.ccchh.net"
|
||||
- "keycloak-admin.ccchh.net"
|
||||
cert__bind_9_host: authoritative-dns
|
||||
cert__bind_9_zone: ccchh.net
|
||||
|
||||
nginx__version_spec: ""
|
||||
nginx__configurations:
|
||||
|
|
|
@ -52,12 +52,12 @@ all:
|
|||
cert_hosts:
|
||||
hosts:
|
||||
esphome:
|
||||
keycloak:
|
||||
wiki:
|
||||
engelsystem:
|
||||
certbot_hosts:
|
||||
hosts:
|
||||
zigbee2mqtt:
|
||||
keycloak:
|
||||
ssh_server_config_hosts:
|
||||
hosts:
|
||||
keycloak:
|
||||
|
|
|
@ -15,10 +15,10 @@ server {
|
|||
|
||||
server_name id.ccchh.net;
|
||||
|
||||
ssl_certificate /etc/ansible_certs/certs/id.ccchh.net/fullchain.pem;
|
||||
ssl_certificate_key /etc/ansible_certs/certs/id.ccchh.net/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/id.ccchh.net/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/id.ccchh.net/privkey.pem;
|
||||
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate /etc/ansible_certs/certs/id.ccchh.net/chain.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/id.ccchh.net/chain.pem;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
|
|
@ -7,10 +7,10 @@ server {
|
|||
|
||||
server_name keycloak-admin.ccchh.net;
|
||||
|
||||
ssl_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/fullchain.pem;
|
||||
ssl_certificate_key /etc/ansible_certs/certs/keycloak-admin.ccchh.net/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/keycloak-admin.ccchh.net/privkey.pem;
|
||||
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/chain.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/chain.pem;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
|
|
@ -8,6 +8,8 @@ map $host $upstream_acme_challenge_host {
|
|||
thinkcccore3.ccchh.net 10.31.242.6;
|
||||
wiki.ccchh.net 10.31.206.13;
|
||||
zigbee2mqtt.ccchh.net 10.31.208.25:31820;
|
||||
id.ccchh.net 10.31.206.12:31820;
|
||||
keycloak-admin.ccchh.net 10.31.206.12:31820;
|
||||
default "";
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue