From 6651f4568d58132ad7160442aaa657f67767d850 Mon Sep 17 00:00:00 2001
From: julian
Date: Wed, 2 Aug 2023 23:07:21 +0200
Subject: [PATCH] Deploy certs for keycloak-admin and id.ccchh.net using certbot role

---
 inventories/z9/host_vars/keycloak.yaml | 7 +++----
 inventories/z9/hosts.yaml | 2 +-
 playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf | 6 +++---
 .../configs/keycloak/nginx/keycloak-admin.ccchh.net.conf | 6 +++---
 .../configs/public-reverse-proxy/nginx/acme_challenge.conf | 2 ++
 5 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/inventories/z9/host_vars/keycloak.yaml b/inventories/z9/host_vars/keycloak.yaml
index 117b263..b152155 100644
--- a/inventories/z9/host_vars/keycloak.yaml
+++ b/inventories/z9/host_vars/keycloak.yaml
@@ -1,12 +1,11 @@
 docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/keycloak/compose.yaml.j2') }}"
 docker_compose__configuration_files: [ ]
 
-cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
-cert__domains:
+certbot__version_spec: ""
+certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
+certbot__certificate_domains:
   - "id.ccchh.net"
   - "keycloak-admin.ccchh.net"
-cert__bind_9_host: authoritative-dns
-cert__bind_9_zone: ccchh.net
 
 nginx__version_spec: ""
 nginx__configurations:
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 866d314..6ffe9fd 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -52,12 +52,12 @@ all:
     cert_hosts:
       hosts:
         esphome:
-        keycloak:
         wiki:
         engelsystem:
     certbot_hosts:
      hosts:
        zigbee2mqtt:
+        keycloak:
     ssh_server_config_hosts:
       hosts:
         keycloak:
diff --git a/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf b/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
index 16b57b7..309c552 100644
--- a/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
+++ b/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
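Review bot: Dropping `cert__bind_9_host`/`cert__bind_9_zone` in favour of `certbot__certificate_domains` changes how the ACME challenge for these two names is answered, but nothing in keycloak.yaml records that or pins the listener the public reverse proxy now forwards to. The acme_challenge.conf hunk in this same commit hard-codes `10.31.206.12:31820` for both names, so the certbot role on this host presumably has to answer HTTP-01 on port 31820; if the role carries its own default port, the two values drift silently and only fail at the next renewal. I would add `# ACME challenges reach this host through the public reverse proxy on port 31820 (see acme_challenge.conf); keep both in sync` above `certbot__certificate_domains:`. Whether the certbot role exposes a port variable that could be set here instead, I can't tell from this diff.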
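Review bot: Moving `keycloak` from `cert_hosts` to `certbot_hosts` stops the old cert role from managing this host, but nothing in the commit removes the private keys the previous nginx configs referenced under `/etc/ansible_certs/certs/id.ccchh.net/` and `/etc/ansible_certs/certs/keycloak-admin.ccchh.net/`, nor whatever DNS-update credential the bind9-based method needed on the host. Unless the cert role cleans up when a host leaves the group (not visible here), that key material stays on disk unused; a one-off removal task, or at least a line in the commit message saying it was removed by hand, would close that.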
@@ -15,10 +15,10 @@ server {
     server_name id.ccchh.net;
 
-    ssl_certificate /etc/ansible_certs/certs/id.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/ansible_certs/certs/id.ccchh.net/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/id.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/id.ccchh.net/privkey.pem;
 
     # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/ansible_certs/certs/id.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/id.ccchh.net/chain.pem;
 
     # HSTS (ngx_http_headers_module is required) (63072000 seconds)
     add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf b/playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf
index 0bff51f..657188f 100644
--- a/playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf
+++ b/playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf
@@ -7,10 +7,10 @@ server {
     server_name keycloak-admin.ccchh.net;
 
-    ssl_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/ansible_certs/certs/keycloak-admin.ccchh.net/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/keycloak-admin.ccchh.net/privkey.pem;
 
     # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/chain.pem;
 
     # HSTS (ngx_http_headers_module is required) (63072000 seconds)
     add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
index f1d4ab0..0f13d88 100644
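Review bot: The new paths assume certbot produces two separate lineages, `/etc/letsencrypt/live/id.ccchh.net/` and `/etc/letsencrypt/live/keycloak-admin.ccchh.net/`, yet the keycloak host_vars list both names under a single `certbot__certificate_domains`; if the role hands them to one certbot run, certbot names the lineage after the first domain and carries the second as a SAN, so the `keycloak-admin.ccchh.net` directory never exists and nginx refuses to start on that `ssl_certificate` line. Either confirm the role issues one certificate per listed domain, or point both server blocks at `/etc/letsencrypt/live/id.ccchh.net/` with a note `# one SAN certificate covers both names; the lineage is named after the first domain`. The same applies to the keycloak-admin.ccchh.net.conf hunk below. Separately, nothing visible here reloads nginx after renewal, so renewed files would sit on disk unserved until the next restart — worth checking the certbot role for a deploy hook. Both server blocks begin outside their hunks.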
--- a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
@@ -8,6 +8,8 @@ map $host $upstream_acme_challenge_host {
     thinkcccore3.ccchh.net 10.31.242.6;
     wiki.ccchh.net 10.31.206.13;
     zigbee2mqtt.ccchh.net 10.31.208.25:31820;
+    id.ccchh.net 10.31.206.12:31820;
+    keycloak-admin.ccchh.net 10.31.206.12:31820;
     default "";
 }
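Review bot: Both new entries forward to `10.31.206.12:31820`, so the keycloak host has to answer the challenge on that port, but nothing in the keycloak host_vars in this commit pins 31820; it matches the zigbee2mqtt entry, which suggests a role-wide default that this map silently depends on. A comment on the map would make the coupling visible: `# port must match the certbot role's HTTP challenge listener on the target host`. A mismatch here only shows up at the first renewal, so a `certbot renew --dry-run` on the keycloak host after deploy would be a cheap confirmation. The `map` block itself begins outside the hunk.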