Deploy certs for keycloak-admin and id.ccchh.net using certbot role

This commit is contained in:
June 2023-08-02 23:07:21 +02:00 committed by julian
parent 154a7dfa02
commit 6651f4568d
5 changed files with 12 additions and 11 deletions

View file

@ -1,12 +1,11 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/keycloak/compose.yaml.j2') }}" docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/keycloak/compose.yaml.j2') }}"
docker_compose__configuration_files: [ ] docker_compose__configuration_files: [ ]
cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz certbot__version_spec: ""
cert__domains: certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
certbot__certificate_domains:
- "id.ccchh.net" - "id.ccchh.net"
- "keycloak-admin.ccchh.net" - "keycloak-admin.ccchh.net"
cert__bind_9_host: authoritative-dns
cert__bind_9_zone: ccchh.net
nginx__version_spec: "" nginx__version_spec: ""
nginx__configurations: nginx__configurations:

View file

@ -52,12 +52,12 @@ all:
cert_hosts: cert_hosts:
hosts: hosts:
esphome: esphome:
keycloak:
wiki: wiki:
engelsystem: engelsystem:
certbot_hosts: certbot_hosts:
hosts: hosts:
zigbee2mqtt: zigbee2mqtt:
keycloak:
ssh_server_config_hosts: ssh_server_config_hosts:
hosts: hosts:
keycloak: keycloak:

View file

@ -15,10 +15,10 @@ server {
server_name id.ccchh.net; server_name id.ccchh.net;
ssl_certificate /etc/ansible_certs/certs/id.ccchh.net/fullchain.pem; ssl_certificate /etc/letsencrypt/live/id.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/ansible_certs/certs/id.ccchh.net/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/id.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ansible_certs/certs/id.ccchh.net/chain.pem; ssl_trusted_certificate /etc/letsencrypt/live/id.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds) # HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=63072000" always;

View file

@ -7,10 +7,10 @@ server {
server_name keycloak-admin.ccchh.net; server_name keycloak-admin.ccchh.net;
ssl_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/fullchain.pem; ssl_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/ansible_certs/certs/keycloak-admin.ccchh.net/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/keycloak-admin.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/chain.pem; ssl_trusted_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds) # HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=63072000" always;

View file

@ -8,6 +8,8 @@ map $host $upstream_acme_challenge_host {
thinkcccore3.ccchh.net 10.31.242.6; thinkcccore3.ccchh.net 10.31.242.6;
wiki.ccchh.net 10.31.206.13; wiki.ccchh.net 10.31.206.13;
zigbee2mqtt.ccchh.net 10.31.208.25:31820; zigbee2mqtt.ccchh.net 10.31.208.25:31820;
id.ccchh.net 10.31.206.12:31820;
keycloak-admin.ccchh.net 10.31.206.12:31820;
default ""; default "";
} }