CCCHH/ansible-infra
CCCHH/ansible-infra
18
0
Fork 0
Code Issues 5 Pull requests Wiki Activity

light: use new combined cert and make server reachable over v6

Browse source 
The server being reachable over v6 is needed for the new method of
getting the cert directly via http challenge over v6.
This commit is contained in:
June 2024-07-30 00:14:09 +02:00
parent a23c152d8e
commit 70a27ec79c
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
5 changed files with 68 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
inventories/z9/host_vars/light.yaml
View file

@ -53,9 +53,7 @@ ola__configs:
nginx__version_spec: "" nginx__version_spec: ""
nginx__deploy_redirect_conf: false nginx__deploy_redirect_conf: false
nginx__configurations: nginx__configurations:
- name: light.ccchh.net - name: light
content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light.ccchh.net.conf') }}" content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light.conf') }}"
- name: light-werkstatt.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light-werkstatt.ccchh.net.conf') }}"
- name: http_handler - name: http_handler
content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/http_handler.conf') }}" content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/http_handler.conf') }}"

2
playbooks/files/z9/configs/light/nginx/http_handler.conf
View file

@ -1,6 +1,6 @@
server { server {
listen 80 default_server; listen 80 default_server;
#listen [::]:80 default_server; listen [::]:80 default_server;
server_name _; server_name _;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {

25
playbooks/files/z9/configs/light/nginx/light-werkstatt.ccchh.net.conf
View file

@ -1,25 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name light-werkstatt.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}

25
playbooks/files/z9/configs/light/nginx/light.ccchh.net.conf
View file

@ -1,25 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name light.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}

65
playbooks/files/z9/configs/light/nginx/light.conf Normal file
View file

@ -0,0 +1,65 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light-werkstatt.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light.z9.ccchh.net ;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
location / {
return 307 https://light.ccchh.net$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}