Use cert role to deploy a valid certificate for zigbee2mqtt.ccchh.net

This commit is contained in:
yuri 2023-05-09 17:24:20 +02:00
parent 1cd0700cf5
commit ca3a30360f
No known key found for this signature in database
GPG key ID: E646779AC54AEC64
3 changed files with 17 additions and 6 deletions

View file

@ -10,6 +10,13 @@ zigbee2mqtt__network_key: !vault |
30303031306635313764323434333465353465366633376432326563666264386431623335613636 30303031306635313764323434333465353465366633376432326563666264386431623335613636
64643434666433363865 64643434666433363865
zigbee2mqtt__initial_config: "{{ lookup('ansible.builtin.template', 'configs/zigbee2mqtt/zigbee2mqtt/configuration.yaml.j2') }}" zigbee2mqtt__initial_config: "{{ lookup('ansible.builtin.template', 'configs/zigbee2mqtt/zigbee2mqtt/configuration.yaml.j2') }}"
cert__acme_account_email: jannes+letsencrypt-ccchh@grzb.de
cert__domains:
- "zigbee2mqtt.ccchh.net"
cert__bind_9_host: authoritative-dns
cert__bind_9_zone: ccchh.net
cert__handlers:
- Restart `nginx.service`
nginx__version_spec: "" nginx__version_spec: ""
nginx__configurations: nginx__configurations:
- name: zigbee2mqtt - name: zigbee2mqtt

View file

@ -1,7 +1,8 @@
--- ---
- name: Deploy zigbee2mqtt on zigbee2mqtt.z9 - name: Deploy zigbee2mqtt on zigbee2mqtt.z9.ccchh.net
become: true become: true
hosts: zigbee2mqtt hosts: zigbee2mqtt
roles: roles:
- zigbee2mqtt - zigbee2mqtt
- cert
- nginx - nginx

View file

@ -2,10 +2,14 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; server_name zigbee2mqtt.ccchh.net;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
server_name zigbee2mqtt.z9; ssl_certificate /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/chain.pem;
add_header Strict-Transport-Security "max-age=63072000" always;
location / { location / {
proxy_pass http://localhost:8080/; proxy_pass http://localhost:8080/;
@ -15,9 +19,8 @@ server {
} }
location /api { location /api {
proxy_pass http://localhost:8080/api; proxy_pass http://localhost:8080/api;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";