Use cert role to deploy a valid certificate for zigbee2mqtt.ccchh.net

2023-05-09 17:24:20 +02:00 · 2023-05-09 17:24:20 +02:00 · ca3a30360f
parent 1cd0700cf5
commit ca3a30360f
3 changed files with 17 additions and 6 deletions
--- a/inventories/z9/host_vars/zigbee2mqtt.yaml
+++ b/inventories/z9/host_vars/zigbee2mqtt.yaml
@ -10,6 +10,13 @@ zigbee2mqtt__network_key: !vault |
          30303031306635313764323434333465353465366633376432326563666264386431623335613636
          64643434666433363865
 zigbee2mqtt__initial_config: "{{ lookup('ansible.builtin.template', 'configs/zigbee2mqtt/zigbee2mqtt/configuration.yaml.j2') }}"
+cert__acme_account_email: jannes+letsencrypt-ccchh@grzb.de
+cert__domains:
+  - "zigbee2mqtt.ccchh.net"
+cert__bind_9_host: authoritative-dns
+cert__bind_9_zone: ccchh.net
+cert__handlers:
+  - Restart `nginx.service`
 nginx__version_spec: ""
 nginx__configurations:
  - name: zigbee2mqtt
--- a/playbooks/deploy_zigbee2mqtt.yaml
+++ b/playbooks/deploy_zigbee2mqtt.yaml
@ -1,7 +1,8 @@
 ---
- name: Deploy zigbee2mqtt on zigbee2mqtt.z9
+- name: Deploy zigbee2mqtt on zigbee2mqtt.z9.ccchh.net
  become: true
  hosts: zigbee2mqtt
  roles:
    - zigbee2mqtt
+    - cert
    - nginx
--- a/playbooks/files/configs/zigbee2mqtt/nginx/zigbee2mqtt.conf
+++ b/playbooks/files/configs/zigbee2mqtt/nginx/zigbee2mqtt.conf
@ -2,10 +2,14 @@ server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;

-    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+    server_name zigbee2mqtt.ccchh.net;

-    server_name zigbee2mqtt.z9;
+    ssl_certificate /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/chain.pem;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://localhost:8080/;
@ -17,7 +21,6 @@ server {
    location /api {
        proxy_pass http://localhost:8080/api;
        proxy_set_header Host $host;
-
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";