From 6ac4bf8240e1a484eb2de9177cd25fc81ff69268 Mon Sep 17 00:00:00 2001
From: julian
Date: Wed, 2 Aug 2023 23:17:31 +0200
Subject: [PATCH] Deploy certs for wiki.ccchh.net using certbot role

Also clean up NGINX configurations.
---
 inventories/z9/host_vars/wiki.yaml | 10 +++-------
 inventories/z9/hosts.yaml | 2 +-
 .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +-
 .../files/configs/wiki/nginx/http_handler.conf | 14 --------------
 .../files/configs/wiki/nginx/wiki.ccchh.net.conf | 6 +++---
 5 files changed, 8 insertions(+), 26 deletions(-)
 delete mode 100644 playbooks/files/configs/wiki/nginx/http_handler.conf

diff --git a/inventories/z9/host_vars/wiki.yaml b/inventories/z9/host_vars/wiki.yaml
index ea1bce3..73ef060 100644
--- a/inventories/z9/host_vars/wiki.yaml
+++ b/inventories/z9/host_vars/wiki.yaml
@@ -1,13 +1,9 @@
 nginx__version_spec: ""
-nginx__deploy_redirect_conf: false
 nginx__configurations:
-  - name: http_handler
-    content: "{{ lookup('ansible.builtin.file', 'configs/wiki/nginx/http_handler.conf') }}"
   - name: wiki.ccchh.net
     content: "{{ lookup('ansible.builtin.file', 'configs/wiki/nginx/wiki.ccchh.net.conf') }}"
-cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
-cert__domains:
+certbot__version_spec: ""
+certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
+certbot__certificate_domains:
   - "wiki.ccchh.net"
-cert__bind_9_host: authoritative-dns
-cert__bind_9_zone: ccchh.net
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 6ffe9fd..16cd681 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -52,12 +52,12 @@ all:
     cert_hosts:
       hosts:
         esphome:
-        wiki:
         engelsystem:
     certbot_hosts:
      hosts:
        zigbee2mqtt:
        keycloak:
+       wiki:
     ssh_server_config_hosts:
       hosts:
         keycloak:
diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
index 0f13d88..a7fab56 100644
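Review bot: Dropping `nginx__deploy_redirect_conf: false` together with the `http_handler` vhost leaves this host's plain-HTTP behaviour implicit: nothing in the new wiki.yaml says what listens on port 80, so whether http://wiki.ccchh.net still redirects to HTTPS now depends on the nginx role's default for that variable, which is not visible in this commit. If the role's default does deploy a redirect, I would state it explicitly with `nginx__deploy_redirect_conf: true` plus a comment such as `# port 80 is handled by the role's redirect conf; ACME challenges reach this host via the public reverse proxy on 31820` so that a later reader does not reintroduce a `default_server` block that competes with it. If the default is not a redirect, a first visit over HTTP would simply fail rather than be upgraded, and HSTS only helps browsers that have already seen the site over HTTPS. The hosts.yaml hunk (wiki moved from `cert_hosts` to `certbot_hosts`) is consistent with this and needs no change on its own.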
--- a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
@@ -6,7 +6,7 @@ map $host $upstream_acme_challenge_host {
     thinkcccore1.ccchh.net 10.31.242.4;
     thinkcccore2.ccchh.net 10.31.242.5;
     thinkcccore3.ccchh.net 10.31.242.6;
-    wiki.ccchh.net 10.31.206.13;
+    wiki.ccchh.net 10.31.206.13:31820;
     zigbee2mqtt.ccchh.net 10.31.208.25:31820;
     id.ccchh.net 10.31.206.12:31820;
     keycloak-admin.ccchh.net 10.31.206.12:31820;
diff --git a/playbooks/files/configs/wiki/nginx/http_handler.conf b/playbooks/files/configs/wiki/nginx/http_handler.conf
deleted file mode 100644
index 2dcf7d9..0000000
--- a/playbooks/files/configs/wiki/nginx/http_handler.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-server {
-    listen 80 default_server;
-    #listen [::]:80 default_server;
-    server_name _;
-
-    location /.well-known/acme-challenge/ {
-        autoindex on;
-        root /webroot-for-acme-challenge;
-    }
-
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
diff --git a/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf b/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
index c875c71..856db70 100644
--- a/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
+++ b/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
@@ -14,10 +14,10 @@ server {
     server_name wiki.ccchh.net;
-    ssl_certificate /etc/ansible_certs/certs/wiki.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/ansible_certs/certs/wiki.ccchh.net/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/wiki.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/wiki.ccchh.net/privkey.pem;
     # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/ansible_certs/certs/wiki.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/wiki.ccchh.net/chain.pem;
     # HSTS (ngx_http_headers_module is required) (63072000 seconds)
     add_header Strict-Transport-Security "max-age=63072000" always;
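Review bot: The new `/etc/letsencrypt/live/wiki.ccchh.net/*.pem` paths are read by nginx only at start or reload, so unless the certbot role installs a deploy hook that reloads nginx after each renewal, a renewed certificate will sit on disk while the expiring one keeps being served until the next unrelated reload; that hook is not visible in this commit and should be confirmed. I would record the dependency above the first directive: `# managed by certbot; a renewal must trigger an nginx reload (certbot deploy hook), otherwise the old cert stays loaded`. Pointing `ssl_trusted_certificate` at `chain.pem` is the correct input for OCSP stapling verification, so that part needs no change. The enclosing `server {` block begins and ends outside the hunk.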