From 154a7dfa02675a05d6228e1d759378bae5fbdc29 Mon Sep 17 00:00:00 2001
From: julian
Date: Wed, 2 Aug 2023 22:53:37 +0200
Subject: [PATCH] Deploy certs for zigbee2mqtt.ccchh.net using new certbot role

Also add certbot role to deploy.yaml playbook and add accompanying group.
---
 inventories/z9/host_vars/zigbee2mqtt.yaml | 11 +++++------
 inventories/z9/hosts.yaml | 4 +++-
 playbooks/deploy.yaml | 5 +++++
 .../public-reverse-proxy/nginx/acme_challenge.conf | 1 +
 .../files/configs/zigbee2mqtt/nginx/zigbee2mqtt.conf | 6 +++---
 5 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/inventories/z9/host_vars/zigbee2mqtt.yaml b/inventories/z9/host_vars/zigbee2mqtt.yaml
index 3e400b6..6437683 100644
--- a/inventories/z9/host_vars/zigbee2mqtt.yaml
+++ b/inventories/z9/host_vars/zigbee2mqtt.yaml
@@ -1,13 +1,12 @@
 zigbee2mqtt__version: "1.32.1"
 zigbee2mqtt__network_key: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/zigbee2mqtt/network_key', create=false, missing='error') }}"
 zigbee2mqtt__initial_config: "{{ lookup('ansible.builtin.template', 'configs/zigbee2mqtt/zigbee2mqtt/configuration.yaml.j2') }}"
-cert__acme_account_email: jannes+letsencrypt-ccchh@grzb.de
-cert__domains:
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
+certbot__certificate_domains:
 - "zigbee2mqtt.ccchh.net"
-cert__bind_9_host: authoritative-dns
-cert__bind_9_zone: ccchh.net
-cert__handlers:
- - Restart `nginx.service`
+
 nginx__version_spec: ""
 nginx__configurations:
 - name: zigbee2mqtt
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 4a0197b..866d314 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -52,10 +52,12 @@ all:
 cert_hosts:
 hosts:
 esphome:
- zigbee2mqtt:
 keycloak:
 wiki:
 engelsystem:
+ certbot_hosts:
+ hosts:
+ zigbee2mqtt:
 ssh_server_config_hosts:
 hosts:
 keycloak:
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index bb078cc..78d6ab7 100644
--- a/playbooks/deploy.yaml
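Review bot: The removed `cert__handlers` entry (`Restart nginx.service`) was the only thing in this host's variables that restarted nginx when the certificate changed, and none of the new `certbot__*` variables carries an equivalent, so unless the certbot role installs a deploy hook of its own, a certificate renewed under `/etc/letsencrypt/live/` will be served by nginx only after its next unrelated restart. If the role exposes a hook or handler variable, set it here to reload `nginx.service`; if it does not, a comment such as `# NOTE: renewal relies on the certbot role's own deploy hook to reload nginx` would at least record the assumption for the next reader. Whether the role provides such a hook cannot be confirmed from this diff.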
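Review bot: Taking `zigbee2mqtt` out of `cert_hosts` stops the cert role from managing this host, but nothing in the patch removes the key and certificate that role previously deployed under `/etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/` (the paths the nginx config used to reference), so a stale private key stays on disk after the switch. Consider a one-off cleanup task or a manual `rm -r` of that directory once the certbot-issued certificate is in place, and mention it in the commit message, e.g. `The old /etc/ansible_certs material on this host must be removed by hand.` Whether the cert role itself prunes de-listed hosts is not visible here.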
+++ b/playbooks/deploy.yaml
@@ -57,6 +57,11 @@
 roles:
 - cert
 
+- name: Ensure certbot and certificate deployment on certbot_hosts
+ hosts: certbot_hosts
+ roles:
+ - certbot
+
 - name: Ensure Docker Compose deployment on docker_compose_hosts
 hosts: docker_compose_hosts
 roles:
diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
index 3174eef..f1d4ab0 100644
--- a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
@@ -7,6 +7,7 @@ map $host $upstream_acme_challenge_host {
 thinkcccore2.ccchh.net 10.31.242.5;
 thinkcccore3.ccchh.net 10.31.242.6;
 wiki.ccchh.net 10.31.206.13;
+ zigbee2mqtt.ccchh.net 10.31.208.25:31820;
 default "";
 }
 
diff --git a/playbooks/files/configs/zigbee2mqtt/nginx/zigbee2mqtt.conf b/playbooks/files/configs/zigbee2mqtt/nginx/zigbee2mqtt.conf
index 1d2639c..9c35e87 100644
--- a/playbooks/files/configs/zigbee2mqtt/nginx/zigbee2mqtt.conf
+++ b/playbooks/files/configs/zigbee2mqtt/nginx/zigbee2mqtt.conf
@@ -4,10 +4,10 @@ server {
 server_name zigbee2mqtt.ccchh.net;
- ssl_certificate /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/fullchain.pem;
- ssl_certificate_key /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/zigbee2mqtt.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/zigbee2mqtt.ccchh.net/privkey.pem;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/ansible_certs/certs/zigbee2mqtt.ccchh.net/chain.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/zigbee2mqtt.ccchh.net/chain.pem;
 add_header Strict-Transport-Security "max-age=63072000" always;
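Review bot: The new `zigbee2mqtt.ccchh.net 10.31.208.25:31820;` entry is the only one in this map that carries an explicit port, and nothing in the file says what answers on that port, so a reader will not know whether the deviation from the bare-address pattern of the other entries is deliberate. A one-line comment above it, such as `# ACME HTTP-01 challenges for this host are answered on 31820, not on port 80 like the other targets`, would record the intent; presumably that is the listener the new certbot role sets up, but that is not visible from this hunk. It is also worth checking that 31820 on the zigbee2mqtt host is reachable only from this reverse proxy, since the map turns it into a public endpoint for the challenge path.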