Last active
February 12, 2021 10:52
-
-
Save reixd/42cb14f0a7cc155bb0a9e99ef22615f2 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| ############################################################################### | |
| # | |
| # GLOBAL Config: ansible/inventory/group_vars/all/pki.yml | |
| # | |
| ############################################################################### | |
| # Enable staging env during development | |
| #pki_acme_ca: 'le-staging-v2' | |
| # Do not need special subdomain implictly | |
| pki_default_subdomains: [] | |
| pki_acme_default_subdomains: [] | |
| pki_ca_domain: 'example.net' | |
| pki_ca_organization: 'MySuperCompany' | |
| pki_ca_root_key_size: '8192' | |
| pki_ca_domain_dn: [ 'o={{ pki_ca_organization }}', 'ou=Ops' ] | |
| pki_ca_service_dn: [ 'o={{ pki_ca_organization }}', 'ou=Ops Internal Services' ] | |
| pki_realm_key_size: '4096' | |
| pki_system_ca_certificates_download_all_hosts_force: True | |
| # Additional wildcard realms | |
| pki_realms: | |
| - name: '{{ ansible_domain }}' | |
| acme: False | |
| subject_alt_names: | |
| - 'dns:{{ ansible_domain }}' | |
| - 'dns:*.{{ ansible_domain }}' | |
| - name: '{{ ansible_fqdn }}' | |
| acme: False | |
| subject_alt_names: | |
| - 'dns:*.{{ ansible_fqdn }}' | |
| - 'uri:https://{{ ansible_fqdn }}/' | |
| # Allow to use IPs in the browser and still have a valid TLS cert ;) | |
| - 'IP:127.0.0.1' | |
| - 'IP:0:0:0:0:0:0:0:1' | |
| - '{{ ("IP:" + ansible_default_ipv4.address) | |
| if (ansible_default_ipv4|d() and ansible_default_ipv4.address|d() ) | |
| else [] }}' | |
| - '{{ ("IP:" + ansible_default_ipv6.address) | |
| if (ansible_default_ipv6|d() and ansible_default_ipv6.address|d() ) | |
| else [] }}' | |
| ############################################################################### | |
| # | |
| # HOST Config: ansible/inventory/host_vars/cloud.example.net/pki.yml | |
| # | |
| ############################################################################### | |
| #### TLS/PKI | |
| # TLS certs for the listed realsm with specific domains | |
| pki_host_realms: | |
| - name: 'cloud.example.net' | |
| acme: true | |
| acme_domains: | |
| - 'cloud.example.net' | |
| - 'aliasdomain.example.net' | |
| #### Webserver | |
| nginx__servers: | |
| - name: | |
| # List of domain this VirtualServer listens. The first domain is the main-domain | |
| # and gives the name to the nginx config file | |
| - 'cloud.example.net' | |
| - 'aliasdomain.example.net' | |
| enabled: True | |
| state: 'present' | |
| acme: True | |
| ssl: True | |
| redirect_to_ssl: True | |
| # Fancy location stuff | |
| location: | |
| '/api/': | | |
| proxy_pass https://api_backend_webserver_proxy/; | |
| proxy_hide_header WWW-Authenticate; | |
| '/': | | |
| proxy_pass https://frontend/; | |
| # API Server | |
| - name: | |
| - 'api.example.net | |
| enabled: True | |
| state: 'present' | |
| type: 'proxy' | |
| acme: True | |
| ssl: True | |
| # Specify different TLS certificates not managed by debops and found somewhere else | |
| ssl_crt: '/path/to/other/tls/certs/api.example.net/fullchain.pem' | |
| ssl_key: '/path/to/other/tls/certs/api.example.net/privkey.pem' | |
| redirect_to_ssl: True | |
| location: | |
| '/api/': | | |
| proxy_pass https://api_backend_webserver_proxy/; | |
| proxy_hide_header WWW-Authenticate; | |
| '/': | | |
| proxy_pass https://api_backend_webserver_proxy/; | |
| proxy_hide_header WWW-Authenticate; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment