options

2025-10-26 23:07:10 +01:00
parent ff578b7fad
commit 4fc21ff635
2 changed files with 469 additions and 43 deletions
--- a/config.ini.example
+++ b/config.ini.example
@@ -1,40 +1,199 @@
 [global]
-# Path to source SSL certificate (can be fullchain or single cert)
+# Path to source SSL certificate (fullchain recommended)
 source_cert_path = /etc/letsencrypt/live/example.com/fullchain.pem

 # Default SSH key for all hosts (can be overridden per host)
 default_ssh_key = /root/.ssh/id_rsa

-[webserver1]
+# ==================== MIKROTIK DEVICES ====================
+
+[mikrotik_router]
+type = mikrotik
+hostname = 172.16.0.1
+port = 51022
+username = admin
+ssh_key_path = /root/.ssh/id_rsa_proxy
+# For MikroTik, you need to provide the private key separately
+source_key_path = /etc/letsencrypt/live/example.com/privkey.pem
+# Note: check_url not used for MikroTik
+
+[mikrotik_switch]
+type = mikrotik
+hostname = 192.168.1.50
+port = 22
+username = admin
+source_key_path = /etc/letsencrypt/live/example.com/privkey.pem
+
+# ==================== PROXMOX HOSTS ====================
+
+[proxmox_node1]
+type = standard
+hostname = pve1.example.com
+port = 22
+username = root
+# Proxmox uses /etc/pve/local/ which is a symlink to /etc/pve/nodes/NODENAME/
+remote_cert_path = /etc/pve/local/pveproxy-ssl.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/pve/local/pveproxy-ssl.key
+post_upload_command = systemctl restart pveproxy
+check_url = https://pve1.example.com:8006
+
+[proxmox_node2]
+type = standard
+hostname = 10.0.0.51
+port = 22
+username = root
+remote_cert_path = /etc/pve/local/pveproxy-ssl.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/pve/local/pveproxy-ssl.key
+post_upload_command = systemctl restart pveproxy
+check_url = https://10.0.0.51:8006
+
+[proxmox_cluster_node]
+type = standard
+hostname = pve-cluster.local
+port = 22
+username = root
+# For clustered Proxmox, certificate is stored per-node
+remote_cert_path = /etc/pve/nodes/pve-cluster/pveproxy-ssl.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/pve/nodes/pve-cluster/pveproxy-ssl.key
+post_upload_command = chmod 600 /etc/pve/nodes/pve-cluster/pveproxy-ssl.key && systemctl restart pveproxy
+check_url = https://pve-cluster.local:8006
+
+# ==================== HOME ASSISTANT ====================
+
+[homeassistant_supervised]
+type = standard
 hostname = 192.168.1.100
 port = 22
 username = root
-remote_cert_path = /etc/nginx/ssl/certificate.pem
-post_upload_command = systemctl reload nginx
+# Home Assistant Supervised stores SSL in /ssl/ directory
+remote_cert_path = /usr/share/hassio/ssl/fullchain.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/usr/share/hassio/ssl/privkey.pem
+# Home Assistant needs to be restarted via ha command
+post_upload_command = ha core restart
+check_url = https://homeassistant.local:8123
+
+[homeassistant_core]
+type = standard
+hostname = 192.168.1.101
+port = 22
+username = homeassistant
+ssh_key_path = /root/.ssh/homeassistant_key
+# Home Assistant Core uses the config directory
+remote_cert_path = /home/homeassistant/.homeassistant/fullchain.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/home/homeassistant/.homeassistant/privkey.pem
+post_upload_command = sudo systemctl restart home-assistant@homeassistant
+check_url = https://192.168.1.101:8123
+
+[homeassistant_docker]
+type = standard
+hostname = 192.168.1.102
+port = 22
+username = root
+# Home Assistant in Docker - certificate goes to mounted config volume
+remote_cert_path = /opt/homeassistant/config/fullchain.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/homeassistant/config/privkey.pem
+# Restart Docker container
+post_upload_command = docker restart homeassistant
+check_url = https://ha.example.com:8123
+
+[homeassistant_haos]
+type = standard
+hostname = 192.168.1.103
+port = 22
+username = root
+# Home Assistant OS (HassOS) - using SSH add-on
+remote_cert_path = /ssl/fullchain.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/ssl/privkey.pem
+post_upload_command = ha core restart
+check_url = https://192.168.1.103:8123
+
+# ==================== HOME ASSISTANT WITH NGINX PROXY ====================
+
+[homeassistant_nginx_proxy]
+type = standard
+hostname = 192.168.1.104
+port = 22
+username = root
+# When using nginx as reverse proxy for Home Assistant
+remote_cert_path = /etc/nginx/ssl/homeassistant/fullchain.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/ssl/homeassistant/privkey.pem
+post_upload_command = nginx -t && systemctl reload nginx
+check_url = https://ha.example.com
+
+# ==================== STANDARD WEB SERVERS ====================
+
+[webserver_nginx]
+type = standard
+hostname = 192.168.1.110
+port = 22
+username = root
+remote_cert_path = /etc/nginx/ssl/fullchain.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/ssl/privkey.pem
+post_upload_command = nginx -t && systemctl reload nginx
 check_url = https://example.com

-[webserver2]
-hostname = 192.168.1.101
+[webserver_apache]
+type = standard
+hostname = 192.168.1.111
 port = 2222
 username = admin
-# Override SSH key for this host
-ssh_key_path = /root/.ssh/webserver2_key
+ssh_key_path = /root/.ssh/webserver_key
 remote_cert_path = /etc/apache2/ssl/fullchain.pem
-post_upload_command = systemctl reload apache2
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/apache2/ssl/privkey.pem
+post_upload_command = apachectl configtest && systemctl reload apache2
 check_url = https://subdomain.example.com

-[mailserver]
+# ==================== MAIL SERVERS ====================
+
+[mailserver_postfix]
+type = standard
 hostname = mail.example.com
 port = 22
 username = root
 remote_cert_path = /etc/postfix/ssl/cert.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/postfix/ssl/privkey.pem
 post_upload_command = systemctl restart postfix && systemctl restart dovecot
-# No check_url - always upload

-[proxmox]
-hostname = 10.0.0.50
+# ==================== DOCKER / CONTAINER HOSTS ====================
+
+[docker_traefik]
+type = standard
+hostname = 10.0.0.60
 port = 22
 username = root
-remote_cert_path = /etc/pve/local/pveproxy-ssl.pem
-post_upload_command = systemctl restart pveproxy
-check_url = https://10.0.0.50:8006
+remote_cert_path = /opt/docker/traefik/certs/cert.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/docker/traefik/certs/key.pem
+post_upload_command = docker restart traefik
+check_url = https://traefik.example.com
+
+[docker_nginx_proxy_manager]
+type = standard
+hostname = 10.0.0.61
+port = 22
+username = root
+remote_cert_path = /opt/docker/nginx-proxy-manager/letsencrypt/live/npm-1/fullchain.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/docker/nginx-proxy-manager/letsencrypt/live/npm-1/privkey.pem
+post_upload_command = docker exec nginx-proxy-manager nginx -s reload
+check_url = https://npm.example.com
+
+# ==================== STORAGE / NAS ====================
+
+[truenas_scale]
+type = standard
+hostname = 10.0.0.70
+port = 22
+username = root
+remote_cert_path = /etc/certificates/truenas_cert.crt
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/certificates/truenas_cert.key
+post_upload_command = midclt call system.general.ui_restart
+check_url = https://truenas.local
+
+[synology_nas]
+type = standard
+hostname = 10.0.0.71
+port = 22
+username = root
+remote_cert_path = /usr/syno/etc/certificate/system/default/fullchain.pem
+additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/usr/syno/etc/certificate/system/default/privkey.pem
+post_upload_command = /usr/syno/sbin/synoservicectl --reload nginx
+check_url = https://synology.local:5001