[global] # Path to source SSL certificate (fullchain recommended) source_cert_path = /etc/letsencrypt/live/example.com/fullchain.pem # Default SSH key for all hosts (can be overridden per host) default_ssh_key = /root/.ssh/id_rsa # ==================== MIKROTIK DEVICES ==================== [mikrotik_router] type = mikrotik hostname = 172.16.0.1 port = 51022 username = admin ssh_key_path = /root/.ssh/id_rsa_proxy # For MikroTik, you need to provide the private key separately source_key_path = /etc/letsencrypt/live/example.com/privkey.pem # Note: check_url not used for MikroTik [mikrotik_switch] type = mikrotik hostname = 192.168.1.50 port = 22 username = admin source_key_path = /etc/letsencrypt/live/example.com/privkey.pem # ==================== PROXMOX SERVERS ==================== [proxmox1] type = proxmox hostname = 10.87.2.150 port = 11922 username = root # For Proxmox, source_key_path can be auto-derived or specified source_key_path = /etc/letsencrypt/live/npm-3/privkey.pem check_url = https://10.87.2.150:8006 [proxmox2] type = proxmox hostname = 10.87.2.151 port = 11922 username = root source_key_path = /etc/letsencrypt/live/npm-3/privkey.pem check_url = https://10.87.2.151:8006 # ==================== HOME ASSISTANT ==================== [homeassistant_supervised] type = standard hostname = 192.168.1.100 port = 22 username = root # Home Assistant Supervised stores SSL in /ssl/ directory remote_cert_path = /usr/share/hassio/ssl/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/usr/share/hassio/ssl/privkey.pem # Home Assistant needs to be restarted via ha command post_upload_command = ha core restart check_url = https://homeassistant.local:8123 [homeassistant_core] type = standard hostname = 192.168.1.101 port = 22 username = homeassistant ssh_key_path = /root/.ssh/homeassistant_key # Home Assistant Core uses the config directory remote_cert_path = /home/homeassistant/.homeassistant/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/home/homeassistant/.homeassistant/privkey.pem post_upload_command = sudo systemctl restart home-assistant@homeassistant check_url = https://192.168.1.101:8123 [homeassistant_docker] type = standard hostname = 192.168.1.102 port = 22 username = root # Home Assistant in Docker - certificate goes to mounted config volume remote_cert_path = /opt/homeassistant/config/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/homeassistant/config/privkey.pem # Restart Docker container post_upload_command = docker restart homeassistant check_url = https://ha.example.com:8123 [homeassistant_haos] type = standard hostname = 192.168.1.103 port = 22 username = root # Home Assistant OS (HassOS) - using SSH add-on remote_cert_path = /ssl/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/ssl/privkey.pem post_upload_command = ha core restart check_url = https://192.168.1.103:8123 # ==================== HOME ASSISTANT WITH NGINX PROXY ==================== [homeassistant_nginx_proxy] type = standard hostname = 192.168.1.104 port = 22 username = root # When using nginx as reverse proxy for Home Assistant remote_cert_path = /etc/nginx/ssl/homeassistant/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/ssl/homeassistant/privkey.pem post_upload_command = nginx -t && systemctl reload nginx check_url = https://ha.example.com # ==================== STANDARD WEB SERVERS ==================== [webserver_nginx] type = standard hostname = 192.168.1.110 port = 22 username = root remote_cert_path = /etc/nginx/ssl/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/ssl/privkey.pem post_upload_command = nginx -t && systemctl reload nginx check_url = https://example.com [webserver_apache] type = standard hostname = 192.168.1.111 port = 2222 username = admin ssh_key_path = /root/.ssh/webserver_key remote_cert_path = /etc/apache2/ssl/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/apache2/ssl/privkey.pem post_upload_command = apachectl configtest && systemctl reload apache2 check_url = https://subdomain.example.com # ==================== MAIL SERVERS ==================== [mailserver_postfix] type = standard hostname = mail.example.com port = 22 username = root remote_cert_path = /etc/postfix/ssl/cert.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/postfix/ssl/privkey.pem post_upload_command = systemctl restart postfix && systemctl restart dovecot # ==================== DOCKER / CONTAINER HOSTS ==================== [docker_traefik] type = standard hostname = 10.0.0.60 port = 22 username = root remote_cert_path = /opt/docker/traefik/certs/cert.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/docker/traefik/certs/key.pem post_upload_command = docker restart traefik check_url = https://traefik.example.com [docker_nginx_proxy_manager] type = standard hostname = 10.0.0.61 port = 22 username = root remote_cert_path = /opt/docker/nginx-proxy-manager/letsencrypt/live/npm-1/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/docker/nginx-proxy-manager/letsencrypt/live/npm-1/privkey.pem post_upload_command = docker exec nginx-proxy-manager nginx -s reload check_url = https://npm.example.com # ==================== STORAGE / NAS ==================== [truenas_scale] type = standard hostname = 10.0.0.70 port = 22 username = root remote_cert_path = /etc/certificates/truenas_cert.crt additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/certificates/truenas_cert.key post_upload_command = midclt call system.general.ui_restart check_url = https://truenas.local [synology_nas] type = standard hostname = 10.0.0.71 port = 22 username = root remote_cert_path = /usr/syno/etc/certificate/system/default/fullchain.pem additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/usr/syno/etc/certificate/system/default/privkey.pem post_upload_command = /usr/syno/sbin/synoservicectl --reload nginx check_url = https://synology.local:5001 # ==================== MAIL SERVER WITH CUSTOM CERTIFICATE ==================== # This server uses mail.company.com certificate [mailserver] type = standard hostname = mail.company.com port = 22 username = root # Override: use mail-specific certificate source_cert_path = /etc/letsencrypt/live/mail.company.com/fullchain.pem remote_cert_path = /etc/postfix/ssl/cert.pem additional_files = /etc/letsencrypt/live/mail.company.com/privkey.pem:/etc/postfix/ssl/privkey.pem post_upload_command = systemctl restart postfix && systemctl restart dovecot check_url = https://mail.company.com:465 # ==================== SUBDOMAIN WITH CUSTOM CERTIFICATE ==================== # This server uses subdomain.org certificate [api_server] type = standard hostname = 192.168.1.200 port = 22 username = ubuntu ssh_key_path = /root/.ssh/api_key # Override: use api-specific certificate source_cert_path = /etc/letsencrypt/live/api.subdomain.org/fullchain.pem remote_cert_path = /etc/nginx/ssl/api/fullchain.pem additional_files = /etc/letsencrypt/live/api.subdomain.org/privkey.pem:/etc/nginx/ssl/api/privkey.pem post_upload_command = systemctl reload nginx check_url = https://api.subdomain.org # ==================== CLIENT SITE WITH CUSTOM CERTIFICATE ==================== # Client's own domain and certificate [client_website] type = standard hostname = 203.0.113.50 port = 2222 username = admin # Override: use client-specific certificate source_cert_path = /etc/letsencrypt/live/client-domain.com/fullchain.pem remote_cert_path = /var/www/ssl/fullchain.pem additional_files = /etc/letsencrypt/live/client-domain.com/privkey.pem:/var/www/ssl/privkey.pem post_upload_command = systemctl reload apache2 check_url = https://www.client-domain.com [client_mikrotik] type = mikrotik hostname = 203.0.113.51 port = 22 username = admin ssh_key_path = /root/.ssh/client_key # Override: use client-specific certificate source_cert_path = /etc/letsencrypt/live/client-domain.com/fullchain.pem source_key_path = /etc/letsencrypt/live/client-domain.com/privkey.pem # ==================== DEVELOPMENT SERVER ==================== # Dev server with staging certificate [dev_server] type = standard hostname = dev.local port = 22 username = developer # Override: use staging certificate for testing source_cert_path = /etc/letsencrypt-staging/live/dev.example.com/fullchain.pem remote_cert_path = /opt/app/ssl/fullchain.pem additional_files = /etc/letsencrypt-staging/live/dev.example.com/privkey.pem:/opt/app/ssl/privkey.pem post_upload_command = docker-compose restart nginx # No check_url - always upload to dev