256 lines
8.6 KiB
Plaintext
256 lines
8.6 KiB
Plaintext
[global]
|
|
# Path to source SSL certificate (fullchain recommended)
|
|
source_cert_path = /etc/letsencrypt/live/example.com/fullchain.pem
|
|
|
|
# Default SSH key for all hosts (can be overridden per host)
|
|
default_ssh_key = /root/.ssh/id_rsa
|
|
|
|
# ==================== MIKROTIK DEVICES ====================
|
|
|
|
[mikrotik_router]
|
|
type = mikrotik
|
|
hostname = 172.16.0.1
|
|
port = 51022
|
|
username = admin
|
|
ssh_key_path = /root/.ssh/id_rsa_proxy
|
|
# For MikroTik, you need to provide the private key separately
|
|
source_key_path = /etc/letsencrypt/live/example.com/privkey.pem
|
|
# Note: check_url not used for MikroTik
|
|
|
|
[mikrotik_switch]
|
|
type = mikrotik
|
|
hostname = 192.168.1.50
|
|
port = 22
|
|
username = admin
|
|
source_key_path = /etc/letsencrypt/live/example.com/privkey.pem
|
|
|
|
# ==================== PROXMOX SERVERS ====================
|
|
|
|
[proxmox1]
|
|
type = proxmox
|
|
hostname = 10.87.2.150
|
|
port = 11922
|
|
username = root
|
|
# For Proxmox, source_key_path can be auto-derived or specified
|
|
source_key_path = /etc/letsencrypt/live/npm-3/privkey.pem
|
|
check_url = https://10.87.2.150:8006
|
|
|
|
[proxmox2]
|
|
type = proxmox
|
|
hostname = 10.87.2.151
|
|
port = 11922
|
|
username = root
|
|
source_key_path = /etc/letsencrypt/live/npm-3/privkey.pem
|
|
check_url = https://10.87.2.151:8006
|
|
|
|
# ==================== HOME ASSISTANT ====================
|
|
|
|
[homeassistant_supervised]
|
|
type = standard
|
|
hostname = 192.168.1.100
|
|
port = 22
|
|
username = root
|
|
# Home Assistant Supervised stores SSL in /ssl/ directory
|
|
remote_cert_path = /usr/share/hassio/ssl/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/usr/share/hassio/ssl/privkey.pem
|
|
# Home Assistant needs to be restarted via ha command
|
|
post_upload_command = ha core restart
|
|
check_url = https://homeassistant.local:8123
|
|
|
|
[homeassistant_core]
|
|
type = standard
|
|
hostname = 192.168.1.101
|
|
port = 22
|
|
username = homeassistant
|
|
ssh_key_path = /root/.ssh/homeassistant_key
|
|
# Home Assistant Core uses the config directory
|
|
remote_cert_path = /home/homeassistant/.homeassistant/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/home/homeassistant/.homeassistant/privkey.pem
|
|
post_upload_command = sudo systemctl restart home-assistant@homeassistant
|
|
check_url = https://192.168.1.101:8123
|
|
|
|
[homeassistant_docker]
|
|
type = standard
|
|
hostname = 192.168.1.102
|
|
port = 22
|
|
username = root
|
|
# Home Assistant in Docker - certificate goes to mounted config volume
|
|
remote_cert_path = /opt/homeassistant/config/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/homeassistant/config/privkey.pem
|
|
# Restart Docker container
|
|
post_upload_command = docker restart homeassistant
|
|
check_url = https://ha.example.com:8123
|
|
|
|
[homeassistant_haos]
|
|
type = standard
|
|
hostname = 192.168.1.103
|
|
port = 22
|
|
username = root
|
|
# Home Assistant OS (HassOS) - using SSH add-on
|
|
remote_cert_path = /ssl/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/ssl/privkey.pem
|
|
post_upload_command = ha core restart
|
|
check_url = https://192.168.1.103:8123
|
|
|
|
# ==================== HOME ASSISTANT WITH NGINX PROXY ====================
|
|
|
|
[homeassistant_nginx_proxy]
|
|
type = standard
|
|
hostname = 192.168.1.104
|
|
port = 22
|
|
username = root
|
|
# When using nginx as reverse proxy for Home Assistant
|
|
remote_cert_path = /etc/nginx/ssl/homeassistant/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/ssl/homeassistant/privkey.pem
|
|
post_upload_command = nginx -t && systemctl reload nginx
|
|
check_url = https://ha.example.com
|
|
|
|
# ==================== STANDARD WEB SERVERS ====================
|
|
|
|
[webserver_nginx]
|
|
type = standard
|
|
hostname = 192.168.1.110
|
|
port = 22
|
|
username = root
|
|
remote_cert_path = /etc/nginx/ssl/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/ssl/privkey.pem
|
|
post_upload_command = nginx -t && systemctl reload nginx
|
|
check_url = https://example.com
|
|
|
|
[webserver_apache]
|
|
type = standard
|
|
hostname = 192.168.1.111
|
|
port = 2222
|
|
username = admin
|
|
ssh_key_path = /root/.ssh/webserver_key
|
|
remote_cert_path = /etc/apache2/ssl/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/apache2/ssl/privkey.pem
|
|
post_upload_command = apachectl configtest && systemctl reload apache2
|
|
check_url = https://subdomain.example.com
|
|
|
|
# ==================== MAIL SERVERS ====================
|
|
|
|
[mailserver_postfix]
|
|
type = standard
|
|
hostname = mail.example.com
|
|
port = 22
|
|
username = root
|
|
remote_cert_path = /etc/postfix/ssl/cert.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/postfix/ssl/privkey.pem
|
|
post_upload_command = systemctl restart postfix && systemctl restart dovecot
|
|
|
|
# ==================== DOCKER / CONTAINER HOSTS ====================
|
|
|
|
[docker_traefik]
|
|
type = standard
|
|
hostname = 10.0.0.60
|
|
port = 22
|
|
username = root
|
|
remote_cert_path = /opt/docker/traefik/certs/cert.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/docker/traefik/certs/key.pem
|
|
post_upload_command = docker restart traefik
|
|
check_url = https://traefik.example.com
|
|
|
|
[docker_nginx_proxy_manager]
|
|
type = standard
|
|
hostname = 10.0.0.61
|
|
port = 22
|
|
username = root
|
|
remote_cert_path = /opt/docker/nginx-proxy-manager/letsencrypt/live/npm-1/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/docker/nginx-proxy-manager/letsencrypt/live/npm-1/privkey.pem
|
|
post_upload_command = docker exec nginx-proxy-manager nginx -s reload
|
|
check_url = https://npm.example.com
|
|
|
|
# ==================== STORAGE / NAS ====================
|
|
|
|
[truenas_scale]
|
|
type = standard
|
|
hostname = 10.0.0.70
|
|
port = 22
|
|
username = root
|
|
remote_cert_path = /etc/certificates/truenas_cert.crt
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/certificates/truenas_cert.key
|
|
post_upload_command = midclt call system.general.ui_restart
|
|
check_url = https://truenas.local
|
|
|
|
[synology_nas]
|
|
type = standard
|
|
hostname = 10.0.0.71
|
|
port = 22
|
|
username = root
|
|
remote_cert_path = /usr/syno/etc/certificate/system/default/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/usr/syno/etc/certificate/system/default/privkey.pem
|
|
post_upload_command = /usr/syno/sbin/synoservicectl --reload nginx
|
|
check_url = https://synology.local:5001
|
|
|
|
|
|
# ==================== MAIL SERVER WITH CUSTOM CERTIFICATE ====================
|
|
# This server uses mail.company.com certificate
|
|
|
|
[mailserver]
|
|
type = standard
|
|
hostname = mail.company.com
|
|
port = 22
|
|
username = root
|
|
# Override: use mail-specific certificate
|
|
source_cert_path = /etc/letsencrypt/live/mail.company.com/fullchain.pem
|
|
remote_cert_path = /etc/postfix/ssl/cert.pem
|
|
additional_files = /etc/letsencrypt/live/mail.company.com/privkey.pem:/etc/postfix/ssl/privkey.pem
|
|
post_upload_command = systemctl restart postfix && systemctl restart dovecot
|
|
check_url = https://mail.company.com:465
|
|
|
|
# ==================== SUBDOMAIN WITH CUSTOM CERTIFICATE ====================
|
|
# This server uses subdomain.org certificate
|
|
|
|
[api_server]
|
|
type = standard
|
|
hostname = 192.168.1.200
|
|
port = 22
|
|
username = ubuntu
|
|
ssh_key_path = /root/.ssh/api_key
|
|
# Override: use api-specific certificate
|
|
source_cert_path = /etc/letsencrypt/live/api.subdomain.org/fullchain.pem
|
|
remote_cert_path = /etc/nginx/ssl/api/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/api.subdomain.org/privkey.pem:/etc/nginx/ssl/api/privkey.pem
|
|
post_upload_command = systemctl reload nginx
|
|
check_url = https://api.subdomain.org
|
|
|
|
# ==================== CLIENT SITE WITH CUSTOM CERTIFICATE ====================
|
|
# Client's own domain and certificate
|
|
|
|
[client_website]
|
|
type = standard
|
|
hostname = 203.0.113.50
|
|
port = 2222
|
|
username = admin
|
|
# Override: use client-specific certificate
|
|
source_cert_path = /etc/letsencrypt/live/client-domain.com/fullchain.pem
|
|
remote_cert_path = /var/www/ssl/fullchain.pem
|
|
additional_files = /etc/letsencrypt/live/client-domain.com/privkey.pem:/var/www/ssl/privkey.pem
|
|
post_upload_command = systemctl reload apache2
|
|
check_url = https://www.client-domain.com
|
|
|
|
[client_mikrotik]
|
|
type = mikrotik
|
|
hostname = 203.0.113.51
|
|
port = 22
|
|
username = admin
|
|
ssh_key_path = /root/.ssh/client_key
|
|
# Override: use client-specific certificate
|
|
source_cert_path = /etc/letsencrypt/live/client-domain.com/fullchain.pem
|
|
source_key_path = /etc/letsencrypt/live/client-domain.com/privkey.pem
|
|
|
|
# ==================== DEVELOPMENT SERVER ====================
|
|
# Dev server with staging certificate
|
|
|
|
[dev_server]
|
|
type = standard
|
|
hostname = dev.local
|
|
port = 22
|
|
username = developer
|
|
# Override: use staging certificate for testing
|
|
source_cert_path = /etc/letsencrypt-staging/live/dev.example.com/fullchain.pem
|
|
remote_cert_path = /opt/app/ssl/fullchain.pem
|
|
additional_files = /etc/letsencrypt-staging/live/dev.example.com/privkey.pem:/opt/app/ssl/privkey.pem
|
|
post_upload_command = docker-compose restart nginx
|
|
# No check_url - always upload to dev |