From 3d6ec4049505349fe9da26857a09aafd7e206de4 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 20 Jan 2024 14:00:53 +0100
Subject: apps publish: always include hostname in cert/vhost names
---
 roles/apps/node-red/instance/tasks/main.yml | 10 +++-------
 roles/apps/whawty/auth/instance/tasks/main.yml | 10 +++-------
 2 files changed, 6 insertions(+), 14 deletions(-)
(limited to 'roles')
diff --git a/roles/apps/node-red/instance/tasks/main.yml b/roles/apps/node-red/instance/tasks/main.yml
index 38547f58..410a1b9f 100644
--- a/roles/apps/node-red/instance/tasks/main.yml
+++ b/roles/apps/node-red/instance/tasks/main.yml
@@ -52,7 +52,7 @@
 x509_certificate_config:
 ca: "{{ node_red_instances[node_red_instance].publish.zone.certificate_ca_config }}"
 cert:
- common_name: "node-red-{{ node_red_instance }}"
+ common_name: "node-red-{{ node_red_instance }}.{{ inventory_hostname }}"
 extended_key_usage:
 - serverAuth
 extended_key_usage_critical: yes
@@ -125,11 +125,7 @@
 - name: configure nginx vhost for publishment
 vars:
 nginx_vhost__yaml: |
- {% if node_red_instances[node_red_instance].publish.zone.publisher == inventory_hostname %}
- name: "node-red-{{ node_red_instance }}"
- {% else %}
- name: "node-red-{{ node_red_instance }}-{{ inventory_hostname }}"
- {% endif %}
+ name: "node-red-{{ node_red_instance }}.{{ inventory_hostname }}"
 template: generic
 {% if 'tls' in node_red_instances[node_red_instance].publish %}
 tls:
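Review bot: The new `common_name` on the `+` line of the `@@ -52,7 +52,7 @@` hunk puts the full DNS name only into the certificate subject; nothing in the hunk adds a subjectAltName, and both OpenSSL and the cryptography library (which community.crypto uses) reject a CN longer than 64 characters, so a long `inventory_hostname` (an FQDN) makes issuance fail, while a shorter one yields a CN-only certificate whose name only matches through the legacy CN fallback of the verifier. If the x509 role does not derive a SAN from `common_name`, add `subject_alt_name: ["DNS:node-red-{{ node_red_instance }}.{{ inventory_hostname }}"]` (key spelling per the role) next to it; the SAN carries the name without the length limit. The `x509_certificate_config` mapping starts before the hunk, so whether a SAN is already set above is not visible here.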
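Review bot: The `+ name:` line of the `@@ -125,11 +125,7 @@` hunk renames the vhost on every host, including the publisher, but nothing in the change deals with the `node-red-<instance>` (publisher) and `node-red-<instance>-<host>` vhosts that the removed branch has already generated on existing deployments; unless the nginx vhost role prunes server blocks it did not declare in the current run, those stale vhosts keep answering for the old names. A migration step in the same change would close that gap, e.g. a task that removes the two legacy vhost names with `state: absent` (or whatever the role offers), or at least a commit-message note that the old vhosts must be cleaned up by hand. The task `configure nginx vhost for publishment` continues past the hunk, so the role invocation that could carry such a removal is not visible.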
@@ -151,7 +147,7 @@
 certificate_key: "/etc/ssl/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}-key.pem"
 trusted_certificate: "/etc/ssl/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}-ca-crt.pem"
 verify: "on"
- name: "node-red-{{ node_red_instance }}"
+ name: "node-red-{{ node_red_instance }}.{{ inventory_hostname }}"
 protocols: "TLSv1.3"
 {% if 'location_extra_directives' in node_red_instances[node_red_instance].publish %}
 extra_directives: |
diff --git a/roles/apps/whawty/auth/instance/tasks/main.yml b/roles/apps/whawty/auth/instance/tasks/main.yml
index 1e2f6c0d..26ba63df 100644
--- a/roles/apps/whawty/auth/instance/tasks/main.yml
+++ b/roles/apps/whawty/auth/instance/tasks/main.yml
@@ -41,7 +41,7 @@
 x509_certificate_config:
 ca: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_ca_config }}"
 cert:
- common_name: "whawty-auth-{{ whawty_auth_instance }}"
+ common_name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}"
 extended_key_usage:
 - serverAuth
 extended_key_usage_critical: yes
@@ -125,11 +125,7 @@
 - name: configure nginx vhost for publishment
 vars:
 nginx_vhost__yaml: |
- {% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %}
- name: "whawty-auth-{{ whawty_auth_instance }}"
- {% else %}
- name: "whawty-auth-{{ whawty_auth_instance }}-{{ inventory_hostname }}"
- {% endif %}
+ name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}"
 template: generic
 {% if 'tls' in whawty_auth_instances[whawty_auth_instance].publish %}
 tls:
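Review bot: The `+ name:` line under `proxy_ssl` in the `@@ -151,7 +147,7 @@` hunk is the identity nginx checks the upstream certificate against (`verify: "on"` two lines above), and the very same string is now spelled out by hand a third time after the certificate CN and the vhost name in the earlier hunks; an edit that touches one of the three and misses the others only shows up as a failed upstream verification at runtime. Define it once, e.g. `node_red_publish_name: "node-red-{{ node_red_instance }}.{{ inventory_hostname }}"` via `set_fact` at the start of the role or as a role default (task-level `vars:` would not be visible to the certificate task), and write `name: "{{ node_red_publish_name }}"` here and in the other two places. The whawty role below duplicates the name the same way. The `proxy_ssl` mapping and its enclosing task begin before the hunk.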
@@ -149,7 +145,7 @@
 proxy_ssl:
 trusted_certificate: "/etc/ssl/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}-ca-crt.pem"
 verify: "on"
- name: "whawty-auth-{{ whawty_auth_instance }}"
+ name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}"
 protocols: "TLSv1.3"
 nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
 include_role:
-- cgit v1.2.3
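Review bot: The `proxy_ssl` block around the `+ name:` line in the `@@ -149,7 +145,7 @@` hunk carries only `trusted_certificate`, `verify`, `name` and `protocols`, whereas the node-red counterpart above also sets `certificate_key` (and, by the look of the cut-off line before it, presumably `certificate`) for the publisher-to-app connection; as far as this block shows, the publisher authenticates the whawty-auth upstream but does not present a client certificate to it, although an authentication backend is the one place where mutual TLS matters most. If that is deliberate (the whawty-auth instance accepts any TLS client) a one-line comment such as `# no client cert: whawty-auth does not require client authentication` above `proxy_ssl:` would stop the next reader from "fixing" it; if not, add the `certificate`/`certificate_key` lines mirroring the node-red role. The vhost YAML and the enclosing task start before the hunk.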