configpolicy/group_vars
Dustin ffe972d79b r/samba-cert: Obtain LDAP/TLS cert via ACME
The *samba-cert* role configures `lego` and HAProxy to obtain an X.509
certificate via the ACME HTTP-01 challenge.  HAProxy is necessary
because LDAP server certificates need to have the apex domain in their
SAN field, and the ACME server may contact *any* domain controller
server with an A record for that name.  HAProxy will forward the
challenge request on to the first available host on port 5000, where
`lego` is listening to provide validation.

Issuing certificates this way has a couple of advantages:

1. No need for the wildcard certificate for the *pyrocufflink.blue*
   domain any more
2. Renewals are automatic and handled by the server itself rather than
   by Ansible via a scheduled Jenkins job

Item (2) is particularly interesting because it avoids the bi-monthly
issue where replacing the LDAP server certificate and restarting Samba
causes the Jenkins job to fail.

Naturally, for this to work correctly, all LDAP client applications
need to trust the certificates issued by the ACME server, in this case
*DCH Root CA R2*.
2024-06-12 18:33:24 -05:00
| Name | Last commit | Date |
|---|---|---|
| dch-gw | Move dch_networks definition to all group | 2018-10-13 12:43:35 -05:00 |
| public-web | public-web: Add Tabitha's new SSH key | 2024-03-15 10:29:03 -05:00 |
| pxe | r/netboot/jenkins-agent: Configure NBD exports | 2022-08-15 17:14:06 -05:00 |
| pyrocufflink | r/fileserver: Restrict non-administrators to SFTP | 2024-02-01 10:29:32 -06:00 |
| synapse | synapse: Back up data using BURP | 2023-05-23 09:52:50 -05:00 |
| unifi | unifi: Scrape logs from UniFi and device syslog | 2024-02-28 19:04:30 -06:00 |
| Fedora37.yml | Fedora37: Set collectd SELinux domain permissive | 2022-12-19 10:22:00 -06:00 |
| all.yml | auto-updates: Install and configure dnf-automatic | 2024-06-12 06:25:17 -05:00 |
| aria2.yml | aria2: Deploy aria2 download manager | 2018-08-19 14:17:48 -05:00 |
| bitwarden_rs.yml | vaultwarden: Change Domain URL | 2023-03-03 11:17:07 -06:00 |
| burp-client.yml | hosts: Add burp1.p.b | 2020-01-25 13:57:04 -06:00 |
| burp-server.yml | burp-server: Keep more backups | 2023-07-17 16:36:37 -05:00 |
| collectd.yml | Switch Prometheus/collectd to pull | 2021-10-30 16:41:17 -05:00 |
| dch-vpn.yml | dch-vpn: Avoid configuring firewalld | 2018-10-13 12:19:25 -05:00 |
| file-servers.yml | file-servers: Set Apache ServerName | 2023-12-29 10:46:13 -06:00 |
| gitea.yml | gitea: Back up with BURP | 2023-04-12 14:07:51 -05:00 |
| home-assistant.yml | home-assistant: Back up Zigbee/ZWave/Mosquitto | 2022-12-23 06:56:52 -06:00 |
| jenkins-slave.yml | jenkins-slave: Allow Jenkins to connect to Docker | 2019-09-19 19:50:35 -05:00 |
| k8s-controller.yml | hosts: Add Kubernetes machines | 2022-08-03 20:52:01 -05:00 |
| k8s-node.yml | hosts: Add Kubernetes machines | 2022-08-03 20:52:01 -05:00 |
| koji-hub.yml | hosts: Add koji0.pyrocufflink.blue | 2018-08-12 10:27:20 -05:00 |
| koji.yml | hosts: Add koji0.pyrocufflink.blue | 2018-08-12 10:27:20 -05:00 |
| kubelet.yml | r/collectd: Ignore filesystems by path | 2022-08-05 18:56:48 -05:00 |
| nextcloud.yml | nextcloud: Trust headers from public rev proxy | 2021-12-20 22:20:09 -06:00 |
| nut-monitor.yml | nut-monitor: Require both UPS to be online | 2024-01-25 21:22:04 -06:00 |
| prometheus.yml | Switch Prometheus/collectd to pull | 2021-10-30 16:41:17 -05:00 |
| pyrocufflink-dhcp.yml | pyrocufflink-dhcp: DHCP reservations for VM hosts | 2021-02-17 20:33:41 -06:00 |
| radius.yml | Move APs to Management network | 2018-07-15 09:19:39 -05:00 |
| repohost.yml | r/repohost: Configure Yum package repo host | 2023-11-07 20:51:10 -06:00 |
| samba-dc.yml | r/samba-cert: Obtain LDAP/TLS cert via ACME | 2024-06-12 18:33:24 -05:00 |
| smtp-relay.yml | smtp-relay: Switch to Fastmail | 2023-10-24 17:27:21 -05:00 |
| taiga.yml | taiga: Add playbook for Taiga | 2019-09-19 19:51:45 -05:00 |
| vm-hosts.yml | vm-hosts: Auto-start unifi2 | 2024-05-26 10:51:16 -05:00 |
| zabbix-server.yml | zabbix-server: Allow SMTP relay from any loopback | 2019-04-15 10:05:04 -05:00 |
| zabbix.yml | hosts: Add hosts to zabbix group | 2018-04-14 15:47:49 -05:00 |