Correctly load certificates from /etc/ssl/private

Alex Palaistras 2024-01-13 23:28:01 +00:00
parent ca4bc9d4ff
commit 7606e87a4c
6 changed files with 12 additions and 12 deletions


@ -156,7 +156,7 @@ systemd:
[Service]
ExecStartPre=/bin/podman volume create --ignore letsencrypt-certificates
ExecStart=
ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt-certificates) && cp -Rv /etc/ssl/private/certificates $V && chown -R 10000:10000 $V"
ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt-certificates) && cp -Rv /etc/ssl/private $V && chown -R 10000:10000 $V"
ExecStartPost=/bin/podman volume unmount letsencrypt-certificates
storage:
@ -197,7 +197,7 @@ storage:
# Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in
# generating certificates for the virtual host.
- path: /etc/ssl/private/certificates/localhost/fullchain.pem
- path: /etc/ssl/private/localhost/fullchain.pem
mode: 0644
contents:
inline: |
@ -220,7 +220,7 @@ storage:
D2VKHadJ4I7seMAgANBFG4NQEUIUlUxGwUc6tZ3pr93dFWkfE+IxE6YBg5Xkuux4
eAu/TcqROsjnQwQ9Qw4d2FA1C27JIvS6ysOJxJQmVtpZUdfK2hVoeKJvMPnkENOp
-----END CERTIFICATE-----
- path: /etc/ssl/private/certificates/localhost/privkey.pem
- path: /etc/ssl/private/localhost/privkey.pem
mode: 0644
contents:
inline: |
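Review bot: The new ExecStart line copies the directory itself rather than its contents — `cp -Rv /etc/ssl/private $V` into an existing mountpoint produces `$V/private/<host>/fullchain.pem`, whereas the rewritten coturn, dovecot, nginx, postfix and prosody paths in the other five sections all expect `<mount>/<host>/fullchain.pem`. Whether that lines up depends on where each container mounts the `letsencrypt-certificates` volume, which is not visible in this commit; if it is mounted at `/etc/ssl/private`, the copy should be `cp -Rv /etc/ssl/private/. "$V"` (quoting `$V` also protects the subsequent `chown -R` against an unexpected mountpoint path). Adjacent but untouched by the rename: the localhost `privkey.pem` entry keeps `mode: 0644`, which leaves a private key world-readable on the host; `0600` is the conventional mode, and since the copy sets ownership to 10000:10000 afterwards the container user still reads it. The systemd unit and storage sections continue outside the hunks shown.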


@ -444,14 +444,14 @@ realm=${COTURN_REALM}
# Use an absolute path or path relative to the
# configuration file.
#
cert=/etc/ssl/private/certificates/${COTURN_REALM}/fullchain.pem
cert=/etc/ssl/private/${COTURN_REALM}/fullchain.pem
# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
pkey=/etc/ssl/private/certificates/${COTURN_REALM}/privkey.pem
pkey=/etc/ssl/private/${COTURN_REALM}/privkey.pem
# Private key file password, if it is in encoded format.
# This option has no default value.


@ -82,8 +82,8 @@ ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}/fullchain.pem
ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}/privkey.pem
ssl_cert = </etc/ssl/private/${DOVECOT_HOST}/fullchain.pem
ssl_key = </etc/ssl/private/${DOVECOT_HOST}/privkey.pem
protocol imap {
mail_max_userip_connections = 25


@ -8,8 +8,8 @@ server {
listen 443 ssl;
server_name ${SERVER_NAME} ${SERVER_NAME_ALT};
ssl_certificate /etc/ssl/private/certificates/${SSL_CERT_NAME}/fullchain.pem;
ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}/privkey.pem;
ssl_certificate /etc/ssl/private/${SSL_CERT_NAME}/fullchain.pem;
ssl_certificate_key /etc/ssl/private/${SSL_CERT_NAME}/privkey.pem;
include resolver.conf;
set $upstream_endpoint http://${UPSTREAM_HOST}:${UPSTREAM_PORT}${UPSTREAM_PATH};


@ -202,6 +202,6 @@ tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = no
# Certificate file location.
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}/fullchain.pem
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}/privkey.pem
smtpd_tls_cert_file = /etc/ssl/private/${POSTFIX_HOST}/fullchain.pem
smtpd_tls_key_file = /etc/ssl/private/${POSTFIX_HOST}/privkey.pem
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt


@ -185,7 +185,7 @@ openmetrics_allow_cidr = "10.89.0.0/16"
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
-- Location of directory to find certificates in (relative to main config file):
certificates = "/etc/ssl/private/certificates"
certificates = "/etc/ssl/private"
-- Allow TLS connections with additional, less secure ciphers, for compatibility with older clients.
ssl = {