Move to dedicated Let's Encrypt certificate volume
Previously we mounted the `letsencrypt` volume, which Lego itself uses for its state and which contains a number of private files not intended to be accessed widely; the `letsencrypt-certificates` volume used now contains only certificate chains and private keys, under dedicated folders.
This commit is contained in:
parent
bc579762cc
commit
83bea27cd4
@ -154,10 +154,10 @@ systemd:
- name: use-local-files.conf
contents: |
[Service]
ExecStartPre=/bin/podman volume create --ignore letsencrypt
ExecStartPre=/bin/podman volume create --ignore letsencrypt-certificates
ExecStart=
ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt) && cp -Rv /etc/ssl/private/certificates $V && chown -R 10000:10000 $V"
ExecStartPost=/bin/podman volume unmount letsencrypt
ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt-certificates) && cp -Rv /etc/ssl/private/certificates $V && chown -R 10000:10000 $V"
ExecStartPost=/bin/podman volume unmount letsencrypt-certificates
|
storage:
files:
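Review bot: The new ExecStart line copies `localhost/privkey.pem` into the volume with the mode cp derives from the source file, and the storage entry for that key in the `@ -220,7` hunk installs it at `mode: 0644`, wider than the `0640` the Lego hook applies to the same-named file on the non-local path; appending `&& find $V -name privkey.pem -exec chmod 0640 {} +` to the ExecStart line (or changing that storage entry to `mode: 0640`) keeps the two layouts consistent, which matters if this drop-in is ever fed anything other than the embedded localhost key. Note also that ExecStartPost runs only after ExecStart succeeds, so a failed copy or chown leaves the volume mounted until the next run; if that matters here, an unconditional `ExecStopPost=-/bin/podman volume unmount letsencrypt-certificates` would cover it. The unit this drop-in extends is outside the hunk.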
@ -197,7 +197,7 @@ storage:
|
# Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in
# generating certificates for the virtual host.
- path: /etc/ssl/private/certificates/localhost.crt
- path: /etc/ssl/private/certificates/localhost/fullchain.pem
mode: 0644
contents:
inline: |
@ -220,7 +220,7 @@ storage:
D2VKHadJ4I7seMAgANBFG4NQEUIUlUxGwUc6tZ3pr93dFWkfE+IxE6YBg5Xkuux4
eAu/TcqROsjnQwQ9Qw4d2FA1C27JIvS6ysOJxJQmVtpZUdfK2hVoeKJvMPnkENOp
-----END CERTIFICATE-----
- path: /etc/ssl/private/certificates/localhost.key
- path: /etc/ssl/private/certificates/localhost/privkey.pem
mode: 0644
contents:
inline: |
@ -444,14 +444,14 @@ realm=${COTURN_REALM}
# Use an absolute path or path relative to the
# configuration file.
#
cert=/etc/ssl/private/certificates/${COTURN_REALM}.crt
cert=/etc/ssl/private/certificates/${COTURN_REALM}/fullchain.pem
|
# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
pkey=/etc/ssl/private/certificates/${COTURN_REALM}.key
pkey=/etc/ssl/private/certificates/${COTURN_REALM}/privkey.pem
|
# Private key file password, if it is in encoded format.
# This option has no default value.
@ -19,7 +19,7 @@ PublishPort=5350:5350
PublishPort=5350:5350/udp
PodmanArgs=--publish ${COTURN_RELAY_PORT_MIN}-${COTURN_RELAY_PORT_MAX}:${COTURN_RELAY_PORT_MIN}-${COTURN_RELAY_PORT_MAX}/udp --sdnotify=healthy
Volume=%N:/var/lib/%N:z
Volume=letsencrypt:/etc/ssl/private:z,ro
Volume=letsencrypt-certificates:/etc/ssl/private:z,ro
|
[Service]
EnvironmentFile=%E/coreos-home-server/%N/%N.env
@ -82,8 +82,8 @@ ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
|
ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}.crt
ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}.key
ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}/fullchain.pem
ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}/privkey.pem
|
protocol imap {
mail_max_userip_connections = 25
@ -18,7 +18,7 @@ PublishPort=143:143
PublishPort=993:993
PublishPort=4190:4190
Volume=%N:/var/mail:z
Volume=letsencrypt:/etc/ssl/private:z,ro
Volume=letsencrypt-certificates:/etc/ssl/private:z,ro
|
[Service]
ExecReload=/bin/podman exec %N doveadm -v reload
@ -4,5 +4,5 @@ set -eu
|
# Copy certificates to dedicated directory.
install --owner letsencrypt --group letsencrypt --mode 0755 -d "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN"
install --owner letsencrypt --group letsencrypt --mode 0644 "$LEGO_CERT_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.pem"
install --owner letsencrypt --group letsencrypt --mode 0640 "$LEGO_CERT_KEY_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.key"
install --owner letsencrypt --group letsencrypt --mode 0644 "$LEGO_CERT_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/fullchain.pem"
install --owner letsencrypt --group letsencrypt --mode 0640 "$LEGO_CERT_KEY_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/privkey.pem"
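Review bot: On a host that already ran the previous hook, the renamed targets leave the old `cert.pem` and `cert.key` in `/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN`, so a stale private-key copy stays in the shared volume until something removes it; adding `rm -f "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.pem" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.key"` after the two install lines takes care of the migration. The consumers changed in this commit (coturn, Dovecot, nginx, Postfix) read `/etc/ssl/private/certificates/<host>/fullchain.pem`, while this script writes `<volume root>/<domain>/fullchain.pem`; that lines up only if the volume is mounted in the Lego container at a path whose last component is `certificates`, which is not visible here. The key is installed `0640 letsencrypt:letsencrypt`, so each consumer's runtime uid or gid has to map onto that owner or group inside its own container, whereas the local-files drop-in chowns to `10000:10000`; it is worth confirming the two agree. The script's `set -eu` preamble is above the hunk.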
@ -13,7 +13,7 @@ PodmanArgs=--sdnotify=healthy
PublishPort=80:80
PublishPort=443:443
Volume=nginx-conf:/etc/nginx/conf.d:z
Volume=letsencrypt:/etc/ssl/private:z,rshared,ro
Volume=letsencrypt-certificates:/etc/ssl/private:z,rshared,ro
|
[Service]
Restart=on-failure
@ -8,8 +8,8 @@ server {
listen 443 ssl;
server_name ${SERVER_NAME} ${SERVER_NAME_ALT};
|
ssl_certificate /etc/ssl/private/certificates/${SSL_CERT_NAME}.crt;
ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}.key;
ssl_certificate /etc/ssl/private/certificates/${SSL_CERT_NAME}/fullchain.pem;
ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}/privkey.pem;
|
include resolver.conf;
set $upstream_endpoint http://${UPSTREAM_HOST}:${UPSTREAM_PORT}${UPSTREAM_PATH};
@ -202,6 +202,6 @@ tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = no
|
# Certificate file location.
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.key
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}/fullchain.pem
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}/privkey.pem
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
@ -15,7 +15,7 @@ PublishPort=465:465
PublishPort=587:587
Network=internal
Volume=dovecot:/var/mail:z
Volume=letsencrypt:/etc/ssl/private:z,ro
Volume=letsencrypt-certificates:/etc/ssl/private:z,ro
|
[Service]
ExecReload=/bin/podman exec %N postfix reload
@ -17,7 +17,7 @@ PublishPort=5269:5269
PublishPort=5347:5347
Volume=%N:/var/lib/%N:z
Volume=prosody-conf:/etc/%N/conf.d:z
Volume=letsencrypt:/etc/ssl/private:z
Volume=letsencrypt-certificates:/etc/ssl/private:z,ro
|
[Service]
ExecReload=/bin/podman exec %N prosodyctl shell config reload
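Review bot: The prosody mount moves to the new volume and becomes read-only, but no prosody configuration is touched in this commit, so where prosody looks for its certificate and key under `/etc/ssl/private` is not visible here; if it relies on Prosody's automatic certificate discovery (which checks `<host>/fullchain.pem` and `<host>/privkey.pem` alongside `<host>.crt`/`<host>.key`) the new layout should be found, otherwise explicit `ssl = { certificate = ..., key = ... }` paths still naming `<host>.crt`/`<host>.key` need the same update the other services received. The old line mounted the volume writable; it is worth confirming nothing in the prosody container relied on writing there, since the added `ro` flag will now make that fail.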