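---
# Host variables for the GitLab machine: network interfaces, unattended
# upgrades, Let's Encrypt certificates (DNS-01 over RFC 2136) and the nginx
# reverse proxy in front of GitLab.
# NOTE(review): the nesting below was rebuilt from a single collapsed line;
# check it against the schema each role expects before deploying.

# Logical network name -> kernel interface name.
interfaces:
  adm: ens18
  srv: ens19

loc_unattended:
  # The host may reboot itself after automatic upgrades.
  reboot: true
  # Presumably package names excluded from unattended upgrades (confirm in the
  # role). If so, GitLab security releases are not applied automatically and
  # need a tracked manual patch process.
  blacklist: ["gitlab"]

loc_needrestart:
  override: []

# Wildcard certificates. A wildcard private key is valid for every name under
# the zone, so its exposure affects all of those services at once.
loc_certbot:
  - mail: root@crans.org
    certname: crans.org
    domains: "*.crans.org"
  - mail: root@crans.org
    certname: adm.crans.org
    domains: "*.adm.crans.org"

# DNS-01 challenge settings, one entry per certificate name: the zone that
# receives the challenge record, the DNS server to update and the TSIG key
# that authenticates the update.
loc_service_certbot:
  config:
    "crans.org":
      zone: _acme-challenge.crans.org
      # Ansible's query() always returns a list; presumably the role or the
      # custom 'ldap' lookup reduces it to a single address. Verify.
      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
      port: 53
      key:
        name: certbot_challenge.
        # The secret is read from the vault and never stored in this file.
        # NOTE(review): confirm the DNS server limits this key to the
        # _acme-challenge records, so a leaked key cannot rewrite the zone.
        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    "adm.crans.org":
      zone: _acme-challenge.adm.crans.org
      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
      port: 53
      key:
        # A separate key per zone keeps the two challenge zones independent.
        name: certbot_adm_challenge.
        secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
        algorithm: HMAC-SHA512

loc_nginx:
  # Certificate material per TLS profile. privkey.pem should stay readable by
  # root only; the paths are certbot's "live" paths for each certname.
  ssl:
    - name: adm.crans.org
      cert: /etc/letsencrypt/live/adm.crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/adm.crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/adm.crans.org/chain.pem
    - name: crans.org
      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
  servers: []

loc_reverseproxy:
  # Both public names forward to the same backend on the loopback address.
  # NOTE(review): confirm GitLab listens on 127.0.0.1 only, so that the proxy
  # is the sole way to reach it from the network.
  reverseproxy_sites:
    - from: gitlab.crans.org
      to: "127.0.0.1:8000"
    - from: gitlab.adm.crans.org
      to: "127.0.0.1:8000"
      # Refers to the TLS profile of the same name under loc_nginx.ssl.
      ssl: adm.crans.org
  redirect_sites: []
  static_sites: []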