Use real certs for DNS over TLS

2021-09-29 19:49:04 +00:00 · 2021-09-29 19:49:04 +00:00 · 5a9b0a6b20
commit 5a9b0a6b20
parent 8bdf278ea6
2 changed files with 11 additions and 2 deletions
--- a/playbooks/dna-gw.yml
+++ b/playbooks/dna-gw.yml
@ -73,19 +73,25 @@
    - name: copy dns private key
      copy:
        dest: "{{ tls_private }}/dns.home.foo.sh.key"
-        src: /srv/ca/private/dns.home.foo.sh.key
+        src: "{{ item }}"
        mode: 0600
        owner: root
        group: "{{ ansible_wheel }}"
+      with_first_found:
+        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
+        - "/srv/ca/private/{{ inventory_hostname }}.key"
      tags: certificate
      notify: restart unbound
    - name: copy dns certificate and ca cert
      copy:
        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
-        src: /srv/ca/certs/dns.home.foo.sh.crt
+        src: "{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
+      with_first_found:
+        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
+        - "/srv/ca/certs/{{ inventory_hostname }}.crt"
      tags: certificate
      notify: restart unbound
    - name: copy dns zone files
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@ -35,6 +35,9 @@
    - role: nginx/site
      site: devel01.foo.sh
      proxy: https://devel01.home.foo.sh/
+    - role: nginx/site
+      site: dns.home.foo.sh
+      redirect: https://www.foo.sh/
    - role: nginx/site
      site: git.foo.sh
      proxy: https://git02.home.foo.sh/