| | | |
|---|---|---|
| author | Paul Buetow <paul@buetow.org> | 2026-01-24 14:28:45 +0200 |
| committer | Paul Buetow <paul@buetow.org> | 2026-01-24 14:28:45 +0200 |
| commit | 9a57015b6fc729f8da37c42957733f1afb657be8 (patch) | |
| tree | 774ef9238a847929c7d68da8a18d0335e21ecd5e /frontends/etc | |
| parent | 4d27f91ea6e61020902fbb2ed916225b69866275 (diff) | |
Add f3s hosts to ACME certificate management
- Add all 18 f3s hosts to @acme_hosts for certificate issuance
- Skip standby certificate variants for f3s hosts (not needed for k3s cluster)
- Add port 80 ACME challenge blocks to httpd for all f3s hosts
- Add port 8080 fallback page blocks to httpd for f3s hosts (when cluster is down)
- Update relayd.conf.tpl to skip standby keypairs for f3s hosts
- Update acme-client.conf.tpl to skip standby certificates for f3s hosts
Fixes missing certificates on flux.f3s.buetow.org, anki.f3s.buetow.org, and other f3s services
Diffstat (limited to 'frontends/etc')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | frontends/etc/acme-client.conf.tpl | 2 |
| -rw-r--r-- | frontends/etc/httpd.conf.tpl | 16 |
| -rw-r--r-- | frontends/etc/relayd.conf.tpl | 2 |
3 files changed, 18 insertions, 2 deletions
diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl index 685794c..b99b428 100644 --- a/frontends/etc/acme-client.conf.tpl +++ b/frontends/etc/acme-client.conf.tpl @@ -31,9 +31,11 @@ domain <%= $host %> { domain full chain certificate "/etc/ssl/<%= $host %>.fullchain.pem" sign with letsencrypt } +<% unless (grep { $_ eq $host } @$f3s_hosts) { -%> domain standby.<%= $host %> { domain key "/etc/ssl/private/standby.<%= $host %>.key" domain full chain certificate "/etc/ssl/standby.<%= $host %>.fullchain.pem" sign with letsencrypt } <% } -%> +<% } -%> diff --git a/frontends/etc/httpd.conf.tpl b/frontends/etc/httpd.conf.tpl index 6a313ae..24889d5 100644 --- a/frontends/etc/httpd.conf.tpl +++ b/frontends/etc/httpd.conf.tpl @@ -175,9 +175,21 @@ server "<%= $prefix %>gogios.buetow.org" { } <% } -%> -# Fallback for f3s hosts - serve fallback page for ALL paths +# f3s hosts: ACME challenges on port 80, fallback page on port 8080 (served by master when k3s cluster is down) <% for my $host (@$f3s_hosts) { for my $prefix (@prefixes) { -%> -server "<%= $prefix.$host %>" { +server "<%= $prefix.$host %>-port80" { + listen on * port 80 + log style forwarded + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 302 "https://$HTTP_HOST$REQUEST_URI" + } +} + +server "<%= $prefix.$host %>-port8080" { listen on * port 8080 log style forwarded location * { diff --git a/frontends/etc/relayd.conf.tpl b/frontends/etc/relayd.conf.tpl index b04ecd3..0a7283f 100644 --- a/frontends/etc/relayd.conf.tpl +++ b/frontends/etc/relayd.conf.tpl 
@@ -26,8 +26,10 @@ http protocol "https" { # Skip server hostnames - each server only has its own cert, handled by dedicated keypair below next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org'; -%> tls keypair <%= $host %> + <% unless (grep { $_ eq $host } @$f3s_hosts) { -%> tls keypair standby.<%= $host %> <% } -%> + <% } -%> tls keypair <%= $hostname.'.'.$domain -%> # Enable WebSocket support |
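Review bot: in the acme-client.conf.tpl hunk the added closing `<% } -%>` sits after the existing `<% } -%>` instead of directly after the standby `domain` block's `}`, so the two closes no longer read in nesting order; Perl only counts braces, so the template still compiles, but moving the new `<% } -%>` up so that the `unless` visibly encloses only the standby block makes the guard easier to audit. The `grep { $_ eq $host } @$f3s_hosts` membership test is also duplicated verbatim in relayd.conf.tpl; a lookup built once (e.g. `my %is_f3s = map { $_ => 1 } @$f3s_hosts;`) would keep both templates on the same list. The diff only shows `@$f3s_hosts` being iterated in httpd.conf.tpl, so confirm the variable is in scope for the acme-client template as well.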
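Review bot: the new port-80 block in httpd.conf.tpl is named `server "<%= $prefix.$host %>-port80"`, and httpd selects a server block by matching its name against the request's Host header, so a request for `flux.f3s.buetow.org` does not match this block by name and only lands here if it happens to be the first server listening on port 80; the context shows other server blocks earlier in the template (the gogios one, for instance), so whether the ACME challenge for f3s hosts is actually served from this block depends on ordering. Keep the real hostname as the server name (httpd accepts the same name on different listen ports, which is the usual port 80 / port 443 pattern) or add `alias "<%= $prefix.$host %>"` inside the block, and do the same for the `-port8080` rename. The challenge location itself (`root "/acme"` with `request strip 2`) follows the standard acme-client layout, and the catch-all `block return 302 "https://$HTTP_HOST$REQUEST_URI"` keeps plain-HTTP service limited to the challenge path, which is the right shape.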
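Review bot: the relayd.conf.tpl hunk keeps the `tls keypair standby.<%= $host %>` list in step with acme-client.conf.tpl only by repeating the same `unless (grep { $_ eq $host } @$f3s_hosts)` guard by hand; if the two guards ever diverge, relayd will reference a `standby.<host>` keypair for which acme-client never issued a certificate and will not be able to load that keypair at startup, taking the whole frontend down rather than just one host. A comment next to the guard pointing at the acme-client template (or a shared helper for the membership test) would make that coupling explicit. The same nesting remark as for acme-client applies here: the added `<% } -%>` after the existing one works but reads out of order.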
