From 632e4127140cc2598c87b4cfac54c7c108108fd8 Mon Sep 17 00:00:00 2001
From: Alexander Tratsevskiy
Date: Fri, 31 Mar 2023 18:13:59 +0300
Subject: [PATCH] =?UTF-8?q?homeassistant:=20=D0=BD=D0=B0=D1=81=D1=82=D1=80?=
 =?UTF-8?q?=D0=BE=D0=B9=D0=BA=D0=B0=20https?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../homeassistant/homeassistant/ini.env | 22 +++++++++++++++
 .../homeassistant/nginx/homeassistant.conf | 27 +++++++++++++++++++
 .../nginx/ssl/.calculate_directory | 1 +
 .../homeassistant/nginx/ssl/create-ssl | 6 +++++
 4 files changed, 56 insertions(+)
 create mode 100644 profiles/templates/homeassistant/nginx/ssl/.calculate_directory
 create mode 100644 profiles/templates/homeassistant/nginx/ssl/create-ssl
diff --git a/profiles/templates/homeassistant/homeassistant/ini.env b/profiles/templates/homeassistant/homeassistant/ini.env
index db90a6c..a47e25f 100644
--- a/profiles/templates/homeassistant/homeassistant/ini.env
+++ b/profiles/templates/homeassistant/homeassistant/ini.env
@@ -2,3 +2,25 @@
 [homeassistant]
 protocol = http
 domain = home.example.org
+
+# for a self-signed certificate
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = some_dn
+
+[some_dn]
+C = RU
+L = Saint-Petersburg
+O = Calculate Linux
+emailAddress = support@calculate.ru
+CN = calculate-linux.org
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = otherdomain.com
+IP.1 = 1.2.3.4
diff --git a/profiles/templates/homeassistant/nginx/homeassistant.conf b/profiles/templates/homeassistant/nginx/homeassistant.conf
index 864ed0c..eca3332 100644
--- a/profiles/templates/homeassistant/nginx/homeassistant.conf
+++ b/profiles/templates/homeassistant/nginx/homeassistant.conf
@@ -3,6 +3,7 @@ map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
 }
+
 server {
 listen 80;
 location / {
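Review bot: The SAN this CSR will carry (`DNS.1 = otherdomain.com`, `IP.1 = 1.2.3.4`) and the CN (`CN = calculate-linux.org`) do not name the host the certificate is served for, which `[homeassistant] domain` in the same hunk sets to `home.example.org` and which the nginx `server_name` in this series is templated from via `#-ini(homeassistant.domain)-#`; browsers validate the SAN, so the generated certificate is rejected even after the CA is imported. Unless the Calculate template engine substitutes these values at install time (nothing in the hunk indicates it does), set `CN = home.example.org` and `DNS.1 = home.example.org`, and drop `IP.1 = 1.2.3.4` unless a real address is meant to be in the SAN. A comment above `[alt_names]` such as `# must list every name/IP clients use to reach Home Assistant; keep in sync with [homeassistant] domain` would make the coupling visible to whoever edits this file next.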
@@ -20,3 +21,29 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 }
 }
+
+server {
+ server_name #-ini(homeassistant.domain)-#;
+
+ ssl_certificate /var/calculate/ssl/fullchain.pem;
+ ssl_certificate_key /var/calculate/ssl/privkey.pem;
+
+ listen 443 ssl;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+ ssl_protocols TLSv1.2;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ proxy_buffering off;
+
+ location / {
+ proxy_pass http://127.0.0.1:8123;
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
diff --git a/profiles/templates/homeassistant/nginx/ssl/.calculate_directory b/profiles/templates/homeassistant/nginx/ssl/.calculate_directory
new file mode 100644
index 0000000..814ccaf
--- /dev/null
+++ b/profiles/templates/homeassistant/nginx/ssl/.calculate_directory
@@ -0,0 +1 @@
+# Calculate path=/var/calculate
diff --git a/profiles/templates/homeassistant/nginx/ssl/create-ssl b/profiles/templates/homeassistant/nginx/ssl/create-ssl
new file mode 100644
index 0000000..2284d76
--- /dev/null
+++ b/profiles/templates/homeassistant/nginx/ssl/create-ssl
@@ -0,0 +1,6 @@
+# Calculate run=/bin/bash
+
+cd /var/calculate/ssl
+openssl req -new -x509 -nodes -subj "/CN=calculate.root" -newkey rsa:2048 -keyout ca.key -out ca.crt -reqexts v3_req -extensions v3_ca
+openssl req -new -nodes -sha256 -newkey rsa:2048 -config /var/calculate/ini.env -out domain.csr -keyout privkey.pem
+openssl x509 -req -in domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 500 -sha256 -extfile /var/calculate/ini.env -extensions req_ext -out fullchain.pem
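Review bot: `add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"` pins every client that once succeeds over TLS to HTTPS for a year on this host and all its subdomains, which is a hard lock-out when paired with the self-signed CA this series generates: a browser that has recorded HSTS no longer allows clicking through a certificate error, so any device without the imported `ca.crt` (or one that sees a regenerated CA) loses access entirely. Either leave HSTS out of this template until a publicly trusted certificate is in use, or start with a short `max-age` without `includeSubdomains` and add `always` so the header is sent on error responses too, e.g. `add_header Strict-Transport-Security "max-age=300" always;`. Separately, the proxied request carries no `X-Forwarded-Proto`, so add `proxy_set_header X-Forwarded-Proto $scheme;` beside the `X-Forwarded-For` line so Home Assistant can tell the request arrived over TLS once its reverse-proxy settings are configured, and consider `ssl_protocols TLSv1.2 TLSv1.3;` since the block currently excludes TLS 1.3. Note also that the plain-HTTP `listen 80` server shown as context is left proxying in clear text rather than redirecting to this block.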
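Review bot: The CA step `openssl req -new -x509 ...` passes no `-days`, so the root certificate is issued with OpenSSL's default validity of 30 days while the leaf signed on the last line gets `-days 500`; every client that imports `ca.crt` starts failing chain validation after a month. The script also runs unconditionally each time the template is applied, regenerating `ca.key`, `ca.crt` and `privkey.pem` and silently replacing whatever was there (a previously trusted CA, or an externally issued pair dropped into the same paths), it creates both unencrypted private keys under the default umask, and `cd /var/calculate/ssl` is unchecked so a failed `cd` writes the keys into the caller's working directory. Unless the Calculate `run=` header already gates this on the directory being new (not visible here), guard the generation, set a restrictive umask and give the CA a validity at least as long as the leaf's. `fullchain.pem` as written holds only the leaf, which nginx accepts for a self-signed root, but the name is misleading for anyone later swapping in a real chain.
```shell
# Calculate run=/bin/bash

set -eu
umask 077                    # private keys must not be created world-readable
cd /var/calculate/ssl
# keep an existing key pair (previously trusted CA, or an externally issued cert)
if [ -e privkey.pem ] && [ -e fullchain.pem ]; then exit 0; fi
openssl req -new -x509 -nodes -days 3650 -subj "/CN=calculate.root" -newkey rsa:2048 -keyout ca.key -out ca.crt -reqexts v3_req -extensions v3_ca
# … unchanged: CSR generation and signing of the leaf (-days 500) …
```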