feat: migrate to unified wildcard ssl (*.hyungi.net) using cloudflare dns validation

- Switch Certbot to dns-cloudflare plugin
- Remove individual service certificates
- Update Nginx to use single wildcard cert
- Fix macOS Docker file caching issue by renaming cert files
- Ignore cloudflare.ini and ssl-certs in git
hyungi
2026-01-05 14:13:14 +09:00
parent 82701155bb
commit 00c8231925
39 changed files with 85 additions and 241088 deletions


@@ -149,8 +149,8 @@ http {
server_name komga.hyungi.net;
# SSL 설정 (Let's Encrypt 공인 인증서)
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
# SSL 보안 설정
ssl_protocols TLSv1.2 TLSv1.3;
@@ -200,8 +200,8 @@ http {
server_name jellyfin.hyungi.net;
# SSL 설정 (Let's Encrypt 공인 인증서)
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
# SSL 보안 설정
ssl_protocols TLSv1.2 TLSv1.3;
@@ -257,8 +257,8 @@ http {
server_name webdav.hyungi.net;
# SSL 설정 (WebDAV 전용 Let's Encrypt 인증서)
ssl_certificate /etc/nginx/ssl/live/webdav.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/webdav.hyungi.net/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
# SSL 보안 설정
ssl_protocols TLSv1.2 TLSv1.3;
@@ -327,8 +327,8 @@ http {
http2 on;
server_name ds1525.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
@@ -348,8 +348,8 @@ http {
http2 on;
server_name document.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
@@ -367,8 +367,8 @@ http {
http2 on;
server_name git.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
@@ -388,8 +388,8 @@ http {
http2 on;
server_name vault.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
@@ -411,8 +411,8 @@ http {
http2 on;
server_name news.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
@@ -424,4 +424,68 @@ http {
}
}
# HTTPS 서버 - MailPlus
server {
listen 443 ssl;
http2 on;
server_name mailplus.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
client_max_body_size 100M;
location / {
# Assuming standard Synology MailPlus port or relying on DSM backend?
# Let's check proxy_service_map.md or trust standard 5000/5001 or separate port.
# Wait, commonly MailPlus uses standard web station ports or dedicated.
# I will use http://dsm_backend (5000) for now if unsure, or better yet, verify port.
# Actually, standard MailPlus runs on DSM ports unless customized.
# Let's use upstream dsm_backend for safety.
proxy_pass http://dsm_backend;
include /etc/nginx/conf.d/security.conf;
}
}
# HTTPS 서버 - Contacts
server {
listen 443 ssl;
http2 on;
server_name contacts.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://dsm_backend;
include /etc/nginx/conf.d/security.conf;
}
}
# HTTPS 서버 - Calendar
server {
listen 443 ssl;
http2 on;
server_name calendar.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://dsm_backend;
include /etc/nginx/conf.d/security.conf;
}
}
}
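Review bot: The comment block inside the new MailPlus `location /` (the six lines beginning `# Assuming standard Synology MailPlus port...`) is an unresolved working note rather than documentation — it records that the `proxy_pass http://dsm_backend;` target was chosen without verifying which port MailPlus actually listens on, and that uncertainty is now committed to the live config. Confirm the upstream and replace the six lines with one definitive comment such as `# MailPlus is served through DSM; route via the shared dsm_backend upstream`, or define a dedicated upstream if it turns out to need its own port. Separately, the same `ssl_certificate`/`ssl_certificate_key`/`ssl_protocols`/`ssl_ciphers`/`ssl_prefer_server_ciphers` group is now repeated verbatim in every server block touched here (the earlier hunks and the three new MailPlus/Contacts/Calendar blocks); following the pattern this file already uses with `include /etc/nginx/conf.d/security.conf;`, moving the group into one included snippet (name to be chosen by the maintainer) would make the next certificate rename a one-line change instead of a 20-line edit. Two entries in that `ssl_ciphers` list, `ECDHE-RSA-AES128-SHA256` and `ECDHE-RSA-AES256-SHA384`, are CBC suites that current TLS hardening profiles omit; with TLSv1.3 enabled they only affect TLS 1.2 clients, but a shared snippet is the single place to drop them. The enclosing `http {` block begins before the first hunk.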