-
Notifications
You must be signed in to change notification settings - Fork 1
/
configuration.reference.yaml
109 lines (101 loc) · 3.97 KB
/
configuration.reference.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# Note: this is a YAML file. YAML is a superset of JSON.
# Therefore, writing/generating your configuration file in JSON works too.
# Path to Let's Encrypt "live" directory:
letsencrypt_live: '/etc/letsencrypt/live'
# Whether or not to filter certificates found in Let's Encrypt "live" directory:
cert_filter: True
# Python regular expression used to filter certificates:
cert_pattern: '^(www|api)\.mysite\.net$'
# Whether the filter above should be used as a whitelist (True) or a
# blacklist (False):
cert_whitelist: True
# Separator between certificates and their associated files:
# '/' will result in the usual layout, with one directory per certificate:
# www.mysite.net/cert.pem
# www.mysite.net/combined.pem
# api.mysite.net/cert.pem
# api.mysite.net/combined.pem
separator: '/'
# Any other character will result in a flat layout, with all certificates in a
# single directory:
# www.mysite.net_cert.pem
# www.mysite.net_combined.pem
# api.mysite.net_cert.pem
# api.mysite.net_combined.pem
# Do NOT use characters that can occur in a domain name, like letters, digits,
# hyphens or dots as those are BOUND to bite you sooner or later.
# separator: '_'
# separator: ':'
# separator: '@'
# That said, if you feel adventurous:
# - the separator is not restricted to a single character;
# - the separator is not restricted to the ASCII table;
# - the separator is not restricted to printable/visible characters.
# uid and gid for both directories and files:
# These settings do NOT understand user and group names.
uid: 1305
gid: 25519
# They default to 0.
# However, hardcoding user/group ids can be a timebomb.
# These settings provide the ability to reflect the same uid or gid as a given
# file:
same-uid-as: '/path/to/target/user/home/directory'
same-gid-as: '/path/to/file/with/adequate/ownership'
# If the mentioned paths cannot be stat()ed, combinedfs defaults to the values
# set via uid and gid respectively.
# Unix modes: base-8 notation in a string.
# Directories:
dir_mode: '0550'
# Regular files, typically certificates and Diffie-Hellman parameters:
reg_mode: '0444'
# Sensitive files, typically private keys. Combined files generated using one or
# more sensitive files will inherit this mode too:
key_mode: '0400'
# This pattern is used to detect sensitive files; it is a Python regex matched
# against the real, absolute, non-canonical path of each file (e.g.
# /etc/letsencrypt/live/www.mysite.net/privkey.pem).
sensitive_pattern: '/privkey.pem$'
# For each certificate, all files described below will be exposed:
files:
# It is pretty simple to expose a regular file:
cert.pem:
content: ['cert.pem']
# Want to remove a useless file? Do not mention it. It is that simple.
#chain.pem:
# content: ['chain.pem']
fullchain.pem:
content: ['fullchain.pem']
# Per-file permissions; same-uid-as and same-gid-as are available too:
uid: 2223
gid: 2226
mode: '0440'
privkey.pem:
content: ['privkey.pem']
# Concatenates fullchain.pem and privkey.pem into combined.pem:
combined.pem:
content:
- 'fullchain.pem'
- 'privkey.pem'
# It is possible to introduce any file in the mix through absolute paths:
combined-with-common-dhparam.pem:
content:
- 'fullchain.pem'
- 'privkey.pem'
- '/etc/dhparam-factory/common.pem'
# The ${cert} placeholder allows to fetch certificate-specific files:
combined-with-specific-dhparam.pem:
content:
- 'fullchain.pem'
- 'privkey.pem'
- '/etc/dhparam-factory/${cert}.pem'
# Specifying an array of filepaths triggers the fallback feature.
# This will concatenate fullchain.pem, privkey.pem and the cert-specific
# dhparam or, if it does not exist, the common one.
# No, this does not work recursively, only one level allowed.
combined-with-dhparam.pem:
- 'fullchain.pem'
- 'privkey.pem'
- ['/etc/dhparam-factory/${cert}.pem', '/etc/dhparam-factory/common.pem']
# Finally, an empty array means an empty file:
combined-with-dhparam.pem.ocsp:
content: []