field | value
---|---
author | Baptiste Jonglez <git@bitsofnetworks.org>, 2024-06-08 17:14:44 +0200
committer | Baptiste Jonglez <git@bitsofnetworks.org>, 2024-06-08 17:14:48 +0200
commit | 7e88a88e04db20b0c5552742dae78ae50d3f4318 (patch)
tree | 7d2d9af8e58a8a2195e66fb1973a93ca1d9154f6 /doc/why-not-ansible.md
parent | 9fc22d72d44e3c987bb9fa589fde8af1626cb98f (diff)
download | nixcfg-7e88a88e04db20b0c5552742dae78ae50d3f4318.tar.gz, nixcfg-7e88a88e04db20b0c5552742dae78ae50d3f4318.zip
prod: garage: Enable on-demand-tls check for *.garage S3 endpoint
We were hitting Let's Encrypt rate limits because we were generating thousands of nonsense certificates like "foo.bar.baz.garage.deuxfleurs.fr". See https://crt.sh.

Subdomains of garage.deuxfleurs.fr only make sense when accessing buckets through S3 with vhost-style, so let's enable the on-demand-tls check to make sure that the bucket exists in Garage.

In the long term, we might want to have a wildcard certificate for this usage, or simply stop supporting vhost-style S3 access.
Diffstat (limited to 'doc/why-not-ansible.md')
0 files changed, 0 insertions, 0 deletions
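The check the commit message describes, as an added example rather than deuxfleurs' or Garage's own code: an on-demand TLS "ask" endpoint (the contract Caddy's `on_demand_tls` uses, a GET with `?domain=` that must answer 2xx before a certificate is requested) that only approves a single-label subdomain naming an existing bucket, so names like `foo.bar.baz.<suffix>` never reach the ACME client or the issuer's rate limits. The suffix `garage.example`, the bucket set and the listen port are constructed for illustration.

```python
"""Toy on-demand TLS 'ask' check (added example, not the nixcfg repo's code).

A terminator with on-demand issuance asks GET /check?domain=<name> before it
contacts the CA and proceeds only on a 2xx reply. Rejecting bad names here is
what keeps junk requests from counting against Let's Encrypt rate limits.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

S3_SUFFIX = "garage.example"                 # assumption: the vhost-style S3 suffix
KNOWN_BUCKETS = {"public-data", "backups"}   # constructed stand-in for a bucket lookup

# One DNS label per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def bucket_for_domain(domain: str, suffix: str = S3_SUFFIX) -> Optional[str]:
    """Return the bucket name if `domain` is exactly <label>.<suffix>, else None."""
    host = domain.strip().lower().rstrip(".")
    if not host.endswith("." + suffix):
        return None
    label = host[: -(len(suffix) + 1)]
    # A dotted remainder ("foo.bar.baz") fails the single-label regex and is refused.
    return label if _LABEL.match(label) else None


def is_allowed(domain: str, buckets=KNOWN_BUCKETS) -> bool:
    """Approve issuance only for a single-label subdomain that names an existing bucket."""
    label = bucket_for_domain(domain)
    return label is not None and label in buckets


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("domain", [""])[0]
        # 200 lets issuance proceed; 403 makes the terminator refuse the handshake.
        self.send_response(200 if url.path == "/check" and is_allowed(domain) else 403)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AskHandler).serve_forever()  # port is constructed
```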