Here is the architecture proposed for the first ever Enough instance based on libvirt. It is located on a machine with a libvirt daemon running and has a single IPv4.
- example.lan is created with the desired service, a forum:
  `enough --domain example.lan service create --driver libvirt forum`. The certificate is based on
  ownca, which is the default for the libvirt driver because it is assumed that it can't be reached from the internet and LE is therefore not an option.
- a host is created for example.org to run bind and a reverse proxy:
  `enough --domain example.lan host create --driver libvirt reverse-host`
- a glue record is added to example.org to delegate the DNS to the IPv4 of the machine
- `~/.enough/example.org/inventory/group_vars/all/certificate.yml` is modified with
- a rule is added on the host to forward 80/443 to
- a hand made playbook uses the enough-nginx role to reverse proxy forum.example.org to forum.example.lan
There may be a blocker:
bind-host is hardcoded in many places to be the name of the host running the DNS for a domain. Since both
example.lan run on the same libvirt hypervisor, they will conflict. Hardcoded
bind-host must be removed and replaced by a group, even if said group can only contain a single host.