README tweaks

2026-01-03 09:20:46 -06:00
parent 86339f5115
commit 2bbf9b3f53
1 changed files with 14 additions and 11 deletions
--- a/README.md
+++ b/README.md
@@ -95,17 +95,20 @@ curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/wiza
 Set up provisioner password by running this and pasting in the current JWK provisioner password for `admin`

 ```
-(umask 077; read -s secret && echo "$secret" > $(step path)/certs/secret.txt && unset secret)
-```
-
-Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI.
-
-```
-cd $(step path)/certs && \
-step ca certificate \
-    --provisioner admin --password-file secret.txt \
-    $(hostnamectl hostname) restic.crt restic.key && \
-(umask 077; cat restic.{crt,key} > restic.pem)
+export HOSTNAME=$(hostname -s) && \
+export DOMAIN="john-stream.com" && \
+export CERT_DIR="/var/lib/tls" && \
+export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1) && \
+(umask 077; mkdir -p "$CERT_DIR" && cd "$CERT_DIR" && \
+step ca root root_ca.crt && \
+step ca certificate "$HOSTNAME" cert.pem key.pem \
+    --san "$HOSTNAME" \
+    --san "$HOSTNAME.$DOMAIN" \
+    --san "$IP_ADDRESS" \
+    --san spiffe://john-stream.com/role/docker-agent \
+    --provisioner admin && \
+cat {cert,key}.pem > restic.pem) && \
+chmod 644 cert.pem root_ca.crt
 ```

 Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT` to work.