john/soteria
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

reorg

Browse Source
This commit is contained in:
John Lancaster
2025-12-28 16:05:16 -06:00
parent 0584fb4865
commit 43f898a2db
1 changed files with 28 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
README.md
View File

@@ -14,39 +14,6 @@ Connect solely through wireguard to `192.168.1.142` and serve the REST server wi
[REST backend](https://restic.readthedocs.io/en/latest/100_references.html#rest-backend)
## Certificates
[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/)
Generate a new private key and (public) certificate
```
step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin
```
One-time setup for Caddy to be able to trust the Janus CA. This creates a symlink for the root CA.
Check certificate
```
openssl x509 -noout -subject -issuer -ext extendedKeyUsage -in certs/soteria.crt
```
```
cat certs/soteria.crt certs/soteria.key > $(step path)/certs/soteria.pem
```
Add to ~/.bashrc to trust the Janus CA:
```
export RESTIC_CACERT=$(step path)/certs/root_ca.crt
```
Create a test repo through the rest server:
```
restic -r rest:https://soteria.john-stream.com:8443/dev-test --tls-client-cert certs/client_combined.pem init
```
## Restic Repos
Mounted using a bind mount point in the LXC.
@@ -57,14 +24,32 @@ https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points
pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic
```
## Restic Clients
## Soteria Certificates
[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/)
Generate a new private key and (public) certificate in the right places. This will use the `admin` provisioner.
```
step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin
```
Check the resultant certificate:
```
openssl x509 -noout -subject -issuer -ext extendedKeyUsage -ext subjectAltName -in certs/soteria.crt
```
## Clients
Set up provisioner password by running this and pasting in the current JWK provisioner password for `admin`
```
read -s secret && (umask 077; echo "$secret" > secret.txt)
read -s secret && (umask 077; echo "$secret" > $(step path)/certs/secret.txt)
```
Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI.
```
cd $(step path)/certs && \
step ca certificate \
@@ -78,6 +63,14 @@ Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT`
```
export RESTIC_CACERT=$(step path)/certs/root_ca.crt
export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem
export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu
export RESTIC_PASSWORD_FILE=$(readlink -f ~/.config/resticprofile/password.txt)
```
Create a test repo through the rest server:
```
restic snapshots
```
### Installing Latest Binary