diff --git a/README.md b/README.md index 397711a..a8a266b 100644 --- a/README.md +++ b/README.md @@ -14,39 +14,6 @@ Connect solely through wireguard to `192.168.1.142` and serve the REST server wi [REST backend](https://restic.readthedocs.io/en/latest/100_references.html#rest-backend) -## Certificates - -[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/) - -Generate a new private key and (public) certificate - -``` -step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin -``` - -One-time setup for Caddy to be able to trust the Janus CA. This creates a symlink for the root CA. - -Check certificate -``` -openssl x509 -noout -subject -issuer -ext extendedKeyUsage -in certs/soteria.crt -``` - -``` -cat certs/soteria.crt certs/soteria.key > $(step path)/certs/soteria.pem -``` - -Add to ~/.bashrc to trust the Janus CA: - -``` -export RESTIC_CACERT=$(step path)/certs/root_ca.crt -``` - -Create a test repo through the rest server: - -``` -restic -r rest:https://soteria.john-stream.com:8443/dev-test --tls-client-cert certs/client_combined.pem init -``` - ## Restic Repos Mounted using a bind mount point in the LXC. 
@@ -57,14 +24,32 @@ https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic ``` -## Restic Clients +## Soteria Certificates + +[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/) + +Generate a new private key and (public) certificate in the right places. This will use the `admin` provisioner. + +``` +step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin +``` + +Check the resultant certificate: + +``` +openssl x509 -noout -subject -issuer -ext extendedKeyUsage -ext subjectAltName -in certs/soteria.crt +``` + +## Clients Set up provisioner password by running this and pasting in the current JWK provisioner password for `admin` ``` -read -s secret && (umask 077; echo "$secret" > secret.txt) +read -s secret && (umask 077; echo "$secret" > $(step path)/certs/secret.txt) ``` +Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI. + ``` cd $(step path)/certs && \ step ca certificate \ @@ -78,6 +63,14 @@ Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT` ``` export RESTIC_CACERT=$(step path)/certs/root_ca.crt export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem +export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu +export RESTIC_PASSWORD_FILE=$(readlink -f ~/.config/resticprofile/password.txt) +``` + +Create a test repo through the rest server: + +``` +restic snapshots ``` ### Installing Latest Binary
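Review bot: in the first hunk (`@@ -14,39 +14,6 @@`) the step `cat certs/soteria.crt certs/soteria.key > $(step path)/certs/soteria.pem` and the note about Caddy trusting the Janus CA are deleted, but neither reappears in the new "Soteria Certificates" section further down. If the REST server or Caddy still consumes the combined `soteria.pem`, that step should move with the rest of the section rather than vanish; since the combined file carries the private key, it also deserves the same `(umask 077; ...)` treatment the patch already gives `secret.txt`.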
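Review bot: in the second hunk (`@@ -57,14 +24,32 @@`) the changed line `read -s secret && (umask 077; echo "$secret" > $(step path)/certs/secret.txt)` leaves the provisioner password sitting in the shell variable `secret` for the rest of the session after the file is written; appending `&& unset secret` would keep the file the only copy. The new prose also says the client key and certificate "will combine them both into a file called `restic.pem`", but the `step ca certificate` invocation that follows is cut off in this hunk, so it is worth confirming the visible command really produces a single combined PEM (the server-side equivalent in the old text needed a separate `cat`).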
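Review bot: in the third hunk (`@@ -78,6 +63,14 @@`) the added heading "Create a test repo through the rest server:" is followed by `restic snapshots`, which only lists snapshots in an existing repository; the command this replaces was `restic ... init`, which actually creates one. Either keep an `restic init` step here or reword the heading to something like "Verify access to the repository". Note also that the new `RESTIC_REPOSITORY` points at `https://soteria.john-stream.com/john-ubuntu` with no port, whereas the deleted example used `:8443/dev-test`; if the port is intentional, a sentence saying the server now listens on 443 would save the next reader a guess.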