diff --git a/README.md b/README.md index d17d028..aa1a9c4 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ Connect solely through wireguard to `192.168.1.142` and serve the REST server wi ## Restic Repos -`/etc/fstab` entry: +`/etc/fstab` entry on Proxmox host: + ``` john-nas:/volume1/restic /mnt/nfs/restic nfs nofail,_netdev,x-systemd.automount,x-systemd.idle-timeout=600,timeo=14,retrans=3,hard,tcp,nfsvers=3 0 0 ``` @@ -36,27 +37,41 @@ pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic Generate a new private key and (public) certificate in the right places. This will use the `admin` provisioner. ``` -step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin +export HOSTNAME=$(hostname -s) && \ +export DOMAIN="john-stream.com" && \ +export CERT_DIR="/var/lib/tls" && \ +export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1) +``` + +``` +(umask 077; mkdir -p "$CERT_DIR") && cd "$CERT_DIR" && \ +step ca root root_ca.crt && \ +step ca certificate "$HOSTNAME" cert.pem key.pem \ + --san "$HOSTNAME" \ + --san "$HOSTNAME.$DOMAIN" \ + --san "$IP_ADDRESS" \ + --san spiffe://john-stream.com/role/docker-agent \ + --provisioner admin +``` + +Convert the key for Envoy to use: + +``` +(umask 027; openssl pkcs8 -topk8 -nocrypt -in key.pem -out key_pkcs8.pem) ``` Check the resultant certificate: ``` -openssl x509 -noout -subject -issuer -ext extendedKeyUsage -ext subjectAltName -in certs/soteria.crt +openssl x509 -noout -subject -issuer -ext extendedKeyUsage,subjectAltName -in /var/lib/tls/cert.pem ``` -Set up renewal +## Envoy Proxy -```bash -sudo ./scripts/install_services.sh -``` - -Test renewal - -``` -systemctl start cert-renewer.service && \ -systemctl status cert-renewer.service --no-pager && \ +Validate config: +```shell +docker compose run -it --rm envoy --mode validate -c /etc/envoy/envoy.yaml ``` ## Clients @@ -71,12 +86,16 @@ curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/setu curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/check_status.sh | bash ``` +```bash +curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/wizard_setup.sh | bash +``` + ### Manual Setup Set up provisioner password by running this and pasting in the current JWK provisioner password for `admin` ``` -read -s secret && (umask 077; echo "$secret" > $(step path)/certs/secret.txt) +(umask 077; read -s secret && echo "$secret" > $(step path)/certs/secret.txt && unset secret) ``` Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI. @@ -86,15 +105,15 @@ cd $(step path)/certs && \ step ca certificate \ --provisioner admin --password-file secret.txt \ $(hostnamectl hostname) restic.crt restic.key && \ -(umask 077; cat restic.crt restic.key > restic.pem) +(umask 077; cat restic.{crt,key} > restic.pem) ``` Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT` to work. ``` -export RESTIC_CACERT=$(step path)/certs/root_ca.crt -export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem -export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu +export RESTIC_CACERT=$(step path)/certs/root_ca.crt && \ +export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem && \ +export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu && \ export RESTIC_PASSWORD_FILE=$(readlink -f ~/.config/resticprofile/password.txt) ``` @@ -106,6 +125,8 @@ restic snapshots ### Installing Latest Binary +Do this in case the restic version from apt is too old. + ``` curl -s https://api.github.com/repos/restic/restic/releases/latest | grep tag_name ```