From bc9c2a97a5047e961a809b5b0885cca5e3cc47f4 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 28 Dec 2025 14:51:38 -0600
Subject: [PATCH] named key files

---
 Caddyfile | 2 +-
 README.md | 14 +++++++++++++-
 docker-compose.yml | 4 +++-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/Caddyfile b/Caddyfile
index 6b6f006..1e5ef9c 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -3,7 +3,7 @@
 }
 
 :8443 {
- tls /certs/foo.crt /certs/foo.key {
+ tls /certs/soteria.crt /certs/soteria.key {
 protocols tls1.3
 client_auth {
 mode require_and_verify
diff --git a/README.md b/README.md
index ad82e0e..95562bc 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,12 @@ Generate a new private key and (public) certificate
 step ca certificate soteria.john-stream.com certs/foo.crt certs/foo.key --provisioner admin
 ```
 
+One-time setup for Caddy to be able to trust the Janus CA. This creates a symlink for the root CA.
+
+```
+ln -s $(step path)/certs/root_ca.crt certs/root_ca.crt
+```
+
 Check certificate
 ```
 openssl x509 -in certs/foo.crt -noout -subject -issuer -ext extendedKeyUsage
@@ -57,11 +63,17 @@ pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic
 
 ## Restic Clients
 
+```
+cd $(step path)/certs && \
+step ca certificate --provisioner admin $USER@$HOSTNAME restic.crt restic.key && \
+(umask 077; cat restic.crt restic.key > restic.pem)
+```
+
 Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT` to work.
 
 ```
 export RESTIC_CACERT=$(step path)/certs/root_ca.crt
-export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/soteria.pem
+export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem
 ```
 
 ### Installing Latest Binary
diff --git a/docker-compose.yml b/docker-compose.yml
index 4665d0b..0edefa5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
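Review bot: The unchanged context lines of the first README hunk still generate and inspect `certs/foo.crt`/`certs/foo.key` (`step ca certificate soteria.john-stream.com certs/foo.crt certs/foo.key --provisioner admin` and `openssl x509 -in certs/foo.crt ...`), while the Caddyfile hunk now loads `/certs/soteria.crt`/`/certs/soteria.key` and docker-compose.yml bind-mounts `./certs/soteria.*`, so a reader following the README produces files that are never mounted. Change both lines to the new names: `step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin` and `openssl x509 -in certs/soteria.crt -noout -subject -issuer -ext extendedKeyUsage`. The added `ln -s $(step path)/certs/root_ca.crt certs/root_ca.crt` step also looks redundant with the same commit's docker-compose.yml hunk, which mounts `${HOME}/.step/certs/root_ca.crt` into the container directly and no longer mounts `./certs` as a directory, so the symlink is not what the container reads; either drop that paragraph or state which of the two is authoritative.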
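Review bot: In the second README hunk the `umask 077` subshell covers only the concatenated `restic.pem`; `restic.crt` and `restic.key` written by the preceding `step ca certificate` call get whatever mode step-cli applies, so the key file may end up more permissive than the pem it is copied into (unless step-cli restricts key permissions itself, which this patch does not show). Wrapping the whole chain applies one policy to all three files and also keeps the reader's shell in its original directory: `(umask 077; cd $(step path)/certs && step ca certificate --provisioner admin $USER@$HOSTNAME restic.crt restic.key && cat restic.crt restic.key > restic.pem)`. A sentence before the block saying that `restic.pem` contains the private key would help, since a `.pem` file is easily mistaken for public material.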
@@ -14,6 +14,8 @@ services:
 - "8443:8443"
 volumes:
 - ./Caddyfile:/etc/caddy/Caddyfile:ro
- - ./certs:/certs:ro
+ - ./certs/soteria.crt:/certs/soteria.crt:ro
+ - ./certs/soteria.key:/certs/soteria.key:ro
+ - ${HOME}/.step/certs/root_ca.crt:/certs/root_ca.crt:ro
 depends_on:
 - rest-server
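Review bot: The new `${HOME}/.step/certs/root_ca.crt` mount resolves `HOME` from the environment of whoever runs `docker compose` (root via sudo, a systemd unit, CI), not the user who ran `step ca bootstrap`, and an unset variable is substituted as an empty string, giving a mount source of `/.step/certs/root_ca.crt` that only fails at `up` time; `${HOME:?HOME must be set}` or a dedicated variable such as `${STEP_ROOT_CA:?set to the step root_ca.crt path}` makes that failure mode explicit. Replacing the `./certs` directory mount with per-file mounts of `soteria.crt`/`soteria.key` also changes renewal behaviour: a single-file bind mount tracks the inode, so if whatever rotates the certificate replaces the file rather than rewriting it in place, the container keeps the old certificate until it is recreated — presumably acceptable here, but worth a comment next to these lines, e.g. `# single-file mounts: recreate the container after the cert files are replaced`.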