named key files

Caddyfile

@@ -3,7 +3,7 @@
 }
 
 :8443 {
-    tls /certs/foo.crt /certs/foo.key {
+    tls /certs/soteria.crt /certs/soteria.key {
         protocols tls1.3
         client_auth {
             mode require_and_verify

README.md

@@ -24,6 +24,12 @@ Generate a new private key and (public) certificate
 step ca certificate soteria.john-stream.com certs/foo.crt certs/foo.key --provisioner admin
 ```
 
+One-time setup for Caddy to be able to trust the Janus CA. This creates a symlink for the root CA.
+
+```
+ln -s $(step path)/certs/root_ca.crt certs/root_ca.crt
+```
+
 Check certificate
 ```
 openssl x509 -in certs/foo.crt -noout -subject -issuer -ext extendedKeyUsage
@@ -57,11 +63,17 @@ pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic
 
 ## Restic Clients
 
+```
+cd $(step path)/certs && \
+step ca certificate --provisioner admin $USER@$HOSTNAME restic.crt restic.key && \
+(umask 077; cat restic.crt restic.key > restic.pem)
+```
+
 Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT` to work.
 
 ```
 export RESTIC_CACERT=$(step path)/certs/root_ca.crt
-export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/soteria.pem
+export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem
 ```
 
 ### Installing Latest Binary

docker-compose.yml

@@ -14,6 +14,8 @@ services:
       - "8443:8443"
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro
-      - ./certs:/certs:ro
+      - ./certs/soteria.crt:/certs/soteria.crt:ro
+      - ./certs/soteria.key:/certs/soteria.key:ro
+      - ${HOME}/.step/certs/root_ca.crt:/certs/root_ca.crt:ro
     depends_on:
       - rest-server