reorg

changed default port
2025-12-28 16:05:16 -06:00 · 2025-12-28 16:04:43 -06:00
3 changed files with 30 additions and 37 deletions
--- a/2
+++ b/2
@@ -2,7 +2,7 @@
    debug
 }

-:8443 {
+:443 {
    tls /certs/soteria.crt /certs/soteria.key {
        protocols tls1.3
        client_auth {
--- a/README.md
+++ b/README.md
@@ -14,39 +14,6 @@ Connect solely through wireguard to `192.168.1.142` and serve the REST server wi

 [REST backend](https://restic.readthedocs.io/en/latest/100_references.html#rest-backend)

-## Certificates
-
-[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/)
-
-Generate a new private key and (public) certificate
-
-```
-step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin
-```
-
-One-time setup for Caddy to be able to trust the Janus CA. This creates a symlink for the root CA.
-
-Check certificate
-```
-openssl x509 -noout -subject -issuer -ext extendedKeyUsage -in certs/soteria.crt
-```
-
-```
-cat certs/soteria.crt certs/soteria.key > $(step path)/certs/soteria.pem
-```
-
-Add to ~/.bashrc to trust the Janus CA:
-
-```
-export RESTIC_CACERT=$(step path)/certs/root_ca.crt
-```
-
-Create a test repo through the rest server:
-
-```
-restic -r rest:https://soteria.john-stream.com:8443/dev-test --tls-client-cert certs/client_combined.pem init
-```
-
 ## Restic Repos

 Mounted using a bind mount point in the LXC.
@@ -57,14 +24,32 @@ https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points
 pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic
 ```

-## Restic Clients
+## Soteria Certificates
+
+[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/)
+
+Generate a new private key and (public) certificate in the right places. This will use the `admin` provisioner.
+
+```
+step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin
+```
+
+Check the resultant certificate:
+
+```
+openssl x509 -noout -subject -issuer -ext extendedKeyUsage -ext subjectAltName -in certs/soteria.crt
+```
+
+## Clients

 Set up provisioner password by running this and pasting in the current JWK provisioner password for `admin`

 ```
-read -s secret && (umask 077; echo "$secret" > secret.txt)
+read -s secret && (umask 077; echo "$secret" > $(step path)/certs/secret.txt)
 ```

+Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI.
+
 ```
 cd $(step path)/certs && \
 step ca certificate \
@@ -78,6 +63,14 @@ Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT`
 ```
 export RESTIC_CACERT=$(step path)/certs/root_ca.crt
 export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem
+export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu
+export RESTIC_PASSWORD_FILE=$(readlink -f ~/.config/resticprofile/password.txt)
+```
+
+Create a test repo through the rest server:
+
+```
+restic snapshots
 ```

 ### Installing Latest Binary
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,7 @@ services:
    image: caddy:alpine
    restart: unless-stopped
    ports:
-      - "8443:8443"
+      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./certs/soteria.crt:/certs/soteria.crt:ro
Author	SHA1	Message	Date
John Lancaster	43f898a2db	reorg	2025-12-28 16:05:16 -06:00
John Lancaster	0584fb4865	changed default port	2025-12-28 16:04:43 -06:00