reorg

Caddyfile

@@ -2,7 +2,7 @@
     debug
 }
 
-:8443 {
+:443 {
     tls /certs/soteria.crt /certs/soteria.key {
         protocols tls1.3
         client_auth {

README.md

@@ -14,39 +14,6 @@ Connect solely through wireguard to `192.168.1.142` and serve the REST server wi
 
 [REST backend](https://restic.readthedocs.io/en/latest/100_references.html#rest-backend)
 
-## Certificates
-
-[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/)
-
-Generate a new private key and (public) certificate
-
-```
-step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin
-```
-
-One-time setup for Caddy to be able to trust the Janus CA. This creates a symlink for the root CA.
-
-Check certificate
-```
-openssl x509 -noout -subject -issuer -ext extendedKeyUsage -in certs/soteria.crt
-```
-
-```
-cat certs/soteria.crt certs/soteria.key > $(step path)/certs/soteria.pem
-```
-
-Add to ~/.bashrc to trust the Janus CA:
-
-```
-export RESTIC_CACERT=$(step path)/certs/root_ca.crt
-```
-
-Create a test repo through the rest server:
-
-```
-restic -r rest:https://soteria.john-stream.com:8443/dev-test --tls-client-cert certs/client_combined.pem init
-```
-
 ## Restic Repos
 
 Mounted using a bind mount point in the LXC.
@@ -57,14 +24,32 @@ https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points
 pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic
 ```
 
-## Restic Clients
+## Soteria Certificates
+
+[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/)
+
+Generate a new private key and (public) certificate in the right places. This will use the `admin` provisioner.
+
+```
+step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin
+```
+
+Check the resultant certificate:
+
+```
+openssl x509 -noout -subject -issuer -ext extendedKeyUsage -ext subjectAltName -in certs/soteria.crt
+```
+
+## Clients
 
 Set up provisioner password by running this and pasting in the current JWK provisioner password for `admin`
 
 ```
-read -s secret && (umask 077; echo "$secret" > secret.txt)
+read -s secret && (umask 077; echo "$secret" > $(step path)/certs/secret.txt)
 ```
 
+Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI.
+
 ```
 cd $(step path)/certs && \
 step ca certificate \
@@ -78,6 +63,14 @@ Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT`
 ```
 export RESTIC_CACERT=$(step path)/certs/root_ca.crt
 export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem
+export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu
+export RESTIC_PASSWORD_FILE=$(readlink -f ~/.config/resticprofile/password.txt)
+```
+
+Create a test repo through the rest server:
+
+```
+restic snapshots
 ```
 
 ### Installing Latest Binary

docker-compose.yml

@@ -11,7 +11,7 @@ services:
     image: caddy:alpine
     restart: unless-stopped
     ports:
-      - "8443:8443"
+      - "443:443"
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - ./certs/soteria.crt:/certs/soteria.crt:ro