Compare commits
7 Commits
586c4b47bc
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
2bbf9b3f53 | ||
|
|
86339f5115 | ||
|
|
5b55b02a76 | ||
|
|
d7cb02f506 | ||
|
|
3ca2a092fd | ||
|
|
5e52facc5c | ||
|
|
7914368111 |
78
README.md
78
README.md
@@ -16,7 +16,8 @@ Connect solely through wireguard to `192.168.1.142` and serve the REST server wi
|
||||
|
||||
## Restic Repos
|
||||
|
||||
`/etc/fstab` entry:
|
||||
`/etc/fstab` entry on Proxmox host:
|
||||
|
||||
```
|
||||
john-nas:/volume1/restic /mnt/nfs/restic nfs nofail,_netdev,x-systemd.automount,x-systemd.idle-timeout=600,timeo=14,retrans=3,hard,tcp,nfsvers=3 0 0
|
||||
```
|
||||
@@ -36,27 +37,41 @@ pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic
|
||||
Generate a new private key and (public) certificate in the right places. This will use the `admin` provisioner.
|
||||
|
||||
```
|
||||
step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin
|
||||
export HOSTNAME=$(hostname -s) && \
|
||||
export DOMAIN="john-stream.com" && \
|
||||
export CERT_DIR="/var/lib/tls" && \
|
||||
export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1)
|
||||
```
|
||||
|
||||
```
|
||||
(umask 077; mkdir -p "$CERT_DIR") && cd "$CERT_DIR" && \
|
||||
step ca root root_ca.crt && \
|
||||
step ca certificate "$HOSTNAME" cert.pem key.pem \
|
||||
--san "$HOSTNAME" \
|
||||
--san "$HOSTNAME.$DOMAIN" \
|
||||
--san "$IP_ADDRESS" \
|
||||
--san spiffe://john-stream.com/role/docker-agent \
|
||||
--provisioner admin
|
||||
```
|
||||
|
||||
Convert the key for Envoy to use:
|
||||
|
||||
```
|
||||
(umask 027; openssl pkcs8 -topk8 -nocrypt -in key.pem -out key_pkcs8.pem)
|
||||
```
|
||||
|
||||
Check the resultant certificate:
|
||||
|
||||
```
|
||||
openssl x509 -noout -subject -issuer -ext extendedKeyUsage -ext subjectAltName -in certs/soteria.crt
|
||||
openssl x509 -noout -subject -issuer -ext extendedKeyUsage,subjectAltName -in /var/lib/tls/cert.pem
|
||||
```
|
||||
|
||||
Set up renewal
|
||||
## Envoy Proxy
|
||||
|
||||
```bash
|
||||
sudo ./scripts/install_services.sh
|
||||
```
|
||||
|
||||
Test renewal
|
||||
|
||||
```
|
||||
systemctl start cert-renewer.service && \
|
||||
systemctl status cert-renewer.service --no-pager && \
|
||||
Validate config:
|
||||
|
||||
```shell
|
||||
docker compose run -it --rm envoy --mode validate -c /etc/envoy/envoy.yaml
|
||||
```
|
||||
|
||||
## Clients
|
||||
@@ -71,30 +86,37 @@ curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/setu
|
||||
curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/check_status.sh | bash
|
||||
```
|
||||
|
||||
```bash
|
||||
curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/wizard_setup.sh | bash
|
||||
```
|
||||
|
||||
### Manual Setup
|
||||
|
||||
Set up provisioner password by running this and pasting in the current JWK provisioner password for `admin`
|
||||
|
||||
```
|
||||
read -s secret && (umask 077; echo "$secret" > $(step path)/certs/secret.txt)
|
||||
```
|
||||
|
||||
Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI.
|
||||
|
||||
```
|
||||
cd $(step path)/certs && \
|
||||
step ca certificate \
|
||||
--provisioner admin --password-file secret.txt \
|
||||
$(hostnamectl hostname) restic.crt restic.key && \
|
||||
(umask 077; cat restic.crt restic.key > restic.pem)
|
||||
export HOSTNAME=$(hostname -s) && \
|
||||
export DOMAIN="john-stream.com" && \
|
||||
export CERT_DIR="/var/lib/tls" && \
|
||||
export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1) && \
|
||||
(umask 077; mkdir -p "$CERT_DIR" && cd "$CERT_DIR" && \
|
||||
step ca root root_ca.crt && \
|
||||
step ca certificate "$HOSTNAME" cert.pem key.pem \
|
||||
--san "$HOSTNAME" \
|
||||
--san "$HOSTNAME.$DOMAIN" \
|
||||
--san "$IP_ADDRESS" \
|
||||
--san spiffe://john-stream.com/role/docker-agent \
|
||||
--provisioner admin && \
|
||||
cat {cert,key}.pem > restic.pem) && \
|
||||
chmod 644 cert.pem root_ca.crt
|
||||
```
|
||||
|
||||
Need restic 0.16+ for the env vars `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT` to work.
|
||||
|
||||
```
|
||||
export RESTIC_CACERT=$(step path)/certs/root_ca.crt
|
||||
export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem
|
||||
export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu
|
||||
export RESTIC_CACERT=$(step path)/certs/root_ca.crt && \
|
||||
export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem && \
|
||||
export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu && \
|
||||
export RESTIC_PASSWORD_FILE=$(readlink -f ~/.config/resticprofile/password.txt)
|
||||
```
|
||||
|
||||
@@ -106,6 +128,8 @@ restic snapshots
|
||||
|
||||
### Installing Latest Binary
|
||||
|
||||
Do this in case the restic version from apt is too old.
|
||||
|
||||
```
|
||||
curl -s https://api.github.com/repos/restic/restic/releases/latest | grep tag_name
|
||||
```
|
||||
|
||||
@@ -17,7 +17,7 @@ services:
|
||||
- "443:10000"
|
||||
volumes:
|
||||
- ./envoy.yaml:/etc/envoy/envoy.yaml:ro
|
||||
- ./access.log:/var/log/envoy/access.log
|
||||
- /var/lib/tls:/certs
|
||||
- ./access.log:/var/log/envoy/access.log
|
||||
depends_on:
|
||||
- rest-server
|
||||
|
||||
32
envoy.yaml
32
envoy.yaml
@@ -27,7 +27,7 @@ static_resources:
|
||||
prefix: spiffe://john-stream.com # (2)!
|
||||
tls_certificates:
|
||||
- certificate_chain: { filename: /certs/cert.pem }
|
||||
private_key: { filename: /certs/envoy.pem } # (3)!
|
||||
private_key: { filename: /certs/key_pkcs8.pem } # (3)!
|
||||
# --8<-- [end:transport_socket]
|
||||
filters:
|
||||
- name: envoy.filters.network.http_connection_manager
|
||||
@@ -49,7 +49,7 @@ static_resources:
|
||||
name: local_route
|
||||
virtual_hosts:
|
||||
- name: local_service
|
||||
domains: ["*.john-stream.com"]
|
||||
domains: ["*"]
|
||||
routes:
|
||||
- match:
|
||||
prefix: "/"
|
||||
@@ -64,18 +64,42 @@ static_resources:
|
||||
rules:
|
||||
action: ALLOW
|
||||
policies:
|
||||
"test_policy":
|
||||
"ubuntu-policy":
|
||||
permissions:
|
||||
- and_rules:
|
||||
rules:
|
||||
- header:
|
||||
name: ":path"
|
||||
string_match:
|
||||
prefix: "/dev-test"
|
||||
prefix: "/john-ubuntu"
|
||||
principals:
|
||||
- authenticated:
|
||||
principal_name:
|
||||
exact: "spiffe://john-stream.com/ubuntu"
|
||||
"p14-policy":
|
||||
permissions:
|
||||
- and_rules:
|
||||
rules:
|
||||
- header:
|
||||
name: ":path"
|
||||
string_match:
|
||||
prefix: "/john-p14s"
|
||||
principals:
|
||||
- authenticated:
|
||||
principal_name:
|
||||
exact: "spiffe://john-stream.com/john-p14s"
|
||||
"gitea-policy":
|
||||
permissions:
|
||||
- and_rules:
|
||||
rules:
|
||||
- header:
|
||||
name: ":path"
|
||||
string_match:
|
||||
prefix: "/gitea"
|
||||
principals:
|
||||
- authenticated:
|
||||
principal_name:
|
||||
exact: "spiffe://john-stream.com/gitea"
|
||||
# --8<-- [end:rbac]
|
||||
- name: envoy.filters.http.router
|
||||
typed_config:
|
||||
|
||||
@@ -22,9 +22,9 @@ print_status() {
|
||||
|
||||
EXIT_CODE=0
|
||||
|
||||
CERTS_DIR="$(readlink -f ~/.step/certs)"
|
||||
SERVER_CERT="$CERTS_DIR/restic.crt"
|
||||
SERVER_KEY="$CERTS_DIR/restic.key"
|
||||
CERTS_DIR="/var/lib/tls"
|
||||
SERVER_CERT="$CERTS_DIR/cert.pem"
|
||||
SERVER_KEY="$CERTS_DIR/key.pem"
|
||||
TIMER_NAME="cert-renewer.timer"
|
||||
|
||||
# 1. Check Certificates Existence
|
||||
|
||||
Reference in New Issue
Block a user