soteria/README.md
John Lancaster b5998954ab more notes
2025-12-28 18:21:11 -06:00

# [Soteria](https://en.wikipedia.org/wiki/Soteria_(mythology))
> In Greek mythology, Soteria (Greek: Σωτηρία) was the goddess or spirit (daimon) of safety and salvation, deliverance, and preservation from harm
## Intent
Connect solely through WireGuard to `192.168.1.142` and serve the REST server with a certificate signed by Janus.
## Restic REST Server
[restic / **rest-server**](https://github.com/restic/rest-server)
[REST backend](https://restic.readthedocs.io/en/latest/100_references.html#rest-backend)
## Restic Repos
`/etc/fstab` entry:
```
john-nas:/volume1/restic /mnt/nfs/restic nfs nofail,_netdev,x-systemd.automount,x-systemd.idle-timeout=600,timeo=14,retrans=3,hard,tcp,nfsvers=3 0 0
```
Mounted using a bind mount point in the LXC.
https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points
```
pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic
```
## Soteria Certificates
[Certificate Renewal](https://smallstep.com/docs/step-ca/renewal/)
Generate a new private key and (public) certificate in the right places. This will use the `admin` provisioner.
```
step ca certificate soteria.john-stream.com certs/soteria.crt certs/soteria.key --provisioner admin
```
Check the resultant certificate:
```
openssl x509 -noout -subject -issuer -ext extendedKeyUsage -ext subjectAltName -in certs/soteria.crt
```
Set up renewal:
```bash
sudo ./scripts/install_services.sh
```
Test renewal:
```
systemctl start cert-renewer.service && \
systemctl status cert-renewer.service --no-pager
```
## Clients
To set up a client, run the following command. It will prompt for the provisioner password and the repository name.
```bash
curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/setup_client.sh | bash
```
To check a client's status afterwards:
```bash
curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/check_status.sh | bash
```
### Manual Setup
Store the provisioner password by running this and pasting in the current JWK provisioner password for `admin`:
```
read -s secret && (umask 077; echo "$secret" > "$(step path)/certs/secret.txt")
```
Generate the client TLS private key and (public) certificate for mTLS. This will combine them both into a file called `restic.pem`, which can be used with the `--tls-client-cert` option with the restic CLI.
```
cd "$(step path)/certs" && \
step ca certificate \
--provisioner admin --password-file secret.txt \
$(hostnamectl hostname) restic.crt restic.key && \
(umask 077; cat restic.crt restic.key > restic.pem)
```
restic 0.16 or newer is needed for the `RESTIC_CACERT` and `RESTIC_TLS_CLIENT_CERT` environment variables to be honoured.
```
export RESTIC_CACERT=$(step path)/certs/root_ca.crt
export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem
export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu
export RESTIC_PASSWORD_FILE=$(readlink -f ~/.config/resticprofile/password.txt)
```
Create a test repo through the REST server:
```
restic snapshots
```
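As an added example (not one of soteria's own scripts, whose contents are not shown here), the function below applies the checks a client operator would want on the `restic.pem` bundle the manual setup produces, going beyond the one-line `openssl x509` inspection used for the server certificate above: file mode, chain to `root_ca.crt` with the TLS-client purpose, `clientAuth` in the extended key usage, key/certificate match, and days of validity left. `make_sample_pki` is a constructed stand-in for what `step ca certificate` would issue, so the check can be exercised without access to Janus; it assumes openssl 1.1.1 or newer is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not part of soteria): sanity-check a restic mTLS client bundle
# laid out as in the manual setup (restic.pem = certificate followed by its key,
# root_ca.crt = the CA that signed it). Assumes openssl 1.1.1+ on PATH.
set -u

# check_client_bundle BUNDLE CAFILE [MIN_DAYS]
# Returns 0 only when all of the following hold:
#   - BUNDLE is mode 600/400 (it holds a private key)
#   - the certificate chains to CAFILE and passes the "sslclient" purpose check
#   - its extendedKeyUsage contains clientAuth
#   - the private key in the bundle belongs to the certificate
#   - the certificate stays valid for at least MIN_DAYS more days (default 7)
check_client_bundle() {
  bundle=$1; cafile=$2; min_days=${3:-7}
  [ -r "$bundle" ] && [ -r "$cafile" ] \
    || { echo "check: cannot read $bundle or $cafile" >&2; return 1; }

  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c %a "$bundle" 2>/dev/null || stat -f %Lp "$bundle")
  case "$mode" in
    600|400) ;;
    *) echo "check: $bundle has mode $mode, expected 600 (it contains a private key)" >&2; return 1 ;;
  esac

  openssl verify -CAfile "$cafile" -purpose sslclient "$bundle" >/dev/null 2>&1 \
    || { echo "check: certificate does not chain to $cafile as a TLS client cert" >&2; return 1; }

  openssl x509 -in "$bundle" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "check: extendedKeyUsage lacks clientAuth" >&2; return 1; }

  # Compare the public key embedded in the cert with the one derived from the key block.
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey)
  key_pub=$(sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' "$bundle" \
            | openssl pkey -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "check: private key in bundle does not match the certificate" >&2; return 1; }

  # -checkend exits non-zero if the cert expires within the given number of seconds
  openssl x509 -in "$bundle" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "check: certificate expires within $min_days days; renew it" >&2; return 1; }

  echo "check: $bundle OK"
}

# make_sample_pki: constructed throw-away CA plus a 30-day client bundle in a temp
# directory, standing in for what `step ca certificate` issues. Prints the directory.
make_sample_pki() {
  d=$(mktemp -d)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 \
    -subj "/CN=Constructed Root CA" -addext keyUsage=critical,keyCertSign,cRLSign \
    -keyout "$d/root_ca.key" -out "$d/root_ca.crt" >/dev/null 2>&1
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=client-host" -keyout "$d/restic.key" -out "$d/restic.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:client-host\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/restic.csr" -CA "$d/root_ca.crt" -CAkey "$d/root_ca.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -out "$d/restic.crt" >/dev/null 2>&1
  # same layout as the manual setup: cert first, then key, mode 600
  (umask 077; cat "$d/restic.crt" "$d/restic.key" > "$d/restic.pem")
  echo "$d"
}

# Run directly: check_client_bundle.sh BUNDLE CAFILE [MIN_DAYS]
if [ "$#" -ge 2 ]; then check_client_bundle "$@"; fi
```

On a real client, run it as `check_client_bundle.sh "$(step path)/certs/restic.pem" "$(step path)/certs/root_ca.crt" 7`; a non-zero exit with the printed reason is the cue to re-run the certificate step before the next backup fails with a TLS handshake error.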
### Installing Latest Binary
Find the tag of the latest release:
```
curl -s https://api.github.com/repos/restic/restic/releases/latest | grep tag_name
```
Download and install that release (the URL below pins v0.18.1), then confirm the installed version:
```
wget -O restic.bz2 https://github.com/restic/restic/releases/download/v0.18.1/restic_0.18.1_linux_amd64.bz2 && \
bunzip2 restic.bz2 && \
chmod +x restic && \
sudo mv restic /usr/local/bin/ && \
restic version
```