[Soteria]

Soteria: https://en.wikipedia.org/wiki/Soteria_(mythology)

In Greek mythology, Soteria (Greek: Σωτηρία) was the goddess or spirit (daimon) of safety and salvation, deliverance, and preservation from harm

Intent

Connect solely through wireguard to 192.168.1.142 and serve the REST server with a certificate signed by Janus.

Restic REST Server

restic / rest-server

REST backend

Restic Repos

/etc/fstab entry on Proxmox host:

john-nas:/volume1/restic  /mnt/nfs/restic  nfs  nofail,_netdev,x-systemd.automount,x-systemd.idle-timeout=600,timeo=14,retrans=3,hard,tcp,nfsvers=3  0  0

Mounted using a bind mount point in the LXC.

https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points

pct set 103 -mp0 /mnt/nfs/restic,mp=/mnt/restic

Soteria Certificates

Certificate Renewal

Generate a new private key and (public) certificate in the right places. This will use the admin provisioner.

export HOSTNAME=$(hostname -s) && \
export DOMAIN="john-stream.com" && \
export CERT_DIR="/var/lib/tls" && \
export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1)

(umask 077; mkdir -p "$CERT_DIR") && cd "$CERT_DIR" && \
step ca root root_ca.crt && \
step ca certificate "$HOSTNAME" cert.pem key.pem \
    --san "$HOSTNAME" \
    --san "$HOSTNAME.$DOMAIN" \
    --san "$IP_ADDRESS" \
    --san spiffe://john-stream.com/role/docker-agent \
    --provisioner admin

Convert the key for Envoy to use:

(umask 027; openssl pkcs8 -topk8 -nocrypt -in key.pem -out key_pkcs8.pem)

Check the resultant certificate:

openssl x509 -noout -subject -issuer -ext extendedKeyUsage,subjectAltName -in /var/lib/tls/cert.pem

Envoy Proxy

Validate config:

docker compose run -it --rm envoy --mode validate -c /etc/envoy/envoy.yaml

Clients

To set up a client, run the following command. It will prompt for the provisioner password and the repository name.

curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/setup_client.sh | bash

curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/check_status.sh | bash

curl -sL https://gitea.john-stream.com/john/soteria/raw/branch/main/scripts/wizard_setup.sh | bash

Manual Setup

Set up provisioner password by running this and pasting in the current JWK provisioner password for admin

export HOSTNAME=$(hostname -s) && \
export DOMAIN="john-stream.com" && \
export CERT_DIR="/var/lib/tls" && \
export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1) && \
(umask 077; mkdir -p "$CERT_DIR" && cd "$CERT_DIR" && \
step ca root root_ca.crt && \
step ca certificate "$HOSTNAME" cert.pem key.pem \
    --san "$HOSTNAME" \
    --san "$HOSTNAME.$DOMAIN" \
    --san "$IP_ADDRESS" \
    --san spiffe://john-stream.com/role/docker-agent \
    --provisioner admin && \
cat {cert,key}.pem > restic.pem) && \
chmod 644 cert.pem root_ca.crt

Need restic 0.16+ for the env vars RESTIC_CACERT and RESTIC_TLS_CLIENT_CERT to work.

export RESTIC_CACERT=$(step path)/certs/root_ca.crt && \
export RESTIC_TLS_CLIENT_CERT=$(step path)/certs/restic.pem && \
export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/john-ubuntu && \
export RESTIC_PASSWORD_FILE=$(readlink -f ~/.config/resticprofile/password.txt)

Create a test repo through the rest server:

restic snapshots

Installing Latest Binary

Do this in case the restic version from apt is too old.

curl -s https://api.github.com/repos/restic/restic/releases/latest | grep tag_name

wget -O restic.bz2 https://github.com/restic/restic/releases/download/v0.18.1/restic_0.18.1_linux_amd64.bz2 && \
bunzip2 restic.bz2 && \
chmod +x restic && \
sudo mv restic /usr/local/bin/ && \
restic version