update dirs

2025-06-20 00:52:46 +00:00
parent d231294b15
commit 526683319b
6 changed files with 97 additions and 28 deletions
--- a/mkdocs/docs/coding/oxpasta.md
+++ b/mkdocs/docs/coding/oxpasta.md
--- a/mkdocs/docs/coding/r53-ddns.md
+++ b/mkdocs/docs/coding/r53-ddns.md
--- a/mkdocs/docs/index.md
+++ b/mkdocs/docs/index.md
@@ -26,13 +26,17 @@ Nothing.
 It made sense if I blended "Ruskonator" (an old nickname) with Input/Output (IO).
 The same goes for "rskntroot", it's a mix of that same nickname and "root".

-## Coding
+## Code

-Currently, this is an unorganized list of things I have spent many of what corporate America refers to as "cycles" on.
+Some code that I have spent many of what corporate America refers to as "cycles" on.
+
+## Notes
+
+References to information that I have found myself revisiting.

 ## Projects

-Currently, the same as "coding".
+An unorganized list of guides and project ideas that I have taken the time to document.

 ## Storage

--- a/mkdocs/docs/projects/linux.md
+++ b/mkdocs/docs/projects/linux.md
--- a/mkdocs/docs/projects/network.md
+++ b/mkdocs/docs/projects/network.md
@@ -89,20 +89,23 @@ Welcome to my recommended HomeLab network setup! Here’s a breakdown of the key
 ### Cameras

 **Unifi [G5 Bullet](https://techspecs.ui.com/unifi/cameras-nvrs/uvc-g5-bullet)**
+
 - 4MP resolution, HDR, AI motion detection.

 ---

 ## Network Attached Storage

-#### 6-Bay NAS
+=== "6-Bay NAS"

    **UGREEN [DXP6800 PRO](https://www.ugreen.com/collections/nas-storage/products/ugreen-nasync-dxp6800-pro-nas-storage)**
+
    - See [Personal NAS](../storage/personal_nas.md) for setup details.

-#### 8-Bay NAS
+=== "8-Bay NAS"

    **UGREEN [DXP9800 PRO](https://www.ugreen.com/collections/nas-storage/products/ugreen-nasync-dxp8800-plus-nas-storage)**
+
    - See [Enterprise NAS](../storage/soho_nas.md) for more details.

 ---
--- a/mkdocs/docs/projects/step_ca.md
+++ b/mkdocs/docs/projects/step_ca.md
@@ -4,7 +4,17 @@ An internal CA and ACME Provider.

 ## Brief

-Step can do more, but lets configure the basics.
+Guide to setup a internal Certificate Authority and ACME Provider
+ for issuing trusted TLS certs for internal sites.
+ This is useful for both traefik certificateResolver or kubernetes ClusterIssuer.
+ Step can do more, but lets configure the basics.
+
+- by `rskntroot` on `2025-06-18`
+
+## Assumptions
+
+- An Internal DNS server is configured and accessible.
+- Debian is your choice for the ACME/CA server install.

 ## Install

@@ -28,36 +38,76 @@ apt-get update && apt-get -y install step-cli step-ca
 echo 'some-password' > secret
 ```

-=== Config
+=== "Config"

-  ``` bash
-  step ca init \
-  --deployment-type standalone \
-  --name ${CA_NAME} \
-  --dns=${CA_DNS_NAMES} \
-  --address 0.0.0.0:5001 \
-  --provisioner ${CA_EMAIL} \
-  --password-file ./secret
-  ```
+    ``` bash
+    step ca init \
+    --deployment-type standalone \
+    --name ${CA_NAME} \
+    --dns=${CA_DNS_NAMES} \
+    --address "0.0.0.0:5001" \
+    --provisioner ${CA_EMAIL} \
+    --password-file ./secret
+    ```

-=== Example
+=== "Example"

-  ``` bash
-  step ca init \
-  --deployment-type standalone \
-  --name rskio \
-  --dns=rskio.com,rskntr.com \
-  --address 0.0.0.0:5001 \
-  --provisioner dev@rskio.com \
-  --password-file ./secret
-  ```
+    ``` bash
+    step ca init \
+    --deployment-type standalone \
+    --name rskio \
+    --dns=rskio.com,rskntr.com \
+    --address "0.0.0.0:5001" \
+    --provisioner dev@rskio.com \
+    --password-file ./secret
+    ```

 ``` bash
 step ca provisioner add dev --type ACME
+mv secret /root/.step/config/.
 ```

 ## Service

+``` bash
+vi /root/.step/step.service
+```
+
+paste the following and save with `[ESC] [:] [x] [ENTER]`
+
+``` toml
+[Unit]
+Description=Step CA & ACME Provider
+After=network-online.target
+Requires=network-online.target
+
+[Service]
+Type=simple
+RemainAfterExit=yes
+ExecStart=/usr/bin/step-ca /root/.step/config/ca.json --password-file /root/.step/config/secret
+User=root
+
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target
+```
+
+``` bash
+ln -s /root/.step/step.service /etc/systemd/system/.
+systemctl daemon-reload
+systemctl enable --now step.service
+systemctl status step.service
+```
+
+``` bash
+ss -pnlt | grep 5001
+curl -k https://localhost:5001/acme/dev/directory
+```
+
+you should see your service logs showing it is listening on port `:5001` and see the contents of the webpage from `curl`
+
 ## Certificates

 ### Trust
@@ -67,7 +117,9 @@ cat ~/.step/certs/root_ca.crt
 cat ~/.step/certs/intermediate_ca.crt
 ```

-save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing
+save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing.
+
+you should now be able to browse to your sites without warning

 ### ClusterIssuer

@@ -75,7 +127,7 @@ save and install the files into the trusted certificates on your endpoint and en
 cat .step/certs/root_ca.crt | base64 -w0
 ```

-use output in the spec.
+use above output under `spec.acme.caBundle`

 ``` yaml
 apiVersion: cert-manager.io/v1
@@ -95,3 +147,13 @@ spec:
          ingress:
            class: traefik
 ```
+
+## FAQs
+
+> Why didnt you containerize this?
+
+Because I have multiple kubernetes clusters.
+ Running this on a separate machine means that I don't have to install a `rootCA.pem` for each cluster instance.
+ You might say "yeah, but you can specify the rootCA as an input to step CA"--but who wants to key files and
+ setup CA for each kuberenetes install?
+ So yeah, maybe I'll do it in the future.