From 526683319bc715ada64b78668aff26c23cf78049 Mon Sep 17 00:00:00 2001 From: rskntroot Date: Fri, 20 Jun 2025 00:52:46 +0000 Subject: [PATCH] update dirs --- mkdocs/docs/{coding => code}/oxpasta.md | 0 mkdocs/docs/{coding => code}/r53-ddns.md | 0 mkdocs/docs/index.md | 10 ++- mkdocs/docs/{projects => notes}/linux.md | 0 mkdocs/docs/projects/network.md | 7 +- mkdocs/docs/projects/step_ca.md | 108 ++++++++++++++++++----- 6 files changed, 97 insertions(+), 28 deletions(-) rename mkdocs/docs/{coding => code}/oxpasta.md (100%) rename mkdocs/docs/{coding => code}/r53-ddns.md (100%) rename mkdocs/docs/{projects => notes}/linux.md (100%) diff --git a/mkdocs/docs/coding/oxpasta.md b/mkdocs/docs/code/oxpasta.md similarity index 100% rename from mkdocs/docs/coding/oxpasta.md rename to mkdocs/docs/code/oxpasta.md diff --git a/mkdocs/docs/coding/r53-ddns.md b/mkdocs/docs/code/r53-ddns.md similarity index 100% rename from mkdocs/docs/coding/r53-ddns.md rename to mkdocs/docs/code/r53-ddns.md diff --git a/mkdocs/docs/index.md b/mkdocs/docs/index.md index 4bb5ced..38a5e44 100644 --- a/mkdocs/docs/index.md +++ b/mkdocs/docs/index.md @@ -26,13 +26,17 @@ Nothing. It made sense if I blended "Ruskonator" (an old nickname) with Input/Output (IO). The same goes for "rskntroot", it's a mix of that same nickname and "root". -## Coding +## Code -Currently, this is an unorganized list of things I have spent many of what corporate America refers to as "cycles" on. +Some code that I have spent many of what corporate America refers to as "cycles" on. + +## Notes + +References to information that I have found myself revisiting. ## Projects -Currently, the same as "coding". +An unorganized list of guides and project ideas that I have taken the time to document. ## Storage diff --git a/mkdocs/docs/projects/linux.md b/mkdocs/docs/notes/linux.md similarity index 100% rename from mkdocs/docs/projects/linux.md rename to mkdocs/docs/notes/linux.md 
diff --git a/mkdocs/docs/projects/network.md b/mkdocs/docs/projects/network.md index 5e7d8cf..6b9d922 100644 --- a/mkdocs/docs/projects/network.md +++ b/mkdocs/docs/projects/network.md @@ -89,20 +89,23 @@ Welcome to my recommended HomeLab network setup! Here’s a breakdown of the key ### Cameras **Unifi [G5 Bullet](https://techspecs.ui.com/unifi/cameras-nvrs/uvc-g5-bullet)** + - 4MP resolution, HDR, AI motion detection. --- ## Network Attached Storage -#### 6-Bay NAS +=== "6-Bay NAS" **UGREEN [DXP6800 PRO](https://www.ugreen.com/collections/nas-storage/products/ugreen-nasync-dxp6800-pro-nas-storage)** + - See [Personal NAS](../storage/personal_nas.md) for setup details. -#### 8-Bay NAS +=== "8-Bay NAS" **UGREEN [DXP9800 PRO](https://www.ugreen.com/collections/nas-storage/products/ugreen-nasync-dxp8800-plus-nas-storage)** + - See [Enterprise NAS](../storage/soho_nas.md) for more details. --- diff --git a/mkdocs/docs/projects/step_ca.md b/mkdocs/docs/projects/step_ca.md index 03a4585..5b27b89 100644 --- a/mkdocs/docs/projects/step_ca.md +++ b/mkdocs/docs/projects/step_ca.md @@ -4,7 +4,17 @@ An internal CA and ACME Provider. ## Brief -Step can do more, but lets configure the basics. +Guide to setup a internal Certificate Authority and ACME Provider + for issuing trusted TLS certs for internal sites. + This is useful for both traefik certificateResolver or kubernetes ClusterIssuer. + Step can do more, but lets configure the basics. + +- by `rskntroot` on `2025-06-18` + +## Assumptions + +- An Internal DNS server is configured and accessible. +- Debian is your choice for the ACME/CA server install. ## Install 
@@ -28,36 +38,76 @@ apt-get update && apt-get -y install step-cli step-ca echo 'some-password' > secret ``` -=== Config +=== "Config" - ``` bash - step ca init \ - --deployment-type standalone \ - --name ${CA_NAME} \ - --dns=${CA_DNS_NAMES} \ - --address 0.0.0.0:5001 \ - --provisioner ${CA_EMAIL} \ - --password-file ./secret - ``` + ``` bash + step ca init \ + --deployment-type standalone \ + --name ${CA_NAME} \ + --dns=${CA_DNS_NAMES} \ + --address "0.0.0.0:5001" \ + --provisioner ${CA_EMAIL} \ + --password-file ./secret + ``` -=== Example +=== "Example" - ``` bash - step ca init \ - --deployment-type standalone \ - --name rskio \ - --dns=rskio.com,rskntr.com \ - --address 0.0.0.0:5001 \ - --provisioner dev@rskio.com \ - --password-file ./secret - ``` + ``` bash + step ca init \ + --deployment-type standalone \ + --name rskio \ + --dns=rskio.com,rskntr.com \ + --address "0.0.0.0:5001" \ + --provisioner dev@rskio.com \ + --password-file ./secret + ``` ``` bash step ca provisioner add dev --type ACME +mv secret /root/.step/config/. ``` ## Service +``` bash +vi /root/.step/step.service +``` + +paste the following and save with `[ESC] [:] [x] [ENTER]` + +``` toml +[Unit] +Description=Step CA & ACME Provider +After=network-online.target +Requires=network-online.target + +[Service] +Type=simple +RemainAfterExit=yes +ExecStart=/usr/bin/step-ca /root/.step/config/ca.json --password-file /root/.step/config/secret +User=root + +Restart=always +RestartSec=60 + +[Install] +WantedBy=multi-user.target +``` + +``` bash +ln -s /root/.step/step.service /etc/systemd/system/. +systemctl daemon-reload +systemctl enable --now step.service +systemctl status step.service +``` + +``` bash +ss -pnlt | grep 5001 +curl -k https://localhost:5001/acme/dev/directory +``` + +you should see your service logs showing it is listening on port `:5001` and see the contents of the webpage from `curl` + ## Certificates ### Trust 
@@ -67,7 +117,9 @@ cat ~/.step/certs/root_ca.crt cat ~/.step/certs/intermediate_ca.crt ``` -save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing +save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing. + +you should now be able to browse to your sites without warning ### ClusterIssuer @@ -75,7 +127,7 @@ save and install the files into the trusted certificates on your endpoint and en cat .step/certs/root_ca.crt | base64 -w0 ``` -use output in the spec. +use above output under `spec.acme.caBundle` ``` yaml apiVersion: cert-manager.io/v1 @@ -95,3 +147,13 @@ spec: ingress: class: traefik ``` + +## FAQs + +> Why didnt you containerize this? + +Because I have multiple kubernetes clusters. + Running this on a separate machine means that I don't have to install a `rootCA.pem` for each cluster instance. + You might say "yeah, but you can specify the rootCA as an input to step CA"--but who wants to key files and + setup CA for each kuberenetes install? + So yeah, maybe I'll do it in the future.
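Review bot: the three renames (`coding/ -> code/` for oxpasta.md and r53-ddns.md, `projects/linux.md -> notes/linux.md`) are not accompanied by a nav or redirect update; the six files in the summary are all under `mkdocs/docs/`, and `mkdocs.yml` is not among them. If the nav lists these pages by path, or other pages link to `coding/` or `projects/linux.md`, the build will warn and the old URLs will 404; either update `mkdocs.yml` in this commit or confirm the nav is auto-generated.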
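Review bot: in the `network.md` hunk (`@@ -89,20 +89,23`) the `#### 6-Bay NAS` / `#### 8-Bay NAS` headings are replaced with `=== "6-Bay NAS"` / `=== "8-Bay NAS"` content tabs, but the `**UGREEN ...**` and `- See ...` lines beneath them are unchanged context, so they are not indented under the tab marker; a content tab only captures lines indented by four spaces, so as written both tabs render empty and the hardware lines fall outside them. Indent the body of each tab, as the `step_ca.md` hunk does for its `=== "Config"` and `=== "Example"` tabs. While touching these lines: the second entry is labelled `DXP9800 PRO` but its URL ends in `dxp8800-plus-nas-storage`, and the link text "Enterprise NAS" points at `soho_nas.md`; one of each pair looks wrong.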
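Review bot: in the `step_ca.md` Brief hunk (`@@ -4,7 +4,17`) "Guide to setup a internal Certificate Authority" should read "Guide to set up an internal Certificate Authority", and "lets configure" should be "let's configure". The continuation lines of that paragraph start with a leading space, which Markdown tolerates but which no other paragraph in the file uses; putting one sentence per line without the leading space keeps the diff readable. The new "Assumptions" list is a good addition; consider also stating that the ACME provisioner will only issue for names the internal DNS resolves to the requesting host, since that is what the DNS assumption is there for.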
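Review bot: in the Service hunk of `step_ca.md` (`@@ -28,36 +38,76`) the unit runs `step-ca` as `User=root` and reads the CA password from `/root/.step/config/secret`, which the earlier `echo 'some-password' > secret` creates with the default umask (typically 0644) before the new `mv secret /root/.step/config/.` line moves it; add `chmod 600 secret` before the `mv`, and prefer a dedicated unprivileged user for the service, since port `5001` needs no capability to bind. In the unit, `RemainAfterExit=yes` is meant for `Type=oneshot` and does nothing useful with `Type=simple` plus `Restart=always`; drop it. The smoke test `curl -k https://localhost:5001/acme/dev/directory` skips verification, so it does not confirm the CA is serving the chain you just created; `curl --cacert /root/.step/certs/root_ca.crt https://<one of the --dns names>:5001/acme/dev/directory` does (note that `localhost` is not among the `--dns` SANs, so the check has to use a configured name). Finally, `ln -s /root/.step/step.service /etc/systemd/system/.` leaves the only copy of the unit in root's home; copying it into `/etc/systemd/system/` is the conventional placement and avoids a unit that disappears if `/root/.step` is moved.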
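Review bot: in the Trust hunk (`@@ -67,7 +117,9`) the added line "you should now be able to browse to your sites without warning" is missing its terminal period, and the sentence above it still says "ssl signing", which is not what the endpoint is enabling; the trust store setting governs server authentication. It is also worth stating that only `root_ca.crt` needs to be installed on endpoints: the ACME server delivers the intermediate together with the leaf certificate, so `cat ~/.step/certs/intermediate_ca.crt` can be marked optional rather than presented as a required install step.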
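Review bot: in the ClusterIssuer hunk (`@@ -75,7 +127,7`) "use above output under `spec.acme.caBundle`" should read "use the output above as `spec.acme.caBundle`". The command it refers to, `cat .step/certs/root_ca.crt | base64 -w0`, uses a path relative to the current directory while the Trust section uses `~/.step/...`; `base64 -w0 ~/.step/certs/root_ca.crt` is consistent with the rest of the page and drops the unnecessary `cat`.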
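Review bot: in the FAQs hunk (`@@ -95,3 +147,13`) "Why didnt you containerize this?" needs the apostrophe ("didn't"), "kuberenetes" should be "kubernetes", and "who wants to key files and setup CA" appears to be missing a verb before "key files" and should read "set up". As in the Brief hunk, the continuation lines carry a leading space that the rest of the file does not use.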