update dirs

mkdocs/docs/projects/linux.md

@@ -1,150 +0,0 @@
-# Linux Setup
-
-## Brief
-
-some setup guides
-
-- by `rskntroot` on `2025-02-20`
-
-## Preferences
-
-### SSH
-
-- see [K4YT3X's Hardened OpenSSH Server Configuration](https://github.com/k4yt3x/sshd_config)
-
-``` bash
-sudo -i
-```
-
-``` bash
-cd /etc/ssh/
-mv sshd_config sshd_config.backup
-curl https://raw.githubusercontent.com/k4yt3x/sshd_config/master/sshd_config -o ./sshd_config
-chmod 644 /etc/ssh/sshd_config
-cat <<%% >> /etc/ssh/sshd_config
-# Enable Public Key Auth
-PubkeyAuthentication yes
-AuthorizedKeysFile .ssh/authorized_keys
-%%
-systemctl restart ssh
-exit
-```
-
-### Auth
-
-=== "Existing Key"
-
-    ``` bash
-    key="ecdsa-sha2-nistp256 ASASDASDFsomekey user@whatever"
-    ```
-
-    ``` bash
-    mkdir -p ~/.ssh && echo ${key} >> ~/.ssh/authorized_keys
-    ```
-
-=== "New Key"
-
-    ``` bash
-    ssh-keygen -t ecdsa
-    cat id_ecdsa.pub >> ~/.ssh/authorized_keys
-    ```
-
-### Docker
-
-- see [https://docs.docker.com/engine/install/ubuntu/](https://docs.docker.com/engine/install/ubuntu/)
-
-``` bash
-curl -fsSL https://get.docker.com -o get-docker.sh
-sudo sh ./get-docker.sh
-sudo systemctl enable --now docker
-rm -f ./get-docker.sh
-sudo usermod -a -G docker $(whoami)
-docker ps
-```
-
-- see [https://docs.docker.com/config/completion/](https://docs.docker.com/config/completion/)
-
-=== "Debian"
-
-    ``` bash
-    sudo apt install bash-completion -y
-    ```
-
-=== "Fedora"
-
-    ``` bash
-    sudo dnf install bash-completion -y
-    ```
-
-``` bash
-cat <<%% >> ~/.bashrc
-if [ -f /etc/bash_completion ]; then
-    . /etc/bash_completion
-fi
-%%
-mkdir -p ~/.local/share/bash-completion/completions
-docker completion bash > ~/.local/share/bash-completion/completions/docker
-source ~/.bashrc
-```
-
-### Tools
-
-=== "Debian"
-
-    ``` bash
-    sudo apt install -y \
-      curl \
-      htop \
-      iputils-ping \
-      jq \
-      tcpdump \
-      traceroute \
-      vim
-    ```
-
-=== "Fedora"
-
-    ``` bash
-    sudo dnf install -y \
-      htop \
-      sensors
-    ```
-
-### Shortcuts
-
-#### fastfetch
-
-- see [fastfetch](https://github.com/fastfetch-cli/fastfetch) for more info
-
-=== "Debian"
-
-    ``` bash
-    url="https://github.com/fastfetch-cli/fastfetch/releases/download/2.45.0/fastfetch-linux-aarch64.deb"
-    ```
-
-    ``` bash
-    mkdir -p ~/downloads/ && cd ~/downloads
-    curl -fsSLO ${url} -o fastfetch-installer
-    sudo dpkg -i ./fastfetch-installer
-    ```
-
-=== "Fedora"
-
-    ``` bash
-    url="https://github.com/fastfetch-cli/fastfetch/releases/download/2.45.0/fastfetch-linux-amd64.rpm"
-    ```
-
-    ``` bash
-    mkdir -p ~/downloads/ && cd ~/downloads
-    curl -fsSLO ${url} -o fastfetch-installer
-    sudo dnf install ./fastfetch-installer
-    ```
-
-``` bash
-cat <<%% >> ~/.bashrc
-# RSKIO
-alias ff="fastfetch"
-alias q="exit"
-%%
-source ~/.bashrc
-```

mkdocs/docs/projects/network.md

@@ -89,20 +89,23 @@ Welcome to my recommended HomeLab network setup! Here’s a breakdown of the key
 ### Cameras
 
 **Unifi [G5 Bullet](https://techspecs.ui.com/unifi/cameras-nvrs/uvc-g5-bullet)**
+
 - 4MP resolution, HDR, AI motion detection.
 
 ---
 
 ## Network Attached Storage
 
-#### 6-Bay NAS
+=== "6-Bay NAS"
 
     **UGREEN [DXP6800 PRO](https://www.ugreen.com/collections/nas-storage/products/ugreen-nasync-dxp6800-pro-nas-storage)**
+
     - See [Personal NAS](../storage/personal_nas.md) for setup details.
 
-#### 8-Bay NAS
+=== "8-Bay NAS"
 
     **UGREEN [DXP9800 PRO](https://www.ugreen.com/collections/nas-storage/products/ugreen-nasync-dxp8800-plus-nas-storage)**
+
     - See [Enterprise NAS](../storage/soho_nas.md) for more details.
 
 ---

mkdocs/docs/projects/step_ca.md

@@ -4,7 +4,17 @@ An internal CA and ACME Provider.
 
 ## Brief
 
-Step can do more, but lets configure the basics.
+Guide to setup a internal Certificate Authority and ACME Provider
+ for issuing trusted TLS certs for internal sites.
+ This is useful for both traefik certificateResolver or kubernetes ClusterIssuer.
+ Step can do more, but lets configure the basics.
+
+- by `rskntroot` on `2025-06-18`
+
+## Assumptions
+
+- An Internal DNS server is configured and accessible.
+- Debian is your choice for the ACME/CA server install.
 
 ## Install
 
@@ -28,36 +38,76 @@ apt-get update && apt-get -y install step-cli step-ca
 echo 'some-password' > secret
 ```
 
-=== Config
+=== "Config"
 
-  ``` bash
-  step ca init \
-  --deployment-type standalone \
-  --name ${CA_NAME} \
-  --dns=${CA_DNS_NAMES} \
-  --address 0.0.0.0:5001 \
-  --provisioner ${CA_EMAIL} \
-  --password-file ./secret
-  ```
+    ``` bash
+    step ca init \
+    --deployment-type standalone \
+    --name ${CA_NAME} \
+    --dns=${CA_DNS_NAMES} \
+    --address "0.0.0.0:5001" \
+    --provisioner ${CA_EMAIL} \
+    --password-file ./secret
+    ```
 
-=== Example
+=== "Example"
 
-  ``` bash
-  step ca init \
-  --deployment-type standalone \
-  --name rskio \
-  --dns=rskio.com,rskntr.com \
-  --address 0.0.0.0:5001 \
-  --provisioner dev@rskio.com \
-  --password-file ./secret
-  ```
+    ``` bash
+    step ca init \
+    --deployment-type standalone \
+    --name rskio \
+    --dns=rskio.com,rskntr.com \
+    --address "0.0.0.0:5001" \
+    --provisioner dev@rskio.com \
+    --password-file ./secret
+    ```
 
 ``` bash
 step ca provisioner add dev --type ACME
+mv secret /root/.step/config/.
 ```
 
 ## Service
 
+``` bash
+vi /root/.step/step.service
+```
+
+paste the following and save with `[ESC] [:] [x] [ENTER]`
+
+``` toml
+[Unit]
+Description=Step CA & ACME Provider
+After=network-online.target
+Requires=network-online.target
+
+[Service]
+Type=simple
+RemainAfterExit=yes
+ExecStart=/usr/bin/step-ca /root/.step/config/ca.json --password-file /root/.step/config/secret
+User=root
+
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target
+```
+
+``` bash
+ln -s /root/.step/step.service /etc/systemd/system/.
+systemctl daemon-reload
+systemctl enable --now step.service
+systemctl status step.service
+```
+
+``` bash
+ss -pnlt | grep 5001
+curl -k https://localhost:5001/acme/dev/directory
+```
+
+you should see your service logs showing it is listening on port `:5001` and see the contents of the webpage from `curl`
+
 ## Certificates
 
 ### Trust
@@ -67,7 +117,9 @@ cat ~/.step/certs/root_ca.crt
 cat ~/.step/certs/intermediate_ca.crt
 ```
 
-save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing
+save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing.
+
+you should now be able to browse to your sites without warning
 
 ### ClusterIssuer
 
@@ -75,7 +127,7 @@ save and install the files into the trusted certificates on your endpoint and en
 cat .step/certs/root_ca.crt | base64 -w0
 ```
 
-use output in the spec.
+use above output under `spec.acme.caBundle`
 
 ``` yaml
 apiVersion: cert-manager.io/v1
@@ -95,3 +147,13 @@ spec:
           ingress:
             class: traefik
 ```
+
+## FAQs
+
+> Why didnt you containerize this?
+
+Because I have multiple kubernetes clusters.
+ Running this on a separate machine means that I don't have to install a `rootCA.pem` for each cluster instance.
+ You might say "yeah, but you can specify the rootCA as an input to step CA"--but who wants to key files and
+ setup CA for each kuberenetes install?
+ So yeah, maybe I'll do it in the future.