update dirs

mkdocs/docs/index.md

@@ -26,13 +26,17 @@ Nothing.
  It made sense if I blended "Ruskonator" (an old nickname) with Input/Output (IO).
  The same goes for "rskntroot", it's a mix of that same nickname and "root".
 
-## Coding
+## Code
 
-Currently, this is an unorganized list of things I have spent many of what corporate America refers to as "cycles" on.
+Some code that I have spent many of what corporate America refers to as "cycles" on.
+
+## Notes
+
+References to information that I have found myself revisiting.
 
 ## Projects
 
-Currently, the same as "coding".
+An unorganized list of guides and project ideas that I have taken the time to document.
 
 ## Storage
 

mkdocs/docs/projects/network.md

@@ -89,20 +89,23 @@ Welcome to my recommended HomeLab network setup! Here’s a breakdown of the key
 ### Cameras
 
 **Unifi [G5 Bullet](https://techspecs.ui.com/unifi/cameras-nvrs/uvc-g5-bullet)**
+
 - 4MP resolution, HDR, AI motion detection.
 
 ---
 
 ## Network Attached Storage
 
-#### 6-Bay NAS
+=== "6-Bay NAS"
 
     **UGREEN [DXP6800 PRO](https://www.ugreen.com/collections/nas-storage/products/ugreen-nasync-dxp6800-pro-nas-storage)**
+
     - See [Personal NAS](../storage/personal_nas.md) for setup details.
 
-#### 8-Bay NAS
+=== "8-Bay NAS"
 
     **UGREEN [DXP9800 PRO](https://www.ugreen.com/collections/nas-storage/products/ugreen-nasync-dxp8800-plus-nas-storage)**
+
     - See [Enterprise NAS](../storage/soho_nas.md) for more details.
 
 ---

mkdocs/docs/projects/step_ca.md

@@ -4,8 +4,18 @@ An internal CA and ACME Provider.
 
 ## Brief
 
+Guide to setup a internal Certificate Authority and ACME Provider
+ for issuing trusted TLS certs for internal sites.
+ This is useful for both traefik certificateResolver or kubernetes ClusterIssuer.
  Step can do more, but lets configure the basics.
 
+- by `rskntroot` on `2025-06-18`
+
+## Assumptions
+
+- An Internal DNS server is configured and accessible.
+- Debian is your choice for the ACME/CA server install.
+
 ## Install
 
 ``` bash
@@ -28,36 +38,76 @@ apt-get update && apt-get -y install step-cli step-ca
 echo 'some-password' > secret
 ```
 
-=== Config
+=== "Config"
 
     ``` bash
     step ca init \
     --deployment-type standalone \
     --name ${CA_NAME} \
     --dns=${CA_DNS_NAMES} \
-  --address 0.0.0.0:5001 \
+    --address "0.0.0.0:5001" \
     --provisioner ${CA_EMAIL} \
     --password-file ./secret
     ```
 
-=== Example
+=== "Example"
 
     ``` bash
     step ca init \
     --deployment-type standalone \
     --name rskio \
     --dns=rskio.com,rskntr.com \
-  --address 0.0.0.0:5001 \
+    --address "0.0.0.0:5001" \
     --provisioner dev@rskio.com \
     --password-file ./secret
     ```
 
 ``` bash
 step ca provisioner add dev --type ACME
+mv secret /root/.step/config/.
 ```
 
 ## Service
 
+``` bash
+vi /root/.step/step.service
+```
+
+paste the following and save with `[ESC] [:] [x] [ENTER]`
+
+``` toml
+[Unit]
+Description=Step CA & ACME Provider
+After=network-online.target
+Requires=network-online.target
+
+[Service]
+Type=simple
+RemainAfterExit=yes
+ExecStart=/usr/bin/step-ca /root/.step/config/ca.json --password-file /root/.step/config/secret
+User=root
+
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target
+```
+
+``` bash
+ln -s /root/.step/step.service /etc/systemd/system/.
+systemctl daemon-reload
+systemctl enable --now step.service
+systemctl status step.service
+```
+
+``` bash
+ss -pnlt | grep 5001
+curl -k https://localhost:5001/acme/dev/directory
+```
+
+you should see your service logs showing it is listening on port `:5001` and see the contents of the webpage from `curl`
+
 ## Certificates
 
 ### Trust
@@ -67,7 +117,9 @@ cat ~/.step/certs/root_ca.crt
 cat ~/.step/certs/intermediate_ca.crt
 ```
 
-save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing
+save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing.
+
+you should now be able to browse to your sites without warning
 
 ### ClusterIssuer
 
@@ -75,7 +127,7 @@ save and install the files into the trusted certificates on your endpoint and en
 cat .step/certs/root_ca.crt | base64 -w0
 ```
 
-use output in the spec.
+use above output under `spec.acme.caBundle`
 
 ``` yaml
 apiVersion: cert-manager.io/v1
@@ -95,3 +147,13 @@ spec:
           ingress:
             class: traefik
 ```
+
+## FAQs
+
+> Why didnt you containerize this?
+
+Because I have multiple kubernetes clusters.
+ Running this on a separate machine means that I don't have to install a `rootCA.pem` for each cluster instance.
+ You might say "yeah, but you can specify the rootCA as an input to step CA"--but who wants to key files and
+ setup CA for each kuberenetes install?
+ So yeah, maybe I'll do it in the future.