Add first draft

.env

@@ -0,0 +1,2 @@
+BASE_DOMAIN=wagondime.duckdns.org
+DUCKDNS_TOKEN=foo

README.md

@@ -1,2 +1,90 @@
 # linuxfestnorthwest-talk-2024
 
+This repository contains the code behidn my talk, _TLS in the homelab: the easy way and the hard way_, from _LinuxFest Northwest 2024_. More details [here](https://ketanvijayvargiya.com/2-tls-in-the-homelab-the-easy-way-and-the-hard-way/).
+
+## Instructions
+
+### Setup
+
+First, find a box and a domain. I did the following for the talk but there are numerous alternatives:
+
+- A cheap VM from Hetzner.
+- A free domain, _wagondime.duckdns.org_, from [Duck DNS](https://www.duckdns.org/) and pointed its IP addresses to the VM.
+
+Second, install Docker and run `docker compose up -d`.
+
+### Step CA
+
+Once you spin up the Step CA container, run `docker compose logs step-ca` and you'll see 2 lines like these:
+
+```sh
+step-ca-1  | 👉 Your CA administrative password is: ...
+...
+step-ca-1  | 2024/04/07 01:13:51 X.509 Root Fingerprint: ...
+```
+
+Hang on to the admin password as I don't think you'll be able to access it later. You can also note down the root fingerprint or regenerate it later by running:
+
+```sh
+docker compose exec step-ca step certificate fingerprint certs/root_ca.crt
+```
+
+### Step CLI
+
+Once Step CA is ready, [setup the Step CLI](https://smallstep.com/docs/step-cli/) on some _client_ machine. (Just ensure that Step CA is accessible from whatever _client_ machine you pick. You could use Tailscale, for instance. For the talk, I reused the same Hetzner box as the _client_, whcih is why you'll see `localhost` in the next command.)
+
+Bootstrap the CLI:
+
+```sh
+step ca bootstrap \
+    --ca-url localhost:9000 \
+    --fingerprint=$CA_FINGERPRINT
+```
+
+### 'whoami-1': Free certificate from Let's Encrypt
+
+```sh
+curl https://whoami-1.wagondime.duckdns.org
+```
+
+### 'whoami-2': Custom certificate from Step CA
+
+First, get the root certificate on the _client_:
+
+```sh
+step ca root root_ca.crt
+```
+
+Then:
+
+```sh
+curl --cacert root_ca.crt https://whoami-2.wagondime.duckdns.org
+```
+
+### 'whoami-3': Custom certificate from Step CA, with mTLS
+
+
+First, get a client certificate on the _client_:
+
+```sh
+step ca certificate \
+    demo client.crt client.key \
+    --ca-url=localhost:9000 \
+    --provisioner='admin'
+```
+
+Optionally, if you want to import the client certificate into an iOS or macOS certificate store, convert the 2 files to _p12_ format:
+
+```sh
+step certificate p12 --legacy client.p12 client.crt client.key
+```
+
+The following should now work:
+
+```sh
+curl \
+	--cert client.crt \
+	--key client.key \
+	--cacert root_ca.crt \
+	https://whoami-3.wagondime.duckdns.org
+```

compose.yaml

@@ -0,0 +1,57 @@
+services:
+
+  traefik:
+    image: traefik:latest
+    restart: unless-stopped
+    environment:
+      - DUCKDNS_TOKEN=$DUCKDNS_TOKEN
+      - LEGO_CA_CERTIFICATES=/stepca-certs/root_ca.crt
+      - LEGO_CA_SYSTEM_CERT_POOL=true
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./config/traefik/config.yaml:/etc/traefik/traefik.yaml
+      - ./config/traefik/fileprovider:/opt/config/fileprovider
+      - /opt/traefik:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/lib/docker/volumes/linuxfestnorthwest-talk-2024_step-ca/_data/certs:/stepca-certs:ro
+    labels:
+      - traefik.enable=false
+
+  step-ca:
+    restart: unless-stopped
+    image: smallstep/step-ca
+    env_file:
+      - ./config/stepca.env
+    volumes:
+      - step-ca:/home/step
+    ports:
+      - 9000:9000
+    labels:
+      - traefik.enable=false
+
+  whoami:
+    image: traefik/whoami
+    restart: unless-stopped
+    labels:
+      - traefik.http.routers.whoami.rule=Host(`whoami-1.${BASE_DOMAIN}`)
+      - traefik.http.routers.whoami.tls.certresolver=webExternalResolver
+
+  whoami-custom-cert:
+    image: traefik/whoami
+    restart: unless-stopped
+    labels:
+      - traefik.http.routers.whoami-my-cert.rule=Host(`whoami-2.${BASE_DOMAIN}`)
+      - traefik.http.routers.whoami-my-cert.tls.certresolver=stepCaResolver
+
+  whoami-custom-cert-mtls:
+    image: traefik/whoami
+    restart: unless-stopped
+    labels:
+      - traefik.http.routers.whoami-custom-cert-mtls.rule=Host(`whoami-3.${BASE_DOMAIN}`)
+      - traefik.http.routers.whoami-custom-cert-mtls.tls.certresolver=stepCaResolver
+      - traefik.http.routers.whoami-custom-cert-mtls.tls.options=mtls@file
+
+volumes:
+  step-ca:

config/stepca.env

@@ -0,0 +1,6 @@
+# Following are only applied on setup time.
+DOCKER_STEPCA_INIT_NAME=LinuxFestNorthwestTalk
+DOCKER_STEPCA_INIT_ACME=true
+
+# These are just the addresses on which Step CA will respond. But the certificates it vends out can be used for any domain.
+DOCKER_STEPCA_INIT_DNS_NAMES=localhost,step-ca

config/traefik/config.yaml

@@ -0,0 +1,32 @@
+entryPoints:
+  web-external:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: ":443"
+  websecure-external:
+    address: ":443"
+
+log: {}
+accessLog: {}
+
+providers:
+  docker: {}
+  file:
+    directory: /opt/config/fileprovider
+
+certificatesResolvers:
+  webExternalResolver:
+    acme:
+      email: foo@bar.com
+      storage: /data/acme.json
+      dnsChallenge:
+        provider: duckdns
+
+  stepCaResolver:
+    acme:
+      caServer: https://step-ca:9000/acme/acme/directory
+      email: foo@bar.com
+      storage: /data/step-ca-resolver.json
+      tlsChallenge: {}

config/traefik/fileprovider/tls-opts.yaml

@@ -0,0 +1,7 @@
+tls:
+  options:
+    mtls:
+      clientAuth:
+        caFiles:
+          - /stepca-certs/root_ca.crt
+        clientAuthType: RequireAndVerifyClientCert