Add first draft
This commit is contained in:
parent
e1b5a18339
commit
b581cf2b48
88
README.md
88
README.md
|
@ -1,2 +1,90 @@
|
|||
# linuxfestnorthwest-talk-2024
|
||||
|
||||
This repository contains the code behidn my talk, _TLS in the homelab: the easy way and the hard way_, from _LinuxFest Northwest 2024_. More details [here](https://ketanvijayvargiya.com/2-tls-in-the-homelab-the-easy-way-and-the-hard-way/).
|
||||
|
||||
## Instructions
|
||||
|
||||
### Setup
|
||||
|
||||
First, find a box and a domain. I did the following for the talk but there are numerous alternatives:
|
||||
|
||||
- A cheap VM from Hetzner.
|
||||
- A free domain, _wagondime.duckdns.org_, from [Duck DNS](https://www.duckdns.org/) and pointed its IP addresses to the VM.
|
||||
|
||||
Second, install Docker and run `docker compose up -d`.
|
||||
|
||||
### Step CA
|
||||
|
||||
Once you spin up the Step CA container, run `docker compose logs step-ca` and you'll see 2 lines like these:
|
||||
|
||||
```sh
|
||||
step-ca-1 | 👉 Your CA administrative password is: ...
|
||||
...
|
||||
step-ca-1 | 2024/04/07 01:13:51 X.509 Root Fingerprint: ...
|
||||
```
|
||||
|
||||
Hang on to the admin password as I don't think you'll be able to access it later. You can also note down the root fingerprint or regenerate it later by running:
|
||||
|
||||
```sh
|
||||
docker compose exec step-ca step certificate fingerprint certs/root_ca.crt
|
||||
```
|
||||
|
||||
### Step CLI
|
||||
|
||||
Once Step CA is ready, [setup the Step CLI](https://smallstep.com/docs/step-cli/) on some _client_ machine. (Just ensure that Step CA is accessible from whatever _client_ machine you pick. You could use Tailscale, for instance. For the talk, I reused the same Hetzner box as the _client_, whcih is why you'll see `localhost` in the next command.)
|
||||
|
||||
Bootstrap the CLI:
|
||||
|
||||
```sh
|
||||
step ca bootstrap \
|
||||
--ca-url localhost:9000 \
|
||||
--fingerprint=$CA_FINGERPRINT
|
||||
```
|
||||
|
||||
### 'whoami-1': Free certificate from Let's Encrypt
|
||||
|
||||
```sh
|
||||
curl https://whoami-1.wagondime.duckdns.org
|
||||
```
|
||||
|
||||
### 'whoami-2': Custom certificate from Step CA
|
||||
|
||||
First, get the root certificate on the _client_:
|
||||
|
||||
```sh
|
||||
step ca root root_ca.crt
|
||||
```
|
||||
|
||||
Then:
|
||||
|
||||
```sh
|
||||
curl --cacert root_ca.crt https://whoami-2.wagondime.duckdns.org
|
||||
```
|
||||
|
||||
### 'whoami-3': Custom certificate from Step CA, with mTLS
|
||||
|
||||
|
||||
First, get a client certificate on the _client_:
|
||||
|
||||
```sh
|
||||
step ca certificate \
|
||||
demo client.crt client.key \
|
||||
--ca-url=localhost:9000 \
|
||||
--provisioner='admin'
|
||||
```
|
||||
|
||||
Optionally, if you want to import the client certificate into an iOS or macOS certificate store, convert the 2 files to _p12_ format:
|
||||
|
||||
```sh
|
||||
step certificate p12 --legacy client.p12 client.crt client.key
|
||||
```
|
||||
|
||||
The following should now work:
|
||||
|
||||
```sh
|
||||
curl \
|
||||
--cert client.crt \
|
||||
--key client.key \
|
||||
--cacert root_ca.crt \
|
||||
https://whoami-3.wagondime.duckdns.org
|
||||
```
|
||||
|
|
57
compose.yaml
Normal file
57
compose.yaml
Normal file
|
@ -0,0 +1,57 @@
|
|||
services:
|
||||
|
||||
traefik:
|
||||
image: traefik:latest
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- DUCKDNS_TOKEN=$DUCKDNS_TOKEN
|
||||
- LEGO_CA_CERTIFICATES=/stepca-certs/root_ca.crt
|
||||
- LEGO_CA_SYSTEM_CERT_POOL=true
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
volumes:
|
||||
- ./config/traefik/config.yaml:/etc/traefik/traefik.yaml
|
||||
- ./config/traefik/fileprovider:/opt/config/fileprovider
|
||||
- /opt/traefik:/data
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- /var/lib/docker/volumes/linuxfestnorthwest-talk-2024_step-ca/_data/certs:/stepca-certs:ro
|
||||
labels:
|
||||
- traefik.enable=false
|
||||
|
||||
step-ca:
|
||||
restart: unless-stopped
|
||||
image: smallstep/step-ca
|
||||
env_file:
|
||||
- ./config/stepca.env
|
||||
volumes:
|
||||
- step-ca:/home/step
|
||||
ports:
|
||||
- 9000:9000
|
||||
labels:
|
||||
- traefik.enable=false
|
||||
|
||||
whoami:
|
||||
image: traefik/whoami
|
||||
restart: unless-stopped
|
||||
labels:
|
||||
- traefik.http.routers.whoami.rule=Host(`whoami-1.${BASE_DOMAIN}`)
|
||||
- traefik.http.routers.whoami.tls.certresolver=webExternalResolver
|
||||
|
||||
whoami-custom-cert:
|
||||
image: traefik/whoami
|
||||
restart: unless-stopped
|
||||
labels:
|
||||
- traefik.http.routers.whoami-my-cert.rule=Host(`whoami-2.${BASE_DOMAIN}`)
|
||||
- traefik.http.routers.whoami-my-cert.tls.certresolver=stepCaResolver
|
||||
|
||||
whoami-custom-cert-mtls:
|
||||
image: traefik/whoami
|
||||
restart: unless-stopped
|
||||
labels:
|
||||
- traefik.http.routers.whoami-custom-cert-mtls.rule=Host(`whoami-3.${BASE_DOMAIN}`)
|
||||
- traefik.http.routers.whoami-custom-cert-mtls.tls.certresolver=stepCaResolver
|
||||
- traefik.http.routers.whoami-custom-cert-mtls.tls.options=mtls@file
|
||||
|
||||
volumes:
|
||||
step-ca:
|
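Review bot: `step-ca` publishes `9000:9000` on every host interface, so the CA's ACME and admin endpoints are reachable from the internet on the Hetzner box, while the only consumers shown are Traefik (via the compose network name in `caServer: https://step-ca:9000/...`) and the CLI on the same host (`--ca-url localhost:9000` in the README); binding it as `- "127.0.0.1:9000:9000"` keeps both working and keeps the CA off the public interface. The Traefik volume `/var/lib/docker/volumes/linuxfestnorthwest-talk-2024_step-ca/_data/certs` hard-codes the compose project name and the host's Docker data root, so a different directory name, a `-p` flag or a non-default data root silently leaves `LEGO_CA_CERTIFICATES` pointing at a missing file; mounting the named volume read-only into Traefik instead (`- step-ca:/stepca:ro` with `LEGO_CA_CERTIFICATES=/stepca/certs/root_ca.crt`) removes that coupling. `traefik:latest` and the untagged `smallstep/step-ca` float between runs, so pinning tags (or digests) makes the deployment reproducible. The `/var/run/docker.sock` mount, even with `:ro`, still hands Traefik the full Docker API, which is root-equivalent on the host; a socket proxy that exposes only the read endpoints Traefik needs is the usual mitigation.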
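--- a/config/stepca.env
+++ b/config/stepca.env
@@ -0,0 +1,6 @@
+# Following are only applied on setup time.
+DOCKER_STEPCA_INIT_NAME=LinuxFestNorthwestTalk
+DOCKER_STEPCA_INIT_ACME=true
+
+# These are just the addresses on which Step CA will respond. But the certificates it vends out can be used for any domain.
+DOCKER_STEPCA_INIT_DNS_NAMES=localhost,step-ca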
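Review bot: The first comment undersells how sticky these values are: as far as I know the `DOCKER_STEPCA_INIT_*` variables are read only when the `step-ca` volume has not been initialised yet, so editing this file later has no effect until that volume is recreated; `# Read only on the first start with an uninitialised step-ca volume; later edits require re-initialising the CA.` says that. It is also worth recording here that `DOCKER_STEPCA_INIT_ACME=true` is what `config/traefik/config.yaml` depends on for its `/acme/acme/directory` URL — the provisioner name in that path appears to be the one this init creates, so renaming either side has to be done together. Nothing in this file is a secret, which is why committing it is fine; the generated admin password is printed to the container logs instead (as the README shows), so retention of those logs deserves a thought.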
32
config/traefik/config.yaml
Normal file
32
config/traefik/config.yaml
Normal file
|
@ -0,0 +1,32 @@
|
|||
entryPoints:
|
||||
web-external:
|
||||
address: ":80"
|
||||
http:
|
||||
redirections:
|
||||
entryPoint:
|
||||
to: ":443"
|
||||
websecure-external:
|
||||
address: ":443"
|
||||
|
||||
log: {}
|
||||
accessLog: {}
|
||||
|
||||
providers:
|
||||
docker: {}
|
||||
file:
|
||||
directory: /opt/config/fileprovider
|
||||
|
||||
certificatesResolvers:
|
||||
webExternalResolver:
|
||||
acme:
|
||||
email: foo@bar.com
|
||||
storage: /data/acme.json
|
||||
dnsChallenge:
|
||||
provider: duckdns
|
||||
|
||||
stepCaResolver:
|
||||
acme:
|
||||
caServer: https://step-ca:9000/acme/acme/directory
|
||||
email: foo@bar.com
|
||||
storage: /data/step-ca-resolver.json
|
||||
tlsChallenge: {}
|
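Review bot: `providers.docker: {}` leaves `exposedByDefault` at its default of `true`, which is why `traefik` and `step-ca` need `traefik.enable=false` in `compose.yaml` and why any other container that later appears on this host gets a router automatically; setting `docker:` / `  exposedByDefault: false` and adding `traefik.enable=true` to the three whoami services turns that into an opt-in, which is the safer default on a box with a public IP. `email: foo@bar.com` is a placeholder in both resolvers; Let's Encrypt uses it for expiry and incident notices, so `webExternalResolver` at least should carry a real mailbox. A short comment above `stepCaResolver` noting that its `caServer` is trusted only because `compose.yaml` points `LEGO_CA_CERTIFICATES` at the Step root would save the next reader a cross-file hunt.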
7
config/traefik/fileprovider/tls-opts.yaml
Normal file
7
config/traefik/fileprovider/tls-opts.yaml
Normal file
|
@ -0,0 +1,7 @@
|
|||
tls:
|
||||
options:
|
||||
mtls:
|
||||
clientAuth:
|
||||
caFiles:
|
||||
- /stepca-certs/root_ca.crt
|
||||
clientAuthType: RequireAndVerifyClientCert
|
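Review bot: `caFiles` trusts the Step root as a whole, so any leaf that chains to it is accepted as a client — not only the `admin`-provisioner certificate the README issues, but potentially anything the ACME provisioner hands out to a host that can complete a challenge against the published port 9000, provided the CA stamps those leaves with the clientAuth EKU (worth checking with `step certificate inspect` on a whoami-2 certificate). If that is not the intended trust boundary, issuing client certificates from a dedicated provisioner or intermediate and listing only that intermediate here narrows it. A one-line comment above `mtls:` such as `# Referenced by routers via tls.options=mtls@file; clients must present a cert chaining to the Step root` would also help readers place this file, since the routers that use it live in compose.yaml.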