Diffstat (limited to 'volumes')
-rw-r--r-- | volumes/proxy/traefik.toml | 24 | ||||
-rw-r--r-- | volumes/root-ca/.gitignore | 5 | ||||
-rw-r--r-- | volumes/root-ca/readme.md | 10 |
3 files changed, 39 insertions, 0 deletions
diff --git a/volumes/proxy/traefik.toml b/volumes/proxy/traefik.toml
new file mode 100644
index 0000000..6d3acb6
--- /dev/null
+++ b/volumes/proxy/traefik.toml
@@ -0,0 +1,24 @@
+[entryPoints]
+ [entryPoints.web]
+ address = ":80"
+ [entryPoints.web.http.redirections.entryPoint]
+ to = "websecure"
+ scheme = "https"
+ [entryPoints.websecure]
+ address = ":443"
+
+[api]
+ dashboard = true
+
+[certificatesResolvers.smallstep.acme]
+ caServer = "https://root-ca" # acme-staging-v02.api.letsencrypt.org/directory"
+ storage = "acme.json"
+ [certificatesResolvers.smallstep.acme.httpChallenge]
+ entryPoint = "web"
+
+[providers.docker]
+ watch = true
+ network = "fediverse"
+
+[providers.file]
+ filename = "traefik_dynamic.toml"
diff --git a/volumes/root-ca/.gitignore b/volumes/root-ca/.gitignore
new file mode 100644
index 0000000..0b61f0b
--- /dev/null
+++ b/volumes/root-ca/.gitignore
@@ -0,0 +1,5 @@
+# Ignore everything in this dir, except this file
+# This dir will contain secrets that you will need to trust on your
+*
+!.gitignore
+!readme.md
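Review bot: `[providers.docker]` does not set `exposedByDefault = false`, so every container Traefik can reach through the Docker socket gets a router and is published on the `web`/`websecure` entry points unless it opts out with a label; for a proxy that also fronts a local CA, requiring containers to opt in with `traefik.enable=true` is the safer default, so add `exposedByDefault = false` under `[providers.docker]`. `storage = "acme.json"` is a relative path that resolves against the container's working directory, and that file holds the ACME account key and every issued private key, so consider an absolute path on a mounted volume and keep it mode 0600. The trailing comment on `caServer` is a leftover with an unbalanced quote (`# acme-staging-v02.api.letsencrypt.org/directory"`); either drop it or restate it as `# public alternative: https://acme-staging-v02.api.letsencrypt.org/directory`. Whether the smallstep ACME endpoint is really served at the bare host `https://root-ca` with no directory path cannot be told from this file — confirm against the CA's provisioner configuration before relying on it.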
\ No newline at end of file
diff --git a/volumes/root-ca/readme.md b/volumes/root-ca/readme.md
new file mode 100644
index 0000000..8908bd4
--- /dev/null
+++ b/volumes/root-ca/readme.md
@@ -0,0 +1,10 @@
+# Warning
+
+> [!WARNING]
+> After setup, this directory will contain secrets that should never be shared with anyone. Doing so could put your computer at risk.
+
+In order to permit most fedi software to talk to each other with minimal modifications, they need to do it over HTTPS. Which means they all need to have SSL certificates, which all need to be issued by a certificate authority, which they need to trust. That likely includes Letterbook, or any other fediverse application that you're developing on your host machine. Which means you need to trust it as well.
+
+When you use this project, you're going to create a root certificate authority, so that you can issue those certificates. Most of that happens automatically, and you don't need to be *too* concerned with how it works. But, in order to make full use of it, you will probably have to add that CA as a trusted root certificate authority on your own machine.
+
+After you've set up the project, this directory will contain the private signing key for that CA, along with a variety of other secrets and configuration data. **Never reveal this data to anyone!** If the signing key of the local root CA you're about to create is ever compromised, it could be used to perform invisible man-in-the-middle attacks against any computer that trusts it. Which likely includes the computer you're using to read this right now.
\ No newline at end of file |