update: i guessed things and it worked out fine. now i can talk about it.
first i had a very elaborate ansible playbook that would generate a key and csr on the vpn server,
then fetch, sign with the local ca, and upload the cert.
it got replaced by generating the key/cert locally and uploading it; it's far fewer steps, and knowing that the ca host also has root on other servers it's not really problematic. (further automation was considered and abandoned later)
@CobaltVelvet (pointing back towards my earlier recommendation: Vault's CA can be used directly with OpenVPN, i.e. clients get their certificates with Vault instead of easy-pki or Ansible, plus Vault has a variety of authentication backends available; e.g. you could hand out certificates for certain servers or services based on GitHub groups, or LDAP logins etc. it's tremendously helpful and trivial to use, honestly)
@moritzheiber well it looks really good and i'll definitely consider it if and when i'll get the time and motivation to fix all of that, hopefully it'll happen in the next year
@CobaltVelvet lmk if you want any help, it’s literally what I do on a daily basis :)
@CobaltVelvet currently most of it is Keycloak, Vault and containers.. it’s a very potent combination
@moritzheiber @CobaltVelvet if it can help I have a repo where I was playing around with vault's pki and bootstrapping vault with an external ca too, it's here: https://github.com/caligin/nomad-playground/
Makefile around +54 generates the "external" ca, then playbook.yml around +65 sets up a root ca inside vault
@caligin @CobaltVelvet hint: Terraform has an excellent certificate provider: https://www.terraform.io/docs/providers/tls/index.html
No more Makefile foo.
@moritzheiber @CobaltVelvet ohhhh nice!
update 2: apparently it still uses the first method *after* the second.
okay i have no idea. i'd look at that file's history but... meh. not sure i'd get much information.