/laboratoritator

Set up your organization's internal services with a local CA.


Laboratoritator


Table of Contents
  1. About The Project
  2. Getting Started
  3. Roadmap
  4. Contributing
  5. License
  6. Contact

About The Project

For various reasons, many development teams do not trust cloud providers and want to host their own in-house services. Laboratoritator is a series of docker-compose files and an instructional guide on how to set up your organization's services in an internal network.


Getting Started

Prerequisites

Install the following on your host.

Install Step CA

  1. Create StepCA's directory and change its ownership so that Docker can write to it.
$ cd $HOME
$ mkdir stepca
$ chown 1000:1000 stepca
  2. Initialize and configure StepCA. Make sure that you save your password and the new CA's fingerprint.
$ docker run -p 8443:8443 -it -v `pwd`/stepca:/home/step smallstep/step-ca:0.18.1 step ca init
> Standalone
> MoxthosCA
> 0.0.0.0,ca.moxthos.art
> :8443
> admin@moxthos.art
> ********
...
✔ Root fingerprint: ******************************************************
...
  3. Save your password inside the container and run the compose file.
$ docker run -p 8443:8443 -it -v `pwd`/stepca:/home/step smallstep/step-ca:0.18.1 sh
(inside container) $ echo -n '**********' > /home/step/secrets/password
(inside container) $ exit
$ docker compose -f stepca.docker-compose.yml up -d
  4. Do not forget to change the default max lifetime for TLS certificates.
  • Open ~/stepca/config/ca.json and configure claims inside the authority or the provisioner object.
"claims": {
    "maxTLSCertDuration": "2160h",
    "defaultTLSCertDuration": "24h"
}
  • Restart the container to apply the changes.
  5. Install the root certificates in your host using step.
$ step ca bootstrap --ca-url https://ca.moxthos.art:8443 --fingerprint ************ --install
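
An added example, not part of the project: a small Go check (Go because the claims use Go duration strings) that resolves the effective maxTLSCertDuration from ca.json and compares a requested --not-after lifetime against it before a certificate is requested. The sample config and the name checkNotAfter are constructed for illustration; the code assumes a provisioner claim overrides the authority claim and that step-ca's built-in maximum of 24h applies when neither is set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample of ~/stepca/config/ca.json, reduced to the fields read below.
const sampleCA = `{"authority": {"claims": {"maxTLSCertDuration": "2160h"},
  "provisioners": [{"type": "JWK", "name": "admin@moxthos.art"}]}}`

type claims struct{ Max string `json:"maxTLSCertDuration"` }

// checkNotAfter (hypothetical helper) rejects a relative lifetime above the effective claim.
func checkNotAfter(raw, provisioner, notAfter string) error {
	var cfg struct {
		Authority struct {
			Claims       claims
			Provisioners []struct {
				Name   string
				Claims claims
			}
		}
	}
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return err
	}
	limit := "24h" // assumed built-in maximum when no claim is configured
	if m := cfg.Authority.Claims.Max; m != "" {
		limit = m
	}
	for _, p := range cfg.Authority.Provisioners {
		if p.Name == provisioner && p.Claims.Max != "" {
			limit = p.Claims.Max // provisioner claim takes precedence
		}
	}
	maxDur, err1 := time.ParseDuration(limit)
	req, err2 := time.ParseDuration(notAfter) // durations only, not RFC 3339 timestamps
	if err1 != nil || err2 != nil {
		return fmt.Errorf("bad duration: limit=%v request=%v", err1, err2)
	}
	if req > maxDur {
		return fmt.Errorf("--not-after %s exceeds maxTLSCertDuration %s", req, maxDur)
	}
	return nil
}

func main() { fmt.Println(checkNotAfter(sampleCA, "admin@moxthos.art", "2399h")) }
```

With the claims shown above, a 24h request passes this check and a 2399h request is reported as exceeding 2160h.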

Install Traefik

  1. Create the certs and traefik directories and change their ownership so that Docker can write to them.
$ mkdir certs traefik
$ chown 1000:1000 certs traefik
  2. Create a certificate/key for Traefik and save it inside certs.
$ step ca certificate --ca-url https://ca.moxthos.art:8443 traefik.moxthos.art certs/traefik.crt certs/traefik.key --not-after 2399h
  3. Copy the root certificate from StepCA's container to certs.
$ docker cp stepca:/home/step/certs/root_ca.crt ./certs/
$ chmod 644 ./certs/root_ca.crt
  4. Create traefik-config.toml inside traefik and make sure that it contains the following:
[[tls.certificates]]
  certFile = "/certs/traefik.crt"
  keyFile = "/certs/traefik.key"
  5. Run the compose file.
$ docker compose -f traefik.docker-compose.yml up -d

Install Gitea

  1. Create a certificate/key for Gitea and save it inside certs.
$ step ca certificate --ca-url https://ca.moxthos.art:8443 gitea.moxthos.art certs/gitea.crt certs/gitea.key --not-after 2399h
  2. Make sure that traefik/traefik-config.toml contains the following:
[[tls.certificates]]
  certFile = "/certs/gitea.crt"
  keyFile = "/certs/gitea.key"
  3. Run the compose file.
$ docker compose -f gitea.docker-compose.yml up -d

Install Others

You can repeat the above process for all the other services.

Roadmap

  • Step installation
  • Traefik installation
  • Gitea installation
  • WikiJS installation
  • Nextcloud installation
  • Rocketchat installation
  • Ctfd installation
  • .env for docker compose


Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request


License

Distributed under the MIT License. See LICENSE for more information.


Contact

Christos Kaltsas - me@christoskaltsas.com

Project Link: https://github.com/bQqqr/laboratoritator
