🏭 How to setup your organization's internal services with a local CA.
For various reasons, many development teams do not trust cloud providers and want to host their own in-house services. Laboratoriator is a series of docker-compose files and an instructional guide on how to set up your organization's services in an internal network.
Install the following inside your host.
- Create the StepCA directory and change its owner so docker can write to it.

```sh
$ cd $HOME
$ mkdir stepca
$ chown 1000:1000 stepca
```
- Initialize and configure StepCA. Make sure that you save your password and the new CA's fingerprint.

```sh
$ docker run -p 8443:8443 -it -v `pwd`/stepca:/home/step smallstep/step-ca:0.18.1 step ca init
> Standalone
> MoxthosCA
> 0.0.0.0,ca.moxthos.art
> :8443
> admin@moxthos.art
> ********
...
✔ Root fingerprint: ******************************************************
...
```
- Save your password inside the container and run the compose file.

```sh
$ docker run -p 8443:8443 -it -v `pwd`/stepca:/home/step smallstep/step-ca:0.18.1 sh
(inside container) $ echo -n '**********' > /home/step/secrets/password
(inside container) $ exit
$ docker compose -f stepca.docker-compose.yml up -d
```
- Do not forget to change the default max lifetime for TLS certificates. Open `~/stepca/config/ca.json` and configure `claims` inside the `authority` or the `provisioner` object. Restart the container to apply the changes.

```json
"claims": {
  "maxTLSCertDuration": "2160h",
  "defaultTLSCertDuration": "24h"
}
```
- Install the root certificates in your host using `step`.

```sh
$ step ca bootstrap --ca-url https://ca.moxthos.art:8443 --fingerprint ************ --install
```
- Create the `certs` and `traefik` directories and change their owner so docker can write to them.

```sh
$ mkdir certs traefik
$ chown 1000:1000 certs traefik
```
- Create a certificate/key for Traefik and save it inside `certs`.

```sh
$ step ca certificate --ca-url https://ca.moxthos.art:8443 traefik.moxthos.art certs/traefik.crt certs/traefik.key --not-after 2399h
```
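Before issuing certificates it is worth checking that the lifetime you pass to `--not-after` fits the `claims` you put in `ca.json`, because step-ca refuses requests longer than `maxTLSCertDuration` (provisioner claims override authority claims, which override step-ca's built-in defaults). The following is an added example, not part of Laboratoriator; the `ca.json` fragment and the `short-lived` provisioner in it are constructed, and with the guide's own values it shows that a 2399h request against a 2160h maximum is refused.

```python
import json
import re

# step-ca's built-in claim defaults, used when neither authority nor provisioner sets them.
STEP_DEFAULTS = {"minTLSCertDuration": "5m", "maxTLSCertDuration": "24h",
                 "defaultTLSCertDuration": "24h"}

_UNITS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
_DUR_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")

def parse_duration(text):
    """Parse a Go-style duration such as '2160h', '24h' or '1h30m' into seconds."""
    if not re.fullmatch(r"(?:\d+(?:\.\d+)?(?:ms|h|m|s))+", text):
        raise ValueError(f"bad duration: {text!r}")
    return sum(float(n) * _UNITS[u] for n, u in _DUR_RE.findall(text))

def effective_claims(ca_config, provisioner_name):
    """Resolve claims: provisioner overrides authority, which overrides the defaults."""
    authority = ca_config.get("authority", {})
    claims = dict(STEP_DEFAULTS)
    claims.update(authority.get("claims", {}))
    for prov in authority.get("provisioners", []):
        if prov.get("name") == provisioner_name:
            claims.update(prov.get("claims", {}))
            break
    else:
        raise KeyError(f"provisioner {provisioner_name!r} not found")
    return claims

def check_requested_lifetime(ca_config, provisioner_name, not_after):
    """Return (ok, reason) for a `step ca certificate --not-after <duration>` request."""
    claims = effective_claims(ca_config, provisioner_name)
    want = parse_duration(not_after)
    lo = parse_duration(claims["minTLSCertDuration"])
    hi = parse_duration(claims["maxTLSCertDuration"])
    if want > hi:
        return False, f"{not_after} exceeds maxTLSCertDuration {claims['maxTLSCertDuration']}"
    if want < lo:
        return False, f"{not_after} is below minTLSCertDuration {claims['minTLSCertDuration']}"
    return True, "within policy"

# Constructed fragment of ~/stepca/config/ca.json; the first provisioner name is the
# one entered at `step ca init` above, the "short-lived" provisioner is invented.
SAMPLE_CA_JSON = json.loads("""{
  "authority": {
    "claims": {"maxTLSCertDuration": "2160h", "defaultTLSCertDuration": "24h"},
    "provisioners": [
      {"type": "JWK", "name": "admin@moxthos.art"},
      {"type": "JWK", "name": "short-lived", "claims": {"maxTLSCertDuration": "72h"}}
    ]
  }
}""")

if __name__ == "__main__":
    for prov, dur in [("admin@moxthos.art", "2399h"), ("admin@moxthos.art", "720h"),
                      ("short-lived", "720h")]:
        print(prov, dur, check_requested_lifetime(SAMPLE_CA_JSON, prov, dur))
```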
- Copy the root certificate from StepCA's container to `certs`.

```sh
$ docker cp stepca:/home/step/certs/root_ca.crt ./certs/
$ chmod 644 ./certs/root_ca.crt
```
- Create `traefik-config.toml` inside `traefik` and make sure that it contains the following:

```toml
[[tls.certificates]]
certFile = "/certs/traefik.crt"
keyFile = "/certs/traefik.key"
```
- Run the compose file.

```sh
$ docker compose -f traefik.docker-compose.yml up -d
```
- Create a certificate/key for Gitea and save it inside `certs`.

```sh
$ step ca certificate --ca-url https://ca.moxthos.art:8443 gitea.moxthos.art certs/gitea.crt certs/gitea.key --not-after 2399h
```
- Make sure that `traefik/traefik-config.toml` contains the following:

```toml
[[tls.certificates]]
certFile = "/certs/gitea.crt"
keyFile = "/certs/gitea.key"
```

- Run the compose file.

```sh
$ docker compose -f gitea.docker-compose.yml up -d
```
You can repeat the above process for all the other services.
- Step installation
- Traefik installation
- Gitea installation
- WikiJS installation
- Nextcloud installation
- Rocketchat installation
- Ctfd installation
- `.env` for docker compose
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
Distributed under the MIT License. See LICENSE for more information.