ci: set to debug log

.gitea/workflows/renovate.yaml

@@ -22,7 +22,7 @@ jobs:
           RENOVATE_REPOSITORIES: alexlebens/site-documentation
           RENOVATE_GIT_AUTHOR: Renovate Bot <renovate-bot@alexlebens.net>
           RENOVATE_REDIS_URL: ${{ vars.RENOVATE_REDIS_URL }}
-          LOG_LEVEL: info
+          LOG_LEVEL: debug
           RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
           RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
           RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}

astro.config.mjs

@@ -6,8 +6,6 @@ import sitemap from '@astrojs/sitemap';
 import starlight from "@astrojs/starlight";
 import starlightThemeRapide from 'starlight-theme-rapide'
 
-import tailwindcss from '@tailwindcss/vite';
-
 const getSiteURL = () => {
   if (process.env.SITE_URL) {
     return `https://${process.env.SITE_URL}`;
@@ -29,6 +27,9 @@ export default defineConfig({
       customCss: [
         './src/styles/custom.css',
       ],
+      expressiveCode: {
+        themes: ['vitesse-light', 'vitesse-dark'],
+      },      
       social: [
         {
           icon: "external",
@@ -54,21 +55,9 @@ export default defineConfig({
           autogenerate: { directory: "applications" },
         },
       ],
-    }),
+    })  
   ],
 
-  markdown: {
-    syntaxHighlight: false,
-  },
-
-  plugins: {
-    '@tailwindcss/postcss': {},
-  },
-
-  vite: {
-    plugins: [tailwindcss()],
-  },
-
   output: 'static',
 
   adapter: node({

src/content/docs/applications/homepage.mdx

@@ -0,0 +1,15 @@
+---
+title: Homepage
+description: A highly customizable homepage (or startpage / application dashboard) with Docker and service API integrations.
+hero:
+  tagline: A highly customizable homepage (or startpage / application dashboard) with Docker and service API integrations.
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/homepage.webp
+  actions:
+    - text: Source
+      link: https://github.com/gethomepage/homepage
+      icon: right-arrow
+    - text: Deployment Chart
+      link: https://gitea.alexlebens.dev/alexlebens/infrastructure/src/branch/main/clusters/cl01tl/helm/homepage
+      icon: right-arrow
+---

src/content/docs/guides/vault-ssh-ca.md

@@ -0,0 +1,105 @@
+---
+title: Vault SSH Certificate Authority
+description: Steps followed to enable using Vault as a CA for ssh login
+---
+
+# Setup
+
+[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing)
+
+I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance.
+
+## Enable the SSH CA
+
+I followed the defaults mostly in the docs, reference the above link for details. Use either root or a role with permissions for the endpoints.
+
+Start with enabling the mount.
+```bash
+vault secrets enable -path=ssh-client-signer ssh
+```
+
+Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to.
+```bash
+ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
+```
+
+Add the above signing key.
+```bash
+vault write ssh-client-signer/config/ca private_key="..." public_key="..."
+```
+
+## Create Client Role and Key
+
+Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI.
+```bash
+vault write ssh-client-signer/roles/alexlebens -<<"EOH"
+{
+  "algorithm_signer": "rsa-sha2-256",
+  "allow_user_certificates": true,
+  "allowed_users": "*",
+  "allowed_extensions": "permit-pty,permit-port-forwarding",
+  "default_extensions": {
+    "permit-pty": ""
+  },
+  "key_type": "ca",
+  "default_user": "alexlebens",
+  "ttl": "30m0s"
+}
+EOH
+```
+
+## Create Client Key
+
+Generate the ssh key to use to authenticate to your hosts. This is the one to keep in ~/.ssh.
+```bash
+ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
+```
+
+## Configure SSH to use the Key and Cert
+
+SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above.
+```
+Host ps08rp
+    Hostname 10.232.1.51
+    User alexlebens
+    IdentityFile ~/.ssh/id_rsa_host
+```
+
+# Operations
+
+## Prepare Target Host
+
+Download the public cert from the endpoint.
+```bash
+curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key
+```
+
+Then add that file to the sshd config.
+```
+TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
+```
+
+### Automation
+
+This step is currently manual as I have few hosts that I need ssh for. The most common tool for automation would be Ansible. But this would only be useful for my RaspberyPis and I plan to migrate those to Talos and Kubernetes in the future.
+
+## Renew Client Certificate
+
+Sign the client cert, on your machine, with the Vault CA.
+```bash
+vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
+```
+
+I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh.
+```
+# Vault
+export VAULT_ADDR="https://vault.alexlebens.net"
+alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
+```
+
+### View Cert Details
+
+For troubleshooting purposes or clafification use the follow to inspect the cert.
+```bash
+ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub
+```