chore(release): 0.13.0 [skip ci]

# [0.13.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.12.0...0.13.0) (2026-03-31)

### Features

* documentation on vault ssh ([648fb31](648fb319b1))

CHANGELOG.md

@@ -1,3 +1,27 @@
+# [0.13.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.12.0...0.13.0) (2026-03-31)
+
+
+### Features
+
+* documentation on vault ssh ([648fb31](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/648fb319b192ecd7826fe03599f7a0ee55a419ea))
+
+# [0.12.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.11.0...0.12.0) (2026-03-30)
+
+
+### Features
+
+* add more apps ([e13f3e3](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/e13f3e30e2a73a712008f65cc5932cbe1e71adb2))
+* add more apps ([ef4ff67](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/ef4ff67818d2758e21b9f0076519ca9221f74bb0))
+* add more apps ([32eacf8](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/32eacf8df7cd07eaf33a46d9df88e22f22d0cbf6))
+
+# [0.11.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.10.0...0.11.0) (2026-03-27)
+
+
+### Features
+
+* add more apps ([2221cbb](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/2221cbb0993595d7b8641fa4ffbc2fe874cdff39))
+* add more apps ([82736ec](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/82736ec2a95db97abc7337ec1849dbb97a0fca5e))
+
 # [0.10.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.9.0...0.10.0) (2026-03-26)
 
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "site-documentation",
   "type": "module",
-  "version": "0.10.0",
+  "version": "0.13.0",
   "scripts": {
     "dev": "astro dev",
     "build": "astro build",

src/content/docs/guides/vault-ssh-ca.md

@@ -0,0 +1,105 @@
+---
+title: Vault SSH Certificate Authority
+description: Steps followed to enable using Vault as a CA for ssh login
+---
+
+# Setup
+
+[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing)
+
+I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance.
+
+## Enable the SSH CA
+
+I followed the defaults mostly in the docs, reference the above link for details. Use either root or a role with permissions for the endpoints.
+
+Start with enabling the mount.
+```bash
+vault secrets enable -path=ssh-client-signer ssh
+```
+
+Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to.
+```bash
+ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
+```
+
+Add the above signing key.
+```bash
+vault write ssh-client-signer/config/ca private_key="..." public_key="..."
+```
+
+## Create Client Role and Key
+
+Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI.
+```bash
+vault write ssh-client-signer/roles/alexlebens -<<"EOH"
+{
+  "algorithm_signer": "rsa-sha2-256",
+  "allow_user_certificates": true,
+  "allowed_users": "*",
+  "allowed_extensions": "permit-pty,permit-port-forwarding",
+  "default_extensions": {
+    "permit-pty": ""
+  },
+  "key_type": "ca",
+  "default_user": "alexlebens",
+  "ttl": "30m0s"
+}
+EOH
+```
+
+## Create Client Key
+
+Generate the ssh key to use to authenticate to your hosts. This is the one to keep in ~/.ssh.
+```bash
+ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
+```
+
+## Configure SSH to use the Key and Cert
+
+SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above.
+```
+Host ps08rp
+    Hostname 10.232.1.51
+    User alexlebens
+    IdentityFile ~/.ssh/id_rsa_host
+```
+
+# Operations
+
+## Prepare Target Host
+
+Download the public cert from the endpoint.
+```bash
+curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key
+```
+
+Then add that file to the sshd config.
+```
+TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
+```
+
+### Automation
+
+This step is currently manual as I have few hosts that I need ssh for. The most common tool for automation would be Ansible. But this would only be useful for my RaspberyPis and I plan to migrate those to Talos and Kubernetes in the future.
+
+## Renew Client Certificate
+
+Sign the client cert, on your machine, with the Vault CA.
+```bash
+vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
+```
+
+I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh.
+```
+# Vault
+export VAULT_ADDR="https://vault.alexlebens.net"
+alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
+```
+
+### View Cert Details
+
+For troubleshooting purposes or clafification use the follow to inspect the cert.
+```bash
+ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub
+```