-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
018a946
commit 318d483
Showing
6 changed files
with
126 additions
and
77 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| name: ci | ||
|
|
||
| on: | ||
| pull_request: | ||
| push: | ||
| branches: | ||
| - main | ||
|
|
||
| jobs: | ||
| gomodtidy: | ||
| name: tidy | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: stable | ||
| - name: go mod tidy | ||
| run: go mod tidy | ||
| - name: git diff | ||
| run: | | ||
| git diff --exit-code --quiet | ||
| if [ $? -ne 0 ]; then | ||
| echo "Please run 'go mod tidy' and commit the changes" | ||
| exit 1 | ||
| fi | ||
| golangci: | ||
| name: lint | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: stable | ||
| - name: golangci-lint | ||
| uses: golangci/golangci-lint-action@v6 | ||
| with: | ||
| version: v1.59 | ||
| gotest: | ||
| name: test | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: stable | ||
| - name: go test | ||
| run: go test -v -race -cover ./... |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,12 +1,80 @@ | ||
| # PiKVM Tailscale Cert Renewer | ||
| # PiKVM Tailscale Certificate Renewer | ||
|
|
||
| This is a tool to automatically renew tailscale certs for a PiKVM | ||
| [](LICENSE) | ||
| <!--  --> | ||
|
|
||
| This tool assumes you have setup your PiKVM and the [tailscale integration](https://docs.pikvm.org/tailscale/) using the [official docs](https://docs.pikvm.org/). This tool is designed around the following information from the docs: | ||
| >If you have a certificate (making a cert falls outside the scope of PiKVM - please reference OpenSSL documentation or use Let's Encrypt), replace keys in /etc/kvmd/nginx/ssl, edit /etc/kvmd/nginx/ssl.conf if necessary and restart kvmd-nginx service. *[PiKVM Common Questions](https://docs.pikvm.org/faq/#common-questions)* | ||
| Automatically renew Tailscale SSL certificates for your PiKVM with ease! | ||
|
|
||
| This tool automatically discovers your tailscale domain, creates and renews certs for that domain, sets the cert path in the nginx config, and restarts NGINX. | ||
| ## 🚀 Features | ||
|
|
||
| ``` | ||
| - **Automatic Discovery**: Detects your Tailscale domain without manual configuration | ||
| - **Certificate Management**: Creates and renews certificates seamlessly | ||
| - **NGINX Integration**: Updates NGINX configuration and restarts the service automatically | ||
| - **Zero Maintenance**: Set it and forget it - your certs will always be up-to-date | ||
|
|
||
| ## 🛠 Prerequisites | ||
|
|
||
| This tool assumes you have: | ||
| 1. Set up your PiKVM | ||
| 2. Configured the [Tailscale integration](https://docs.pikvm.org/tailscale/) using the [official PiKVM documentation](https://docs.pikvm.org/) | ||
|
|
||
| ## 📦 Installation | ||
|
|
||
| To install, run the following command on your PiKVM: | ||
|
|
||
| ```bash | ||
| curl -L -s "https://raw.githubusercontent.com/nateinaction/pikvm-tailscale-cert-renewer/main/install.sh" | bash | ||
| ``` | ||
|
|
||
| ## 🔍 Monitoring | ||
|
|
||
| After installation, the certificate renewer runs as a system service. You can monitor its status using systemctl: | ||
|
|
||
| ```bash | ||
| systemctl status pikvm-tailscale-cert-renewer | ||
| ``` | ||
|
|
||
| For more detailed logs, use journalctl: | ||
|
|
||
| ```bash | ||
| journalctl -u pikvm-tailscale-cert-renewer | ||
| ``` | ||
|
|
||
| ## 🎬 Covered Scenarios | ||
|
|
||
| The certificate renewer primarily operates in an idle state but actively watches for the following scenarios: | ||
| - Tailscale domain changes | ||
| - Certificate mismatchs between Tailscale and filesystem caused by | ||
| - Certificate revocation | ||
| - Certificate expiry | ||
| - Missing certificate files | ||
| - Modified certificate files | ||
| - NGINX configuration changes | ||
|
|
||
| ## 📋 Example Log | ||
| Here's an example log output when a Tailscale domain change occurs: | ||
|
|
||
| ``` | ||
| Jul 17 04:25:31 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:31 WARN cert file does not exist path=/etc/kvmd/nginx/ssl/my-domain.mytailnet.ts.net.crt | ||
| Jul 17 04:25:46 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:46 INFO filesystem mode changed to read/write | ||
| Jul 17 04:25:46 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:46 INFO wrote cert file path=/etc/kvmd/nginx/ssl/my-domain.mytailnet.ts.net.crt | ||
| Jul 17 04:25:46 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:46 INFO wrote key file path=/etc/kvmd/nginx/ssl/my-domain.mytailnet.ts.net.key | ||
| Jul 17 04:25:46 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:46 INFO filesystem mode changed to read-only | ||
| Jul 17 04:25:46 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:46 WARN cert or key line not found in nginx config path=/etc/kvmd/nginx/ssl.conf | ||
| Jul 17 04:25:46 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:46 INFO filesystem mode changed to read/write | ||
| Jul 17 04:25:46 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:46 INFO wrote to nginx ssl config path=/etc/kvmd/nginx/ssl.conf | ||
| Jul 17 04:25:46 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:46 INFO filesystem mode changed to read-only | ||
| Jul 17 04:25:48 pikvm pikvm-tailscale-cert-renewer[11845]: 2024/07/17 04:25:48 INFO kvmd-nginx restarted | ||
| ``` | ||
|
|
||
| ## 📝 License | ||
| This project is licensed under the MIT License - see the LICENSE file for details. | ||
|
|
||
| ## 🤝 Contributing | ||
| Contributions, issues, and feature requests are welcome! Feel free to check the issues page. | ||
|
|
||
| ## 🌟 Show your support | ||
| Give a ⭐️ if this project helped you! | ||
|
|
||
| ## 📞 Contact | ||
| If you have any questions or feedback, please [open an issue](https://github.com/nateinaction/pikvm-tailscale-cert-renewer/issues) or start a [discussion](https://github.com/nateinaction/pikvm-tailscale-cert-renewer/discussions). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters