infra/modules/kubernetes/keyserver/index.md

This contains the setup for setting up a remote machine that serves a keyfile for decrypting a luks volume

1. Install nginx
```
sudo apt update
sudo apt install nginx apache2-utils -y
```

2. Create User for basic auth

```
sudo htpasswd -c /etc/nginx/.htpasswd truenas
```

3. Create secure directory and key file

```
sudo mkdir -p /srv/keys
head -c 128 /dev/urandom | sudo tee /srv/keys/truenas.key >/dev/null
```

4. Create rate limit zone
```
# /etc/nginx/conf.d/ratelimit.conf

# Allow only 3 key requests per minute per IP
limit_req_zone $binary_remote_addr zone=keylimit:10m rate=3r/m;
```

5. Configure nginx virtual host
```
# /etc/nginx/sites-available/keyserver.conf

server {
    listen 443 ssl;
    server_name <ip address here>;

    # TLS certificate and key (we will set these in the next step)
    ssl_certificate     /etc/ssl/certs/keyserver.crt;
    ssl_certificate_key /etc/ssl/private/keyserver.key;

    # Enforce strong TLS
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Rate limiting zone created earlier
    limit_req zone=keylimit burst=2 nodelay;

    location /keys/ {
        alias /srv/keys/;

        # Basic auth
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Disable directory listing
        autoindex off;

        # Prevent caching
        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
    }
}
```

6. Enable the host:
```
sudo ln -s /etc/nginx/sites-available/keyserver.conf /etc/nginx/sites-enabled/
```

7. Disable default host:
```
sudo rm /etc/nginx/sites-enabled/default
```
add keyserver ansible playbook to deploy oob keyserver [ci skip] 2025-11-29 11:38:32 +00:00			`This contains the setup for setting up a remote machine that serves a keyfile for decrypting a luks volume`

			`1. Install nginx`
			```
			`sudo apt update`
			`sudo apt install nginx apache2-utils -y`
			```

			`2. Create User for basic auth`

			```
			`sudo htpasswd -c /etc/nginx/.htpasswd truenas`
			```

			`3. Create secure directory and key file`

			```
			`sudo mkdir -p /srv/keys`
			`head -c 128 /dev/urandom \| sudo tee /srv/keys/truenas.key >/dev/null`
			```

			`4. Create rate limit zone`
			```
			`# /etc/nginx/conf.d/ratelimit.conf`

			`# Allow only 3 key requests per minute per IP`
			`limit_req_zone $binary_remote_addr zone=keylimit:10m rate=3r/m;`
			```

			`5. Configure nginx virtual host`
			```
			`# /etc/nginx/sites-available/keyserver.conf`

			`server {`
			`listen 443 ssl;`
			`server_name <ip address here>;`

			`# TLS certificate and key (we will set these in the next step)`
			`ssl_certificate /etc/ssl/certs/keyserver.crt;`
			`ssl_certificate_key /etc/ssl/private/keyserver.key;`

			`# Enforce strong TLS`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_prefer_server_ciphers on;`

			`# Rate limiting zone created earlier`
			`limit_req zone=keylimit burst=2 nodelay;`

			`location /keys/ {`
			`alias /srv/keys/;`

			`# Basic auth`
			`auth_basic "Restricted";`
			`auth_basic_user_file /etc/nginx/.htpasswd;`

			`# Disable directory listing`
			`autoindex off;`

			`# Prevent caching`
			`add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;`
			`}`
			`}`
			```

			`6. Enable the host:`
			```
			`sudo ln -s /etc/nginx/sites-available/keyserver.conf /etc/nginx/sites-enabled/`
			```

			`7. Disable default host:`
			```
			`sudo rm /etc/nginx/sites-enabled/default`
			```