mirror of
https://github.com/pikvm/pikvm
synced 2024-11-10 13:10:37 +00:00
Add instructions for using Route53 for DNS (#766)
* Add instructions for using Route53 for DNS Add instructions for using Route53 for DNS * Update letsencrypt.md Updates to use AWS_SHARED_CREDENTIALS_FILE.
This commit is contained in:
parent
2d903e08b2
commit
2874b62e77
@ -75,3 +75,91 @@ This example shows that PiKVM may not be accessible from the internet, but you c
|
||||
```
|
||||
|
||||
4. Next follow the basic guide.
|
||||
|
||||
|
||||
## Route53 DNS
|
||||
|
||||
This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use AWS Route53 DNS. Make sure you are running an image newer than 2022.06.20 and kvmd version 3.119-1 or greater.
|
||||
|
||||
1. Switch filesystem to RW and install the Route53 DNS plugin:
|
||||
```
|
||||
# rw
|
||||
# pacman -S certbot-dns-route53
|
||||
```
|
||||
|
||||
2. Configure Your AWS User
|
||||
For the certbot_dns_route53 plugin to work it needs to be able to connect to AWS using an access key with the correct permissions.
|
||||
|
||||
To do this securely you’ll want to create a new AWS user that only has the necessary permissions it needs to work.
|
||||
|
||||
You can find instructions for creating a user [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console). The basics of it is you’ll want a user with Programmatic access (not console), add it to a group (I created a new one just for this user and any future certbot users I might need).
|
||||
|
||||
The user will need specific permissions that are required to allow the certbot plugin to create the necessary CNAME records. These can be added by manually selecting them from a very long list or you can use the json view to give it the following permissions.
|
||||
|
||||
```
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"route53:ListHostedZones",
|
||||
"route53:GetChange"
|
||||
],
|
||||
"Resource": [
|
||||
"*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Effect" : "Allow",
|
||||
"Action" : [
|
||||
"route53:ChangeResourceRecordSets"
|
||||
],
|
||||
"Resource" : [
|
||||
"arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
Make sure you replace YOURHOSTEDZONEID with the instance ID of your hosted zone.
|
||||
|
||||
Once the user is created don’t forget to download and save your access key and secret access key (somewhere secure, these are as sensitive as your passwords).
|
||||
|
||||
3. Setup credentials:
|
||||
|
||||
We now need to put the AWS credentials on the PiKVM so the certbot can use them.
|
||||
```
|
||||
kvmd-pstrun -- mkdir /var/lib/kvmd/pst/data/certbot/
|
||||
kvmd-pstrun -- mkdir /var/lib/kvmd/pst/data/certbot/runroot
|
||||
```
|
||||
|
||||
Copy and paste your AWS credentials into the nano editor and save the file.
|
||||
```
|
||||
kvmd-pstrun -- nano /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth
|
||||
```
|
||||
Here is an example .route53.auth file. Replace the placeholders with the access key and secret access key that you just saved from AWS and fill them in.
|
||||
|
||||
```
|
||||
[default]
|
||||
aws_access_key_id=XXXXXX
|
||||
aws_secret_access_key=XXXX/XXXXX
|
||||
```
|
||||
|
||||
Update permissions:
|
||||
```
|
||||
kvmd-pstrun -- chmod 600 /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth
|
||||
```
|
||||
|
||||
4. Obtain the certificate:
|
||||
```
|
||||
export AWS_SHARED_CREDENTIALS_FILE="/var/lib/kvmd/pst/data/certbot/runroot/.route53.auth"
|
||||
kvmd-certbot certonly \
|
||||
--dns-route53 \
|
||||
--agree-tos \
|
||||
-n \
|
||||
--email user@example.com \
|
||||
-d pikvm.example.com
|
||||
```
|
||||
|
||||
4. Next follow the basic guide.
|
||||
|
Loading…
Reference in New Issue
Block a user