So I have heard that the quickstart is opinionated, particularly in relation to the PKI. It also seems to build some config file(s), and init a database. I have outgrown the quickstart, and I need to start identifying and breaking bottlenecks. I would like to stick with docker containers, but I am beginning to wonder whether or not I need to spend some time with the binary, producing some of the artifacts that the quickstart does.
What are the primitives that the quickstart produces that I would need to make myself? Which is the first bottleneck I need to break?
This is actually what I was working on Saturday for that other thread I was referencing. I'll narrate a video and explain what I'm doing and why... It'll be "quick and dirty" but you'll get what you need from it. Won't take me long... Gimme a few
I figured, I didn't want to hijack another thread, but would like to make it easy to find for the next guy. No rush, I will be heading away for the next few days... if Starlink works up north in the boonies then I might play with it.
Here you go. Hopefully it's reasonably thorough for a quick effort (I think it is). Happy to hear feedback and further questions... It's uploading/processing now. Should be live in five-ish minutes...
Script I followed (from-scratch.sh) is here https://raw.githubusercontent.com/dovholuknf/openziti-compose/main/from-scratch.sh
Thanks so much for the video @TheLumberjack , that really does help a ton.
So I have a couple quick questions.
- Is this sufficient for a small production service? I am talking a really small business like mine, with a few dozen devices and a handful of users. I would start using this as a production transport for access to all my secure devices.
- Do I need an external CA? Again, really small production service as above. What does an external CA give me?
In my opinion it is, as long as you use a static IP/DNS name. The IP/DNS can't change after you start it up or your PKI will be busted... Totally would be fine imo for many, many users (many more than a handful). You'd want to have a "DR/backup" plan is all, but you've asked about that before so I figure you're gtg there.
Nope, not one bit. External CA doesn't give you anything other than 'vanity'. You do need a wildcard cert for BrowZer, when (if) you ever get around to using that, but you can layer that on after the fact via alt_server_certs
...
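A small check that follows from the "IP/DNS can't change or your PKI will be busted" point above, added here as an example and not part of the thread or the from-scratch.sh script: it verifies that the address clients will use is actually present in a server certificate's Subject Alternative Names. The hostname, IP and certificate are constructed for the demo (it generates a throwaway self-signed cert standing in for the controller cert), and it assumes `openssl` 1.1.1 or newer is on the PATH.

```bash
#!/usr/bin/env bash
# Added example: confirm a server cert still covers the advertised address.
# If the controller/router is later reached on a name or IP that is not in
# the cert's SANs, clients fail TLS verification; this is the "PKI busted"
# state the reply above warns about. Requires openssl >= 1.1.1.
set -euo pipefail

# cert_has_san CERT.pem NAME -> exit 0 if NAME is a DNS or IP SAN in the cert.
cert_has_san() {
  local cert="$1" name="$2"
  # "-ext subjectAltName" prints e.g.:
  #   X509v3 Subject Alternative Name:
  #       DNS:ctrl.example.internal, IP Address:10.0.0.5
  # Split on commas, trim, then require an exact DNS:/IP Address: match.
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -x -e "DNS:${name}" -e "IP Address:${name}" >/dev/null
}

# make_demo_cert OUT.pem -> constructed self-signed cert with fixed SANs.
# The names below are hypothetical placeholders, not from the thread.
make_demo_cert() {
  local out="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "${out}.key" -out "$out" -subj "/CN=ziti-controller" \
    -addext "subjectAltName=DNS:ziti-controller.example.internal,IP:10.0.0.5" \
    >/dev/null 2>&1
}

# check_advertised CERT.pem NAME... -> prints one OK/MISSING line per name,
# returns non-zero if any name is missing.
check_advertised() {
  local cert="$1" rc=0 n
  shift
  for n in "$@"; do
    if cert_has_san "$cert" "$n"; then echo "OK       $n"
    else echo "MISSING  $n"; rc=1; fi
  done
  return $rc
}

demo="$(mktemp)"; trap 'rm -f "$demo" "$demo.key"' EXIT
make_demo_cert "$demo"
# The first two match the cert; the third simulates a renamed host.
check_advertised "$demo" ziti-controller.example.internal 10.0.0.5 \
  renamed-controller.example.internal || true
```

Point `cert_has_san` at the controller's actual server cert and the hostname or IP from its config to run the same check against a real deployment.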
I kinda figured those would be the answers. This is great, I am pretty much ready to put a DONE stamp on my zitification of my devices. THANK YOU!!!