From 3c9d76458e4005dab577b7c3cb8391b509f87c4a Mon Sep 17 00:00:00 2001 From: Keith Irwin Date: Thu, 20 Jan 2022 10:11:35 -0700 Subject: [PATCH] Added new user invite instructions --- _src/nebuchadnezzar.md | 8 ----- _src/nebuchadnezzar/ca.md | 57 +++++++++++++++++++++++++++++ _src/nebuchadnezzar/index.md | 11 ++++++ _src/nebuchadnezzar/wg.md | 69 ++++++++++++++++++++++++++++++++++++ 4 files changed, 137 insertions(+), 8 deletions(-) delete mode 100644 _src/nebuchadnezzar.md create mode 100644 _src/nebuchadnezzar/ca.md create mode 100644 _src/nebuchadnezzar/index.md create mode 100644 _src/nebuchadnezzar/wg.md diff --git a/_src/nebuchadnezzar.md b/_src/nebuchadnezzar.md deleted file mode 100644 index d341789..0000000 --- a/_src/nebuchadnezzar.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -title: Welcome -layout: base.njk ---- - -# {{title}} - -This is where the wireguard and CA cert directions need to go. \ No newline at end of file diff --git a/_src/nebuchadnezzar/ca.md b/_src/nebuchadnezzar/ca.md new file mode 100644 index 0000000..27b8df4 --- /dev/null +++ b/_src/nebuchadnezzar/ca.md 
@@ -0,0 +1,57 @@ +--- +title: Installing the CA Certifiacte +layout: base.njk +--- + +# {{title}} + +When you visit `mybank.com` over HTTPS, your connection is encrypted *and* reliable. **Encryption** means the data is scrambled so it can't be "wiretapped". **Reliability** means you can trust that the data was sent from the real `mybank.com`. + +- `.com` is the **Top Level Domain (TLD)**. The TLD could be `.org` or whatever. +- Each TLD has its own **Certificate Authority (CA)**. The CA for `.com` is Verisign, Inc. +- Your browser has a store of **CA certificates**, one for each CA/TLD. (Your operating system also keeps a store of CA certs). +- When you visit `mybank.com` for the first time, they send you a **server certificate**. +- Your browser uses the Verisign CA certificate in its storage to ensure that the server certificate recieved from `mybank.com` was signed by Verisign. + +If the data sent by `mybank.com` was signed by Verisign, we know we're talking to the *real* `mybank.com`. (It's the responsibility of the CA to make sure they're signing certificates for the real mybank and not an imposter.) Because our connection is reliable, our browser shows us a lock symbol. + +This reliability is part of **Transport Layer Security (TLS)**. This example used HTTPS, a web protocol. But TLS is also used in mumble, email, matrix, irc, etc. + +## Respec GF4's authoritah + +GF4 uses the unofficial `.gf4` TLD. Neither your OS nor browser have a CA certificate for this TLD: you have to import it. If possible, import it into both OS and browser. On mobile devices it's only availale at the OS level, at least that's how it is on android. + +For all of these instructions, you'll need to download the certificate from [https://www.gf4.pw/ca.crt](https://www.gf4.pw/ca.crt). 
+ +**TODO**: Split these into seperate pages + +### Linux + +### Debian/Ubuntu + +``` +curl -s https://www.gf4.pw/ca.crt \ +| sudo tee /usr/local/share/ca-certificates/gf4.crt \ +| sudo tee /etc/ssl/certs/gf4.pem +sudo chmod 644 /usr/local/share/ca-certificates/gf4.crt /etc/ssl/certs/gf4.pem +``` + +Import the certificates into your browser too. + +### Android + +TODO + +### Mac + +Help wanted + +### iPhone + +Help wanted + +### Windows + +Help wanted + +< [Back](/nebuchadnezzar/) \ No newline at end of file diff --git a/_src/nebuchadnezzar/index.md b/_src/nebuchadnezzar/index.md new file mode 100644 index 0000000..10f7c71 --- /dev/null +++ b/_src/nebuchadnezzar/index.md @@ -0,0 +1,11 @@ +--- +title: Welcome +layout: base.njk +--- + +# {{title}} + +Connecting a new device to the GF4 network is a two-step process: + +1. [Install and configure wireguard](wg) +2. [Install the CA certificate](ca) \ No newline at end of file diff --git a/_src/nebuchadnezzar/wg.md b/_src/nebuchadnezzar/wg.md new file mode 100644 index 0000000..1b2b03f --- /dev/null +++ b/_src/nebuchadnezzar/wg.md 
@@ -0,0 +1,69 @@ +--- +title: Installing Wireguard +layout: base.njk +--- + +# {{title}} + +**TODO**: Explanation of VPNs + +Follow the directions for your respective platform. Report any issues to [ki9@gf4.pw](mailto:ki9@gf4.pw). + +**TODO**: Split these into seperate pages + +### Linux + +#### Debian/Ubuntu + +Install wireguard and patch [this bug](https://superuser.com/questions/1500691/usr-bin-wg-quick-line-31-resolvconf-command-not-found-wireguard-debian) using these commands: + +``` +sudo apt install wireguard +sudo ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf +``` + +Edit the config file as root + +``` +sudo nano /etc/wireguard/gf4.conf +``` + +Paste your configuration in there. If using `systemd-resolved`, adding this line to the `[Interface]` section of the wireguard config to ensure `.gf4` domains resolve through the wireguard interface. + +``` +PostUp = resolvectl domain gf4 gf4 +``` + +Finally save the file and start the service with: + +``` +sudo systemctl start wg-quick@gf4 +``` + +Enable the VPN to start on boot by running: + +``` +sudo systemctl enable wg-quick@gf4 +``` + +### Android + +**TODO:** Android wireguard configuration. + +### Mac + +**HELP WANTED:** Instructions for configuring on MacOS. + +### Windows + +**HELP WANTED:** Instructions for configuring on Windows 10. + +### iPhone + +**HELP WANTED:** Instructions for configuring on an iPhone. + +## Testing + +You know everything is working if you can access [the private portal](https://www.ksn.gf4/) on the device. If you see a privacy warning, wireguard is working and you can move on to the next step: [Installing the GF4 CA certificate](/nebuchadnezzar/ca/). + +< [Back](/nebuchadnezzar/) \ No newline at end of file
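Review bot: in the Debian/Ubuntu block of ca.md, writing the certificate to /usr/local/share/ca-certificates/gf4.crt needs to be followed by `sudo update-ca-certificates`; that command is what creates the /etc/ssl/certs entry and rebuilds the bundle that OpenSSL-based tools read, so the second `sudo tee /etc/ssl/certs/gf4.pem` should be dropped rather than written by hand (a hand-made file there is also in the way when update-ca-certificates later tries to place its own gf4.pem link). The pipeline also trusts whatever the download returns: `curl -s` will happily write an HTML error page into the trust store if the URL ever 404s, so use `curl -fsS`, and tell the reader to compare the fingerprint (`openssl x509 -in gf4.crt -noout -fingerprint -sha256`) against a value published out of band before installing, since this step lets the CA vouch for any name the device connects to. On the explanation: "Each TLD has its own Certificate Authority" and "The CA for `.com` is Verisign" tie CAs to TLDs, which is not how the system works; any trusted CA can issue for any domain, and the `.gf4` certificate has to be imported because no CA in the default store signed it, not because the TLD is unofficial. Spelling: "Certifiacte" in the front-matter title, "recieved", "availale", "seperate"; the "### Linux" and "### Debian/Ubuntu" headings are the same level, whereas wg.md uses "####" for the distro.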
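Review bot: index.md links the two steps as relative `wg` and `ca`, while ca.md and wg.md link back with the absolute `/nebuchadnezzar/` and the next-step link in wg.md uses `/nebuchadnezzar/ca/`; pick one form (the absolute, trailing-slash form matches the existing Back links and avoids a redirect to the directory URL) so the links behave the same from every page.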
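Review bot: in wg.md the config step pastes a private key into /etc/wireguard/gf4.conf with no permissions guidance; add `sudo chmod 600 /etc/wireguard/gf4.conf` (or an `umask 077` before the nano step) right after editing, since wg-quick will otherwise warn that the file is world accessible and any local user can read the key. The `sudo ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf` workaround should be stated as conditional on the host running systemd-resolved and not having the resolvconf or openresolv package installed: where /usr/local/bin/resolvconf already exists the ln fails, and where systemd-resolved is not running the symlink points at a tool that cannot apply the DNS settings. Grammar: "adding this line to the `[Interface]` section of the wireguard config to ensure" should read "add this line ... to ensure"; "seperate" and "MacOS" (macOS) as well. In the Testing section, "If you see a privacy warning, wireguard is working" should say explicitly not to click through the warning but to install the CA and reload the page; as written it teaches readers that accepting an untrusted certificate is the normal path.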