rezn-seedr bootstraps Rezn + Orqos infrastructure nodes
- One-shot provisioning for Rezn and/or Orqos nodes
- Installs certs, trust configs, and SSH host/user certs (see below)
- Sets up systemd units for long-running services
Rezn/Seedr relies on mutual TLS (mTLS) for all node and service communication.
You must provide your own CA to issue and rotate the X.509 certs; which CA you use is up to you, seedr only installs what it produces.
Recommended:
- step-ca — maintained, automatable, supports SSH CA
- cfssl — works, but limited features
- Anything that spits out PEM certs
Revocation & Rotation:
Short-lived certs (24-72h) recommended: a cert that expires within hours bounds the damage from a leaked key without anyone having to revoke it.
Revocation (the “kill switch”) is up to your CA: if you need instant revocation, pay for it or build it yourself.
TL;DR:
You bring the certs, Rezn takes care of the mTLS.
Rezn/Seedr expects your environment to support SSH CA (short-lived, signed SSH host and user certs).
- step-ssh is fully supported and recommended.
- Traditional static SSH keys are discouraged and may not be supported in future releases.
- If you’re not familiar with SSH CA, read: https://smallstep.com/docs/step-ssh/
```text
/etc/rezn/
├── trust.toml
└── certs/
    ├── rezn-client.pem
    ├── rezn-client.key
    ├── orqos-ca.pem
    ├── ssh_host_key-cert.pub   # SSH host cert (recommended)
    └── ssh_user-cert.pub       # SSH user cert (optional)
```
Supported platforms, currently: Debian Bookworm, Ubuntu LTS.
Docker is required.
What seedr does on a node:
- Ensures /etc/rezn and /etc/rezn/certs/ exist
- Copies certs (X.509, SSH) to the right places
- Writes a valid trust.toml
- Installs systemd units for rezn and orqos
- Verifies services are running
- Logs locally and optionally to Loki
- mTLS for all RPC and service calls.
- SSH CA for shell/automation access.

Config via /etc/rezn/trust.toml:

```toml
[trust]
client_cert = "/etc/rezn/certs/rezn-client.pem"  # this node's cert, presented to peers
client_key = "/etc/rezn/certs/rezn-client.key"   # the matching private key
ca_bundle = "/etc/rezn/certs/orqos-ca.pem"       # CA(s) that peer certs must chain to
```
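As an added, stand-alone example (not part of rezn-seedr or the Rezn/Orqos code base), the Go program below shows what the three `trust.toml` keys have to satisfy and the pre-flight check worth running before seedr installs them. It uses only the Go standard library. `Issue` is a constructed stand-in for whatever CA you run (step-ca, cfssl, anything else) that mints ECDSA certs in memory instead of reading the files under `/etc/rezn/certs/`; `CheckLifetime` enforces the 24-72h policy from the Revocation & Rotation section; `Handshake` performs a real TLS 1.3 mTLS exchange over loopback in which the server side only accepts client certs chained to the `ca_bundle` CA. The function names, the CNs (`orqos-ca`, `orqos-node`, `rezn-client`, `not-orqos-ca`) and the loopback listener are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MaxLifetime mirrors the 24-72h short-lived cert guidance above.
const MaxLifetime = 72 * time.Hour

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue mints an ECDSA P-256 cert for cn signed by parent (self-signed when
// parent is nil) and returns it together with its key, i.e. the in-memory form
// of the client_cert/client_key pair. Constructed stand-in for whatever CA you
// actually run (step-ca, cfssl, ...); it exists only so the example works offline.
func Issue(cn string, isCA bool, lifetime time.Duration, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN for the loopback listener
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// CheckLifetime is the pre-flight check to run on client_cert before seedr
// installs it: a cert that outlives the rotation window still "works", but
// leaves you depending on CA revocation you may not have.
func CheckLifetime(c tls.Certificate) error {
	if life := c.Leaf.NotAfter.Sub(c.Leaf.NotBefore); life > MaxLifetime {
		return fmt.Errorf("cert %q valid for %s, exceeds %s", c.Leaf.Subject.CommonName, life.Round(time.Hour), MaxLifetime)
	}
	return nil
}

// Handshake runs one mTLS connection over loopback with ca as the ca_bundle on
// both sides: the server requires a client cert chained to ca, the client
// verifies the node cert against ca. Returns the client CN the server
// authenticated, or the first error either side raised.
func Handshake(ca *x509.Certificate, node, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{node},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mTLS
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var peerCN string
	errc := make(chan error, 1) // server-side verdict; buffered so the goroutine never blocks
	go func() {
		c, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err = tc.Handshake(); err == nil {
			peerCN = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		errc <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	err = <-errc // in TLS 1.3 the client finishes first, so a bad client cert only fails here
	return peerCN, err
}

func main() {
	ca := Issue("orqos-ca", true, 10*365*24*time.Hour, nil)
	node := Issue("orqos-node", false, 48*time.Hour, &ca)
	fmt.Println(Handshake(ca.Leaf, node, Issue("rezn-client", false, 48*time.Hour, &ca)))
	rogueCA := Issue("not-orqos-ca", true, 24*time.Hour, nil)
	fmt.Println(Handshake(ca.Leaf, node, Issue("rezn-client", false, 48*time.Hour, &rogueCA)))
	fmt.Println(CheckLifetime(Issue("rezn-client", false, 365*24*time.Hour, &ca)))
}
```

Running it shows the 48h `rezn-client` cert being authenticated by the node, the cert minted by `not-orqos-ca` failing with an unknown-authority error raised on the server side (the TLS 1.3 client has already sent its Finished by then, which is why `Handshake` collects the server's verdict rather than trusting `tls.Dial` alone), and the one-year cert rejected by `CheckLifetime` even though it would have handshaken fine. On a real node the same `tls.Config` is fed from the `trust.toml` paths with `tls.LoadX509KeyPair(client_cert, client_key)` and `x509.CertPool.AppendCertsFromPEM` on `ca_bundle`.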
This tool takes over the box. Run it only on clean, dedicated hosts, not shared or dev laptops.
Under active development. Breaking changes happen weekly.