diff --git a/manifests/ca-installer/ca-installer.yaml b/manifests/ca-installer/ca-installer.yaml
new file mode 100644
index 0000000..d35adf4
--- /dev/null
+++ b/manifests/ca-installer/ca-installer.yaml
@@ -0,0 +1,130 @@
+# ca-installer.yaml
+# CA Trust Installer — serves CA cert + iOS mobileconfig at ca.home.arpa
+#
+# Pre-requisites (run once, or after CA cert rotation):
+#   kubectl create configmap ca-installer-web -n ca-installer \
+#     --from-file=index.html=manifests/ca-installer/web/index.html
+#
+#   kubectl create configmap ca-installer-files -n ca-installer \
+#     --from-file=ca.crt=/tmp/homelab-ca.crt \
+#     --from-file=ca.mobileconfig=/tmp/homelab-ca.mobileconfig
+#
+# Apply: kubectl apply -f manifests/ca-installer/ca-installer.yaml
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ca-installer
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-config
+  namespace: ca-installer
+data:
+  default.conf: |
+    server {
+        listen 80;
+        server_name ca.home.arpa;
+        root /usr/share/nginx/html;
+
+        # CA cert — must be application/x-x509-ca-cert for iOS to recognise it
+        location = /ca.crt {
+            default_type application/x-x509-ca-cert;
+            try_files /ca.crt =404;
+        }
+
+        # iOS mobileconfig — must be this exact MIME type
+        location = /ca.mobileconfig {
+            default_type application/x-apple-aspen-config;
+            try_files /ca.mobileconfig =404;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ca-installer
+  namespace: ca-installer
+  labels:
+    app: ca-installer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ca-installer
+  template:
+    metadata:
+      labels:
+        app: ca-installer
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: web-files
+              mountPath: /usr/share/nginx/html/index.html
+              subPath: index.html
+            - name: ca-cert
+              mountPath: /usr/share/nginx/html/ca.crt
+              subPath: ca.crt
+            - name: ca-mobileconfig
+              mountPath: /usr/share/nginx/html/ca.mobileconfig
+              subPath: ca.mobileconfig
+            - name: nginx-config
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+      volumes:
+        - name: web-files
+          configMap:
+            name: ca-installer-web
+        - name: ca-cert
+          configMap:
+            name: ca-installer-files
+        - name: ca-mobileconfig
+          configMap:
+            name: ca-installer-files
+        - name: nginx-config
+          configMap:
+            name: nginx-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ca-installer
+  namespace: ca-installer
+spec:
+  selector:
+    app: ca-installer
+  ports:
+    - port: 80
+      targetPort: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ca-installer
+  namespace: ca-installer
+  annotations:
+    # No TLS — this page is how you GET the CA, serving over HTTP avoids
+    # the chicken-and-egg problem. Once CA is trusted, *.home.arpa is fine.
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: ca.home.arpa
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: ca-installer
+                port:
+                  number: 80
\ No newline at end of file
diff --git a/manifests/ca-installer/web/index.html b/manifests/ca-installer/web/index.html
new file mode 100644
index 0000000..9d2d876
--- /dev/null
+++ b/manifests/ca-installer/web/index.html
@@ -0,0 +1,750 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Homelab CA — Trust Installer</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600;700&family=Syne:wght@400;600;800&display=swap" rel="stylesheet">
+<style>
+  :root {
+    --bg: #0a0a0f;
+    --surface: #111118;
+    --border: #1e1e2e;
+    --accent: #7fff7f;
+    --accent-dim: rgba(127,255,127,0.12);
+    --accent-glow: rgba(127,255,127,0.25);
+    --text: #e8e8f0;
+    --muted: #555570;
+    --warn: #ffb347;
+    --warn-dim: rgba(255,179,71,0.12);
+    --step-bg: #0d0d14;
+  }
+
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+
+  body {
+    background: var(--bg);
+    color: var(--text);
+    font-family: 'Syne', sans-serif;
+    min-height: 100vh;
+    overflow-x: hidden;
+  }
+
+  /* Grid background */
+  body::before {
+    content: '';
+    position: fixed;
+    inset: 0;
+    background-image:
+      linear-gradient(rgba(127,255,127,0.03) 1px, transparent 1px),
+      linear-gradient(90deg, rgba(127,255,127,0.03) 1px, transparent 1px);
+    background-size: 40px 40px;
+    pointer-events: none;
+    z-index: 0;
+  }
+
+  /* Glow orb */
+  body::after {
+    content: '';
+    position: fixed;
+    top: -200px;
+    left: 50%;
+    transform: translateX(-50%);
+    width: 600px;
+    height: 400px;
+    background: radial-gradient(ellipse, rgba(127,255,127,0.08) 0%, transparent 70%);
+    pointer-events: none;
+    z-index: 0;
+  }
+
+  .container {
+    position: relative;
+    z-index: 1;
+    max-width: 680px;
+    margin: 0 auto;
+    padding: 60px 24px 80px;
+  }
+
+  /* Header */
+  .header {
+    margin-bottom: 48px;
+    animation: fadeUp 0.6s ease both;
+  }
+
+  .badge {
+    display: inline-flex;
+    align-items: center;
+    gap: 6px;
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 11px;
+    letter-spacing: 0.08em;
+    color: var(--accent);
+    background: var(--accent-dim);
+    border: 1px solid rgba(127,255,127,0.2);
+    padding: 4px 10px;
+    border-radius: 2px;
+    margin-bottom: 20px;
+  }
+
+  .badge::before {
+    content: '';
+    width: 6px; height: 6px;
+    background: var(--accent);
+    border-radius: 50%;
+    box-shadow: 0 0 6px var(--accent);
+    animation: pulse 2s infinite;
+  }
+
+  h1 {
+    font-size: clamp(32px, 6vw, 52px);
+    font-weight: 800;
+    line-height: 1.05;
+    letter-spacing: -0.02em;
+    color: #fff;
+    margin-bottom: 16px;
+  }
+
+  h1 span { color: var(--accent); }
+
+  .subtitle {
+    font-size: 15px;
+    color: var(--muted);
+    line-height: 1.6;
+    font-weight: 400;
+    max-width: 480px;
+  }
+
+  /* Warning banner */
+  .warn-box {
+    display: flex;
+    gap: 12px;
+    background: var(--warn-dim);
+    border: 1px solid rgba(255,179,71,0.25);
+    border-radius: 4px;
+    padding: 14px 16px;
+    margin-bottom: 36px;
+    font-size: 13px;
+    color: var(--warn);
+    line-height: 1.5;
+    animation: fadeUp 0.6s 0.1s ease both;
+  }
+
+  .warn-icon { flex-shrink: 0; font-size: 16px; margin-top: 1px; }
+
+  /* Device card */
+  .device-card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 6px;
+    overflow: hidden;
+    margin-bottom: 24px;
+    animation: fadeUp 0.6s 0.2s ease both;
+  }
+
+  .device-header {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding: 16px 20px;
+    border-bottom: 1px solid var(--border);
+    background: var(--step-bg);
+  }
+
+  .device-label {
+    display: flex;
+    align-items: center;
+    gap: 10px;
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 12px;
+    color: var(--muted);
+    letter-spacing: 0.05em;
+  }
+
+  .device-detected {
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 12px;
+    color: var(--accent);
+    background: var(--accent-dim);
+    padding: 3px 8px;
+    border-radius: 2px;
+  }
+
+  /* Steps */
+  .steps {
+    padding: 24px 20px;
+    display: flex;
+    flex-direction: column;
+    gap: 0;
+  }
+
+  .step {
+    display: flex;
+    gap: 16px;
+    padding: 0 0 24px 0;
+    position: relative;
+  }
+
+  .step:last-child { padding-bottom: 0; }
+
+  .step:not(:last-child)::before {
+    content: '';
+    position: absolute;
+    left: 15px;
+    top: 32px;
+    bottom: 0;
+    width: 1px;
+    background: var(--border);
+  }
+
+  .step-num {
+    flex-shrink: 0;
+    width: 32px;
+    height: 32px;
+    background: var(--step-bg);
+    border: 1px solid var(--border);
+    border-radius: 50%;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 12px;
+    font-weight: 600;
+    color: var(--accent);
+    position: relative;
+    z-index: 1;
+  }
+
+  .step-content {
+    flex: 1;
+    padding-top: 5px;
+  }
+
+  .step-title {
+    font-size: 14px;
+    font-weight: 600;
+    color: #fff;
+    margin-bottom: 6px;
+  }
+
+  .step-desc {
+    font-size: 13px;
+    color: var(--muted);
+    line-height: 1.6;
+  }
+
+  .step-desc code {
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 11px;
+    background: var(--step-bg);
+    border: 1px solid var(--border);
+    padding: 1px 5px;
+    border-radius: 2px;
+    color: var(--text);
+  }
+
+  /* Download button */
+  .dl-btn {
+    display: inline-flex;
+    align-items: center;
+    gap: 8px;
+    margin-top: 10px;
+    padding: 10px 18px;
+    background: var(--accent);
+    color: #0a0a0f;
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 12px;
+    font-weight: 700;
+    letter-spacing: 0.05em;
+    border: none;
+    border-radius: 3px;
+    cursor: pointer;
+    text-decoration: none;
+    transition: opacity 0.15s, transform 0.15s, box-shadow 0.15s;
+    box-shadow: 0 0 0 0 var(--accent-glow);
+  }
+
+  .dl-btn:hover {
+    opacity: 0.9;
+    transform: translateY(-1px);
+    box-shadow: 0 4px 20px var(--accent-glow);
+  }
+
+  .dl-btn:active { transform: translateY(0); }
+
+  .dl-btn.secondary {
+    background: transparent;
+    color: var(--text);
+    border: 1px solid var(--border);
+    box-shadow: none;
+  }
+
+  .dl-btn.secondary:hover {
+    border-color: var(--accent);
+    color: var(--accent);
+    box-shadow: none;
+  }
+
+  /* Other devices grid */
+  .other-title {
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 11px;
+    letter-spacing: 0.1em;
+    color: var(--muted);
+    text-transform: uppercase;
+    margin-bottom: 14px;
+    animation: fadeUp 0.6s 0.3s ease both;
+  }
+
+  .other-grid {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 12px;
+    animation: fadeUp 0.6s 0.35s ease both;
+  }
+
+  @media (max-width: 480px) {
+    .other-grid { grid-template-columns: 1fr; }
+  }
+
+  .other-card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 4px;
+    padding: 16px;
+    cursor: pointer;
+    transition: border-color 0.15s, background 0.15s;
+  }
+
+  .other-card:hover {
+    border-color: rgba(127,255,127,0.3);
+    background: var(--step-bg);
+  }
+
+  .other-card-header {
+    display: flex;
+    align-items: center;
+    gap: 8px;
+    margin-bottom: 10px;
+  }
+
+  .other-icon { font-size: 18px; }
+
+  .other-name {
+    font-size: 13px;
+    font-weight: 600;
+    color: #fff;
+  }
+
+  .other-steps {
+    display: none;
+    font-size: 12px;
+    color: var(--muted);
+    line-height: 1.7;
+    border-top: 1px solid var(--border);
+    margin-top: 10px;
+    padding-top: 10px;
+  }
+
+  .other-steps ol {
+    padding-left: 16px;
+  }
+
+  .other-steps ol li { margin-bottom: 4px; }
+
+  .other-steps code {
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 10px;
+    background: rgba(255,255,255,0.05);
+    padding: 1px 4px;
+    border-radius: 2px;
+    color: var(--text);
+  }
+
+  .other-card.open .other-steps { display: block; }
+  .other-card.open { border-color: rgba(127,255,127,0.3); }
+
+  .expand-icon {
+    margin-left: auto;
+    font-size: 12px;
+    color: var(--muted);
+    transition: transform 0.2s;
+  }
+  .other-card.open .expand-icon { transform: rotate(180deg); }
+
+  /* Footer */
+  .footer {
+    margin-top: 56px;
+    padding-top: 24px;
+    border-top: 1px solid var(--border);
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 11px;
+    color: var(--muted);
+    animation: fadeUp 0.6s 0.4s ease both;
+  }
+
+  .footer a {
+    color: var(--muted);
+    text-decoration: none;
+  }
+
+  .footer a:hover { color: var(--accent); }
+
+  /* Animations */
+  @keyframes fadeUp {
+    from { opacity: 0; transform: translateY(16px); }
+    to   { opacity: 1; transform: translateY(0); }
+  }
+
+  @keyframes pulse {
+    0%, 100% { opacity: 1; }
+    50%       { opacity: 0.4; }
+  }
+
+  /* Device sections */
+  .instructions { display: none; }
+  .instructions.active { display: block; }
+</style>
+</head>
+<body>
+<div class="container">
+
+  <header class="header">
+    <div class="badge">homelab.internal</div>
+    <h1>Trust the<br><span>homelab CA</span></h1>
+    <p class="subtitle">Install the internal certificate authority to access homelab services without browser warnings.</p>
+  </header>
+
+  <div class="warn-box">
+    <span class="warn-icon">⚠</span>
+    <span>This page itself may show a certificate warning — that's expected. Once you install the CA, all <code style="font-family:JetBrains Mono,monospace;font-size:11px;background:rgba(0,0,0,0.3);padding:1px 4px;border-radius:2px;">*.home.arpa</code> services will be trusted automatically.</span>
+  </div>
+
+  <!-- Auto-detected device -->
+  <div class="device-card">
+    <div class="device-header">
+      <div class="device-label">DETECTED DEVICE</div>
+      <div class="device-detected" id="device-name">detecting...</div>
+    </div>
+    <div class="steps" id="device-instructions">
+      <!-- Filled by JS -->
+    </div>
+  </div>
+
+  <!-- Other devices -->
+  <div class="other-title">OTHER DEVICES</div>
+  <div class="other-grid" id="other-grid">
+    <!-- Filled by JS -->
+  </div>
+
+  <footer class="footer">
+    <span>ca.home.arpa</span>
+    <a href="/ca.crt" download>↓ raw cert (PEM)</a>
+  </footer>
+
+</div>
+
+<script>
+const CA_CRT_URL = '/ca.crt';
+const MOBILECONFIG_URL = '/ca.mobileconfig';
+
+function detect() {
+  const ua = navigator.userAgent;
+  if (/iPhone|iPad|iPod/.test(ua)) return 'ios';
+  if (/Android/.test(ua)) return 'android';
+  if (/Mac/.test(ua) && !/Mobile/.test(ua)) return 'mac';
+  if (/Win/.test(ua)) return 'windows';
+  if (/Linux/.test(ua)) return 'linux';
+  return 'unknown';
+}
+
+const devices = {
+  ios: {
+    name: '📱 iPhone / iPad',
+    shortName: 'iOS',
+    icon: '📱',
+    steps: [
+      {
+        title: 'Install the profile',
+        desc: () => {
+          const btn = document.createElement('div');
+          const a = document.createElement('a');
+          a.href = MOBILECONFIG_URL;
+          a.className = 'dl-btn';
+          a.innerHTML = '⬇ Install Profile (.mobileconfig)';
+          btn.appendChild(a);
+          return btn;
+        }
+      },
+      {
+        title: 'Open Settings',
+        desc: 'Go to <code>Settings → General → VPN & Device Management</code> and tap the downloaded profile → <strong>Install</strong>.'
+      },
+      {
+        title: 'Enable full trust',
+        desc: 'Go to <code>Settings → General → About → Certificate Trust Settings</code> and toggle on the homelab CA.'
+      },
+      {
+        title: 'Done',
+        desc: 'All <code>*.home.arpa</code> services will now be trusted in Safari and Chrome.'
+      }
+    ]
+  },
+  android: {
+    name: '🤖 Android',
+    shortName: 'Android',
+    icon: '🤖',
+    steps: [
+      {
+        title: 'Download the certificate',
+        desc: () => {
+          const btn = document.createElement('div');
+          const a = document.createElement('a');
+          a.href = CA_CRT_URL;
+          a.download = 'homelab-ca.crt';
+          a.className = 'dl-btn';
+          a.innerHTML = '⬇ Download CA Certificate';
+          btn.appendChild(a);
+          return btn;
+        }
+      },
+      {
+        title: 'Install the certificate',
+        desc: 'Go to <code>Settings → Security → Encryption & Credentials → Install a certificate → CA Certificate</code> and select the downloaded file.'
+      },
+      {
+        title: 'Done',
+        desc: 'Homelab services should now be trusted in Chrome.'
+      }
+    ]
+  },
+  mac: {
+    name: '🍎 macOS',
+    shortName: 'macOS',
+    icon: '🍎',
+    steps: [
+      {
+        title: 'Download the certificate',
+        desc: () => {
+          const btn = document.createElement('div');
+          const a = document.createElement('a');
+          a.href = CA_CRT_URL;
+          a.download = 'homelab-ca.crt';
+          a.className = 'dl-btn';
+          a.innerHTML = '⬇ Download CA Certificate';
+          btn.appendChild(a);
+          return btn;
+        }
+      },
+      {
+        title: 'Install via Keychain',
+        desc: 'Double-click the downloaded <code>homelab-ca.crt</code> file → <strong>Keychain Access</strong> opens → select <strong>System</strong> keychain → Add. Enter your password.'
+      },
+      {
+        title: 'Set to Always Trust',
+        desc: 'Find the cert in Keychain Access (search for <code>homelab</code>), double-click it → <strong>Trust</strong> section → <strong>When using this certificate: Always Trust</strong>.'
+      },
+      {
+        title: 'Or use the terminal',
+        desc: () => {
+          const wrap = document.createElement('div');
+          wrap.innerHTML = 'Alternatively, after downloading run:<br><br><code style="font-family:JetBrains Mono,monospace;font-size:11px;background:var(--step-bg);border:1px solid var(--border);padding:8px 12px;border-radius:3px;display:block;color:var(--accent);line-height:1.8;">sudo security add-trusted-cert -d -r trustRoot \\\n  -k /Library/Keychains/System.keychain ~/Downloads/homelab-ca.crt</code>';
+          return wrap;
+        }
+      },
+      {
+        title: 'Restart browser',
+        desc: 'Quit and reopen your browser completely.'
+      }
+    ]
+  },
+  windows: {
+    name: '🪟 Windows',
+    shortName: 'Windows',
+    icon: '🪟',
+    steps: [
+      {
+        title: 'Download the certificate',
+        desc: () => {
+          const btn = document.createElement('div');
+          const a = document.createElement('a');
+          a.href = CA_CRT_URL;
+          a.download = 'homelab-ca.crt';
+          a.className = 'dl-btn';
+          a.innerHTML = '⬇ Download CA Certificate';
+          btn.appendChild(a);
+          return btn;
+        }
+      },
+      {
+        title: 'Run the installer',
+        desc: 'Double-click the <code>homelab-ca.crt</code> file → <strong>Install Certificate</strong> → <strong>Local Machine</strong> → <strong>Place all certificates in the following store</strong> → Browse → <strong>Trusted Root Certification Authorities</strong> → Finish.'
+      },
+      {
+        title: 'Restart browser',
+        desc: 'Quit and reopen Edge or Chrome.'
+      }
+    ]
+  },
+  linux: {
+    name: '🐧 Linux',
+    shortName: 'Linux',
+    icon: '🐧',
+    steps: [
+      {
+        title: 'Download the certificate',
+        desc: () => {
+          const btn = document.createElement('div');
+          const a = document.createElement('a');
+          a.href = CA_CRT_URL;
+          a.download = 'homelab-ca.crt';
+          a.className = 'dl-btn';
+          a.innerHTML = '⬇ Download CA Certificate';
+          btn.appendChild(a);
+          return btn;
+        }
+      },
+      {
+        title: 'Install system-wide',
+        desc: () => {
+          const wrap = document.createElement('div');
+          wrap.innerHTML = '<code style="font-family:JetBrains Mono,monospace;font-size:11px;background:var(--step-bg);border:1px solid var(--border);padding:8px 12px;border-radius:3px;display:block;color:var(--accent);line-height:1.8;"># Debian/Ubuntu\nsudo cp homelab-ca.crt /usr/local/share/ca-certificates/\nsudo update-ca-certificates\n\n# Arch\nsudo trust anchor --store homelab-ca.crt</code>';
+          return wrap;
+        }
+      },
+      {
+        title: 'For Chrome/Chromium',
+        desc: 'Chrome on Linux uses its own store. Go to <code>Settings → Privacy and security → Security → Manage certificates → Authorities → Import</code>.'
+      }
+    ]
+  },
+  unknown: {
+    name: '🖥 Unknown device',
+    shortName: 'Other',
+    icon: '🖥',
+    steps: [
+      {
+        title: 'Download the raw certificate',
+        desc: () => {
+          const btn = document.createElement('div');
+          const a = document.createElement('a');
+          a.href = CA_CRT_URL;
+          a.download = 'homelab-ca.crt';
+          a.className = 'dl-btn';
+          a.innerHTML = '⬇ Download CA Certificate (PEM)';
+          btn.appendChild(a);
+          return btn;
+        }
+      },
+      {
+        title: 'Install on your OS',
+        desc: 'Import the certificate into your system\'s trusted root store. Select another device above for specific instructions.'
+      }
+    ]
+  }
+};
+
+function renderSteps(deviceKey, container) {
+  const device = devices[deviceKey];
+  container.innerHTML = '';
+  device.steps.forEach((step, i) => {
+    const stepEl = document.createElement('div');
+    stepEl.className = 'step';
+
+    const num = document.createElement('div');
+    num.className = 'step-num';
+    num.textContent = i + 1;
+
+    const content = document.createElement('div');
+    content.className = 'step-content';
+
+    const title = document.createElement('div');
+    title.className = 'step-title';
+    title.textContent = step.title;
+    content.appendChild(title);
+
+    const desc = document.createElement('div');
+    desc.className = 'step-desc';
+    if (typeof step.desc === 'function') {
+      desc.appendChild(step.desc());
+    } else {
+      desc.innerHTML = step.desc;
+    }
+    content.appendChild(desc);
+
+    stepEl.appendChild(num);
+    stepEl.appendChild(content);
+    container.appendChild(stepEl);
+  });
+}
+
+function renderOtherDevices(currentDevice) {
+  const grid = document.getElementById('other-grid');
+  grid.innerHTML = '';
+
+  Object.entries(devices).forEach(([key, device]) => {
+    if (key === currentDevice || key === 'unknown') return;
+
+    const card = document.createElement('div');
+    card.className = 'other-card';
+
+    const header = document.createElement('div');
+    header.className = 'other-card-header';
+
+    const icon = document.createElement('span');
+    icon.className = 'other-icon';
+    icon.textContent = device.icon;
+
+    const name = document.createElement('span');
+    name.className = 'other-name';
+    name.textContent = device.shortName;
+
+    const expandIcon = document.createElement('span');
+    expandIcon.className = 'expand-icon';
+    expandIcon.textContent = '▾';
+
+    header.appendChild(icon);
+    header.appendChild(name);
+    header.appendChild(expandIcon);
+
+    // Compact step list
+    const stepsEl = document.createElement('div');
+    stepsEl.className = 'other-steps';
+    const ol = document.createElement('ol');
+    device.steps.forEach(step => {
+      const li = document.createElement('li');
+      li.textContent = step.title;
+      ol.appendChild(li);
+    });
+    stepsEl.appendChild(ol);
+
+    // Download link for this device
+    const dlLink = document.createElement('a');
+    dlLink.style.cssText = 'display:inline-block;margin-top:10px;font-family:JetBrains Mono,monospace;font-size:11px;color:var(--accent);text-decoration:none;';
+    dlLink.href = key === 'ios' ? MOBILECONFIG_URL : CA_CRT_URL;
+    dlLink.download = key === 'ios' ? '' : 'homelab-ca.crt';
+    dlLink.textContent = key === 'ios' ? '⬇ profile' : '⬇ cert';
+    stepsEl.appendChild(dlLink);
+
+    card.appendChild(header);
+    card.appendChild(stepsEl);
+
+    card.addEventListener('click', () => {
+      card.classList.toggle('open');
+    });
+
+    grid.appendChild(card);
+  });
+}
+
+// Init
+const current = detect();
+document.getElementById('device-name').textContent = devices[current].name;
+renderSteps(current, document.getElementById('device-instructions'));
+renderOtherDevices(current);
+</script>
+</body>
+</html>
diff --git a/values/pihole.yaml b/values/pihole.yaml
index 17a618b..8241adc 100644
--- a/values/pihole.yaml
+++ b/values/pihole.yaml
@@ -78,4 +78,5 @@ dnsmasq:
     - address=/qbittorrent.home.arpa/192.168.7.77
     - address=/jdownloader.home.arpa/192.168.7.77
     - address=/glances.home.arpa/192.168.7.77
-    - address=/glances-debian.home.arpa/192.168.7.77
\ No newline at end of file
+    - address=/glances-debian.home.arpa/192.168.7.77
+    - address=/ca.home.arpa/1
\ No newline at end of file