nik/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CA Trust Installer configuration and web interface for certificate installation

Browse Source
This commit is contained in:
Nik Afiq 2026-03-10 16:28:17 +09:00
parent e5488fa56d
commit a470dd4f60
3 changed files with 882 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
manifests/ca-installer/ca-installer.yaml Normal file
View File

@ -0,0 +1,130 @@
# ca-installer.yaml
# CA Trust Installer — serves CA cert + iOS mobileconfig at ca.home.arpa
#
# Pre-requisites (run once, or after CA cert rotation):
# kubectl create configmap ca-installer-web -n ca-installer \
# --from-file=index.html=manifests/ca-installer/web/index.html
#
# kubectl create configmap ca-installer-files -n ca-installer \
# --from-file=ca.crt=/tmp/homelab-ca.crt \
# --from-file=ca.mobileconfig=/tmp/homelab-ca.mobileconfig
#
# Apply: kubectl apply -f manifests/ca-installer/ca-installer.yaml
---
apiVersion: v1
kind: Namespace
metadata:
name: ca-installer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-config
namespace: ca-installer
data:
default.conf: |
server {
listen 80;
server_name ca.home.arpa;
root /usr/share/nginx/html;
# CA cert — must be application/x-x509-ca-cert for iOS to recognise it
location = /ca.crt {
default_type application/x-x509-ca-cert;
try_files /ca.crt =404;
}
# iOS mobileconfig — must be this exact MIME type
location = /ca.mobileconfig {
default_type application/x-apple-aspen-config;
try_files /ca.mobileconfig =404;
}
location / {
try_files $uri $uri/ /index.html;
}
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ca-installer
namespace: ca-installer
labels:
app: ca-installer
spec:
replicas: 1
selector:
matchLabels:
app: ca-installer
template:
metadata:
labels:
app: ca-installer
spec:
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: web-files
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
- name: ca-cert
mountPath: /usr/share/nginx/html/ca.crt
subPath: ca.crt
- name: ca-mobileconfig
mountPath: /usr/share/nginx/html/ca.mobileconfig
subPath: ca.mobileconfig
- name: nginx-config
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
volumes:
- name: web-files
configMap:
name: ca-installer-web
- name: ca-cert
configMap:
name: ca-installer-files
- name: ca-mobileconfig
configMap:
name: ca-installer-files
- name: nginx-config
configMap:
name: nginx-config
---
apiVersion: v1
kind: Service
metadata:
name: ca-installer
namespace: ca-installer
spec:
selector:
app: ca-installer
ports:
- port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ca-installer
namespace: ca-installer
annotations:
# No TLS — this page is how you GET the CA, serving over HTTP avoids
# the chicken-and-egg problem. Once CA is trusted, *.home.arpa is fine.
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
spec:
ingressClassName: traefik
rules:
- host: ca.home.arpa
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ca-installer
port:
number: 80

750
manifests/ca-installer/web/index.html Normal file
View File

@ -0,0 +1,750 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Homelab CA — Trust Installer</title>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600;700&family=Syne:wght@400;600;800&display=swap" rel="stylesheet">
<style>
:root {
--bg: #0a0a0f;
--surface: #111118;
--border: #1e1e2e;
--accent: #7fff7f;
--accent-dim: rgba(127,255,127,0.12);
--accent-glow: rgba(127,255,127,0.25);
--text: #e8e8f0;
--muted: #555570;
--warn: #ffb347;
--warn-dim: rgba(255,179,71,0.12);
--step-bg: #0d0d14;
}
* { margin: 0; padding: 0; box-sizing: border-box; }
body {
background: var(--bg);
color: var(--text);
font-family: 'Syne', sans-serif;
min-height: 100vh;
overflow-x: hidden;
}
/* Grid background */
body::before {
content: '';
position: fixed;
inset: 0;
background-image:
linear-gradient(rgba(127,255,127,0.03) 1px, transparent 1px),
linear-gradient(90deg, rgba(127,255,127,0.03) 1px, transparent 1px);
background-size: 40px 40px;
pointer-events: none;
z-index: 0;
}
/* Glow orb */
body::after {
content: '';
position: fixed;
top: -200px;
left: 50%;
transform: translateX(-50%);
width: 600px;
height: 400px;
background: radial-gradient(ellipse, rgba(127,255,127,0.08) 0%, transparent 70%);
pointer-events: none;
z-index: 0;
}
.container {
position: relative;
z-index: 1;
max-width: 680px;
margin: 0 auto;
padding: 60px 24px 80px;
}
/* Header */
.header {
margin-bottom: 48px;
animation: fadeUp 0.6s ease both;
}
.badge {
display: inline-flex;
align-items: center;
gap: 6px;
font-family: 'JetBrains Mono', monospace;
font-size: 11px;
letter-spacing: 0.08em;
color: var(--accent);
background: var(--accent-dim);
border: 1px solid rgba(127,255,127,0.2);
padding: 4px 10px;
border-radius: 2px;
margin-bottom: 20px;
}
.badge::before {
content: '';
width: 6px; height: 6px;
background: var(--accent);
border-radius: 50%;
box-shadow: 0 0 6px var(--accent);
animation: pulse 2s infinite;
}
h1 {
font-size: clamp(32px, 6vw, 52px);
font-weight: 800;
line-height: 1.05;
letter-spacing: -0.02em;
color: #fff;
margin-bottom: 16px;
}
h1 span { color: var(--accent); }
.subtitle {
font-size: 15px;
color: var(--muted);
line-height: 1.6;
font-weight: 400;
max-width: 480px;
}
/* Warning banner */
.warn-box {
display: flex;
gap: 12px;
background: var(--warn-dim);
border: 1px solid rgba(255,179,71,0.25);
border-radius: 4px;
padding: 14px 16px;
margin-bottom: 36px;
font-size: 13px;
color: var(--warn);
line-height: 1.5;
animation: fadeUp 0.6s 0.1s ease both;
}
.warn-icon { flex-shrink: 0; font-size: 16px; margin-top: 1px; }
/* Device card */
.device-card {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 6px;
overflow: hidden;
margin-bottom: 24px;
animation: fadeUp 0.6s 0.2s ease both;
}
.device-header {
display: flex;
align-items: center;
justify-content: space-between;
padding: 16px 20px;
border-bottom: 1px solid var(--border);
background: var(--step-bg);
}
.device-label {
display: flex;
align-items: center;
gap: 10px;
font-family: 'JetBrains Mono', monospace;
font-size: 12px;
color: var(--muted);
letter-spacing: 0.05em;
}
.device-detected {
font-family: 'JetBrains Mono', monospace;
font-size: 12px;
color: var(--accent);
background: var(--accent-dim);
padding: 3px 8px;
border-radius: 2px;
}
/* Steps */
.steps {
padding: 24px 20px;
display: flex;
flex-direction: column;
gap: 0;
}
.step {
display: flex;
gap: 16px;
padding: 0 0 24px 0;
position: relative;
}
.step:last-child { padding-bottom: 0; }
.step:not(:last-child)::before {
content: '';
position: absolute;
left: 15px;
top: 32px;
bottom: 0;
width: 1px;
background: var(--border);
}
.step-num {
flex-shrink: 0;
width: 32px;
height: 32px;
background: var(--step-bg);
border: 1px solid var(--border);
border-radius: 50%;
display: flex;
align-items: center;
justify-content: center;
font-family: 'JetBrains Mono', monospace;
font-size: 12px;
font-weight: 600;
color: var(--accent);
position: relative;
z-index: 1;
}
.step-content {
flex: 1;
padding-top: 5px;
}
.step-title {
font-size: 14px;
font-weight: 600;
color: #fff;
margin-bottom: 6px;
}
.step-desc {
font-size: 13px;
color: var(--muted);
line-height: 1.6;
}
.step-desc code {
font-family: 'JetBrains Mono', monospace;
font-size: 11px;
background: var(--step-bg);
border: 1px solid var(--border);
padding: 1px 5px;
border-radius: 2px;
color: var(--text);
}
/* Download button */
.dl-btn {
display: inline-flex;
align-items: center;
gap: 8px;
margin-top: 10px;
padding: 10px 18px;
background: var(--accent);
color: #0a0a0f;
font-family: 'JetBrains Mono', monospace;
font-size: 12px;
font-weight: 700;
letter-spacing: 0.05em;
border: none;
border-radius: 3px;
cursor: pointer;
text-decoration: none;
transition: opacity 0.15s, transform 0.15s, box-shadow 0.15s;
box-shadow: 0 0 0 0 var(--accent-glow);
}
.dl-btn:hover {
opacity: 0.9;
transform: translateY(-1px);
box-shadow: 0 4px 20px var(--accent-glow);
}
.dl-btn:active { transform: translateY(0); }
.dl-btn.secondary {
background: transparent;
color: var(--text);
border: 1px solid var(--border);
box-shadow: none;
}
.dl-btn.secondary:hover {
border-color: var(--accent);
color: var(--accent);
box-shadow: none;
}
/* Other devices grid */
.other-title {
font-family: 'JetBrains Mono', monospace;
font-size: 11px;
letter-spacing: 0.1em;
color: var(--muted);
text-transform: uppercase;
margin-bottom: 14px;
animation: fadeUp 0.6s 0.3s ease both;
}
.other-grid {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 12px;
animation: fadeUp 0.6s 0.35s ease both;
}
@media (max-width: 480px) {
.other-grid { grid-template-columns: 1fr; }
}
.other-card {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 4px;
padding: 16px;
cursor: pointer;
transition: border-color 0.15s, background 0.15s;
}
.other-card:hover {
border-color: rgba(127,255,127,0.3);
background: var(--step-bg);
}
.other-card-header {
display: flex;
align-items: center;
gap: 8px;
margin-bottom: 10px;
}
.other-icon { font-size: 18px; }
.other-name {
font-size: 13px;
font-weight: 600;
color: #fff;
}
.other-steps {
display: none;
font-size: 12px;
color: var(--muted);
line-height: 1.7;
border-top: 1px solid var(--border);
margin-top: 10px;
padding-top: 10px;
}
.other-steps ol {
padding-left: 16px;
}
.other-steps ol li { margin-bottom: 4px; }
.other-steps code {
font-family: 'JetBrains Mono', monospace;
font-size: 10px;
background: rgba(255,255,255,0.05);
padding: 1px 4px;
border-radius: 2px;
color: var(--text);
}
.other-card.open .other-steps { display: block; }
.other-card.open { border-color: rgba(127,255,127,0.3); }
.expand-icon {
margin-left: auto;
font-size: 12px;
color: var(--muted);
transition: transform 0.2s;
}
.other-card.open .expand-icon { transform: rotate(180deg); }
/* Footer */
.footer {
margin-top: 56px;
padding-top: 24px;
border-top: 1px solid var(--border);
display: flex;
align-items: center;
justify-content: space-between;
font-family: 'JetBrains Mono', monospace;
font-size: 11px;
color: var(--muted);
animation: fadeUp 0.6s 0.4s ease both;
}
.footer a {
color: var(--muted);
text-decoration: none;
}
.footer a:hover { color: var(--accent); }
/* Animations */
@keyframes fadeUp {
from { opacity: 0; transform: translateY(16px); }
to { opacity: 1; transform: translateY(0); }
}
@keyframes pulse {
0%, 100% { opacity: 1; }
50% { opacity: 0.4; }
}
/* Device sections */
.instructions { display: none; }
.instructions.active { display: block; }
</style>
</head>
<body>
<div class="container">
<header class="header">
<div class="badge">homelab.internal</div>
<h1>Trust the<br><span>homelab CA</span></h1>
<p class="subtitle">Install the internal certificate authority to access homelab services without browser warnings.</p>
</header>
<div class="warn-box">
<span class="warn-icon"></span>
<span>This page itself may show a certificate warning — that's expected. Once you install the CA, all <code style="font-family:JetBrains Mono,monospace;font-size:11px;background:rgba(0,0,0,0.3);padding:1px 4px;border-radius:2px;">*.home.arpa</code> services will be trusted automatically.</span>
</div>
<!-- Auto-detected device -->
<div class="device-card">
<div class="device-header">
<div class="device-label">DETECTED DEVICE</div>
<div class="device-detected" id="device-name">detecting...</div>
</div>
<div class="steps" id="device-instructions">
<!-- Filled by JS -->
</div>
</div>
<!-- Other devices -->
<div class="other-title">OTHER DEVICES</div>
<div class="other-grid" id="other-grid">
<!-- Filled by JS -->
</div>
<footer class="footer">
<span>ca.home.arpa</span>
<a href="/ca.crt" download>↓ raw cert (PEM)</a>
</footer>
</div>
<script>
const CA_CRT_URL = '/ca.crt';
const MOBILECONFIG_URL = '/ca.mobileconfig';
function detect() {
const ua = navigator.userAgent;
if (/iPhone|iPad|iPod/.test(ua)) return 'ios';
if (/Android/.test(ua)) return 'android';
if (/Mac/.test(ua) && !/Mobile/.test(ua)) return 'mac';
if (/Win/.test(ua)) return 'windows';
if (/Linux/.test(ua)) return 'linux';
return 'unknown';
}
const devices = {
ios: {
name: '📱 iPhone / iPad',
shortName: 'iOS',
icon: '📱',
steps: [
{
title: 'Install the profile',
desc: () => {
const btn = document.createElement('div');
const a = document.createElement('a');
a.href = MOBILECONFIG_URL;
a.className = 'dl-btn';
a.innerHTML = '⬇ Install Profile (.mobileconfig)';
btn.appendChild(a);
return btn;
}
},
{
title: 'Open Settings',
desc: 'Go to <code>Settings → General → VPN & Device Management</code> and tap the downloaded profile → <strong>Install</strong>.'
},
{
title: 'Enable full trust',
desc: 'Go to <code>Settings → General → About → Certificate Trust Settings</code> and toggle on the homelab CA.'
},
{
title: 'Done',
desc: 'All <code>*.home.arpa</code> services will now be trusted in Safari and Chrome.'
}
]
},
android: {
name: '🤖 Android',
shortName: 'Android',
icon: '🤖',
steps: [
{
title: 'Download the certificate',
desc: () => {
const btn = document.createElement('div');
const a = document.createElement('a');
a.href = CA_CRT_URL;
a.download = 'homelab-ca.crt';
a.className = 'dl-btn';
a.innerHTML = '⬇ Download CA Certificate';
btn.appendChild(a);
return btn;
}
},
{
title: 'Install the certificate',
desc: 'Go to <code>Settings → Security → Encryption & Credentials → Install a certificate → CA Certificate</code> and select the downloaded file.'
},
{
title: 'Done',
desc: 'Homelab services should now be trusted in Chrome.'
}
]
},
mac: {
name: '🍎 macOS',
shortName: 'macOS',
icon: '🍎',
steps: [
{
title: 'Download the certificate',
desc: () => {
const btn = document.createElement('div');
const a = document.createElement('a');
a.href = CA_CRT_URL;
a.download = 'homelab-ca.crt';
a.className = 'dl-btn';
a.innerHTML = '⬇ Download CA Certificate';
btn.appendChild(a);
return btn;
}
},
{
title: 'Install via Keychain',
desc: 'Double-click the downloaded <code>homelab-ca.crt</code> file → <strong>Keychain Access</strong> opens → select <strong>System</strong> keychain → Add. Enter your password.'
},
{
title: 'Set to Always Trust',
desc: 'Find the cert in Keychain Access (search for <code>homelab</code>), double-click it → <strong>Trust</strong> section → <strong>When using this certificate: Always Trust</strong>.'
},
{
title: 'Or use the terminal',
desc: () => {
const wrap = document.createElement('div');
wrap.innerHTML = 'Alternatively, after downloading run:<br><br><code style="font-family:JetBrains Mono,monospace;font-size:11px;background:var(--step-bg);border:1px solid var(--border);padding:8px 12px;border-radius:3px;display:block;color:var(--accent);line-height:1.8;">sudo security add-trusted-cert -d -r trustRoot \\\n -k /Library/Keychains/System.keychain ~/Downloads/homelab-ca.crt</code>';
return wrap;
}
},
{
title: 'Restart browser',
desc: 'Quit and reopen your browser completely.'
}
]
},
windows: {
name: '🪟 Windows',
shortName: 'Windows',
icon: '🪟',
steps: [
{
title: 'Download the certificate',
desc: () => {
const btn = document.createElement('div');
const a = document.createElement('a');
a.href = CA_CRT_URL;
a.download = 'homelab-ca.crt';
a.className = 'dl-btn';
a.innerHTML = '⬇ Download CA Certificate';
btn.appendChild(a);
return btn;
}
},
{
title: 'Run the installer',
desc: 'Double-click the <code>homelab-ca.crt</code> file → <strong>Install Certificate</strong><strong>Local Machine</strong><strong>Place all certificates in the following store</strong> → Browse → <strong>Trusted Root Certification Authorities</strong> → Finish.'
},
{
title: 'Restart browser',
desc: 'Quit and reopen Edge or Chrome.'
}
]
},
linux: {
name: '🐧 Linux',
shortName: 'Linux',
icon: '🐧',
steps: [
{
title: 'Download the certificate',
desc: () => {
const btn = document.createElement('div');
const a = document.createElement('a');
a.href = CA_CRT_URL;
a.download = 'homelab-ca.crt';
a.className = 'dl-btn';
a.innerHTML = '⬇ Download CA Certificate';
btn.appendChild(a);
return btn;
}
},
{
title: 'Install system-wide',
desc: () => {
const wrap = document.createElement('div');
wrap.innerHTML = '<code style="font-family:JetBrains Mono,monospace;font-size:11px;background:var(--step-bg);border:1px solid var(--border);padding:8px 12px;border-radius:3px;display:block;color:var(--accent);line-height:1.8;"># Debian/Ubuntu\nsudo cp homelab-ca.crt /usr/local/share/ca-certificates/\nsudo update-ca-certificates\n\n# Arch\nsudo trust anchor --store homelab-ca.crt</code>';
return wrap;
}
},
{
title: 'For Chrome/Chromium',
desc: 'Chrome on Linux uses its own store. Go to <code>Settings → Privacy and security → Security → Manage certificates → Authorities → Import</code>.'
}
]
},
unknown: {
name: '🖥 Unknown device',
shortName: 'Other',
icon: '🖥',
steps: [
{
title: 'Download the raw certificate',
desc: () => {
const btn = document.createElement('div');
const a = document.createElement('a');
a.href = CA_CRT_URL;
a.download = 'homelab-ca.crt';
a.className = 'dl-btn';
a.innerHTML = '⬇ Download CA Certificate (PEM)';
btn.appendChild(a);
return btn;
}
},
{
title: 'Install on your OS',
desc: 'Import the certificate into your system\'s trusted root store. Select another device above for specific instructions.'
}
]
}
};
function renderSteps(deviceKey, container) {
const device = devices[deviceKey];
container.innerHTML = '';
device.steps.forEach((step, i) => {
const stepEl = document.createElement('div');
stepEl.className = 'step';
const num = document.createElement('div');
num.className = 'step-num';
num.textContent = i + 1;
const content = document.createElement('div');
content.className = 'step-content';
const title = document.createElement('div');
title.className = 'step-title';
title.textContent = step.title;
content.appendChild(title);
const desc = document.createElement('div');
desc.className = 'step-desc';
if (typeof step.desc === 'function') {
desc.appendChild(step.desc());
} else {
desc.innerHTML = step.desc;
}
content.appendChild(desc);
stepEl.appendChild(num);
stepEl.appendChild(content);
container.appendChild(stepEl);
});
}
function renderOtherDevices(currentDevice) {
const grid = document.getElementById('other-grid');
grid.innerHTML = '';
Object.entries(devices).forEach(([key, device]) => {
if (key === currentDevice || key === 'unknown') return;
const card = document.createElement('div');
card.className = 'other-card';
const header = document.createElement('div');
header.className = 'other-card-header';
const icon = document.createElement('span');
icon.className = 'other-icon';
icon.textContent = device.icon;
const name = document.createElement('span');
name.className = 'other-name';
name.textContent = device.shortName;
const expandIcon = document.createElement('span');
expandIcon.className = 'expand-icon';
expandIcon.textContent = '▾';
header.appendChild(icon);
header.appendChild(name);
header.appendChild(expandIcon);
// Compact step list
const stepsEl = document.createElement('div');
stepsEl.className = 'other-steps';
const ol = document.createElement('ol');
device.steps.forEach(step => {
const li = document.createElement('li');
li.textContent = step.title;
ol.appendChild(li);
});
stepsEl.appendChild(ol);
// Download link for this device
const dlLink = document.createElement('a');
dlLink.style.cssText = 'display:inline-block;margin-top:10px;font-family:JetBrains Mono,monospace;font-size:11px;color:var(--accent);text-decoration:none;';
dlLink.href = key === 'ios' ? MOBILECONFIG_URL : CA_CRT_URL;
dlLink.download = key === 'ios' ? '' : 'homelab-ca.crt';
dlLink.textContent = key === 'ios' ? '⬇ profile' : '⬇ cert';
stepsEl.appendChild(dlLink);
card.appendChild(header);
card.appendChild(stepsEl);
card.addEventListener('click', () => {
card.classList.toggle('open');
});
grid.appendChild(card);
});
}
// Init
const current = detect();
document.getElementById('device-name').textContent = devices[current].name;
renderSteps(current, document.getElementById('device-instructions'));
renderOtherDevices(current);
</script>
</body>
</html>

3
values/pihole.yaml
View File

@ -78,4 +78,5 @@ dnsmasq:
- address=/qbittorrent.home.arpa/192.168.7.77
- address=/jdownloader.home.arpa/192.168.7.77
- address=/glances.home.arpa/192.168.7.77
- address=/glances-debian.home.arpa/192.168.7.77
- address=/glances-debian.home.arpa/192.168.7.77
- address=/ca.home.arpa/1