Initial infrastructure documentation - comprehensive homelab reference

2026-02-23 03:42:22 +00:00
commit 0682c79580
169 changed files with 63913 additions and 0 deletions
--- a/infrastructure/CA-DEPLOYMENT-SUMMARY.md
+++ b/infrastructure/CA-DEPLOYMENT-SUMMARY.md
@@ -0,0 +1,231 @@
+# CA Certificate Deployment Summary
+
+**Deployment Date:** 2026-01-25
+**Deployment Status:** ✅ Complete - Phase 1
+
+## What Was Deployed
+
+### 1. Homelab Internal CA Root Certificate Distribution
+
+The internal CA root certificate from your Step-CA server (10.0.10.15, CT 115) has been installed on:
+
+#### LXC Containers
+- ✅ CT 102 - PostgreSQL (10.0.10.20)
+- ✅ CT 106 - n8n (10.0.10.22)
+- ✅ CT 127 - Dockge (10.0.10.27)
+- ✅ CT 128 - Uptime Kuma (10.0.10.26)
+- ⚠️ CT 104 - Authentik (10.0.10.21) - Not running during deployment
+
+#### Proxmox Hosts
+- ✅ main-pve (10.0.10.3)
+- ✅ pve-router (10.0.10.2)
+- ✅ pve-storage (10.0.10.4)
+
+#### VPS
+- ✅ 66.63.182.168 (vps.nianticbooks.com)
+
+**Location:** `/usr/local/share/ca-certificates/homelab-ca.crt` on all systems
+
+### 2. Internal HTTPS Reverse Proxy Deployment
+
+**Service:** Caddy Internal Proxy
+**Location:** Docker container on CT 127 (10.0.10.27)
+**Container Name:** caddy-internal
+**Configuration:** `/opt/caddy-internal/` on CT 127
+
+#### Services Now Available via HTTPS
+
+All services are accessible at `https://<service>.nianticbooks.home`:
+
+| Service | HTTPS URL | Backend Port |
+|---------|-----------|--------------|
+| Sonarr | https://sonarr.nianticbooks.home | 8989 |
+| Radarr | https://radarr.nianticbooks.home | 7878 |
+| Prowlarr | https://prowlarr.nianticbooks.home | 9696 |
+| Bazarr | https://bazarr.nianticbooks.home | 6767 |
+| Deluge | https://deluge.nianticbooks.home | 8112 |
+| Calibre-Web | https://calibre.nianticbooks.home | 8083 |
+| Vikunja | https://vikunja.nianticbooks.home | 3456 |
+| Dockge | https://dockge.nianticbooks.home | 5001 |
+
+**Certificate Type:** Caddy Internal PKI (self-signed)
+**Certificate Authority:** Caddy Local Authority - 2026 ECC Root
+
+## Client Configuration Required
+
+To access these services without certificate warnings, you need to install the Caddy Internal CA certificate on your client devices.
+
+### CA Certificate Location
+
+The Caddy internal root CA certificate is saved at:
+- **Infrastructure Repo:** `~/projects/infrastructure/Caddy-Internal-Root-CA.crt`
+- **On Server:** Extract with `docker exec caddy-internal cat /data/caddy/pki/authorities/local/root.crt`
+
+### Installation Instructions
+
+#### Windows
+1. Download `Caddy-Internal-Root-CA.crt` from the infrastructure repo
+2. Double-click the certificate file
+3. Click "Install Certificate"
+4. Select "Local Machine" (requires admin)
+5. Choose "Place all certificates in the following store"
+6. Click "Browse" and select "Trusted Root Certification Authorities"
+7. Click "Next" and "Finish"
+
+#### Linux/WSL
+```bash
+sudo cp Caddy-Internal-Root-CA.crt /usr/local/share/ca-certificates/
+sudo update-ca-certificates
+```
+
+#### macOS
+```bash
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain Caddy-Internal-Root-CA.crt
+```
+
+#### Firefox (All Platforms)
+Firefox uses its own certificate store:
+1. Open Firefox Settings → Privacy & Security → Certificates → View Certificates
+2. Click "Authorities" tab → "Import"
+3. Select `Caddy-Internal-Root-CA.crt`
+4. Check "Trust this CA to identify websites"
+5. Click OK
+
+## DNS Configuration
+
+For the `.nianticbooks.home` domains to resolve, add to your DNS server (UCG Ultra DHCP/DNS):
+
+```
+sonarr.nianticbooks.home    → 10.0.10.27
+radarr.nianticbooks.home    → 10.0.10.27
+prowlarr.nianticbooks.home  → 10.0.10.27
+bazarr.nianticbooks.home    → 10.0.10.27
+deluge.nianticbooks.home    → 10.0.10.27
+calibre.nianticbooks.home   → 10.0.10.27
+vikunja.nianticbooks.home   → 10.0.10.27
+dockge.nianticbooks.home    → 10.0.10.27
+```
+
+Or add a wildcard entry:
+```
+*.nianticbooks.home → 10.0.10.27
+```
+
+Alternatively, add to your local `/etc/hosts` (Linux/Mac) or `C:\Windows\System32\drivers\etc\hosts` (Windows):
+```
+10.0.10.27 sonarr.nianticbooks.home radarr.nianticbooks.home prowlarr.nianticbooks.home bazarr.nianticbooks.home deluge.nianticbooks.home calibre.nianticbooks.home vikunja.nianticbooks.home dockge.nianticbooks.home
+```
+
+## Management Commands
+
+### View Caddy Logs
+```bash
+ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal -f"
+```
+
+### Restart Caddy
+```bash
+ssh root@10.0.10.3 "pct exec 127 -- docker restart caddy-internal"
+```
+
+### Update Caddyfile
+```bash
+# Edit on server
+ssh root@10.0.10.3
+pct exec 127 -- bash
+cd /opt/caddy-internal
+nano Caddyfile
+docker restart caddy-internal
+```
+
+### View Generated Certificates
+```bash
+ssh root@10.0.10.3 "pct exec 127 -- docker exec caddy-internal ls -la /data/caddy/certificates/local/"
+```
+
+## What's Still Needed (Phase 2)
+
+### Step-CA ACME Integration
+
+The current setup uses Caddy's internal PKI (self-signed certificates). For better integration with your existing Step-CA server, we need to:
+
+1. **Fix CA Server Certificate:** The Step-CA server certificate needs an IP SAN for 10.0.10.15
+2. **Configure ACME Client:** Update Caddy to use Step-CA ACME endpoint
+3. **Trust Chain:** Ensure Caddy trusts the Step-CA root certificate
+
+**Benefit:** Single CA for the entire homelab instead of two separate CAs.
+
+### Services Still Needing SSL
+
+**Proxmox Hosts:**
+- ✅ main-pve (10.0.10.3) - Already has SSL, needs CA-signed cert
+- ✅ pve-router (10.0.10.2) - Already has SSL, needs CA-signed cert
+- ✅ pve-storage (10.0.10.4) - Already has SSL, needs CA-signed cert
+
+**LXC Services:**
+- ✅ Home Assistant (10.0.10.24) - Already has SSL, needs CA-signed cert
+- ⚠️ n8n (10.0.10.22) - HTTP only
+- ⚠️ Authentik (10.0.10.21) - HTTP only
+- ⚠️ Grafana (10.0.10.25) - HTTP only
+
+**VPS Caddy:**
+- Update VPS Caddy to use internal CA for public services
+- Avoids "invalid certificate" warnings when accessing services remotely
+
+### Documentation
+
+- [ ] Update SERVICES.md with new HTTPS endpoints
+- [ ] Create quick-start guide for new devices
+- [ ] Add monitoring for certificate expiration
+
+## Scripts Created
+
+- **`scripts/deploy-ca-certificates.sh`** - Deploys homelab CA root to all containers
+- **`scripts/setup-internal-caddy.sh`** - Interactive Caddy deployment (not used - manual deployment preferred)
+
+## Troubleshooting
+
+### Certificate Warnings Still Appear
+
+1. Verify CA certificate is installed on client device
+2. Check that DNS resolves to 10.0.10.27
+3. Ensure you're using `https://` (not `http://`)
+4. Clear browser cache and restart browser
+
+### Service Not Accessible
+
+1. Check Caddy is running: `docker ps | grep caddy-internal`
+2. Check Caddy logs: `docker logs caddy-internal`
+3. Verify backend service is running: `docker ps` or `systemctl status <service>`
+4. Check firewall rules on CT 127
+
+### Connection Refused
+
+- Caddy listens on port 443 only (no port 80)
+- Ensure you're using HTTPS URLs
+- Verify Caddy container is in `host` network mode
+
+## Security Considerations
+
+**Current State:**
+- ✅ All internal traffic encrypted
+- ✅ CA certificates properly distributed
+- ⚠️ Using Caddy internal PKI (self-signed) instead of Step-CA
+
+**Recommendations:**
+- Install CA certificate on all client devices immediately
+- Do NOT expose Caddy internal proxy ports publicly (internal use only)
+- Regularly update Caddy container for security patches
+
+## Next Steps
+
+1. **Immediate:** Install Caddy CA certificate on your primary devices
+2. **Short-term:** Add DNS entries or hosts file entries
+3. **Medium-term:** Migrate from Caddy internal PKI to Step-CA ACME
+4. **Long-term:** Add remaining services (n8n, Authentik, Grafana) to HTTPS
+
+---
+
+**Deployment Completed By:** Fred (with Claude Code)
+**Last Updated:** 2026-01-25
+**Status:** ✅ Phase 1 Complete - Services accessible via HTTPS with self-signed certificates