Initial infrastructure documentation - comprehensive homelab reference

2026-02-23 03:42:22 +00:00
commit 0682c79580
169 changed files with 63913 additions and 0 deletions
--- a/infrastructure/CA-WORK-IN-PROGRESS.md
+++ b/infrastructure/CA-WORK-IN-PROGRESS.md
@@ -0,0 +1,153 @@
+# CA Integration Work - Status & Resume Guide
+
+**Last Updated:** 2026-01-25
+**Status:** Phase 1 Complete ✅ - Ready for Phase 2
+
+## Quick Summary
+
+You were concerned that your internal CA server (10.0.10.15, CT 115) wasn't being used by services, causing certificate warnings when accessing them remotely. We've completed Phase 1 of fixing this.
+
+## What's Been Done ✅
+
+### Phase 1: Internal HTTPS (Complete)
+- ✅ Distributed homelab CA root cert to all containers, Proxmox hosts, and VPS
+- ✅ Deployed Caddy reverse proxy on CT 127 with SSL termination
+- ✅ All Docker services (Sonarr, Radarr, Prowlarr, Bazarr, Deluge, Calibre, Vikunja, Dockge) now have HTTPS
+
+**Key Files:**
+- [CA-DEPLOYMENT-SUMMARY.md](CA-DEPLOYMENT-SUMMARY.md) - Complete documentation
+- [scripts/deploy-ca-certificates.sh](scripts/deploy-ca-certificates.sh) - Automation script
+- Caddy config: `/opt/caddy-internal/Caddyfile` on CT 127
+
+**Services:** All accessible at `https://<service>.nianticbooks.home`
+
+**Caddy Container:**
+- Running on CT 127 (10.0.10.27)
+- Container name: `caddy-internal`
+- Listens on port 443 (HTTPS only)
+- Uses Caddy internal PKI (self-signed certificates)
+
+## What You Still Need To Do
+
+**Immediate (to remove browser warnings):**
+1. Install CA certificate on your devices: `Caddy-Internal-Root-CA.crt` (in this directory)
+   - See CA-DEPLOYMENT-SUMMARY.md for platform-specific instructions
+2. Add DNS entries or edit hosts file:
+   ```
+   10.0.10.27  sonarr.nianticbooks.home radarr.nianticbooks.home prowlarr.nianticbooks.home ...
+   ```
+
+## What's Still Needed (Phase 2)
+
+### High Priority
+
+1. **Migrate to Step-CA ACME** (instead of Caddy internal PKI)
+   - Problem: CA server cert at 10.0.10.15 doesn't have IP SAN
+   - Solution: Regenerate CA server cert with IP SAN, or use DNS name
+   - Benefit: Single CA for entire homelab
+
+2. **Add SSL to remaining services:**
+   - Home Assistant (10.0.10.24) - has SSL, needs CA-signed cert
+   - Proxmox hosts (10.0.10.2, 10.0.10.3, 10.0.10.4) - have SSL, need CA-signed certs
+   - n8n (10.0.10.22) - HTTP only
+   - Authentik (10.0.10.21) - HTTP only
+   - Grafana (10.0.10.25) - HTTP only
+
+3. **Update VPS Caddy:**
+   - Configure VPS Caddy to use internal CA for public services
+   - Fixes cert warnings when accessing services from outside network
+
+### Lower Priority
+
+- Update SERVICES.md with new HTTPS endpoints
+- Set up certificate expiration monitoring
+- Add more services as needed
+
+## How To Resume This Work
+
+**To continue CA integration:**
+```bash
+cd ~/projects/infrastructure
+# Review current state
+cat CA-DEPLOYMENT-SUMMARY.md
+cat CA-WORK-IN-PROGRESS.md  # This file
+
+# Check Caddy status
+ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal"
+
+# Continue with Phase 2 tasks above
+```
+
+**To modify Caddy configuration:**
+```bash
+ssh root@10.0.10.3
+pct exec 127 -- bash
+cd /opt/caddy-internal
+nano Caddyfile
+docker restart caddy-internal
+```
+
+**To add more services:**
+1. Edit `/opt/caddy-internal/Caddyfile` on CT 127
+2. Add new service block (see existing examples)
+3. Restart: `docker restart caddy-internal`
+4. Add DNS entry or hosts file entry
+
+## Key Locations
+
+**CA Certificates:**
+- Homelab CA root: `/usr/local/share/ca-certificates/homelab-ca.crt` (on all systems)
+- Caddy internal CA: Extract with `docker exec caddy-internal cat /data/caddy/pki/authorities/local/root.crt`
+- Step-CA root: `/etc/step-ca/.step/certs/root_ca.crt` on CT 115
+
+**Caddy Configuration:**
+- Config directory: `/opt/caddy-internal/` on CT 127
+- Caddyfile: `/opt/caddy-internal/Caddyfile`
+- Docker compose: `/opt/caddy-internal/docker-compose.yml`
+- Certificate storage: Inside container at `/data/caddy/certificates/local/`
+
+**Services:**
+- CA Server: 10.0.10.15 (CT 115) - ACME endpoint: https://10.0.10.15:8443/acme/acme/directory
+- Caddy proxy: 10.0.10.27 (CT 127) - Port 443
+
+## Problem Context (Why We Did This)
+
+**Original Issue:**
+- You have many Docker services with web UIs
+- They were HTTP only, causing download/connection issues
+- When accessed remotely through VPS Caddy, certificate warnings appeared
+- Your internal CA server wasn't being utilized by services
+
+**Solution Implemented:**
+- Deployed SSL reverse proxy for all internal services
+- Distributed CA certificates to trust the proxy
+- Now all services have HTTPS with valid certificates (once CA cert installed on clients)
+
+## Commands Reference
+
+**View Caddy logs:**
+```bash
+ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal -f"
+```
+
+**Restart Caddy:**
+```bash
+ssh root@10.0.10.3 "pct exec 127 -- docker restart caddy-internal"
+```
+
+**Check listening ports:**
+```bash
+ssh root@10.0.10.3 "pct exec 127 -- ss -tlnp | grep caddy"
+```
+
+**Redeploy CA certificates (if needed):**
+```bash
+cd ~/projects/infrastructure
+./scripts/deploy-ca-certificates.sh
+```
+
+---
+
+**Git Commit:** `2418b48` - Deploy CA certificates and internal HTTPS reverse proxy
+**Branch:** master
+**Files Modified:** CA-DEPLOYMENT-SUMMARY.md, scripts/deploy-ca-certificates.sh, scripts/setup-internal-caddy.sh