CA Integration Work - Status & Resume Guide
Last Updated: 2026-01-25
Status: Phase 1 Complete ✅ - Ready for Phase 2
Quick Summary
You were concerned that your internal CA server (10.0.10.15, CT 115) wasn't being used by services, causing certificate warnings when accessing them remotely. We've completed Phase 1 of fixing this.
What's Been Done ✅
Phase 1: Internal HTTPS (Complete)
- ✅ Distributed homelab CA root cert to all containers, Proxmox hosts, and VPS
- ✅ Deployed Caddy reverse proxy on CT 127 with SSL termination
- ✅ All Docker services (Sonarr, Radarr, Prowlarr, Bazarr, Deluge, Calibre, Vikunja, Dockge) now have HTTPS
Key Files:
- CA-DEPLOYMENT-SUMMARY.md - Complete documentation
- scripts/deploy-ca-certificates.sh - Automation script
- Caddy config: /opt/caddy-internal/Caddyfile on CT 127
Services: All accessible at https://<service>.nianticbooks.home
Caddy Container:
- Running on CT 127 (10.0.10.27)
- Container name: caddy-internal
- Listens on port 443 (HTTPS only)
- Uses Caddy internal PKI (self-signed certificates)
What You Still Need To Do
Immediate (to remove browser warnings):
- Install the CA certificate on your devices: Caddy-Internal-Root-CA.crt (in this directory). See CA-DEPLOYMENT-SUMMARY.md for platform-specific instructions.
- Add DNS entries or edit your hosts file:
  10.0.10.27 sonarr.nianticbooks.home radarr.nianticbooks.home prowlarr.nianticbooks.home ...
What's Still Needed (Phase 2)
High Priority
- Migrate to Step-CA ACME (instead of Caddy internal PKI)
  - Problem: the CA server cert at 10.0.10.15 has no IP SAN, so clients that reach the ACME endpoint by IP address cannot verify it
  - Solution: Regenerate the CA server cert with an IP SAN, or use a DNS name
  - Benefit: Single CA for the entire homelab
- Add SSL to remaining services:
  - Home Assistant (10.0.10.24) - has SSL, needs CA-signed cert
  - Proxmox hosts (10.0.10.2, 10.0.10.3, 10.0.10.4) - have SSL, need CA-signed certs
  - n8n (10.0.10.22) - HTTP only
  - Authentik (10.0.10.21) - HTTP only
  - Grafana (10.0.10.25) - HTTP only
- Update VPS Caddy:
  - Configure VPS Caddy to use the internal CA for public services
  - Fixes cert warnings when accessing services from outside the network
Lower Priority
- Update SERVICES.md with new HTTPS endpoints
- Set up certificate expiration monitoring
- Add more services as needed
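Added example (not part of the original notes): a small POSIX shell helper covering two of the Phase 2 items above, checking whether a certificate carries the IP SAN that the CA server cert currently lacks, and whether it remains valid for a given number of days, which is the core of the expiration-monitoring task. It assumes OpenSSL 1.1.1 or newer is installed; the fetch_cert helper and the host, port and SAN values in the commented example run are taken from this document and are illustrative only.

```shell
#!/bin/sh
# Added example for the Phase 2 checks. Requires OpenSSL 1.1.1+.

# Print the subjectAltName entries of a PEM certificate file, comma-separated,
# with whitespace removed (e.g. "IPAddress:10.0.10.15,DNS:ca.example.home").
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Return 0 if the certificate in file $1 carries an IP SAN for address $2.
# This is the check that the CA server cert at 10.0.10.15 currently fails.
cert_has_ip_san() {
  cert_sans "$1" | tr ',' '\n' | grep -qx "IPAddress:$2"
}

# Return 0 if the certificate in file $1 carries a DNS SAN for name $2
# (the alternative fix: reach the CA by DNS name instead of IP).
cert_has_dns_san() {
  cert_sans "$1" | tr ',' '\n' | grep -qx "DNS:$2"
}

# Return 0 if the certificate in file $1 is still valid for at least $2 days.
# openssl -checkend exits non-zero when the cert expires within the window,
# so this is suitable for a cron-driven expiration check.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Fetch the leaf certificate served at host $1, port $2 into PEM file $3.
# $4 is the SNI name and defaults to the host. Live check, needs network.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "${4:-$1}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Example run against the CA server named in this document (requires network):
#   fetch_cert 10.0.10.15 8443 /tmp/ca-server.pem
#   cert_has_ip_san /tmp/ca-server.pem 10.0.10.15 || echo "CA server cert has no IP SAN"
#   cert_valid_for_days /tmp/ca-server.pem 30 || echo "CA server cert expires within 30 days"
```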
How To Resume This Work
To continue CA integration:
cd ~/projects/infrastructure
# Review current state
cat CA-DEPLOYMENT-SUMMARY.md
cat CA-WORK-IN-PROGRESS.md # This file
# Check Caddy status
ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal"
# Continue with Phase 2 tasks above
To modify Caddy configuration:
ssh root@10.0.10.3
pct exec 127 -- bash
cd /opt/caddy-internal
nano Caddyfile
docker restart caddy-internal
To add more services:
- Edit /opt/caddy-internal/Caddyfile on CT 127 and add a new service block (see existing examples)
- Restart: docker restart caddy-internal
- Add a DNS entry or hosts file entry
Key Locations
CA Certificates:
- Homelab CA root: /usr/local/share/ca-certificates/homelab-ca.crt (on all systems)
- Caddy internal CA: extract with docker exec caddy-internal cat /data/caddy/pki/authorities/local/root.crt
- Step-CA root: /etc/step-ca/.step/certs/root_ca.crt on CT 115
Caddy Configuration:
- Config directory: /opt/caddy-internal/ on CT 127
- Caddyfile: /opt/caddy-internal/Caddyfile
- Docker compose: /opt/caddy-internal/docker-compose.yml
- Certificate storage: inside the container at /data/caddy/certificates/local/
Services:
- CA Server: 10.0.10.15 (CT 115)
- ACME endpoint: https://10.0.10.15:8443/acme/acme/directory
- Caddy proxy: 10.0.10.27 (CT 127) - Port 443
Problem Context (Why We Did This)
Original Issue:
- You have many Docker services with web UIs
- They were HTTP only, causing download/connection issues
- When accessed remotely through VPS Caddy, certificate warnings appeared
- Your internal CA server wasn't being utilized by services
Solution Implemented:
- Deployed SSL reverse proxy for all internal services
- Distributed CA certificates to trust the proxy
- Now all services have HTTPS with valid certificates (once CA cert installed on clients)
Commands Reference
View Caddy logs:
ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal -f"
Restart Caddy:
ssh root@10.0.10.3 "pct exec 127 -- docker restart caddy-internal"
Check listening ports:
ssh root@10.0.10.3 "pct exec 127 -- ss -tlnp | grep caddy"
Redeploy CA certificates (if needed):
cd ~/projects/infrastructure
./scripts/deploy-ca-certificates.sh
Git Commit: 2418b48 - Deploy CA certificates and internal HTTPS reverse proxy
Branch: master
Files Modified: CA-DEPLOYMENT-SUMMARY.md, scripts/deploy-ca-certificates.sh, scripts/setup-internal-caddy.sh