feat(caddy): serve Caddy root CA at /ca.crt for guest trust
Air-gap mirror uses tls internal; guests must trust Caddy's local CA. Serve it at http://<domain>/ca.crt from a world-readable mount (the live pki dir is root-only 0600). build-stack --up mirror|full exports the CA after bring-up; landing page links it. Pre-creates the mount target to avoid a dir bind. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,13 @@
|
||||
# Static toggle — apex landing page + launcher downloads.
|
||||
# Mounted only when the stack runs with static files (build-stack.sh up static|full).
|
||||
http://{$BASE_DOMAIN} {
|
||||
# Caddy's local CA root, so guests can trust the air-gap HTTPS mirror.
|
||||
# Mounted from ./caddy/caddy-root-ca.crt (exported by build-stack prep;
|
||||
# the live pki dir is root-only 0600 and can't be served directly).
|
||||
handle /ca.crt {
|
||||
root * /srv/ca-pub
|
||||
file_server
|
||||
}
|
||||
# Launcher downloads are a sibling mount (/srv/launcher), not nested under
|
||||
# the read-only /srv/www. handle_path strips the /launcher prefix.
|
||||
handle_path /launcher/* {
|
||||
|
||||
Reference in New Issue
Block a user