feat(caddy): serve Caddy root CA at /ca.crt for guest trust

Air-gap mirror uses tls internal; guests must trust Caddy's local CA. Serve it
at http://<domain>/ca.crt from a world-readable mount (the live pki dir is
root-only 0600). build-stack --up mirror|full exports the CA after bring-up;
landing page links it. Pre-creates the mount target to avoid a dir bind.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-24 05:32:31 +02:00
parent b277fc6268
commit 390f8c78af
6 changed files with 44 additions and 0 deletions

View File

@@ -18,6 +18,9 @@ export const site = {
// packwiz modpack entrypoint.
packwizUrl: `http://packwiz.${BASE_DOMAIN}/pack.toml`,
// Caddy local CA root — guests import this to trust the offline asset mirror.
caCertUrl: `http://${BASE_DOMAIN}/ca.crt`,
// Launcher downloads. Stable filenames are symlinks created by
// tooling/fetch-launcher.sh — keep these in sync with that script.
launcher: {

View File

@@ -50,6 +50,11 @@ const { launcher } = site;
Need credentials? Register at <a href={site.authUrl}>{site.authUrl}</a>, then log in
with that username and password.
</p>
<p class="note">
Offline party? Download and trust the
<a href={site.caCertUrl}>local CA certificate</a> so the game-file
mirror works over HTTPS.
</p>
</li>
<li>