Skip to content

docs: trust-the-device user guide + reverse-proxy CA rewrite#14

Merged
mairas merged 3 commits into
mainfrom
docs/local-ca-trust-install
May 26, 2026
Merged

docs: trust-the-device user guide + reverse-proxy CA rewrite#14
mairas merged 3 commits into
mainfrom
docs/local-ca-trust-install

Conversation

@mairas

@mairas mairas commented May 26, 2026

Copy link
Copy Markdown
Contributor

Tracked under halos-org/halos#116. Companion to halos-org/halos-core-containers#149 (developer-facing CERTS.md updates).

What this PR covers

User-facing documentation half of the local CA epic.

New: `docs/user-guide/trust-the-device.md`

End-user / operator workflow for installing the device CA on a workstation. Per-OS recipes for macOS Keychain, Windows certmgr, Linux `update-ca-certificates`, iOS configuration profile, Firefox (separate trust store), plus a brief pointer to AOSP docs for Android (user CAs not honored by app WebViews — documenting the limitation rather than promising what we can't deliver).

Includes a fingerprint-verification walk-through (linking back to the canonical version in CERTS.md) and a "Why per-device CAs" subsection explaining the deliberate trade-off against fleet-wide shared anchors (blast-radius isolation > N trust-store entries).

Rewritten: `docs/architecture/reverse-proxy.md` § TLS / HTTPS

The previous "Self-Signed Certificates" section was pre-CA-epic — it still claimed 365-day validity, no CA, and Cockpit having a separate cert. New version covers:

  • 20-year CA, 824-day leaf (Apple compliance ceiling).
  • Shared with Cockpit `:9090` via the `99-halos.cert` override.
  • Custom CA optional via `/etc/halos/ca/` (with a security pointer to the fleet-pattern discussion in CERTS.md — does NOT advertise the drop slot as a fleet feature).
  • Renewal mechanics (24h cadence, 60d threshold, no container restart on rotation).
  • CA download at `/halos-ca.crt` with `Content-Disposition: attachment`.

nav

Adds Trust the Device to the User Guide nav, between Web Interface and Dashboard.

Verification

  • `mkdocs build --strict` green — no broken links, no nav issues.
  • Reviewer click-through on the rendered site: trust-the-device.md flows top-to-bottom; per-OS sections are clearly delineated; the Android pointer is honest about limitations.
  • After docs(certs): document Traefik reload + custom CA install halos-core-containers#149 merges, the cross-links from trust-the-device.md → CERTS.md anchors resolve correctly.

Out of scope

Refs halos-org/halos#116

🤖 Generated with Claude Code

Documents the user-facing half of the local CA epic (tracked in
halos-org/halos#116). Companion PR in halos-core-containers
(halos-org/halos-core-containers#149) covers the developer-facing
CERTS.md + README updates.

New: docs/user-guide/trust-the-device.md

Walks an operator through installing the device CA on their workstation,
which is the supported path for getting trust across every app and every
port on a HaLOS device. Per-OS recipes (macOS Keychain, Windows certmgr,
Linux update-ca-certificates, iOS configuration profile, Firefox), plus
a short Android pointer to the AOSP Network Security Configuration docs
(user-installed CAs are not honored by app WebViews; documenting the
limitation honestly rather than promising what we can't deliver).

Includes:

- The chicken-and-egg fingerprint-verification dance, with a link out to
  the canonical version in halos-core-containers/docs/CERTS.md.
- A "Why per-device CAs" section explaining the deliberate trade against
  fleet-wide shared anchors — N trust-store entries on the workstation
  in exchange for blast-radius isolation if a device is compromised. This
  is the user-facing counterpart to the security note in CERTS.md against
  fleet ca.key distribution.
- A "Removing the trust anchor" section for decommission scenarios.

Updated: docs/architecture/reverse-proxy.md

Replaces the "Self-Signed Certificates" subsection (still claimed 365-day
validity, no CA) with the device-CA reality:

- 20-year CA, 824-day leaf (Apple compliance ceiling).
- Shared with Cockpit on :9090 via the 99-halos.cert override.
- Custom CA optional via /etc/halos/ca/ (with a security pointer to the
  fleet-pattern discussion in CERTS.md).
- Renewal timer mechanics (24h cadence, 60d threshold, no container
  restart on rotation — cockpit reload-or-restart + Traefik touch).
- CA download at /halos-ca.crt with Content-Disposition: attachment.

Updated: mkdocs.yml

Adds "Trust the Device" to the User Guide nav, between Web Interface
(architecture-level overview) and Dashboard (first thing users see).

Verified locally with `mkdocs build --strict` — no broken links, no nav
issues, page renders.

Refs halos-org/halos#116

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mairas added 2 commits May 26, 2026 21:13
Cuts the "Why per-device CAs" section from trust-the-device.md and the
"This is a single-device feature ..." sentence from the Custom CA blurb
in reverse-proxy.md. Same antipattern as the CERTS.md cleanup in
halos-org/halos-core-containers#149 — spending paragraphs justifying why
we don't have a fleet pattern is commit-message lore, not user guidance.
Replaced with a single neutral sentence noting that each device has its
own CA.

Companion commit to halos-org/halos-core-containers#149.

Refs halos-org/halos#116
Self-review finding: end users don't care which HTTP header triggers
the browser's download/install dialog. The trust-the-device page is a
recipe, not architecture documentation. The same mention stays in
docs/architecture/reverse-proxy.md where it's appropriate.

Refs halos-org/halos#116
@mairas mairas merged commit f6316cc into main May 26, 2026
@mairas mairas deleted the docs/local-ca-trust-install branch May 26, 2026 18:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant