sami7777/dashcaddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: DashCaddy v1.0

Browse Source 
Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.
This commit is contained in:
Sami
2026-03-05 02:26:12 -08:00
commit f61e85d9a7
337 changed files with 75282 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
ca/scripts/generate-all.sh Normal file
View File

@@ -0,0 +1,50 @@
#!/bin/bash
set -e
# DashCA Certificate Generation Script
# This script generates all required certificate formats
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CA_DIR="$(dirname "$SCRIPT_DIR")"
CADDY_CERT_DIR="C:/caddy/certs/pki/authorities/local"
echo "======================================"
echo "DashCA Certificate Format Generator"
echo "======================================"
echo ""
# Step 1: Copy certificates from Caddy
echo "[1/4] Copying certificates from Caddy PKI..."
if [ ! -f "$CADDY_CERT_DIR/root.crt" ]; then
echo "ERROR: Root certificate not found at $CADDY_CERT_DIR/root.crt"
exit 1
fi
cp "$CADDY_CERT_DIR/root.crt" "$CA_DIR/"
cp "$CADDY_CERT_DIR/intermediate.crt" "$CA_DIR/" 2>/dev/null || echo " (Intermediate certificate not found, skipping)"
echo " ✓ Certificates copied"
# Step 2: Generate DER format
echo "[2/4] Generating DER format..."
openssl x509 -in "$CA_DIR/root.crt" -outform DER -out "$CA_DIR/root.der"
echo " ✓ DER format generated: root.der"
# Step 3: Generate certificate info JSON
echo "[3/4] Extracting certificate metadata..."
node "$SCRIPT_DIR/generate-cert-info.js"
# Step 4: Generate Apple mobileconfig
echo "[4/4] Generating Apple mobile configuration profile..."
node "$SCRIPT_DIR/generate-mobileconfig.js"
echo ""
echo "======================================"
echo "✓ All certificate formats generated!"
echo "======================================"
echo ""
echo "Files created in: $CA_DIR"
ls -lh "$CA_DIR"/*.{crt,der,mobileconfig,json} 2>/dev/null || echo "Files created successfully"
echo ""
echo "To deploy to production:"
echo " cp -r $CA_DIR/* C:/caddy/sites/ca/"
echo ""

75
ca/scripts/generate-cert-info.js Normal file
View File

@@ -0,0 +1,75 @@
const { execSync } = require('child_process');
const fs = require('fs');
const path = require('path');
const CERT_PATH = path.join(__dirname, '../root.crt');
const OUTPUT_PATH = path.join(__dirname, '../cert-info.json');
function extractCertInfo() {
try {
console.log('Extracting certificate information from:', CERT_PATH);
// Extract SHA-256 fingerprint
const fingerprint = execSync(`openssl x509 -in "${CERT_PATH}" -noout -fingerprint -sha256`)
.toString()
.trim()
.split('=')[1];
// Extract validity dates
const dates = execSync(`openssl x509 -in "${CERT_PATH}" -noout -dates`).toString();
const notBefore = dates.match(/notBefore=(.*)/)[1].trim();
const notAfter = dates.match(/notAfter=(.*)/)[1].trim();
// Extract subject
const subject = execSync(`openssl x509 -in "${CERT_PATH}" -noout -subject`)
.toString()
.trim()
.split('CN = ')[1] || execSync(`openssl x509 -in "${CERT_PATH}" -noout -subject`)
.toString()
.trim()
.split('CN=')[1];
// Extract serial number
const serialNumber = execSync(`openssl x509 -in "${CERT_PATH}" -noout -serial`)
.toString()
.trim()
.split('=')[1];
// Calculate days until expiration
const expirationDate = new Date(notAfter);
const today = new Date();
const daysUntilExpiration = Math.floor((expirationDate - today) / (1000 * 60 * 60 * 24));
const certInfo = {
name: subject,
fingerprint: fingerprint,
validFrom: notBefore,
validUntil: notAfter,
daysUntilExpiration: daysUntilExpiration,
algorithm: 'ECDSA P-256 with SHA-256',
issuer: subject, // Self-signed root CA
serialNumber: serialNumber,
generatedAt: new Date().toISOString()
};
fs.writeFileSync(OUTPUT_PATH, JSON.stringify(certInfo, null, 2));
console.log('✓ Certificate information extracted successfully!');
console.log(' Output:', OUTPUT_PATH);
console.log(' Name:', certInfo.name);
console.log(' Fingerprint:', certInfo.fingerprint);
console.log(' Valid until:', certInfo.validUntil);
console.log(' Days until expiration:', certInfo.daysUntilExpiration);
return certInfo;
} catch (error) {
console.error('Error extracting certificate information:', error.message);
process.exit(1);
}
}
// Run if called directly
if (require.main === module) {
extractCertInfo();
}
module.exports = { extractCertInfo };

105
ca/scripts/generate-mobileconfig.js Normal file
View File

@@ -0,0 +1,105 @@
const fs = require('fs');
const crypto = require('crypto');
const path = require('path');
const CERT_PATH = path.join(__dirname, '../root.crt');
const OUTPUT_PATH = path.join(__dirname, '../root.mobileconfig');
function generateUUID() {
return crypto.randomUUID().toUpperCase();
}
function generateMobileConfig() {
try {
console.log('Generating Apple mobile configuration profile...');
console.log('Reading certificate from:', CERT_PATH);
// Read certificate
const certPem = fs.readFileSync(CERT_PATH, 'utf8');
// Extract base64 content (remove PEM headers and newlines)
const certBase64 = certPem
.replace('-----BEGIN CERTIFICATE-----', '')
.replace('-----END CERTIFICATE-----', '')
.replace(/\s/g, '');
// Generate UUIDs for profile and payload
const profileUUID = generateUUID();
const payloadUUID = generateUUID();
const mobileconfig = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadCertificateFileName</key>
<string>root.crt</string>
<key>PayloadContent</key>
<data>
${certBase64}
</data>
<key>PayloadDescription</key>
<string>Root CA certificate for Sami Home Network</string>
<key>PayloadDisplayName</key>
<string>Sami Home Network Root CA</string>
<key>PayloadIdentifier</key>
<string>com.sami-home.ca.root-ca</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadUUID</key>
<string>${payloadUUID}</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Install the Sami Home Network Root CA to trust locally-issued certificates for *.sami domains.</string>
<key>PayloadDisplayName</key>
<string>Sami Home Network Root CA</string>
<key>PayloadIdentifier</key>
<string>com.sami-home.ca</string>
<key>PayloadOrganization</key>
<string>Sami Home Network</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>${profileUUID}</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
`;
fs.writeFileSync(OUTPUT_PATH, mobileconfig);
console.log('✓ Mobile configuration profile generated successfully!');
console.log(' Output:', OUTPUT_PATH);
console.log(' Profile UUID:', profileUUID);
console.log(' Payload UUID:', payloadUUID);
console.log('\nTo install on iOS:');
console.log(' 1. Download root.mobileconfig to your device');
console.log(' 2. Open Settings app (it should prompt automatically)');
console.log(' 3. Tap "Install Profile" and follow the prompts');
console.log(' 4. Go to Settings > General > About > Certificate Trust Settings');
console.log(' 5. Enable full trust for "Sami Home Network Root CA"');
console.log('\nTo install on macOS:');
console.log(' 1. Download root.mobileconfig');
console.log(' 2. Open System Settings > Privacy & Security > Profiles');
console.log(' 3. Click the profile and click Install');
return { profileUUID, payloadUUID };
} catch (error) {
console.error('Error generating mobile configuration profile:', error.message);
process.exit(1);
}
}
// Run if called directly
if (require.main === module) {
generateMobileConfig();
}
module.exports = { generateMobileConfig };

132
ca/scripts/install.ps1 Normal file
View File

@@ -0,0 +1,132 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Installs the Sami Home Network Root CA certificate to the Trusted Root Certification Authorities store.
.DESCRIPTION
This script downloads the root CA certificate from ca.sami, verifies its fingerprint,
and installs it to the local machine's trusted root store. This allows all *.sami domains
to be trusted system-wide without browser warnings.
.NOTES
Requires Administrator privileges.
For use with DashCA - https://ca.sami
#>
$ErrorActionPreference = "Stop"
# Configuration
$CertUrl = "https://ca.sami/root.crt"
$ExpectedFingerprint = "0898A563F5A1A2585F02D7A8A25487E6BC33969F9B5DB053622 07FAF9621290E"
$TempFile = "$env:TEMP\sami-root-ca.crt"
# Colors
$Red = [System.ConsoleColor]::Red
$Green = [System.ConsoleColor]::Green
$Cyan = [System.ConsoleColor]::Cyan
$Yellow = [System.ConsoleColor]::Yellow
Write-Host ""
Write-Host "========================================" -ForegroundColor $Cyan
Write-Host " DashCA Installer" -ForegroundColor $Cyan
Write-Host " Sami Home Network Root CA" -ForegroundColor $Cyan
Write-Host "========================================" -ForegroundColor $Cyan
Write-Host ""
# Step 1: Download certificate
Write-Host "[1/4] Downloading certificate from $CertUrl..." -ForegroundColor $Cyan
try {
$ProgressPreference = 'SilentlyContinue' # Disable progress bar for faster download
Invoke-WebRequest -Uri $CertUrl -OutFile $TempFile -UseBasicParsing -ErrorAction Stop
Write-Host " ✓ Certificate downloaded" -ForegroundColor $Green
} catch {
Write-Host " ✗ Failed to download certificate" -ForegroundColor $Red
Write-Host " Error: $_" -ForegroundColor $Red
Write-Host ""
Write-Host "Troubleshooting:" -ForegroundColor $Yellow
Write-Host " - Ensure you are on the Tailnet/network where ca.sami is accessible" -ForegroundColor $Yellow
Write-Host " - Try accessing https://ca.sami in your browser first" -ForegroundColor $Yellow
exit 1
}
# Step 2: Verify fingerprint
Write-Host "[2/4] Verifying certificate fingerprint..." -ForegroundColor $Cyan
try {
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($TempFile)
$Fingerprint = $Cert.Thumbprint
$NormalizedExpected = $ExpectedFingerprint -replace '[:\s]', ''
$NormalizedActual = $Fingerprint -replace '[:\s]', ''
if ($NormalizedActual -ne $NormalizedExpected) {
Write-Host " ✗ Fingerprint mismatch!" -ForegroundColor $Red
Write-Host " Expected: $ExpectedFingerprint" -ForegroundColor $Yellow
Write-Host " Got: $Fingerprint" -ForegroundColor $Red
Remove-Item $TempFile -Force
Write-Host ""
Write-Host "SECURITY WARNING: The downloaded certificate does not match the expected fingerprint." -ForegroundColor $Red
Write-Host "This could indicate a man-in-the-middle attack or certificate renewal." -ForegroundColor $Red
Write-Host "Please verify with your network administrator before proceeding." -ForegroundColor $Red
exit 1
}
Write-Host " ✓ Fingerprint verified: $Fingerprint" -ForegroundColor $Green
} catch {
Write-Host " ✗ Failed to verify fingerprint" -ForegroundColor $Red
Write-Host " Error: $_" -ForegroundColor $Red
Remove-Item $TempFile -Force -ErrorAction SilentlyContinue
exit 1
}
# Step 3: Check if already installed
Write-Host "[3/4] Checking for existing certificate..." -ForegroundColor $Cyan
$ExistingCert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Fingerprint }
if ($ExistingCert) {
Write-Host " Certificate already installed" -ForegroundColor $Yellow
Write-Host " Subject: $($ExistingCert.Subject)" -ForegroundColor $Yellow
Write-Host " Not After: $($ExistingCert.NotAfter)" -ForegroundColor $Yellow
Remove-Item $TempFile -Force
Write-Host ""
Write-Host "The Sami Home Network Root CA is already trusted on this system." -ForegroundColor $Green
Write-Host "No further action needed!" -ForegroundColor $Green
Write-Host ""
exit 0
}
Write-Host " ✓ Certificate not yet installed, proceeding..." -ForegroundColor $Green
# Step 4: Install certificate
Write-Host "[4/4] Installing certificate to Trusted Root store..." -ForegroundColor $Cyan
try {
$ImportedCert = Import-Certificate -FilePath $TempFile -CertStoreLocation Cert:\LocalMachine\Root -ErrorAction Stop
Write-Host " ✓ Certificate installed successfully" -ForegroundColor $Green
Write-Host " Subject: $($ImportedCert.Subject)" -ForegroundColor $Green
Write-Host " Thumbprint: $($ImportedCert.Thumbprint)" -ForegroundColor $Green
} catch {
Write-Host " ✗ Failed to install certificate" -ForegroundColor $Red
Write-Host " Error: $_" -ForegroundColor $Red
Remove-Item $TempFile -Force -ErrorAction SilentlyContinue
Write-Host ""
Write-Host "Installation failed. Please ensure you are running as Administrator." -ForegroundColor $Red
exit 1
}
# Cleanup
Remove-Item $TempFile -Force -ErrorAction SilentlyContinue
Write-Host ""
Write-Host "========================================" -ForegroundColor $Green
Write-Host " SUCCESS!" -ForegroundColor $Green
Write-Host "========================================" -ForegroundColor $Green
Write-Host ""
Write-Host "The Sami Home Network Root CA has been installed to your Trusted Root store." -ForegroundColor $Green
Write-Host ""
Write-Host "What's next:" -ForegroundColor $Cyan
Write-Host " ✓ All *.sami domains will now be trusted system-wide" -ForegroundColor $Green
Write-Host " ✓ Browsers (Edge, Chrome, Firefox) will no longer show security warnings" -ForegroundColor $Green
Write-Host " ✓ Applications will trust HTTPS connections to your local services" -ForegroundColor $Green
Write-Host ""
Write-Host "Test it out:" -ForegroundColor $Cyan
Write-Host " Visit https://status.sami or any other *.sami service" -ForegroundColor $Yellow
Write-Host " The connection should show as secure with no warnings" -ForegroundColor $Yellow
Write-Host ""

220
ca/scripts/install.sh Normal file
View File

@@ -0,0 +1,220 @@
#!/bin/bash
#
# DashCA Installer - Sami Home Network Root CA
# Installs the root CA certificate system-wide on Linux and macOS
#
# Usage: curl -fsSL https://ca.sami/install.sh | sudo bash
#
set -e
# Configuration
CERT_URL="https://ca.sami/root.crt"
EXPECTED_FP="08:98:A5:63:F5:A1:A2:58:5F:02:D7:A8:A2:54:87:E6:BC:33:96:9F:9B:5D:B0:53:62:20:7F:AF:96:21:29:0E"
CERT_NAME="Sami_Home_Network_Root_CA"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
CYAN='\033[0;36m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
echo ""
echo -e "${CYAN}========================================${NC}"
echo -e "${CYAN} DashCA Installer${NC}"
echo -e "${CYAN} Sami Home Network Root CA${NC}"
echo -e "${CYAN}========================================${NC}"
echo ""
# Check for root/sudo
if [[ $EUID -ne 0 ]]; then
echo -e "${RED}✗ This script requires root privileges${NC}"
echo ""
echo "Please run with sudo:"
echo -e " ${YELLOW}curl -fsSL https://ca.sami/install.sh | sudo bash${NC}"
echo ""
echo "Or download first, then run:"
echo -e " ${YELLOW}curl -o install.sh https://ca.sami/install.sh${NC}"
echo -e " ${YELLOW}sudo bash install.sh${NC}"
echo ""
exit 1
fi
# Detect OS
echo -e "${CYAN}[1/6] Detecting operating system...${NC}"
if [[ "$OSTYPE" == "darwin"* ]]; then
OS="macos"
OS_NAME="macOS"
elif [[ -f /etc/os-release ]]; then
. /etc/os-release
if [[ "$ID" == "debian" ]] || [[ "$ID" == "ubuntu" ]] || [[ "$ID_LIKE" == *"debian"* ]]; then
OS="debian"
OS_NAME="Debian/Ubuntu"
elif [[ "$ID" == "fedora" ]] || [[ "$ID" == "rhel" ]] || [[ "$ID" == "centos" ]] || [[ "$ID_LIKE" == *"fedora"* ]] || [[ "$ID_LIKE" == *"rhel"* ]]; then
OS="redhat"
OS_NAME="RedHat/CentOS/Fedora"
elif [[ "$ID" == "arch" ]] || [[ "$ID_LIKE" == *"arch"* ]]; then
OS="arch"
OS_NAME="Arch Linux"
else
OS="unknown"
OS_NAME="Unknown Linux"
fi
elif [[ -f /etc/redhat-release ]]; then
OS="redhat"
OS_NAME="RedHat/CentOS"
elif [[ -f /etc/arch-release ]]; then
OS="arch"
OS_NAME="Arch Linux"
else
OS="unknown"
OS_NAME="Unknown"
fi
if [[ "$OS" == "unknown" ]]; then
echo -e "${RED} ✗ Unsupported operating system${NC}"
echo ""
echo "This script supports:"
echo " - Debian/Ubuntu"
echo " - RedHat/CentOS/Fedora"
echo " - Arch Linux"
echo " - macOS"
echo ""
echo "For manual installation, download the certificate:"
echo -e " ${YELLOW}curl -O $CERT_URL${NC}"
echo ""
exit 1
fi
echo -e "${GREEN} ✓ Detected: $OS_NAME${NC}"
# Download certificate
echo -e "${CYAN}[2/6] Downloading certificate from $CERT_URL...${NC}"
TEMP_CERT=$(mktemp)
if ! curl -fsSL "$CERT_URL" -o "$TEMP_CERT"; then
echo -e "${RED} ✗ Failed to download certificate${NC}"
echo ""
echo -e "${YELLOW}Troubleshooting:${NC}"
echo " - Ensure you are on the Tailnet/network where ca.sami is accessible"
echo " - Try accessing https://ca.sami in your browser first"
echo " - Check your network connection"
rm -f "$TEMP_CERT"
exit 1
fi
echo -e "${GREEN} ✓ Certificate downloaded${NC}"
# Verify fingerprint
echo -e "${CYAN}[3/6] Verifying certificate fingerprint...${NC}"
if ! command -v openssl &> /dev/null; then
echo -e "${RED} ✗ OpenSSL not found${NC}"
echo "Please install OpenSSL to verify certificate fingerprint"
rm -f "$TEMP_CERT"
exit 1
fi
ACTUAL_FP=$(openssl x509 -in "$TEMP_CERT" -noout -fingerprint -sha256 | cut -d= -f2)
if [[ "$ACTUAL_FP" != "$EXPECTED_FP" ]]; then
echo -e "${RED} ✗ Fingerprint mismatch!${NC}"
echo -e "${YELLOW} Expected: $EXPECTED_FP${NC}"
echo -e "${RED} Got: $ACTUAL_FP${NC}"
rm -f "$TEMP_CERT"
echo ""
echo -e "${RED}SECURITY WARNING: The downloaded certificate does not match the expected fingerprint.${NC}"
echo -e "${RED}This could indicate a man-in-the-middle attack or certificate renewal.${NC}"
echo -e "${RED}Please verify with your network administrator before proceeding.${NC}"
echo ""
exit 1
fi
echo -e "${GREEN} ✓ Fingerprint verified${NC}"
# Extract certificate details
echo -e "${CYAN}[4/6] Extracting certificate information...${NC}"
CERT_SUBJECT=$(openssl x509 -in "$TEMP_CERT" -noout -subject | sed 's/subject=//')
CERT_NOT_AFTER=$(openssl x509 -in "$TEMP_CERT" -noout -enddate | sed 's/notAfter=//')
echo -e "${GREEN} ✓ Subject: $CERT_SUBJECT${NC}"
echo -e "${GREEN} ✓ Valid until: $CERT_NOT_AFTER${NC}"
# Check if already installed
echo -e "${CYAN}[5/6] Checking for existing installation...${NC}"
ALREADY_INSTALLED=false
case "$OS" in
debian)
if [[ -f "/usr/local/share/ca-certificates/${CERT_NAME}.crt" ]]; then
ALREADY_INSTALLED=true
fi
;;
redhat)
if [[ -f "/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt" ]]; then
ALREADY_INSTALLED=true
fi
;;
arch)
if [[ -f "/etc/ca-certificates/trust-source/anchors/${CERT_NAME}.crt" ]]; then
ALREADY_INSTALLED=true
fi
;;
macos)
if security find-certificate -a -c "$CERT_SUBJECT" /Library/Keychains/System.keychain &>/dev/null; then
ALREADY_INSTALLED=true
fi
;;
esac
if [[ "$ALREADY_INSTALLED" == "true" ]]; then
echo -e "${YELLOW} Certificate already installed${NC}"
rm -f "$TEMP_CERT"
echo ""
echo -e "${GREEN}The Sami Home Network Root CA is already trusted on this system.${NC}"
echo -e "${GREEN}No further action needed!${NC}"
echo ""
exit 0
fi
echo -e "${GREEN} ✓ Certificate not yet installed, proceeding...${NC}"
# Install based on OS
echo -e "${CYAN}[6/6] Installing certificate...${NC}"
case "$OS" in
debian)
cp "$TEMP_CERT" "/usr/local/share/ca-certificates/${CERT_NAME}.crt"
update-ca-certificates
echo -e "${GREEN} ✓ Certificate installed via update-ca-certificates${NC}"
;;
redhat)
cp "$TEMP_CERT" "/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt"
update-ca-trust
echo -e "${GREEN} ✓ Certificate installed via update-ca-trust${NC}"
;;
arch)
cp "$TEMP_CERT" "/etc/ca-certificates/trust-source/anchors/${CERT_NAME}.crt"
trust extract-compat
echo -e "${GREEN} ✓ Certificate installed via trust extract-compat${NC}"
;;
macos)
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$TEMP_CERT"
echo -e "${GREEN} ✓ Certificate installed to System Keychain${NC}"
;;
esac
# Cleanup
rm -f "$TEMP_CERT"
echo ""
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN} SUCCESS!${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo -e "${GREEN}The Sami Home Network Root CA has been installed system-wide.${NC}"
echo ""
echo -e "${CYAN}What's next:${NC}"
echo -e " ${GREEN}${NC} All *.sami domains will now be trusted"
echo -e " ${GREEN}${NC} Browsers will no longer show security warnings"
echo -e " ${GREEN}${NC} Applications will trust HTTPS connections to your local services"
echo ""
echo -e "${CYAN}Test it out:${NC}"
echo -e " ${YELLOW}Visit https://status.sami or any other *.sami service${NC}"
echo -e " ${YELLOW}The connection should show as secure with no warnings${NC}"
echo ""