
Support for self-signed CA certificates (#1431)

David Dix hace 1 semana
26f4dad832
Se han modificado 3 ficheros con 44 adiciones y 0 borrados
  1. 1 0
      Dockerfile
  2. 32 0
      deploy/docker-entrypoint.sh
  3. 11 0
      docker-compose.yml

+ 1 - 0
Dockerfile

@@ -28,6 +28,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     iproute2 \
     libcap2-bin \
     openssh-client \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Install the Tailscale CLI only (no tailscaled — the daemon runs on the host).

+ 32 - 0
deploy/docker-entrypoint.sh

@@ -31,6 +31,38 @@ set -eu
 PUID="${PUID:-1000}"
 PGID="${PGID:-1000}"
 
+# If requested, update and use the system trust store inside the container.
+# Users can set USE_SYSTEM_TRUST_STORE to any non-empty value to enable.
+if [ -n "${USE_SYSTEM_TRUST_STORE:-}" ]; then
+    echo "[entrypoint] USE_SYSTEM_TRUST_STORE is set"
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "[entrypoint] error: USE_SYSTEM_TRUST_STORE is set but not running as root; cannot update trust store"
+        exit 1
+    fi
+    # Check if we have any certificates to process. Error if directory is empty
+    if ls -1 /usr/local/share/ca-certificates/*.crt >/dev/null 2>&1; then
+        echo "[entrypoint] .crt files found in /usr/local/share/ca-certificates"
+    else
+        echo "[entrypoint] no .crt files in /usr/local/share/ca-certificates"
+        exit 1
+    fi
+    if command -v update-ca-certificates >/dev/null 2>&1; then
+        echo "[entrypoint] update-ca-certificates found; updating system trust store"
+        if update-ca-certificates --fresh ; then
+            echo "[entrypoint] update-ca-certificates succeeded; exporting SSL_CERT_DIR=/etc/ssl/certs"
+            export SSL_CERT_DIR="/etc/ssl/certs"
+        else
+            echo "[entrypoint] error: update-ca-certificates failed"
+            exit 1
+        fi
+    else
+        echo "[entrypoint] error: update-ca-certificates not found; cannot update trust store"
+        exit 1
+    fi
+else
+    echo "[entrypoint] USE_SYSTEM_TRUST_STORE not set; skipping system trust store update"
+fi
+
 # If we're not root, we can't chown anything. Exec the original command
 # and trust that the user has set up host-side ownership themselves.
 if [ "$(id -u)" -ne 0 ]; then
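Review bot: The four error branches (the not-root check, the missing-.crt check, the failed update and the missing update-ca-certificates) report with plain `echo`, so the reason for the `exit 1` goes to stdout interleaved with normal output instead of stderr; append `>&2` to each of those `echo "[entrypoint] error: ..."` lines (and to the "no .crt files" one), the whole `if`/`fi` block is inside the hunk. Exporting only `SSL_CERT_DIR` covers clients that use OpenSSL's default lookup, but whether Bambuddy's HTTP client honours it cannot be seen from this hunk; Python clients built on certifi typically need `SSL_CERT_FILE` (or `REQUESTS_CA_BUNDLE`) pointed at the bundle that update-ca-certificates writes under /etc/ssl/certs, so this is worth confirming before relying on the feature. A short comment above the block such as `# Every *.crt mounted here becomes a trust anchor for all outbound TLS from this container, not just Home Assistant.` would make the blast radius of the mount explicit to operators.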

+ 11 - 0
docker-compose.yml

@@ -62,6 +62,13 @@ services:
       # Without this mount, the Tailscale toggle in the UI is harmless —
       # Bambuddy falls back to self-signed certs.
       #- /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
+      #
+      # Using a self signed certificate for Home Assistant
+      # Add your certificate to certs directory and mount it to the container.
+      # The certificate will be added to the system trust store on container startup.
+      # Enable the system trust store with the USE_SYSTEM_TRUST_STORE env var to
+      # have Bambuddy trust the certificate.
+      # - /path/to/certs:/usr/local/share/ca-certificates
     environment:
       - TZ=${TZ:-Europe/Berlin}
       # User/group the container drops to after the entrypoint normalises
@@ -93,6 +100,10 @@ services:
       # DATA_DIR/.mfa_encryption_key on first startup if unset. Override here
       # to manage the key out-of-band (e.g. via a secret manager).
       #- MFA_ENCRYPTION_KEY=
+      #
+      # Enable System Trust Store for certificate validation (e.g. for local Home Assistant)
+      # You also need to mount your certificates to the container (see volumes section above).
+      # - USE_SYSTEM_TRUST_STORE=true
     restart: unless-stopped
 
   # Optional: External PostgreSQL database
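Review bot: The example `# - USE_SYSTEM_TRUST_STORE=true` in the environment section reads as if the value matters and the mount is optional, whereas the entrypoint enables the feature on any non-empty value and exits with an error when the variable is set but no `.crt` files are present in the mounted directory. Suggest extending the comment with `# Any non-empty value enables it; the container refuses to start if no *.crt files are mounted at /usr/local/share/ca-certificates.` The volumes comment in the first hunk could likewise note that only files with a `.crt` extension are picked up and that they are trusted for every TLS connection the container makes, so the directory should contain only the intended CA certificate.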