bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

fc-apple-mdm: add NanoHUB GitOps workload

Browse Source
This commit is contained in:
Robot
2026-06-17 17:57:17 -05:00
parent 4b58b0ca5f
commit 8ac3557b01
11 changed files with 521 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
apps/fc-apple-mdm/README.md Normal file
View File

@@ -0,0 +1,65 @@
# FlowerCore Apple MDM Infra
This app hosts the private NanoHUB bootstrap service for FlowerCore iPad
management at `https://mdm.iamworkin.lan`.
## Runtime Shape
- Namespace: `fc-apple-mdm`
- Host: `mdm.iamworkin.lan`
- Image: `localhost/fc-apple-mdm-nanohub:v0.2.0-20260617`
- Upstream baseline: NanoHUB `v0.2.0`, published 2025-12-25
- Persistent data: `fc-apple-mdm-data` mounted at `/var/lib/nanohub`
- NanoHUB file backend root: `/var/lib/nanohub/db`
- Runtime secret: `OnePasswordItem/fc-apple-mdm-runtime`
- Required secret field: `NANOHUB_API_KEY`
- Optional secret field: `NANOHUB_WEBHOOK_URL`
NanoHUB listens on HTTP `:9004` inside the pod; Traefik owns TLS using
`Certificate/fc-apple-mdm-tls`. The public route intentionally exposes only
`/mdm`, `/checkin`, and `/version`. The NanoHUB APIs under `/api/v1/*` stay
cluster-internal for MDM-N1 and are intended for the FlowerCore
DeviceManagement bridge.
## NanoHUB Endpoints
- Device command/report and default check-in endpoint: `/mdm`
- Separate check-in endpoint enabled by `NANOHUB_CHECKIN=true`: `/checkin`
- Health/version endpoint: `/version`
- Internal NanoMDM API: `/api/v1/nanomdm/`
- Internal NanoCMD API: `/api/v1/nanocmd/`
- Internal KMFDDM API: `/api/v1/ddm/`
NanoHUB API authentication is HTTP Basic with username `nanohub` and password
from `NANOHUB_API_KEY`.
## Operator Gates
1. Create `FlowerCore Apple MDM Runtime` in the `IAmWorkin` 1Password vault with
field `NANOHUB_API_KEY`. Add `NANOHUB_WEBHOOK_URL` only after the
DeviceManagement Nano bridge endpoint is live.
2. Add or confirm `mdm.iamworkin.lan -> 10.0.56.200` in FlowerCore.DNS/pfSense
before cert-manager syncs the certificate.
3. Mirror or build the pinned NanoHUB image, then import it on every schedulable
RKE2 node:
```bash
podman pull --arch arm64 ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd
podman tag ghcr.io/micromdm/nanohub@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
podman save localhost/fc-apple-mdm-nanohub:v0.2.0-20260617 -o fc-apple-mdm-nanohub-v0.2.0-20260617.tar
# copy to each RKE2 node, then:
sudo ctr -n k8s.io images import fc-apple-mdm-nanohub-v0.2.0-20260617.tar
```
If GHCR changes or becomes unavailable, rebuild/import from
`nanohub-linux-arm64-v0.2.0.zip` with SHA-256
`b05968322a9bc34e79169ebee28d16554046f981eaee48a12cf80899f51a9dbd`.
4. Sync the ArgoCD app and prove `https://mdm.iamworkin.lan/version`.
## Support Boundary
This MDM-N1 lane deploys the protocol substrate only. It does not create an APNs
MDM push certificate, enrollment profile, SCEP/device identity service, managed
Wi-Fi payload, managed app install, or supervised iPad enrollment. Those stay in
MDM-N2 through MDM-N8.