# FlowerCore Apple MDM Infra

This app hosts the private NanoHUB bootstrap service for FlowerCore iPad management at `https://mdm.iamworkin.lan`.

## Runtime Shape

- Namespace: `fc-apple-mdm`
- Host: `mdm.iamworkin.lan`
- Image: `localhost/fc-apple-mdm-nanohub:v0.2.0-20260617`
- Upstream baseline: NanoHUB `v0.2.0`, published 2025-12-25
- Persistent data: `fc-apple-mdm-data` mounted at `/var/lib/nanohub`
- NanoHUB file backend root: `/var/lib/nanohub/db`
- Runtime secret: `OnePasswordItem/fc-apple-mdm-runtime`
- Required secret field: `NANOHUB_API_KEY`
- Optional secret field: `NANOHUB_WEBHOOK_URL`

NanoHUB listens on HTTP `:9004` inside the pod; Traefik owns TLS using `Certificate/fc-apple-mdm-tls`. The public route intentionally exposes only `/mdm`, `/checkin`, and `/version`. The NanoHUB APIs under `/api/v1/*` stay cluster-internal for MDM-N1 and are intended for the FlowerCore DeviceManagement bridge.

## NanoHUB Endpoints

- Device command/report and default check-in endpoint: `/mdm`
- Separate check-in endpoint enabled by `NANOHUB_CHECKIN=true`: `/checkin`
- Health/version endpoint: `/version`
- Internal NanoMDM API: `/api/v1/nanomdm/`
- Internal NanoCMD API: `/api/v1/nanocmd/`
- Internal KMFDDM API: `/api/v1/ddm/`

NanoHUB API authentication is HTTP Basic with username `nanohub` and password from `NANOHUB_API_KEY`.

## Operator Gates

1. Create `FlowerCore Apple MDM Runtime` in the `IAmWorkin` 1Password vault with field `NANOHUB_API_KEY`. Add `NANOHUB_WEBHOOK_URL` only after the DeviceManagement Nano bridge endpoint is live.
2. Add or confirm `mdm.iamworkin.lan -> 10.0.56.200` in FlowerCore.DNS/pfSense before cert-manager syncs the certificate.
3. Mirror or build the pinned NanoHUB image, then import it on every schedulable RKE2 node:

   ```bash
   podman pull --arch arm64 ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd
   podman tag ghcr.io/micromdm/nanohub@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
   podman save localhost/fc-apple-mdm-nanohub:v0.2.0-20260617 -o fc-apple-mdm-nanohub-v0.2.0-20260617.tar
   # copy to each RKE2 node, then:
   sudo ctr -n k8s.io images import fc-apple-mdm-nanohub-v0.2.0-20260617.tar
   ```

   If GHCR changes or becomes unavailable, rebuild/import from `nanohub-linux-arm64-v0.2.0.zip` with SHA-256 `b05968322a9bc34e79169ebee28d16554046f981eaee48a12cf80899f51a9dbd`.
4. Sync the ArgoCD app and prove `https://mdm.iamworkin.lan/version`.

## Support Boundary

This MDM-N1 lane deploys the protocol substrate only. It does not create an APNs MDM push certificate, enrollment profile, SCEP/device identity service, managed Wi-Fi payload, managed app install, or supervised iPad enrollment. Those stay in MDM-N2 through MDM-N8.
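A post-sync check for gate 4 and for the route boundary stated under Runtime Shape, added here as an example (not part of this repo): it probes the three published paths and the three internal API prefixes on the host and flags any internal path that answers with anything other than 404. It assumes `curl` is on PATH and that Traefik returns 404 for paths the route does not publish; `MDM_HOST`, `judge_path` and `run_smoke` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Post-sync smoke check for the FlowerCore NanoHUB route (added example, not repo code).
# Assumes curl is on PATH and that Traefik answers 404 for paths the route does not publish.
set -u
MDM_HOST="${MDM_HOST:-mdm.iamworkin.lan}"
# Paths the public route intentionally publishes, and the APIs that must stay cluster-internal.
PUBLIC_PATHS="/mdm /checkin /version"
INTERNAL_PATHS="/api/v1/nanomdm/ /api/v1/nanocmd/ /api/v1/ddm/"

# is_public_path PATH -> 0 when PATH is one of the published paths, else 1.
is_public_path() {
  for pub in $PUBLIC_PATHS; do
    [ "$1" = "$pub" ] && return 0
  done
  return 1
}

# http_status URL -> prints the HTTP status code, or 000 when the host is unreachable.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# judge_path PATH STATUS -> ok | missing | leak | unreachable
judge_path() {
  p="$1"; code="$2"
  if is_public_path "$p"; then
    # Published paths must be routed: /version must answer 200; /mdm and /checkin
    # may reject a bare GET (400/405) but must never be 404.
    if [ "$p" = /version ]; then
      [ "$code" = 200 ] && echo ok || echo missing
    else
      case "$code" in 404|000) echo missing ;; *) echo ok ;; esac
    fi
  else
    # Internal APIs must not be routed at all. Anything other than 404, including a
    # 401 from NanoHUB's Basic auth, means the request reached the pod.
    case "$code" in 404) echo ok ;; 000) echo unreachable ;; *) echo leak ;; esac
  fi
}

# run_smoke -> probes every path on https://$MDM_HOST and returns 1 on any non-ok verdict.
run_smoke() {
  rc=0
  for p in $PUBLIC_PATHS $INTERNAL_PATHS; do
    code=$(http_status "https://$MDM_HOST$p")
    verdict=$(judge_path "$p" "$code")
    printf '%-20s %s %s\n' "$p" "$code" "$verdict"
    [ "$verdict" = ok ] || rc=1
  done
  return "$rc"
}
if [ "${1:-}" = --run ]; then run_smoke; fi
```

Run it as `./smoke.sh --run` after the ArgoCD sync; a `leak` verdict on any `/api/v1/` path means the Traefik route publishes more than the three intended paths.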