
Automating TLS Certificates in a Homelab: Smallstep PKI, Caddy, and Drone CI/CD — A Static Website Case Study

Abstract

Running services in a homelab behind an internal reverse proxy creates a certificate management problem that is easy to underestimate. This article walks through a real deployment: a Hugo static website built and deployed by Drone CI/CD, with UAT served by an nginx container behind Caddy, and production hosted on Firebase. The core challenge is not just issuing certificates — it is ensuring that Docker containers running as part of the CI/CD pipeline actually trust the internal CA. We examine how Smallstep step-ca acts as the homelab root of trust, how Caddy automates certificate provisioning via ACME, and how an Ansible role bootstraps CA trust on the Docker host so that the Drone Server container can communicate with Gitea over HTTPS. The infrastructure provisioning side (via OpenTofu and Ansible) is also described, with an honest account of what IaC actually created versus what was pre-existing.
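The trust failure the abstract describes is easy to reproduce and to check for. The following Go program is an added example, not code from the article or from the Drone, Gitea or Smallstep projects: it generates a throwaway root CA standing in for the step-ca root, issues a server certificate for a constructed hostname (gitea.homelab.lan), and shows that the certificate only verifies once that root is in the client's trust pool. Drone and Gitea are Go programs, and Go on Linux loads its default pool from the system locations (/etc/ssl/certs, or whatever SSL_CERT_FILE / SSL_CERT_DIR point at), which is why installing the root on the host matters; the container must still see that store, whether through a bind mount or an image that includes it, or the failure below is what it reports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// HomelabPKI is a constructed stand-in for the step-ca root and one certificate it issued.
type HomelabPKI struct {
	RootPEM []byte            // root CA in PEM form, as copied into the host trust store
	Leaf    *x509.Certificate // server certificate for the Gitea hostname
}

// NewHomelabPKI generates a throwaway root CA and a server certificate for hostname.
// A real deployment gets both from step-ca; this exists only so the checks run offline.
func NewHomelabPKI(hostname string) (*HomelabPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Homelab Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // the SAN is what clients match against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
	return &HomelabPKI{RootPEM: rootPEM, Leaf: leaf}, nil
}

// VerifyAgainst reports whether leaf chains to a root in pool and is valid for hostname.
// An empty (non-nil) pool reproduces what a container without the homelab root sees.
func VerifyAgainst(leaf *x509.Certificate, pool *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

// TrustedClient builds an http.Client that trusts exactly the roots in rootPEM. This is the
// explicit form of what the host trust store provides implicitly to Go programs like Drone.
func TrustedClient(rootPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, fmt.Errorf("no certificates found in PEM bundle")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: tr}, nil
}

func main() {
	const gitea = "gitea.homelab.lan" // constructed hostname
	pki, err := NewHomelabPKI(gitea)
	if err != nil {
		panic(err)
	}
	// Without the root: the "certificate signed by unknown authority" error a container
	// with a stock trust store reports when Drone calls Gitea over HTTPS.
	fmt.Println("empty pool  :", VerifyAgainst(pki.Leaf, x509.NewCertPool(), gitea))
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(pki.RootPEM)
	fmt.Println("homelab root:", VerifyAgainst(pki.Leaf, pool, gitea))
	fmt.Println("wrong host  :", VerifyAgainst(pki.Leaf, pool, "drone.homelab.lan"))
}
```

The third check is the one worth keeping in mind when a reverse proxy sits in front of a service: the root can be trusted and the chain valid, yet verification still fails if the name the client dials is not in the certificate's SANs.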

Tags: homelab, pki, smallstep, caddy, drone, ci-cd, tls, certificates, infrastructure-as-code, opentofu, ansible, hugo, static-sites