Add HTTPS onboarding page; prefer .local host for service URLs

pikit-api.py

@@ -174,6 +174,14 @@ def normalize_path(path: str | None) -> str:
     return p
 
 
+def default_host():
+    """Return preferred hostname (append .local if bare)."""
+    host = socket.gethostname()
+    if "." not in host:
+        host = f"{host}.local"
+    return host
+
+
 def dbg(msg):
     # Legacy debug file logging (when /boot/pikit-debug exists)
     if DEBUG_FLAG:
@@ -226,7 +234,7 @@ def load_services():
         try:
             data = json.loads(SERVICE_JSON.read_text())
             # Normalize entries: ensure url built from port if missing
-            host = socket.gethostname()
+            host = default_host()
             for svc in data:
                 svc_path = normalize_path(svc.get("path"))
                 if svc_path:
@@ -506,16 +514,8 @@ def set_updates_config(opts: dict):
 
 
 def detect_https(host, port):
-    try:
+    """Heuristic: known HTTPS ports or .local certs."""
-        import ssl
+    return int(port) in HTTPS_PORTS or str(host).lower().endswith(".local") or str(host).lower() == "pikit"
-        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
-        with socket.create_connection((host, int(port)), timeout=1.5) as sock:
-            with ctx.wrap_socket(sock, server_hostname=host):
-                return True
-    except Exception:
-        return False
 
 
 def factory_reset():
@@ -1176,6 +1176,12 @@ class Handler(BaseHTTPRequestHandler):
                 if port:
                     svc["online"] = port_online("127.0.0.1", port)
                     svc["firewall_open"] = ufw_status_allows(port)
+                    # Rebuild URL with preferred host (adds .local)
+                    host = default_host()
+                    path = normalize_path(svc.get("path"))
+                    scheme = svc.get("scheme") or ("https" if detect_https(host, port) else "http")
+                    svc["scheme"] = scheme
+                    svc["url"] = f"{scheme}://{host}:{port}{path}"
                 services.append(svc)
             self._send(200, {"services": services})
         elif self.path.startswith("/api/updates/auto"):
@@ -1294,7 +1300,7 @@ class Handler(BaseHTTPRequestHandler):
             services = load_services()
             if any(s.get("port") == port for s in services):
                 return self._send(400, {"error": "port already exists"})
-            host = socket.gethostname()
+            host = default_host()
             scheme = payload.get("scheme")
             if scheme not in ("http", "https"):
                 scheme = "https" if detect_https(host, port) else "http"
@@ -1368,7 +1374,7 @@ class Handler(BaseHTTPRequestHandler):
                             svc["port"] = new_port_int
                             target_port = new_port_int
                             port_changed = True
-                    host = socket.gethostname()
+                    host = default_host()
                     if new_path is not None:
                         path = normalize_path(new_path)
                         if path:

pikit-web/onboarding/index.html

@@ -0,0 +1,113 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Welcome to your Pi-Kit</title>
+    <link rel="stylesheet" href="/onboarding/style.css" />
+  </head>
+  <body>
+    <main class="card">
+      <header>
+        <div class="dot"></div>
+        <h1>Secure connection to your Pi-Kit</h1>
+      </header>
+
+      <p>
+        You’re on your Pi-Kit. Everything stays on your local network. Let’s switch to the
+        secure (HTTPS) dashboard.
+      </p>
+
+      <section class="actions">
+        <button id="continueBtn">Continue to secure dashboard</button>
+        <a class="ghost" id="downloadCa" href="/assets/pikit-ca.crt" download>Download Pi-Kit CA</a>
+      </section>
+
+      <section class="steps">
+        <h3>If you see a warning</h3>
+        <ul>
+          <li>Brave/Chrome: click <strong>Advanced</strong> → <strong>Proceed</strong>.</li>
+          <li>Firefox: click <strong>Advanced</strong> → <strong>Accept the Risk & Continue</strong>.</li>
+        </ul>
+        <p>This is safe for your own Pi on your own network.</p>
+      </section>
+
+      <section class="steps">
+        <h3>Install the Pi-Kit CA (recommended, one-time)</h3>
+        <p>This removes future warnings for both Pi-Kit and DietPi dashboards.</p>
+        <details>
+          <summary>Linux (Arch/Endeavour)</summary>
+          <code id="archCmd">curl -s https://pikit.local/assets/pikit-ca.crt -o /tmp/pikit-ca.crt && sudo install -m644 /tmp/pikit-ca.crt /etc/ca-certificates/trust-source/anchors/ && sudo trust extract-compat</code>
+          <button class="copy" data-target="archCmd">Copy</button>
+        </details>
+        <details>
+          <summary>Linux (Debian/Ubuntu)</summary>
+          <code id="debCmd">curl -s https://pikit.local/assets/pikit-ca.crt -o /tmp/pikit-ca.crt && sudo cp /tmp/pikit-ca.crt /usr/local/share/ca-certificates/pikit-ca.crt && sudo update-ca-certificates</code>
+          <button class="copy" data-target="debCmd">Copy</button>
+        </details>
+        <details>
+          <summary>macOS</summary>
+          <p>Double-click <em>pikit-ca.crt</em> → Always Trust.</p>
+        </details>
+        <details>
+          <summary>Windows</summary>
+          <p>Run <strong>mmc</strong> → Add/Remove Snap-in → Certificates (Computer) → Trusted Root CAs → Import <em>pikit-ca.crt</em>.</p>
+        </details>
+      </section>
+
+      <p class="footnote">
+        Once trusted, this page will auto-forward you to the secure dashboard.
+      </p>
+    </main>
+
+    <script>
+      (function () {
+        const target = `https://${location.hostname}`;
+        const log = (m) => console.log("[pikit onboarding]", m);
+
+        async function probe() {
+          try {
+            await fetch(`${target}/api/status`, { mode: "no-cors", cache: "no-store" });
+            log("HTTPS reachable, redirecting");
+            window.location = target;
+          } catch (e) {
+            log("HTTPS probe failed; staying on onboarding page");
+          }
+        }
+
+        document.getElementById("continueBtn").addEventListener("click", () => {
+          window.location = target;
+        });
+
+        document.querySelectorAll(".copy").forEach((btn) => {
+          btn.addEventListener("click", async () => {
+            const id = btn.dataset.target;
+            const el = document.getElementById(id);
+            const text = el.textContent.trim();
+            try {
+              if (navigator.clipboard && window.isSecureContext) {
+                await navigator.clipboard.writeText(text);
+              } else {
+                const ta = document.createElement("textarea");
+                ta.value = text;
+                ta.style.position = "fixed";
+                ta.style.opacity = "0";
+                document.body.appendChild(ta);
+                ta.select();
+                document.execCommand("copy");
+                document.body.removeChild(ta);
+              }
+              btn.textContent = "Copied";
+              setTimeout(() => (btn.textContent = "Copy"), 1500);
+            } catch (err) {
+              btn.textContent = "Failed";
+              setTimeout(() => (btn.textContent = "Copy"), 1500);
+            }
+          });
+        });
+
+        probe();
+      })();
+    </script>
+  </body>
+</html>

pikit-web/onboarding/style.css

@@ -0,0 +1,131 @@
+:root {
+  color-scheme: dark;
+  --bg: #0c111a;
+  --panel: #131a24;
+  --text: #dce5f7;
+  --muted: #95a3c1;
+  --accent: #3dd598;
+  --border: #1f2734;
+}
+
+* {
+  box-sizing: border-box;
+}
+
+body {
+  margin: 0;
+  min-height: 100vh;
+  display: grid;
+  place-items: center;
+  background: radial-gradient(120% 120% at 20% 20%, #162133, #0c111a 60%);
+  color: var(--text);
+  font-family: "DM Sans", "Inter", system-ui, -apple-system, sans-serif;
+  padding: 24px;
+}
+
+.card {
+  max-width: 720px;
+  width: 100%;
+  background: var(--panel);
+  border: 1px solid var(--border);
+  border-radius: 16px;
+  padding: 20px 22px 24px;
+  box-shadow: 0 12px 50px rgba(0, 0, 0, 0.35);
+}
+
+header {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  margin-bottom: 12px;
+}
+
+h1 {
+  margin: 0;
+  font-size: 1.35rem;
+}
+
+p {
+  margin: 8px 0;
+  color: var(--muted);
+}
+
+.dot {
+  width: 12px;
+  height: 12px;
+  border-radius: 50%;
+  background: var(--accent);
+  box-shadow: 0 0 12px var(--accent);
+}
+
+.actions {
+  display: flex;
+  gap: 12px;
+  flex-wrap: wrap;
+  margin: 12px 0 4px;
+}
+
+button,
+a.ghost {
+  border: 1px solid var(--border);
+  background: var(--accent);
+  color: #0c111a;
+  padding: 10px 16px;
+  border-radius: 10px;
+  font-weight: 600;
+  cursor: pointer;
+  text-decoration: none;
+}
+
+button.ghost,
+a.ghost {
+  background: transparent;
+  color: var(--text);
+}
+
+button.copy {
+  margin-left: 8px;
+  background: transparent;
+  color: var(--text);
+  border: 1px solid var(--border);
+  padding: 6px 10px;
+}
+
+.steps {
+  margin: 12px 0;
+  padding: 10px 12px;
+  border: 1px solid var(--border);
+  border-radius: 12px;
+  background: rgba(255, 255, 255, 0.02);
+}
+
+.steps h3 {
+  margin: 0 0 6px;
+}
+
+ul {
+  margin: 6px 0 4px 18px;
+  color: var(--text);
+}
+
+code {
+  display: block;
+  background: #0b1018;
+  border: 1px solid var(--border);
+  padding: 10px;
+  border-radius: 10px;
+  margin-top: 6px;
+  color: var(--text);
+  word-break: break-all;
+}
+
+summary {
+  cursor: pointer;
+  font-weight: 600;
+  color: var(--text);
+}
+
+.footnote {
+  font-size: 0.9rem;
+  color: var(--muted);
+}