Sign Sunshine certs with a 1Password-backed root CA

Replaces Sunshine's self-signed cert with one minted from a private root CA
whose key material lives in 1Password. Every host running install.sh fetches
the CA via 'op read', mints itself a host cert with SANs for <hostname>.lan
and the current LAN IP, and installs the CA into the system trust store.

Bootstrap (run once, anywhere)
- scripts/cert-bootstrap.sh: generates a 4096-bit RSA root CA (10y validity),
  uploads it as a Secure Note titled "Omarchy-Stream Root CA" in the Private
  vault with two fields: cert (text) and key (concealed). Refuses to overwrite
  an existing item without --force.

Per-host (lib/certs.sh)
- fetch_and_install_certs: reads op://Private/Omarchy-Stream Root CA/{cert,key}
  to a tmpfs-staged temp dir (XDG_RUNTIME_DIR), mints a host cert via openssl
  with serverAuth + clientAuth EKU, drops cert/key at ~/.config/sunshine/
  credentials/{cacert,cakey}.pem, installs the CA at
  /etc/ca-certificates/trust-source/anchors/omarchy-stream-ca.pem and runs
  update-ca-trust.
- Idempotent: skips re-mint when on-disk cert is signed by the current CA,
  has the expected SANs, and isn't within 30 days of expiry. Override with
  FORCE_CERTS=1 or --force-certs.

install.sh
- Adds --no-certs, --force-certs flags; sources lib/certs.sh; runs cert step
  after permissions/config and before firewall so the service restart at the
  end of install picks up the new cert.

client/install-macos.sh
- After installing Moonlight, if `op` is available and signed in, fetches the
  CA and adds it as a trusted root to /Library/Keychains/System.keychain via
  `security add-trusted-cert -d -r trustRoot`. Skips cleanly when op isn't
  ready.

uninstall.sh
- Adds --remove-ca-trust to delete the system trust anchor. By default the
  CA is left in place since other tools may rely on it.

verify.sh
- Adds checks for: cert signed by omarchy-stream CA, cert >30 days from
  expiry, CA present in system trust store.

Docs
- README "Trusted TLS certs via 1Password" section: bootstrap flow, per-host
  flow, client trust matrix (Linux / macOS / iOS / Android / Apple TV),
  re-pairing note (first cert install on a host invalidates pinned Moonlight
  fingerprints), config env vars.
- client/README gains per-platform CA-trust install steps with concrete
  `op read` + platform-specific commands.
2026-05-18 10:43:33 -06:00
parent 171ade4ff1
commit e878b392e4
8 changed files with 513 additions and 5 deletions


@@ -26,6 +26,8 @@ source "$SCRIPT_DIR/lib/service.sh"
source "$SCRIPT_DIR/lib/verify.sh"
# shellcheck source=lib/headless.sh
source "$SCRIPT_DIR/lib/headless.sh"
# shellcheck source=lib/certs.sh
source "$SCRIPT_DIR/lib/certs.sh"
usage() {
cat <<EOF
@@ -42,12 +44,16 @@ Options:
--from-source Build Sunshine from source (equivalent to SUNSHINE_PKG=sunshine)
--headless Force headless streaming mode (wlr capture of HEADLESS-1)
--mirror Force mirror mode (KMS capture of the real display)
--no-certs Skip the 1Password-backed cert step (use Sunshine's self-signed)
--force-certs Re-mint the host cert even if the current one is valid
--doctor Run only the post-install verification checks
-h, --help Show this help
Environment overrides:
SUNSHINE_PKG AUR package to use for Sunshine (default: sunshine-bin)
Set to 'sunshine' to build from source instead.
OP_VAULT 1Password vault that holds the root CA (default: Private)
OP_CA_ITEM Item title in that vault (default: Omarchy-Stream Root CA)
EOF
}
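Review bot: The "Environment overrides" block in the help text gains OP_VAULT and OP_CA_ITEM but not FORCE_CERTS, which the commit message names as an override and which --force-certs exports. Add a FORCE_CERTS line here so the environment form is discoverable from --help. Since the default item title "Omarchy-Stream Root CA" contains spaces, it is also worth noting that OP_CA_ITEM must be quoted when set on the command line.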
@@ -58,6 +64,7 @@ INSTALL_MOONLIGHT=1
WRITE_CONFIG=1
DOCTOR_ONLY=0
MODE_OVERRIDE=""
INSTALL_CERTS=1
while [[ $# -gt 0 ]]; do
case "$1" in
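Review bot: INSTALL_CERTS gets a default in this block, but CERTS_REPLACED, which main() assigns only when fetch_and_install_certs succeeds, has no default anywhere in the visible lines. Add CERTS_REPLACED=0 next to INSTALL_CERTS=1 so any later read of it does not depend on the success path having run.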
@@ -66,6 +73,8 @@ while [[ $# -gt 0 ]]; do
--no-moonlight) INSTALL_MOONLIGHT=0 ;;
--no-sunshine) INSTALL_SUNSHINE=0 ;;
--no-config) WRITE_CONFIG=0 ;;
--no-certs) INSTALL_CERTS=0 ;;
--force-certs) export FORCE_CERTS=1 ;;
--from-source) export SUNSHINE_PKG=sunshine ;;
--headless) MODE_OVERRIDE="headless" ;;
--mirror) MODE_OVERRIDE="mirror" ;;
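Review bot: Passing --no-certs together with --force-certs is accepted without complaint: FORCE_CERTS is exported, but main() only enters the cert step when INSTALL_CERTS is 1, so the force request is silently dropped. Reject the combination after the parse loop with a usage error, or at least warn, so an operator who asked for a re-mint is not left believing one happened.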
@@ -133,6 +142,18 @@ main() {
info "Skipping sunshine.conf (--no-config)"
fi
if [[ $INSTALL_CERTS -eq 1 ]]; then
step "Installing CA-signed Sunshine cert from 1Password"
if fetch_and_install_certs; then
CERTS_REPLACED=1
else
warn "Cert install failed — falling back to Sunshine's self-signed cert."
warn "Run scripts/cert-bootstrap.sh to create the CA item, then re-run install.sh."
fi
else
info "Skipping cert step (--no-certs)"
fi
if [[ $FIREWALL -eq 1 ]]; then
step "Configuring firewall for Sunshine ports"
open_sunshine_ports
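Review bot: The else branch after "if fetch_and_install_certs; then" fails open: any failure downgrades the host to Sunshine's self-signed cert with only a warning, and the install continues to the firewall step. That is a reasonable default for a first run, but when the operator explicitly passed --force-certs (FORCE_CERTS=1) a failed mint should abort with a non-zero exit rather than fall back. The second warn line also assumes the cause is a missing CA item; per the commit message the function also depends on op being signed in, openssl, and update-ca-trust, so either have fetch_and_install_certs report which stage failed or make the hint generic.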