Enhance Windows 11 WSL 2 integration - automatically install root CA / doh / hosts

[ilnytskyi]

Check List

• Matching PR in the documentation repo Windows 11 related WSL updates root ca docs docs#54
• Entry in CHANGELOG.md

Is your feature request related to a problem? Please describe.
When Warden is installed inside WSL, warden install currently trusts the generated root CA only inside the Linux certificate store. Windows browsers running on the host OS still see the Warden certificates as untrusted, so users have to manually import the CA into Windows before local HTTPS works cleanly.

Describe the solution you've submitted
This change detects when warden install is running inside WSL and, when powershell.exe is available, imports the generated Warden root CA into the Windows CurrentUser\Root certificate store. The Linux and macOS trust logic remains unchanged, and the Windows import is idempotent by certificate thumbprint so reruns do not create duplicates.

Describe alternatives you've considered
The main alternative was to leave Windows CA trust as a manual post-install step documented in the docs repo. That keeps the install script simpler, but it preserves a confusing failure mode where Warden appears installed correctly inside WSL while Windows browsers still warn on every HTTPS site. Another alternative was to use Import-Certificate, but the .NET certificate store API worked more reliably from a non-interactive WSL session.

Additional context
I validated the resulting certificate trust flow from WSL on a current Windows 11 setup with Firefox, Chrome, and Edge. A matching documentation update has been prepared in the docs repo on branch codex/wsl-windows-root-ca-docs.

• Major browsers all green

• Prompt asking for cert import confirmation

[Copilot]

Pull request overview

Adds WSL-aware behavior to warden install so that, when run inside WSL, the generated Warden root CA is also trusted by Windows (host) browsers by importing it into the Windows CurrentUser\Root certificate store.

Changes:

• Add WSL detection and a PowerShell-based Windows certificate import helper.
• Invoke the Windows root CA trust step during warden install when PowerShell is available in WSL.
• Document the behavior in CHANGELOG.md.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
utils/install.sh	Adds WSL detection + PowerShell logic to import/replace the root CA in the Windows CurrentUser root store.
commands/install.cmd	Calls the Windows trust helper during warden install when running under WSL.
CHANGELOG.md	Notes the new WSL-to-Windows root CA trust behavior in UNRELEASED.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ilnytskyi]

I added a bit more WSL related enhancements:

1. We can now use DNS over HTTPS as workaround for domains resolution. It required to make main root ca support pki.

• this required adding one more opt-in dns service, unfortunately there is no drop-in replacement for current dnsmasq with DoH support. But new service only works as forwarder to dnsmasq, it will only meant to translate DoH requests.
• for DoH on windows to work properly we need to serve revocation endpoint over plan HTTP, that required moving hard traefik http -> https redirect into middleware. That way some services can be http-only on demand.

3. Certs automatically installed into windows machine store to allow DoH. - User store only makes warden domains green but is not enough for DNS over HTTPS 4. doctor command also checks how networking seen from windows side when it detects we are running inside WSL.

Those changes do not touch any advanced system defaults like Hyper-V configs, WSL default settings, removing SharedAccess service.

[ilnytskyi]

• looks like pki endpoints can be baked directly into powedns container without busybox for simplification.