feat(domains): add custom certificate resolver support

- Extend domain configuration to support custom certificate resolvers - Add new "custom" certificate type option in domain forms - Update database schema and validation to include custom certificate resolver - Implement custom certificate resolver handling in Traefik and Docker domain configurations - Enhance domain management with more flexible SSL/TLS certificate options
2025-06-26 18:27:59 +00:00 · 2025-03-08 20:46:31 -06:00
parent 4730845a40
commit cc8ffca4d4
12 changed files with 5367 additions and 67 deletions
--- a/packages/server/src/db/schema/domain.ts
+++ b/packages/server/src/db/schema/domain.ts
@@ -41,6 +41,7 @@ export const domains = pgTable("domain", {
 	composeId: text("composeId").references(() => compose.composeId, {
 		onDelete: "cascade",
 	}),
+	customCertResolver: text("customCertResolver"),
 	applicationId: text("applicationId").references(
 		() => applications.applicationId,
 		{ onDelete: "cascade" },
@@ -76,6 +77,7 @@ export const apiCreateDomain = createSchema.pick({
 	https: true,
 	applicationId: true,
 	certificateType: true,
+	customCertResolver: true,
 	composeId: true,
 	serviceName: true,
 	domainType: true,
@@ -107,6 +109,7 @@ export const apiUpdateDomain = createSchema
 		port: true,
 		https: true,
 		certificateType: true,
+		customCertResolver: true,
 		serviceName: true,
 		domainType: true,
 	})
--- a/packages/server/src/db/schema/shared.ts
+++ b/packages/server/src/db/schema/shared.ts
@@ -10,4 +10,5 @@ export const applicationStatus = pgEnum("applicationStatus", [
 export const certificateType = pgEnum("certificateType", [
 	"letsencrypt",
 	"none",
+	"custom",
 ]);
--- a/packages/server/src/db/validations/domain.ts
+++ b/packages/server/src/db/validations/domain.ts
@@ -10,7 +10,8 @@ export const domain = z
 			.max(65535, { message: "Port must be 65535 or below" })
 			.optional(),
 		https: z.boolean().optional(),
-		certificateType: z.enum(["letsencrypt", "none"]).optional(),
+		certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
+		customCertResolver: z.string(),
 	})
 	.superRefine((input, ctx) => {
 		if (input.https && !input.certificateType) {
@@ -20,6 +21,14 @@ export const domain = z
 				message: "Required",
 			});
 		}
+
+		if (input.certificateType === "custom" && !input.customCertResolver) {
+			ctx.addIssue({
+				code: z.ZodIssueCode.custom,
+				path: ["customCertResolver"],
+				message: "Required when certificate type is custom",
+			});
+		}
 	});

 export const domainCompose = z
@@ -32,7 +41,8 @@ export const domainCompose = z
 			.max(65535, { message: "Port must be 65535 or below" })
 			.optional(),
 		https: z.boolean().optional(),
-		certificateType: z.enum(["letsencrypt", "none"]).optional(),
+		certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
+		customCertResolver: z.string(),
 		serviceName: z.string().min(1, { message: "Service name is required" }),
 	})
 	.superRefine((input, ctx) => {
@@ -43,4 +53,12 @@ export const domainCompose = z
 				message: "Required",
 			});
 		}
+
+		if (input.certificateType === "custom" && !input.customCertResolver) {
+			ctx.addIssue({
+				code: z.ZodIssueCode.custom,
+				path: ["customCertResolver"],
+				message: "Required when certificate type is custom",
+			});
+		}
 	});
--- a/packages/server/src/utils/docker/domain.ts
+++ b/packages/server/src/utils/docker/domain.ts
@@ -211,13 +211,9 @@ export const addDomainToCompose = async (
 			throw new Error(`The service ${serviceName} not found in the compose`);
 		}

-		const httpLabels = await createDomainLabels(appName, domain, "web");
+		const httpLabels = createDomainLabels(appName, domain, "web");
 		if (https) {
-			const httpsLabels = await createDomainLabels(
-				appName,
-				domain,
-				"websecure",
-			);
+			const httpsLabels = createDomainLabels(appName, domain, "websecure");
 			httpLabels.push(...httpsLabels);
 		}

@@ -279,12 +275,20 @@ export const writeComposeFile = async (
 	}
 };

-export const createDomainLabels = async (
+export const createDomainLabels = (
 	appName: string,
 	domain: Domain,
 	entrypoint: "web" | "websecure",
 ) => {
-	const { host, port, https, uniqueConfigKey, certificateType, path } = domain;
+	const {
+		host,
+		port,
+		https,
+		uniqueConfigKey,
+		certificateType,
+		path,
+		customCertResolver,
+	} = domain;
 	const routerName = `${appName}-${uniqueConfigKey}-${entrypoint}`;
 	const labels = [
 		`traefik.http.routers.${routerName}.rule=Host(\`${host}\`)${path && path !== "/" ? ` && PathPrefix(\`${path}\`)` : ""}`,
@@ -304,6 +308,10 @@ export const createDomainLabels = async (
 			labels.push(
 				`traefik.http.routers.${routerName}.tls.certresolver=letsencrypt`,
 			);
+		} else if (certificateType === "custom" && customCertResolver) {
+			labels.push(
+				`traefik.http.routers.${routerName}.tls.certresolver=${customCertResolver}`,
+			);
 		}
 	}

--- a/packages/server/src/utils/traefik/domain.ts
+++ b/packages/server/src/utils/traefik/domain.ts
@@ -148,6 +148,8 @@ export const createRouterConfig = async (
 	if (entryPoint === "websecure") {
 		if (certificateType === "letsencrypt") {
 			routerConfig.tls = { certResolver: "letsencrypt" };
+		} else if (certificateType === "custom" && domain.customCertResolver) {
+			routerConfig.tls = { certResolver: domain.customCertResolver };
 		} else if (certificateType === "none") {
 			routerConfig.tls = undefined;
 		}