feat(proxy): add certbot integration

GaspardKirira · GaspardKirira · commit 2b40decec5aa · 2026-05-25T08:30:16.000+03:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -192,6 +192,8 @@ else()
     endif()
 
     if (EXISTS "${_VIX_CRYPTO_DIR}/CMakeLists.txt" AND NOT TARGET vix::crypto)
+      set(VIX_CRYPTO_BUILD_TESTS OFF CACHE BOOL "" FORCE)
+      set(VIX_CRYPTO_BUILD_EXAMPLES OFF CACHE BOOL "" FORCE)
       add_subdirectory("${_VIX_CRYPTO_DIR}" "${CMAKE_BINARY_DIR}/_vix_crypto")
     endif()
 
@@ -353,6 +355,17 @@ else()
   message(STATUS "[cli] Game command disabled: vix::game target not found")
 endif()
 
+# ----------------------------------------------------
+# Optional crypto command support
+# ----------------------------------------------------
+if (TARGET vix::crypto)
+  message(STATUS "[cli] Crypto command enabled")
+  target_link_libraries(vix_cli PRIVATE vix::crypto)
+  target_compile_definitions(vix_cli PRIVATE VIX_CLI_HAS_CRYPTO=1)
+else()
+  message(STATUS "[cli] Crypto command disabled: vix::crypto target not found")
+endif()
+
 # ----------------------------------------------------
 # Optional db command support
 # ----------------------------------------------------
diff --git a/include/vix/cli/commands/proxy/NginxCertbot.hpp b/include/vix/cli/commands/proxy/NginxCertbot.hpp
@@ -0,0 +1,32 @@
+/**
+ *
+ *  @file NginxCertbot.hpp
+ *  @author Gaspard Kirira
+ *
+ *  Copyright 2026, Gaspard Kirira.  All rights reserved.
+ *  https://github.com/vixcpp/vix
+ *  Use of this source code is governed by a MIT license
+ *  that can be found in the License file.
+ *
+ *  Vix.cpp
+ */
+#ifndef VIX_NGINX_CERTBOT_HPP
+#define VIX_NGINX_CERTBOT_HPP
+
+#include <vix/cli/commands/proxy/ProxyTypes.hpp>
+
+namespace vix::commands::proxy::nginx_certbot
+{
+  /**
+   * @brief Issue or renew a Let's Encrypt certificate using Certbot.
+   *
+   * This prepares an HTTP Nginx config first, runs Certbot with the Nginx
+   * plugin, then reinstalls the final Vix TLS proxy config.
+   *
+   * @param cfg Loaded Nginx proxy configuration.
+   * @return Process exit code.
+   */
+  int run(const NginxProxyConfig &cfg);
+}
+
+#endif
diff --git a/src/commands/ProxyCommand.cpp b/src/commands/ProxyCommand.cpp
@@ -11,6 +11,7 @@
  *  Vix.cpp
  */
 #include <vix/cli/commands/ProxyCommand.hpp>
+#include <vix/cli/commands/proxy/NginxCertbot.hpp>
 #include <vix/cli/commands/proxy/NginxChecker.hpp>
 #include <vix/cli/commands/proxy/NginxGenerator.hpp>
 #include <vix/cli/commands/proxy/NginxOutput.hpp>
@@ -32,11 +33,13 @@ namespace vix::commands
           << "Commands:\n"
           << "  init       Generate, install and enable an Nginx config\n"
           << "  check      Validate the installed Nginx proxy config\n"
-          << "  reload     Validate and reload Nginx\n\n"
+          << "  reload     Validate and reload Nginx\n"
+          << "  certbot    Issue or renew a Let's Encrypt certificate\n\n"
           << "Examples:\n"
           << "  vix proxy nginx init\n"
           << "  vix proxy nginx check\n"
-          << "  vix proxy nginx reload\n";
+          << "  vix proxy nginx reload\n"
+          << "  vix proxy nginx certbot\n";
 
       return 0;
     }
@@ -58,6 +61,9 @@ namespace vix::commands
       if (action == "reload")
         return proxy::nginx_checker::reload(cfg);
 
+      if (action == "certbot")
+        return proxy::nginx_certbot::run(cfg);
+
       proxy::nginx_output::error(
           std::cerr,
           "unknown nginx proxy command: " + action);
@@ -116,11 +122,13 @@ namespace vix::commands
         << "Commands:\n"
         << "  nginx init       Generate, install and enable an Nginx config\n"
         << "  nginx check      Validate the installed Nginx proxy config\n"
-        << "  nginx reload     Validate and reload Nginx\n\n"
+        << "  nginx reload     Validate and reload Nginx\n"
+        << "  nginx certbot    Issue or renew a Let's Encrypt certificate\n\n"
         << "Examples:\n"
         << "  vix proxy nginx init\n"
         << "  vix proxy nginx check\n"
-        << "  vix proxy nginx reload\n";
+        << "  vix proxy nginx reload\n"
+        << "  vix proxy nginx certbot\n";
 
     return 0;
   }
diff --git a/src/commands/proxy/NginxCertbot.cpp b/src/commands/proxy/NginxCertbot.cpp
@@ -0,0 +1,260 @@
+/**
+ *
+ *  @file NginxCertbot.cpp
+ *  @author Gaspard Kirira
+ *
+ *  Copyright 2026, Gaspard Kirira.  All rights reserved.
+ *  https://github.com/vixcpp/vix
+ *  Use of this source code is governed by a MIT license
+ *  that can be found in the License file.
+ *
+ *  Vix.cpp
+ */
+#include <vix/cli/commands/proxy/NginxCertbot.hpp>
+#include <vix/cli/commands/proxy/NginxGenerator.hpp>
+#include <vix/cli/commands/proxy/NginxOutput.hpp>
+
+#include <cstdlib>
+#include <filesystem>
+#include <fstream>
+#include <iostream>
+#include <string>
+
+namespace fs = std::filesystem;
+
+namespace vix::commands::proxy::nginx_certbot
+{
+  namespace
+  {
+    std::string shell_quote(const std::string &value)
+    {
+      std::string out = "'";
+
+      for (char c : value)
+      {
+        if (c == '\'')
+          out += "'\\''";
+        else
+          out += c;
+      }
+
+      out += "'";
+      return out;
+    }
+
+    bool run_cmd(const std::string &cmd)
+    {
+      return std::system(cmd.c_str()) == 0;
+    }
+
+    fs::path default_certificate_path(const std::string &domain)
+    {
+      return fs::path("/etc/letsencrypt/live") / domain / "fullchain.pem";
+    }
+
+    fs::path default_certificate_key_path(const std::string &domain)
+    {
+      return fs::path("/etc/letsencrypt/live") / domain / "privkey.pem";
+    }
+
+    bool install_rendered_config(const NginxProxyConfig &cfg)
+    {
+      const std::string config = nginx_generator::render_config(cfg);
+      const fs::path tmp = fs::temp_directory_path() / (cfg.appName + ".nginx");
+
+      {
+        std::ofstream out(tmp);
+
+        if (!out)
+        {
+          nginx_output::error(
+              std::cerr,
+              "Failed to write temporary Nginx config: " + tmp.string());
+
+          return false;
+        }
+
+        out << config;
+      }
+
+      if (!run_cmd(
+              "sudo cp " +
+              shell_quote(tmp.string()) +
+              " " +
+              shell_quote(cfg.sitesAvailablePath.string())))
+      {
+        nginx_output::error(std::cerr, "Failed to install Nginx site config.");
+        run_cmd("rm -f " + shell_quote(tmp.string()));
+        return false;
+      }
+
+      run_cmd("rm -f " + shell_quote(tmp.string()));
+
+      if (!run_cmd(
+              "sudo ln -sfn " +
+              shell_quote(cfg.sitesAvailablePath.string()) +
+              " " +
+              shell_quote(cfg.sitesEnabledPath.string())))
+      {
+        nginx_output::error(std::cerr, "Failed to enable Nginx site.");
+        return false;
+      }
+
+      return true;
+    }
+
+    bool nginx_test()
+    {
+      if (!run_cmd("sudo nginx -t"))
+      {
+        nginx_output::error(std::cerr, "Nginx config is invalid.");
+        nginx_output::fix(std::cerr, "sudo nginx -t");
+        return false;
+      }
+
+      nginx_output::ok(std::cout, "nginx config is valid");
+      return true;
+    }
+
+    bool reload_or_start_nginx()
+    {
+      if (run_cmd("systemctl is-active --quiet nginx"))
+      {
+        if (!run_cmd("sudo systemctl reload nginx"))
+        {
+          nginx_output::error(std::cerr, "Failed to reload Nginx.");
+          nginx_output::fix(std::cerr, "sudo systemctl reload nginx");
+          return false;
+        }
+
+        nginx_output::ok(std::cout, "nginx reloaded");
+        return true;
+      }
+
+      if (!run_cmd("sudo systemctl start nginx"))
+      {
+        nginx_output::error(std::cerr, "Failed to start Nginx.");
+        nginx_output::fix(std::cerr, "sudo systemctl start nginx");
+        return false;
+      }
+
+      nginx_output::ok(std::cout, "nginx started");
+      return true;
+    }
+
+    NginxProxyConfig make_http_bootstrap_config(const NginxProxyConfig &cfg)
+    {
+      NginxProxyConfig http_cfg = cfg;
+      http_cfg.tlsEnabled = false;
+      http_cfg.certificatePath.clear();
+      http_cfg.certificateKeyPath.clear();
+      return http_cfg;
+    }
+
+    NginxProxyConfig make_final_tls_config(const NginxProxyConfig &cfg)
+    {
+      NginxProxyConfig tls_cfg = cfg;
+      tls_cfg.tlsEnabled = true;
+
+      if (tls_cfg.certificatePath.empty())
+        tls_cfg.certificatePath = default_certificate_path(tls_cfg.domain);
+
+      if (tls_cfg.certificateKeyPath.empty())
+        tls_cfg.certificateKeyPath = default_certificate_key_path(tls_cfg.domain);
+
+      return tls_cfg;
+    }
+  }
+
+  int run(const NginxProxyConfig &cfg)
+  {
+    nginx_output::print_init_summary(std::cout, cfg);
+
+    if (cfg.domain.empty())
+    {
+      nginx_output::error(std::cerr, "Missing proxy domain.");
+      nginx_output::fix(std::cerr, "add production.proxy.domain to vix.json");
+      return 1;
+    }
+
+    if (!run_cmd("command -v nginx >/dev/null 2>&1"))
+    {
+      nginx_output::error(std::cerr, "Nginx is not installed or not available in PATH.");
+      nginx_output::fix(std::cerr, "install nginx");
+      return 1;
+    }
+
+    if (!run_cmd("command -v certbot >/dev/null 2>&1"))
+    {
+      nginx_output::error(std::cerr, "Certbot is not installed or not available in PATH.");
+      nginx_output::fix(std::cerr, "sudo apt install certbot python3-certbot-nginx");
+      return 1;
+    }
+
+    nginx_output::ok(std::cout, "preparing temporary HTTP config for Certbot");
+
+    const NginxProxyConfig http_cfg = make_http_bootstrap_config(cfg);
+
+    if (!install_rendered_config(http_cfg))
+      return 1;
+
+    if (!nginx_test())
+      return 1;
+
+    if (!reload_or_start_nginx())
+      return 1;
+
+    const std::string certbot_cmd =
+        "sudo certbot --nginx -d " +
+        shell_quote(cfg.domain);
+
+    nginx_output::ok(std::cout, "running certbot for " + cfg.domain);
+
+    if (!run_cmd(certbot_cmd))
+    {
+      nginx_output::error(std::cerr, "Certbot failed.");
+      nginx_output::fix(std::cerr, certbot_cmd);
+      return 1;
+    }
+
+    nginx_output::ok(std::cout, "certificate issued or renewed");
+
+    const NginxProxyConfig tls_cfg = make_final_tls_config(cfg);
+
+    if (!fs::exists(tls_cfg.certificatePath))
+    {
+      nginx_output::error(
+          std::cerr,
+          "Let's Encrypt certificate was not found: " +
+              tls_cfg.certificatePath.string());
+
+      nginx_output::fix(std::cerr, "check certbot output and domain DNS records");
+      return 1;
+    }
+
+    if (!fs::exists(tls_cfg.certificateKeyPath))
+    {
+      nginx_output::error(
+          std::cerr,
+          "Let's Encrypt private key was not found: " +
+              tls_cfg.certificateKeyPath.string());
+
+      nginx_output::fix(std::cerr, "check certbot output and domain DNS records");
+      return 1;
+    }
+
+    nginx_output::ok(std::cout, "installing final Vix TLS proxy config");
+
+    if (!install_rendered_config(tls_cfg))
+      return 1;
+
+    if (!nginx_test())
+      return 1;
+
+    if (!reload_or_start_nginx())
+      return 1;
+
+    nginx_output::ok(std::cout, "Let's Encrypt integration completed: " + cfg.domain);
+    return 0;
+  }
+}
diff --git a/src/commands/proxy/NginxChecker.cpp b/src/commands/proxy/NginxChecker.cpp
