feat: implement ACME setup service and integrate it into server provisioning workflow

Author: azadshaikh

modules/Platform/app/Console/ServerSetupAcmeCommand.php

@@ -2,32 +2,27 @@
 
 namespace Modules\Platform\Console;
 
-use App\Enums\ActivityAction;
-use App\Traits\ActivityTrait;
-use Exception;
 use Illuminate\Console\Command;
-use Illuminate\Support\Str;
 use Modules\Platform\Models\Server;
-use Modules\Platform\Services\ServerSSHService;
+use Modules\Platform\Services\ServerAcmeSetupService;
 
 /**
- * One-time acme.sh setup on a Hestia server.
+ * ACME setup entrypoint for a Hestia server.
  *
  * Creates the 'asterossl' user, installs acme.sh, registers a Let's Encrypt
- * account, and uploads the SSL helper scripts. This is a standalone command
- * (not a provisioning step) — run it once per server before provisioning websites.
+ * account, and uploads the SSL helper scripts. This command remains available
+ * for manual repair runs even though standard server provisioning now performs
+ * the same setup automatically.
  */
 class ServerSetupAcmeCommand extends Command
 {
-    use ActivityTrait;
-
     protected $signature = 'platform:server:setup-acme
                             {server_id : The ID of the server to configure}
                             {--force : Re-upload scripts even if server is already configured}';
 
     protected $description = 'Install acme.sh and configure SSL tooling on a Hestia server.';
 
-    public function handle(ServerSSHService $sshService): int
+    public function handle(ServerAcmeSetupService $acmeSetupService): int
     {
         $serverId = $this->argument('server_id');
         $server = Server::query()->findOrFail($serverId);
@@ -38,109 +33,16 @@ public function handle(ServerSSHService $sshService): int
             return self::SUCCESS;
         }
 
-        // If already configured but --force is set, skip setup steps and only re-upload scripts
-        if ($server->acme_configured && $this->option('force')) {
-            $this->info(sprintf('Re-uploading SSL scripts to server "%s" (#%d)...', $server->name, $server->id));
-
-            $this->uploadHelperScripts($sshService, $server);
-
-            $this->info('✅ Scripts re-uploaded successfully.');
-
-            return self::SUCCESS;
-        }
-
-        $this->info(sprintf('Setting up acme.sh on server "%s" (#%d)...', $server->name, $server->id));
-
-        // Derive email from server name: "Hestia SG1" → "hestia-sg1@astero.net.in"
-        $acmeEmail = Str::slug($server->name).'@astero.net.in';
-
-        // Step 1: Create asterossl user (idempotent — ignores if already exists)
-        $this->line('Creating asterossl user...');
-        $result = $sshService->executeCommand(
-            $server,
-            'id asterossl &>/dev/null || useradd --system --shell /bin/bash --create-home --home-dir /home/asterossl asterossl',
-            120
-        );
-        throw_unless($result['success'], Exception::class, 'Failed to create asterossl user: '.($result['message'] ?? 'Unknown error'));
-
-        // Step 2: Install acme.sh under asterossl user
-        $this->line('Installing acme.sh...');
-        $result = $sshService->executeCommand(
-            $server,
-            sprintf(
-                'sudo -u asterossl -H bash -c "cd /tmp && curl -s https://get.acme.sh | sh -s -- email=%s" 2>&1',
-                escapeshellarg($acmeEmail)
-            ),
-            180
-        );
-        throw_unless($result['success'], Exception::class, 'Failed to install acme.sh: '.($result['message'] ?? 'Unknown error'));
-
-        // Step 3: Set default CA to Let's Encrypt and register account
-        $this->line('Setting default CA to Let\'s Encrypt...');
-        $result = $sshService->executeCommand(
-            $server,
-            'sudo -u asterossl -H /home/asterossl/.acme.sh/acme.sh --set-default-ca --server letsencrypt 2>&1',
-            30
-        );
-        throw_unless($result['success'], Exception::class, 'Failed to set default CA: '.($result['message'] ?? 'Unknown error'));
-
-        $this->line('Registering Let\'s Encrypt account...');
-        $result = $sshService->executeCommand(
-            $server,
-            sprintf(
-                'sudo -u asterossl -H /home/asterossl/.acme.sh/acme.sh --register-account --server letsencrypt -m %s 2>&1',
-                escapeshellarg($acmeEmail)
-            ),
-            60
-        );
-        throw_unless($result['success'], Exception::class, 'Failed to register LE account: '.($result['message'] ?? 'Unknown error'));
+        $this->info(sprintf(
+            '%s server "%s" (#%d)...',
+            $this->option('force') ? 'Refreshing ACME scripts on' : 'Setting up ACME on',
+            $server->name,
+            $server->id
+        ));
 
-        // Step 5: Create cert storage directory
-        $this->line('Creating SSL store directory...');
-        $result = $sshService->executeCommand($server, 'sudo -u asterossl -H mkdir -p /home/asterossl/.ssl-store', 30);
-        throw_unless($result['success'], Exception::class, 'Failed to create .ssl-store: '.($result['message'] ?? 'Unknown error'));
-
-        // Step 6: Upload helper scripts via SSH (base64 encoding — SFTP is unavailable on Hestia)
-        $this->line('Uploading SSL helper scripts...');
-        $this->uploadHelperScripts($sshService, $server);
-
-        // Mark server as acme-configured
-        $server->acme_configured = true;
-        $server->acme_email = $acmeEmail;
-        $server->save();
-
-        $successMessage = sprintf('acme.sh setup completed on server "%s" (email: %s)', $server->name, $acmeEmail);
-        $this->logActivity($server, ActivityAction::UPDATE, $successMessage);
-        $this->info('✅ '.$successMessage);
+        $result = $acmeSetupService->setup($server, (bool) $this->option('force'));
+        $this->info($result['summary']);
 
         return self::SUCCESS;
     }
-
-    /**
-     * Upload SSL helper scripts to the server via SSH (base64 encoded).
-     */
-    private function uploadHelperScripts(ServerSSHService $sshService, Server $server): void
-    {
-        $scriptsDir = '/usr/local/hestia/data/astero/bin';
-        $result = $sshService->executeCommand($server, sprintf('mkdir -p %s', $scriptsDir), 30);
-        throw_unless($result['success'], Exception::class, 'Failed to create scripts directory: '.($result['message'] ?? 'Unknown error'));
-
-        $localBinDir = base_path('hestia/bin');
-        $scripts = ['a-issue-wildcard-ssl', 'a-check-wildcard-ssl', 'a-renew-wildcard-ssl'];
-
-        foreach ($scripts as $script) {
-            $localPath = $localBinDir.'/'.$script;
-            $remotePath = $scriptsDir.'/'.$script;
-
-            throw_unless(file_exists($localPath), Exception::class, sprintf('Local script not found: %s', $localPath));
-
-            $base64Content = base64_encode(file_get_contents($localPath));
-            $uploadResult = $sshService->executeCommand(
-                $server,
-                sprintf('echo %s | base64 -d > %s && chmod 755 %s', escapeshellarg($base64Content), $remotePath, $remotePath),
-                30
-            );
-            throw_unless($uploadResult['success'], Exception::class, sprintf('Failed to upload %s: %s', $script, $uploadResult['message'] ?? 'Unknown error'));
-        }
-    }
 }

modules/Platform/app/Http/Controllers/ServerController.php

@@ -13,7 +13,6 @@
 use Illuminate\Http\Request;
 use Illuminate\Routing\Controllers\HasMiddleware;
 use Illuminate\Routing\Controllers\Middleware;
-use Illuminate\Support\Facades\Artisan;
 use Illuminate\Support\Facades\DB;
 use Inertia\Inertia;
 use Inertia\Response;
@@ -27,6 +26,7 @@
 use Modules\Platform\Models\Secret;
 use Modules\Platform\Models\Server;
 use Modules\Platform\Models\Website;
+use Modules\Platform\Services\ServerAcmeSetupService;
 use Modules\Platform\Services\ServerService;
 use Modules\Platform\Services\ServerSSHService;
 use Modules\Platform\Services\SSHKeyService;
@@ -531,28 +531,14 @@ public function setupAcme(Request $request, int|string $id): JsonResponse|Redire
         }
 
         try {
-            $exitCode = Artisan::call('platform:server:setup-acme', [
-                'server_id' => $server->id,
-            ]);
-
-            if ($exitCode === 0) {
-                $message = 'acme.sh setup completed successfully.';
-                $this->logActivity($server, ActivityAction::UPDATE, $message);
-
-                if ($request->expectsJson()) {
-                    return response()->json(['status' => 'success', 'message' => $message]);
-                }
-
-                return back()->with('success', $message);
-            }
-
-            $message = 'acme.sh setup failed. Check server logs for details.';
+            $result = resolve(ServerAcmeSetupService::class)->setup($server);
+            $message = $result['summary'];
 
             if ($request->expectsJson()) {
-                return response()->json(['status' => 'error', 'message' => $message], 500);
+                return response()->json(['status' => 'success', 'message' => $message]);
             }
 
-            return back()->with('error', $message);
+            return back()->with('success', $message);
         } catch (Exception $exception) {
             $message = 'acme.sh setup failed: '.$exception->getMessage();
 
@@ -1142,6 +1128,11 @@ protected function getProvisioningStepsConfig(): array
                 'description' => 'Configure HestiaCP, PHP, and Astero directories',
                 'icon' => 'ri-settings-3-line',
             ],
+            'acme_setup' => [
+                'title' => 'ACME Setup',
+                'description' => 'Install acme.sh and wildcard SSL helper scripts',
+                'icon' => 'ri-shield-check-line',
+            ],
             'release_api_key' => [
                 'title' => 'Release API Key',
                 'description' => 'Configure release API key on the target server',
@@ -1167,6 +1158,11 @@ protected function getProvisioningStepsConfig(): array
                 'description' => 'Sync server information and stats',
                 'icon' => 'ri-macbook-line',
             ],
+            'pg_optimize' => [
+                'title' => 'Optimize PostgreSQL',
+                'description' => 'Apply PostgreSQL settings based on server resources',
+                'icon' => 'ri-database-2-line',
+            ],
         ];
     }
 

modules/Platform/app/Jobs/ServerProvision.php

@@ -17,6 +17,7 @@
 use Illuminate\Support\Sleep;
 use Modules\Platform\Libs\HestiaClient;
 use Modules\Platform\Models\Server;
+use Modules\Platform\Services\ServerAcmeSetupService;
 use Modules\Platform\Services\ServerService;
 use Modules\Platform\Services\ServerSSHService;
 use RecursiveDirectoryIterator;
@@ -33,9 +34,10 @@
  * 2. Install HestiaCP (if not installed)
  * 3. Upload Astero scripts
  * 4. Prepare server for Astero provisioning
- * 5. Create admin access key
- * 6. Verify installation
- * 7. Update server with credentials and mark as ready
+ * 5. Configure ACME SSL automation
+ * 6. Create admin access key
+ * 7. Verify installation
+ * 8. Update server with credentials and mark as ready
  *
  * Progress is tracked in server metadata['provisioning_steps'].
  */
@@ -91,6 +93,7 @@ class ServerProvision implements ShouldQueue
         'server_reboot' => 'Rebooting server',
         'scripts_upload' => 'Uploading Astero scripts',
         'server_setup' => 'Setting up server',
+        'acme_setup' => 'Setting up ACME SSL',
         'release_api_key' => 'Configuring release API key',
         'access_key' => 'Creating access key',
         'verification' => 'Verifying installation',
@@ -109,6 +112,7 @@ class ServerProvision implements ShouldQueue
         'server_reboot',
         'scripts_upload',
         'server_setup',
+        'acme_setup',
         'release_api_key',
         'access_key',
         'verification',
@@ -171,8 +175,11 @@ public function retryUntil(): DateTimeInterface
     /**
      * Execute the job.
      */
-    public function handle(ServerSSHService $sshService, ServerService $serverService): void
-    {
+    public function handle(
+        ServerSSHService $sshService,
+        ServerService $serverService,
+        ServerAcmeSetupService $acmeSetupService
+    ): void {
         $this->queueMonitorLabel('Server #'.$this->serverId);
         /** @var Server|null $server */
         $server = Server::query()->find($this->serverId);
@@ -287,15 +294,27 @@ public function handle(ServerSSHService $sshService, ServerService $serverServic
                 $this->updateStep($server, 'server_setup', 'completed', $serverSetupResult);
             }
 
-            // Step 7: Configure release API key for secured release sync
+            // Step 7: Install ACME tooling and wildcard SSL helper scripts
+            if (! $this->isStepDone($server, 'acme_setup')) {
+                if ((bool) $server->acme_configured) {
+                    $this->updateStep($server, 'acme_setup', 'skipped', ['reason' => 'Already configured']);
+                } else {
+                    $this->abortIfProvisioningStopRequested($server);
+                    $this->updateStep($server, 'acme_setup', 'running');
+                    $acmeSetupResult = $acmeSetupService->setup($server);
+                    $this->updateStep($server, 'acme_setup', 'completed', $acmeSetupResult);
+                }
+            }
+
+            // Step 8: Configure release API key for secured release sync
             if (! $this->isStepDone($server, 'release_api_key')) {
                 $this->abortIfProvisioningStopRequested($server);
                 $this->updateStep($server, 'release_api_key', 'running');
                 $releaseKeyResult = $this->configureReleaseApiKey($server, $sshService);
                 $this->updateStep($server, 'release_api_key', 'completed', $releaseKeyResult);
             }
 
-            // Step 8: Create access key
+            // Step 9: Create access key
             $credentials = null;
             if (! $this->isStepDone($server, 'access_key')) {
                 $this->abortIfProvisioningStopRequested($server);
@@ -310,31 +329,31 @@ public function handle(ServerSSHService $sshService, ServerService $serverServic
                 ]);
             }
 
-            // Step 9: Verify installation
+            // Step 10: Verify installation
             if (! $this->isStepDone($server, 'verification')) {
                 $this->abortIfProvisioningStopRequested($server);
                 $this->updateStep($server, 'verification', 'running');
                 $verificationResult = $this->verifyInstallation($server, $sshService);
                 $this->updateStep($server, 'verification', 'completed', $verificationResult);
             }
 
-            // Step 10: Update releases
+            // Step 11: Update releases
             if (! $this->isStepDone($server, 'update_releases')) {
                 $this->abortIfProvisioningStopRequested($server);
                 $this->updateStep($server, 'update_releases', 'running');
                 $updateReleaseResult = $this->updateReleases($server, $sshService, $serverService);
                 $this->updateStep($server, 'update_releases', 'completed', $updateReleaseResult);
             }
 
-            // Step 11: Sync server info
+            // Step 12: Sync server info
             if (! $this->isStepDone($server, 'server_sync')) {
                 $this->abortIfProvisioningStopRequested($server);
                 $this->updateStep($server, 'server_sync', 'running');
                 $syncServerResult = $this->syncServer($server, $serverService);
                 $this->updateStep($server, 'server_sync', 'completed', $syncServerResult);
             }
 
-            // Step 12: Optimize PostgreSQL settings
+            // Step 13: Optimize PostgreSQL settings
             if (! $this->isStepDone($server, 'pg_optimize')) {
                 $this->abortIfProvisioningStopRequested($server);
                 $this->updateStep($server, 'pg_optimize', 'running');