@simplens/onboard 1.0.5 → 1.0.7

package/dist/validators.js.map

@@ -1 +1 @@
-{"version":3,"file":"validators.js","sourceRoot":"","sources":["../src/validators.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EACH,uBAAuB,EACvB,qBAAqB,EACrB,qBAAqB,GACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAInD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACtC,IAAI,CAAC;QACD,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACtB,MAAM,IAAI,uBAAuB,EAAE,CAAC;IACxC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACpC,IAAI,CAAC;QACD,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACtB,MAAM,YAAY,GAAI,KAAe,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QAEnE,IAAI,YAAY,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChF,MAAM,IAAI,qBAAqB,EAAE,CAAC;QACtC,CAAC;QAED,IAAI,YAAY,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,8BAA8B,CAAC,EAAE,CAAC;YACnG,MAAM,IAAI,qBAAqB,EAAE,CAAC;QACtC,CAAC;QAED,uBAAuB;QACvB,MAAM,IAAI,qBAAqB,EAAE,CAAC;IACtC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ;IACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,IAAI,QAAQ,KAAK,OAAO;QAAE,OAAO,SAAS,CAAC;IAC3C,IAAI,QAAQ,KAAK,OAAO;QAAE,OAAO,OAAO,CAAC;IACzC,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC3C,OAAO,OAAO,CAAC,CAAC,mBAAmB;AACvC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACvC,UAAU,CAAC,gCAAgC,CAAC,CAAC;IAE7C,4BAA4B;IAC5B,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;IACpB,CAAC,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IAC3C,IAAI,CAAC;QACD,MAAM,oBAAoB,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,CAAC,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAC5C,MAAM,KAAK,CAAC;IAChB,CAAC;IAED,sBAAsB;IACtB,CAAC,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAC5C,IAAI,CAAC;QACD,MAAM,kBAAkB,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,CAAC,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QACtC,MAAM,KAAK,CAAC;IAChB,CAAC;IAED,YAAY;IACZ,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC;IACtB,UAAU,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;IAEjC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;QACjB,UAAU,CAAC,6EAA6E,CAAC,CAAC;IAC9F,CAAC;AACL,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW,EAAE,KAAa;IACvD,iBAAiB;IACjB,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,yBAAyB;QACzB,IAAI,GAAG,KAAK,WAAW,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACvD,OAAO,KAAK,CAAC;QACjB,CAAC;QACD,IAAI,GAAG,KAAK,WAAW,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACrD,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,UAAU,CAAC,QAAQ,IAAI,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,CAAC;YAC1E,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,wDAAwD;IACxD,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,mBAAmB,EAAE,CAAC;YAC1D,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC"}
+{"version":3,"file":"validators.js","sourceRoot":"","sources":["../src/validators.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EACH,uBAAuB,EACvB,qBAAqB,EACrB,qBAAqB,GACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAInD;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAEzC,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,OAAO,oBAAoB,CAAC;IAChC,CAAC;IAED,IACI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QACrB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QACnB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QACnB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QACnB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QACnB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EACrB,CAAC;QACC,OAAO,qDAAqD,CAAC;IACjE,CAAC;IAED,oCAAoC;IACpC,MAAM,WAAW,GACb,uEAAuE,CAAC;IAE5E,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,kDAAkD,CAAC;IAC9D,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAE3B,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,OAAO,mBAAmB,CAAC;IAC/B,CAAC;IAED,MAAM,UAAU,GAAG,4BAA4B,CAAC;IAChD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,mDAAmD,CAAC;IAC/D,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACtC,IAAI,CAAC;QACD,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACtB,MAAM,IAAI,uBAAuB,EAAE,CAAC;IACxC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACpC,IAAI,CAAC;QACD,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACtB,MAAM,YAAY,GAAI,KAAe,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QAEnE,IAAI,YAAY,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChF,MAAM,IAAI,qBAAqB,EAAE,CAAC;QACtC,CAAC;QAED,IAAI,YAAY,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,8BAA8B,CAAC,EAAE,CAAC;YACnG,MAAM,IAAI,qBAAqB,EAAE,CAAC;QACtC,CAAC;QAED,uBAAuB;QACvB,MAAM,IAAI,qBAAqB,EAAE,CAAC;IACtC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ;IACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,IAAI,QAAQ,KAAK,OAAO;QAAE,OAAO,SAAS,CAAC;IAC3C,IAAI,QAAQ,KAAK,OAAO;QAAE,OAAO,OAAO,CAAC;IACzC,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC3C,OAAO,OAAO,CAAC,CAAC,mBAAmB;AACvC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACvC,UAAU,CAAC,gCAAgC,CAAC,CAAC;IAE7C,4BAA4B;IAC5B,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;IACpB,CAAC,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IAC3C,IAAI,CAAC;QACD,MAAM,oBAAoB,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,CAAC,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAC5C,MAAM,KAAK,CAAC;IAChB,CAAC;IAED,sBAAsB;IACtB,CAAC,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAC5C,IAAI,CAAC;QACD,MAAM,kBAAkB,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,CAAC,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QACtC,MAAM,KAAK,CAAC;IAChB,CAAC;IAED,YAAY;IACZ,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC;IACtB,UAAU,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;IAEjC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;QACjB,UAAU,CAAC,6EAA6E,CAAC,CAAC;IAC9F,CAAC;AACL,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW,EAAE,KAAa;IACvD,iBAAiB;IACjB,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,yBAAyB;QACzB,IAAI,GAAG,KAAK,WAAW,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACvD,OAAO,KAAK,CAAC;QACjB,CAAC;QACD,IAAI,GAAG,KAAK,WAAW,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACrD,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,UAAU,CAAC,QAAQ,IAAI,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,CAAC;YAC1E,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,wDAAwD;IACxD,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,mBAAmB,EAAE,CAAC;YAC1D,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@simplens/onboard",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "type": "module",
   "main": "dist/index.js",
   "bin": {

package/src/__tests__/infra-prompts.test.ts

@@ -28,12 +28,14 @@ describe('promptInfraServicesWithBasePath', () => {
         const mockMultiselect = vi.mocked(multiselect);
         mockMultiselect.mockResolvedValue(['mongo', 'redis', 'nginx']);
 
-        const result = await promptInfraServicesWithBasePath({ allowNginx: true });
+        const result = await promptInfraServicesWithBasePath({ allowNginx: true, defaultNginx: true });
 
         // Should include nginx in options
         const callArgs = mockMultiselect.mock.calls[0][0] as any;
         const values = callArgs.options.map((o: any) => o.value);
         expect(values).toContain('nginx');
+        expect(callArgs.initialValues).toContain('nginx');
+        expect(callArgs.initialValues).not.toContain('kafka-ui');
 
         expect(result).toContain('nginx');
     });

package/src/__tests__/infra.test.ts

@@ -12,4 +12,19 @@ describe('infra app compose generation', () => {
         expect(compose).toContain('  nginx:');
         expect(compose).toContain('./nginx.conf:/etc/nginx/conf.d/default.conf:ro');
     });
+
+    it('does not include certbot services when ssl is disabled', () => {
+        const compose = buildAppComposeContent(true, { includeSsl: false });
+        expect(compose).not.toContain('  certbot:');
+        expect(compose).not.toContain('  certbot-renew:');
+    });
+
+    it('includes certbot services and volumes when ssl is enabled', () => {
+        const compose = buildAppComposeContent(false, { includeSsl: true });
+        expect(compose).toContain('  nginx:');
+        expect(compose).toContain('  certbot:');
+        expect(compose).toContain('  certbot-renew:');
+        expect(compose).toContain('certbot-etc:');
+        expect(compose).toContain('certbot-www:');
+    });
 });

package/src/__tests__/validators.test.ts

@@ -4,7 +4,9 @@ import {
     checkDockerRunning,
     detectOS,
     validatePrerequisites,
-    validateEnvValue
+    validateEnvValue,
+    validatePublicDomain,
+    validateEmailAddress
 } from '../validators.js';
 import {
     DockerNotInstalledError,
@@ -192,4 +194,28 @@ describe('validators', () => {
             });
         });
     });
+
+    describe('validatePublicDomain', () => {
+        it('accepts valid public domains', () => {
+            expect(validatePublicDomain('example.com')).toBe(true);
+            expect(validatePublicDomain('app.example.com')).toBe(true);
+        });
+
+        it('rejects urls or malformed values', () => {
+            expect(validatePublicDomain('https://example.com')).not.toBe(true);
+            expect(validatePublicDomain('example')).not.toBe(true);
+            expect(validatePublicDomain('example.com/path')).not.toBe(true);
+        });
+    });
+
+    describe('validateEmailAddress', () => {
+        it('accepts valid email addresses', () => {
+            expect(validateEmailAddress('admin@example.com')).toBe(true);
+        });
+
+        it('rejects invalid email values', () => {
+            expect(validateEmailAddress('admin@')).not.toBe(true);
+            expect(validateEmailAddress('not-an-email')).not.toBe(true);
+        });
+    });
 });

package/src/index.ts

@@ -15,7 +15,11 @@ import {
 } from './utils.js';
 import { text, confirm, select } from '@clack/prompts';
 import { intro, outro, handleCancel, log, note } from './ui.js';
-import { validatePrerequisites } from './validators.js';
+import {
+    validatePrerequisites,
+    validatePublicDomain,
+    validateEmailAddress,
+} from './validators.js';
 import {
     promptInfraServicesWithBasePath,
     generateInfraCompose,
@@ -45,6 +49,8 @@ import {
     waitForInfraHealth,
     startAppServices,
     displayServiceStatus,
+    setupSslCertificates,
+    getSslManualCommands,
 } from './services.js';
 
 const program = new Command();
@@ -61,6 +67,9 @@ program
     .option('--core-version <version>', 'Override CORE_VERSION in generated .env (primarily for --full mode)')
     .option('--dashboard-version <version>', 'Override DASHBOARD_VERSION in generated .env (primarily for --full mode)')
     .option('--plugin [plugins...]', 'Plugins to install (e.g., @simplens/mock @simplens/nodemailer-gmail)')
+    .option('--ssl', 'Enable optional SSL certificate setup using Dockerized Certbot')
+    .option('--ssl-domain <domain>', 'Public domain for SSL certificate (required with --ssl in --full mode)')
+    .option('--ssl-email <email>', 'Email for Let\'s Encrypt registration (required with --ssl in --full mode)')
     .option('--no-output', 'Suppress all console output (silent mode)');
 
 interface OnboardSetupOptions {
@@ -70,6 +79,9 @@ interface OnboardSetupOptions {
     targetDir: string;
     basePath: string;
     plugins: string[];
+    enableSsl: boolean;
+    sslDomain?: string;
+    sslEmail?: string;
 }
 
 function printStep(step: number, total: number, title: string): void {
@@ -112,6 +124,9 @@ function showSetupSummary(setupOptions: OnboardSetupOptions, targetDir: string,
     const pluginsLabel = setupOptions.plugins.length > 0 
         ? setupOptions.plugins.join(', ') 
         : 'none';
+    const sslLabel = setupOptions.enableSsl
+        ? `enabled (${setupOptions.sslDomain})`
+        : 'disabled';
 
     const summaryLines = [
         `Target directory   : ${targetDir}`,
@@ -119,6 +134,7 @@ function showSetupSummary(setupOptions: OnboardSetupOptions, targetDir: string,
         `Environment mode   : ${setupOptions.envMode}`,
         `BASE_PATH          : ${basePathLabel}`,
         `Plugins            : ${pluginsLabel}`,
+        `SSL (Certbot)      : ${sslLabel}`,
         `Nginx auto-include : ${autoNginx ? 'enabled (BASE_PATH is non-default)' : 'disabled'}`,
     ].join('\n');
 
@@ -170,6 +186,26 @@ async function promptSetupOptions(options: any): Promise<OnboardSetupOptions> {
             }
         }
 
+        if (options.ssl === true) {
+            if (!options.sslDomain) {
+                errors.push('--ssl-domain <domain> is required in --full mode when --ssl is enabled');
+            } else {
+                const domainValidation = validatePublicDomain(options.sslDomain);
+                if (domainValidation !== true) {
+                    errors.push(`Invalid --ssl-domain: ${domainValidation}`);
+                }
+            }
+
+            if (!options.sslEmail) {
+                errors.push('--ssl-email <email> is required in --full mode when --ssl is enabled');
+            } else {
+                const emailValidation = validateEmailAddress(options.sslEmail);
+                if (emailValidation !== true) {
+                    errors.push(`Invalid --ssl-email: ${emailValidation}`);
+                }
+            }
+        }
+
         if (errors.length > 0) {
             console.error('\\n❌ Validation errors in --full mode:\\n');
             errors.forEach(err => console.error(`  • ${err}`));
@@ -274,6 +310,65 @@ async function promptSetupOptions(options: any): Promise<OnboardSetupOptions> {
     }
     // If not provided and not in full mode, will prompt later in the main workflow
 
+    // --- SSL ---
+    let enableSslValue = false;
+    let sslDomainValue: string | undefined;
+    let sslEmailValue: string | undefined;
+
+    if (options.ssl === true) {
+        enableSslValue = true;
+    } else if (!isFullMode) {
+        const sslConfirm = await confirm({
+            message: 'Do you want to automatically setup SSL certificate using Certbot?',
+            initialValue: false,
+            withGuide: true,
+        });
+        handleCancel(sslConfirm);
+        enableSslValue = sslConfirm as boolean;
+    }
+
+    if (enableSslValue) {
+        if (typeof options.sslDomain === 'string') {
+            const normalizedDomain = options.sslDomain.trim().toLowerCase();
+            const domainValidation = validatePublicDomain(normalizedDomain);
+            if (domainValidation !== true) {
+                throw new Error(`Invalid --ssl-domain value: ${domainValidation}`);
+            }
+            sslDomainValue = normalizedDomain;
+        } else if (!isFullMode) {
+            const domainAnswer = await text({
+                message: 'Public domain to secure (example: app.example.com):',
+                validate: (value: string | undefined) => {
+                    const validation = validatePublicDomain(value ?? '');
+                    return validation === true ? undefined : validation;
+                },
+                withGuide: true,
+            });
+            handleCancel(domainAnswer);
+            sslDomainValue = (domainAnswer as string).trim().toLowerCase();
+        }
+
+        if (typeof options.sslEmail === 'string') {
+            const normalizedEmail = options.sslEmail.trim();
+            const emailValidation = validateEmailAddress(normalizedEmail);
+            if (emailValidation !== true) {
+                throw new Error(`Invalid --ssl-email value: ${emailValidation}`);
+            }
+            sslEmailValue = normalizedEmail;
+        } else if (!isFullMode) {
+            const emailAnswer = await text({
+                message: 'Email for Let\'s Encrypt registration:',
+                validate: (value: string | undefined) => {
+                    const validation = validateEmailAddress(value ?? '');
+                    return validation === true ? undefined : validation;
+                },
+                withGuide: true,
+            });
+            handleCancel(emailAnswer);
+            sslEmailValue = (emailAnswer as string).trim();
+        }
+    }
+
     return {
         infra: infraValue,
         infraServices: infraServices,
@@ -281,6 +376,9 @@ async function promptSetupOptions(options: any): Promise<OnboardSetupOptions> {
         targetDir: targetDirValue || process.cwd(),
         basePath: basePathValue,
         plugins: pluginsValue,
+        enableSsl: enableSslValue,
+        sslDomain: sslDomainValue,
+        sslEmail: sslEmailValue,
     };
 }
 
@@ -318,6 +416,7 @@ async function main() {
         // Get target directory
         const targetDir = path.resolve(setupOptions.targetDir);
         const autoEnableNginx = shouldAutoEnableNginx(setupOptions.basePath);
+        const nginxRequired = autoEnableNginx || setupOptions.enableSsl;
 
         logDebug(`Resolved target directory: ${targetDir}`);
         showSetupSummary(setupOptions, targetDir, autoEnableNginx);
@@ -329,39 +428,50 @@ async function main() {
         // Step 2: Infrastructure setup (if --infra flag is provided)
         log.step('Step 2/6 — Infrastructure Setup');
         let selectedInfraServices: string[] = [];
+        const shouldSetupInfra = setupOptions.infra || nginxRequired;
 
-        if (setupOptions.infra) {
+        if (shouldSetupInfra) {
             // Use pre-provided services from CLI, or prompt for them
-            if (setupOptions.infraServices.length > 0) {
+            if (setupOptions.infra && setupOptions.infraServices.length > 0) {
                 selectedInfraServices = setupOptions.infraServices;
                 log.info(`Using infrastructure services: ${selectedInfraServices.join(', ')}`);
+            } else if (!setupOptions.infra && nginxRequired) {
+                selectedInfraServices = ['nginx'];
+                log.info('Nginx is required (BASE_PATH/SSL), so infrastructure compose will be generated with nginx.');
             } else {
                 // Prompt for services (interactive mode)
                 if (!autoEnableNginx) {
                     log.info('BASE_PATH is empty, nginx reverse proxy is disabled.');
-                    selectedInfraServices = await promptInfraServicesWithBasePath({ allowNginx: false });
+                    selectedInfraServices = await promptInfraServicesWithBasePath({
+                        allowNginx: false,
+                    });
                 } else {
-                    selectedInfraServices = await promptInfraServicesWithBasePath({ allowNginx: true });
+                    selectedInfraServices = await promptInfraServicesWithBasePath({
+                        allowNginx: true,
+                        defaultNginx: true,
+                    });
                 }
             }
 
-            if (autoEnableNginx && !selectedInfraServices.includes('nginx')) {
+            if (setupOptions.enableSsl && !selectedInfraServices.includes('nginx')) {
                 selectedInfraServices.push('nginx');
-                log.info('BASE_PATH is non-default, so nginx was added automatically.');
+                log.info('SSL is enabled, so nginx was added automatically.');
             }
 
-            await generateInfraCompose(targetDir, selectedInfraServices);
+            const infraHasNginx = selectedInfraServices.includes('nginx');
+            await generateInfraCompose(targetDir, selectedInfraServices, {
+                includeSsl: setupOptions.enableSsl && infraHasNginx,
+            });
         } else {
             log.info('Skipping infrastructure setup (use --infra to enable).');
         }
 
         // Step 3: Always write app docker-compose
         log.step('Step 3/6 — Application Compose Setup');
-        const includeNginxInAppCompose = autoEnableNginx && !selectedInfraServices.includes('nginx');
-        if (includeNginxInAppCompose) {
-            log.info('Including nginx in docker-compose.yaml because BASE_PATH is non-default.');
-        }
-        await writeAppCompose(targetDir, { includeNginx: includeNginxInAppCompose });
+        await writeAppCompose(targetDir, {
+            includeNginx: false,
+            includeSsl: false,
+        });
 
         // Step 4: Environment configuration
         log.step('Step 4/6 — Environment Configuration');
@@ -390,9 +500,12 @@ async function main() {
         }
 
         // Generate nginx.conf whenever nginx is active in either compose file
-        const nginxEnabled = selectedInfraServices.includes('nginx') || includeNginxInAppCompose;
+        const nginxEnabled = selectedInfraServices.includes('nginx');
         if (nginxEnabled) {
-            await generateNginxConfig(targetDir, setupOptions.basePath);
+            await generateNginxConfig(targetDir, setupOptions.basePath, {
+                enableSsl: setupOptions.enableSsl,
+                domain: setupOptions.sslDomain,
+            });
         }
 
         // Step 5: Plugin installation
@@ -447,7 +560,7 @@ async function main() {
 
         if (shouldStart) {
             // Start infra services first (if --infra was used)
-            if (setupOptions.infra && selectedInfraServices.length > 0) {
+            if (selectedInfraServices.length > 0) {
                 await startInfraServices(targetDir);
                 await waitForInfraHealth(targetDir);
             }
@@ -455,15 +568,30 @@ async function main() {
             // Start app services
             await startAppServices(targetDir);
 
+            if (setupOptions.enableSsl && setupOptions.sslDomain && setupOptions.sslEmail) {
+                await setupSslCertificates(targetDir, {
+                    composeFile: 'docker-compose.infra.yaml',
+                    domain: setupOptions.sslDomain,
+                    email: setupOptions.sslEmail,
+                });
+            }
+
             // Display service status
             await displayServiceStatus();
         } else {
             log.info('Services not started. You can start them later with:');
             const commands: string[] = [];
-            if (setupOptions.infra) {
-                commands.push('docker-compose -f docker-compose.infra.yaml up -d');
+            if (selectedInfraServices.length > 0) {
+                commands.push('docker compose -f docker-compose.infra.yaml up -d');
+            }
+            commands.push('docker compose up -d');
+            if (setupOptions.enableSsl && setupOptions.sslDomain && setupOptions.sslEmail) {
+                commands.push(...getSslManualCommands({
+                    composeFile: 'docker-compose.infra.yaml',
+                    domain: setupOptions.sslDomain,
+                    email: setupOptions.sslEmail,
+                }));
             }
-            commands.push('docker-compose up -d');
             printCommandHints('Manual startup commands', commands);
         }
 

package/src/infra.ts

@@ -1,4 +1,11 @@
-import { APP_COMPOSE_TEMPLATE, APP_NGINX_SERVICE_TEMPLATE } from './templates.js';
+import {
+    APP_COMPOSE_TEMPLATE,
+    APP_NGINX_SERVICE_TEMPLATE,
+    APP_NGINX_SSL_SERVICE_TEMPLATE,
+    APP_CERTBOT_SERVICES_TEMPLATE,
+    INFRA_CERTBOT_SERVICES_TEMPLATE,
+    INFRA_CERTBOT_VOLUMES,
+} from './templates.js';
 import { writeFile, logInfo, logSuccess } from './utils.js';
 import { multiselect } from '@clack/prompts';
 import { handleCancel, spinner } from './ui.js';
@@ -8,7 +15,7 @@ import type { InfraService } from './types/domain.js';
 const INFRA_SERVICES: InfraService[] = [
     { name: 'MongoDB (Database)', value: 'mongo', checked: true },
     { name: 'Kafka (Message Queue)', value: 'kafka', checked: true },
-    { name: 'Kafka UI (Dashboard)', value: 'kafka-ui', checked: true },
+    { name: 'Kafka UI (Dashboard)', value: 'kafka-ui', checked: false },
     { name: 'Redis (Cache)', value: 'redis', checked: true },
     { name: 'Nginx (Reverse Proxy)', value: 'nginx', checked: false },
     { name: 'Loki (Log Aggregation)', value: 'loki', checked: false },
@@ -31,9 +38,15 @@ export async function promptInfraServices(): Promise<string[]> {
  */
 export async function promptInfraServicesWithBasePath(options: {
     allowNginx: boolean;
+    defaultNginx?: boolean;
 }): Promise<string[]> {
     const choices = options.allowNginx
-        ? INFRA_SERVICES
+        ? INFRA_SERVICES.map(service => {
+            if (service.value === 'nginx') {
+                return { ...service, checked: options.defaultNginx === true };
+            }
+            return service;
+        })
         : INFRA_SERVICES.filter(service => service.value !== 'nginx');
 
     const message = options.allowNginx
@@ -179,6 +192,18 @@ const SERVICE_CHUNKS: Record<string, string> = {
     restart: unless-stopped`,
 };
 
+const NGINX_INFRA_SSL_SERVICE_CHUNK = `  nginx:
+    image: nginx:alpine
+    container_name: nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "./nginx.conf:/etc/nginx/conf.d/default.conf:ro"
+      - certbot-etc:/etc/letsencrypt
+      - certbot-www:/var/www/certbot
+    restart: unless-stopped`;
+
 /**
  * Service-to-volumes mapping
  */
@@ -195,7 +220,10 @@ const SERVICE_VOLUMES: Record<string, string[]> = {
 /**
  * Build docker-compose content from selected services
  */
-function buildInfraCompose(selectedServices: string[]): string {
+function buildInfraCompose(
+    selectedServices: string[],
+    options: { includeSsl?: boolean } = {}
+): string {
     // Header
     const header = `# ============================================
 # SimpleNS Infrastructure Services
@@ -212,9 +240,17 @@ services:
     const serviceBlocks: string[] = [];
     for (const service of selectedServices) {
         if (SERVICE_CHUNKS[service]) {
-            serviceBlocks.push(SERVICE_CHUNKS[service]);
+            if (service === 'nginx' && options.includeSsl === true) {
+                serviceBlocks.push(NGINX_INFRA_SSL_SERVICE_CHUNK);
+            } else {
+                serviceBlocks.push(SERVICE_CHUNKS[service]);
+            }
         }
     }
+
+    if (options.includeSsl === true) {
+        serviceBlocks.push(INFRA_CERTBOT_SERVICES_TEMPLATE);
+    }
     
     // Collect volumes for selected services
     const volumeSet = new Set<string>();
@@ -222,6 +258,12 @@ services:
         const volumes = SERVICE_VOLUMES[service] || [];
         volumes.forEach(v => volumeSet.add(v));
     }
+
+    if (options.includeSsl === true) {
+        for (const volumeName of INFRA_CERTBOT_VOLUMES) {
+            volumeSet.add(volumeName);
+        }
+    }
     
     // Build volumes section
     const volumeLines: string[] = ['', 'volumes:'];
@@ -248,13 +290,14 @@ services:
  */
 export async function generateInfraCompose(
     targetDir: string,
-    selectedServices: string[]
+    selectedServices: string[],
+    options: { includeSsl?: boolean } = {}
 ): Promise<void> {
     const s = spinner();
     s.start('Generating docker-compose.infra.yaml...');
 
     // Build compose content from service chunks
-    const infraContent = buildInfraCompose(selectedServices);
+    const infraContent = buildInfraCompose(selectedServices, options);
 
     // Write infrastructure compose file
     const infraPath = path.join(targetDir, 'docker-compose.infra.yaml');
@@ -266,17 +309,35 @@ export async function generateInfraCompose(
  * Build app docker-compose content.
  * Optionally inject nginx reverse-proxy service before the volumes section.
  */
-export function buildAppComposeContent(includeNginx: boolean): string {
-    if (!includeNginx) {
-        return APP_COMPOSE_TEMPLATE;
+export function buildAppComposeContent(
+    includeNginx: boolean,
+    options: { includeSsl?: boolean } = {}
+): string {
+    let content = APP_COMPOSE_TEMPLATE;
+    const includeSsl = options.includeSsl === true;
+    const shouldIncludeNginx = includeNginx || includeSsl;
+    const marker = '\nvolumes:';
+
+    if (!content.includes(marker)) {
+        return content;
     }
 
-    const marker = '\nvolumes:';
-    if (!APP_COMPOSE_TEMPLATE.includes(marker)) {
-        return APP_COMPOSE_TEMPLATE;
+    if (shouldIncludeNginx) {
+        const nginxBlock = includeSsl
+            ? APP_NGINX_SSL_SERVICE_TEMPLATE
+            : APP_NGINX_SERVICE_TEMPLATE;
+        content = content.replace(marker, `\n${nginxBlock}\n${marker}`);
+    }
+
+    if (includeSsl) {
+        content = content.replace(marker, `\n${APP_CERTBOT_SERVICES_TEMPLATE}\n${marker}`);
+        content = content.replace(
+            '\nvolumes:\n  plugin-data:',
+            '\nvolumes:\n  certbot-etc:\n  certbot-www:\n  plugin-data:'
+        );
     }
 
-    return APP_COMPOSE_TEMPLATE.replace(marker, `\n${APP_NGINX_SERVICE_TEMPLATE}\n${marker}`);
+    return content;
 }
 
 /**
@@ -284,12 +345,14 @@ export function buildAppComposeContent(includeNginx: boolean): string {
  */
 export async function writeAppCompose(
     targetDir: string,
-    options: { includeNginx?: boolean } = {}
+    options: { includeNginx?: boolean; includeSsl?: boolean } = {}
 ): Promise<void> {
     const s = spinner();
     s.start('Generating docker-compose.yaml...');
     const appPath = path.join(targetDir, 'docker-compose.yaml');
-    const appContent = buildAppComposeContent(options.includeNginx === true);
+    const appContent = buildAppComposeContent(options.includeNginx === true, {
+        includeSsl: options.includeSsl === true,
+    });
     await writeFile(appPath, appContent);
     s.stop('Generated docker-compose.yaml');
 }
@@ -299,7 +362,8 @@ export async function writeAppCompose(
  */
 export async function generateNginxConfig(
     targetDir: string,
-    basePath: string
+    basePath: string,
+    options: { enableSsl?: boolean; domain?: string } = {}
 ): Promise<void> {
     const s = spinner();
     s.start('Generating nginx.conf...');
@@ -307,12 +371,10 @@ export async function generateNginxConfig(
     // Normalize basePath (remove leading/trailing slashes for template)
     const normalizedPath = basePath.trim().replace(/^\/|\/$/g, '');
     const hasBasePath = normalizedPath.length > 0;
+    const enableSsl = options.enableSsl === true;
+    const domain = options.domain?.trim() || 'localhost';
 
-    // Template for nginx.conf
-    const nginxTemplate = `server {
-    listen 80;
-    server_name localhost;
-
+    const proxyRoutes = `
     location /api {
         proxy_pass http://api:3000;
         proxy_http_version 1.1;
@@ -395,10 +457,44 @@ ${hasBasePath ? `
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 `}
+`;
+
+    const nginxTemplate = enableSsl
+        ? `server {
+    listen 80;
+    server_name ${domain};
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name ${domain};
+
+    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    location = / {
+        return 302 /dashboard;
+    }
+    ${proxyRoutes}
+}
+`
+        : `server {
+    listen 80;
+    server_name localhost;${proxyRoutes}
 }
 `;
 
     const nginxPath = path.join(targetDir, 'nginx.conf');
     await writeFile(nginxPath, nginxTemplate);
-    s.stop(`Generated nginx.conf${hasBasePath ? ` with base path: /${normalizedPath}` : ' (root path)'}`);
+    const sslLabel = enableSsl ? `, SSL domain: ${domain}` : '';
+    s.stop(`Generated nginx.conf${hasBasePath ? ` with base path: /${normalizedPath}` : ' (root path)'}${sslLabel}`);
 }