feat(acme): add DB-backed ACME configuration management and OpsServer certificate settings UI

ts_interfaces/data/acme-config.ts

@@ -0,0 +1,25 @@
+/**
+ * ACME configuration for automated TLS certificate issuance via Let's Encrypt.
+ *
+ * Persisted as a singleton `AcmeConfigDoc` in the DcRouterDb. Replaces the
+ * legacy constructor fields `tls.contactEmail` / `smartProxyConfig.acme.*`
+ * which are now seed-only (used once on first boot if the DB is empty).
+ *
+ * Managed via the OpsServer UI at **Domains > Certificates > Settings**.
+ */
+export interface IAcmeConfig {
+  /** Contact email used for Let's Encrypt account registration. */
+  accountEmail: string;
+  /** Whether ACME is enabled. If false, no certs are issued via ACME. */
+  enabled: boolean;
+  /** True = Let's Encrypt production, false = staging. */
+  useProduction: boolean;
+  /** Whether to automatically renew certs before expiry. */
+  autoRenew: boolean;
+  /** Renew when a cert has fewer than this many days of validity left. */
+  renewThresholdDays: number;
+  /** Unix ms timestamp of last config change. */
+  updatedAt: number;
+  /** Who last updated the config (userId or 'seed' / 'system'). */
+  updatedBy: string;
+}

ts_interfaces/data/index.ts

@@ -6,4 +6,5 @@ export * from './target-profile.js';
 export * from './vpn.js';
 export * from './dns-provider.js';
 export * from './domain.js';
-export * from './dns-record.js';
+export * from './dns-record.js';
+export * from './acme-config.js';

ts_interfaces/data/route-management.ts

@@ -17,7 +17,8 @@ export type TApiTokenScope =
   | 'targets:read' | 'targets:write'
   | 'dns-providers:read' | 'dns-providers:write'
   | 'domains:read' | 'domains:write'
-  | 'dns-records:read' | 'dns-records:write';
+  | 'dns-records:read' | 'dns-records:write'
+  | 'acme-config:read' | 'acme-config:write';
 
 // ============================================================================
 // Source Profile Types (source-side: who can access)