feat: SSL wildcard certificate picker from NPM

- NPM client: ListCertificates endpoint
- API: GET /api/settings/npm-certificates (wildcard-only filter)
- Settings UI: EntityPicker for selecting wildcard certs
- Deployer: applies certificate_id + ssl_forced to proxy hosts
- Uses HTTPS subdomain URLs when SSL cert is configured

internal/api/router.go

@@ -131,6 +131,7 @@ func (s *Server) Router() chi.Router {
 				r.Get("/images", s.listRegistryImages)
 			})
 			r.Get("/settings", s.getSettings)
+			r.Get("/settings/npm-certificates", s.listNpmCertificates)
 
 			// Admin-only routes: require admin role.
 			r.Group(func(r chi.Router) {

internal/api/settings.go

@@ -3,8 +3,10 @@ package api
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/alexei/docker-watcher/internal/crypto"
+	"github.com/alexei/docker-watcher/internal/npm"
 	"github.com/alexei/docker-watcher/internal/webhook"
 )
 
@@ -19,6 +21,7 @@ type settingsRequest struct {
 	NpmEmail         string `json:"npm_email"`
 	NpmPassword      string `json:"npm_password"`
 	PollingInterval  string `json:"polling_interval"`
+	SSLCertificateID *int   `json:"ssl_certificate_id,omitempty"`
 }
 
 // getSettings handles GET /api/settings.
@@ -31,16 +34,17 @@ func (s *Server) getSettings(w http.ResponseWriter, r *http.Request) {
 
 	// Return settings without sensitive fields.
 	respondJSON(w, http.StatusOK, map[string]any{
-		"domain":            settings.Domain,
-		"server_ip":         settings.ServerIP,
-		"network":           settings.Network,
-		"subdomain_pattern": settings.SubdomainPattern,
-		"notification_url":  settings.NotificationURL,
-		"npm_url":           settings.NpmURL,
-		"npm_email":         settings.NpmEmail,
-		"has_npm_password":  settings.NpmPassword != "",
-		"polling_interval":  settings.PollingInterval,
-		"updated_at":        settings.UpdatedAt,
+		"domain":              settings.Domain,
+		"server_ip":           settings.ServerIP,
+		"network":             settings.Network,
+		"subdomain_pattern":   settings.SubdomainPattern,
+		"notification_url":    settings.NotificationURL,
+		"npm_url":             settings.NpmURL,
+		"npm_email":           settings.NpmEmail,
+		"has_npm_password":    settings.NpmPassword != "",
+		"polling_interval":    settings.PollingInterval,
+		"ssl_certificate_id":  settings.SSLCertificateID,
+		"updated_at":          settings.UpdatedAt,
 	})
 }
 
@@ -89,6 +93,9 @@ func (s *Server) updateSettings(w http.ResponseWriter, r *http.Request) {
 	if req.PollingInterval != "" {
 		updated.PollingInterval = req.PollingInterval
 	}
+	if req.SSLCertificateID != nil {
+		updated.SSLCertificateID = *req.SSLCertificateID
+	}
 
 	if err := s.store.UpdateSettings(updated); err != nil {
 		respondError(w, http.StatusInternalServerError, "failed to update settings: "+err.Error())
@@ -140,3 +147,60 @@ func (s *Server) regenerateWebhookSecret(w http.ResponseWriter, r *http.Request)
 	})
 }
 
+// listNpmCertificates handles GET /api/settings/npm-certificates.
+// It authenticates to NPM using the stored credentials and returns only wildcard certificates.
+func (s *Server) listNpmCertificates(w http.ResponseWriter, r *http.Request) {
+	settings, err := s.store.GetSettings()
+	if err != nil {
+		respondError(w, http.StatusInternalServerError, "failed to get settings: "+err.Error())
+		return
+	}
+
+	if settings.NpmURL == "" || settings.NpmEmail == "" || settings.NpmPassword == "" {
+		respondError(w, http.StatusBadRequest, "NPM credentials not configured")
+		return
+	}
+
+	npmPassword, err := crypto.Decrypt(s.encKey, settings.NpmPassword)
+	if err != nil {
+		respondError(w, http.StatusInternalServerError, "failed to decrypt npm password: "+err.Error())
+		return
+	}
+
+	client := npm.New(settings.NpmURL)
+	if err := client.Authenticate(r.Context(), settings.NpmEmail, npmPassword); err != nil {
+		respondError(w, http.StatusBadGateway, "failed to authenticate to NPM: "+err.Error())
+		return
+	}
+
+	certs, err := client.ListCertificates(r.Context())
+	if err != nil {
+		respondError(w, http.StatusBadGateway, "failed to list certificates: "+err.Error())
+		return
+	}
+
+	// Filter to wildcard certificates only.
+	var wildcards []npm.Certificate
+	for _, cert := range certs {
+		if isWildcardCert(cert) {
+			wildcards = append(wildcards, cert)
+		}
+	}
+
+	if wildcards == nil {
+		wildcards = []npm.Certificate{}
+	}
+
+	respondJSON(w, http.StatusOK, wildcards)
+}
+
+// isWildcardCert returns true if any of the certificate's domain names contains "*".
+func isWildcardCert(cert npm.Certificate) bool {
+	for _, d := range cert.DomainNames {
+		if strings.Contains(d, "*") {
+			return true
+		}
+	}
+	return false
+}
+

internal/deployer/deployer.go

@@ -425,6 +425,15 @@ func (d *Deployer) configureProxy(
 		Locations:      []any{},
 	}
 
+	// Apply SSL certificate if configured in settings.
+	if settings.SSLCertificateID > 0 {
+		proxyConfig.CertificateID = settings.SSLCertificateID
+		proxyConfig.SSLForced = true
+		proxyConfig.HSTSEnabled = true
+		proxyConfig.HTTP2Support = true
+		d.logDeploy(deployID, fmt.Sprintf("Using SSL certificate ID %d", settings.SSLCertificateID), "info")
+	}
+
 	if found {
 		d.logDeploy(deployID, fmt.Sprintf("Updating existing proxy host %d for %s", existing.ID, fqdn), "info")
 		host, err := d.npm.UpdateProxyHost(ctx, existing.ID, proxyConfig)

internal/npm/client.go

@@ -154,6 +154,15 @@ func (c *Client) FindProxyHostByDomain(ctx context.Context, domain string) (Prox
 	return ProxyHost{}, false, nil
 }
 
+// ListCertificates returns all SSL certificates from NPM.
+func (c *Client) ListCertificates(ctx context.Context) ([]Certificate, error) {
+	var certs []Certificate
+	if err := c.doJSON(ctx, http.MethodGet, "/nginx/certificates", nil, &certs); err != nil {
+		return nil, fmt.Errorf("list certificates: %w", err)
+	}
+	return certs, nil
+}
+
 // doJSON performs an authenticated JSON API request. If the token is expired or a 401
 // is received, it automatically re-authenticates and retries the request once.
 func (c *Client) doJSON(ctx context.Context, method, path string, reqBody any, result any) error {

internal/npm/types.go

@@ -50,6 +50,15 @@ type ProxyHost struct {
 	ModifiedOn       string   `json:"modified_on"`
 }
 
+// Certificate represents an SSL certificate as returned by the NPM API.
+type Certificate struct {
+	ID          int      `json:"id"`
+	NiceName    string   `json:"nice_name"`
+	DomainNames []string `json:"domain_names"`
+	ExpiresOn   string   `json:"expires_on"`
+	Provider    string   `json:"provider"`
+}
+
 // boolInt handles the NPM API's inconsistent use of 0/1 integers for boolean fields.
 type boolInt bool
 

internal/store/models.go

@@ -55,6 +55,7 @@ type Settings struct {
 	WebhookSecret    string `json:"webhook_secret"`
 	PollingInterval  string `json:"polling_interval"`
 	BaseVolumePath   string `json:"base_volume_path"`
+	SSLCertificateID int    `json:"ssl_certificate_id"`
 	UpdatedAt        string `json:"updated_at"`
 }
 

internal/store/settings.go

@@ -9,10 +9,10 @@ func (s *Store) GetSettings() (Settings, error) {
 	var st Settings
 	err := s.db.QueryRow(
 		`SELECT domain, server_ip, network, subdomain_pattern, notification_url,
-		        npm_url, npm_email, npm_password, webhook_secret, polling_interval, base_volume_path, updated_at
+		        npm_url, npm_email, npm_password, webhook_secret, polling_interval, base_volume_path, ssl_certificate_id, updated_at
 		 FROM settings WHERE id = 1`,
 	).Scan(&st.Domain, &st.ServerIP, &st.Network, &st.SubdomainPattern, &st.NotificationURL,
-		&st.NpmURL, &st.NpmEmail, &st.NpmPassword, &st.WebhookSecret, &st.PollingInterval, &st.BaseVolumePath, &st.UpdatedAt)
+		&st.NpmURL, &st.NpmEmail, &st.NpmPassword, &st.WebhookSecret, &st.PollingInterval, &st.BaseVolumePath, &st.SSLCertificateID, &st.UpdatedAt)
 	if err != nil {
 		return Settings{}, fmt.Errorf("query settings: %w", err)
 	}
@@ -25,10 +25,10 @@ func (s *Store) UpdateSettings(st Settings) error {
 	_, err := s.db.Exec(
 		`UPDATE settings SET
 			domain=?, server_ip=?, network=?, subdomain_pattern=?, notification_url=?,
-			npm_url=?, npm_email=?, npm_password=?, webhook_secret=?, polling_interval=?, base_volume_path=?, updated_at=?
+			npm_url=?, npm_email=?, npm_password=?, webhook_secret=?, polling_interval=?, base_volume_path=?, ssl_certificate_id=?, updated_at=?
 		 WHERE id = 1`,
 		st.Domain, st.ServerIP, st.Network, st.SubdomainPattern, st.NotificationURL,
-		st.NpmURL, st.NpmEmail, st.NpmPassword, st.WebhookSecret, st.PollingInterval, st.BaseVolumePath, st.UpdatedAt,
+		st.NpmURL, st.NpmEmail, st.NpmPassword, st.WebhookSecret, st.PollingInterval, st.BaseVolumePath, st.SSLCertificateID, st.UpdatedAt,
 	)
 	if err != nil {
 		return fmt.Errorf("update settings: %w", err)

internal/store/store.go

@@ -79,6 +79,8 @@ func (s *Store) runMigrations() error {
 		`ALTER TABLE settings ADD COLUMN base_volume_path TEXT NOT NULL DEFAULT ''`,
 		// Add enable_proxy to stages (2026-03-29). Default true for backwards compat.
 		`ALTER TABLE stages ADD COLUMN enable_proxy INTEGER NOT NULL DEFAULT 1`,
+		// Add ssl_certificate_id to settings (2026-03-29).
+		`ALTER TABLE settings ADD COLUMN ssl_certificate_id INTEGER NOT NULL DEFAULT 0`,
 	}
 
 	for _, m := range migrations {
@@ -159,6 +161,7 @@ CREATE TABLE IF NOT EXISTS settings (
 	webhook_secret      TEXT NOT NULL DEFAULT '',
 	polling_interval    TEXT NOT NULL DEFAULT '5m',
 	base_volume_path   TEXT NOT NULL DEFAULT '',
+	ssl_certificate_id INTEGER NOT NULL DEFAULT 0,
 	updated_at          TEXT NOT NULL DEFAULT (datetime('now'))
 );
 

web/src/lib/api.ts

@@ -4,6 +4,7 @@ import type {
 	DeployLog,
 	InspectResult,
 	Instance,
+	NpmCertificate,
 	Project,
 	ProjectDetail,
 	Registry,
@@ -258,6 +259,10 @@ export function regenerateWebhookUrl(): Promise<{ url: string }> {
 	return post<{ url: string }>('/api/settings/webhook-url/regenerate');
 }
 
+export function listNpmCertificates(): Promise<NpmCertificate[]> {
+	return get<NpmCertificate[]>('/api/settings/npm-certificates');
+}
+
 // ── Auth ─────────────────────────────────────────────────────────────
 
 export function login(username: string, password: string): Promise<{ token: string; expires_at: string }> {

web/src/lib/i18n/en.json

@@ -207,7 +207,14 @@
     "regenerating": "Regenerating...",
     "regenerated": "Webhook URL regenerated",
     "regenerateFailed": "Failed to regenerate webhook URL",
-    "regenerateWarning": "Warning: regenerating will invalidate the current URL. Update your CI pipelines."
+    "regenerateWarning": "Warning: regenerating will invalidate the current URL. Update your CI pipelines.",
+    "sslCertificate": "SSL Certificate",
+    "sslCertificateHelp": "Wildcard certificate from NPM for auto-SSL on proxy hosts",
+    "selectCertificate": "Select Certificate",
+    "noCertificate": "None (no SSL)",
+    "clearCertificate": "Clear",
+    "loadingCertificates": "Loading certificates...",
+    "noCertificatesFound": "No wildcard certificates found in NPM"
   },
   "settingsRegistries": {
     "title": "Container Registries",

web/src/lib/i18n/ru.json

@@ -207,7 +207,14 @@
     "regenerating": "Перегенерация...",
     "regenerated": "URL вебхука перегенерирован",
     "regenerateFailed": "Не удалось перегенерировать URL вебхука",
-    "regenerateWarning": "Внимание: перегенерация сделает текущий URL недействительным. Обновите ваши CI-пайплайны."
+    "regenerateWarning": "Внимание: перегенерация сделает текущий URL недействительным. Обновите ваши CI-пайплайны.",
+    "sslCertificate": "SSL-сертификат",
+    "sslCertificateHelp": "Wildcard-сертификат из NPM для автоматического SSL на прокси-хостах",
+    "selectCertificate": "Выбрать сертификат",
+    "noCertificate": "Нет (без SSL)",
+    "clearCertificate": "Очистить",
+    "loadingCertificates": "Загрузка сертификатов...",
+    "noCertificatesFound": "Wildcard-сертификаты в NPM не найдены"
   },
   "settingsRegistries": {
     "title": "Реестры контейнеров",

web/src/lib/types.ts

@@ -105,9 +105,19 @@ export interface Settings {
 	webhook_secret: string;
 	polling_interval: string;
 	base_volume_path: string;
+	ssl_certificate_id: number;
 	updated_at: string;
 }
 
+/** An SSL certificate from Nginx Proxy Manager. */
+export interface NpmCertificate {
+	id: number;
+	nice_name: string;
+	domain_names: string[];
+	expires_on: string;
+	provider: string;
+}
+
 /** Standard API envelope returned by all backend endpoints. */
 export interface ApiEnvelope<T> {
 	success: boolean;

web/src/routes/settings/+page.svelte

@@ -1,10 +1,11 @@
 <script lang="ts">
-	import { getSettings, updateSettings, getWebhookUrl, regenerateWebhookUrl } from '$lib/api';
-	import type { Settings } from '$lib/types';
+	import { getSettings, updateSettings, getWebhookUrl, regenerateWebhookUrl, listNpmCertificates } from '$lib/api';
+	import type { EntityPickerItem } from '$lib/types';
 	import FormField from '$lib/components/FormField.svelte';
+	import EntityPicker from '$lib/components/EntityPicker.svelte';
 	import { toasts } from '$lib/stores/toast';
 	import { t } from '$lib/i18n';
-	import { IconLoader, IconCopy, IconRefresh } from '$lib/components/icons';
+	import { IconLoader, IconCopy, IconRefresh, IconShield, IconX } from '$lib/components/icons';
 	import Skeleton from '$lib/components/Skeleton.svelte';
 
 	let loading = $state(true);
@@ -20,6 +21,12 @@
 	let baseVolumePath = $state('');
 	let notificationUrl = $state('');
 
+	let sslCertificateId = $state(0);
+	let sslCertName = $state('');
+	let certPickerOpen = $state(false);
+	let certPickerItems = $state<EntityPickerItem[]>([]);
+	let loadingCerts = $state(false);
+
 	let errors = $state<Record<string, string>>({});
 
 	function validateDomain(value: string): string {
@@ -70,6 +77,7 @@
 			subdomainPattern = settings.subdomain_pattern ?? '';
 			pollingInterval = settings.polling_interval ?? '';
 			baseVolumePath = settings.base_volume_path ?? '';
+			sslCertificateId = settings.ssl_certificate_id ?? 0;
 			notificationUrl = settings.notification_url ?? '';
 		} catch (err) {
 			toasts.error(err instanceof Error ? err.message : $t('settingsGeneral.loadFailed'));
@@ -92,7 +100,8 @@
 			await updateSettings({
 				domain: domain.trim(), server_ip: serverIp.trim(), network: network.trim(),
 				subdomain_pattern: subdomainPattern.trim(), polling_interval: pollingInterval.trim(),
-				base_volume_path: baseVolumePath.trim(), notification_url: notificationUrl.trim()
+				base_volume_path: baseVolumePath.trim(), notification_url: notificationUrl.trim(),
+				ssl_certificate_id: sslCertificateId
 			});
 			toasts.success($t('settingsGeneral.saved'));
 		} catch (err) {
@@ -115,7 +124,60 @@
 		}
 	}
 
-	$effect(() => { loadSettings(); loadWebhookUrlValue(); });
+	async function openCertPicker() {
+		loadingCerts = true;
+		certPickerOpen = true;
+		try {
+			const certs = await listNpmCertificates();
+			certPickerItems = certs.map((cert): EntityPickerItem => ({
+				value: String(cert.id),
+				label: cert.nice_name || `Certificate #${cert.id}`,
+				description: cert.domain_names.join(', ')
+			}));
+		} catch (err) {
+			toasts.error(err instanceof Error ? err.message : $t('settingsGeneral.noCertificatesFound'));
+			certPickerOpen = false;
+		} finally {
+			loadingCerts = false;
+		}
+	}
+
+	function handleCertSelect(value: string) {
+		const id = parseInt(value, 10);
+		sslCertificateId = id;
+		const item = certPickerItems.find((i) => i.value === value);
+		sslCertName = item?.label ?? '';
+		certPickerOpen = false;
+	}
+
+	function clearCertificate() {
+		sslCertificateId = 0;
+		sslCertName = '';
+	}
+
+	// When loading settings, try to resolve cert name if an ID is set.
+	async function resolveCertName() {
+		if (sslCertificateId <= 0) return;
+		try {
+			const certs = await listNpmCertificates();
+			const match = certs.find((c) => c.id === sslCertificateId);
+			if (match) {
+				sslCertName = match.nice_name || `Certificate #${match.id}`;
+			} else {
+				sslCertName = `Certificate #${sslCertificateId}`;
+			}
+		} catch {
+			sslCertName = `Certificate #${sslCertificateId}`;
+		}
+	}
+
+	async function init() {
+		await loadSettings();
+		await resolveCertName();
+		loadWebhookUrlValue();
+	}
+
+	$effect(() => { init(); });
 </script>
 
 <svelte:head>
@@ -144,6 +206,42 @@
 				<FormField label="Base Volume Path" name="baseVolumePath" bind:value={baseVolumePath} placeholder="/data" helpText="Prepended to relative volume sources (e.g., /data + my-app/uploads = /data/my-app/uploads)" />
 				<FormField label={$t('settingsGeneral.notificationUrl')} name="notificationUrl" bind:value={notificationUrl} placeholder="https://notify.example.com/webhook" error={errors.notificationUrl ?? ''} helpText={$t('settingsGeneral.notificationUrlHelp')} />
 			</div>
+			<!-- SSL Certificate -->
+			<div class="mt-6 border-t border-[var(--border-primary)] pt-4">
+				<div class="flex items-start gap-3">
+					<div class="flex-1">
+						<label class="block text-sm font-medium text-[var(--text-primary)]">{$t('settingsGeneral.sslCertificate')}</label>
+						<p class="mt-0.5 text-xs text-[var(--text-tertiary)]">{$t('settingsGeneral.sslCertificateHelp')}</p>
+						<div class="mt-2 flex items-center gap-2">
+							<button
+								type="button"
+								onclick={openCertPicker}
+								class="inline-flex items-center gap-2 rounded-lg border border-[var(--border-primary)] px-3 py-2 text-sm text-[var(--text-secondary)] hover:bg-[var(--surface-card-hover)] transition-colors"
+							>
+								<IconShield size={16} />
+								{#if loadingCerts}
+									{$t('settingsGeneral.loadingCertificates')}
+								{:else if sslCertificateId > 0 && sslCertName}
+									{sslCertName}
+								{:else}
+									{$t('settingsGeneral.noCertificate')}
+								{/if}
+							</button>
+							{#if sslCertificateId > 0}
+								<button
+									type="button"
+									onclick={clearCertificate}
+									class="inline-flex items-center gap-1 rounded-lg border border-[var(--border-primary)] px-2 py-2 text-sm text-[var(--text-tertiary)] hover:text-[var(--color-danger)] hover:bg-[var(--surface-card-hover)] transition-colors"
+									title={$t('settingsGeneral.clearCertificate')}
+								>
+									<IconX size={14} />
+								</button>
+							{/if}
+						</div>
+					</div>
+				</div>
+			</div>
+
 			<div class="mt-6">
 				<button onclick={handleSave} disabled={saving} class="inline-flex items-center gap-2 rounded-lg bg-[var(--color-brand-600)] px-4 py-2.5 text-sm font-medium text-white shadow-sm transition-all duration-150 hover:bg-[var(--color-brand-700)] disabled:opacity-50 active:animate-press">
 					{#if saving}<IconLoader size={16} />{/if}
@@ -189,3 +287,12 @@
 		</div>
 	{/if}
 </div>
+
+<EntityPicker
+	bind:open={certPickerOpen}
+	items={certPickerItems}
+	current={String(sslCertificateId)}
+	title={$t('settingsGeneral.selectCertificate')}
+	onselect={handleCertSelect}
+	onclose={() => { certPickerOpen = false; }}
+/>