fix: auto-copy panel TLS certs for same-VPS nodes (#22)

- Add isSameVpsAsPanel() detection (domain, localhost, PANEL_IP env)
- Add certificate check/upload methods in NodeSSH
- Auto-copy panel certs during sync if missing on node

Author: ddddeadispose

src/services/nodeSSH.js

@@ -428,6 +428,107 @@ echo "Port hopping: ${startPort}-${endPort} -> ${mainPort}"
         }
     }
 
+    /**
+     * Check if TLS certificate files exist and are valid on the node
+     * @returns {Object} { exists: boolean, valid: boolean, error?: string }
+     */
+    async checkCertificates() {
+        try {
+            const certPath = this.node.paths?.cert || '/etc/hysteria/cert.pem';
+            const keyPath = this.node.paths?.key || '/etc/hysteria/key.pem';
+            
+            const result = await this.exec(`
+if [ -f "${certPath}" ] && [ -s "${certPath}" ] && [ -f "${keyPath}" ] && [ -s "${keyPath}" ]; then
+    if openssl x509 -in "${certPath}" -noout 2>/dev/null; then
+        echo "VALID"
+        openssl x509 -in "${certPath}" -noout -enddate 2>/dev/null | grep notAfter
+    else
+        echo "INVALID"
+    fi
+else
+    echo "MISSING"
+fi
+            `);
+            
+            const output = result.stdout.trim();
+            
+            if (output.includes('VALID')) {
+                return { exists: true, valid: true };
+            } else if (output.includes('INVALID')) {
+                return { exists: true, valid: false, error: 'Certificate is invalid or corrupted' };
+            } else {
+                return { exists: false, valid: false, error: 'Certificate files missing' };
+            }
+        } catch (error) {
+            logger.error(`[SSH] Certificate check error on ${this.node.name}: ${error.message}`);
+            return { exists: false, valid: false, error: error.message };
+        }
+    }
+
+    /**
+     * Upload TLS certificates to the node
+     * @param {string} cert - Certificate content (PEM)
+     * @param {string} key - Private key content (PEM)
+     * @returns {boolean} Success status
+     */
+    async uploadCertificates(cert, key) {
+        try {
+            const certPath = this.node.paths?.cert || '/etc/hysteria/cert.pem';
+            const keyPath = this.node.paths?.key || '/etc/hysteria/key.pem';
+            
+            await this.exec('mkdir -p /etc/hysteria');
+            
+            await this.writeFile(certPath, cert);
+            await this.writeFile(keyPath, key);
+            
+            await this.exec(`
+chmod 644 ${certPath}
+chmod 600 ${keyPath}
+if id "hysteria" &>/dev/null; then
+    chown hysteria:hysteria ${certPath} ${keyPath}
+fi
+            `);
+            
+            logger.info(`[SSH] Certificates uploaded to ${this.node.name}`);
+            return true;
+        } catch (error) {
+            logger.error(`[SSH] Certificate upload error on ${this.node.name}: ${error.message}`);
+            return false;
+        }
+    }
+
+    /**
+     * Ensure valid certificates exist on the node
+     * If useTlsFiles is true and certs are missing/invalid, tries to copy from panel
+     * @param {Object} panelCerts - { cert, key } from panel, or null
+     * @returns {Object} { success: boolean, action: string, error?: string }
+     */
+    async ensureCertificates(panelCerts) {
+        const certStatus = await this.checkCertificates();
+        
+        if (certStatus.exists && certStatus.valid) {
+            return { success: true, action: 'existing' };
+        }
+        
+        if (!panelCerts || !panelCerts.cert || !panelCerts.key) {
+            return { 
+                success: false, 
+                action: 'failed', 
+                error: 'Certificates missing on node and panel certs not available' 
+            };
+        }
+        
+        logger.info(`[SSH] ${this.node.name}: certificates ${certStatus.exists ? 'invalid' : 'missing'}, uploading from panel`);
+        
+        const uploaded = await this.uploadCertificates(panelCerts.cert, panelCerts.key);
+        
+        if (uploaded) {
+            return { success: true, action: 'uploaded' };
+        } else {
+            return { success: false, action: 'failed', error: 'Failed to upload certificates' };
+        }
+    }
+
     /**
      * Get system stats from node
      */

src/services/nodeSetup.js

@@ -11,6 +11,39 @@ const cryptoService = require('./cryptoService');
 const Settings = require('../models/settingsModel');
 const configGenerator = require('./configGenerator');
 
+/**
+ * Check if a node is on the same VPS as the panel
+ * Uses multiple heuristics: domain match, IP match via DNS, localhost detection
+ * @param {Object} node - Node object with ip and domain fields
+ * @returns {boolean} true if node appears to be on the same server as the panel
+ */
+function isSameVpsAsPanel(node) {
+    const panelDomain = config.PANEL_DOMAIN;
+    
+    // 1. Domain match - most reliable indicator
+    if (node.domain && node.domain === panelDomain) {
+        logger.debug(`[NodeSetup] Same VPS detected: domain match (${node.domain})`);
+        return true;
+    }
+    
+    // 2. Localhost / loopback detection
+    const nodeIp = (node.ip || '').toLowerCase().trim();
+    if (nodeIp === 'localhost' || nodeIp === '127.0.0.1' || nodeIp === '::1') {
+        logger.debug(`[NodeSetup] Same VPS detected: localhost IP (${nodeIp})`);
+        return true;
+    }
+    
+    // 3. Try to resolve panel domain and compare with node IP
+    // This is a sync check using cached DNS or env variable
+    const panelIpFromEnv = process.env.PANEL_IP || '';
+    if (panelIpFromEnv && panelIpFromEnv === nodeIp) {
+        logger.debug(`[NodeSetup] Same VPS detected: IP match via PANEL_IP env (${nodeIp})`);
+        return true;
+    }
+    
+    return false;
+}
+
 /**
  * Read panel's SSL certificates from Greenlock or Caddy directory
  * @param {string} domain - Panel domain
@@ -313,25 +346,14 @@ async function setupNode(node, options = {}) {
         }
 
         // Determine TLS mode: same-VPS (copy panel certs), ACME, or self-signed
-        const isSameVpsSetup = node.domain && node.domain === config.PANEL_DOMAIN;
+        // Use improved detection: checks domain match, localhost, and PANEL_IP env
+        const isSameVpsSetup = isSameVpsAsPanel(node);
         let useTlsFiles = false;
 
-        if (!node.domain) {
-            // No domain - use self-signed certificate
-            log('No domain specified, generating self-signed certificate...');
-            const certResult = await execSSH(conn, SELF_SIGNED_CERT_SCRIPT);
-            logs.push(certResult.output);
-            
-            if (!certResult.success) {
-                throw new Error(`Certificate generation failed: ${certResult.error}`);
-            }
-            log('Certificate ready (self-signed)');
-            useTlsFiles = true;
-            
-        } else if (isSameVpsSetup) {
-            // Same domain as panel - copy panel's certificates to node
-            log(`Same-VPS setup detected (domain: ${node.domain})`);
-            log('Copying panel certificates to node...');
+        if (isSameVpsSetup) {
+            // Same server as panel - try to copy panel's certificates
+            log(`Same-VPS setup detected (node IP: ${node.ip}, panel domain: ${config.PANEL_DOMAIN})`);
+            log('Attempting to copy panel certificates to node...');
 
             const panelCerts = getPanelCertificates(config.PANEL_DOMAIN);
 
@@ -360,8 +382,20 @@ ls -la /etc/hysteria/*.pem
                 useTlsFiles = true;
             }
 
+        } else if (!node.domain) {
+            // No domain and not same VPS - use self-signed certificate
+            log('No domain specified, generating self-signed certificate...');
+            const certResult = await execSSH(conn, SELF_SIGNED_CERT_SCRIPT);
+            logs.push(certResult.output);
+            
+            if (!certResult.success) {
+                throw new Error(`Certificate generation failed: ${certResult.error}`);
+            }
+            log('Certificate ready (self-signed)');
+            useTlsFiles = true;
+            
         } else {
-            // Different domain - use ACME (but warn about potential port 80 conflict)
+            // Different domain on different VPS - use ACME
             log(`Domain detected (${node.domain}), ACME will be used`);
             log('⚠️  WARNING: If this node is on the same VPS as the panel, ACME may fail!');
             log('⚠️  Port 80 is used by the panel for its own ACME challenges.');
@@ -996,4 +1030,6 @@ module.exports = {
     generateX25519Keys,
     checkXrayNodeStatus,
     getXrayNodeLogs,
+    getPanelCertificates,
+    isSameVpsAsPanel,
 };

src/services/syncService.js

@@ -23,6 +23,7 @@ const axios = require('axios');
 const https = require('https');
 const config = require('../../config');
 const webhook = require('./webhookService');
+const { getPanelCertificates, isSameVpsAsPanel } = require('./nodeSetup');
 
 // HTTPS agent that ignores self-signed certs (agent uses self-signed cert by default)
 const selfSignedAgent = new https.Agent({ rejectUnauthorized: false });
@@ -445,11 +446,28 @@ class SyncService {
         try {
             await ssh.connect();
 
+            // Determine if this node uses TLS files (not ACME)
+            const useTlsFiles = node.useTlsFiles || !node.domain;
+            
+            // For same-VPS nodes or nodes using TLS files, ensure certificates exist
+            if (useTlsFiles || isSameVpsAsPanel(node)) {
+                const panelCerts = getPanelCertificates(config.PANEL_DOMAIN);
+                const certResult = await ssh.ensureCertificates(panelCerts);
+                
+                if (certResult.success) {
+                    if (certResult.action === 'uploaded') {
+                        logger.info(`[Sync] ${node.name}: certificates uploaded from panel`);
+                    }
+                } else {
+                    logger.warn(`[Sync] ${node.name}: certificate issue - ${certResult.error}`);
+                    logger.warn(`[Sync] ${node.name}: Hysteria may fail to start without valid certificates`);
+                }
+            }
+            
             // Use custom config or generate automatically
             let configContent;
             const customConfig = (node.customConfig || '').trim();
             if (node.useCustomConfig && customConfig && customConfig.length > 50) {
-                // Basic validation: must contain listen and auth/tls/acme
                 if (!customConfig.includes('listen:')) {
                     throw new Error('Custom config invalid: missing listen:');
                 }
@@ -465,7 +483,6 @@ class SyncService {
                 const authUrl = this.getAuthUrl();
                 const settings = await Settings.get();
                 const authInsecure = settings?.nodeAuth?.insecure ?? true;
-                const useTlsFiles = node.useTlsFiles || false;
                 configContent = configGenerator.generateNodeConfig(node, authUrl, { authInsecure, useTlsFiles });
             }