Add multi-provider DNS registry for ACME DNS-01 challenges

Replace hardcoded Cloudflare DNS-01 with a data-driven provider registry
supporting 11 providers (Cloudflare, Route 53, DigitalOcean, Duck DNS,
Hetzner, Vultr, Porkbun, GoDaddy, Namecheap, OVH, Linode). Users can
configure multiple providers with encrypted credentials and select a
default. Per-certificate provider override is supported via providerOptions.

- Add src/lib/dns-providers.ts with provider definitions, credential
  encrypt/decrypt, and Caddy config builder
- Change DnsProviderSettings to multi-provider format with default selection
- Auto-migrate legacy Cloudflare settings on startup (db.ts)
- Normalize old single-provider format on read (getDnsProviderSettings)
- Refactor buildTlsAutomation() to use provider registry
- Add GET /api/v1/dns-providers endpoint for provider discovery
- Add dns-provider settings group to REST API and instance sync
- Replace Cloudflare settings card with multi-provider UI (add/remove
  providers, set default, dynamic credential forms)
- Add 10 DNS provider modules to Caddy Dockerfile
- Update OpenAPI spec, E2E tests, and unit test mocks

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/api/v1/dns-providers/route.ts

@@ -0,0 +1,30 @@
+import { NextRequest, NextResponse } from "next/server";
+import { requireApiUser, apiErrorResponse } from "@/src/lib/api-auth";
+import { DNS_PROVIDERS } from "@/src/lib/dns-providers";
+
+export async function GET(request: NextRequest) {
+  try {
+    await requireApiUser(request);
+
+    // Return provider definitions without any credential values
+    const providers = DNS_PROVIDERS.map(({ name, displayName, description, docsUrl, fields, modulePath }) => ({
+      name,
+      displayName,
+      description,
+      docsUrl,
+      modulePath,
+      fields: fields.map(({ key, label, type, placeholder, description, required }) => ({
+        key,
+        label,
+        type,
+        placeholder,
+        description,
+        required,
+      })),
+    }));
+
+    return NextResponse.json(providers);
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
+}

app/api/v1/openapi.json/route.ts

@@ -784,6 +784,7 @@ const spec = {
               enum: [
                 "general",
                 "cloudflare",
+                "dns-provider",
                 "authentik",
                 "metrics",
                 "logging",
@@ -807,6 +808,7 @@ const spec = {
                   oneOf: [
                     { $ref: "#/components/schemas/GeneralSettings" },
                     { $ref: "#/components/schemas/CloudflareSettings" },
+                    { $ref: "#/components/schemas/DnsProviderSettings" },
                     { $ref: "#/components/schemas/AuthentikSettings" },
                     { $ref: "#/components/schemas/MetricsSettings" },
                     { $ref: "#/components/schemas/LoggingSettings" },
@@ -836,6 +838,7 @@ const spec = {
               enum: [
                 "general",
                 "cloudflare",
+                "dns-provider",
                 "authentik",
                 "metrics",
                 "logging",
@@ -1864,6 +1867,27 @@ const spec = {
         },
         required: ["apiToken"],
       },
+      DnsProviderSettings: {
+        type: "object",
+        description: "DNS provider configuration for ACME DNS-01 challenges. Supports multiple configured providers with a default.",
+        properties: {
+          providers: {
+            type: "object",
+            additionalProperties: {
+              type: "object",
+              additionalProperties: { type: "string" },
+              description: "Credential key-value pairs for this provider",
+            },
+            description: "Configured providers keyed by name (e.g. { cloudflare: { api_token: '...' }, route53: { ... } })",
+          },
+          default: {
+            type: "string",
+            nullable: true,
+            description: "Name of the default provider used for DNS-01 challenges (null = HTTP-01 only)",
+          },
+        },
+        required: ["providers", "default"],
+      },
       AuthentikSettings: {
         type: "object",
         properties: {

app/api/v1/settings/[group]/route.ts

@@ -7,6 +7,7 @@ import {
   getMetricsSettings, saveMetricsSettings,
   getLoggingSettings, saveLoggingSettings,
   getDnsSettings, saveDnsSettings,
+  getDnsProviderSettings, saveDnsProviderSettings,
   getUpstreamDnsResolutionSettings, saveUpstreamDnsResolutionSettings,
   getGeoBlockSettings, saveGeoBlockSettings,
   getWafSettings, saveWafSettings,
@@ -27,6 +28,7 @@ const SETTINGS_HANDLERS: Record<string, SettingsHandler> = {
   metrics: { get: getMetricsSettings, save: saveMetricsSettings as (data: never) => Promise<void>, applyCaddy: true },
   logging: { get: getLoggingSettings, save: saveLoggingSettings as (data: never) => Promise<void>, applyCaddy: true },
   dns: { get: getDnsSettings, save: saveDnsSettings as (data: never) => Promise<void>, applyCaddy: true },
+  "dns-provider": { get: getDnsProviderSettings, save: saveDnsProviderSettings as (data: never) => Promise<void>, applyCaddy: true },
   "upstream-dns": { get: getUpstreamDnsResolutionSettings, save: saveUpstreamDnsResolutionSettings as (data: never) => Promise<void>, applyCaddy: true },
   geoblock: { get: getGeoBlockSettings, save: saveGeoBlockSettings as (data: never) => Promise<void>, applyCaddy: true },
   waf: { get: getWafSettings, save: saveWafSettings as (data: never) => Promise<void>, applyCaddy: true },