fix: escape special characters in passwords for sed

Base64 passwords can contain /, +, = which break sed with |
delimiter. Also escape & and \ characters for safety.

.github/workflows/install-script-test.yml

@@ -0,0 +1,130 @@
+name: Install Script Test
+
+on:
+  push:
+    paths:
+      - 'scripts/install-ubuntu.sh'
+      - '.github/workflows/install-script-test.yml'
+  pull_request:
+    paths:
+      - 'scripts/install-ubuntu.sh'
+      - '.github/workflows/install-script-test.yml'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  install-test:
+    name: Test Install Script (${{ matrix.scenario }})
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - scenario: default
+            db_pass: ''
+          - scenario: custom-password
+            db_pass: 'TestPass123!'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Make install script executable
+        run: chmod +x scripts/install-ubuntu.sh
+
+      - name: Run install script
+        env:
+          DB_PASS: ${{ matrix.db_pass }}
+        run: |
+          echo "Running install script with scenario: ${{ matrix.scenario }}"
+          sudo -E bash scripts/install-ubuntu.sh 2>&1 | tee install-output.log
+          echo "Install completed successfully"
+
+      - name: Wait for services to stabilize
+        run: sleep 10
+
+      - name: Verify Apache is running
+        run: |
+          echo "Checking Apache status..."
+          sudo systemctl status apache2 --no-pager
+          sudo systemctl is-active apache2
+
+      - name: Verify MariaDB is running
+        run: |
+          echo "Checking MariaDB status..."
+          sudo systemctl status mariadb --no-pager
+          sudo systemctl is-active mariadb
+
+      - name: Verify Apache HTTP response
+        run: |
+          echo "Testing HTTP response on port 80..."
+          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost/)
+          echo "HTTP Response Code: $HTTP_CODE"
+          if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "302" ]; then
+            echo "Apache is responding correctly"
+          elif [ "$HTTP_CODE" = "500" ]; then
+            echo "HTTP 500 - Application error. Checking .env configuration..."
+            sudo cat /var/www/ospos/.env 2>/dev/null | grep -E "database\.default\.(hostname|database|username|password)|encryption\.key|CI_ENVIRONMENT" | head -10
+            sudo cat /var/www/ospos/writable/logs/*.log 2>/dev/null | tail -20 || true
+            curl -s http://localhost/ | head -50
+            exit 1
+          else
+            echo "Unexpected HTTP code: $HTTP_CODE"
+            exit 1
+          fi
+
+      - name: Verify OSPOS login page
+        run: |
+          echo "Checking OSPOS login page..."
+          curl -s http://localhost/ | grep -qi "login\|password\|username" && echo "Login page content found" || {
+            echo "Login page verification failed"
+            curl -s http://localhost/ | head -50
+            exit 1
+          }
+
+      - name: Verify database exists
+        env:
+          DB_PASS: ${{ matrix.db_pass != '' && matrix.db_pass || '' }}
+        run: |
+          echo "Verifying database..."
+          
+          # Extract the generated password from install output if using default
+          if [ -z "${{ matrix.db_pass }}" ]; then
+            GENERATED_PASS=$(grep -oP 'Database Password: \K[^\s]+' install-output.log || true)
+            if [ -n "$GENERATED_PASS" ]; then
+              DB_PASS="$GENERATED_PASS"
+            fi
+          fi
+          
+          # Check database exists
+          sudo mysql -u root -e "SHOW DATABASES LIKE 'ospos';" | grep -q ospos && echo "Database 'ospos' exists" || {
+            echo "Database 'ospos' not found"
+            sudo mysql -u root -e "SHOW DATABASES;"
+            exit 1
+          }
+          
+          # Check tables exist
+          TABLE_COUNT=$(sudo mysql -u root ospos -e "SHOW TABLES;" | wc -l)
+          echo "Found $TABLE_COUNT tables in database"
+          if [ "$TABLE_COUNT" -gt 5 ]; then
+            echo "Database tables verified"
+          else
+            echo "Not enough tables found"
+            exit 1
+          fi
+
+      - name: Upload install log
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: install-log-${{ matrix.scenario }}
+          path: install-output.log
+          retention-days: 7

INSTALL.md

@@ -102,5 +102,73 @@ Do **not** use below command on live deployments unless you want to tear everyth
 
 ## Cloud install
 
-If you choose DigitalOcean:
-[Through this link](https://m.do.co/c/ac38c262507b), you will get a [**free $100, 60-day credit**](https://m.do.co/c/ac38c262507b). [Check the wiki](https://github.com/opensourcepos/opensourcepos/wiki/Getting-Started-installations) for further instructions on how to install the necessary components.
+### Recommended: DigitalOcean
+
+Sign up through [our referral link](https://m.do.co/c/ac38c262507b) to get a [**$100, 60-day credit**](https://m.do.co/c/ac38c262507b).
+
+1. Create an Ubuntu 20.04+ or 22.04+ droplet
+2. SSH into your server: `ssh root@<your-droplet-ip>`
+3. Run the one-line installer:
+   ```bash
+   curl -sSL https://opensourcepos.org/install | sudo bash
+   ```
+
+The installer will:
+- Install Apache, MariaDB, PHP 8.2 and required extensions
+- Download the **latest stable release** of OSPOS from GitHub
+- Create a database with secure random password
+- Configure OSPOS and Apache
+- **Set up SSL/TLS certificates** (interactive prompt or environment variables)
+- Display login credentials after completion
+
+**Interactive Mode (Recommended for first-time users):**
+
+When run without environment variables, the installer will prompt you:
+1. Whether to configure SSL (recommended for production)
+2. Your domain name (e.g., `pos.example.com`)
+3. Your email for Let's Encrypt (for production SSL)
+
+```bash
+curl -sSL https://opensourcepos.org/install | sudo bash
+# Script will ask:
+# - Configure SSL? (y/n)
+# - Domain name: pos.example.com
+# - Email for Let's Encrypt: admin@example.com
+```
+
+**Non-Interactive Mode (for automation):**
+
+```bash
+# Development (no SSL)
+curl -sSL https://opensourcepos.org/install | APACHE_SERVER_NAME=localhost sudo -E bash
+
+# Production with Let's Encrypt SSL
+curl -sSL https://opensourcepos.org/install | APACHE_SERVER_NAME=pos.example.com SSL_EMAIL=admin@example.com sudo -E bash
+
+# Custom database password
+curl -sSL https://opensourcepos.org/install | DB_PASS=securepassword APACHE_SERVER_NAME=pos.example.com SSL_EMAIL=admin@example.com sudo -E bash
+```
+
+**Environment variables:**
+- `DB_HOST` - Database host (default: localhost)
+- `DB_NAME` - Database name (default: ospos)
+- `DB_USER` - Database user (default: ospos)
+- `DB_PASS` - Database password (default: auto-generated)
+- `MYSQL_ROOT_PASS` - MariaDB root password (default: empty/no password)
+- `OSPOS_DIR` - Installation directory (default: /var/www/ospos)
+- `OSPOS_VERSION` - OSPOS version to install (default: latest stable release)
+- `PHP_VERSION` - PHP version (default: 8.2)
+- `APACHE_SERVER_NAME` - Server hostname (default: localhost, or set interactively)
+- `SSL_EMAIL` - Email for Let's Encrypt. When set, enables production SSL with auto-renewal
+- `SSL_DOMAIN` - Alternative to `APACHE_SERVER_NAME` for SSL certificate domain
+
+> **Testing:** This installer is tested with each commit via our CI workflow. A fresh Ubuntu container is spawned, the script runs to completion, and basic sanity checks verify the installation. For production deployments, we recommend testing on a staging server first. If you encounter issues, please [open an issue](https://github.com/opensourcepos/opensourcepos/issues/new?template=bug_report.yml) with your server version and error output.
+
+> **Note:** If the short URL is unavailable, use the direct GitHub URL:
+> ```bash
+> curl -sSL https://raw.githubusercontent.com/opensourcepos/opensourcepos/master/scripts/install-ubuntu.sh | sudo bash
+> ```
+
+For other cloud providers or manual installation, see the [detailed installation guide](https://github.com/opensourcepos/opensourcepos/wiki/Getting-Started-installations) in the wiki.
+
+**Important:** Change the default password after first login!

scripts/install-ubuntu.sh

@@ -0,0 +1,381 @@
+#!/bin/bash
+
+set -e
+
+COLOR_RED='\033[0;31m'
+COLOR_GREEN='\033[0;32m'
+COLOR_YELLOW='\033[1;33m'
+COLOR_BLUE='\033[0;34m'
+COLOR_RESET='\033[0m'
+
+echo -e "${COLOR_BLUE}╔══════════════════════════════════════════════════════════╗${COLOR_RESET}"
+echo -e "${COLOR_BLUE}║     Open Source Point of Sale - Ubuntu Installer        ║${COLOR_RESET}"
+echo -e "${COLOR_BLUE}║                    Version 3.4+                          ║${COLOR_RESET}"
+echo -e "${COLOR_BLUE}╚══════════════════════════════════════════════════════════╝${COLOR_RESET}"
+echo ""
+
+if [ "$EUID" -ne 0 ]; then
+    echo -e "${COLOR_RED}Please run this script as root or with sudo${COLOR_RESET}"
+    exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+DB_HOST="${DB_HOST:-localhost}"
+DB_NAME="${DB_NAME:-ospos}"
+DB_USER="${DB_USER:-ospos}"
+DB_PASS="${DB_PASS:-$(openssl rand -base64 24)}"
+OSPOS_DIR="${OSPOS_DIR:-/var/www/ospos}"
+OSPOS_VERSION="${OSPOS_VERSION:-}"
+PHP_VERSION="${PHP_VERSION:-8.2}"
+APACHE_SERVER_NAME="${APACHE_SERVER_NAME:-}"
+SSL_EMAIL="${SSL_EMAIL:-}"
+SSL_DOMAIN="${SSL_DOMAIN:-}"
+MYSQL_ROOT_PASS="${MYSQL_ROOT_PASS:-}"
+
+# Validate database variables contain only safe characters (alphanumeric, underscore, hyphen, dot)
+validate_db_vars() {
+    local var_name="$1"
+    local var_value="$2"
+    local pattern='^[a-zA-Z0-9_\-\.]+$'
+    if [[ ! "$var_value" =~ $pattern ]]; then
+        echo -e "${COLOR_RED}Error: ${var_name} contains invalid characters. Only alphanumeric, underscore, hyphen, and dot are allowed.${COLOR_RESET}"
+        exit 1
+    fi
+}
+
+# Validate critical database variables
+validate_db_vars "DB_NAME" "$DB_NAME"
+validate_db_vars "DB_USER" "$DB_USER"
+validate_db_vars "DB_HOST" "$DB_HOST"
+
+# Check if running interactively
+INTERACTIVE=false
+if [ -t 0 ]; then
+    INTERACTIVE=true
+fi
+
+echo -e "${COLOR_YELLOW}Configuration:${COLOR_RESET}"
+echo -e "  Database Name: ${DB_NAME}"
+echo -e "  Database User: ${DB_USER}"
+echo -e "  Database Host: ${DB_HOST}"
+echo -e "  Install Directory: ${OSPOS_DIR}"
+echo -e "  PHP Version: ${PHP_VERSION}"
+if [ -n "$OSPOS_VERSION" ]; then
+    echo -e "  OSPOS Version: ${OSPOS_VERSION}"
+else
+    echo -e "  OSPOS Version: latest"
+fi
+if [ -n "$APACHE_SERVER_NAME" ]; then
+    echo -e "  Server Name: ${APACHE_SERVER_NAME}"
+fi
+echo ""
+
+if [ -d "$OSPOS_DIR" ]; then
+    echo -e "${COLOR_RED}Installation directory $OSPOS_DIR already exists${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Remove it or set OSPOS_DIR environment variable${COLOR_RESET}"
+    exit 1
+fi
+
+echo -e "${COLOR_GREEN}[1/9] Updating system packages...${COLOR_RESET}"
+apt-get update -qq
+
+echo -e "${COLOR_GREEN}[2/9] Installing Apache, PHP, and dependencies...${COLOR_RESET}"
+# Add PHP repository for newer PHP versions if not available in default repos
+if ! apt-cache policy php${PHP_VERSION} 2>/dev/null | grep -q "Candidate:"; then
+    echo -e "${COLOR_YELLOW}PHP ${PHP_VERSION} not in default repos, adding ondrej/php PPA...${COLOR_RESET}"
+    apt-get install -y -qq software-properties-common
+    add-apt-repository -y ppa:ondrej/php
+    apt-get update -qq
+fi
+
+apt-get install -y -qq \
+    apache2 \
+    mariadb-server \
+    mariadb-client \
+    php${PHP_VERSION} \
+    php${PHP_VERSION}-mysql \
+    php${PHP_VERSION}-gd \
+    php${PHP_VERSION}-bcmath \
+    php${PHP_VERSION}-intl \
+    php${PHP_VERSION}-mbstring \
+    php${PHP_VERSION}-curl \
+    php${PHP_VERSION}-xml \
+    php${PHP_VERSION}-zip \
+    git \
+    curl \
+    unzip \
+    openssl
+
+echo -e "${COLOR_GREEN}[3/9] Starting MariaDB...${COLOR_RESET}"
+systemctl start mariadb
+systemctl enable mariadb
+
+if [ -z "$MYSQL_ROOT_PASS" ]; then
+    echo -e "${COLOR_BLUE}Securing MariaDB installation...${COLOR_RESET}"
+    mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '';"
+    mysql -e "FLUSH PRIVILEGES;"
+else
+    mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASS}';"
+fi
+
+echo -e "${COLOR_GREEN}[4/9] Creating database and user...${COLOR_RESET}"
+if [ -n "$MYSQL_ROOT_PASS" ]; then
+    mysql -u root -p"${MYSQL_ROOT_PASS}" <<EOF
+CREATE DATABASE IF NOT EXISTS ${DB_NAME} CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
+CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}' IDENTIFIED BY '${DB_PASS}';
+GRANT ALL PRIVILEGES ON ${DB_NAME}.* TO '${DB_USER}'@'${DB_HOST}';
+FLUSH PRIVILEGES;
+EOF
+else
+    mysql -u root <<EOF
+CREATE DATABASE IF NOT EXISTS ${DB_NAME} CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
+CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}' IDENTIFIED BY '${DB_PASS}';
+GRANT ALL PRIVILEGES ON ${DB_NAME}.* TO '${DB_USER}'@'${DB_HOST}';
+FLUSH PRIVILEGES;
+EOF
+fi
+
+echo -e "${COLOR_GREEN}[5/9] Downloading OSPOS...${COLOR_RESET}"
+mkdir -p "$(dirname "$OSPOS_DIR")"
+cd "$(dirname "$OSPOS_DIR")"
+
+if [ -z "$OSPOS_VERSION" ]; then
+    OSPOS_VERSION=$(curl -sS https://api.github.com/repos/opensourcepos/opensourcepos/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
+    if [ -z "$OSPOS_VERSION" ]; then
+        echo -e "${COLOR_RED}Failed to get latest release version${COLOR_RESET}"
+        exit 1
+    fi
+fi
+
+echo -e "${COLOR_BLUE}Downloading OSPOS version ${OSPOS_VERSION}...${COLOR_RESET}"
+ASSET_URL=$(curl -sS "https://api.github.com/repos/opensourcepos/opensourcepos/releases/tags/${OSPOS_VERSION}" | grep '"browser_download_url"' | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
+
+if [ -z "$ASSET_URL" ]; then
+    echo -e "${COLOR_RED}Failed to find release asset for ${OSPOS_VERSION}${COLOR_RESET}"
+    exit 1
+fi
+
+curl -sSL "$ASSET_URL" -o ospos.zip
+
+if [ ! -f ospos.zip ] || [ ! -s ospos.zip ]; then
+    echo -e "${COLOR_RED}Failed to download OSPOS release ${OSPOS_VERSION}${COLOR_RESET}"
+    rm -f ospos.zip
+    exit 1
+fi
+
+unzip -q ospos.zip -d ospos-temp
+mkdir -p "${OSPOS_DIR}"
+cp -r ospos-temp/. "${OSPOS_DIR}/"
+rm -rf ospos-temp ospos.zip
+
+echo -e "${COLOR_GREEN}Downloaded OSPOS ${OSPOS_VERSION}${COLOR_RESET}"
+
+echo -e "${COLOR_GREEN}[6/9] Setting up OSPOS...${COLOR_RESET}"
+cd "${OSPOS_DIR}"
+
+curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer 2>/dev/null
+
+if [ -f "composer.json" ]; then
+    echo -e "${COLOR_BLUE}Installing dependencies...${COLOR_RESET}"
+    composer install --no-dev --optimize-autoloader --no-interaction --quiet 2>/dev/null
+fi
+
+echo -e "${COLOR_GREEN}[7/9] Configuring OSPOS...${COLOR_RESET}"
+if [ -f ".env.example" ]; then
+    cp .env.example .env
+fi
+
+if [ -f ".env" ]; then
+    # Escape special characters in password for sed
+    ESCAPED_DB_PASS=$(printf '%s\n' "$DB_PASS" | sed 's/[&/\]/\\&/g')
+    
+    sed -i "s|database\.default\.hostname = 'localhost'|database.default.hostname = '${DB_HOST}'|" .env
+    sed -i "s|database\.default\.database = 'ospos'|database.default.database = '${DB_NAME}'|" .env
+    sed -i "s|database\.default\.username = 'admin'|database.default.username = '${DB_USER}'|" .env
+    sed -i "s|database\.default\.password = 'pointofsale'|database.default.password = '${ESCAPED_DB_PASS}'|" .env
+    sed -i "s|CI_ENVIRONMENT = development|CI_ENVIRONMENT = production|" .env
+    
+    if grep -q "encryption\.key = ''" .env; then
+        ENCRYPTION_KEY=$(openssl rand -base64 32)
+        ESCAPED_KEY=$(printf '%s\n' "$ENCRYPTION_KEY" | sed 's/[&/\]/\\&/g')
+        sed -i "s|encryption\.key = ''|encryption.key = '${ESCAPED_KEY}'|" .env
+    fi
+fi
+
+echo -e "${COLOR_GREEN}[8/9] Importing database schema...${COLOR_RESET}"
+if [ -n "$MYSQL_ROOT_PASS" ]; then
+    mysql -u root -p"${MYSQL_ROOT_PASS}" ${DB_NAME} < app/Database/database.sql
+else
+    mysql -u root ${DB_NAME} < app/Database/database.sql
+fi
+
+# Interactive SSL configuration
+if $INTERACTIVE && [ -z "$SSL_EMAIL" ] && [ -z "$APACHE_SERVER_NAME" ]; then
+    echo ""
+    echo -e "${COLOR_BLUE}╔══════════════════════════════════════════════════════════╗${COLOR_RESET}"
+    echo -e "${COLOR_BLUE}║            SSL/TLS Configuration                          ║${COLOR_RESET}"
+    echo -e "${COLOR_BLUE}╚══════════════════════════════════════════════════════════╝${COLOR_RESET}"
+    echo ""
+    echo -e "${COLOR_YELLOW}SSL provides secure HTTPS access to your OSPOS installation.${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}For production, we recommend Let's Encrypt (free SSL certificate).${COLOR_RESET}"
+    echo ""
+    
+    read -p "Configure SSL? (y/n) [n]: " CONFIGURE_SSL
+    CONFIGURE_SSL=${CONFIGURE_SSL:-n}
+    
+    if [[ "$CONFIGURE_SSL" =~ ^[Yy]$ ]]; then
+        read -p "Enter your domain name (e.g., pos.example.com): " SSL_DOMAIN
+        SSL_DOMAIN=${SSL_DOMAIN:-localhost}
+        APACHE_SERVER_NAME=$SSL_DOMAIN
+        
+        read -p "Enter your email for Let's Encrypt notifications: " SSL_EMAIL
+        
+        if [ -z "$SSL_EMAIL" ]; then
+            echo -e "${COLOR_YELLOW}No email provided. Using self-signed certificate (not recommended for production).${COLOR_RESET}"
+            SSL_TYPE="self-signed"
+        else
+            SSL_TYPE="letsencrypt"
+        fi
+    else
+        APACHE_SERVER_NAME="localhost"
+        SSL_TYPE="none"
+    fi
+fi
+
+# Set default server name if not provided
+if [ -z "$APACHE_SERVER_NAME" ]; then
+    APACHE_SERVER_NAME="localhost"
+fi
+
+# If SSL_EMAIL is set without SSL_DOMAIN, use APACHE_SERVER_NAME
+if [ -n "$SSL_EMAIL" ] && [ -z "$SSL_DOMAIN" ] && [ "$APACHE_SERVER_NAME" != "localhost" ]; then
+    SSL_DOMAIN="$APACHE_SERVER_NAME"
+fi
+
+echo -e "${COLOR_GREEN}[9/9] Configuring Apache...${COLOR_RESET}"
+cat > /etc/apache2/sites-available/ospos.conf <<EOF
+<VirtualHost *:80>
+    ServerName ${APACHE_SERVER_NAME}
+    DocumentRoot ${OSPOS_DIR}/public
+
+    <Directory ${OSPOS_DIR}/public>
+        Options -Indexes +FollowSymLinks
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    ErrorLog \${APACHE_LOG_DIR}/ospos_error.log
+    CustomLog \${APACHE_LOG_DIR}/ospos_access.log combined
+</VirtualHost>
+EOF
+
+a2enmod rewrite
+a2dissite 000-default.conf
+a2ensite ospos.conf
+
+chown -R www-data:www-data "${OSPOS_DIR}"
+chmod -R 750 "${OSPOS_DIR}/writable"
+
+systemctl restart apache2
+systemctl enable apache2
+
+# Configure SSL if requested
+if [ -n "$SSL_EMAIL" ] && [ -n "$SSL_DOMAIN" ]; then
+    # Let's Encrypt SSL
+    echo -e "${COLOR_BLUE}Installing Certbot for Let's Encrypt...${COLOR_RESET}"
+    apt-get install -y -qq certbot python3-certbot-apache
+    
+    echo -e "${COLOR_BLUE}Obtaining SSL certificate for ${SSL_DOMAIN}...${COLOR_RESET}"
+    certbot --apache -d ${SSL_DOMAIN} --non-interactive --agree-tos --email ${SSL_EMAIL} --redirect
+    
+    echo -e "${COLOR_BLUE}Setting up auto-renewal...${COLOR_RESET}"
+    systemctl enable certbot.timer
+    systemctl start certbot.timer
+    
+    PROTOCOL="https"
+    FINAL_URL="https://${SSL_DOMAIN}/"
+elif [ -n "$SSL_DOMAIN" ]; then
+    # Self-signed SSL
+    echo -e "${COLOR_BLUE}Generating self-signed SSL certificate...${COLOR_RESET}"
+    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -keyout /etc/ssl/private/ospos-selfsigned.key \
+        -out /etc/ssl/certs/ospos-selfsigned.crt \
+        -subj "/C=US/ST=State/L=City/O=Organization/CN=${SSL_DOMAIN}" 2>/dev/null
+    
+    cat > /etc/apache2/sites-available/ospos-ssl.conf <<EOF
+<VirtualHost *:443>
+    ServerName ${SSL_DOMAIN}
+    DocumentRoot ${OSPOS_DIR}/public
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/certs/ospos-selfsigned.crt
+    SSLCertificateKeyFile /etc/ssl/private/ospos-selfsigned.key
+
+    <Directory ${OSPOS_DIR}/public>
+        Options -Indexes +FollowSymLinks
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    ErrorLog \${APACHE_LOG_DIR}/ospos_ssl_error.log
+    CustomLog \${APACHE_LOG_DIR}/ospos_ssl_access.log combined
+</VirtualHost>
+EOF
+    
+    a2enmod ssl
+    a2ensite ospos-ssl.conf
+    
+    cat > /etc/apache2/sites-available/ospos.conf <<EOF
+<VirtualHost *:80>
+    ServerName ${SSL_DOMAIN}
+    Redirect permanent / https://${SSL_DOMAIN}/
+</VirtualHost>
+EOF
+    
+    a2dissite ospos.conf
+    a2ensite ospos.conf
+    
+    PROTOCOL="https"
+    FINAL_URL="https://${SSL_DOMAIN}/"
+    
+    echo -e "${COLOR_YELLOW}Note: Your browser will show a security warning for self-signed${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}      certificates. For production, re-run with an email for Let's Encrypt.${COLOR_RESET}"
+else
+    PROTOCOL="http"
+    FINAL_URL="http://${APACHE_SERVER_NAME}/"
+fi
+
+systemctl restart apache2
+
+# Configure allowed hostnames
+if [ -f "${OSPOS_DIR}/.env" ]; then
+    sed -i "s|app\.allowedHostnames = ''|app.allowedHostnames = '${APACHE_SERVER_NAME}'|" ${OSPOS_DIR}/.env
+fi
+
+echo ""
+echo -e "${COLOR_GREEN}╔══════════════════════════════════════════════════════════╗${COLOR_RESET}"
+echo -e "${COLOR_GREEN}║            Installation Complete!                         ║${COLOR_RESET}"
+echo -e "${COLOR_GREEN}╚══════════════════════════════════════════════════════════╝${COLOR_RESET}"
+echo ""
+echo -e "${COLOR_YELLOW}Database Credentials:${COLOR_RESET}"
+echo -e "  Database: ${DB_NAME}"
+echo -e "  Username: ${DB_USER}"
+echo -e "  Password: ${DB_PASS}"
+echo ""
+echo -e "${COLOR_YELLOW}Login Credentials:${COLOR_RESET}"
+echo -e "  URL:      ${FINAL_URL}"
+if [ -n "$SSL_EMAIL" ]; then
+    echo -e "  SSL:      Let's Encrypt (auto-renewal enabled)"
+elif [ -n "$SSL_DOMAIN" ]; then
+    echo -e "  SSL:      Self-signed certificate"
+else
+    echo -e "  SSL:      Not configured (HTTP only)"
+fi
+echo -e "  Username: admin"
+echo -e "  Password: pointofsale"
+echo ""
+echo -e "${COLOR_RED}IMPORTANT: Change the default password after first login!${COLOR_RESET}"
+echo ""
+echo -e "${COLOR_BLUE}Configuration file: ${OSPOS_DIR}/.env${COLOR_RESET}"
+echo ""