deployment: add NPMplus provision script for cybersecur.d-bis.org static upstream

Made-with: Cursor

scripts/deployment/provision-cybersecur-npmplus.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Create NPMplus proxy host for cybersecur.d-bis.org → static upstream (default: MIM web nginx IP).
+# Prerequisites: DNS A record for cybersecur.d-bis.org (Cloudflare → origin); static files on upstream (see CyberSecur-Global/deploy/).
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck disable=1091
+source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+_orig_npm_url="${NPM_URL:-}"
+_orig_npm_email="${NPM_EMAIL:-}"
+_orig_npm_password="${NPM_PASSWORD:-}"
+if [[ -f "${PROJECT_ROOT}/.env" ]]; then
+  set +u
+  set -a
+  # shellcheck disable=1091
+  source "${PROJECT_ROOT}/.env" 2>/dev/null || true
+  set +a
+  set -u
+  [[ -n "$_orig_npm_url" ]] && NPM_URL="$_orig_npm_url"
+  [[ -n "$_orig_npm_email" ]] && NPM_EMAIL="$_orig_npm_email"
+  [[ -n "$_orig_npm_password" ]] && NPM_PASSWORD="$_orig_npm_password"
+fi
+
+NPM_URL="${NPM_URL:-https://${IP_NPMPLUS:-192.168.11.167}:81}"
+NPM_EMAIL="${NPM_EMAIL:?Set NPM_EMAIL}"
+NPM_PASSWORD="${NPM_PASSWORD:?Set NPM_PASSWORD}"
+
+DOMAIN="${CYBERSECUR_DOMAIN:-cybersecur.d-bis.org}"
+FORWARD_HOST="${CYBERSECUR_FORWARD_HOST:-${IP_MIM_WEB:-192.168.11.37}}"
+FORWARD_PORT="${CYBERSECUR_FORWARD_PORT:-80}"
+
+curl_npm() { curl -s -k -L --connect-timeout 10 --max-time "${NPM_CURL_MAX_TIME:-120}" "$@"; }
+
+AUTH_JSON=$(jq -n --arg identity "$NPM_EMAIL" --arg secret "$NPM_PASSWORD" '{identity:$identity,secret:$secret}')
+TOKEN_RESPONSE=$(curl_npm -X POST "$NPM_URL/api/tokens" -H "Content-Type: application/json" -d "$AUTH_JSON")
+TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token // empty' 2>/dev/null || true)
+if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
+  echo "❌ NPM authentication failed" >&2
+  exit 1
+fi
+
+PROXY_HOSTS_JSON=$(curl_npm -X GET "$NPM_URL/api/nginx/proxy-hosts" -H "Authorization: Bearer $TOKEN")
+HOST_ID=$(echo "$PROXY_HOSTS_JSON" | jq -r --arg d "$DOMAIN" '.[] | select(.domain_names[]? == $d) | .id' 2>/dev/null | head -1 || true)
+
+if [[ -n "${HOST_ID:-}" && "$HOST_ID" != "null" ]]; then
+  echo "✓ Proxy host already exists: $DOMAIN (id=$HOST_ID)"
+  exit 0
+fi
+
+CREATE_PAYLOAD=$(jq -n \
+  --arg domain "$DOMAIN" \
+  --arg forward_host "$FORWARD_HOST" \
+  --argjson forward_port "$FORWARD_PORT" \
+  '{
+    domain_names: [$domain],
+    forward_scheme: "http",
+    forward_host: $forward_host,
+    forward_port: ($forward_port | tonumber),
+    allow_websocket_upgrade: false,
+    certificate_id: null,
+    ssl_forced: false
+  }')
+
+RESPONSE=$(curl_npm -X POST "$NPM_URL/api/nginx/proxy-hosts" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "$CREATE_PAYLOAD")
+
+NEW_ID=$(echo "$RESPONSE" | jq -r '.id // empty' 2>/dev/null || true)
+if [[ -n "$NEW_ID" && "$NEW_ID" != "null" ]]; then
+  echo "✓ Created $DOMAIN → http://${FORWARD_HOST}:${FORWARD_PORT} (proxy host id=$NEW_ID)"
+  echo "  Next: deploy static files to upstream (see CyberSecur-Global/deploy/) and request SSL in NPM or run request-npmplus-certificates.sh"
+else
+  echo "❌ Failed: $(echo "$RESPONSE" | jq -c . 2>/dev/null || echo "$RESPONSE")" >&2
+  exit 1
+fi