From baa28cc324d82e259a3f178ac1dd9abb567c294c Mon Sep 17 00:00:00 2001
From: defiQUG
Date: Mon, 27 Apr 2026 20:29:42 -0700
Subject: [PATCH] deployment: add NPMplus provision script for cybersecur.d-bis.org static upstream
Made-with: Cursor
---
 .../provision-cybersecur-npmplus.sh | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100755 scripts/deployment/provision-cybersecur-npmplus.sh
diff --git a/scripts/deployment/provision-cybersecur-npmplus.sh b/scripts/deployment/provision-cybersecur-npmplus.sh
new file mode 100755
index 00000000..fbf8ec84
--- /dev/null
+++ b/scripts/deployment/provision-cybersecur-npmplus.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Create NPMplus proxy host for cybersecur.d-bis.org → static upstream (default: MIM web nginx IP).
+# Prerequisites: DNS A record for cybersecur.d-bis.org (Cloudflare → origin); static files on upstream (see CyberSecur-Global/deploy/).
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck disable=1091
+source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+_orig_npm_url="${NPM_URL:-}"
+_orig_npm_email="${NPM_EMAIL:-}"
+_orig_npm_password="${NPM_PASSWORD:-}"
+if [[ -f "${PROJECT_ROOT}/.env" ]]; then
+  set +u
+  set -a
+  # shellcheck disable=1091
+  source "${PROJECT_ROOT}/.env" 2>/dev/null || true
+  set +a
+  set -u
+  [[ -n "$_orig_npm_url" ]] && NPM_URL="$_orig_npm_url"
+  [[ -n "$_orig_npm_email" ]] && NPM_EMAIL="$_orig_npm_email"
+  [[ -n "$_orig_npm_password" ]] && NPM_PASSWORD="$_orig_npm_password"
+fi
+
+NPM_URL="${NPM_URL:-https://${IP_NPMPLUS:-192.168.11.167}:81}"
+NPM_EMAIL="${NPM_EMAIL:?Set NPM_EMAIL}"
+NPM_PASSWORD="${NPM_PASSWORD:?Set NPM_PASSWORD}"
+
+DOMAIN="${CYBERSECUR_DOMAIN:-cybersecur.d-bis.org}"
+FORWARD_HOST="${CYBERSECUR_FORWARD_HOST:-${IP_MIM_WEB:-192.168.11.37}}"
+FORWARD_PORT="${CYBERSECUR_FORWARD_PORT:-80}"
+
+curl_npm() { curl -s -k -L --connect-timeout 10 --max-time "${NPM_CURL_MAX_TIME:-120}" "$@"; }
+
+AUTH_JSON=$(jq -n --arg identity "$NPM_EMAIL" --arg secret "$NPM_PASSWORD" '{identity:$identity,secret:$secret}')
+TOKEN_RESPONSE=$(curl_npm -X POST "$NPM_URL/api/tokens" -H "Content-Type: application/json" -d "$AUTH_JSON")
+TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token // empty' 2>/dev/null || true)
+if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
+  echo "❌ NPM authentication failed" >&2
+  exit 1
+fi
+
+PROXY_HOSTS_JSON=$(curl_npm -X GET "$NPM_URL/api/nginx/proxy-hosts" -H "Authorization: Bearer $TOKEN")
+HOST_ID=$(echo "$PROXY_HOSTS_JSON" | jq -r --arg d "$DOMAIN" '.[] | select(.domain_names[]? 
== $d) | .id' 2>/dev/null | head -1 || true)
+
+if [[ -n "${HOST_ID:-}" && "$HOST_ID" != "null" ]]; then
+  echo "✓ Proxy host already exists: $DOMAIN (id=$HOST_ID)"
+  exit 0
+fi
+
+CREATE_PAYLOAD=$(jq -n \
+  --arg domain "$DOMAIN" \
+  --arg forward_host "$FORWARD_HOST" \
+  --argjson forward_port "$FORWARD_PORT" \
+  '{
+    domain_names: [$domain],
+    forward_scheme: "http",
+    forward_host: $forward_host,
+    forward_port: ($forward_port | tonumber),
+    allow_websocket_upgrade: false,
+    certificate_id: null,
+    ssl_forced: false
+  }')
+
+RESPONSE=$(curl_npm -X POST "$NPM_URL/api/nginx/proxy-hosts" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "$CREATE_PAYLOAD")
+
+NEW_ID=$(echo "$RESPONSE" | jq -r '.id // empty' 2>/dev/null || true)
+if [[ -n "$NEW_ID" && "$NEW_ID" != "null" ]]; then
+  echo "✓ Created $DOMAIN → http://${FORWARD_HOST}:${FORWARD_PORT} (proxy host id=$NEW_ID)"
+  echo " Next: deploy static files to upstream (see CyberSecur-Global/deploy/) and request SSL in NPM or run request-npmplus-certificates.sh"
+else
+  echo "❌ Failed: $(echo "$RESPONSE" | jq -c . 2>/dev/null || echo "$RESPONSE")" >&2
+  exit 1
+fi
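Review bot: `curl_npm` runs every call with `-k -L`, so the admin credentials POSTed to `$NPM_URL/api/tokens` and the bearer token sent on the two proxy-host calls go to a server whose TLS certificate is never verified, and a redirect would replay them to whatever host answers; `-k` was presumably added because the default `192.168.11.167:81` endpoint serves a self-signed certificate, but for the control plane that owns this domain's proxy configuration it should be an explicit opt-out, not the default. Verify by default, accept a private CA via `NPM_CA_CERT`, require `NPM_INSECURE=1` to disable verification, and drop `-L`. Separately, `jq -n --arg secret "$NPM_PASSWORD"` and `curl -d "$AUTH_JSON"` both place the password in process argv, which any local user can read through `ps` or `/proc/*/cmdline`; pass it to jq through the environment and to curl on stdin with `-d @-`, as sketched below.
```shell
# … unchanged: env loading, NPM_URL/NPM_EMAIL/NPM_PASSWORD, DOMAIN/FORWARD_* …

# Verify the NPMplus certificate by default. NPM_CA_CERT trusts a private CA;
# NPM_INSECURE=1 is an explicit opt-out. No -L: a redirect must never replay
# the admin credentials or bearer token to another host.
curl_npm() {
  local -a opts=(-s --connect-timeout 10 --max-time "${NPM_CURL_MAX_TIME:-120}")
  if [[ -n "${NPM_CA_CERT:-}" ]]; then
    opts+=(--cacert "$NPM_CA_CERT")
  elif [[ "${NPM_INSECURE:-0}" == "1" ]]; then
    opts+=(-k)
  fi
  curl "${opts[@]}" "$@"
}

# Keep the password out of argv: jq reads it from the environment and curl
# reads the request body from stdin.
AUTH_JSON=$(NPM_PASSWORD="$NPM_PASSWORD" jq -n --arg identity "$NPM_EMAIL" \
  '{identity:$identity,secret:env.NPM_PASSWORD}')
TOKEN_RESPONSE=$(printf '%s' "$AUTH_JSON" | curl_npm -X POST "$NPM_URL/api/tokens" \
  -H "Content-Type: application/json" -d @-)
# … unchanged: token check, proxy-host lookup and creation …
```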