proxmox/scripts/cloudflare/configure-mifos-dns.sh

#!/usr/bin/env bash
# Create or update Cloudflare DNS for mifos.d-bis.org.
# Mode: "direct" = A record to PUBLIC_IP_MIFOS (76.53.10.41); "tunnel" = CNAME to tunnel (set CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02).
# Usage: MIFOS_DNS_MODE=direct bash scripts/cloudflare/configure-mifos-dns.sh
#        MIFOS_DNS_MODE=tunnel bash scripts/cloudflare/configure-mifos-dns.sh
# Requires: .env with CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY (or CLOUDFLARE_API_TOKEN), and config/ip-addresses.conf
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"
source config/ip-addresses.conf 2>/dev/null || true
[ -f .env ] && set +u && source .env 2>/dev/null || true && set -u

ZONE_ID="${CLOUDFLARE_ZONE_ID:-${CLOUDFLARE_ZONE_ID_D_BIS_ORG}}"
HOSTNAME="mifos.d-bis.org"
MODE="${MIFOS_DNS_MODE:-tunnel}"

if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
  AUTH_H=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")
elif [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then
  AUTH_H=(-H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY")
else
  echo "Set CLOUDFLARE_API_TOKEN or (CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY) in .env"
  exit 1
fi

[ -z "${ZONE_ID:-}" ] && { echo "Set CLOUDFLARE_ZONE_ID or CLOUDFLARE_ZONE_ID_D_BIS_ORG in .env"; exit 1; }

echo "Mifos DNS: $HOSTNAME (mode=$MODE)"

if [ "$MODE" = "direct" ]; then
  TARGET="${PUBLIC_IP_MIFOS:-76.53.10.41}"
  TYPE="A"
  CONTENT="$TARGET"
  DATA=$(jq -n --arg name "mifos" --arg content "$CONTENT" \
    '{type:"A",name:$name,content:$content,ttl:1,proxied:true}')
else
  TUNNEL_ID="${CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02:-}"
  [ -z "$TUNNEL_ID" ] && { echo "Set CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02 in .env for tunnel mode"; exit 1; }
  TARGET="${TUNNEL_ID}.cfargotunnel.com"
  TYPE="CNAME"
  CONTENT="$TARGET"
  DATA=$(jq -n --arg name "mifos" --arg content "$CONTENT" \
    '{type:"CNAME",name:$name,content:$content,ttl:1,proxied:true}')
fi

EXISTING=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${HOSTNAME}" \
  "${AUTH_H[@]}" -H "Content-Type: application/json")
RECORD_ID=$(echo "$EXISTING" | jq -r '.result[0].id // empty')
CURRENT_TYPE=$(echo "$EXISTING" | jq -r '.result[0].type // empty')
CURRENT_CONTENT=$(echo "$EXISTING" | jq -r '.result[0].content // empty')

if [ -n "$RECORD_ID" ] && [ "$RECORD_ID" != "null" ]; then
  if [ "$CURRENT_TYPE" = "$TYPE" ] && [ "$CURRENT_CONTENT" = "$CONTENT" ]; then
    echo "  $HOSTNAME: OK ($TYPE → $CONTENT)"
    exit 0
  fi
  UPD=$(curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
    "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$DATA")
  if echo "$UPD" | jq -e '.success == true' >/dev/null 2>&1; then
    echo "  $HOSTNAME: Updated $TYPE → $CONTENT"
  else
    echo "  $HOSTNAME: Update failed ($(echo "$UPD" | jq -r '.errors[0].message // "unknown"' 2>/dev/null))"
    exit 1
  fi
else
  CR=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
    "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$DATA")
  if echo "$CR" | jq -e '.success == true' >/dev/null 2>&1; then
    echo "  $HOSTNAME: Created $TYPE → $CONTENT"
  else
    echo "  $HOSTNAME: Create failed ($(echo "$CR" | jq -r '.errors[0].message // "unknown"' 2>/dev/null))"
    exit 1
  fi
fi