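#!/usr/bin/env bash
# Ensure TRUST_PROXY=1 exists in dbis_core API CT so req.ip / rate limits use X-Forwarded-For
# when traffic arrives via NPM or the Phoenix API hub nginx.
#
# Usage:
#   bash scripts/deployment/ensure-dbis-api-trust-proxy-on-ct.sh --dry-run --vmid 10150
#   PROXMOX_OPS_APPLY=1 PROXMOX_OPS_ALLOWED_VMIDS=10150 bash scripts/deployment/ensure-dbis-api-trust-proxy-on-ct.sh --apply --vmid 10150
#
# Mutations: appends lines to /opt/dbis-core/.env (backup first), restarts dbis-api.service.
#
# Security notes:
#   - With TRUST_PROXY enabled the API derives the client address from
#     X-Forwarded-For. That header is client-supplied unless a trusted proxy
#     overwrites it, so confirm the API port on the CT is reachable only through
#     NPM / the hub nginx; otherwise per-IP rate limits can be sidestepped.
#     NOTE(review): how dbis_core interprets TRUST_PROXY vs TRUST_PROXY_HOPS is
#     not visible from this script; verify against the application config.
#   - Everything sent to the PVE host runs as root. VMID is the only value
#     interpolated into the remote command line, so it is validated as digits;
#     ENV_PATH travels inside a %q-quoted script on stdin instead.
#   - Exit codes: 2 = bad arguments / unresolved host, 3 = refused by the
#     production guard.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/scripts/lib/load-project-env.sh"
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/scripts/lib/proxmox-production-guard.sh"

ENV_PATH="${DBIS_API_ENV_PATH:-/opt/dbis-core/.env}"
APPLY=false
DRY_RUN=false
VMID="${VMID_DBIS_API:-10150}"
# accept-new trusts a host key on first contact (TOFU) and only rejects keys
# that later change. For a root session to a production PVE node,
# pre-populating known_hosts and using StrictHostKeyChecking=yes is stricter;
# the value is left as the author set it.
# Kept as a plain string (expanded unquoted below) because sourced helpers may
# read it in that form.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"

while [[ $# -gt 0 ]]; do
  case "$1" in
    --apply) APPLY=true ;;
    --dry-run) DRY_RUN=true ;;
    --vmid) VMID="${2:?}"; shift ;;
    *) echo "Unknown arg: $1" >&2; exit 2 ;;
  esac
  shift
done

# VMID is spliced into the command string that the remote root shell parses.
# The allow-list guard only runs on the apply path, so reject anything that is
# not a plain number here, before any ssh call (dry-run included).
if [[ ! "$VMID" =~ ^[0-9]+$ ]]; then
  echo "Invalid --vmid (digits only): $VMID" >&2
  exit 2
fi

PROXMOX_HOST="${PROXMOX_HOST:-$(get_host_for_vmid "$VMID")}"
if [[ -z "$PROXMOX_HOST" ]]; then
  echo "Could not resolve a Proxmox host for VMID ${VMID}" >&2
  exit 2
fi

echo "=== ensure-dbis-api-trust-proxy-on-ct ==="
echo "PVE: root@${PROXMOX_HOST} VMID=${VMID} env=${ENV_PATH}"
echo ""

# Scratch directory for the generated remote scripts; removed on every exit path.
WORKDIR="$(mktemp -d)"
trap 'rm -rf -- "${WORKDIR:?}"' EXIT

if $DRY_RUN || ! $APPLY; then
  echo "[DRY-RUN] Would check ${ENV_PATH} on CT ${VMID}; append TRUST_PROXY=1 if missing; restart dbis-api."
  # Read-only probe. It is shipped on stdin with ENV_PATH %q-quoted (same
  # mechanism as the apply path) rather than interpolated into nested quotes,
  # so an unusual DBIS_API_ENV_PATH cannot alter the command the remote shells
  # parse. Values are masked (sed strips everything after '=') so .env contents
  # never reach the operator's terminal or logs.
  PROBE_SH="${WORKDIR}/probe.sh"
  {
    printf 'ENV_PATH=%q\n' "$ENV_PATH"
    cat <<'EOS'
if [[ ! -f "$ENV_PATH" ]]; then
  echo "(missing $ENV_PATH)"
  exit 0
fi
if grep -qE '^(TRUST_PROXY|TRUST_PROXY_HOPS)=' -- "$ENV_PATH" 2>/dev/null; then
  grep -E '^(TRUST_PROXY|TRUST_PROXY_HOPS)=' -- "$ENV_PATH" | sed 's/=.*/=/'
else
  echo '(no TRUST_PROXY / TRUST_PROXY_HOPS lines yet)'
fi
EOS
  } >"$PROBE_SH"
  # shellcheck disable=SC2029,SC2086
  ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -s" <"$PROBE_SH"
  echo "For apply: --apply and PROXMOX_OPS_APPLY=1 PROXMOX_OPS_ALLOWED_VMIDS=${VMID}"
  exit 0
fi

# Production guard: both the explicit apply flag and the VMID allow-list must
# pass before anything on the CT is modified.
if ! pguard_require_apply_flag true; then
  echo "Refused: set PROXMOX_OPS_APPLY=1" >&2
  exit 3
fi
if ! pguard_vmid_allowed "$VMID"; then
  exit 3
fi

REMOTE_SH="${WORKDIR}/remote.sh"
{
  # %q emits a bash-safe literal, so the path survives both remote shells intact.
  printf 'ENV_PATH=%q\n' "$ENV_PATH"
  cat <<'EOS'
set -euo pipefail
if [[ ! -f "$ENV_PATH" ]]; then
  echo "ERROR: missing $ENV_PATH" >&2
  exit 2
fi
# Idempotence check. The pattern is not anchored at the end, so any value that
# merely starts with 1/true/yes counts as enabled.
if grep -qE '^[[:space:]]*TRUST_PROXY[[:space:]]*=[[:space:]]*(1|true|yes)' -- "$ENV_PATH"; then
  echo "OK: TRUST_PROXY already enabled"
  exit 0
fi
# cp -a keeps mode and ownership, so the backup (which holds the same secrets
# as .env) is no more readable than the original. Backups are never pruned.
cp -a -- "$ENV_PATH" "${ENV_PATH}.bak.ensure-trust-proxy-$(date +%Y%m%d%H%M%S)"
# An existing TRUST_PROXY line with another value is left in place; which
# assignment takes effect then depends on how the service loads the file.
{
  echo ""
  echo "# Added by ensure-dbis-api-trust-proxy-on-ct.sh — NPM / Phoenix API hub"
  echo "TRUST_PROXY=1"
} >>"$ENV_PATH"
systemctl restart dbis-api.service
# Fails the run (set -e) if the unit did not come back up.
systemctl is-active dbis-api.service
echo "OK: appended TRUST_PROXY=1 and restarted dbis-api"
EOS
} >"$REMOTE_SH"

# shellcheck disable=SC2029,SC2086
ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -s" <"$REMOTE_SH"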