proxmox/scripts/install-tunnel-mifos-r630-02.sh
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


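#!/usr/bin/env bash
# Install Cloudflare Tunnel (cloudflared) inside LXC 5800 (mifos) on r630-02.
# Run after creating the tunnel in Cloudflare Zero Trust and copying the token.
#
# Usage: CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02='eyJ...' ./scripts/install-tunnel-mifos-r630-02.sh
#   Or:  ./scripts/install-tunnel-mifos-r630-02.sh <TUNNEL_TOKEN>
#
# Optional environment:
#   CLOUDFLARED_VERSION     Release tag to install (e.g. 2024.1.0 - constructed
#                           example). Default: latest.
#   CLOUDFLARED_DEB_SHA256  Expected SHA-256 of the .deb; verified before
#                           dpkg runs. Only meaningful with a pinned version.
#
# Security notes:
#   - The tunnel token is a bearer credential for the tunnel. Prefer the
#     environment variable (or an uncommitted .env): a token passed as $1 is
#     visible in the local process list and shell history.
#   - The token is forwarded to the container over ssh stdin so it does not
#     appear in the ssh command line or in the pct command line on the
#     Proxmox host. It is still passed to `cloudflared service install` as an
#     argument inside the container.
#   - Everything here runs as root on the hypervisor and in the container.
#
# See: docs/04-configuration/MIFOS_R630_02_DEPLOYMENT.md
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"

# Both files below are sourced, i.e. executed as shell code with the caller's
# privileges; they must be writable only by trusted operators.
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

# Optional: load .env for token. set +a is always reached so allexport does
# not stay enabled when sourcing fails part-way.
if [[ -f "${PROJECT_ROOT}/.env" ]]; then
  set -a
  # shellcheck source=/dev/null
  source "${PROJECT_ROOT}/.env" 2>/dev/null || true
  set +a
fi

TUNNEL_TOKEN="${1:-${CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02:-}}"
HOST="${PROXMOX_HOST_R630_02:-${PROXMOX_R630_02:-192.168.11.12}}"
VMID=5800
CLOUDFLARED_VERSION="${CLOUDFLARED_VERSION:-latest}"
CLOUDFLARED_DEB_SHA256="${CLOUDFLARED_DEB_SHA256:-}"

# accept-new trusts whatever host key is presented on the first connection
# (trust on first use). For a root login to a hypervisor, pre-populating
# known_hosts with a key verified out of band is the stronger setup.
SSH_OPTS=(-o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new)

# Run a command line on the Proxmox host as root.
remote() {
  ssh "${SSH_OPTS[@]}" "root@${HOST}" "$@"
}

if [[ -z "$TUNNEL_TOKEN" ]]; then
  {
    echo "Error: Tunnel token required!"
    echo ""
    echo "Usage: $0 <TUNNEL_TOKEN>"
    echo " Or set CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02 in .env (do not commit)."
    echo ""
    echo "Get token: Zero Trust → Networks → Tunnels → Create tunnel (mifos-r630-02) → Copy token"
  } >&2
  exit 1
fi

# Reject anything that is not a single base64-style word. This catches paste
# errors (whitespace, newlines, quotes) before the value is sent anywhere.
# The token itself is never echoed.
if [[ ! "$TUNNEL_TOKEN" =~ ^[A-Za-z0-9_+/=-]+$ ]]; then
  echo "Error: tunnel token contains unexpected characters (expected a base64 string)." >&2
  exit 1
fi

# These two values are placed on a remote command line, so they are validated
# to a strict character set before use.
if [[ "$CLOUDFLARED_VERSION" != "latest" && ! "$CLOUDFLARED_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "Error: CLOUDFLARED_VERSION must be 'latest' or a release tag such as N.N.N." >&2
  exit 1
fi
if [[ -n "$CLOUDFLARED_DEB_SHA256" && ! "$CLOUDFLARED_DEB_SHA256" =~ ^[0-9a-fA-F]{64}$ ]]; then
  echo "Error: CLOUDFLARED_DEB_SHA256 must be 64 hex characters." >&2
  exit 1
fi

if [[ "$CLOUDFLARED_VERSION" == "latest" ]]; then
  DEB_URL="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb"
else
  DEB_URL="https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-amd64.deb"
fi

echo "Installing Cloudflare Tunnel in LXC $VMID on $HOST (mifos-r630-02)..."

# Ensure container is running. A failed status query yields an empty STATUS
# and falls through to the start attempt, which then reports the real error.
STATUS=$(remote "pct status ${VMID} 2>/dev/null | awk '{print \$2}'" || true)
if [[ "$STATUS" != "running" ]]; then
  echo "Starting container $VMID..."
  remote "pct start ${VMID}"
  sleep 5
fi

# Install cloudflared if missing. `command` is a shell builtin, so it has to
# run through a shell inside the container; handing it to pct exec directly
# would make this check fail every time and force a reinstall.
if ! remote "pct exec ${VMID} -- sh -c 'command -v cloudflared'" >/dev/null 2>&1; then
  echo "Installing cloudflared in container..."
  if [[ -z "$CLOUDFLARED_DEB_SHA256" ]]; then
    echo "Warning: no CLOUDFLARED_DEB_SHA256 set; the downloaded package is installed as root without an integrity check." >&2
  fi
  # The install steps are sent as a script on stdin (relies on pct exec passing
  # stdin through to the container command). Each step must succeed on its
  # own; only a dpkg failure falls back to `apt-get install -f`, so a failed
  # download can no longer be masked by the dependency-fix step.
  remote "pct exec ${VMID} -- bash -s -- '${DEB_URL}' '${CLOUDFLARED_DEB_SHA256}'" <<'REMOTE_SCRIPT'
set -eu
deb_url=$1
expected_sha256=${2:-}
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT
apt-get update -qq
apt-get install -y -qq wget
wget -q -O "$workdir/cloudflared.deb" "$deb_url"
if [ -n "$expected_sha256" ]; then
  printf '%s  %s\n' "$expected_sha256" "$workdir/cloudflared.deb" | sha256sum -c -
fi
dpkg -i "$workdir/cloudflared.deb" || apt-get install -f -y -qq
REMOTE_SCRIPT
fi

# Install tunnel service with token. The token travels on stdin and is read
# into a variable inside the container, keeping it out of the local ssh argv
# and the hypervisor's process list.
printf '%s\n' "$TUNNEL_TOKEN" \
  | remote "pct exec ${VMID} -- bash -c 'IFS= read -r token && exec cloudflared service install \"\$token\"'"
remote "pct exec ${VMID} -- systemctl enable cloudflared"
remote "pct exec ${VMID} -- systemctl start cloudflared"
sleep 3

echo ""
echo "Tunnel status:"
# Capture first, then trim: the exit status of systemctl is kept separate from
# the display pipeline, and sed reads all input so the writer is never cut off.
status_rc=0
status_output=$(remote "pct exec ${VMID} -- systemctl status cloudflared --no-pager -l") || status_rc=$?
printf '%s\n' "$status_output" | sed -n '1,12p'
if ((status_rc != 0)); then
  echo "Error: cloudflared service is not reporting as active (systemctl status exit ${status_rc})." >&2
  exit "$status_rc"
fi

echo ""
# Best effort only; errors from this listing are intentionally suppressed.
remote "pct exec ${VMID} -- cloudflared tunnel list" 2>/dev/null || true
echo ""
echo "Next: In Cloudflare add Public Hostname (mifos.d-bis.org → http://127.0.0.1:80), DNS CNAME, and Regional Services (UK). See docs/04-configuration/MIFOS_R630_02_DEPLOYMENT.md"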