proxmox/scripts/nginx-proxy-manager/add-gov-portals-xom-dev-proxy-hosts.sh

#!/usr/bin/env bash
# Add NPMplus proxy hosts for Gov Portals dev subdomain (*.xom-dev.phoenix.sankofa.nexus)
# Domains: dbis, iccc, omnl, xom → gov-portals-dev VM (7804) on ports 3001-3004
#
# Usage: NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/add-gov-portals-xom-dev-proxy-hosts.sh
# Or source .env and run (NPM_EMAIL, NPM_PASSWORD from proxmox root .env)
#
# Prerequisites: LXC 7804 (gov-portals-dev) must be running at IP_GOV_PORTALS_DEV
# DNS: Add A records for dbis/iccc/omnl/xom.xom-dev.phoenix.sankofa.nexus → 76.53.10.36
#      Or wildcard: *.xom-dev.phoenix.sankofa.nexus → 76.53.10.36
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
[ -f "$PROJECT_ROOT/.env" ] && set +u && source "$PROJECT_ROOT/.env" 2>/dev/null || true && set -u

# Gov Portals dev VM (7804) - see scripts/deployment/deploy-gov-portals-to-7804.sh
IP_GOV_PORTALS_DEV="${IP_GOV_PORTALS_DEV:-192.168.11.54}"
NPM_URL="${NPM_URL:-https://192.168.11.167:81}"
NPM_EMAIL="${NPM_EMAIL:-admin@example.org}"
NPM_PASSWORD="${NPM_PASSWORD:-}"

if [ -z "$NPM_PASSWORD" ]; then
  echo "Set NPM_PASSWORD (from proxmox .env or export)"
  exit 1
fi

echo "Adding Gov Portals xom-dev proxy hosts to NPMplus at $NPM_URL..."
echo "Target: $IP_GOV_PORTALS_DEV (ports 3001-3004)"

COOKIE_JAR="/tmp/npm_gov_portals_cookies_$$"
cleanup_cookies() { rm -f "$COOKIE_JAR"; }
trap cleanup_cookies EXIT

AUTH_JSON=$(jq -n --arg identity "$NPM_EMAIL" --arg secret "$NPM_PASSWORD" '{identity:$identity,secret:$secret}')
TOKEN_RESPONSE=$(curl -s -k -X POST "$NPM_URL/api/tokens" -H "Content-Type: application/json" -d "$AUTH_JSON" -c "$COOKIE_JAR")
TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token // .accessToken // .access_token // .data.token // empty' 2>/dev/null)

USE_COOKIE_AUTH=0
if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
  if echo "$TOKEN_RESPONSE" | jq -e '.expires' >/dev/null 2>&1; then
    USE_COOKIE_AUTH=1
    echo "Using cookie-based auth (NPM 2 style)."
  else
    echo "Authentication failed"
    echo "$TOKEN_RESPONSE" | jq -r '.message // .error // "unknown"' 2>/dev/null || echo "$TOKEN_RESPONSE"
    exit 1
  fi
fi

curl_auth() {
  if [ "$USE_COOKIE_AUTH" = "1" ]; then
    curl -s -k -b "$COOKIE_JAR" "$@"
  else
    curl -s -k -H "Authorization: Bearer $TOKEN" "$@"
  fi
}

add_proxy_host() {
  local domain=$1
  local fwd_port=$2
  local payload
  payload=$(jq -n \
    --arg domain "$domain" \
    --arg host "$IP_GOV_PORTALS_DEV" \
    --argjson port "$fwd_port" \
    '{
      domain_names: [$domain],
      forward_scheme: "http",
      forward_host: $host,
      forward_port: $port,
      allow_websocket_upgrade: false,
      block_exploits: false,
      certificate_id: null,
      ssl_forced: false
    }')
  local resp
  resp=$(curl_auth -X POST "$NPM_URL/api/nginx/proxy-hosts" \
    -H "Content-Type: application/json" \
    -d "$payload")
  local id
  id=$(echo "$resp" | jq -r '.id // empty' 2>/dev/null)
  if [ -n "$id" ] && [ "$id" != "null" ]; then
    echo "  Added: $domain -> $IP_GOV_PORTALS_DEV:$fwd_port"
    return 0
  else
    echo "  Skip (may exist): $domain - $(echo "$resp" | jq -r '.message // .error // "unknown"' 2>/dev/null)"
    return 1
  fi
}

# Four portals on xom-dev.phoenix.sankofa.nexus
add_proxy_host "dbis.xom-dev.phoenix.sankofa.nexus" 3001 || true
add_proxy_host "iccc.xom-dev.phoenix.sankofa.nexus" 3002 || true
add_proxy_host "omnl.xom-dev.phoenix.sankofa.nexus" 3003 || true
add_proxy_host "xom.xom-dev.phoenix.sankofa.nexus" 3004 || true

echo ""
echo "Done. Request Let's Encrypt certs in NPMplus UI for: dbis/iccc/omnl/xom.xom-dev.phoenix.sankofa.nexus"
echo "Ensure DNS A records point *.xom-dev.phoenix.sankofa.nexus → 76.53.10.36"