proxmox/scripts/npmplus/sync-certificates.sh.bak

#!/bin/bash
# Synchronize NPMplus certificates from primary to secondary

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"

if [ -f "$PROJECT_ROOT/.env" ]; then
    set +euo pipefail
    source "$PROJECT_ROOT/.env" 2>/dev/null || true
    set -euo pipefail
fi

PRIMARY_HOST="${PRIMARY_HOST:-192.168.11.11}"
PRIMARY_VMID="${PRIMARY_VMID:-10233}"
SECONDARY_HOST="${SECONDARY_HOST:-192.168.11.12}"
SECONDARY_VMID="${SECONDARY_VMID:-10234}"

# Detect actual certificate path
detect_cert_path() {
    local host=$1
    local vmid=$2
    
    # Try finding via docker volume inspect (most reliable)
    VOLUME_PATH=$(ssh -o StrictHostKeyChecking=no root@"$host" \
        "pct exec $vmid -- docker volume inspect npmplus_data --format '{{.Mountpoint}}' 2>/dev/null" || echo "")
    
    if [ -n "$VOLUME_PATH" ] && [ "$VOLUME_PATH" != "null" ]; then
        # Check if certbot/live exists in volume
        if ssh -o StrictHostKeyChecking=no root@"$host" \
            "test -d $VOLUME_PATH/tls/certbot/live 2>/dev/null" 2>/dev/null; then
            echo "$VOLUME_PATH/tls/certbot/live"
            return 0
        elif ssh -o StrictHostKeyChecking=no root@"$host" \
            "test -d $VOLUME_PATH/certbot/live 2>/dev/null" 2>/dev/null; then
            echo "$VOLUME_PATH/certbot/live"
            return 0
        fi
    fi
    
    # Try container filesystem paths
    for path in \
        "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/tls/certbot/live" \
        "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/certbot/live" \
        "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/letsencrypt/live"; do
        
        if ssh -o StrictHostKeyChecking=no root@"$host" "test -d $path 2>/dev/null" 2>/dev/null; then
            echo "$path"
            return 0
        fi
    done
    
    # Try finding certificates inside container
    CERT_DIR=$(ssh -o StrictHostKeyChecking=no root@"$host" \
        "pct exec $vmid -- docker exec npmplus find /data -name 'fullchain.pem' -type f 2>/dev/null | head -1 | xargs dirname 2>/dev/null" || echo "")
    
    if [ -n "$CERT_DIR" ]; then
        # Convert container path to host path
        if [ -n "$VOLUME_PATH" ]; then
            REL_PATH=$(echo "$CERT_DIR" | sed 's|^/data/||')
            echo "$VOLUME_PATH/$REL_PATH"
            return 0
        fi
    fi
    
    # Default fallback
    echo "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/tls/certbot/live"
    return 1
}

# Detect certificate paths
PRIMARY_CERT_PATH=$(detect_cert_path "$PRIMARY_HOST" "$PRIMARY_VMID")
SECONDARY_CERT_PATH=$(detect_cert_path "$SECONDARY_HOST" "$SECONDARY_VMID")

# Colors
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }

log_info "Starting certificate synchronization from primary to secondary..."

# Check if primary NPMplus is accessible
if ! ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@"$PRIMARY_HOST" "pct status $PRIMARY_VMID 2>/dev/null | grep -q running" 2>/dev/null; then
    log_error "Primary NPMplus container (VMID $PRIMARY_VMID) is not running"
    exit 1
fi

# Check if secondary NPMplus is accessible
if ! ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@"$SECONDARY_HOST" "pct status $SECONDARY_VMID 2>/dev/null | grep -q running" 2>/dev/null; then
    log_warn "Secondary NPMplus container (VMID $SECONDARY_VMID) is not running"
    log_info "Attempting to start secondary container..."
    ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "pct start $SECONDARY_VMID" || {
        log_error "Failed to start secondary container"
        exit 1
    }
    sleep 5
fi

# Sync certificates from primary to secondary
# Use intermediate temp directory since rsync can't do remote-to-remote directly
log_info "Syncing certificates..."
TEMP_DIR="/tmp/npmplus-cert-sync-$$"
mkdir -p "$TEMP_DIR"
trap "rm -rf $TEMP_DIR" EXIT

# Copy from primary to local temp
log_info "Copying certificates from primary to temporary location..."
log_info "Primary certificate path: $PRIMARY_CERT_PATH"
rsync -avz --delete \
    -e "ssh -o StrictHostKeyChecking=no" \
    root@"$PRIMARY_HOST:$PRIMARY_CERT_PATH/" \
    "$TEMP_DIR/" 2>&1 | while IFS= read -r line; do
        log_info "$line"
    done

# Copy from local temp to secondary
if [ -d "$TEMP_DIR" ] && [ "$(ls -A $TEMP_DIR 2>/dev/null)" ]; then
    log_info "Copying certificates from temporary location to secondary..."
    log_info "Secondary certificate path: $SECONDARY_CERT_PATH"
    # Ensure destination directory exists
    ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "mkdir -p $SECONDARY_CERT_PATH" 2>/dev/null || true
    rsync -avz --delete \
        -e "ssh -o StrictHostKeyChecking=no" \
        "$TEMP_DIR/" \
        root@"$SECONDARY_HOST:$SECONDARY_CERT_PATH/" 2>&1 | while IFS= read -r line; do
            log_info "$line"
        done
else
    log_warn "No certificates found to sync"
fi

if [ ${PIPESTATUS[0]} -eq 0 ]; then
    log_success "Certificate synchronization complete"
    
    # Verify sync
    PRIMARY_COUNT=$(ssh -o StrictHostKeyChecking=no root@"$PRIMARY_HOST" "find $PRIMARY_CERT_PATH -type d -mindepth 1 -maxdepth 1 2>/dev/null | wc -l" || echo "0")
    SECONDARY_COUNT=$(ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "find $SECONDARY_CERT_PATH -type d -mindepth 1 -maxdepth 1 2>/dev/null | wc -l" || echo "0")
    
    log_info "Primary certificates: $PRIMARY_COUNT directories"
    log_info "Secondary certificates: $SECONDARY_COUNT directories"
    
    if [ "$PRIMARY_COUNT" = "$SECONDARY_COUNT" ]; then
        log_success "Certificate counts match"
    else
        log_warn "Certificate counts differ - sync may be incomplete"
    fi
else
    log_error "Certificate synchronization failed"
    exit 1
fi