b3a8fe4496
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
- Config, docs, scripts, and backup manifests - Submodule refs unchanged (m = modified content in submodules) Made-with: Cursor
165 lines
6.2 KiB
Bash
Executable File
165 lines
6.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Synchronize NPMplus certificates from primary to secondary
|
|
|
|
set -euo pipefail
|
|
|
|
# Load IP configuration
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
|
|
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
|
|
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
|
|
|
|
if [ -f "$PROJECT_ROOT/.env" ]; then
|
|
set +euo pipefail
|
|
source "$PROJECT_ROOT/.env" 2>/dev/null || true
|
|
set -euo pipefail
|
|
fi
|
|
|
|
PRIMARY_HOST="${PRIMARY_HOST:-192.168.11.11}"
|
|
PRIMARY_VMID="${PRIMARY_VMID:-10233}"
|
|
SECONDARY_HOST="${SECONDARY_HOST:-192.168.11.12}"
|
|
SECONDARY_VMID="${SECONDARY_VMID:-10234}"
|
|
|
|
# Detect actual certificate path
|
|
detect_cert_path() {
|
|
local host=$1
|
|
local vmid=$2
|
|
|
|
# Try finding via docker volume inspect (most reliable)
|
|
VOLUME_PATH=$(ssh -o StrictHostKeyChecking=no root@"$host" \
|
|
"pct exec $vmid -- docker volume inspect npmplus_data --format '{{.Mountpoint}}' 2>/dev/null" || echo "")
|
|
|
|
if [ -n "$VOLUME_PATH" ] && [ "$VOLUME_PATH" != "null" ]; then
|
|
# Check if certbot/live exists in volume
|
|
if ssh -o StrictHostKeyChecking=no root@"$host" \
|
|
"test -d $VOLUME_PATH/tls/certbot/live 2>/dev/null" 2>/dev/null; then
|
|
echo "$VOLUME_PATH/tls/certbot/live"
|
|
return 0
|
|
elif ssh -o StrictHostKeyChecking=no root@"$host" \
|
|
"test -d $VOLUME_PATH/certbot/live 2>/dev/null" 2>/dev/null; then
|
|
echo "$VOLUME_PATH/certbot/live"
|
|
return 0
|
|
fi
|
|
fi
|
|
|
|
# Try container filesystem paths
|
|
for path in \
|
|
"/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/tls/certbot/live" \
|
|
"/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/certbot/live" \
|
|
"/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/letsencrypt/live"; do
|
|
|
|
if ssh -o StrictHostKeyChecking=no root@"$host" "test -d $path 2>/dev/null" 2>/dev/null; then
|
|
echo "$path"
|
|
return 0
|
|
fi
|
|
done
|
|
|
|
# Try finding certificates inside container
|
|
CERT_DIR=$(ssh -o StrictHostKeyChecking=no root@"$host" \
|
|
"pct exec $vmid -- docker exec npmplus find /data -name 'fullchain.pem' -type f 2>/dev/null | head -1 | xargs dirname 2>/dev/null" || echo "")
|
|
|
|
if [ -n "$CERT_DIR" ]; then
|
|
# Convert container path to host path
|
|
if [ -n "$VOLUME_PATH" ]; then
|
|
REL_PATH=$(echo "$CERT_DIR" | sed 's|^/data/||')
|
|
echo "$VOLUME_PATH/$REL_PATH"
|
|
return 0
|
|
fi
|
|
fi
|
|
|
|
# Default fallback
|
|
echo "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/tls/certbot/live"
|
|
return 1
|
|
}
|
|
|
|
# Detect certificate paths
|
|
PRIMARY_CERT_PATH=$(detect_cert_path "$PRIMARY_HOST" "$PRIMARY_VMID")
|
|
SECONDARY_CERT_PATH=$(detect_cert_path "$SECONDARY_HOST" "$SECONDARY_VMID")
|
|
|
|
# Colors
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
RED='\033[0;31m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m'
|
|
|
|
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
|
|
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
|
|
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
|
|
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
|
|
|
|
log_info "Starting certificate synchronization from primary to secondary..."
|
|
|
|
# Check if primary NPMplus is accessible
|
|
if ! ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@"$PRIMARY_HOST" "pct status $PRIMARY_VMID 2>/dev/null | grep -q running" 2>/dev/null; then
|
|
log_error "Primary NPMplus container (VMID $PRIMARY_VMID) is not running"
|
|
exit 1
|
|
fi
|
|
|
|
# Check if secondary NPMplus is accessible
|
|
if ! ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@"$SECONDARY_HOST" "pct status $SECONDARY_VMID 2>/dev/null | grep -q running" 2>/dev/null; then
|
|
log_warn "Secondary NPMplus container (VMID $SECONDARY_VMID) is not running"
|
|
log_info "Attempting to start secondary container..."
|
|
ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "pct start $SECONDARY_VMID" || {
|
|
log_error "Failed to start secondary container"
|
|
exit 1
|
|
}
|
|
sleep 5
|
|
fi
|
|
|
|
# Sync certificates from primary to secondary
|
|
# Use intermediate temp directory since rsync can't do remote-to-remote directly
|
|
log_info "Syncing certificates..."
|
|
TEMP_DIR="/tmp/npmplus-cert-sync-$$"
|
|
mkdir -p "$TEMP_DIR"
|
|
trap "rm -rf $TEMP_DIR" EXIT
|
|
|
|
# Copy from primary to local temp
|
|
log_info "Copying certificates from primary to temporary location..."
|
|
log_info "Primary certificate path: $PRIMARY_CERT_PATH"
|
|
rsync -avz --delete \
|
|
-e "ssh -o StrictHostKeyChecking=no" \
|
|
root@"$PRIMARY_HOST:$PRIMARY_CERT_PATH/" \
|
|
"$TEMP_DIR/" 2>&1 | while IFS= read -r line; do
|
|
log_info "$line"
|
|
done
|
|
|
|
# Copy from local temp to secondary
|
|
if [ -d "$TEMP_DIR" ] && [ "$(ls -A $TEMP_DIR 2>/dev/null)" ]; then
|
|
log_info "Copying certificates from temporary location to secondary..."
|
|
log_info "Secondary certificate path: $SECONDARY_CERT_PATH"
|
|
# Ensure destination directory exists
|
|
ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "mkdir -p $SECONDARY_CERT_PATH" 2>/dev/null || true
|
|
rsync -avz --delete \
|
|
-e "ssh -o StrictHostKeyChecking=no" \
|
|
"$TEMP_DIR/" \
|
|
root@"$SECONDARY_HOST:$SECONDARY_CERT_PATH/" 2>&1 | while IFS= read -r line; do
|
|
log_info "$line"
|
|
done
|
|
else
|
|
log_warn "No certificates found to sync"
|
|
fi
|
|
|
|
if [ ${PIPESTATUS[0]} -eq 0 ]; then
|
|
log_success "Certificate synchronization complete"
|
|
|
|
# Verify sync
|
|
PRIMARY_COUNT=$(ssh -o StrictHostKeyChecking=no root@"$PRIMARY_HOST" "find $PRIMARY_CERT_PATH -type d -mindepth 1 -maxdepth 1 2>/dev/null | wc -l" || echo "0")
|
|
SECONDARY_COUNT=$(ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "find $SECONDARY_CERT_PATH -type d -mindepth 1 -maxdepth 1 2>/dev/null | wc -l" || echo "0")
|
|
|
|
log_info "Primary certificates: $PRIMARY_COUNT directories"
|
|
log_info "Secondary certificates: $SECONDARY_COUNT directories"
|
|
|
|
if [ "$PRIMARY_COUNT" = "$SECONDARY_COUNT" ]; then
|
|
log_success "Certificate counts match"
|
|
else
|
|
log_warn "Certificate counts differ - sync may be incomplete"
|
|
fi
|
|
else
|
|
log_error "Certificate synchronization failed"
|
|
exit 1
|
|
fi
|