scripts/cloudflare/set-sankofa-zone-ssl-mode.sh

#!/usr/bin/env bash
# Set Cloudflare zone SSL/TLS encryption mode (fixes NPM redirect loops when mode was "flexible").
# Use "full" when your origin (NPM) terminates Let's Encrypt. Use "strict" if origin has a valid public cert.
#
# Usage:
#   bash scripts/cloudflare/set-sankofa-zone-ssl-mode.sh [full|strict|flexible|off] [--dry-run]
# Env: CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS, CLOUDFLARE_API_TOKEN (or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY)
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"
source config/ip-addresses.conf 2>/dev/null || true
if [ -f .env ]; then set +u && set -a && source .env && set +a && set -u; fi

MODE="${1:-full}"
DRY=false
[[ "${2:-}" == "--dry-run" ]] || [[ "${1:-}" == "--dry-run" ]] && DRY=true
[[ "$MODE" == "--dry-run" ]] && MODE="full" && DRY=true

case "$MODE" in
  full|strict|flexible|off) ;;
  *)
    echo "Usage: $0 [full|strict|flexible|off] [--dry-run]" >&2
    exit 1
    ;;
esac

ZONE_ID="${CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS:-}"
if [ -z "$ZONE_ID" ]; then
  echo "Set CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS in .env" >&2
  exit 1
fi

if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
  AUTH_H=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")
elif [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then
  AUTH_H=(-H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY")
else
  echo "Set CLOUDFLARE_API_TOKEN or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY" >&2
  exit 1
fi

if $DRY; then
  echo "[dry-run] Would PATCH zones/$ZONE_ID/settings/ssl value=$MODE"
  exit 0
fi

BODY=$(jq -n --arg v "$MODE" '{value:$v}')
RESP=$(curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/settings/ssl" \
  "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$BODY")

if echo "$RESP" | jq -e '.success == true' >/dev/null 2>&1; then
  echo "OK: sankofa.nexus SSL mode set to $MODE"
else
  echo "$RESP" | jq . >&2 || echo "$RESP" >&2
  exit 1
fi
fix(it-ops): same-name IP dupes informational; Cloudflare SSL full helper - compute_ipam_drift: exit 2 only when same IP + different guest names; add same_name_duplicate_ip_guests - set-sankofa-zone-ssl-mode.sh: PATCH zone ssl (full\|strict\|flexible\|off) - Docs + bootstrap log; AGENTS Cloudflare SSL row Made-with: Cursor 2026-04-09 02:32:53 -07:00			`#!/usr/bin/env bash`
			`# Set Cloudflare zone SSL/TLS encryption mode (fixes NPM redirect loops when mode was "flexible").`
			`# Use "full" when your origin (NPM) terminates Let's Encrypt. Use "strict" if origin has a valid public cert.`
			`#`
			`# Usage:`
			`# bash scripts/cloudflare/set-sankofa-zone-ssl-mode.sh [full\|strict\|flexible\|off] [--dry-run]`
			`# Env: CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS, CLOUDFLARE_API_TOKEN (or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY)`
			`set -euo pipefail`

			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"`
			`cd "$PROJECT_ROOT"`
			`source config/ip-addresses.conf 2>/dev/null \|\| true`
			`if [ -f .env ]; then set +u && set -a && source .env && set +a && set -u; fi`

			`MODE="${1:-full}"`
			`DRY=false`
			`[[ "${2:-}" == "--dry-run" ]] \|\| [[ "${1:-}" == "--dry-run" ]] && DRY=true`
			`[[ "$MODE" == "--dry-run" ]] && MODE="full" && DRY=true`

			`case "$MODE" in`
			`full\|strict\|flexible\|off) ;;`
			`*)`
			`echo "Usage: $0 [full\|strict\|flexible\|off] [--dry-run]" >&2`
			`exit 1`
			`;;`
			`esac`

			`ZONE_ID="${CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS:-}"`
			`if [ -z "$ZONE_ID" ]; then`
			`echo "Set CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS in .env" >&2`
			`exit 1`
			`fi`

			`if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then`
			`AUTH_H=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")`
			`elif [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then`
			`AUTH_H=(-H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY")`
			`else`
			`echo "Set CLOUDFLARE_API_TOKEN or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY" >&2`
			`exit 1`
			`fi`

			`if $DRY; then`
			`echo "[dry-run] Would PATCH zones/$ZONE_ID/settings/ssl value=$MODE"`
			`exit 0`
			`fi`

			`BODY=$(jq -n --arg v "$MODE" '{value:$v}')`
			`RESP=$(curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/settings/ssl" \`
			`"${AUTH_H[@]}" -H "Content-Type: application/json" -d "$BODY")`

			`if echo "$RESP" \| jq -e '.success == true' >/dev/null 2>&1; then`
			`echo "OK: sankofa.nexus SSL mode set to $MODE"`
			`else`
			`echo "$RESP" \| jq . >&2 \|\| echo "$RESP" >&2`
			`exit 1`
			`fi`