fix(npm): IT API TLS helper + treat certificate_id string 0 as missing
All checks were successful
Deploy to Phoenix / deploy (push) Successful in 6s
- jq select includes certificate_id == "0" for NPM JSON quirks
- request-it-api-tls-npm.sh wraps CERT_DOMAINS_FILTER for it-api.sankofa.nexus
- Docs: TLS command, Cloudflare redirect-loop note; spec remaining items

Made-with: Cursor
@@ -171,7 +171,7 @@ The HTML controller should show a **joined view**: *public hostname → NPM →
1. **Full BFF** with OIDC (Keycloak) and Postgres — **`dbis_core` vs dedicated CT** — decide once.
2. **Keycloak** — assign **`sankofa-it-admin`** to real IT users (role creation is scripted; mapping is manual policy).
3. **TLS for `it-api.sankofa.nexus`** — NPM certificate after DNS propagation; duplicate guest IP remediation (export exit **2**) on the cluster.
3. **TLS for `it-api.sankofa.nexus`** — `scripts/deployment/request-it-api-tls-npm.sh` (or `CERT_DOMAINS_FILTER='it-api\.sankofa\.nexus'` + `request-npmplus-certificates.sh`). If public HTTPS redirect-loops, align Cloudflare proxy/SSL mode with NPM. **Duplicate guest IPs** (export exit **2**) — remediate on cluster.
4. **UniFi / NPM** live collectors — Phase 2 of this spec.
This spec does **not** replace change control; it gives you a **single product vision** so IP, VLAN, ports, hosts, licenses, and billing support evolve together instead of in silos.
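Review bot: the added item 3 leaves the redirect-loop remedy ambiguous ("align Cloudflare proxy/SSL mode with NPM") while the README hunk in this same commit names the failing combination (Cloudflare Proxied + NPM SSL forced). State the target here as well, e.g. Cloudflare SSL/TLS mode set to Full (strict) against the NPM-issued certificate, so the spec does not send operators to the README to learn which setting to change. Also, `CERT_DOMAINS_FILTER='it-api\.sankofa\.nexus'` is an unanchored regex; confirm that `request-npmplus-certificates.sh` matches the whole hostname, or anchor it (`^it-api\.sankofa\.nexus$`) so a request for this host cannot also select other NPM hosts whose name contains that string.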
@@ -11,7 +11,7 @@ One command after `.env` has `NPM_PASSWORD`, Cloudflare vars (for DNS), and SSH
1. **`bash scripts/deployment/bootstrap-sankofa-it-read-api-lan.sh`** — Refreshes inventory JSON, rsyncs a minimal tree to **`/opt/proxmox`** on **`PROXMOX_HOST`** (default r630-01), installs **`sankofa-it-read-api`** (bind **`0.0.0.0:8787`**, secrets in **`/etc/sankofa-it-read-api.env`**), upserts **`IT_READ_API_URL`** / **`IT_READ_API_KEY`** in repo **`.env`**, enables weekly **`sankofa-it-inventory-export.timer`** on the same host, runs **`sankofa-portal-merge-it-read-api-env-from-repo.sh`** for CT **7801**. Export exit code **2** (duplicate guest IPs) does **not** abort the bootstrap.
2. **NPM:** `bash scripts/nginx-proxy-manager/upsert-it-read-api-proxy-host.sh` — proxy **`it-api.sankofa.nexus`** → **`http://<r630-01>:8787`** (override with **`IT_READ_API_PUBLIC_HOST`**).
3. **DNS:** `bash scripts/cloudflare/add-it-api-sankofa-dns.sh` — **`it-api.sankofa.nexus`** A → **`PUBLIC_IP`** (proxied).
4. **TLS:** In NPM UI, request a certificate for **`it-api.sankofa.nexus`** after DNS propagates (or widen **`CERT_DOMAINS_FILTER`** in `scripts/request-npmplus-certificates.sh`).
4. **TLS:** `CERT_DOMAINS_FILTER='it-api\.sankofa\.nexus' bash scripts/request-npmplus-certificates.sh` (or NPM UI → SSL). If the public URL redirect-loops (e.g. Cloudflare **Proxied** + NPM **SSL forced**), set the record to **DNS only** temporarily or align Cloudflare SSL mode with your origin.
**Note:** Operator workstations outside VLAN 11 may be firewalled from **`192.168.11.11:8787`**; portal CT **7801** and NPM on LAN should still reach it.
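Review bot: step 4 in this README never mentions `scripts/deployment/request-it-api-tls-npm.sh`, the wrapper this commit adds and that the spec's item 3 points to; document it here as the one-command path and keep the raw `CERT_DOMAINS_FILTER='it-api\.sankofa\.nexus' bash scripts/request-npmplus-certificates.sh` invocation as the fallback, so the two documents agree. Second, the "set the record to DNS only temporarily" workaround removes the Cloudflare proxy from the public hostname and the text never says to put it back; add the step to return the record to Proxied once the certificate is issued, and present aligning the Cloudflare SSL mode with the origin (Full (strict) with the NPM certificate) as the preferred fix rather than an alternative of equal weight, since an edge in Flexible mode terminating TLS and forwarding plain HTTP to an origin that forces SSL is exactly the loop this note describes.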