feat(order): HAProxy on 10210, NPM → 192.168.11.39:80

- Add order-haproxy config template and provision-order-haproxy-10210.sh (SSH to r630-01) - Document one-time unprivileged CT idmap chown repair when apt fails - Default THE_ORDER_UPSTREAM_* to IP_ORDER_HAPROXY:80; portal bypass via env - Align update-sankofa-npmplus-proxy-hosts.sh, AGENTS, ALL_VMIDS, E2E notes Made-with: Cursor
2026-03-27 14:05:37 -07:00
parent 0df175d9cb
commit 430431f2f6
7 changed files with 116 additions and 10 deletions
--- a/scripts/deployment/provision-order-haproxy-10210.sh
+++ b/scripts/deployment/provision-order-haproxy-10210.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+# Install HAProxy in LXC 10210 (order-haproxy) and proxy :80 → Sankofa/Order portal (Next.js).
+# Requires SSH to Proxmox host that runs CT 10210 (default: r630-01). See config/ip-addresses.conf.
+# Usage: ./scripts/deployment/provision-order-haproxy-10210.sh [--dry-run]
+#
+# One-time repair (unprivileged CT with host uid 0 on disk → "nobody" inside, apt broken): on Proxmox host,
+#   pct stop 10210 && pct mount 10210 && chown -R 100000:100000 /var/lib/lxc/10210/rootfs && pct unmount 10210 && pct start 10210
+# (Default Proxmox idmap: container root = 100000 on host.)
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck source=/dev/null
+source "$PROJECT_ROOT/config/ip-addresses.conf"
+
+DRY_RUN=false
+for a in "$@"; do [[ "$a" == "--dry-run" ]] && DRY_RUN=true; done
+
+PROXMOX="${PROXMOX_ORDER_HAPROXY_NODE:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
+VMID="${ORDER_HAPROXY_VMID:-10210}"
+BACKEND_HOST="${ORDER_HAPROXY_BACKEND_HOST:-${IP_SANKOFA_PORTAL:-192.168.11.51}}"
+BACKEND_PORT="${ORDER_HAPROXY_BACKEND_PORT:-${SANKOFA_PORTAL_PORT:-3000}}"
+TEMPLATE="$PROJECT_ROOT/config/haproxy/order-haproxy-10210.cfg.template"
+
+if [[ ! -r "$TEMPLATE" ]]; then
+  echo "❌ Missing template: $TEMPLATE"
+  exit 1
+fi
+
+CFG=$(sed -e "s/__BACKEND_HOST__/${BACKEND_HOST}/g" -e "s/__BACKEND_PORT__/${BACKEND_PORT}/g" "$TEMPLATE")
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "Provision order-haproxy (CT $VMID on $PROXMOX)"
+echo "  Backend: http://${BACKEND_HOST}:${BACKEND_PORT}"
+echo "  Dry-run: $DRY_RUN"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+if [[ "$DRY_RUN" == true ]]; then
+  echo "$CFG"
+  exit 0
+fi
+
+remote_run() {
+  ssh -o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new \
+    "${PROXMOX_SSH_USER:-root}@$PROXMOX" "$@"
+}
+
+if ! remote_run "pct status $VMID" 2>/dev/null | grep -q running; then
+  echo "❌ CT $VMID is not running on $PROXMOX"
+  exit 1
+fi
+
+remote_run "pct exec $VMID -- bash -c '
+set -e
+export DEBIAN_FRONTEND=noninteractive
+if ! dpkg -s haproxy >/dev/null 2>&1; then
+  apt-get update -qq
+  apt-get install -y -qq haproxy
+fi
+'"
+
+echo "$CFG" | remote_run "pct exec $VMID -- bash -c 'cat > /etc/haproxy/haproxy.cfg'"
+
+remote_run "pct exec $VMID -- bash -c '
+set -e
+haproxy -c -f /etc/haproxy/haproxy.cfg
+systemctl enable haproxy
+systemctl restart haproxy
+sleep 1
+systemctl is-active --quiet haproxy
+echo OK: haproxy active
+command -v ss >/dev/null && ss -lntp | grep -E \":80|:443\" || true
+'"
+
+IP_ORDER="${IP_ORDER_HAPROXY:-192.168.11.39}"
+echo ""
+echo "✅ Done. From LAN: curl -sS -o /dev/null -w '%{http_code}\\n' http://${IP_ORDER}:80/"
+echo "   Then NPM: THE_ORDER_UPSTREAM_IP=${IP_ORDER} THE_ORDER_UPSTREAM_PORT=80 bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh"