#!/usr/bin/env bash # Synchronize NPMplus certificates from primary to secondary set -euo pipefail # Load IP configuration SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)" source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)" if [ -f "$PROJECT_ROOT/.env" ]; then set +euo pipefail source "$PROJECT_ROOT/.env" 2>/dev/null || true set -euo pipefail fi PRIMARY_HOST="${PRIMARY_HOST:-192.168.11.11}" PRIMARY_VMID="${PRIMARY_VMID:-10233}" SECONDARY_HOST="${SECONDARY_HOST:-192.168.11.12}" SECONDARY_VMID="${SECONDARY_VMID:-10234}" # Detect actual certificate path detect_cert_path() { local host=$1 local vmid=$2 # Try finding via docker volume inspect (most reliable) VOLUME_PATH=$(ssh -o StrictHostKeyChecking=no root@"$host" \ "pct exec $vmid -- docker volume inspect npmplus_data --format '{{.Mountpoint}}' 2>/dev/null" || echo "") if [ -n "$VOLUME_PATH" ] && [ "$VOLUME_PATH" != "null" ]; then # Check if certbot/live exists in volume if ssh -o StrictHostKeyChecking=no root@"$host" \ "test -d $VOLUME_PATH/tls/certbot/live 2>/dev/null" 2>/dev/null; then echo "$VOLUME_PATH/tls/certbot/live" return 0 elif ssh -o StrictHostKeyChecking=no root@"$host" \ "test -d $VOLUME_PATH/certbot/live 2>/dev/null" 2>/dev/null; then echo "$VOLUME_PATH/certbot/live" return 0 fi fi # Try container filesystem paths for path in \ "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/tls/certbot/live" \ "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/certbot/live" \ "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/letsencrypt/live"; do if ssh -o StrictHostKeyChecking=no root@"$host" "test -d $path 2>/dev/null" 2>/dev/null; then echo "$path" return 0 fi done # Try finding certificates inside container CERT_DIR=$(ssh -o StrictHostKeyChecking=no root@"$host" \ "pct exec $vmid -- docker exec npmplus find /data -name 'fullchain.pem' -type f 2>/dev/null | head -1 | xargs dirname 2>/dev/null" || echo "") if [ -n "$CERT_DIR" ]; then # Convert container path to host path if [ -n "$VOLUME_PATH" ]; then REL_PATH=$(echo "$CERT_DIR" | sed 's|^/data/||') echo "$VOLUME_PATH/$REL_PATH" return 0 fi fi # Default fallback echo "/var/lib/vz/containers/$vmid/var/lib/docker/volumes/npmplus_data/_data/tls/certbot/live" return 1 } # Detect certificate paths PRIMARY_CERT_PATH=$(detect_cert_path "$PRIMARY_HOST" "$PRIMARY_VMID") SECONDARY_CERT_PATH=$(detect_cert_path "$SECONDARY_HOST" "$SECONDARY_VMID") # Colors GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' BLUE='\033[0;34m' NC='\033[0m' log_info() { echo -e "${BLUE}[INFO]${NC} $1"; } log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } log_error() { echo -e "${RED}[ERROR]${NC} $1"; } log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; } log_info "Starting certificate synchronization from primary to secondary..." # Check if primary NPMplus is accessible if ! ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@"$PRIMARY_HOST" "pct status $PRIMARY_VMID 2>/dev/null | grep -q running" 2>/dev/null; then log_error "Primary NPMplus container (VMID $PRIMARY_VMID) is not running" exit 1 fi # Check if secondary NPMplus is accessible if ! ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@"$SECONDARY_HOST" "pct status $SECONDARY_VMID 2>/dev/null | grep -q running" 2>/dev/null; then log_warn "Secondary NPMplus container (VMID $SECONDARY_VMID) is not running" log_info "Attempting to start secondary container..." ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "pct start $SECONDARY_VMID" || { log_error "Failed to start secondary container" exit 1 } sleep 5 fi # Sync certificates from primary to secondary # Use intermediate temp directory since rsync can't do remote-to-remote directly log_info "Syncing certificates..." TEMP_DIR="/tmp/npmplus-cert-sync-$$" mkdir -p "$TEMP_DIR" trap "rm -rf $TEMP_DIR" EXIT # Copy from primary to local temp log_info "Copying certificates from primary to temporary location..." log_info "Primary certificate path: $PRIMARY_CERT_PATH" rsync -avz --delete \ -e "ssh -o StrictHostKeyChecking=no" \ root@"$PRIMARY_HOST:$PRIMARY_CERT_PATH/" \ "$TEMP_DIR/" 2>&1 | while IFS= read -r line; do log_info "$line" done # Copy from local temp to secondary if [ -d "$TEMP_DIR" ] && [ "$(ls -A $TEMP_DIR 2>/dev/null)" ]; then log_info "Copying certificates from temporary location to secondary..." log_info "Secondary certificate path: $SECONDARY_CERT_PATH" # Ensure destination directory exists ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "mkdir -p $SECONDARY_CERT_PATH" 2>/dev/null || true rsync -avz --delete \ -e "ssh -o StrictHostKeyChecking=no" \ "$TEMP_DIR/" \ root@"$SECONDARY_HOST:$SECONDARY_CERT_PATH/" 2>&1 | while IFS= read -r line; do log_info "$line" done else log_warn "No certificates found to sync" fi if [ ${PIPESTATUS[0]} -eq 0 ]; then log_success "Certificate synchronization complete" # Verify sync PRIMARY_COUNT=$(ssh -o StrictHostKeyChecking=no root@"$PRIMARY_HOST" "find $PRIMARY_CERT_PATH -type d -mindepth 1 -maxdepth 1 2>/dev/null | wc -l" || echo "0") SECONDARY_COUNT=$(ssh -o StrictHostKeyChecking=no root@"$SECONDARY_HOST" "find $SECONDARY_CERT_PATH -type d -mindepth 1 -maxdepth 1 2>/dev/null | wc -l" || echo "0") log_info "Primary certificates: $PRIMARY_COUNT directories" log_info "Secondary certificates: $SECONDARY_COUNT directories" if [ "$PRIMARY_COUNT" = "$SECONDARY_COUNT" ]; then log_success "Certificate counts match" else log_warn "Certificate counts differ - sync may be incomplete" fi else log_error "Certificate synchronization failed" exit 1 fi