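#!/usr/bin/env bash
# Deploy complete Nginx configuration to VMID 105
# Handles all domains with path-based routing
#
# Usage:   run with no arguments from the repository's scripts directory.
# Env:     PROXMOX_HOST (default 192.168.11.10) and the backend addresses
#          normally provided by config/ip-addresses.conf:
#            RPC_THIRDWEB_PRIMARY, IP_BLOCKSCOUT          (required)
#            RPC_ALI_1, RPC_ALI_2, IP_DBIS_FRONTEND,
#            IP_DBIS_API, IP_DBIS_API_2                   (have defaults)
#            IP_PHOENIX_API, IP_PHOENIX_PORTAL,
#            IP_THE_ORDER_PORTAL                          (placeholders)
set -euo pipefail

# Load IP configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
# Best-effort: the conf file may be absent. Values it should have provided are
# asserted in resolve_backends, so a missing file fails there with a clear
# message instead of silently deploying an empty backend address.
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Logging helpers: %b expands the escape sequences in the colour constants,
# %s prints the message verbatim (nginx output may contain backslashes).
log_info()    { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"; }
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$1"; }
log_warn()    { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$1"; }
log_error()   { printf '%b[✗]%b %s\n' "$RED" "$NC" "$1" >&2; }

PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"
readonly PROXMOX_HOST
readonly VMID_NGINX=105
readonly NGINX_CONFIG_FILE="/etc/nginx/sites-available/public-services"
readonly NGINX_ENABLED_LINK="/etc/nginx/sites-enabled/public-services"

# accept-new records the host key on first contact and refuses a changed key
# afterwards (OpenSSH >= 7.6). StrictHostKeyChecking=no accepted any key,
# which made the root session to the Proxmox host trivially interceptable.
SSH_OPTS=(-o StrictHostKeyChecking=accept-new)

#######################################
# Reject a backend address that could alter the generated nginx config.
# The value is interpolated verbatim into proxy_pass, so it must consist of
# hostname / IPv4 characters only (no ';', '{', '$', whitespace, newlines).
# Arguments: $1 - variable name (for the message), $2 - value
# Returns:   0 if acceptable; exits 1 otherwise
#######################################
require_backend() {
  local name=$1 value=$2
  if [[ ! "$value" =~ ^[A-Za-z0-9._-]+$ ]]; then
    log_error "${name}='${value}' is not a valid backend host"
    exit 1
  fi
}

#######################################
# Resolve every backend address used by the config into BACKEND_* globals.
# Globals:  reads the env/conf variables listed in the file header,
#           writes BACKEND_RPC_THIRDWEB, BACKEND_RPC_ALI_1, BACKEND_RPC_ALI_2,
#           BACKEND_BLOCKSCOUT, BACKEND_DBIS_FRONTEND, BACKEND_DBIS_API,
#           BACKEND_DBIS_API_2, BACKEND_PHOENIX_API, BACKEND_PHOENIX_PORTAL,
#           BACKEND_THE_ORDER_PORTAL
# Returns:  0; exits 1 when a required value is unset or malformed
#######################################
resolve_backends() {
  # No sensible default exists for these two; fail loudly rather than write
  # a proxy_pass with an empty host.
  : "${RPC_THIRDWEB_PRIMARY:?RPC_THIRDWEB_PRIMARY is not set (check config/ip-addresses.conf)}"
  : "${IP_BLOCKSCOUT:?IP_BLOCKSCOUT is not set (check config/ip-addresses.conf)}"

  BACKEND_RPC_THIRDWEB=$RPC_THIRDWEB_PRIMARY
  BACKEND_RPC_ALI_2="${RPC_ALI_2:-192.168.11.252}"
  BACKEND_RPC_ALI_1="${RPC_ALI_1:-192.168.11.251}"
  BACKEND_BLOCKSCOUT=$IP_BLOCKSCOUT
  # NOTE(review): the previous template used a nested
  # ${IP_DBIS_FRONTEND:-${IP_SERVICE_13:-...}}0 expression that evaluated to
  # 192.168.11.130 with nothing set; that value is kept as the default — confirm.
  BACKEND_DBIS_FRONTEND="${IP_DBIS_FRONTEND:-192.168.11.130}"
  BACKEND_DBIS_API="${IP_DBIS_API:-192.168.11.155}"
  BACKEND_DBIS_API_2="${IP_DBIS_API_2:-192.168.11.156}"
  # Placeholders carried over from the template ("Update with Phoenix API IP"
  # etc.); override them through the environment until the hosts exist.
  BACKEND_PHOENIX_API="${IP_PHOENIX_API:-10.160.0.XX}"
  BACKEND_PHOENIX_PORTAL="${IP_PHOENIX_PORTAL:-10.160.0.XX}"
  BACKEND_THE_ORDER_PORTAL="${IP_THE_ORDER_PORTAL:-10.160.0.XX}"

  local name
  for name in BACKEND_RPC_THIRDWEB BACKEND_RPC_ALI_2 BACKEND_RPC_ALI_1 \
      BACKEND_BLOCKSCOUT BACKEND_DBIS_FRONTEND BACKEND_DBIS_API \
      BACKEND_DBIS_API_2 BACKEND_PHOENIX_API BACKEND_PHOENIX_PORTAL \
      BACKEND_THE_ORDER_PORTAL; do
    require_backend "$name" "${!name}"
  done
}

#######################################
# Warn about backends that still hold the template placeholder.
# nginx resolves static proxy_pass hosts at config-test time, so a
# "10.160.0.XX" upstream makes nginx -t fail.
# Globals:  reads BACKEND_PHOENIX_API, BACKEND_PHOENIX_PORTAL,
#           BACKEND_THE_ORDER_PORTAL
#######################################
warn_placeholders() {
  local name
  for name in BACKEND_PHOENIX_API BACKEND_PHOENIX_PORTAL BACKEND_THE_ORDER_PORTAL; do
    if [[ "${!name}" == *XX* ]]; then
      log_warn "${name} is still the placeholder '${!name}'; nginx cannot resolve it"
    fi
  done
}

#######################################
# Generate the complete Nginx configuration on stdout.
#
# The heredoc delimiter is quoted on purpose: nginx's own variables ($host,
# $remote_addr, $scheme, ...) must reach the file untouched. Backend addresses
# are therefore written as @TOKEN@ markers and substituted afterwards with
# bash pattern substitution (no sed, no eval). The previous version relied on
# shell ${VAR:-default} expansion inside the quoted heredoc, which never
# happened, so the literal expressions ended up in the nginx file.
# Globals:  reads the BACKEND_* variables set by resolve_backends
# Outputs:  the rendered configuration on stdout
#######################################
generate_nginx_config() {
  local cfg
  cfg=$(cat <<'NGINX_CONFIG_EOF'
# Complete Nginx Configuration for All Public Services
# Single Public IP (76.53.10.35) → Nginx → Backend Services
# Generated: 2026-01-09

# ============================================
# RPC Services
# ============================================
# NOTE: proxy_ssl_verify off — the upstream certificate is not checked, so
# these hops are only as trustworthy as the network segment they cross.
# Consider proxy_ssl_trusted_certificate + proxy_ssl_verify on once the
# backends present a verifiable certificate.

# ThirdWeb RPC (defi-oracle.io domain)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rpc.public-0138.defi-oracle.io;

    ssl_certificate /etc/letsencrypt/live/rpc.public-0138.defi-oracle.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpc.public-0138.defi-oracle.io/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass https://@RPC_THIRDWEB@:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
        proxy_buffering off;
    }
}

# RPC Public HTTP
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rpc-http-pub.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/rpc-http-pub.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpc-http-pub.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://@RPC_ALI_2@:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
        proxy_buffering off;
    }
}

# RPC Public WebSocket
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rpc-ws-pub.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/rpc-ws-pub.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpc-ws-pub.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://@RPC_ALI_2@:443;
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }
}

# RPC Private HTTP
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rpc-http-prv.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/rpc-http-prv.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpc-http-prv.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://@RPC_ALI_1@:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }
}

# RPC Private WebSocket
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rpc-ws-prv.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/rpc-ws-prv.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpc-ws-prv.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://@RPC_ALI_1@:443;
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }
}

# ============================================
# Explorer
# ============================================
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name explorer.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/explorer.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/explorer.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://@IP_BLOCKSCOUT@:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# ============================================
# DBIS Core Services
# ============================================

# DBIS Admin
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dbis-admin.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/dbis-admin.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dbis-admin.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://@IP_DBIS_FRONTEND@:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# DBIS API Primary
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dbis-api.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/dbis-api.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dbis-api.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://@IP_DBIS_API@:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# DBIS API Secondary
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dbis-api-2.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/dbis-api-2.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dbis-api-2.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://@IP_DBIS_API_2@:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# DBIS Secure Portal (Path-based routing)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name secure.d-bis.org;

    ssl_certificate /etc/letsencrypt/live/secure.d-bis.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.d-bis.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Admin portal (path-based)
    location /admin {
        proxy_pass http://@IP_DBIS_FRONTEND@:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # User API endpoint (path-based)
    location /api {
        proxy_pass http://@IP_DBIS_API@:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }

    # Graph endpoint (path-based)
    location /graph {
        proxy_pass http://@IP_DBIS_API@:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }

    # User portal (default)
    location / {
        proxy_pass http://@IP_DBIS_FRONTEND@:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# ============================================
# MIM4U Services
# ============================================

# MIM4U Main Site
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mim4u.org www.mim4u.org;

    ssl_certificate /etc/letsencrypt/live/mim4u.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mim4u.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Admin portal (path-based)
    location /admin {
        proxy_pass http://192.168.11.19:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Main site (default)
    location / {
        proxy_pass http://192.168.11.19:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# MIM4U Secure Portal
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name secure.mim4u.org;

    ssl_certificate /etc/letsencrypt/live/secure.mim4u.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.mim4u.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.11.19:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# MIM4U Training Portal
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name training.mim4u.org;

    ssl_certificate /etc/letsencrypt/live/training.mim4u.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/training.mim4u.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.11.19:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# ============================================
# Sankofa Services (sankofa.nexus)
# ============================================

# Sankofa Main Website
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sankofa.nexus www.sankofa.nexus;

    ssl_certificate /etc/letsencrypt/live/sankofa.nexus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sankofa.nexus/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # API endpoint (path-based)
    location /api {
        proxy_pass http://10.160.0.10:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }

    # Main portal (default)
    location / {
        proxy_pass http://10.160.0.11:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Phoenix Website
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name phoenix.sankofa.nexus www.phoenix.sankofa.nexus;

    ssl_certificate /etc/letsencrypt/live/phoenix.sankofa.nexus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/phoenix.sankofa.nexus/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # API endpoint (path-based)
    location /api {
        proxy_pass http://@IP_PHOENIX_API@:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }

    # Main portal (default)
    location / {
        proxy_pass http://@IP_PHOENIX_PORTAL@:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# The Order Portal
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name the-order.sankofa.nexus;

    ssl_certificate /etc/letsencrypt/live/the-order.sankofa.nexus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/the-order.sankofa.nexus/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://@IP_THE_ORDER_PORTAL@:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# ============================================
# HTTP to HTTPS Redirect (All Domains)
# ============================================
server {
    listen 80;
    listen [::]:80;
    server_name
        # RPC Services
        rpc.public-0138.defi-oracle.io
        rpc-http-pub.d-bis.org
        rpc-ws-pub.d-bis.org
        rpc-http-prv.d-bis.org
        rpc-ws-prv.d-bis.org
        # Explorer
        explorer.d-bis.org
        # DBIS Services
        dbis-admin.d-bis.org
        dbis-api.d-bis.org
        dbis-api-2.d-bis.org
        secure.d-bis.org
        # MIM4U
        mim4u.org
        www.mim4u.org
        secure.mim4u.org
        training.mim4u.org
        # Sankofa/Phoenix
        sankofa.nexus
        www.sankofa.nexus
        phoenix.sankofa.nexus
        www.phoenix.sankofa.nexus
        the-order.sankofa.nexus;

    return 301 https://$host$request_uri;
}
NGINX_CONFIG_EOF
  )

  # Quoting the replacement keeps bash from treating '&' specially
  # (patsub_replacement, bash 5.2); the values were validated anyway.
  cfg=${cfg//@RPC_THIRDWEB@/"$BACKEND_RPC_THIRDWEB"}
  cfg=${cfg//@RPC_ALI_2@/"$BACKEND_RPC_ALI_2"}
  cfg=${cfg//@RPC_ALI_1@/"$BACKEND_RPC_ALI_1"}
  cfg=${cfg//@IP_BLOCKSCOUT@/"$BACKEND_BLOCKSCOUT"}
  cfg=${cfg//@IP_DBIS_FRONTEND@/"$BACKEND_DBIS_FRONTEND"}
  cfg=${cfg//@IP_DBIS_API@/"$BACKEND_DBIS_API"}
  cfg=${cfg//@IP_DBIS_API_2@/"$BACKEND_DBIS_API_2"}
  cfg=${cfg//@IP_PHOENIX_API@/"$BACKEND_PHOENIX_API"}
  cfg=${cfg//@IP_PHOENIX_PORTAL@/"$BACKEND_PHOENIX_PORTAL"}
  cfg=${cfg//@IP_THE_ORDER_PORTAL@/"$BACKEND_THE_ORDER_PORTAL"}

  printf '%s\n' "$cfg"
}

#######################################
# Write the config into the container, enable it, test it and reload nginx.
# Globals:  reads PROXMOX_HOST, VMID_NGINX, NGINX_CONFIG_FILE,
#           NGINX_ENABLED_LINK, SSH_OPTS
# Returns:  0 on success, 1 on any failed step
#######################################
deploy_config() {
  local test_result

  log_info "Generating Nginx configuration..."
  # The pipeline itself is the condition. Under set -e a failing command
  # terminates the script before a following "[ $? -eq 0 ]" can run, so the
  # old error branches were unreachable; pipefail makes a failure of
  # generate_nginx_config count as well.
  if generate_nginx_config | ssh "${SSH_OPTS[@]}" root@"$PROXMOX_HOST" \
      "pct exec $VMID_NGINX -- tee $NGINX_CONFIG_FILE > /dev/null"; then
    log_success "Configuration file created"
  else
    log_error "Failed to create configuration file"
    return 1
  fi

  # Enable site — best-effort: an existing link is fine, and a real problem
  # surfaces in nginx -t below, so this step only warns.
  log_info "Enabling Nginx site..."
  if ! ssh "${SSH_OPTS[@]}" root@"$PROXMOX_HOST" \
      "pct exec $VMID_NGINX -- ln -sf $NGINX_CONFIG_FILE $NGINX_ENABLED_LINK"; then
    log_warn "Could not create ${NGINX_ENABLED_LINK}; continuing with config test"
  fi

  # Test configuration. Decide on the exit status plus the final
  # "test is successful" line: nginx -t prints "syntax is ok" even when the
  # test then fails (unresolvable upstream, missing certificate), so grepping
  # for that line reported a broken config as valid. The assignment is the
  # condition so that a non-zero status does not trip set -e before the
  # output can be shown.
  log_info "Testing Nginx configuration..."
  if test_result=$(ssh "${SSH_OPTS[@]}" root@"$PROXMOX_HOST" \
      "pct exec $VMID_NGINX -- nginx -t 2>&1") \
      && grep -q "test is successful" <<<"$test_result"; then
    log_success "Nginx configuration is valid"
  else
    log_error "Nginx configuration test failed"
    printf '%s\n' "$test_result" >&2
    return 1
  fi

  # Reload Nginx
  log_info "Reloading Nginx..."
  if ssh "${SSH_OPTS[@]}" root@"$PROXMOX_HOST" \
      "pct exec $VMID_NGINX -- systemctl reload nginx"; then
    log_success "Nginx reloaded successfully"
    return 0
  fi
  log_error "Failed to reload Nginx"
  return 1
}

#######################################
# Print the start-of-run banner.
# Globals:  reads PROXMOX_HOST, VMID_NGINX, NGINX_CONFIG_FILE
#######################################
print_banner() {
  printf '\n'
  printf '%s\n' "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  printf '%s\n' "🔧 Deploy Complete Nginx Configuration"
  printf '%s\n' "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  printf '\n'
  log_info "Proxmox Host: $PROXMOX_HOST"
  log_info "Nginx VMID: $VMID_NGINX"
  log_info "Config File: $NGINX_CONFIG_FILE"
  printf '\n'
}

#######################################
# Main execution.
# Arguments: none are used
# Returns:   0 on success; exits 1 on deployment failure
#######################################
main() {
  print_banner
  resolve_backends
  warn_placeholders

  if deploy_config; then
    printf '\n'
    printf '%s\n' "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    log_success "✅ Nginx Configuration Deployed"
    printf '%s\n' "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    printf '\n'
    log_warn "⚠️ Note: Update placeholder IPs for Phoenix and The Order services"
    log_warn "⚠️ Note: Obtain SSL certificates for all domains"
    printf '\n'
    log_info "Next steps:"
    printf '%s\n' "  1. Update Phoenix and The Order IPs in config"
    printf '%s\n' "  2. Obtain Let's Encrypt certificates"
    printf '%s\n' "  3. Test all endpoints"
    printf '\n'
  else
    log_error "Deployment failed"
    exit 1
  fi
}

# Run main only when executed directly; sourcing the file (e.g. to call
# generate_nginx_config and inspect the rendered config) does nothing.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi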