proxmox/scripts/archive/consolidated/verify/verify-npmplus-complete-setup.sh

#!/usr/bin/env bash
# Complete verification of NPMplus setup
# Checks all components: installation, certificates, proxy hosts, CSP headers

set -euo pipefail

# Load IP configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true


# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[⚠]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1"; }

PROXMOX_HOST="${1:-192.168.11.11}"
CONTAINER_ID="${2:-10233}"
NPM_URL="${3:-https://192.168.0.166:81}"
NPM_EMAIL="${4:-nsatoshi2007@hotmail.com}"
NPM_PASSWORD="${5:-ce8219e321e1cd97bd590fb792d3caeb7e2e3b94ca7e20124acaf253f911ff72}"

echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "🔍 NPMplus Complete Setup Verification"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Check 1: Container and Docker
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log_info "Check 1: Container & Docker Status"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

CONTAINER_STATUS=$(ssh root@"$PROXMOX_HOST" "pct status $CONTAINER_ID 2>/dev/null || echo 'not running'")
if echo "$CONTAINER_STATUS" | grep -q "running"; then
    log_success "Container is running"
else
    log_error "Container is not running"
    exit 1
fi

DOCKER_STATUS=$(ssh root@"$PROXMOX_HOST" "pct exec $CONTAINER_ID -- docker ps --filter 'name=npmplus' --format '{{.Status}}' 2>/dev/null || echo 'not running'")
if echo "$DOCKER_STATUS" | grep -q "Up\|healthy"; then
    log_success "NPMplus container: $DOCKER_STATUS"
else
    log_error "NPMplus container is not running"
    exit 1
fi

YQ_CHECK=$(ssh root@"$PROXMOX_HOST" "pct exec $CONTAINER_ID -- command -v yq 2>/dev/null || echo 'not found'")
if [ "$YQ_CHECK" != "not found" ]; then
    log_success "yq installed: $YQ_CHECK"
else
    log_warn "yq not installed (optional for manual config)"
fi

DOCKER_COMPOSE_CHECK=$(ssh root@"$PROXMOX_HOST" "pct exec $CONTAINER_ID -- docker compose version 2>/dev/null || docker-compose --version 2>/dev/null || echo 'not found'")
if [ "$DOCKER_COMPOSE_CHECK" != "not found" ]; then
    log_success "docker compose: $DOCKER_COMPOSE_CHECK"
else
    log_error "docker compose not found"
    exit 1
fi

echo ""

# Check 2: API Authentication
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log_info "Check 2: API Authentication"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

TOKEN_RESPONSE=$(curl -s -k -X POST "$NPM_URL/api/tokens" \
    -H "Content-Type: application/json" \
    -d "{
        \"identity\": \"$NPM_EMAIL\",
        \"secret\": \"$NPM_PASSWORD\"
    }")

TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token // empty' 2>/dev/null || echo "")

if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
    log_error "API authentication failed"
    exit 1
fi

log_success "API authentication working"
echo ""

# Check 3: Proxy Hosts
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log_info "Check 3: Proxy Hosts"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

PROXY_HOSTS_JSON=$(curl -s -k -X GET "$NPM_URL/api/nginx/proxy-hosts" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json")

PROXY_COUNT=$(echo "$PROXY_HOSTS_JSON" | jq -r 'length' 2>/dev/null || echo "0")
ASSIGNED_COUNT=$(echo "$PROXY_HOSTS_JSON" | jq -r '[.[] | select(.certificate_id > 0)] | length' 2>/dev/null || echo "0")

log_info "Total proxy hosts: $PROXY_COUNT"
log_info "Hosts with certificates: $ASSIGNED_COUNT"

if [ "$ASSIGNED_COUNT" -ge 19 ]; then
    log_success "All production domains have certificates"
else
    log_warn "Some domains missing certificates: $((19 - ASSIGNED_COUNT))"
fi

echo ""

# Check 4: SSL Certificates
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log_info "Check 4: SSL Certificates"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

CERT_JSON=$(curl -s -k -X GET "$NPM_URL/api/nginx/certificates" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json")

CERT_COUNT=$(echo "$CERT_JSON" | jq -r 'length' 2>/dev/null || echo "0")
ACTIVE_CERTS=$(echo "$CERT_JSON" | jq -r '[.[] | select(.expires_on != null and .expires_on > (now | todateiso8601))] | length' 2>/dev/null || echo "0")

log_info "Total certificates: $CERT_COUNT"
log_info "Active (non-expired) certificates: $ACTIVE_CERTS"

CERT_FILES=$(ssh root@"$PROXMOX_HOST" "pct exec $CONTAINER_ID -- docker exec npmplus find /data/tls/certbot/live -type d -mindepth 1 -maxdepth 1 2>/dev/null | wc -l" || echo "0")
log_info "Certificate files on disk: $CERT_FILES"

if [ "$ACTIVE_CERTS" -ge 19 ]; then
    log_success "Sufficient active certificates"
else
    log_warn "Some certificates may be missing or expired"
fi

echo ""

# Check 5: CSP Headers
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log_info "Check 5: CSP Headers"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

TEST_DOMAIN="sankofa.nexus"
CSP_HEADER=$(curl -s -I -k "https://$TEST_DOMAIN" 2>/dev/null | grep -i "content-security-policy" | grep -v "upgrade-insecure-requests" | head -1 || echo "")

if echo "$CSP_HEADER" | grep -q "unsafe-eval"; then
    log_success "CSP header includes 'unsafe-eval'"
else
    log_warn "CSP header may not be configured (check: $TEST_DOMAIN)"
fi

echo ""

# Check 6: Network & DNS
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log_info "Check 6: Network & DNS"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

HTTP_TEST=$(curl -s -o /dev/null -w "%{http_code}" -I "http://76.53.10.36" 2>/dev/null || echo "000")
HTTPS_TEST=$(curl -s -o /dev/null -w "%{http_code}" -I -k "https://76.53.10.36" 2>/dev/null || echo "000")

if [ "$HTTP_TEST" != "000" ]; then
    log_success "HTTP port 80 accessible (returned: $HTTP_TEST)"
else
    log_warn "HTTP port 80 not accessible"
fi

if [ "$HTTPS_TEST" != "000" ]; then
    log_success "HTTPS port 443 accessible (returned: $HTTPS_TEST)"
else
    log_warn "HTTPS port 443 not accessible"
fi

DNS_TEST=$(dig +short "$TEST_DOMAIN" @8.8.8.8 2>/dev/null | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -1 || echo "")
if [ "$DNS_TEST" = "76.53.10.36" ]; then
    log_success "DNS resolution correct: $TEST_DOMAIN → $DNS_TEST"
else
    log_warn "DNS resolution: $TEST_DOMAIN → $DNS_TEST (expected: 76.53.10.36)"
fi

echo ""

# Summary
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log_info "📊 Summary"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
echo "  Container: ✅ Running"
echo "  Docker Compose: ✅ Available"
echo "  API Access: ✅ Working"
echo "  Proxy Hosts: $PROXY_COUNT (expected: 21)"
echo "  Certificates Assigned: $ASSIGNED_COUNT/19 production domains"
echo "  Active Certificates: $ACTIVE_CERTS"
echo "  Certificate Files: $CERT_FILES"
echo "  CSP Headers: $(if echo "$CSP_HEADER" | grep -q "unsafe-eval"; then echo '✅ Configured'; else echo '⚠️  Check needed'; fi)"
echo "  Network: HTTP=$HTTP_TEST HTTPS=$HTTPS_TEST"
echo "  DNS: ✅ Correct"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Final status
if [ "$ASSIGNED_COUNT" -ge 19 ] && [ "$ACTIVE_CERTS" -ge 19 ] && [ "$HTTP_TEST" != "000" ] && [ "$HTTPS_TEST" != "000" ]; then
    log_success "✅ NPMplus setup is complete and working!"
    echo ""
    log_info "All components verified:"
    log_info "  • NPMplus is running and healthy"
    log_info "  • SSL certificates are active and assigned"
    log_info "  • Port forwarding is working"
    log_info "  • DNS is correctly configured"
    log_info "  • CSP headers are set"
    echo ""
else
    log_warn "⚠️  Some components may need attention (see details above)"
    echo ""
fi