proxmox/scripts/deployment/ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh

#!/usr/bin/env bash
# Bind Sankofa Phoenix (Fastify) Apollo to loopback only: HOST=127.0.0.1 in /opt/sankofa-api/.env
# so :4000 is not reachable from VLAN. Requires Tier-1 API hub nginx upstream **127.0.0.1:4000**
# (default in install-sankofa-api-hub-nginx-on-pve.sh).
#
# Usage:
#   bash scripts/deployment/ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh --dry-run --vmid 7800
#   PROXMOX_OPS_APPLY=1 PROXMOX_OPS_ALLOWED_VMIDS=7800 bash scripts/deployment/ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh --apply --vmid 7800
#
# Mutations: edits /opt/sankofa-api/.env (backup), restarts sankofa-api.service.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/scripts/lib/load-project-env.sh"
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/scripts/lib/proxmox-production-guard.sh"

ENV_PATH="${SANKOFA_PHOENIX_ENV_PATH:-/opt/sankofa-api/.env}"
APPLY=false
DRY_RUN=false
VMID="${SANKOFA_PHOENIX_VMID:-7800}"
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"

while [[ $# -gt 0 ]]; do
  case "$1" in
    --apply) APPLY=true ;;
    --dry-run) DRY_RUN=true ;;
    --vmid) VMID="${2:?}"; shift ;;
    *) echo "Unknown arg: $1" >&2; exit 2 ;;
  esac
  shift
done

PROXMOX_HOST="${PROXMOX_HOST:-$(get_host_for_vmid "$VMID")}"

echo "=== ensure-sankofa-phoenix-apollo-bind-loopback-7800 ==="
echo "PVE: root@${PROXMOX_HOST}  VMID=${VMID}  env=${ENV_PATH}"
echo ""

if $DRY_RUN || ! $APPLY; then
  echo "[DRY-RUN] Would set HOST=127.0.0.1 in ${ENV_PATH} and restart sankofa-api.service."
  # shellcheck disable=SC2029
  ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -lc \"
    set -e
    if [[ ! -f '${ENV_PATH}' ]]; then echo '(missing ${ENV_PATH})'; exit 0; fi
    echo '--- HOST lines (redact values):'
    grep -E '^HOST=' '${ENV_PATH}' 2>/dev/null | sed 's/=.*/=<set>/' || echo '(no HOST= line)'
    echo '--- :4000 listener:'
    command -v ss >/dev/null && ss -tlnp | grep ':4000' || true
    echo '--- hub upstream (expect 127.0.0.1:4000):'
    grep -A1 'upstream sankofa_phoenix_graphql' /etc/sankofa-phoenix-api-hub/conf.d/site.conf 2>/dev/null | head -3 || echo '(no hub conf)'
  \""
  echo "For apply: --apply and PROXMOX_OPS_APPLY=1 PROXMOX_OPS_ALLOWED_VMIDS=${VMID}"
  exit 0
fi

if ! pguard_require_apply_flag true; then
  echo "Refused: set PROXMOX_OPS_APPLY=1" >&2
  exit 3
fi
if ! pguard_vmid_allowed "$VMID"; then
  exit 3
fi

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
REMOTE_SH="${WORKDIR}/remote.sh"
{
  printf 'ENV_PATH=%q\n' "$ENV_PATH"
  cat <<'EOS'
set -euo pipefail
HUB_CONF="/etc/sankofa-phoenix-api-hub/conf.d/site.conf"
if [[ -f "$HUB_CONF" ]] && ! grep -q "server 127.0.0.1:4000" "$HUB_CONF" 2>/dev/null; then
  echo "ERROR: hub nginx must proxy Phoenix to 127.0.0.1:4000 (found other upstream in $HUB_CONF). Fix hub first." >&2
  exit 2
fi
if [[ ! -f "$ENV_PATH" ]]; then
  echo "ERROR: missing $ENV_PATH" >&2
  exit 2
fi
if grep -qE '^[[:space:]]*HOST[[:space:]]*=[[:space:]]*127\.0\.0\.1' "$ENV_PATH"; then
  echo "OK: HOST=127.0.0.1 already set"
  exit 0
fi
cp -a "$ENV_PATH" "${ENV_PATH}.bak.loopback-$(date +%Y%m%d%H%M%S)"
if grep -qE '^[[:space:]]*HOST[[:space:]]*=' "$ENV_PATH"; then
  sed -i -E 's/^[[:space:]]*HOST[[:space:]]*=.*/HOST=127.0.0.1/' "$ENV_PATH"
else
  {
    echo ""
    echo "# Added by ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh — VLAN cannot reach :4000; use hub :8080"
    echo "HOST=127.0.0.1"
  } >>"$ENV_PATH"
fi
systemctl restart sankofa-api.service
systemctl is-active sankofa-api.service
echo "OK: HOST=127.0.0.1 and sankofa-api restarted"
EOS
} >"$REMOTE_SH"

ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -s" <"$REMOTE_SH"

echo ""
echo "Post-check from operator (LAN): hub :8080 /health and GraphQL should still work; direct http://<CT_IP>:4000 should refuse from other hosts."