d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6945f69d7d28deb09eaaebb009035f6cf6c2ad52
proxmox/scripts/nginx-proxy-manager/update-npmplus-alltra-hybx-proxy-hosts.sh
defiQUG dbd517b279 Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers. 
- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains
- Omit embedded publish git dirs and empty placeholders from index

Made-with: Cursor
2026-04-12 06:12:20 -07:00

265 lines
10 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Add NPMplus proxy hosts for Alltra/HYBX services
# NPMplus Alltra/HYBX: 192.168.11.169:81 (VMID 10235)
# Usage: NPM_URL=https://192.168.11.169:81 NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/update-npmplus-alltra-hybx-proxy-hosts.sh
# See: docs/04-configuration/NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
[ -f "$PROJECT_ROOT/.env" ] && set +u && source "$PROJECT_ROOT/.env" 2>/dev/null || true && set -u
# Alltra/HYBX NPMplus: always use 192.168.11.169 (don't let .env NPM_URL override)
NPMPLUS_ALLTRA_IP="${IP_NPMPLUS_ALLTRA_HYBX:-192.168.11.169}"
NPM_URL="https://${NPMPLUS_ALLTRA_IP}:81"
NPM_EMAIL="${NPM_EMAIL:-admin@example.org}"
NPM_PASSWORD="${NPM_PASSWORD:-}"
INCLUDE_PLACEHOLDER_HOSTS="${INCLUDE_PLACEHOLDER_HOSTS:-0}"
SKIP_UNHEALTHY_UPSTREAMS="${SKIP_UNHEALTHY_UPSTREAMS:-1}"
if [ -z "$NPM_PASSWORD" ]; then
echo "Set NPM_PASSWORD. Get from: ssh root@192.168.11.11 'pct exec 10235 -- cat /opt/.npm_pwd 2>/dev/null'"
exit 1
fi
echo "Adding proxy hosts to NPMplus Alltra/HYBX at $NPM_URL..."
# Authenticate (some NPM 2 instances return only {expires} and set token in cookie)
COOKIE_JAR="/tmp/npm_alltra_cookies_$$"
cleanup_cookies() { rm -f "$COOKIE_JAR"; }
trap cleanup_cookies EXIT
AUTH_JSON=$(jq -n --arg identity "$NPM_EMAIL" --arg secret "$NPM_PASSWORD" '{identity:$identity,secret:$secret}')
TOKEN_RESPONSE=$(curl -s -k -X POST "$NPM_URL/api/tokens" -H "Content-Type: application/json" -d "$AUTH_JSON" -c "$COOKIE_JAR")
TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token // .accessToken // .access_token // .data.token // empty' 2>/dev/null)
# If no token in body but response has "expires", auth succeeded via cookie (NPM 2 style)
USE_COOKIE_AUTH=0
if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
if echo "$TOKEN_RESPONSE" | jq -e '.expires' >/dev/null 2>&1; then
USE_COOKIE_AUTH=1
echo "Using cookie-based auth (NPM 2 style)."
else
echo "Authentication failed"
MSG=$(echo "$TOKEN_RESPONSE" | jq -r '.message // .error // .error.message // empty' 2>/dev/null)
[ -n "$MSG" ] && echo "API: $MSG"
KEYS=$(echo "$TOKEN_RESPONSE" | jq -r 'keys | join(", ")' 2>/dev/null)
[ -n "$KEYS" ] && echo "Response keys: $KEYS"
exit 1
fi
fi
# Curl auth: Bearer token or cookie
curl_auth() {
if [ "$USE_COOKIE_AUTH" = "1" ]; then
curl -s -k -b "$COOKIE_JAR" "$@"
else
curl -s -k -H "Authorization: Bearer $TOKEN" "$@"
fi
}
add_proxy_host() {
local domain=$1
local fwd_host=$2
local fwd_port=$3
local ws=${4:-false}
local payload
payload=$(jq -n \
--arg domain "$domain" \
--arg host "$fwd_host" \
--argjson port "$fwd_port" \
--argjson ws "$ws" \
'{
domain_names: [$domain],
forward_scheme: "http",
forward_host: $host,
forward_port: $port,
allow_websocket_upgrade: $ws,
block_exploits: false,
certificate_id: null,
ssl_forced: false
}')
local resp
resp=$(curl_auth -X POST "$NPM_URL/api/nginx/proxy-hosts" \
-H "Content-Type: application/json" \
-d "$payload")
local id
id=$(echo "$resp" | jq -r '.id // empty' 2>/dev/null)
if [ -n "$id" ] && [ "$id" != "null" ]; then
echo " Added: $domain -> $fwd_host:$fwd_port"
return 0
else
echo " Skip (may exist): $domain - $(echo "$resp" | jq -r '.message // .error // "unknown"' 2>/dev/null)"
return 1
fi
}
fetch_proxy_hosts_json() {
curl_auth -X GET "$NPM_URL/api/nginx/proxy-hosts"
}
resolve_proxy_host_id() {
local domain=$1
local hosts_json=${2:-}
[ -z "$hosts_json" ] && hosts_json=$(fetch_proxy_hosts_json)
echo "$hosts_json" | jq -r --arg dom "$domain" '
if type == "array" then .
elif .data != null then .data
elif .proxy_hosts != null then .proxy_hosts
else []
end
| .[]
| select(.domain_names | type == "array")
| select(.domain_names[] == $dom)
| .id
' 2>/dev/null | head -n1
}
origin_tcp_ready() {
local fwd_host=$1
local fwd_port=$2
timeout 3 bash -lc "</dev/tcp/${fwd_host}/${fwd_port}" >/dev/null 2>&1
}
should_manage_proxy_host() {
local domain=$1
local fwd_host=$2
local fwd_port=$3
local purpose=${4:-active}
if [ "$purpose" = "placeholder" ] && [ "$INCLUDE_PLACEHOLDER_HOSTS" != "1" ]; then
echo " Skip placeholder host: $domain (set INCLUDE_PLACEHOLDER_HOSTS=1 after the real web service is deployed)"
return 1
fi
if [ "$SKIP_UNHEALTHY_UPSTREAMS" = "1" ] && ! origin_tcp_ready "$fwd_host" "$fwd_port"; then
echo " Skip $domain -> $fwd_host:$fwd_port (origin is not listening)"
return 1
fi
return 0
}
# Update existing proxy host while preserving cert/SSL state already on the row.
update_proxy_host() {
local domain=$1
local fwd_host=$2
local fwd_port=$3
local ws=${4:-false}
local hosts_json
hosts_json=$(fetch_proxy_hosts_json)
local arr
arr=$(echo "$hosts_json" | jq -c '
if type == "array" then .
elif .data != null then .data
elif .proxy_hosts != null then .proxy_hosts
else []
end
' 2>/dev/null)
[ -z "$arr" ] && return 1
local id
id=$(echo "$arr" | jq -r --arg dom "$domain" '
.[]
| select(.domain_names | type == "array")
| select(.domain_names[] == $dom)
| .id
' 2>/dev/null | head -n1)
if [ -z "$id" ] || [ "$id" = "null" ]; then return 1; fi
local payload
payload=$(jq -n \
--arg scheme "http" --arg host "$fwd_host" --argjson port "$fwd_port" --argjson ws "$ws" \
'{ forward_scheme: $scheme, forward_host: $host, forward_port: $port, allow_websocket_upgrade: $ws, block_exploits: false }')
local resp
resp=$(curl_auth -X PUT "$NPM_URL/api/nginx/proxy-hosts/$id" \
-H "Content-Type: application/json" \
-d "$payload")
local out_id
out_id=$(echo "$resp" | jq -r '.id // empty' 2>/dev/null)
if [ -n "$out_id" ] && [ "$out_id" != "null" ]; then
echo " Updated: $domain -> $fwd_host:$fwd_port"
return 0
fi
payload=$(jq -n \
--arg scheme "http" --arg host "$fwd_host" --argjson port "$fwd_port" --argjson ws "$ws" \
'{ forward_scheme: $scheme, forward_host: $host, forward_port: $port, allow_websocket_upgrade: $ws, blockCommonExploits: false }')
resp=$(curl_auth -X PUT "$NPM_URL/api/nginx/proxy-hosts/$id" -H "Content-Type: application/json" -d "$payload")
out_id=$(echo "$resp" | jq -r '.id // empty' 2>/dev/null)
if [ -n "$out_id" ] && [ "$out_id" != "null" ]; then
echo " Updated: $domain -> $fwd_host:$fwd_port"
return 0
fi
local host_obj
host_obj=$(echo "$arr" | jq -c --arg dom "$domain" '
.[]
| select(.domain_names | type == "array")
| select(.domain_names[] == $dom)
' 2>/dev/null | head -n1)
if [ -n "$host_obj" ]; then
payload=$(echo "$host_obj" | jq -c --arg host "$fwd_host" --argjson port "$fwd_port" --argjson ws "$ws" '
{
domain_names,
forward_scheme,
forward_host: $host,
forward_port: $port,
allow_websocket_upgrade: $ws,
block_exploits,
certificate_id,
ssl_forced,
caching_enabled,
advanced_config,
access_list_id,
enabled,
http2_support,
hsts_enabled,
hsts_subdomains
}
' 2>/dev/null)
if [ -n "$payload" ]; then
resp=$(curl_auth -X PUT "$NPM_URL/api/nginx/proxy-hosts/$id" -H "Content-Type: application/json" -d "$payload")
out_id=$(echo "$resp" | jq -r '.id // empty' 2>/dev/null)
if [ -n "$out_id" ] && [ "$out_id" != "null" ]; then
echo " Updated: $domain -> $fwd_host:$fwd_port"
return 0
fi
fi
fi
echo " Warning: could not update $domain via API. Check the NPM UI for this proxy host."
return 1
}
add_or_update_proxy_host() {
local domain=$1
local fwd_host=$2
local fwd_port=$3
local ws=${4:-false}
local purpose=${5:-active}
should_manage_proxy_host "$domain" "$fwd_host" "$fwd_port" "$purpose" || return 0
if add_proxy_host "$domain" "$fwd_host" "$fwd_port" "$ws"; then
return 0
fi
update_proxy_host "$domain" "$fwd_host" "$fwd_port" "$ws"
}
# Add or fix Alltra/HYBX + Nathan core-2 proxy hosts (third NPMplus = 76.53.10.38 → 192.168.11.169)
# RPC hosts must have block_exploits false or POST to / returns 405
add_or_update_proxy_host "rpc-core-2.d-bis.org" "192.168.11.212" 8545 true active || true
add_or_update_proxy_host "rpc-alltra.d-bis.org" "192.168.11.172" 8545 true active || true
add_or_update_proxy_host "rpc-alltra-2.d-bis.org" "192.168.11.173" 8545 true active || true
add_or_update_proxy_host "rpc-alltra-3.d-bis.org" "192.168.11.174" 8545 true active || true
add_or_update_proxy_host "rpc-hybx.d-bis.org" "192.168.11.246" 8545 true active || true
add_or_update_proxy_host "rpc-hybx-2.d-bis.org" "192.168.11.247" 8545 true active || true
add_or_update_proxy_host "rpc-hybx-3.d-bis.org" "192.168.11.248" 8545 true active || true
add_or_update_proxy_host "cacti-alltra.d-bis.org" "192.168.11.177" 80 false active || true
add_or_update_proxy_host "cacti-hybx.d-bis.org" "192.168.11.251" 80 false active || true
# Firefly / Fabric / Indy web surfaces are placeholders until the actual HTTP listener is deployed.
add_or_update_proxy_host "firefly-alltra-1.d-bis.org" "192.168.11.175" 80 false placeholder || true
add_or_update_proxy_host "firefly-alltra-2.d-bis.org" "192.168.11.176" 80 false placeholder || true
add_or_update_proxy_host "firefly-hybx-1.d-bis.org" "192.168.11.249" 80 false placeholder || true
add_or_update_proxy_host "firefly-hybx-2.d-bis.org" "192.168.11.250" 80 false placeholder || true
add_or_update_proxy_host "fabric-alltra.d-bis.org" "192.168.11.178" 80 false placeholder || true
add_or_update_proxy_host "indy-alltra.d-bis.org" "192.168.11.179" 80 false placeholder || true
add_or_update_proxy_host "fabric-hybx.d-bis.org" "192.168.11.252" 80 false placeholder || true
add_or_update_proxy_host "indy-hybx.d-bis.org" "192.168.11.253" 80 false placeholder || true
echo ""
echo "Done. Request Let's Encrypt certs in NPMplus UI for each active domain."
echo "Placeholder Firefly/Fabric/Indy hosts are skipped by default until INCLUDE_PLACEHOLDER_HOSTS=1 and the real web service is listening."
Reference in New Issue View Git Blame Copy Permalink