
#!/usr/bin/env bash
# Idempotent: align hub nginx location /graphql-ws on CT 7800 with install-sankofa-api-hub-nginx-on-pve.sh:
# Accept-Encoding cleared, proxy_buffering off, X-Real-IP / X-Forwarded-* (for TRUST_PROXY / logging).
#
# Usage:
# bash scripts/deployment/ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800.sh --dry-run --vmid 7800
# PROXMOX_OPS_APPLY=1 PROXMOX_OPS_ALLOWED_VMIDS=7800 bash scripts/deployment/ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800.sh --apply --vmid 7800
set -euo pipefail

# Locate this script and the repository root (two levels up from scripts/deployment).
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
PROJECT_ROOT=$(cd -- "${SCRIPT_DIR}/../.." && pwd)

# Shared project helpers (presumably where get_host_for_vmid and the pguard_*
# functions used below come from).
# shellcheck source=/dev/null
. "${PROJECT_ROOT}/scripts/lib/load-project-env.sh"
# shellcheck source=/dev/null
. "${PROJECT_ROOT}/scripts/lib/proxmox-production-guard.sh"

# nginx site config of the hub inside the CT; SANKOFA_PHOENIX_HUB_SITE_CONF overrides.
SITE_CONF=${SANKOFA_PHOENIX_HUB_SITE_CONF:-/etc/sankofa-phoenix-api-hub/conf.d/site.conf}
# Run mode, toggled by --apply / --dry-run below.
APPLY=false
DRY_RUN=false
# Target container; SANKOFA_PHOENIX_VMID or --vmid override the 7800 default.
VMID=${SANKOFA_PHOENIX_VMID:-7800}
# Kept as one string on purpose: it is word-split at the ssh call sites.
# accept-new records an unknown host key on first contact and still refuses a
# changed key later; BatchMode makes a prompt fail fast instead of hanging.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
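#######################################
# Parse the script's flags into the APPLY / DRY_RUN / VMID globals.
# Arguments: "$@" of the script (--apply, --dry-run, --vmid <id>)
# Globals:   APPLY, DRY_RUN, VMID (written)
# Outputs:   error text on stderr for an unknown flag or a missing --vmid value
# Returns:   0; exits 2 on an unknown flag, exits on an empty/missing --vmid value
#######################################
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --apply) APPLY=true ;;
      --dry-run) DRY_RUN=true ;;
      --vmid)
        VMID="${2:?--vmid requires a value}"
        shift
        ;;
      *)
        echo "Unknown arg: $1" >&2
        exit 2
        ;;
    esac
    shift
  done
}

#######################################
# Reject anything that is not a plain numeric container id. VMID is spliced
# into the remote "pct exec ${VMID} -- ..." command line, so this keeps a typo
# or a stray shell character out of that command (the dry-run path does not go
# through pguard_vmid_allowed).
# Arguments: $1 - candidate VMID
# Returns:   0 if numeric; exits 2 otherwise
#######################################
validate_vmid() {
  if [[ ! "$1" =~ ^[0-9]+$ ]]; then
    echo "Invalid VMID '$1': expected a numeric container id" >&2
    exit 2
  fi
}

parse_args "$@"
# VMID normally carries the SANKOFA_PHOENIX_VMID/7800 default set above;
# ${VMID-} keeps this line safe if the variable is unset.
[[ -z "${VMID-}" ]] || validate_vmid "$VMID"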
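# Resolve the PVE host for this CT unless PROXMOX_HOST is given explicitly.
PROXMOX_HOST="${PROXMOX_HOST:-$(get_host_for_vmid "$VMID")}"
# An empty result would silently turn the ssh target into "root@"; stop here
# with a clear message instead of a confusing ssh error later.
: "${PROXMOX_HOST:?no Proxmox host resolved for VMID ${VMID}; set PROXMOX_HOST}"
printf '%s\n' "=== ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800 ==="
printf 'PVE: root@%s VMID=%s conf=%s\n' "$PROXMOX_HOST" "$VMID" "$SITE_CONF"
printf '\n'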
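# Dry-run (the default unless --apply is given): show the current graphql-ws
# block and how to apply. Comparing the flag values avoids executing a variable
# as a command.
if [[ "$DRY_RUN" == true || "$APPLY" != true ]]; then
  echo "[DRY-RUN] Would ensure graphql-ws block has WS proxy + forwarded client headers."
  # Stream the preview as a script on stdin, the same way the --apply path does,
  # so SITE_CONF crosses the ssh -> pct -> bash boundary as a %q-quoted
  # assignment instead of being spliced into a doubly-quoted remote command
  # string, where a quote or $ in the path would break or alter the command.
  # shellcheck disable=SC2029
  {
    printf 'SITE_CONF=%q\n' "$SITE_CONF"
    cat <<'EOS'
if [[ ! -f "$SITE_CONF" ]]; then echo "missing $SITE_CONF"; exit 0; fi
awk '/location \/graphql-ws/,/^[[:space:]]*}/' "$SITE_CONF" | head -30
EOS
  } | ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -s"
  echo "For apply: --apply and PROXMOX_OPS_APPLY=1 PROXMOX_OPS_ALLOWED_VMIDS=${VMID}"
  exit 0
fi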
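# Production guard: --apply alone is not enough; the operator must also opt in
# via PROXMOX_OPS_APPLY=1 and list the target in PROXMOX_OPS_ALLOWED_VMIDS.
if ! pguard_require_apply_flag true; then
  echo "Refused: set PROXMOX_OPS_APPLY=1" >&2
  exit 3
fi
if ! pguard_vmid_allowed "$VMID"; then
  # Mirror the refusal message above so a bare exit 3 is never the only signal
  # (pguard_vmid_allowed may print its own reason as well).
  echo "Refused: VMID ${VMID} is not in PROXMOX_OPS_ALLOWED_VMIDS" >&2
  exit 3
fi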
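WORKDIR="$(mktemp -d)"
trap 'rm -rf -- "$WORKDIR"' EXIT
REMOTE_SH="${WORKDIR}/remote.sh"
# Assemble the remote script locally. Only SITE_CONF is interpolated, as a
# %q-quoted export, so everything else can be a literal heredoc. Heredoc bodies
# stay at column 0 because they become the remote file verbatim and the
# embedded Python is indentation-sensitive.
{
  printf 'export SITE_CONF=%q\n' "$SITE_CONF"
  cat <<'EOS'
set -euo pipefail
if [[ ! -f "$SITE_CONF" ]]; then
  echo "ERROR: missing $SITE_CONF (install hub first?)" >&2
  exit 2
fi
# The backup path is chosen here rather than in Python so the shell can restore
# it if nginx rejects the patched config. Same naming as before:
# site.conf.bak.ws-proxy-<UTC timestamp>, next to the live file.
# NOTE(review): the backup lands in the conf.d directory; confirm the hub's
# nginx include glob does not pick up *.bak.* files.
BACKUP_PATH="${SITE_CONF}.bak.ws-proxy-$(date -u +%Y%m%d%H%M%S)"
export BACKUP_PATH
# Patcher exit codes: 0 = nothing to do, 10 = patched (backup written),
# anything else = error (propagated below).
rc=0
python3 <<'PY' || rc=$?
import os
import re
import sys
from pathlib import Path

conf = Path(os.environ["SITE_CONF"])
backup = Path(os.environ["BACKUP_PATH"])
text = conf.read_text()
if "location /graphql-ws" not in text:
    print("ERROR: no location /graphql-ws in site.conf", file=sys.stderr)
    sys.exit(2)
# Assumes the location body has no nested braces; a nested block would make
# [^}]* stop at the inner closing brace.
m = re.search(r"location /graphql-ws \{([^}]*)\}", text, flags=re.DOTALL)
if not m:
    print("ERROR: could not parse graphql-ws block", file=sys.stderr)
    sys.exit(2)
orig_block = m.group(1)
block = orig_block


def insert_after(body, anchor_re, directives):
    """Insert the directives not already present in `body` directly after the
    line matched by `anchor_re`, reusing that line's leading whitespace.

    `anchor_re` must capture the indent in group 1 and end with a newline.
    Returns (new_body, ok); ok is False only when something is missing and
    the anchor line could not be found.
    """
    missing = [d for d in directives if d not in body]
    if not missing:
        return body, True
    anchor = re.search(anchor_re, body, flags=re.MULTILINE)
    if not anchor:
        return body, False
    indent = anchor.group(1)
    addition = "".join(indent + d + "\n" for d in missing)
    return body[: anchor.end()] + addition + body[anchor.end():], True


# WebSocket proxying: the Connection upgrade line must already exist; the
# Accept-Encoding reset and proxy_buffering off go right after it. Each is
# added only if missing: inserting both unconditionally could duplicate
# proxy_buffering, which nginx -t rejects. Indentation is taken from the
# anchor line instead of being hard-coded.
block, ok = insert_after(
    block,
    r'^([ \t]*)proxy_set_header Connection "upgrade";[ \t]*\n',
    ['proxy_set_header Accept-Encoding "";', "proxy_buffering off;"],
)
if not ok:
    print("ERROR: expected Connection upgrade line not found in graphql-ws block", file=sys.stderr)
    sys.exit(2)
# Forwarded client headers (TRUST_PROXY / logging), anchored after Host.
# As before: only when X-Real-IP is absent, and a block without a
# "proxy_set_header Host $host;" line is left alone.
if "proxy_set_header X-Real-IP" not in block:
    block, _ = insert_after(
        block,
        r"^([ \t]*)proxy_set_header Host \$host;[ \t]*\n",
        [
            "proxy_set_header X-Real-IP $remote_addr;",
            "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;",
            "proxy_set_header X-Forwarded-Proto $scheme;",
        ],
    )
if block == orig_block:
    print("OK: graphql-ws block already complete")
    sys.exit(0)
backup.write_text(text)
conf.write_text(text[: m.start(1)] + block + text[m.end(1):])
print("OK: patched graphql-ws block (backup " + backup.name + ")")
sys.exit(10)
PY
case "$rc" in
  10)
    # Validate before reloading; on rejection put the backup back so the hub
    # is never left with a config nginx will not load.
    if ! nginx -t -c /etc/sankofa-phoenix-api-hub/nginx.conf; then
      echo "ERROR: nginx -t rejected the patched config; restoring ${BACKUP_PATH}" >&2
      cp -- "$BACKUP_PATH" "$SITE_CONF"
      exit 1
    fi
    # Reload first; stderr is suppressed because a failed reload (presumably no
    # running master) is handled by the service restart below.
    if /usr/sbin/nginx -s reload -c /etc/sankofa-phoenix-api-hub/nginx.conf 2>/dev/null; then
      echo "OK: hub nginx reloaded"
    else
      systemctl restart sankofa-phoenix-api-hub.service
      systemctl is-active sankofa-phoenix-api-hub.service
      echo "OK: hub nginx restarted"
    fi
    ;;
  0) echo "OK: hub nginx unchanged (already had headers)" ;;
  *) exit "$rc" ;;
esac
EOS
} >"$REMOTE_SH"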
# Run the assembled script inside the CT via stdin; its exit status is ours.
# shellcheck disable=SC2086
ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -s" <"$REMOTE_SH"
printf '\n'
printf '%s\n' "Verify: bash scripts/verify/smoke-phoenix-graphql-wss-public.sh"