proxmox/scripts/cloudflare/configure-omdnl-org-dns.sh
defiQUG dbd517b279 Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers.
- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains
- Omit embedded publish git dirs and empty placeholders from index

Made-with: Cursor
2026-04-12 06:12:20 -07:00


#!/usr/bin/env bash
# Cloudflare DNS for omdnl.org: apex (@) and www → PUBLIC_IP (A records, proxied).
#
# Prerequisite: Zone omdnl.org exists in Cloudflare and nameservers are delegated.
# Requires .env: CLOUDFLARE_API_TOKEN (or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY),
# CLOUDFLARE_ZONE_ID_OMDNL_ORG (or CLOUDFLARE_ZONE_ID when zone is omdnl.org)
# PUBLIC_IP (WAN IP that reaches NPMplus, same pattern as other public sites)
#
# Usage: bash scripts/cloudflare/configure-omdnl-org-dns.sh [--dry-run]
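set -euo pipefail

# Resolve the repository root from this script's location so the relative
# config paths below work from any working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"

# Both files are executed as shell code, not parsed as data, and .env holds
# the Cloudflare credential: keep them readable and writable by the operator
# only. Loading is best-effort; the checks further down report what is unset.
# shellcheck disable=SC1091
source config/ip-addresses.conf 2>/dev/null || true
if [ -f .env ]; then
  # .env may reference variables that are not set, so nounset is relaxed
  # only while it loads.
  set +u
  # shellcheck disable=SC1091
  source .env 2>/dev/null || true
  set -u
fi

ZONE_ID="${CLOUDFLARE_ZONE_ID_OMDNL_ORG:-${CLOUDFLARE_ZONE_ID:-}}"
PUBLIC_IP="${PUBLIC_IP:-}"
ZONE_NAME="${OMDNL_ORG_DNS_ZONE:-omdnl.org}"

# Reject anything other than --dry-run: a mistyped flag must not fall through
# to a live DNS change.
DRY=false
case "${1:-}" in
  "") ;;
  --dry-run) DRY=true ;;
  *)
    echo "Unknown argument: $1 (usage: $0 [--dry-run])" >&2
    exit 2
    ;;
esac

[ -n "$PUBLIC_IP" ] || { echo "Set PUBLIC_IP in .env (WAN IP for NPM)" >&2; exit 1; }
# An A record holds an IPv4 address. Checking the format here also catches a
# stray carriage return or whitespace picked up from .env before the value is
# sent to the API.
ipv4_octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
ipv4_re="^${ipv4_octet}(\.${ipv4_octet}){3}\$"
if ! [[ "$PUBLIC_IP" =~ $ipv4_re ]]; then
  echo "PUBLIC_IP is not a valid IPv4 address: $PUBLIC_IP" >&2
  exit 1
fi

# The credential is handed to curl as a header argument, so it is visible in
# the process list while curl runs and in any `bash -x` trace of this script.
# Prefer an API token scoped to DNS edit on this one zone over the account-wide
# email + API key pair.
if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
  AUTH_H=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")
elif [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then
  AUTH_H=(-H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY")
else
  echo "Set CLOUDFLARE_API_TOKEN or (CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY) in .env" >&2
  exit 1
fi

[ -n "$ZONE_ID" ] || { echo "Set CLOUDFLARE_ZONE_ID_OMDNL_ORG (or CLOUDFLARE_ZONE_ID) in .env" >&2; exit 1; }
# The zone id is placed directly into the request URL path, so only the
# expected 32-character hex form is accepted.
if ! [[ "$ZONE_ID" =~ ^[0-9a-fA-F]{32}$ ]]; then
  echo "Zone id is not a 32-character hex string; check CLOUDFLARE_ZONE_ID_OMDNL_ORG / CLOUDFLARE_ZONE_ID" >&2
  exit 1
fi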
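#######################################
# Create or update one proxied A record that points at PUBLIC_IP.
# Globals:   PUBLIC_IP, ZONE_ID, DRY, AUTH_H (all read)
# Arguments: $1 - record name sent in the request body ("@" for the apex)
#            $2 - full record name used to look up an existing record
# Outputs:   one status line on stdout; warnings and API error bodies on stderr
# Returns:   0 when the record was created, updated or already identical,
#            1 when a request fails or the API rejects it
#######################################
upsert_a() {
  local api_name="$1"
  local query_name="$2"
  local api_base="https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records"
  # -S keeps curl's own error text despite -s; the timeouts stop a stalled
  # connection from hanging the run.
  local -a curl_opts=(-sS --connect-timeout 10 --max-time 30)

  # Dry run: report the intended change and make no API call.
  if [[ "$DRY" == true ]]; then
    echo "[dry-run] would upsert A $api_name → $PUBLIC_IP"
    return 0
  fi

  # jq builds the body so both values are JSON-escaped rather than pasted in.
  # ttl 1 is Cloudflare's "automatic" TTL.
  local data
  data=$(jq -n --arg name "$api_name" --arg content "$PUBLIC_IP" \
    '{type:"A",name:$name,content:$content,ttl:1,proxied:true}')

  local existing record_id match_count
  existing=$(curl "${curl_opts[@]}" -G "$api_base" \
    --data-urlencode "name=${query_name}" \
    --data-urlencode "type=A" \
    "${AUTH_H[@]}" -H "Content-Type: application/json") || {
    echo "Lookup request for A ${query_name} failed" >&2
    return 1
  }
  # A rejected lookup (bad credential, wrong zone id) must not be read as
  # "no record yet": that would fall through to the create branch and could
  # leave a second A record next to the one that should have been updated.
  if ! jq -e '.success == true' >/dev/null 2>&1 <<<"$existing"; then
    echo "Lookup of A ${query_name} was rejected:" >&2
    jq . <<<"$existing" >&2 || printf '%s\n' "$existing" >&2
    return 1
  fi

  # Only the first match is updated; any others keep resolving to their old
  # address, so tell the operator they exist.
  match_count=$(jq -r '.result | length' <<<"$existing")
  if [ "$match_count" -gt 1 ]; then
    echo "Warning: ${match_count} A records exist for ${query_name}; only the first is updated" >&2
  fi

  record_id=$(jq -r '.result[0].id // empty' <<<"$existing")
  if [ -n "$record_id" ] && [ "$record_id" != "null" ]; then
    local upd
    upd=$(curl "${curl_opts[@]}" -X PUT "${api_base}/${record_id}" \
      "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$data") || {
      echo "Update request for A ${query_name} failed" >&2
      return 1
    }
    if jq -e '.success == true' >/dev/null 2>&1 <<<"$upd"; then
      echo "Updated A ${query_name}"
      return 0
    fi
    jq . <<<"$upd" >&2 || printf '%s\n' "$upd" >&2
    return 1
  fi

  local cr code
  cr=$(curl "${curl_opts[@]}" -X POST "$api_base" \
    "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$data") || {
    echo "Create request for A ${query_name} failed" >&2
    return 1
  }
  if jq -e '.success == true' >/dev/null 2>&1 <<<"$cr"; then
    echo "Created A ${query_name}"
    return 0
  fi
  # Error 81058 is treated as success: the API reports that an identical
  # record is already present.
  code=$(jq -r '.errors[0].code // empty' <<<"$cr")
  if [ "$code" = "81058" ]; then
    echo "OK A ${query_name} (already exists with same target)"
    return 0
  fi
  jq . <<<"$cr" >&2 || printf '%s\n' "$cr" >&2
  return 1
}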
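# Messages use ZONE_NAME so they stay accurate when OMDNL_ORG_DNS_ZONE
# overrides the default zone. The zone id itself is deliberately not printed.
echo "${ZONE_NAME} DNS (zone id set) → ${PUBLIC_IP} (proxied)"
# Apex: API name @ ; list API returns full record name (the zone name itself).
# Under `set -e` a failure here stops the script before www is attempted.
upsert_a "@" "${ZONE_NAME}"
# www
upsert_a "www" "www.${ZONE_NAME}"
echo "Done. After propagation: request NPM TLS for ${ZONE_NAME} and www.${ZONE_NAME}."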