proxmox/scripts/cloudflare/set-d-bis-org-zone-ssl-mode.sh

#!/usr/bin/env bash
# Set Cloudflare d-bis.org zone SSL/TLS mode (same fix as sankofa: Flexible + NPM SSL forced → redirect loops).
#
# Usage: bash scripts/cloudflare/set-d-bis-org-zone-ssl-mode.sh [full|strict|flexible|off] [--dry-run]
# Env: CLOUDFLARE_ZONE_ID_D_BIS_ORG (or CLOUDFLARE_ZONE_ID), CLOUDFLARE_API_TOKEN (or email + global key)
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"
# shellcheck source=/dev/null
source config/ip-addresses.conf 2>/dev/null || true
if [ -f .env ]; then set +u && set -a && source .env && set +a && set -u; fi

MODE="${1:-full}"
DRY=false
[[ "${2:-}" == "--dry-run" ]] || [[ "${1:-}" == "--dry-run" ]] && DRY=true
[[ "$MODE" == "--dry-run" ]] && MODE="full" && DRY=true

case "$MODE" in
  full|strict|flexible|off) ;;
  *)
    echo "Usage: $0 [full|strict|flexible|off] [--dry-run]" >&2
    exit 1
    ;;
esac

ZONE_ID="${CLOUDFLARE_ZONE_ID_D_BIS_ORG:-${CLOUDFLARE_ZONE_ID:-}}"
if [ -z "$ZONE_ID" ]; then
  echo "Set CLOUDFLARE_ZONE_ID_D_BIS_ORG (or CLOUDFLARE_ZONE_ID) in .env" >&2
  exit 1
fi

if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
  AUTH_H=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")
elif [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then
  AUTH_H=(-H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY")
else
  echo "Set CLOUDFLARE_API_TOKEN or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY" >&2
  exit 1
fi

if $DRY; then
  echo "[dry-run] Would PATCH zones/$ZONE_ID/settings/ssl value=$MODE (d-bis.org)"
  exit 0
fi

BODY=$(jq -n --arg v "$MODE" '{value:$v}')
RESP=$(curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/settings/ssl" \
  "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$BODY")

if echo "$RESP" | jq -e '.success == true' >/dev/null 2>&1; then
  echo "OK: d-bis.org SSL mode set to $MODE"
else
  echo "$RESP" | jq . >&2 || echo "$RESP" >&2
  exit 1
fi