diff --git a/deploy.sh b/deploy.sh index 6e0c6727a..dc2f9edac 100755 --- a/deploy.sh +++ b/deploy.sh @@ -28,9 +28,9 @@ if [ "$1" != "prod" ] && [ "$1" != "staging" ]; then fi # Validate second argument (host) -if [ "$2" != "falk1" ] && [ "$2" != "nbg1" ] && [ "$2" != "staging" ] && [ "$2" != "masters" ]; then - echo "Error: Second argument must be either 'falk1', 'nbg1', 'staging', or 'masters'" - echo "Usage: $0 [prod|staging] [falk1|nbg1|staging|masters] [version_tag] [subdomain]" +if [ "$2" != "falk1" ] && [ "$2" != "falk2" ] && [ "$2" != "nbg1" ] && [ "$2" != "staging" ] && [ "$2" != "masters" ]; then + echo "Error: Second argument must be either 'falk1', 'falk2', 'nbg1', 'staging', or 'masters'" + echo "Usage: $0 [prod|staging] [falk1|falk2|nbg1|staging|masters] [version_tag] [subdomain]" exit 1 fi @@ -75,6 +75,9 @@ elif [ "$HOST" == "nbg1" ]; then elif [ "$HOST" == "masters" ]; then print_header "DEPLOYING TO MASTERS HOST" SERVER_HOST=$SERVER_HOST_MASTERS +elif [ "$HOST" == "falk2" ]; then + print_header "DEPLOYING TO FALK2 HOST" + SERVER_HOST=$SERVER_HOST_FALK2 else print_header "DEPLOYING TO FALK1 HOST" SERVER_HOST=$SERVER_HOST_FALK1 diff --git a/setup.sh b/setup.sh index f47776de2..316f5c72f 100644 --- a/setup.sh +++ b/setup.sh 
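Review bot: The allowed-host list is now spelled out three times in this hunk (the test, the error text, the usage line), so the next host addition has to touch all three and they will drift. A `case` keeps one list and reads better than the growing `[ ] && [ ]` chain: `case "$2" in falk1|falk2|nbg1|staging|masters) ;; *) echo "Error: Second argument must be either 'falk1', 'falk2', 'nbg1', 'staging', or 'masters'" >&2; exit 1 ;; esac`, with the usage line following it. Sending the error and usage text to stderr (`>&2`) would also keep them out of anything that captures stdout from this script. The preceding `if` on `$1` closes at the `fi` shown as context and is otherwise outside the hunk.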
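Review bot: The new `falk2` branch assigns `SERVER_HOST=$SERVER_HOST_FALK2` without confirming the variable is set, so a machine whose environment lacks the new entry (where the `SERVER_HOST_*` values are loaded from is not visible in this diff) proceeds with an empty target and fails, or lands somewhere unintended, only when the remote command runs. Use the assert form so selection itself fails: `SERVER_HOST="${SERVER_HOST_FALK2:?SERVER_HOST_FALK2 is not set}"`; the existing siblings would benefit from the same. The `elif` chain this branch joins starts before the hunk, and its `else` fallback to FALK1 remains the catch-all.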
@@ -7,10 +7,31 @@ echo "=====================================================" echo "🚀 STARTING SERVER SETUP" echo "=====================================================" +# Load environment variables from .env.setup if present +ENV_FILE="$(dirname "$0")/.env.setup" +if [ -f "$ENV_FILE" ]; then + echo "📂 Loading environment from $ENV_FILE" + set -a + # shellcheck source=/dev/null + source "$ENV_FILE" + set +a +else + echo "â„šī¸ No .env.setup file found, using environment variables" +fi + # Verify required environment variables if [ -z "$OTEL_EXPORTER_OTLP_ENDPOINT" ] || [ -z "$OTEL_AUTH_HEADER" ]; then echo "❌ ERROR: Required environment variables are not set!" - echo "Please set OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_AUTH_HEADER" + echo "Please set OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_AUTH_HEADER in .env.setup or the environment" + exit 1 +fi + +# CF_ORIGIN_CERT and CF_ORIGIN_KEY: Cloudflare Origin Certificate and private key. +# Generate at: Cloudflare dashboard → SSL/TLS → Origin Server → Create Certificate +if [ -z "$CF_ORIGIN_CERT" ] || [ -z "$CF_ORIGIN_KEY" ]; then + echo "❌ ERROR: CF_ORIGIN_CERT and CF_ORIGIN_KEY are not set!" + echo "Generate an origin certificate at: Cloudflare → SSL/TLS → Origin Server → Create Certificate" + echo "Then add CF_ORIGIN_CERT and CF_ORIGIN_KEY to .env.setup" exit 1 fi @@ -94,7 +115,13 @@ else fi TRAEFIK_CONFIG_DIR="/home/openfront/traefik" -mkdir -p "$TRAEFIK_CONFIG_DIR" +TRAEFIK_CERTS_DIR="$TRAEFIK_CONFIG_DIR/certs" +mkdir -p "$TRAEFIK_CERTS_DIR" + +# Write Cloudflare origin certificate and key (passed as env vars) +echo "$CF_ORIGIN_CERT" > "$TRAEFIK_CERTS_DIR/origin.crt" +echo "$CF_ORIGIN_KEY" > "$TRAEFIK_CERTS_DIR/origin.key" +chmod 600 "$TRAEFIK_CERTS_DIR/origin.crt" "$TRAEFIK_CERTS_DIR/origin.key" # No [api] block — dashboard is disabled for production. # To access it for debugging, SSH tunnel: ssh -L 8080:localhost:8080 user@server 
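Review bot: `set -a` around `source "$ENV_FILE"` exports everything in .env.setup, including `CF_ORIGIN_KEY`, into the environment of every process the script launches afterwards, where it is readable from `/proc/<pid>/environ` by anything running as the same user and is carried into any child that logs or dumps its environment; the key itself does not need exporting, since a later hunk only reads `$CF_ORIGIN_KEY` from the shell to write it to disk. Nothing inspects the file before it is sourced either, and `source` executes it as shell, so a writable or group/world-readable .env.setup beside the script is both a secret leak and a code-execution path into the account running setup. Drop `set -a`/`set +a` and export only the variables the later heredocs actually require (which ones, if any, is not visible here), and refuse a loosely-permissioned file up front: `[ "$(stat -c %a "$ENV_FILE")" = 600 ] || { echo "❌ $ENV_FILE must be mode 600" >&2; exit 1; }`. The info-emoji in the no-file message renders as `â„šī¸`, which looks like a mis-encoded ℹ️ in the source rather than a display artifact, since the other emoji in the same hunk survive intact.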
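Review bot: `echo "$CF_ORIGIN_KEY" > "$TRAEFIK_CERTS_DIR/origin.key"` creates the file under the caller's umask (typically 022, i.e. world-readable) and only the subsequent `chmod 600` tightens it, so the private key is briefly readable by every local account between the two lines. Write it under a restrictive umask so it is never created open, and use `printf` rather than `echo` for opaque data: `( umask 077; printf '%s\n' "$CF_ORIGIN_CERT" > "$TRAEFIK_CERTS_DIR/origin.crt"; printf '%s\n' "$CF_ORIGIN_KEY" > "$TRAEFIK_CERTS_DIR/origin.key" )`, keeping the `chmod 600` as belt-and-braces for re-runs. A cheap format check, e.g. `grep -q -- '-----BEGIN' "$TRAEFIK_CERTS_DIR/origin.key" || { echo "❌ CF_ORIGIN_KEY is not PEM" >&2; exit 1; }`, would catch a key pasted into .env.setup with literal `\n` sequences instead of real newlines here rather than as a Traefik start failure later; whether .env.setup preserves multi-line values is not visible in this diff.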
@@ -105,6 +132,8 @@ cat > "$TRAEFIK_CONFIG_DIR/traefik.toml" << 'EOF' [entryPoints] [entryPoints.web] address = ":80" + [entryPoints.websecure] + address = ":443" [providers] [providers.docker] @@ -112,6 +141,20 @@ cat > "$TRAEFIK_CONFIG_DIR/traefik.toml" << 'EOF' exposedByDefault = false # Only route containers with traefik.enable=true network = "web" watch = true + [providers.file] + filename = "/etc/traefik/tls.toml" + watch = true +EOF + +# Static TLS configuration referencing the Cloudflare origin cert +cat > "$TRAEFIK_CONFIG_DIR/tls.toml" << 'EOF' +[[tls.certificates]] + certFile = "/certs/origin.crt" + keyFile = "/certs/origin.key" + +[tls.options] + [tls.options.default] + minVersion = "VersionTLS12" EOF cat > "$TRAEFIK_CONFIG_DIR/compose.yaml" << 'EOF' @@ -122,14 +165,17 @@ networks: services: traefik: - image: traefik:v3.4 + image: traefik:v3.6 container_name: traefik restart: unless-stopped ports: - "80:80" + - "443:443" volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - /home/openfront/traefik/traefik.toml:/etc/traefik/traefik.toml:ro + - /home/openfront/traefik/tls.toml:/etc/traefik/tls.toml:ro + - /home/openfront/traefik/certs:/certs:ro networks: - web EOF @@ -240,7 +286,7 @@ echo "🎉 SETUP COMPLETE!" echo "=====================================================" echo "The openfront user has been set up and has Docker permissions." echo "UDP buffer sizes have been configured for optimal QUIC/WebSocket performance." -echo "Traefik reverse proxy is running (HTTP :80)." +echo "Traefik reverse proxy is running (HTTP :80, HTTPS :443 with Cloudflare origin cert)." echo "Node Exporter is collecting system metrics." echo "OpenTelemetry Collector is forwarding metrics to your endpoint." echo "" diff --git a/update.sh b/update.sh index 89e056f1e..6d16ed9aa 100755 --- a/update.sh +++ b/update.sh 
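Review bot: The new `websecure` entrypoint has no companion redirect on `web`, and the update.sh hunk in this same diff moves the app router to `websecure` only, so a plain-HTTP request that reaches the origin on :80 now falls through to Traefik's 404 instead of being upgraded. Either redirect at the entrypoint — under `[entryPoints.web]` add `[entryPoints.web.http.redirections.entryPoint]`, `to = "websecure"`, `scheme = "https"` — or, if :80 is meant to stay unused behind Cloudflare, stop publishing it in compose.yaml; leaving it listening with nothing routed is the worst of both. The `cat > "$TRAEFIK_CONFIG_DIR/traefik.toml" << 'EOF'` heredoc this sits in starts before the hunk.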
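Review bot: The Cloudflare origin certificate authenticates this server to Cloudflare, but nothing in tls.toml authenticates the other direction, so anyone who learns the origin IP can connect to :443 directly and bypass Cloudflare's WAF and rate limiting (`curl -k` simply ignores the Cloudflare-only trust of the origin cert). If Cloudflare is meant to be the only client — the diff implies it but does not state it — enable Authenticated Origin Pulls by adding under `[tls.options.default]`: `[tls.options.default.clientAuth]`, `caFiles = ["/certs/origin-pull-ca.pem"]`, `clientAuthType = "RequireAndVerifyClientCert"`, and write Cloudflare's origin-pull CA into the certs directory next to origin.crt; restricting :443 at the host firewall to Cloudflare's published ranges is the alternative. `minVersion = "VersionTLS12"` is fine; `sniStrict = true` in the same options table would additionally stop the origin cert being handed to non-SNI scanners.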
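Review bot: `image: traefik:v3.6` is still a floating minor tag, so each host pulls whichever 3.6.x patch is current when setup runs, and two hosts set up a week apart can run different binaries of the component that terminates TLS and holds the Docker socket. Pin the exact patch release this change was tested against, or better its digest, in the form `image: traefik:v3.6.<patch>@sha256:<digest>`, and bump it deliberately. Unrelated to the bump but worth saying while this file is open: `:ro` on the docker.sock bind mount limits nothing, since API calls over a Unix socket are not filesystem writes, so Traefik retains full control of the daemon.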
@@ -73,7 +73,8 @@ docker run -d \ --network web \ --label "traefik.enable=true" \ --label "traefik.http.routers.${CONTAINER_NAME}.rule=Host(\`${SUBDOMAIN}.${DOMAIN}\`)" \ - --label "traefik.http.routers.${CONTAINER_NAME}.entrypoints=web" \ + --label "traefik.http.routers.${CONTAINER_NAME}.entrypoints=websecure" \ + --label "traefik.http.routers.${CONTAINER_NAME}.tls=true" \ --label "traefik.http.services.${CONTAINER_NAME}.loadbalancer.server.port=80" \ "${GHCR_IMAGE}"
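Review bot: With the router now on `entrypoints=websecure` only, a request for this host arriving on Traefik's :80 matches no router and returns 404; unless traefik.toml gains a redirect on the `web` entrypoint (the setup.sh hunk in this diff adds :443 but no redirect), keep both during cutover — `--label "traefik.http.routers.${CONTAINER_NAME}.entrypoints=web,websecure"` — or add the redirect there. The rule `Host(\`${SUBDOMAIN}.${DOMAIN}\`)` is built by interpolation and `SUBDOMAIN` presumably originates from the `[subdomain]` command-line argument in deploy.sh's usage line, so a value containing a backtick or `)` alters the rule; a DNS-label check before the `docker run`, `[[ "$SUBDOMAIN" =~ ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$ ]] || { echo "bad subdomain" >&2; exit 1; }`, is cheap insurance, pre-existing though the gap is. The `docker run -d \` command these labels belong to starts before the hunk and ends with the image on the last line shown.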