Compare commits
12 Commits
ac367a148a
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| f42200dc42 | |||
| bfb7c80202 | |||
| c5517ebe05 | |||
| f986f39ff1 | |||
| 7655afa419 | |||
| 079899425a | |||
| cef90d34f8 | |||
| 53eec2deb4 | |||
| c98604352c | |||
| a801d596e3 | |||
| 68053c8ff0 | |||
| 83a12f0423 |
156
deploy.sh
156
deploy.sh
@@ -1,156 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# ==============================================================================
|
||||
# NGINX CONFIG & SSL DEPLOYMENT SCRIPT (v10)
|
||||
#
|
||||
# This script handles the "chicken-and-egg" problem of deploying a new site
|
||||
# with SSL. It first deploys a temporary HTTP-only version of the site by
|
||||
# commenting out the ENTIRE SSL server block, runs Certbot to acquire the
|
||||
# certificate (which then automatically re-enables HTTPS), and reloads Nginx.
|
||||
#
|
||||
# INSTRUCTIONS:
|
||||
# 1. Ensure Certbot is installed on the remote server.
|
||||
# (e.g., `sudo apt install certbot python3-certbot-nginx`)
|
||||
# 2. Make the script executable: chmod +x <script_name>.sh
|
||||
# 3. Run the script: ./<script_name>.sh
|
||||
# ==============================================================================
|
||||
|
||||
# --- Configuration ---
|
||||
REMOTE_USER="ubuntu" # The user you SSH in with (e.g., ubuntu, ec2-user)
|
||||
REMOTE_HOST="3.9.182.122" # The IP address or domain of your server
|
||||
CERTBOT_EMAIL="azeem.fidahusein@gmail.com" # Email for Let's Encrypt account
|
||||
|
||||
# --- File & Path Definitions ---
|
||||
KEY_FILE="~/repos/azeem-macbookair.pem"
|
||||
SOURCE_NGINX_CONF="nginx.conf"
|
||||
SOURCE_SITES_DIR="sites-available"
|
||||
|
||||
# Destination paths on the remote server
|
||||
DEST_NGINX_PATH="/etc/nginx/"
|
||||
DEST_SITES_PATH="/etc/nginx/sites-available/"
|
||||
|
||||
# Temporary directory on the remote server
|
||||
REMOTE_TEMP_DIR="nginx_deploy_temp"
|
||||
|
||||
# --- Script Logic ---
|
||||
|
||||
echo "🚀 Starting NGINX & SSL deployment to $REMOTE_HOST..."
|
||||
echo "--------------------------------------------------------"
|
||||
|
||||
# Expand the tilde (~) in the key file path to an absolute path.
|
||||
EVAL_KEY_FILE=$(eval echo "$KEY_FILE")
|
||||
|
||||
# --- Pre-flight Checks ---
|
||||
if [ ! -f "$EVAL_KEY_FILE" ]; then
|
||||
echo "❌ ERROR: SSH key not found at $EVAL_KEY_FILE"
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -f "$SOURCE_NGINX_CONF" ]; then
|
||||
echo "❌ ERROR: Source file '$SOURCE_NGINX_CONF' not found."
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -d "$SOURCE_SITES_DIR" ]; then
|
||||
echo "❌ ERROR: Source directory '$SOURCE_SITES_DIR' not found."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# --- Local Operations ---
|
||||
CONFIG_FILES=$(ls "$SOURCE_SITES_DIR" | tr '\n' ' ')
|
||||
echo "-> Found site config files to process: $CONFIG_FILES"
|
||||
|
||||
echo "-> Scanning local 'sites-available' for unique domain names..."
|
||||
ALL_DOMAINS=$(grep -h -r "server_name" "$SOURCE_SITES_DIR" | sed 's/.*server_name\s*//' | sed 's/;//' | xargs -n1 | sort -u | tr '\n' ' ' | sed 's/ *$//')
|
||||
|
||||
if [ -z "$ALL_DOMAINS" ]; then
|
||||
echo "⚠️ WARNING: No domains found. Skipping Certbot step later."
|
||||
else
|
||||
echo " ✅ Found domains: $ALL_DOMAINS"
|
||||
fi
|
||||
echo
|
||||
|
||||
# --- Remote Operations ---
|
||||
|
||||
# Step 1: Transfer files to a temporary directory
|
||||
echo "-> Creating temporary directory and transferring files..."
|
||||
ssh -i "$EVAL_KEY_FILE" "${REMOTE_USER}@${REMOTE_HOST}" "mkdir -p $REMOTE_TEMP_DIR"
|
||||
scp -i "$EVAL_KEY_FILE" -r "$SOURCE_NGINX_CONF" "$SOURCE_SITES_DIR" "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_TEMP_DIR}/"
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "❌ ERROR: File transfer failed. Aborting."
|
||||
exit 1
|
||||
fi
|
||||
echo " ✅ All files successfully transferred to temporary location."
|
||||
echo
|
||||
|
||||
# Step 2: Move files, TEMPORARILY disable SSL blocks, enable sites, and reload Nginx
|
||||
echo "- Moving files and enabling HTTP-only sites for Certbot validation..."
|
||||
ssh -i "$EVAL_KEY_FILE" "${REMOTE_USER}@${REMOTE_HOST}" << EOF
|
||||
# Move the main config file and site configs
|
||||
sudo mv "$REMOTE_TEMP_DIR/nginx.conf" "${DEST_NGINX_PATH}nginx.conf"
|
||||
sudo mv "$REMOTE_TEMP_DIR/sites-available/"* "$DEST_SITES_PATH"
|
||||
|
||||
# --- NEW: Temporarily disable the entire SSL server block ---
|
||||
echo " -> Temporarily commenting out SSL server blocks in configs..."
|
||||
for CONFIG_FILE in $CONFIG_FILES
|
||||
do
|
||||
# Use awk to comment out the entire server block containing 'listen 443'
|
||||
sudo awk '/server\s*{/{f=1} f && /listen\s+443/{p=1} f{b=b\$0"\\n"} /\s*}/ && f{f=0; if(!p){printf "%s", b} p=0; b=""}' "$DEST_SITES_PATH\$CONFIG_FILE" > "\$CONFIG_FILE.tmp" && sudo mv "\$CONFIG_FILE.tmp" "$DEST_SITES_PATH\$CONFIG_FILE"
|
||||
done
|
||||
# --- END NEW ---
|
||||
|
||||
# Enable sites by creating symbolic links
|
||||
echo " -> Checking and creating symbolic links in sites-enabled..."
|
||||
for CONFIG_FILE in $CONFIG_FILES
|
||||
do
|
||||
SOURCE_FILE="/etc/nginx/sites-available/\$CONFIG_FILE"
|
||||
LINK_FILE="/etc/nginx/sites-enabled/\$CONFIG_FILE"
|
||||
if [ ! -L "\$LINK_FILE" ]; then
|
||||
if [ -f "\$SOURCE_FILE" ]; then
|
||||
echo " -> Creating link for \$CONFIG_FILE..."
|
||||
sudo ln -s "\$SOURCE_FILE" "\$LINK_FILE"
|
||||
fi
|
||||
else
|
||||
echo " -> Link for \$CONFIG_FILE already exists."
|
||||
fi
|
||||
done
|
||||
|
||||
echo " -> Verifying and reloading Nginx for initial validation..."
|
||||
sudo nginx -t && sudo systemctl reload nginx
|
||||
EOF
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "⚠️ WARNING: An error occurred on the remote server during initial setup."
|
||||
echo "This might happen if your base HTTP config is invalid. Please check manually."
|
||||
exit 1
|
||||
fi
|
||||
echo " ✅ Initial Nginx config loaded successfully."
|
||||
echo
|
||||
|
||||
# Step 3: Run Certbot to acquire certificates and update configs to HTTPS
|
||||
if [ -n "$ALL_DOMAINS" ]; then
|
||||
read -p "Run Certbot for the discovered domains? (y/n) " -n 1 -r
|
||||
echo
|
||||
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
||||
CERTBOT_DOMAINS=$(echo "$ALL_DOMAINS" | sed 's/ / -d /g' | sed 's/^/-d /')
|
||||
|
||||
echo "- Running Certbot to acquire certificates and enable SSL..."
|
||||
echo " Certbot will now automatically update your Nginx configs for HTTPS."
|
||||
|
||||
ssh -t -i "$EVAL_KEY_FILE" "${REMOTE_USER}@${REMOTE_HOST}" \
|
||||
"sudo certbot --nginx --non-interactive --agree-tos --email $CERTBOT_EMAIL --redirect --expand $CERTBOT_DOMAINS"
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
echo " ✅ Certbot process completed successfully."
|
||||
else
|
||||
echo "⚠️ WARNING: Certbot process finished with errors. Please check the logs on the server."
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo "-> Skipping Certbot step as no domains were found."
|
||||
fi
|
||||
|
||||
# Final cleanup
|
||||
ssh -i "$EVAL_KEY_FILE" "${REMOTE_USER}@${REMOTE_HOST}" "rm -rf $REMOTE_TEMP_DIR"
|
||||
|
||||
# --- Completion ---
|
||||
echo "--------------------------------------------------------"
|
||||
echo "🎉 Deployment complete!"
|
||||
15
http_archive/homarr-http
Normal file
15
http_archive/homarr-http
Normal file
@@ -0,0 +1,15 @@
|
||||
# HTTP-only NGINX config for home.aaf.systems (no SSL)
|
||||
server {
|
||||
listen 80;
|
||||
server_name home.aaf.systems;
|
||||
|
||||
location / {
|
||||
proxy_pass http://100.93.165.98:7575;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
}
|
||||
@@ -1,18 +1,19 @@
|
||||
# Block 1: Redirects all HTTP traffic to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
server_name notes.aaf.systems;
|
||||
# Redirect all HTTP traffic to HTTPS
|
||||
|
||||
# This redirect is managed by Certbot's --redirect flag,
|
||||
# but we include it for completeness.
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Block 2: Handles the secure HTTPS traffic
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name notes.aaf.systems;
|
||||
|
||||
# SSL Certificates (managed by Certbot)
|
||||
ssl_certificate /etc/letsencrypt/live/notes.aaf.systems/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/notes.aaf.systems/privkey.pem;
|
||||
|
||||
# --- This is the location block that was missing ---
|
||||
location / {
|
||||
proxy_pass http://100.93.165.98:3010;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
@@ -22,4 +23,11 @@ server {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
# --- End of location block ---
|
||||
|
||||
# SSL settings managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/git.aaf.systems/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/git.aaf.systems/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
28
sites-available/exp
Normal file
28
sites-available/exp
Normal file
@@ -0,0 +1,28 @@
|
||||
# Block 1: Redirects all HTTP traffic to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
server_name exp.aaf.systems;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Block 2: Handles the secure HTTPS traffic
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name exp.aaf.systems;
|
||||
|
||||
location / {
|
||||
proxy_pass http://100.93.165.98:8080;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
# SSL settings managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/exp.aaf.systems/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/exp.aaf.systems/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
}
|
||||
@@ -1,19 +1,17 @@
|
||||
# Block 1: Redirects all HTTP traffic to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
server_name git.aaf.systems;
|
||||
# Redirect all HTTP traffic to HTTPS
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Block 2: Handles the secure HTTPS traffic
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name git.aaf.systems;
|
||||
|
||||
# SSL Certificates (managed by Certbot)
|
||||
ssl_certificate /etc/letsencrypt/live/git.aaf.systems/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/git.aaf.systems/privkey.pem;
|
||||
|
||||
location / {
|
||||
# IMPORTANT: Replace with the correct Tailscale IP for your Gitea server
|
||||
proxy_pass http://100.93.165.98:3000;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@@ -22,4 +20,10 @@ server {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
# SSL settings managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/git.aaf.systems/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/git.aaf.systems/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
}
|
||||
28
sites-available/homarr
Normal file
28
sites-available/homarr
Normal file
@@ -0,0 +1,28 @@
|
||||
# Block 1: Redirects all HTTP traffic to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
server_name home.aaf.systems;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Block 2: Handles the secure HTTPS traffic
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name home.aaf.systems;
|
||||
|
||||
location / {
|
||||
proxy_pass http://100.93.165.98:7575;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
# SSL settings managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/home.aaf.systems/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/home.aaf.systems/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
}
|
||||
28
sites-available/koel
Normal file
28
sites-available/koel
Normal file
@@ -0,0 +1,28 @@
|
||||
# Block 1: Redirects all HTTP traffic to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
server_name music.aaf.systems;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Block 2: Handles the secure HTTPS traffic
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name music.aaf.systems;
|
||||
|
||||
location / {
|
||||
proxy_pass http://100.93.165.98:4075;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
# SSL settings managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/music.aaf.systems/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/music.aaf.systems/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
}
|
||||
28
sites-available/plane
Normal file
28
sites-available/plane
Normal file
@@ -0,0 +1,28 @@
|
||||
# Block 1: Redirects all HTTP traffic to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
server_name projects.aaf.systems;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Block 2: Handles the secure HTTPS traffic
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name projects.aaf.systems;
|
||||
|
||||
location / {
|
||||
proxy_pass http://100.93.165.98:3050;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
# SSL settings managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/projects.aaf.systems/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/projects.aaf.systems/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
}
|
||||
28
sites-available/vert
Normal file
28
sites-available/vert
Normal file
@@ -0,0 +1,28 @@
|
||||
# Block 1: Redirects all HTTP traffic to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
server_name convert.aaf.systems;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Block 2: Handles the secure HTTPS traffic
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name convert.aaf.systems;
|
||||
|
||||
location / {
|
||||
proxy_pass http://100.93.165.98:3090;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
# SSL settings managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/convert.aaf.systems/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/convert.aaf.systems/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
}
|
||||
Reference in New Issue
Block a user