feat: add phase 8.5 Nginx to Caddy migration wrapper and enhance post-check script for direct access handling
This commit is contained in:
S
@@ -16,7 +16,7 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
source "${SCRIPT_DIR}/lib/common.sh"
|
||||
|
||||
load_env
|
||||
require_vars GITEA_DOMAIN GITEA_ADMIN_TOKEN GITEA_ORG_NAME \
|
||||
require_vars GITEA_DOMAIN UNRAID_CADDY_IP GITEA_ADMIN_TOKEN GITEA_ORG_NAME \
|
||||
GITHUB_USERNAME GITHUB_TOKEN \
|
||||
REPO_NAMES
|
||||
|
||||
@@ -37,16 +37,44 @@ run_check() {
|
||||
fi
|
||||
}
|
||||
|
||||
ACCESS_MODE="public"
|
||||
if ! curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version" 2>/dev/null; then
|
||||
ACCESS_MODE="direct"
|
||||
log_warn "Public routing to ${GITEA_DOMAIN} not reachable from control plane"
|
||||
log_warn "Using direct Caddy-IP checks via --resolve (${UNRAID_CADDY_IP})"
|
||||
else
|
||||
log_info "Using public-domain checks for ${GITEA_DOMAIN}"
|
||||
fi
|
||||
|
||||
curl_https() {
|
||||
if [[ "$ACCESS_MODE" == "direct" ]]; then
|
||||
curl -sk --resolve "${GITEA_DOMAIN}:443:${UNRAID_CADDY_IP}" "$@"
|
||||
else
|
||||
curl -s "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
curl_http() {
|
||||
if [[ "$ACCESS_MODE" == "direct" ]]; then
|
||||
curl -s --resolve "${GITEA_DOMAIN}:80:${UNRAID_CADDY_IP}" "$@"
|
||||
else
|
||||
curl -s "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Check 1: HTTPS works
|
||||
run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" \
|
||||
curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version"
|
||||
# shellcheck disable=SC2329
|
||||
check_https_version() {
|
||||
curl_https -f -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version"
|
||||
}
|
||||
run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" check_https_version
|
||||
|
||||
# Check 2: HTTP redirects to HTTPS (returns 301)
|
||||
# shellcheck disable=SC2329
|
||||
check_redirect() {
|
||||
local http_code
|
||||
http_code=$(curl -sI -o /dev/null -w "%{http_code}" "http://${GITEA_DOMAIN}/")
|
||||
[[ "$http_code" == "301" ]]
|
||||
http_code=$(curl_http -I -o /dev/null -w "%{http_code}" "http://${GITEA_DOMAIN}/")
|
||||
[[ "$http_code" == "301" || "$http_code" == "308" ]]
|
||||
}
|
||||
run_check "HTTP → HTTPS redirect (301)" check_redirect
|
||||
|
||||
@@ -54,17 +82,29 @@ run_check "HTTP → HTTPS redirect (301)" check_redirect
|
||||
# shellcheck disable=SC2329
|
||||
check_ssl_cert() {
|
||||
# Verify openssl can connect and the cert is issued by a recognized CA
|
||||
local connect_target
|
||||
if [[ "$ACCESS_MODE" == "direct" ]]; then
|
||||
connect_target="${UNRAID_CADDY_IP}:443"
|
||||
else
|
||||
connect_target="${GITEA_DOMAIN}:443"
|
||||
fi
|
||||
local issuer
|
||||
issuer=$(echo | openssl s_client -connect "${GITEA_DOMAIN}:443" -servername "${GITEA_DOMAIN}" 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || echo "")
|
||||
issuer=$(echo | openssl s_client -connect "${connect_target}" -servername "${GITEA_DOMAIN}" 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || echo "")
|
||||
# Check that the issuer is not empty (meaning cert is valid)
|
||||
[[ -n "$issuer" ]]
|
||||
}
|
||||
run_check "SSL certificate is valid" check_ssl_cert
|
||||
|
||||
# Check 4: All repos accessible via HTTPS
|
||||
# shellcheck disable=SC2329
|
||||
check_repo_access() {
|
||||
local repo="$1"
|
||||
curl_https -f -o /dev/null -H "Authorization: token ${GITEA_ADMIN_TOKEN}" \
|
||||
"https://${GITEA_DOMAIN}/api/v1/repos/${GITEA_ORG_NAME}/${repo}"
|
||||
}
|
||||
for repo in "${REPOS[@]}"; do
|
||||
run_check "Repo ${repo} accessible at https://${GITEA_DOMAIN}/${GITEA_ORG_NAME}/${repo}" \
|
||||
curl -sf -o /dev/null -H "Authorization: token ${GITEA_ADMIN_TOKEN}" "https://${GITEA_DOMAIN}/api/v1/repos/${GITEA_ORG_NAME}/${repo}"
|
||||
check_repo_access "$repo"
|
||||
done
|
||||
|
||||
# Check 5: GitHub repos are marked as offsite backup
|
||||
|
||||
Reference in New Issue
Block a user