feat: add phases 10-11, enhance phase 8 direct-check mode, and update Caddy migration
- Phase 10: local repo cutover (rename origin→github, add Gitea remote, push branches/tags) - Phase 11: custom runner infrastructure with toolchain-based naming (go-node-runner, jvm-android-runner) and repo variables via Gitea API - Add container_options support to manage_runner.sh for KVM passthrough - Phase 8: add --allow-direct-checks flag for LAN/split-DNS staging - Phase 7.5: add Cloudflare TLS block, retry logic for probes, multi-upstream support - Add toggle_dns.sh helper and update orchestration scripts for phases 10-11 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
S
@@ -16,6 +16,31 @@ set -euo pipefail
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
source "${SCRIPT_DIR}/lib/common.sh"
|
||||
|
||||
ALLOW_DIRECT_CHECKS=false
|
||||
|
||||
usage() {
|
||||
cat <<EOF
|
||||
Usage: $(basename "$0") [options]
|
||||
|
||||
Options:
|
||||
--allow-direct-checks Allow fallback to direct Caddy-IP checks via --resolve
|
||||
(LAN/split-DNS staging mode; not a full public cutover)
|
||||
--help, -h Show this help
|
||||
EOF
|
||||
}
|
||||
|
||||
for arg in "$@"; do
|
||||
case "$arg" in
|
||||
--allow-direct-checks) ALLOW_DIRECT_CHECKS=true ;;
|
||||
--help|-h) usage; exit 0 ;;
|
||||
*)
|
||||
log_error "Unknown argument: $arg"
|
||||
usage
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
load_env
|
||||
require_vars UNRAID_IP UNRAID_SSH_USER UNRAID_GITEA_IP UNRAID_CADDY_IP \
|
||||
UNRAID_COMPOSE_DIR \
|
||||
@@ -236,6 +261,16 @@ caddyfile_has_domain_block() {
|
||||
sub(/[[:space:]]+$/, "", s)
|
||||
return s
|
||||
}
|
||||
function matches_domain(label, dom, wild_suffix, dot_pos) {
|
||||
if (label == dom) return 1
|
||||
# Wildcard match: *.example.com covers sub.example.com
|
||||
if (substr(label, 1, 2) == "*.") {
|
||||
wild_suffix = substr(label, 2)
|
||||
dot_pos = index(dom, ".")
|
||||
if (dot_pos > 0 && substr(dom, dot_pos) == wild_suffix) return 1
|
||||
}
|
||||
return 0
|
||||
}
|
||||
{
|
||||
line = $0
|
||||
if (line ~ /^[[:space:]]*#/) next
|
||||
@@ -248,7 +283,7 @@ caddyfile_has_domain_block() {
|
||||
gsub(/[[:space:]]+/, "", labels)
|
||||
n = split(labels, parts, ",")
|
||||
for (i = 1; i <= n; i++) {
|
||||
if (parts[i] == domain) {
|
||||
if (matches_domain(parts[i], domain)) {
|
||||
found = 1
|
||||
}
|
||||
}
|
||||
@@ -363,7 +398,6 @@ fi
|
||||
log_step 2 "Deploying Caddyfile..."
|
||||
GITEA_CONTAINER_IP="${UNRAID_GITEA_IP}"
|
||||
export GITEA_CONTAINER_IP GITEA_DOMAIN CADDY_DOMAIN
|
||||
CADDYFILE_UPDATED=0
|
||||
|
||||
# Build TLS block based on TLS_MODE
|
||||
if [[ "$TLS_MODE" == "cloudflare" ]]; then
|
||||
@@ -404,7 +438,6 @@ if ssh_exec UNRAID "test -f '${CADDY_DATA_PATH}/Caddyfile'" 2>/dev/null; then
|
||||
cat "$TMP_UPDATED" "$TMP_ROUTE_BLOCK" > "${TMP_UPDATED}.final"
|
||||
scp_to UNRAID "${TMP_UPDATED}.final" "${CADDY_DATA_PATH}/Caddyfile"
|
||||
log_success "Appended managed Gitea route to existing Caddyfile"
|
||||
CADDYFILE_UPDATED=1
|
||||
fi
|
||||
|
||||
rm -f "$TMP_EXISTING" "$TMP_UPDATED" "$TMP_ROUTE_BLOCK" "${TMP_UPDATED}.final"
|
||||
@@ -416,7 +449,6 @@ else
|
||||
scp_to UNRAID "$TMPFILE" "${CADDY_DATA_PATH}/Caddyfile"
|
||||
rm -f "$TMPFILE"
|
||||
log_success "Caddyfile deployed"
|
||||
CADDYFILE_UPDATED=1
|
||||
fi
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
@@ -505,12 +537,18 @@ fi
|
||||
# ---------------------------------------------------------------------------
|
||||
log_step 6 "Waiting for HTTPS (Caddy auto-provisions cert)..."
|
||||
check_unraid_gitea_backend
|
||||
if wait_for_https_public "${GITEA_DOMAIN}" 30; then
|
||||
if wait_for_https_public "${GITEA_DOMAIN}" 60; then
|
||||
log_success "HTTPS verified through current domain routing — https://${GITEA_DOMAIN} works"
|
||||
else
|
||||
log_warn "Public-domain routing to Caddy is not ready yet"
|
||||
wait_for_https_via_resolve "${GITEA_DOMAIN}" "${UNRAID_CADDY_IP}" 300
|
||||
log_success "HTTPS verified via direct Caddy path; public routing can be completed later"
|
||||
if [[ "$ALLOW_DIRECT_CHECKS" == "true" ]]; then
|
||||
wait_for_https_via_resolve "${GITEA_DOMAIN}" "${UNRAID_CADDY_IP}" 300
|
||||
log_warn "Proceeding with direct-only HTTPS validation (--allow-direct-checks)"
|
||||
else
|
||||
log_error "Refusing to continue cutover without public HTTPS reachability"
|
||||
log_error "Fix DNS/ingress routing and rerun Phase 8, or use --allow-direct-checks for staging only"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user