feat: add phases 10-11, enhance phase 8 direct-check mode, and update Caddy migration

- Phase 10: local repo cutover (rename origin→github, add Gitea remote, push branches/tags) - Phase 11: custom runner infrastructure with toolchain-based naming (go-node-runner, jvm-android-runner) and repo variables via Gitea API - Add container_options support to manage_runner.sh for KVM passthrough - Phase 8: add --allow-direct-checks flag for LAN/split-DNS staging - Phase 7.5: add Cloudflare TLS block, retry logic for probes, multi-upstream support - Add toggle_dns.sh helper and update orchestration scripts for phases 10-11 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 14:14:11 -06:00
parent 63f5bf6ea7
commit b799cb7970
19 changed files with 1931 additions and 55 deletions
--- a/phase8_post_check.sh
+++ b/phase8_post_check.sh
@@ -15,6 +15,31 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 source "${SCRIPT_DIR}/lib/common.sh"

+ALLOW_DIRECT_CHECKS=false
+
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") [options]
+
+Options:
+  --allow-direct-checks   Allow fallback to direct Caddy-IP checks via --resolve
+                          (LAN/split-DNS staging mode; not a full public cutover check)
+  --help, -h              Show this help
+EOF
+}
+
+for arg in "$@"; do
+  case "$arg" in
+    --allow-direct-checks) ALLOW_DIRECT_CHECKS=true ;;
+    --help|-h) usage; exit 0 ;;
+    *)
+      log_error "Unknown argument: $arg"
+      usage
+      exit 1
+      ;;
+  esac
+done
+
 load_env
 require_vars GITEA_DOMAIN UNRAID_CADDY_IP GITEA_ADMIN_TOKEN GITEA_ORG_NAME \
             GITHUB_USERNAME GITHUB_TOKEN \
@@ -39,9 +64,15 @@ run_check() {

 ACCESS_MODE="public"
 if ! curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version" 2>/dev/null; then
-  ACCESS_MODE="direct"
  log_warn "Public routing to ${GITEA_DOMAIN} not reachable from control plane"
-  log_warn "Using direct Caddy-IP checks via --resolve (${UNRAID_CADDY_IP})"
+  if [[ "$ALLOW_DIRECT_CHECKS" == "true" ]]; then
+    ACCESS_MODE="direct"
+    log_warn "Using direct Caddy-IP checks via --resolve (${UNRAID_CADDY_IP})"
+  else
+    log_error "Public HTTPS check failed; this is not a complete Phase 8 validation"
+    log_error "Fix DNS/ingress routing and rerun, or use --allow-direct-checks for staging-only checks"
+    exit 1
+  fi
 else
  log_info "Using public-domain checks for ${GITEA_DOMAIN}"
 fi