#!/usr/bin/env bash set -euo pipefail # shellcheck disable=SC2329 # ============================================================================= # phase8_post_check.sh — Verify Phase 8 (Cutover) succeeded # Checks: # 1. HTTPS works with valid cert # 2. HTTP redirects to HTTPS # 3. All repos accessible via HTTPS # 4. GitHub repos are marked as offsite backup # Exits 0 only if ALL checks pass. # ============================================================================= SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" source "${SCRIPT_DIR}/lib/common.sh" ALLOW_DIRECT_CHECKS=false usage() { cat </dev/null; then log_success "$description" PASS=$((PASS + 1)) else log_error "FAIL: $description" FAIL=$((FAIL + 1)) fi } ACCESS_MODE="public" if ! curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version" 2>/dev/null; then log_warn "Public routing to ${GITEA_DOMAIN} not reachable from control plane" if [[ "$ALLOW_DIRECT_CHECKS" == "true" ]]; then ACCESS_MODE="direct" log_warn "Using direct Caddy-IP checks via --resolve (${UNRAID_CADDY_IP})" else log_error "Public HTTPS check failed; this is not a complete Phase 8 validation" log_error "Fix DNS/ingress routing and rerun, or use --allow-direct-checks for staging-only checks" exit 1 fi else log_info "Using public-domain checks for ${GITEA_DOMAIN}" fi curl_https() { if [[ "$ACCESS_MODE" == "direct" ]]; then curl -sk --resolve "${GITEA_DOMAIN}:443:${UNRAID_CADDY_IP}" "$@" else curl -s "$@" fi } curl_http() { if [[ "$ACCESS_MODE" == "direct" ]]; then curl -s --resolve "${GITEA_DOMAIN}:80:${UNRAID_CADDY_IP}" "$@" else curl -s "$@" fi } # Check 1: HTTPS works # shellcheck disable=SC2329 check_https_version() { curl_https -f -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version" } run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" check_https_version # Check 2: HTTP redirects to HTTPS (returns 301) # shellcheck disable=SC2329 check_redirect() { local http_code http_code=$(curl_http -I -o /dev/null -w "%{http_code}" "http://${GITEA_DOMAIN}/") [[ "$http_code" == "301" || "$http_code" == "308" ]] } run_check "HTTP → HTTPS redirect (301)" check_redirect # Check 3: SSL certificate is valid (not self-signed) # shellcheck disable=SC2329 check_ssl_cert() { # Verify openssl can connect and the cert is issued by a recognized CA local connect_target if [[ "$ACCESS_MODE" == "direct" ]]; then connect_target="${UNRAID_CADDY_IP}:443" else connect_target="${GITEA_DOMAIN}:443" fi local issuer issuer=$(echo | openssl s_client -connect "${connect_target}" -servername "${GITEA_DOMAIN}" 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || echo "") # Check that the issuer is not empty (meaning cert is valid) [[ -n "$issuer" ]] } run_check "SSL certificate is valid" check_ssl_cert # Check 4: All repos accessible via HTTPS # shellcheck disable=SC2329 check_repo_access() { local repo="$1" curl_https -f -o /dev/null -H "Authorization: token ${GITEA_ADMIN_TOKEN}" \ "https://${GITEA_DOMAIN}/api/v1/repos/${GITEA_ORG_NAME}/${repo}" } for repo in "${REPOS[@]}"; do run_check "Repo ${repo} accessible at https://${GITEA_DOMAIN}/${GITEA_ORG_NAME}/${repo}" \ check_repo_access "$repo" done # Check 5: GitHub repos are marked as offsite backup for repo in "${REPOS[@]}"; do # shellcheck disable=SC2329 check_mirror_marked() { local desc desc=$(github_api GET "/repos/${GITHUB_USERNAME}/$1" | jq -r '.description // ""') [[ "$desc" == "[MIRROR]"* ]] } run_check "GitHub repo ${repo} marked as mirror" check_mirror_marked "$repo" done # Summary printf '\n' log_info "Results: ${PASS} passed, ${FAIL} failed" if [[ $FAIL -gt 0 ]]; then log_error "Phase 8 post-check FAILED" exit 1 else log_success "Phase 8 post-check PASSED — Gitea is live with HTTPS" exit 0 fi