gitea-migration/phase8_post_check.sh

#!/usr/bin/env bash
set -euo pipefail
# shellcheck disable=SC2329

# =============================================================================
# phase8_post_check.sh — Verify Phase 8 (Cutover) succeeded
# Checks:
#   1. HTTPS works with valid cert
#   2. HTTP redirects to HTTPS
#   3. All repos accessible via HTTPS
#   4. GitHub repos are marked as offsite backup
# Exits 0 only if ALL checks pass.
# =============================================================================

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "${SCRIPT_DIR}/lib/common.sh"

load_env
require_vars GITEA_DOMAIN UNRAID_CADDY_IP GITEA_ADMIN_TOKEN GITEA_ORG_NAME \
             GITHUB_USERNAME GITHUB_TOKEN \
             REPO_NAMES

log_info "=== Phase 8 Post-Check ==="

read -ra REPOS <<< "$REPO_NAMES"
PASS=0
FAIL=0

run_check() {
  local description="$1"; shift
  if "$@" 2>/dev/null; then
    log_success "$description"
    PASS=$((PASS + 1))
  else
    log_error "FAIL: $description"
    FAIL=$((FAIL + 1))
  fi
}

ACCESS_MODE="public"
if ! curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version" 2>/dev/null; then
  ACCESS_MODE="direct"
  log_warn "Public routing to ${GITEA_DOMAIN} not reachable from control plane"
  log_warn "Using direct Caddy-IP checks via --resolve (${UNRAID_CADDY_IP})"
else
  log_info "Using public-domain checks for ${GITEA_DOMAIN}"
fi

curl_https() {
  if [[ "$ACCESS_MODE" == "direct" ]]; then
    curl -sk --resolve "${GITEA_DOMAIN}:443:${UNRAID_CADDY_IP}" "$@"
  else
    curl -s "$@"
  fi
}

curl_http() {
  if [[ "$ACCESS_MODE" == "direct" ]]; then
    curl -s --resolve "${GITEA_DOMAIN}:80:${UNRAID_CADDY_IP}" "$@"
  else
    curl -s "$@"
  fi
}

# Check 1: HTTPS works
# shellcheck disable=SC2329
check_https_version() {
  curl_https -f -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version"
}
run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" check_https_version

# Check 2: HTTP redirects to HTTPS (returns 301)
# shellcheck disable=SC2329
check_redirect() {
  local http_code
  http_code=$(curl_http -I -o /dev/null -w "%{http_code}" "http://${GITEA_DOMAIN}/")
  [[ "$http_code" == "301" || "$http_code" == "308" ]]
}
run_check "HTTP → HTTPS redirect (301)" check_redirect

# Check 3: SSL certificate is valid (not self-signed)
# shellcheck disable=SC2329
check_ssl_cert() {
  # Verify openssl can connect and the cert is issued by a recognized CA
  local connect_target
  if [[ "$ACCESS_MODE" == "direct" ]]; then
    connect_target="${UNRAID_CADDY_IP}:443"
  else
    connect_target="${GITEA_DOMAIN}:443"
  fi
  local issuer
  issuer=$(echo | openssl s_client -connect "${connect_target}" -servername "${GITEA_DOMAIN}" 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || echo "")
  # Check that the issuer is not empty (meaning cert is valid)
  [[ -n "$issuer" ]]
}
run_check "SSL certificate is valid" check_ssl_cert

# Check 4: All repos accessible via HTTPS
# shellcheck disable=SC2329
check_repo_access() {
  local repo="$1"
  curl_https -f -o /dev/null -H "Authorization: token ${GITEA_ADMIN_TOKEN}" \
    "https://${GITEA_DOMAIN}/api/v1/repos/${GITEA_ORG_NAME}/${repo}"
}
for repo in "${REPOS[@]}"; do
  run_check "Repo ${repo} accessible at https://${GITEA_DOMAIN}/${GITEA_ORG_NAME}/${repo}" \
    check_repo_access "$repo"
done

# Check 5: GitHub repos are marked as offsite backup
for repo in "${REPOS[@]}"; do
  # shellcheck disable=SC2329
  check_mirror_marked() {
    local desc
    desc=$(github_api GET "/repos/${GITHUB_USERNAME}/$1" | jq -r '.description // ""')
    [[ "$desc" == "[MIRROR]"* ]]
  }
  run_check "GitHub repo ${repo} marked as mirror" check_mirror_marked "$repo"
done

# Summary
printf '\n'
log_info "Results: ${PASS} passed, ${FAIL} failed"

if [[ $FAIL -gt 0 ]]; then
  log_error "Phase 8 post-check FAILED"
  exit 1
else
  log_success "Phase 8 post-check PASSED — Gitea is live with HTTPS"
  exit 0
fi