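#!/usr/bin/env bash
# Reproducibly deploy the canonical Co-op Cloud `traefik` recipe as cc-ci's reverse proxy,
# in wildcard / file-provider mode — serving the operator's pre-issued wildcard cert, with
# NO ACME and NO DNS token on the box (see DECISIONS.md "Proxy: real coop-cloud/traefik").
#
# Idempotent: safe to re-run. Run as root on cc-ci (abra drives the local Docker swarm).
#   ssh cc-ci 'bash /root/cc-ci/scripts/deploy-proxy.sh'
#
# Prereqs (declared in the flake): docker + single-node swarm + `proxy` overlay (modules/swarm.nix),
# abra (modules/abra.nix), and the wildcard cert at /var/lib/ci-certs/live/ (operator-provided).
#
# Environment overrides (all optional):
#   PROXY_DOMAIN    app domain abra deploys under            (default traefik.ci.commoninternet.net)
#   CERT_DIR        dir holding fullchain.pem + privkey.pem  (default /var/lib/ci-certs/live)
#   SECRET_VERSION  version suffix of the two swarm secrets  (default v1)
#   STACK_NAME      exact swarm stack name (as listed by `docker stack ls`); when set, secrets
#                   are matched by full name instead of by `_<secret>_<version>` suffix
#
# Cert rotation: swarm secrets are immutable, so a renewed cert is NOT picked up by simply
# re-running this script — bump SECRET_VERSION (e.g. v2) and re-run. The env file and the
# secrets are written in the same run, so the deployed stack references a version that exists.
set -euo pipefail

PROXY_DOMAIN="${PROXY_DOMAIN:-traefik.ci.commoninternet.net}"
CERT_DIR="${CERT_DIR:-/var/lib/ci-certs/live}"
SECRET_VERSION="${SECRET_VERSION:-v1}"
STACK_NAME="${STACK_NAME:-}"
ENV_FILE="$HOME/.abra/servers/default/${PROXY_DOMAIN}.env"
CERT_FILE="$CERT_DIR/fullchain.pem"
KEY_FILE="$CERT_DIR/privkey.pem"
export PATH=/run/current-system/sw/bin:"$PATH"

# Print a diagnostic to stderr and abort.
die() { printf 'deploy-proxy: %s\n' "$*" >&2; exit 1; }

#######################################
# Deterministically set KEY=VAL in $ENV_FILE: drop every existing line for KEY
# (commented out or not), then append the new one, so re-runs converge on one line.
# Arguments: $1 - variable name; must be a plain UPPER_SNAKE identifier because it is
#                 interpolated into a sed regex, anything else is refused.
#            $2 - value, written verbatim (caller supplies any quoting it needs).
#######################################
set_env() {
  local key="$1" val="$2"
  [[ "$key" =~ ^[A-Z_][A-Z0-9_]*$ ]] || die "set_env: refusing unsafe key '$key'"
  sed -i -E "/^[[:space:]]*#?[[:space:]]*${key}=/d" "$ENV_FILE"
  printf '%s=%s\n' "$key" "$val" >> "$ENV_FILE"
}

#######################################
# True if the swarm already holds recipe secret $1 at $SECRET_VERSION.
# Asks docker directly: abra's recipe-defined list always reports these with
# "created on server":"false". The generated swarm name is <stack>_<secret>_<version>;
# with STACK_NAME unset we match on the `_<secret>_<version>` suffix only, which assumes
# no other stack on this swarm defines ssl_cert / ssl_key secrets.
# Arguments: $1 - recipe secret name (ssl_cert or ssl_key)
# Returns:   0 if present, non-zero otherwise
#######################################
have_secret() {
  local name="$1" listing
  # Snapshot the listing once: `docker ... | grep -q` can trip pipefail if grep exits
  # before docker finishes writing, which would read as "absent" and force a re-insert.
  listing="$(docker secret ls --format '{{.Name}}')"
  if [[ -n "$STACK_NAME" ]]; then
    grep -qxF -- "${STACK_NAME}_${name}_${SECRET_VERSION}" <<<"$listing"
  else
    grep -qE -- "_${name}_${SECRET_VERSION}\$" <<<"$listing"
  fi
}

#######################################
# Fail fast — before any abra/swarm state is touched — if the operator-provided cert
# material is missing or unreadable. Only warns if the private key is readable beyond
# its owner; the file is the operator's to fix, but it should not go unnoticed.
#######################################
check_cert_material() {
  [[ "$SECRET_VERSION" =~ ^[A-Za-z0-9_-]+$ ]] || die "SECRET_VERSION '$SECRET_VERSION' is not a plain token"
  [[ -r "$CERT_FILE" ]] || die "missing/unreadable wildcard cert: $CERT_FILE"
  [[ -r "$KEY_FILE" ]] || die "missing/unreadable wildcard key: $KEY_FILE"
  local mode
  # GNU stat (NixOS ships coreutils); if it is unavailable the check is simply skipped.
  mode="$(stat -c '%a' "$KEY_FILE" 2>/dev/null || true)"
  if [[ -n "$mode" && "${mode: -2}" != "00" ]]; then
    printf 'deploy-proxy: WARNING %s has mode %s (readable by group/other)\n' "$KEY_FILE" "$mode" >&2
  fi
}

main() {
  check_cert_material

  echo "==> ensure local abra server"
  # Best-effort by design: `server ls` may fail on a fresh box and `server add` may
  # complain if the local server already exists; neither should abort a re-run.
  abra server ls -m -n >/dev/null 2>&1 || abra server add --local -n || true

  echo "==> fetch traefik recipe"
  abra recipe fetch traefik -n >/dev/null

  if [[ ! -f "$ENV_FILE" ]]; then
    echo "==> create traefik app ($PROXY_DOMAIN)"
    abra app new traefik -s default -D "$PROXY_DOMAIN" -n
  fi
  [[ -f "$ENV_FILE" ]] || die "abra did not create $ENV_FILE"

  echo "==> configure wildcard / no-ACME env"
  # Empty LETS_ENCRYPT_ENV => the traefik router uses no cert resolver => no ACME ever fires.
  set_env LETS_ENCRYPT_ENV ""
  set_env WILDCARDS_ENABLED "1"
  # Both *_VERSION values and the secrets inserted below come from one SECRET_VERSION,
  # so the env file can never reference a secret version that was not created.
  set_env SECRET_WILDCARD_CERT_VERSION "$SECRET_VERSION"
  set_env SECRET_WILDCARD_KEY_VERSION "$SECRET_VERSION"
  set_env COMPOSE_FILE '"compose.yml:compose.wildcard.yml"'
  echo " env written: $ENV_FILE"

  echo "==> insert wildcard cert secrets ($SECRET_VERSION) from $CERT_DIR (idempotent)"
  # -f reads the PEM from the file: the multi-line key is taken verbatim and never
  # travels through argv, where it would be visible to `ps` and process accounting.
  if ! have_secret ssl_cert; then
    abra app secret insert "$PROXY_DOMAIN" ssl_cert "$SECRET_VERSION" "$CERT_FILE" -f -n
  fi
  if ! have_secret ssl_key; then
    abra app secret insert "$PROXY_DOMAIN" ssl_key "$SECRET_VERSION" "$KEY_FILE" -f -n
  fi

  echo "==> deploy traefik"
  abra app deploy "$PROXY_DOMAIN" -n -C
  echo "==> done"
}

main "$@"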