cc-ci/scripts/deploy-proxy.sh
autonomic-bot 12f86fd3fb M1: proxy via real coop-cloud/traefik (abra, wildcard/no-ACME); recipe deploy+teardown; M1 CLAIMED
Orchestrator decision: deploy canonical coop-cloud traefik via abra instead of a
hand-rolled module. abra packaged in Nix (pinned). custom-html deployed over HTTPS
(200) via the gateway and torn down clean. docs/install.md seeded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 22:21:12 +01:00


#!/usr/bin/env bash
# Reproducibly deploy the canonical Co-op Cloud `traefik` recipe as cc-ci's reverse proxy,
# in wildcard / file-provider mode — serving the operator's pre-issued wildcard cert, with
# NO ACME and NO DNS token on the box (see DECISIONS.md "Proxy: real coop-cloud/traefik").
#
# Idempotent: safe to re-run. Run as root on cc-ci (abra drives the local Docker swarm).
# ssh cc-ci 'bash /root/cc-ci/scripts/deploy-proxy.sh'
#
# Prereqs (declared in the flake): docker + single-node swarm + `proxy` overlay (modules/swarm.nix),
# abra (modules/abra.nix), and the wildcard cert at /var/lib/ci-certs/live/ (operator-provided).
set -euo pipefail

# Inputs, both overridable from the environment:
#   PROXY_DOMAIN - domain of the traefik app (doubles as its abra app name)
#   CERT_DIR     - directory holding the operator-provided fullchain.pem / privkey.pem
# ENV_FILE is abra's per-app env file for the "default" (local) server; the wildcard /
# no-ACME settings are written there before deploying.
PROXY_DOMAIN="${PROXY_DOMAIN:-traefik.ci.commoninternet.net}"
CERT_DIR="${CERT_DIR:-/var/lib/ci-certs/live}"
ENV_FILE="${HOME}/.abra/servers/default/${PROXY_DOMAIN}.env"
# NixOS system profile first, so the flake-provided docker/abra are found before anything else.
export PATH="/run/current-system/sw/bin:${PATH}"

printf '%s\n' "==> ensure local abra server"
# Best-effort: the exit status of `server add` is deliberately ignored (presumably so an
# already-registered local server is not an error); a real failure surfaces at the next abra call.
if ! abra server ls -m -n >/dev/null 2>&1; then
  abra server add --local -n || true
fi

printf '%s\n' "==> fetch traefik recipe"
abra recipe fetch traefik -n >/dev/null

# First run only: create the app; on re-runs the env file already exists and is just updated.
if [[ ! -f "$ENV_FILE" ]]; then
  printf '%s\n' "==> create traefik app (${PROXY_DOMAIN})"
  abra app new traefik -s default -D "$PROXY_DOMAIN" -n
fi
printf '%s\n' "==> configure wildcard / no-ACME env"
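#######################################
# Write KEY=VAL into $ENV_FILE deterministically: drop every existing line for KEY
# (commented out or not), then append the new assignment at the end.
# An empty LETS_ENCRYPT_ENV leaves the traefik router without a cert resolver, so no
# ACME ever fires (the point of wildcard / file-provider mode).
# Globals:   ENV_FILE (read; the file is modified in place)
# Arguments: $1 - variable name; must be a plain identifier ([A-Za-z_][A-Za-z0-9_]*),
#                 because it is spliced unescaped into a sed regex and into the env file
#            $2 - value, written verbatim (surrounding quotes included if the caller passes them)
# Returns:   0 on success; 1 with a message on stderr if $1 is not a plain identifier
#######################################
set_env() {
  local key=$1 val=$2
  # Refuse keys that would act as regex syntax in the sed pattern (or split the KEY=VAL line),
  # which could silently delete or corrupt unrelated settings.
  if [[ ! "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
    printf 'set_env: refusing non-identifier key %q\n' "$key" >&2
    return 1
  fi
  sed -i -E "/^[[:space:]]*#?[[:space:]]*${key}=/d" "$ENV_FILE"
  printf '%s=%s\n' "$key" "$val" >> "$ENV_FILE"
}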
# Wildcard / file-provider settings, applied in this order so the env file is reproducible.
# Each value is written verbatim; COMPOSE_FILE keeps its double quotes on purpose
# (presumably because abra, not the shell, parses this file — confirm if it ever changes).
wildcard_env=(
  'LETS_ENCRYPT_ENV='
  'WILDCARDS_ENABLED=1'
  'SECRET_WILDCARD_CERT_VERSION=v1'
  'SECRET_WILDCARD_KEY_VERSION=v1'
  'COMPOSE_FILE="compose.yml:compose.wildcard.yml"'
)
for kv in "${wildcard_env[@]}"; do
  set_env "${kv%%=*}" "${kv#*=}"
done
printf '%s\n' " env written: ${ENV_FILE}"
printf '%s\n' "==> insert wildcard cert secrets (v1) from ${CERT_DIR} (idempotent)"
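#######################################
# Test whether the wildcard secret <name> (version v1) already exists in the swarm.
# Checks the actual swarm secret (generated name ${STACK_NAME}_<name>_v1), not abra's
# recipe-defined list (which always shows the names with "created on server":"false").
# The listing is captured first and matched in-shell instead of being piped into `grep -q`:
# under `pipefail`, grep's early exit can end `docker` with SIGPIPE and turn a genuine
# match into a non-zero status, which would make the caller re-insert an existing secret.
# NOTE(review): only the suffix is matched, so a same-named secret belonging to another
# stack on this swarm also counts; anchor on the traefik stack name if that can happen here.
# Globals:   none (runs `docker secret ls`)
# Arguments: $1 - secret name without stack prefix or version, e.g. ssl_cert
# Returns:   0 if a matching secret exists; 1 otherwise (also 1 when docker fails)
#######################################
have_secret() {
  local name=$1 listing line
  listing=$(docker secret ls --format '{{.Name}}') || return 1
  while IFS= read -r line; do
    [[ "$line" == *"_${name}_v1" ]] && return 0
  done <<<"$listing"
  return 1
}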
# Insert from file (-f) so the multi-line PEM is read verbatim, not arg-parsed; this also
# keeps the private key material out of argv, which would otherwise show up in `ps`/traces.
# Each entry is <secret name>:<file under CERT_DIR>; an existing v1 secret is left untouched.
for secret in ssl_cert:fullchain.pem ssl_key:privkey.pem; do
  name=${secret%%:*}
  pem="${CERT_DIR}/${secret#*:}"
  if have_secret "$name"; then
    continue
  fi
  abra app secret insert "$PROXY_DOMAIN" "$name" v1 "$pem" -f -n
done

printf '%s\n' "==> deploy traefik"
# -n is non-interactive; -C is presumably abra's chaos flag (deploy the local recipe checkout
# as-is) — confirm against the pinned abra's `app deploy --help`.
abra app deploy "$PROXY_DOMAIN" -n -C
printf '%s\n' "==> done"