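#!/usr/bin/env bash
# First-time A→Z deployment with Let's Encrypt certificates (webroot challenge).
#
# Steps: prepare the ACME webroot and certificate directories, optionally build
# the local UI, bring up only the reverse proxy so the HTTP-01 challenge can be
# answered, issue the certificate with certbot (docker image), copy the chain
# and key into ./certs, start the whole stack, install the renewal cron job and
# run two quick HTTPS smoke checks.
#
# Usage: ./scripts/deploy_first_install_with_certs.sh --domain dev4.4nkweb.com --email admin@example.com [--skip-ui]
#
# Assumes docker with the compose plugin, sudo rights for root's crontab and
# port 80 of $DOMAIN reaching the reverse proxy (not verified here).
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
readonly ROOT_DIR
DOMAIN=""
EMAIL=""
BUILD_UI=1

#######################################
# Print usage to stderr and exit with status 2.
#######################################
usage() {
  echo "Usage: ${0##*/} --domain <fqdn> --email <email> [--skip-ui]" >&2
  exit 2
}

#######################################
# Abort when an option that needs a value was given none.
# Under `set -u` a bare "$2" would die with an opaque "unbound variable".
# Arguments: $1 - option name, $2 - its value (may be empty/missing)
#######################################
require_value() {
  if [[ -z "${2:-}" ]]; then
    echo "Erreur: $1 requiert une valeur" >&2
    exit 2
  fi
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --domain) require_value "$1" "${2:-}"; DOMAIN="$2"; shift 2;;
    --email) require_value "$1" "${2:-}"; EMAIL="$2"; shift 2;;
    --skip-ui) BUILD_UI=0; shift;;
    -h|--help) usage;;
    *) echo "Option inconnue: $1" >&2; exit 2;;
  esac
done

if [[ -z "$DOMAIN" || -z "$EMAIL" ]]; then
  echo "Erreur: --domain et --email sont requis" >&2
  exit 2
fi

# $DOMAIN is passed to certbot and also used as a path component
# (letsencrypt/live/$DOMAIN/...): accept only a plain hostname so it can
# neither look like an option ("-x") nor escape the directory ("../").
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  echo "Erreur: --domain invalide: $DOMAIN" >&2
  exit 2
fi

echo "[1/8] Préparation des dossiers (acme/letsencrypt/certs)"
# logs/ is created here as well: the cron entry installed in step 7 redirects
# into it, and cron would otherwise fail quietly on the missing directory.
mkdir -p "$ROOT_DIR/acme/.well-known/acme-challenge" \
  "$ROOT_DIR/letsencrypt" \
  "$ROOT_DIR/letsencrypt_lib" \
  "$ROOT_DIR/certs" \
  "$ROOT_DIR/logs"
# World-readable webroot, presumably so the proxy container (other uid) can
# serve the challenge files.
chmod -R 755 "$ROOT_DIR/acme"

echo "[2/8] Optionnel: build UI locale (ihm_client/dist)"
# Best-effort: a failing UI build must not block certificate issuance.
if [[ $BUILD_UI -eq 1 && -x "$ROOT_DIR/scripts/build_ui_local.sh" ]]; then
  ( cd "$ROOT_DIR" && ./scripts/build_ui_local.sh ) || true
fi

echo "[3/8] Démarrage du reverse proxy pour le challenge ACME"
# Only the proxy is started so the HTTP-01 challenge can be answered before
# the rest of the stack (which may expect certs/ to be populated) comes up.
docker compose -f "$ROOT_DIR/docker-compose.yml" up -d --no-deps reverse_proxy

echo "[4/8] Émission du certificat (Let’s Encrypt, webroot) pour $DOMAIN"
# Run certbot from its official image. The mounts share the webroot with the
# proxy and persist certbot's account/config state between runs.
docker run --rm \
  -v "$ROOT_DIR/acme:/var/www/certbot" \
  -v "$ROOT_DIR/letsencrypt:/etc/letsencrypt" \
  -v "$ROOT_DIR/letsencrypt_lib:/var/lib/letsencrypt" \
  certbot/certbot certonly --webroot -w /var/www/certbot \
    -d "$DOMAIN" --email "$EMAIL" --agree-tos --non-interactive

echo "[5/8] Installation des fichiers de cert dans ./certs"
# live/ holds symlinks; install(1) copies the dereferenced content.
# The private key is owner-only (0600), the chain is world-readable.
install -m 0644 "$ROOT_DIR/letsencrypt/live/$DOMAIN/fullchain.pem" "$ROOT_DIR/certs/server.crt"
install -m 0600 "$ROOT_DIR/letsencrypt/live/$DOMAIN/privkey.pem" "$ROOT_DIR/certs/server.key"

echo "[6/8] Démarrage complet de l’infrastructure (build si nécessaire)"
docker compose -f "$ROOT_DIR/docker-compose.yml" up -d --build

echo "[7/8] Mise en place du renouvellement automatique (cron 03:00)"
chmod +x "$ROOT_DIR/scripts/renew_certs.sh" || true
renew_script="$ROOT_DIR/scripts/renew_certs.sh"
# Paths are quoted in the cron line so a ROOT_DIR with spaces still works.
cron_line="0 3 * * * \"$renew_script\" >> \"$ROOT_DIR/logs/cert_renew.log\" 2>&1"
# Idempotent: drop any earlier entry for renew_certs.sh before appending, so
# re-running this script does not stack duplicate jobs in root's crontab.
# `crontab -l` fails when no crontab exists yet and grep -v returns 1 when
# nothing is left; both are expected, hence `|| true`.
{
  sudo crontab -l 2>/dev/null | grep -vF -- "$renew_script" || true
  printf '%s\n' "$cron_line"
} | sudo crontab -

echo "[8/8] Vérifications rapides"
# Best-effort reachability probe only: `-k` skips chain validation, so this
# does not prove the freshly installed certificate is the one being served.
curl -skI "https://$DOMAIN" | head -n 1 || true
curl -skI "https://$DOMAIN/signer/health" | head -n 1 || true

echo "Déploiement initial terminé. Domaine: https://$DOMAIN"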