anchorage_layer_simple/configure-nginx-proxy.sh
ncantu 6bf37be44e Cron restart services (bitcoind, mempool), service-login-verify, website-skeleton, docs
**Motivations:**
- Consigner l'état actuel du dépôt (cron, service-login-verify, website-skeleton, userwallet, docs).
- Centraliser les modifications en attente.

**Root causes:**
- N/A (commit groupé).

**Correctifs:**
- N/A.

**Evolutions:**
- Cron quotidien restart services : script local sans SSH, systemd (bitcoin-signet, bitcoin, APIs, dashboard, userwallet, website-skeleton) + Docker (mempool, bitcoin-signet-instance).
- Feature cron-restart-services-local : documentation et règle scripts locaux / pas d'SSH.
- service-login-verify : module vérification login (buildAllowedPubkeys, verifyLoginProof, nonceCache).
- website-skeleton : app iframe UserWallet, config, systemd unit.
- userwallet : collectSignatures, relay.
- docs : DOMAINS_AND_PORTS, README, WEBSITE_SKELETON ; features userwallet-contrat-login, timeouts-backoff, service-login-verify.

**Pages affectées:**
- data/restart-services-cron.sh, data/restart-services.log, data/sync-utxos.log
- features/cron-restart-services-local.md, features/service-login-verify.md, features/userwallet-contrat-login-reste-a-faire.md, features/userwallet-timeouts-backoff.md
- docs/DOMAINS_AND_PORTS.md, docs/README.md, docs/WEBSITE_SKELETON.md
- configure-nginx-proxy.sh
- service-login-verify/ (src, dist, node_modules)
- userwallet/src/utils/collectSignatures.ts, userwallet/src/utils/relay.ts
- website-skeleton/
2026-01-28 00:48:37 +01:00

362 lines
13 KiB
Bash
Executable File

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
# Nginx reverse-proxy setup for the certificator.4nkweb.com subdomains.
# Usage: ./configure-nginx-proxy.sh
#
# Overall flow of the script: write one HTTP vhost per subdomain, enable it,
# validate and reload Nginx, then request a certificate per subdomain through
# Certbot. Root is required, either directly or through non-interactive sudo.

# Stop at the first unhandled command failure.
set -e

# Host the script is expected to run on, and the account used to reach it.
PROXY_HOST=192.168.1.100
PROXY_USER=ncantu

# Nginx vhost directories (definitions / enabled symlinks).
NGINX_SITES_AVAILABLE=/etc/nginx/sites-available
NGINX_SITES_ENABLED=/etc/nginx/sites-enabled

# Initial Certbot path; the Certbot detection step reassigns this variable.
CERTBOT_BIN=/usr/bin/certbot

printf '%s\n' "=== Configuration Nginx pour certificator.4nkweb.com ===" ""
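# Informational check only: print a hint when the script does not appear to be
# running on the proxy itself and was not started over SSH. Nothing is enforced.
# The proxy address comes from PROXY_HOST so the check and the hint cannot drift
# apart from the constant defined at the top of the script.
# Only the first address printed by `hostname -I` is compared, so a multi-homed
# proxy may still see the hint.
# NOTE(review): the hinted command streams this file into a root shell on the
# proxy (`sudo bash -s`); whoever can modify the local copy decides what runs as
# root there, so run it only from a trusted checkout.
CURRENT_IP=$(hostname -I 2>/dev/null | awk '{print $1}' || echo "")
if [ "$CURRENT_IP" != "${PROXY_HOST}" ] && [ -z "${SSH_CONNECTION:-}" ]; then
  echo " Ce script peut être exécuté sur le proxy (${PROXY_HOST})"
  echo " Ou via SSH: ssh ${PROXY_USER}@${PROXY_HOST} 'sudo bash -s' < $0"
  echo ""
fi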
# Privilege check. SUDO_CMD stays empty when already root and becomes "sudo"
# otherwise; later commands expand it unquoted on purpose so that the empty
# value disappears from the command line.
# NOTE(review): `sudo -n true` only shows that sudo answers without a password
# prompt for `true`; it does not prove that tee, ln, systemctl, apt-get and
# certbot are all permitted non-interactively by the sudoers policy.
SUDO_CMD=""
if [ "$EUID" -ne 0 ]; then
  if ! { command -v sudo > /dev/null 2>&1 && sudo -n true 2> /dev/null; }; then
    echo "⚠️ Ce script nécessite les permissions root pour configurer Nginx"
    echo " Utilisez: sudo $0"
    exit 1
  fi
  echo "✅ Utilisation de sudo (droits non interactifs)"
  # Root-only commands below are prefixed with sudo.
  SUDO_CMD="sudo"
fi
echo "✅ Vérification de Nginx..."
# Locate Nginx: PATH lookup first, then the two usual absolute locations.
# When it is found on PATH the bare name "nginx" is kept, so the binary that
# eventually runs is whichever one the (sudo) environment resolves at call time.
NGINX_BIN=""
if command -v nginx > /dev/null 2>&1; then
  NGINX_BIN="nginx"
else
  for candidate in /usr/sbin/nginx /usr/bin/nginx; do
    if [ -f "$candidate" ]; then
      NGINX_BIN="$candidate"
      break
    fi
  done
fi
# Nginx is a hard requirement: unlike Certbot, it is not installed automatically.
if [ -z "$NGINX_BIN" ]; then
  echo "❌ Nginx n'est pas installé"
  exit 1
fi
echo " Nginx trouvé: ${NGINX_BIN}"
echo "✅ Vérification de Certbot..."
# Locate Certbot: PATH lookup first, then /usr/bin/certbot. This assignment
# replaces the value set in the constants at the top of the script.
CERTBOT_BIN=""
if command -v certbot > /dev/null 2>&1; then
  CERTBOT_BIN="certbot"
elif [ -f /usr/bin/certbot ]; then
  CERTBOT_BIN="/usr/bin/certbot"
fi
# Not found: install it with apt. The install is unattended (-y) and takes
# whatever version the configured repositories offer; no version is pinned.
if [ -z "$CERTBOT_BIN" ]; then
  echo "⚠️ Certbot n'est pas installé. Installation..."
  ${SUDO_CMD} apt-get update
  ${SUDO_CMD} apt-get install -y certbot python3-certbot-nginx
  CERTBOT_BIN="certbot"
fi
echo " Certbot trouvé: ${CERTBOT_BIN}"
# Create the Nginx configuration for each subdomain.
# 1. Dashboard (port 3020)
# Writes an HTTP-only (listen 80) server block for the dashboard vhost into
# sites-available. tee is used without -a, so an existing file of that name is
# replaced. The quoted 'EOF' delimiter keeps the shell from expanding $host,
# $scheme, etc., so they reach Nginx as its own variables.
# NOTE(review): the Certbot step later in this script is described as modifying
# the config to add HTTPS and a redirect; if it edits this file, re-running the
# script discards those edits until Certbot succeeds again — confirm.
echo ""
echo "📝 Configuration de dashboard.certificator.4nkweb.com..."
${SUDO_CMD} tee "${NGINX_SITES_AVAILABLE}/dashboard.certificator.4nkweb.com" > /dev/null << 'EOF'
# Dashboard Bitcoin Signet
server {
listen 80;
server_name dashboard.certificator.4nkweb.com;
# Logs
access_log /var/log/nginx/dashboard.certificator.4nkweb.com.access.log;
error_log /var/log/nginx/dashboard.certificator.4nkweb.com.error.log;
# Proxy vers le service Node.js (port 3020)
# Note: Les services tournent sur 192.168.1.105
location / {
proxy_pass http://192.168.1.105:3020;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
}
}
EOF
# 2. Faucet (port 3021)
# Writes the HTTP-only vhost that forwards every request for the faucet
# subdomain to 192.168.1.105:3021.
# NOTE(review): $proxy_add_x_forwarded_for appends the connecting address to
# whatever X-Forwarded-For header the client sent, so the leftmost entry is
# client-controlled. If the faucet limits requests per client IP, it should rely
# on X-Real-IP or the last X-Forwarded-For entry — verify against the backend.
echo "📝 Configuration de faucet.certificator.4nkweb.com..."
${SUDO_CMD} tee "${NGINX_SITES_AVAILABLE}/faucet.certificator.4nkweb.com" > /dev/null << 'EOF'
# API Faucet Bitcoin Signet
server {
listen 80;
server_name faucet.certificator.4nkweb.com;
# Logs
access_log /var/log/nginx/faucet.certificator.4nkweb.com.access.log;
error_log /var/log/nginx/faucet.certificator.4nkweb.com.error.log;
# Proxy vers le service Node.js (port 3021)
# Note: Les services tournent sur 192.168.1.105
location / {
proxy_pass http://192.168.1.105:3021;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
}
}
EOF
# 3. Anchorage (port 3010)
# Writes the HTTP-only vhost that forwards the anchorage subdomain to
# 192.168.1.105:3010.
# The proxy-to-backend hop uses plain http://, so any TLS added later ends at
# this proxy and traffic to 192.168.1.105 crosses the LAN unencrypted.
# NOTE(review): presumably port 3010 should accept connections from the proxy
# only; that restriction is not visible in this script — confirm on the backend.
echo "📝 Configuration de anchorage.certificator.4nkweb.com..."
${SUDO_CMD} tee "${NGINX_SITES_AVAILABLE}/anchorage.certificator.4nkweb.com" > /dev/null << 'EOF'
# API Anchorage Bitcoin Signet
server {
listen 80;
server_name anchorage.certificator.4nkweb.com;
# Logs
access_log /var/log/nginx/anchorage.certificator.4nkweb.com.access.log;
error_log /var/log/nginx/anchorage.certificator.4nkweb.com.error.log;
# Proxy vers le service Node.js (port 3010)
# Note: Les services tournent sur 192.168.1.105
location / {
proxy_pass http://192.168.1.105:3010;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
}
}
EOF
# 4. Watermark (port 3022)
# Writes the HTTP-only vhost that forwards the watermark subdomain to
# 192.168.1.105:3022.
# The block sends "Connection: upgrade" to the backend on every request, not
# only on WebSocket handshakes, and allows 300s for a backend read and 75s for
# the connect. No request-rate or body-size limit is configured at this layer,
# so any such limit has to come from the backend or the global Nginx config.
echo "📝 Configuration de watermark.certificator.4nkweb.com..."
${SUDO_CMD} tee "${NGINX_SITES_AVAILABLE}/watermark.certificator.4nkweb.com" > /dev/null << 'EOF'
# API Watermark Bitcoin Signet
server {
listen 80;
server_name watermark.certificator.4nkweb.com;
# Logs
access_log /var/log/nginx/watermark.certificator.4nkweb.com.access.log;
error_log /var/log/nginx/watermark.certificator.4nkweb.com.error.log;
# Proxy vers le service Node.js (port 3022)
# Note: Les services tournent sur 192.168.1.105
location / {
proxy_pass http://192.168.1.105:3022;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
}
}
EOF
# 5. UserWallet (port 3018)
# Writes the HTTP-only vhost that forwards the userwallet subdomain to the
# frontend on 192.168.1.105:3018.
# Until the Certbot step succeeds for this domain, the wallet UI is reachable
# over plain HTTP on port 80.
# NOTE(review): the generated header calls this a Vite frontend; if port 3018 is
# the Vite development server rather than a production build, it should not be
# published through the proxy — confirm.
echo "📝 Configuration de userwallet.certificator.4nkweb.com..."
${SUDO_CMD} tee "${NGINX_SITES_AVAILABLE}/userwallet.certificator.4nkweb.com" > /dev/null << 'EOF'
# UserWallet frontend (Vite)
server {
listen 80;
server_name userwallet.certificator.4nkweb.com;
# Logs
access_log /var/log/nginx/userwallet.certificator.4nkweb.com.access.log;
error_log /var/log/nginx/userwallet.certificator.4nkweb.com.error.log;
# Proxy vers le frontend UserWallet (port 3018) sur 192.168.1.105
location / {
proxy_pass http://192.168.1.105:3018;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
}
}
EOF
# 6. Website skeleton (port 3024)
# Writes the HTTP-only vhost that forwards the skeleton subdomain to
# 192.168.1.105:3024.
# The generated header describes this site as embedding UserWallet in an iframe.
# No framing-related response header (X-Frame-Options or a CSP frame-ancestors
# policy) is set at the proxy, so which origins may frame the wallet is decided
# entirely by the backends.
# NOTE(review): confirm the wallet restricts framing to the intended origin.
echo "📝 Configuration de skeleton.certificator.4nkweb.com..."
${SUDO_CMD} tee "${NGINX_SITES_AVAILABLE}/skeleton.certificator.4nkweb.com" > /dev/null << 'EOF'
# Website skeleton (UserWallet iframe)
server {
listen 80;
server_name skeleton.certificator.4nkweb.com;
access_log /var/log/nginx/skeleton.certificator.4nkweb.com.access.log;
error_log /var/log/nginx/skeleton.certificator.4nkweb.com.error.log;
location / {
proxy_pass http://192.168.1.105:3024;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
}
}
EOF
# 7. Relay / api-relay (port 3019)
# Writes the HTTP-only vhost that forwards the relay subdomain to api-relay on
# 192.168.1.105:3019.
# The proxy passes every path and method through unchanged: this block has no
# authentication, allow/deny rule or request-rate limit, so access control for
# the relay API rests entirely on the backend.
echo "📝 Configuration de relay.certificator.4nkweb.com..."
${SUDO_CMD} tee "${NGINX_SITES_AVAILABLE}/relay.certificator.4nkweb.com" > /dev/null << 'EOF'
# API Relay (UserWallet)
server {
listen 80;
server_name relay.certificator.4nkweb.com;
# Logs
access_log /var/log/nginx/relay.certificator.4nkweb.com.access.log;
error_log /var/log/nginx/relay.certificator.4nkweb.com.error.log;
# Proxy vers api-relay (port 3019) sur 192.168.1.105
location / {
proxy_pass http://192.168.1.105:3019;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 300s;
proxy_connect_timeout 75s;
}
}
EOF
# Enable the sites: link each vhost from sites-available into sites-enabled.
# `ln -sf` replaces an existing entry of the same name, so re-running is safe.
# The subdomain list is repeated here; it must match the vhost files written
# above and the DOMAINS array used for Certbot.
echo ""
echo "🔗 Activation des sites..."
for site in dashboard faucet anchorage watermark userwallet skeleton relay; do
  vhost="${site}.certificator.4nkweb.com"
  ${SUDO_CMD} ln -sf "${NGINX_SITES_AVAILABLE}/${vhost}" "${NGINX_SITES_ENABLED}/${vhost}"
done
# Validate the complete Nginx configuration before touching the running server.
# On failure the script stops here, but the vhost files and symlinks created
# above stay in place, so a later manual reload or restart would hit the same
# invalid configuration until it is fixed.
echo ""
echo "🔍 Test de la configuration Nginx..."
if ! ${SUDO_CMD} ${NGINX_BIN} -t; then
  echo "❌ Erreur dans la configuration Nginx"
  exit 1
fi
echo "✅ Configuration Nginx valide"

# Reload Nginx with the HTTP-only configuration. From this point until Certbot
# succeeds for a domain, that domain is served over plain HTTP on port 80.
# Falls back to `service` when `systemctl reload` fails.
echo ""
echo "🔄 Rechargement de Nginx (configuration HTTP)..."
if ! ${SUDO_CMD} systemctl reload nginx; then
  ${SUDO_CMD} service nginx reload
fi
# Request a TLS certificate per subdomain through Certbot's Nginx plugin.
echo ""
echo "🔐 Génération des certificats SSL avec Certbot..."
echo " Note: Certbot va automatiquement créer les configurations HTTPS"
echo ""

# One Certbot run per domain, so that a failure on one does not block the rest.
DOMAINS=(
  "dashboard.certificator.4nkweb.com"
  "faucet.certificator.4nkweb.com"
  "anchorage.certificator.4nkweb.com"
  "watermark.certificator.4nkweb.com"
  "userwallet.certificator.4nkweb.com"
  "skeleton.certificator.4nkweb.com"
  "relay.certificator.4nkweb.com"
)

for domain in "${DOMAINS[@]}"; do
  echo "📜 Génération du certificat pour ${domain}..."
  # --redirect asks Certbot to add the HTTP -> HTTPS redirect to the vhost.
  # A failure is deliberately non-fatal: the script only warns and moves on,
  # which leaves that domain on plain HTTP until a certificate is obtained.
  # The manual command suggested below does not include --redirect.
  # NOTE(review): the ACME contact address is hard-coded here.
  if ! ${SUDO_CMD} ${CERTBOT_BIN} --nginx -d "${domain}" --non-interactive --agree-tos --email admin@4nkweb.com --redirect; then
    echo "⚠️ Erreur lors de la génération du certificat pour ${domain}"
    echo " Vous pouvez le générer manuellement avec:"
    echo " sudo ${CERTBOT_BIN} --nginx -d ${domain}"
    continue
  fi
  echo "✅ Certificat généré et configuration HTTPS créée pour ${domain}"
done
# Final reload so that Nginx picks up whatever Certbot changed.
echo ""
echo "🔄 Rechargement final de Nginx..."
if ! ${SUDO_CMD} systemctl reload nginx; then
  ${SUDO_CMD} service nginx reload
fi

# Closing summary. It is printed unconditionally: the certificate loop only
# warns on failure, so "Configuration terminée" does not by itself mean that
# every domain is served over HTTPS. The upstream URLs listed are the plain-HTTP
# hops from the proxy to the backend host.
cat << 'EOF'

✅ Configuration terminée !

📋 Résumé:
 - dashboard.certificator.4nkweb.com -> http://192.168.1.105:3020
 - faucet.certificator.4nkweb.com -> http://192.168.1.105:3021
 - anchorage.certificator.4nkweb.com -> http://192.168.1.105:3010
 - watermark.certificator.4nkweb.com -> http://192.168.1.105:3022
 - userwallet.certificator.4nkweb.com -> http://192.168.1.105:3018
 - skeleton.certificator.4nkweb.com -> http://192.168.1.105:3024
 - relay.certificator.4nkweb.com -> http://192.168.1.105:3019

⚠️ Note: Si les services tournent sur une autre machine,
 modifiez les IP dans les fichiers de configuration Nginx

🔍 Vérification:
 - Test Nginx: nginx -t
 - Status: systemctl status nginx
 - Logs: tail -f /var/log/nginx/*.error.log

EOF