From b5d5d74bbdba9f327592a2c39a7aaa853ff1ec0b Mon Sep 17 00:00:00 2001
From: Nicolas Cantu <nicolas.cantu@pm.me>
Date: Mon, 23 Mar 2026 01:14:18 +0100
Subject: [PATCH] Fix deploy script: empty DEPLOY_SSH_PROXY_HOST means direct
 SSH to proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**Motivations:**
- DEPLOY_SSH_PROXY_HOST= was overridden by default bastion due to ${VAR:-default}.

**Root causes:**
- Bash treats empty VAR as unset for :- expansion, reapplying 4nk.myftp.biz.

**Correctifs:**
- Use -v / empty check: unset bastion when explicitly empty; default only when unset.

**Evolutions:**
- README and failure hint for LAN direct deploy.

**Pages affectées:**
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/README-ia-enso.md
---
 deploy/nginx/README-ia-enso.md          |  2 +-
 deploy/nginx/deploy-ia-enso-to-proxy.sh | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/deploy/nginx/README-ia-enso.md b/deploy/nginx/README-ia-enso.md
index 794d583..5574707 100644
--- a/deploy/nginx/README-ia-enso.md
+++ b/deploy/nginx/README-ia-enso.md
@@ -19,7 +19,7 @@ Depuis la racine du dépôt **`smart_ide`**, sur une machine avec accès SSH au
 
 ```bash
 export IA_ENSO_OLLAMA_BEARER_TOKEN='secret-long-ascii-sans-guillemets-ni-backslash'
-# optionnel si accès LAN direct au proxy, sans bastion :
+# accès LAN direct au proxy (.100), sans bastion (variable vide = pas de ProxyJump) :
 # export DEPLOY_SSH_PROXY_HOST=
 ./deploy/nginx/deploy-ia-enso-to-proxy.sh
 ```
diff --git a/deploy/nginx/deploy-ia-enso-to-proxy.sh b/deploy/nginx/deploy-ia-enso-to-proxy.sh
index 2722dba..fcfaf92 100755
--- a/deploy/nginx/deploy-ia-enso-to-proxy.sh
+++ b/deploy/nginx/deploy-ia-enso-to-proxy.sh
@@ -28,9 +28,13 @@ source "$SSH_LIB"
 IA_ENSO_SSH_KEY="${IA_ENSO_SSH_KEY:-${HOME}/.ssh/id_ed25519}"
 IA_ENSO_PROXY_USER="${IA_ENSO_PROXY_USER:-ncantu}"
 IA_ENSO_PROXY_HOST="${IA_ENSO_PROXY_HOST:-192.168.1.100}"
-DEPLOY_SSH_PROXY_HOST="${DEPLOY_SSH_PROXY_HOST:-4nk.myftp.biz}"
 DEPLOY_SSH_PROXY_USER="${DEPLOY_SSH_PROXY_USER:-$IA_ENSO_PROXY_USER}"
-export DEPLOY_SSH_PROXY_HOST
+# ${VAR:-default} treats empty VAR as unset, so DEPLOY_SSH_PROXY_HOST= would wrongly become the bastion.
+if [[ ! -v DEPLOY_SSH_PROXY_HOST ]]; then
+	export DEPLOY_SSH_PROXY_HOST='4nk.myftp.biz'
+elif [[ -z "$DEPLOY_SSH_PROXY_HOST" ]]; then
+	unset DEPLOY_SSH_PROXY_HOST
+fi
 export DEPLOY_SSH_PROXY_USER
 
 TOKEN="${IA_ENSO_OLLAMA_BEARER_TOKEN:-}"
@@ -100,7 +104,7 @@ if ! try_install 1; then
 	echo "Retrying with Bearer map only (websocket map likely already defined on proxy)..."
 	if ! try_install 0; then
 		echo "Deploy failed (SSH, sudo, nginx -t, or missing include /etc/nginx/conf.d/*.conf)." >&2
-		echo "Re-run from a host with ProxyJump access to the proxy; reuse token with IA_ENSO_OLLAMA_BEARER_TOKEN if needed." >&2
+		echo "Re-run from a host with SSH access to the proxy (LAN direct: DEPLOY_SSH_PROXY_HOST=); reuse token with IA_ENSO_OLLAMA_BEARER_TOKEN if needed." >&2
 		exit 1
 	fi
 fi