qipai/scripts/setup/domain-https.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=lib.sh
. "${SCRIPT_DIR}/lib.sh"
# shellcheck source=certbot.sh
. "${SCRIPT_DIR}/certbot.sh"

qipai_domain_https_status() {
  local template_path nginx_available nginx_enabled
  template_path="${SCRIPT_DIR}/../../deploy/nginx/api.txyundm.cn.conf.template"
  nginx_available="/etc/nginx/sites-available/qipai-api.conf"
  nginx_enabled="/etc/nginx/sites-enabled/qipai-api.conf"

  qipai_info "domain: ${QIPAI_DOMAIN}"
  qipai_info "origin: ${QIPAI_API_ORIGIN}"
  qipai_info "app api: ${QIPAI_API_ORIGIN}/app-api"
  qipai_info "admin api: ${QIPAI_API_ORIGIN}/admin-api"
  qipai_info "nginx template: ${template_path}"
  qipai_info "target nginx config: ${nginx_available}"

  if [ -f "$template_path" ]; then
    qipai_pass "nginx template exists"
  else
    qipai_warn "nginx template not found"
  fi

  if command -v getent >/dev/null 2>&1; then
    if getent hosts "$QIPAI_DOMAIN" >/dev/null 2>&1; then
      qipai_pass "DNS resolves for ${QIPAI_DOMAIN}"
      getent hosts "$QIPAI_DOMAIN" | head -3
    else
      qipai_warn "DNS does not resolve from this host"
    fi
  else
    qipai_warn "getent not available; DNS check skipped"
  fi

  if command -v nginx >/dev/null 2>&1; then
    nginx -t && qipai_pass "nginx config test passed" || qipai_warn "nginx config test failed or requires production privileges"
  else
    qipai_warn "nginx not installed"
  fi

  if [ -f "$nginx_available" ]; then
    qipai_pass "nginx site file exists: ${nginx_available}"
  else
    qipai_warn "nginx site file not installed yet"
  fi

  if [ -L "$nginx_enabled" ] || [ -f "$nginx_enabled" ]; then
    qipai_pass "nginx site enabled: ${nginx_enabled}"
  else
    qipai_warn "nginx site not enabled yet"
  fi

  if command -v openssl >/dev/null 2>&1; then
    qipai_info "TLS certificate live check:"
    echo | openssl s_client -servername "$QIPAI_DOMAIN" -connect "${QIPAI_DOMAIN}:443" 2>/dev/null | openssl x509 -noout -subject -issuer -dates 2>/dev/null || qipai_warn "live TLS certificate not reachable"
  else
    qipai_warn "openssl not installed"
  fi

  if command -v curl >/dev/null 2>&1; then
    qipai_info "health probe: ${QIPAI_API_ORIGIN}/health"
    curl -fsSIL --max-time 10 "${QIPAI_API_ORIGIN}/health" >/dev/null 2>&1 && qipai_pass "HTTPS health endpoint reachable" || qipai_warn "HTTPS health endpoint not reachable"
  else
    qipai_warn "curl not installed"
  fi

  qipai_certbot_status

  qipai_info "manual install command after certificate is ready:"
  qipai_info "sudo install -m 0644 ${template_path} ${nginx_available} && sudo ln -sfn ${nginx_available} ${nginx_enabled} && sudo nginx -t && sudo systemctl reload nginx"
}

if [ "${1:-}" = "--run" ]; then
  qipai_domain_https_status
fi