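#!/bin/sh
# Pre-flight entrypoint for the NGINX proxy container.
#
# Steps, in order:
#   1. Advisory DNS check of every server_name found in /etc/nginx/conf.d.
#   2. SSL renewal check (/scripts/renew_ssl.sh).
#   3. Clone or update the configuration repository in /opt/repo.
#   4. Replace the baked-in NGINX config directories with symlinks into the
#      repository checkout.
#   5. Register the renewal and git-sync cron jobs and start crond.
#   6. exec the command given as arguments.
#
# Environment:
#   HOST_PUBLIC_IP  address the domains are expected to resolve to (optional;
#                   the DNS check only warns).
#   GIT_PASS        deploy password/token, percent-encoded because it is
#                   interpolated into the clone URL. Required whenever the
#                   repository has to be cloned.
#   GIT_USER        deploy user (default: gitea-deploy).
#   GIT_REPO        repository host and path without scheme (default below).
set -e

# Print one message with the common prefix.
log() {
  printf '[Pre-Flight] %s\n' "$*"
}

log "Starting checks..."

# ------------------------------------------------------------------------------
# DNS checks (advisory only: they never abort start-up)
# ------------------------------------------------------------------------------
if [ -z "$HOST_PUBLIC_IP" ]; then
  log "WARNING: HOST_PUBLIC_IP not set. DNS checks might be inaccurate."
fi

for conf in /etc/nginx/conf.d/*.conf; do
  [ -e "$conf" ] || continue
  log "Checking config: $conf"

  # Naive extraction of server_name values; good enough for standard
  # single-line directives.
  DOMAINS=$(grep -E "^\s*server_name\s+" "$conf" | sed -r 's/.*server_name\s+(.*);/\1/')

  # The list is split on whitespace on purpose. Globbing is switched off for
  # the loop so that a wildcard name such as *.example.com is not expanded
  # against files in the current directory.
  set -f
  for domain in $DOMAINS; do
    case "$domain" in
      _ | localhost)
        continue
        ;;
      *\** | "~"*)
        # Wildcard and regex names have no single record to look up.
        log "Skipping non-resolvable server_name: $domain"
        continue
        ;;
    esac

    log "Validating DNS for $domain..."
    # With a CNAME chain dig prints the aliases first; the last line is the
    # final answer.
    RESOLVED_IP=$(dig +short "$domain" @1.1.1.1 | tail -n 1)

    if [ -z "$RESOLVED_IP" ]; then
      log "WARNING: Domain $domain did not resolve via 1.1.1.1"
    elif [ "$RESOLVED_IP" != "$HOST_PUBLIC_IP" ]; then
      log "WARNING: Domain $domain resolves to $RESOLVED_IP, expected $HOST_PUBLIC_IP"
    else
      log "DNS OK: $domain -> $RESOLVED_IP"
    fi
  done
  set +f
done

# ------------------------------------------------------------------------------
# SSL renewal check (the script handles its own iteration)
# ------------------------------------------------------------------------------
log "Running SSL renewal check..."
/scripts/renew_ssl.sh

# ==============================================================================
# GIT SYNC & DYNAMIC CONFIG SETUP
# ==============================================================================
REPO_DIR="/opt/repo"
GIT_USER="${GIT_USER:-gitea-deploy}"
GIT_REPO="${GIT_REPO:-git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder.git}"

# The deploy credential is injected through the environment and is never
# stored in this file. Any credential that was ever committed inline in a
# script like this one must be treated as exposed and rotated.
#
# NOTE(review): the credential is still passed inside the clone URL, so it is
# written to $REPO_DIR/.git/config and is visible in the process list while
# git runs. /scripts/git_sync.sh presumably relies on that stored URL -
# confirm before moving both scripts to a credential helper.

# Abort with a clear message when no deploy credential was provided.
require_git_pass() {
  if [ -z "$GIT_PASS" ]; then
    log "ERROR: GIT_PASS is not set; cannot clone the configuration repository." >&2
    exit 1
  fi
}

# Clone the configuration repository into REPO_DIR.
clone_repo() {
  require_git_pass
  git clone "https://${GIT_USER}:${GIT_PASS}@${GIT_REPO}" "$REPO_DIR"
}

log "Checking repository at $REPO_DIR..."

if [ ! -d "$REPO_DIR/.git" ]; then
  log "Repository not found. Cloning..."
  mkdir -p "$REPO_DIR"
  clone_repo
else
  log "Repository exists. Pulling latest..."
  git config --global --add safe.directory "$REPO_DIR"

  # git -C keeps the working directory of this script (and of the process
  # exec'd at the end) the same on the clone path and on the pull path.
  if ! git -C "$REPO_DIR" pull; then
    log "ERROR: Git pull failed (likely corrupt ref/lock). Re-cloning..."

    # Check the credential before deleting anything: without it the re-clone
    # cannot succeed and the existing checkout would be lost for nothing.
    require_git_pass

    # NOTE(review): a transient network failure also lands here and wipes the
    # last known-good checkout; if the clone then fails, set -e aborts and
    # NGINX is not started.
    #
    # REPO_DIR may be a mountpoint, so it is emptied rather than removed.
    # find also catches hidden files, which a plain glob would miss.
    find "${REPO_DIR:?}" -mindepth 1 -delete
    clone_repo
  fi
fi

# ------------------------------------------------------------------------------
# SYMLINK SETUP
# NGINX should use the configs from the repo (dynamic) instead of the baked-in
# ones (static). Whatever is in these repository directories becomes live proxy
# and WAF configuration, so write access to the repository is equivalent to
# control of this proxy.
# ------------------------------------------------------------------------------

# Replace NGINX path $2 with a symlink to repository directory $1, if the
# repository provides that directory.
link_from_repo() {
  if [ -d "$REPO_DIR/$1" ]; then
    log "Linking $1..."
    rm -rf "$2"
    ln -s "$REPO_DIR/$1" "$2"
  fi
}

log "Setting up symlinks..."
link_from_repo conf.d /etc/nginx/conf.d           # 1. sites
link_from_repo snippets /etc/nginx/snippets       # 2. snippets (optional)
link_from_repo modsec_rules /etc/nginx/custom_rules # 3. ModSecurity rules (optional)

# ------------------------------------------------------------------------------
# CRON
# ------------------------------------------------------------------------------

# Append line $1 to root's crontab unless that exact line is already present,
# so that restarting the container does not pile up duplicate jobs.
add_cron_job() {
  grep -qxF -- "$1" /etc/crontabs/root 2>/dev/null \
    || printf '%s\n' "$1" >> /etc/crontabs/root
}

# Daily renewal at 01:00.
add_cron_job "0 1 * * * /scripts/renew_ssl.sh >> /var/log/nginx/ssl_renew.log 2>&1"
# Git sync every 5 minutes.
add_cron_job "*/5 * * * * /scripts/git_sync.sh >> /var/log/nginx/git_sync.log 2>&1"

# Start crond in the background.
crond -b -l 8

log "Checks complete. Starting NGINX..."

# Trigger the SSL renewal again in 60s, in the background. This catches the
# fresh snakeoil certs (1 day expiry) and renews them against the NGINX that
# is running by then.
(sleep 60 && /scripts/renew_ssl.sh >> /var/log/nginx/ssl_bootstrap.log 2>&1) &

exec "$@"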