archy/scripts/setup-https-dev.sh

#!/bin/bash
#
# Set up HTTPS on Archipelago dev server for PWA installability.
# Browsers require HTTPS (or localhost) to install PWAs.
# Generates a self-signed certificate and configures nginx.
#
# Run on the target server: sudo ./setup-https-dev.sh
# Or via deploy: the deploy script runs this automatically.
#

set -e

SSL_DIR="/etc/archipelago/ssl"
NGINX_CFG="/etc/nginx/sites-available/archipelago"
CERT="$SSL_DIR/archipelago.crt"
KEY="$SSL_DIR/archipelago.key"

# Create SSL directory
mkdir -p "$SSL_DIR"
chmod 755 "$SSL_DIR"

# Generate self-signed cert if missing (valid 365 days)
# SAN includes common dev IPs so cert works when accessing via IP
# Build dynamic SAN with all node IPs (LAN + Tailscale + loopback)
SAN_IPS="DNS:archipelago.local,DNS:localhost,IP:127.0.0.1"
# Add all IPv4 addresses on this machine (LAN, Tailscale, etc.)
for ip in $(hostname -I 2>/dev/null | tr ' ' '\n' | grep -E '^[0-9]+\.' | grep -v '^127\.'); do
    SAN_IPS="$SAN_IPS,IP:$ip"
done
# Always include common LAN IPs as fallback
for ip in 192.168.1.228 192.168.1.198 10.0.0.1; do
    echo "$SAN_IPS" | grep -q "$ip" || SAN_IPS="$SAN_IPS,IP:$ip"
done

# Regenerate cert if missing OR if current cert doesn't include this node's primary IP
REGEN=false
if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then
    REGEN=true
else
    # Check if cert has this node's primary IP
    MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
    if [ -n "$MY_IP" ] && ! openssl x509 -in "$CERT" -noout -text 2>/dev/null | grep -q "$MY_IP"; then
        echo "   Certificate missing this node's IP ($MY_IP) — regenerating..."
        REGEN=true
    fi
fi

if [ "$REGEN" = true ]; then
    echo "Generating self-signed certificate for PWA (HTTPS)..."
    echo "   SAN: $SAN_IPS"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$KEY" \
        -out "$CERT" \
        -subj "/CN=archipelago.local/O=Archipelago/C=US" \
        -addext "subjectAltName=$SAN_IPS"
    chmod 644 "$CERT"
    chmod 600 "$KEY"
    echo "   Certificate created at $CERT"
fi

# PWA snippet for manifest + service worker headers (required for Android install)
NGINX_SNIPPETS="/etc/nginx/snippets"
PWA_SNIPPET="$NGINX_SNIPPETS/archipelago-pwa.conf"
mkdir -p "$NGINX_SNIPPETS"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
if [ -f "$SCRIPT_DIR/nginx-pwa-snippet.conf" ]; then
    cp "$SCRIPT_DIR/nginx-pwa-snippet.conf" "$PWA_SNIPPET"
    echo "   PWA nginx snippet installed at $PWA_SNIPPET"
fi

# Add PWA snippet include to existing HTTPS block if missing
if grep -q "listen 443 ssl" "$NGINX_CFG" 2>/dev/null && [ -f "$PWA_SNIPPET" ]; then
    if ! grep -q "archipelago-pwa" "$NGINX_CFG" 2>/dev/null; then
        echo "   Adding PWA snippet include to HTTPS block..."
        # Insert include after "index index.html;" within the HTTPS server block (listen 443 to next })
        sed -i '/listen 443 ssl/,/^}$/{
            /index index.html;/a\
    include snippets/archipelago-pwa.conf;
        }' "$NGINX_CFG" 2>/dev/null || true
    fi
fi

# Install app proxies snippet (mempool, fedimint, lnd, etc.) - fixes apps not opening over HTTPS (mixed content)
APPS_SNIPPET="$NGINX_SNIPPETS/archipelago-https-app-proxies.conf"
if [ -f "$SCRIPT_DIR/nginx-https-app-proxies.conf" ]; then
    cp "$SCRIPT_DIR/nginx-https-app-proxies.conf" "$APPS_SNIPPET"
    echo "   HTTPS app proxies snippet installed at $APPS_SNIPPET"
    # Add include to HTTPS block if missing
    if grep -q "listen 443 ssl" "$NGINX_CFG" 2>/dev/null && ! grep -q "archipelago-https-app-proxies" "$NGINX_CFG" 2>/dev/null; then
        echo "   Adding app proxies include to HTTPS block..."
        sed -i '/listen 443 ssl/,/^}$/{
            /location \/ws {/i\
    include snippets/archipelago-https-app-proxies.conf;
        }' "$NGINX_CFG" 2>/dev/null || true
    fi
fi

# Check if HTTPS is already configured
if grep -q "listen 443 ssl" "$NGINX_CFG" 2>/dev/null; then
    echo "HTTPS already configured in nginx."
    nginx -t 2>/dev/null && systemctl reload nginx
    MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
    echo ""
    echo "PWA: Use https://${MY_IP:-192.168.1.228} (not http) - accept cert once, then Install app."
    exit 0
fi

# Add HTTPS server block (duplicate of HTTP block with SSL)
# PWA requires HTTPS for install on Android
HTTPS_BLOCK='
# HTTPS - required for PWA install (Add to Home Screen) from dev servers
server {
    listen 443 ssl;
    server_name _;
    
    ssl_certificate '"$CERT"';
    ssl_certificate_key '"$KEY"';
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    
    root /opt/archipelago/web-ui;
    index index.html;
    include snippets/archipelago-pwa.conf;
    
    location / {
        try_files $uri $uri/ /index.html;
    }
    
    location /archipelago/ {
        proxy_pass http://127.0.0.1:5678;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    
    location /rpc/ {
        proxy_pass http://127.0.0.1:5678;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_connect_timeout 600s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
    }
    
    location /app/nextcloud/ {
        proxy_pass http://127.0.0.1:8085/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    location /app/vaultwarden/ {
        proxy_pass http://127.0.0.1:8082/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
    }
    location /app/immich/ {
        proxy_pass http://127.0.0.1:2283/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    location /app/penpot/ {
        proxy_pass http://127.0.0.1:9001/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    location /app/btcpay/ {
        proxy_pass http://127.0.0.1:23000/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
    }
    location /app/homeassistant/ {
        proxy_pass http://127.0.0.1:8123/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
    location /app/mempool/ {
        proxy_pass http://127.0.0.1:4080/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    location /app/fedimint/ {
        proxy_pass http://127.0.0.1:8175/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    location /app/lnd/ {
        proxy_pass http://127.0.0.1:8081/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    location /app/bitcoin-ui/ {
        proxy_pass http://127.0.0.1:8334/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
    }
    
    location /ws {
        proxy_pass http://127.0.0.1:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 86400s;
    }
}
'

# Append HTTPS block to nginx config
echo "$HTTPS_BLOCK" >> "$NGINX_CFG"
echo "Added HTTPS (port 443) to nginx config."

# Test and reload
nginx -t && systemctl reload nginx
echo ""
MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
echo "HTTPS enabled. PWA install: https://${MY_IP:-192.168.1.228} (accept the certificate warning once, then Install app)."