#!/bin/bash
set -euo pipefail

# HestiaCP's v-* CLI lives outside the default PATH; put it first so the bare
# command names used throughout this script resolve identically under cron,
# sudo and interactive shells.
export PATH="/usr/local/hestia/bin:/usr/local/bin:/usr/bin:/bin:${PATH}"

########################################
# INGRESO DE VARIABLES
########################################

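if [[ $# -lt 4 ]]; then
  echo "Uso: ./setup_cd_project4.sh <base_name> <email> \"<title>\" <product> [password] [domain]"
  echo "Ejemplo: ./setup_cd_project4.sh juandev2 juan@mail.com \"Juan Dev Studio\" art-design"
  echo "Ejemplo: ./setup_cd_project4.sh juandev2 juan@mail.com \"Juan Dev Studio\" petite-website MyPass123 https://juandev2.bewpro.com"
  exit 1
fi

# Positional arguments. All of this is operator input that later ends up in
# file paths, `su -c` command strings and sed expressions, so it is validated
# (see VALIDACIONES) before anything touches the system.
BASE_NAME="${1,,}"   # HestiaCP rejects upper-case user/domain names — force lower-case
EMAIL="$2"
TITLE="$3"
PRODUCT="$4"

# SECURITY: a password passed as argv ($5) is visible to every local user via
# `ps` and may land in shell history; prefer letting the script generate one.
# The same secret is reused later as HestiaCP panel password, MySQL password
# and application admin password — one leak compromises all three.
# The generated default is 20 alphanumeric characters (~119 bits); a fixed
# length, unlike the old base64-then-strip approach whose length varied.
if [[ -n "${5:-}" ]]; then
  PASSWORD="$5"
else
  PASSWORD=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9')
  PASSWORD="${PASSWORD:0:20}"
fi

DOMAIN_ARG="${6:-}"
DOMAIN_ARG="${DOMAIN_ARG,,}"  # lower-case custom domains too (same HestiaCP constraint)

# Optional behaviour switches, read from the environment.
SKIP_ASSETS="${SKIP_ASSETS:-false}"
CLEAN_PROVISION="${CLEAN_PROVISION:-false}"
BRAND_COLORS="${BRAND_COLORS:-}"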

########################################
# VARIABLES AUTOMÁTICAS
########################################

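# HestiaCP caps usernames at 8 characters. Truncating here (instead of letting
# Hestia do it) keeps USERNAME consistent with the /home/<user>/web/<domain>
# paths built below; a mismatch produced "mkdir: cannot create directory
# 'web/...': Permission denied". Only the username is truncated — the domain
# keeps the full BASE_NAME.
USERNAME="${BASE_NAME:0:8}"

# Reduce a URL or bare host to its host part: strips an http(s):// scheme and
# everything from the first "/" onward. Pure string function, no side effects.
domain_from_url() {
  local host="${1#https://}"
  host="${host#http://}"
  printf '%s' "${host%%/*}"
}

if [[ -n "${DOMAIN_ARG}" ]]; then
  APP_URL="${DOMAIN_ARG}"
  DOMAIN_NAME=$(domain_from_url "${DOMAIN_ARG}")
else
  DOMAIN_NAME="${BASE_NAME}.bewpro.com"
  APP_URL="https://${DOMAIN_NAME}"
fi

DB_NAME="bp"
DB_USER="bpuser"
# NOTE: the same secret serves as HestiaCP user password, MySQL password and
# app admin password further down.
DB_PASSWORD="${PASSWORD}"
APP_NAME="${BASE_NAME}"

REPO_SSH="git@github.com:LACOMPANIADIGITAL/cd-system.git"
REPO_REFERENCE="/opt/cd-system-reference.git"   # root-owned bare mirror used as --reference for tenant clones
PROJECT_DIR_NAME="${BASE_NAME}"

# Prefer a pinned PHP binary; fall back to whatever "php" resolves to.
PHP_BIN="/usr/bin/php8.2"
[ -x "$PHP_BIN" ] || PHP_BIN="/usr/bin/php8.1"
[ -x "$PHP_BIN" ] || PHP_BIN="php"
COMPOSER_BIN="composer"
COMPOSER_CACHE_DIR="/root/.composer-cache"

WEB_ROOT="/home/${USERNAME}/web/${DOMAIN_NAME}/public_html"

HOSTINGER_DNS_ZONE="bewpro.com"

# True if $1 is a dotted-quad IPv4 literal with every octet in 0-255.
is_ipv4() {
  local ip="$1" octet
  [[ "$ip" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# Public IPv4 this server should be reachable at (used for the DNS A record and
# the propagation check). TARGET_SERVER_IP overrides auto-detection; otherwise
# ask ipify and fall back to the first address of `hostname -I`, which may be a
# private one behind NAT. The result is checked to be an IPv4 literal so that
# an HTML error page or an empty body never reaches the DNS API.
if [[ -n "${TARGET_SERVER_IP:-}" ]]; then
  HOSTINGER_SERVER_IP="${TARGET_SERVER_IP}"
else
  HOSTINGER_SERVER_IP=$(curl -fs --max-time 5 https://api.ipify.org 2>/dev/null || true)
  if ! is_ipv4 "${HOSTINGER_SERVER_IP}"; then
    HOSTINGER_SERVER_IP=$(hostname -I 2>/dev/null | awk '{print $1}' || true)
  fi
fi
if ! is_ipv4 "${HOSTINGER_SERVER_IP}"; then
  echo "[init] WARN: no se pudo determinar una IPv4 válida del servidor (valor: '${HOSTINGER_SERVER_IP}') — definir TARGET_SERVER_IP" >&2
fi

# Optional secrets (HOSTINGER_TOKEN and, presumably, the Airtable/mail/billing
# values read later) come from a root-only env file, never from argv.
CONFIG_FILE="/root/scripts/.airtable.env"
if [[ -f "$CONFIG_FILE" ]]; then
  # It is sourced as root, i.e. executed as code: refuse it unless root-owned
  # and not writable by group/others.
  cfg_stat=$(stat -c '%u:%a' "$CONFIG_FILE" 2>/dev/null || echo "?")
  if [[ ! "$cfg_stat" =~ ^0:[0-7]?[0-7][0145][0145]$ ]]; then
    echo "ERROR: ${CONFIG_FILE} debe ser propiedad de root y no escribible por grupo/otros (uid:modo actual ${cfg_stat})" >&2
    exit 1
  fi
  # shellcheck disable=SC1090
  source "$CONFIG_FILE"
fi
HOSTINGER_TOKEN="${HOSTINGER_TOKEN:-}"

ZEROSSL_EAB_KID="${ZEROSSL_EAB_KID:-}"
ZEROSSL_EAB_HMAC_KEY="${ZEROSSL_EAB_HMAC_KEY:-}"
ACME_BIN="/root/.acme.sh/acme.sh"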

########################################
# FUNCIONES AUXILIARES
########################################

# Print an error to stderr and abort the whole script with status 1.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Abort unless $1 resolves to an executable command (bare name or absolute path).
require_cmd() {
  local cmd="$1"
  if ! command -v -- "$cmd" >/dev/null 2>&1; then
    die "No se encontró el comando requerido: ${cmd}"
  fi
}

########################################
# FUNCIÓN: Sanear webserver
# FIX: Solo elimina conf SSL si el cert tampoco existe en acme.sh
#      Evita el "gap" que causaba que el browser recibiera HSTS
#      con cert inválido y quedara bloqueado.
########################################

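# Delete ONE HestiaCP *.ssl.conf whose referenced certificate file is missing
# AND for which acme.sh holds no issued certificate either. If acme.sh still
# has the cert the conf is kept (install_cert_hestia puts the files back);
# this avoids the window where the vhost vanishes after HSTS was already sent
# and the browser refuses the site.
# Arguments: $1 conf path, $2 PCRE capturing the cert path, $3 label (apache|nginx)
# Env: ACME_HOME overrides the acme.sh home (default /root/.acme.sh), for tests
# Returns: 0 if the conf was removed, 1 otherwise
_prune_orphan_ssl_conf() {
  local conf="$1" cert_regex="$2" label="$3"
  local acme_home="${ACME_HOME:-/root/.acme.sh}"
  local cert_file domain

  [[ -f "$conf" ]] || return 1
  cert_file=$(grep -oP -- "$cert_regex" "$conf" 2>/dev/null | head -1 || true)
  # Nothing to do when the conf has no cert directive or the cert is present.
  [[ -n "$cert_file" && ! -f "$cert_file" ]] || return 1

  domain=$(basename -- "$conf" .ssl.conf)
  if [[ -f "${acme_home}/${domain}_ecc/${domain}.cer" ]]; then
    echo "[webserver] Cert existe en acme.sh, preservando conf ${label}: ${conf}" >&2
    return 1
  fi
  echo "[webserver] Eliminando conf ${label} roto (sin cert en acme.sh): ${conf}" >&2
  rm -f -- "$conf"
  return 0
}

# Sweep HestiaCP's apache and nginx SSL vhost confs, drop those whose cert is
# gone from both disk and acme.sh, and reload the web servers only if something
# was removed. Reloads are serialised with a lock because several provisioning
# runs may execute concurrently.
fix_and_reload_webserver() {
  local fixed=false conf

  for conf in /etc/apache2/conf.d/domains/*.ssl.conf; do
    if _prune_orphan_ssl_conf "$conf" '(?<=SSLCertificateFile ).*' apache; then
      fixed=true
    fi
  done

  for conf in /etc/nginx/conf.d/domains/*.ssl.conf; do
    if _prune_orphan_ssl_conf "$conf" '(?<=ssl_certificate ).*(?=;)' nginx; then
      fixed=true
    fi
  done

  # Nothing broken → no reload and no log line (keeps parallel runs quiet).
  $fixed || return 0

  echo "[webserver] Confs rotos eliminados — recargando servicios..." >&2
  (
    flock -x -w 30 200 2>/dev/null || true
    systemctl reload nginx 2>/dev/null || systemctl restart nginx 2>/dev/null || true
    systemctl reload apache2 2>/dev/null || systemctl restart apache2 2>/dev/null || true
  ) 200>/var/lock/bewpro-webserver-reload.lock
}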

########################################
# FUNCTION: install the issued certificate into HestiaCP
# Ensures the domain has SSL enabled (bootstrapping with a 1-day self-signed
# cert if needed), swaps in the acme.sh certificate, verifies that nginx
# actually serves it on port 443, and registers an acme.sh --install-cert
# renewal hook. HSTS is deliberately NOT enabled — see the note at the end
# of the function.
########################################

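install_cert_hestia() {
  local TMP_SSL
  TMP_SSL=$(mktemp -d "/tmp/ssl_${USERNAME}_XXXXXX")
  local CERT_DIR="/home/${USERNAME}/conf/web/${DOMAIN_NAME}/ssl"
  local ACME_CERT_DIR="/root/.acme.sh/${DOMAIN_NAME}_ecc"

  # v-update-web-domain-ssl only works once the domain has SSL=yes; bootstrap
  # that flag with a throw-away 1-day self-signed cert when it is missing.
  local SSL_STATUS
  SSL_STATUS=$(v-list-web-domain "${USERNAME}" "${DOMAIN_NAME}" 2>/dev/null \
    | grep -i "^SSL" | awk '{print $2}' || echo "no")
  if [[ "${SSL_STATUS,,}" != "yes" ]]; then
    echo "[SSL] Dominio sin SSL habilitado — activando con self-signed temporal..." >&2
    local TMP_SELF
    TMP_SELF=$(mktemp -d "/tmp/ssl_self_${USERNAME}_XXXXXX")
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
      -keyout "${TMP_SELF}/${DOMAIN_NAME}.key" \
      -out    "${TMP_SELF}/${DOMAIN_NAME}.crt" \
      -days 1 -nodes \
      -subj "/CN=${DOMAIN_NAME}" 2>/dev/null || true
    cp "${TMP_SELF}/${DOMAIN_NAME}.crt" "${TMP_SELF}/${DOMAIN_NAME}.ca"  2>/dev/null || true
    cp "${TMP_SELF}/${DOMAIN_NAME}.crt" "${TMP_SELF}/${DOMAIN_NAME}.pem" 2>/dev/null || true
    if [[ -f "${TMP_SELF}/${DOMAIN_NAME}.crt" ]] && [[ -f "${TMP_SELF}/${DOMAIN_NAME}.key" ]]; then
      v-add-web-domain-ssl "${USERNAME}" "${DOMAIN_NAME}" "${TMP_SELF}" 2>/dev/null || true
      sleep 1
      echo "[SSL] Self-signed temporal instalado — SSL flag activado ✓" >&2
    fi
    rm -rf "${TMP_SELF}"
  fi

  # Stage the acme.sh output under Hestia's expected names. Fail loudly (and
  # remove the temp dir) if acme.sh did not actually leave a certificate —
  # the old unconditional cp tripped `set -e` and orphaned the temp dir.
  local f
  for f in "${DOMAIN_NAME}.cer" "${DOMAIN_NAME}.key" ca.cer fullchain.cer; do
    if [[ ! -f "${ACME_CERT_DIR}/${f}" ]]; then
      rm -rf "${TMP_SSL}"
      die "[SSL] falta ${ACME_CERT_DIR}/${f} — acme.sh no dejó el certificado"
    fi
  done
  cp "${ACME_CERT_DIR}/${DOMAIN_NAME}.cer"  "${TMP_SSL}/${DOMAIN_NAME}.crt"
  cp "${ACME_CERT_DIR}/${DOMAIN_NAME}.key"  "${TMP_SSL}/${DOMAIN_NAME}.key"
  cp "${ACME_CERT_DIR}/ca.cer"              "${TMP_SSL}/${DOMAIN_NAME}.ca"
  cp "${ACME_CERT_DIR}/fullchain.cer"       "${TMP_SSL}/${DOMAIN_NAME}.pem"

  # v-update replaces whatever cert is there (self-signed or previous); v-add
  # is kept as a fallback. Errors are deliberately swallowed because the real
  # check is the live TLS probe below.
  echo "[SSL] Instalando cert real (v-update-web-domain-ssl)..." >&2
  v-update-web-domain-ssl "${USERNAME}" "${DOMAIN_NAME}" "${TMP_SSL}" 2>/dev/null \
    || v-add-web-domain-ssl "${USERNAME}" "${DOMAIN_NAME}" "${TMP_SSL}" 2>/dev/null \
    || true
  v-add-web-domain-ssl-force "${USERNAME}" "${DOMAIN_NAME}" 2>/dev/null || true

  # Probe port 443 with SNI and look at the issuer of what nginx serves.
  # Three outcomes: empty (probe failed — DNS not propagated, port closed,
  # timeout), a self-signed-looking issuer, or the real CA. The first two both
  # take the manual-copy path; the old code reported an EMPTY issuer as
  # "verified", hiding exactly the failure this check exists for.
  sleep 2
  local INSTALLED_ISSUER
  INSTALLED_ISSUER=$(echo | timeout 8 openssl s_client \
    -connect "${DOMAIN_NAME}:443" \
    -servername "${DOMAIN_NAME}" 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null || echo "")

  local NEEDS_MANUAL_COPY=false
  if [[ -z "${INSTALLED_ISSUER}" ]]; then
    echo "[SSL] WARN: no se pudo verificar el cert en ${DOMAIN_NAME}:443 (¿DNS sin propagar?) — forzando copia manual..." >&2
    NEEDS_MANUAL_COPY=true
  elif echo "${INSTALLED_ISSUER}" | grep -qi "hestia\|self\|CN=vps"; then
    # Issuer fragments presumably matching Hestia's / the host's self-signed certs.
    echo "[SSL] WARN: nginx aún sirve self-signed — forzando reload manual..." >&2
    NEEDS_MANUAL_COPY=true
  fi

  if $NEEDS_MANUAL_COPY; then
    # Bypass the v-* layer: drop the files straight into conf/web and reload.
    mkdir -p "${CERT_DIR}"
    cp -f "${TMP_SSL}/${DOMAIN_NAME}.crt" "${CERT_DIR}/${DOMAIN_NAME}.crt"
    cp -f "${TMP_SSL}/${DOMAIN_NAME}.key" "${CERT_DIR}/${DOMAIN_NAME}.key"
    cp -f "${TMP_SSL}/${DOMAIN_NAME}.ca"  "${CERT_DIR}/${DOMAIN_NAME}.ca"
    cp -f "${TMP_SSL}/${DOMAIN_NAME}.pem" "${CERT_DIR}/${DOMAIN_NAME}.pem"
    cp -f "${TMP_SSL}/${DOMAIN_NAME}.crt" "${CERT_DIR}/ssl.crt" 2>/dev/null || true
    cp -f "${TMP_SSL}/${DOMAIN_NAME}.key" "${CERT_DIR}/ssl.key" 2>/dev/null || true
    cp -f "${TMP_SSL}/${DOMAIN_NAME}.ca"  "${CERT_DIR}/ssl.ca"  2>/dev/null || true
    cp -f "${TMP_SSL}/${DOMAIN_NAME}.pem" "${CERT_DIR}/ssl.pem" 2>/dev/null || true
    systemctl reload nginx 2>/dev/null || true
    echo "[SSL] Reload forzado ✓" >&2
  else
    echo "[SSL] Cert real verificado en nginx ✓ (${INSTALLED_ISSUER})" >&2
  fi

  # ssl.* are the paths the acme.sh --install-cert hook below keeps updated.
  mkdir -p "${CERT_DIR}"
  cp -f "${CERT_DIR}/${DOMAIN_NAME}.crt" "${CERT_DIR}/ssl.crt" 2>/dev/null || true
  cp -f "${CERT_DIR}/${DOMAIN_NAME}.key" "${CERT_DIR}/ssl.key" 2>/dev/null || true
  cp -f "${CERT_DIR}/${DOMAIN_NAME}.ca"  "${CERT_DIR}/ssl.ca"  2>/dev/null || true
  cp -f "${CERT_DIR}/${DOMAIN_NAME}.pem" "${CERT_DIR}/ssl.pem" 2>/dev/null || true

  rm -rf "${TMP_SSL}"
  fix_and_reload_webserver

  # Renewal hook: on every acme.sh renewal re-stage the files, push them through
  # v-update-web-domain-ssl and reload nginx. USERNAME/DOMAIN_NAME are baked
  # into the command string unquoted, so DOMAIN_NAME must be a plain hostname —
  # validate custom domains before relying on this.
  "${ACME_BIN}" --install-cert \
    -d "${DOMAIN_NAME}" \
    --cert-file      "${CERT_DIR}/ssl.crt" \
    --key-file       "${CERT_DIR}/ssl.key" \
    --ca-file        "${CERT_DIR}/ssl.ca" \
    --fullchain-file "${CERT_DIR}/ssl.pem" \
    --reloadcmd "export PATH=/usr/local/hestia/bin:/usr/local/bin:\$PATH; \
      TMP=\$(mktemp -d); \
      cp /root/.acme.sh/${DOMAIN_NAME}_ecc/${DOMAIN_NAME}.cer \${TMP}/${DOMAIN_NAME}.crt && \
      cp /root/.acme.sh/${DOMAIN_NAME}_ecc/${DOMAIN_NAME}.key \${TMP}/${DOMAIN_NAME}.key && \
      cp /root/.acme.sh/${DOMAIN_NAME}_ecc/ca.cer \${TMP}/${DOMAIN_NAME}.ca && \
      cp /root/.acme.sh/${DOMAIN_NAME}_ecc/fullchain.cer \${TMP}/${DOMAIN_NAME}.pem && \
      v-update-web-domain-ssl ${USERNAME} ${DOMAIN_NAME} \${TMP} && \
      rm -rf \${TMP} && \
      systemctl reload nginx" \
    >/dev/null 2>&1 || true
  # HSTS is intentionally left off: a cached HSTS policy plus a bad cert would
  # lock browsers out of the site entirely (see fix_and_reload_webserver).
  echo "[SSL] HSTS desactivado intencionalmente — cert instalado sin HSTS ✓" >&2
}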
########################################
# FUNCIÓN: Crear registro DNS
########################################

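# Upsert the A record <subdomain>.bewpro.com → HOSTINGER_SERVER_IP through the
# Hostinger DNS API. Only acts for *.bewpro.com targets when HOSTINGER_TOKEN is
# set; otherwise it prints the record the operator has to create by hand.
# Arguments: $1 subdomain label (without the zone)
# Globals read: APP_URL, HOSTINGER_TOKEN, HOSTINGER_SERVER_IP, HOSTINGER_DNS_ZONE
# Never fails the script — DNS is re-checked in step 9.
create_dns_record() {
  local subdomain="$1"
  local body http_code

  if [[ "${APP_URL}" != *".bewpro.com"* ]]; then
    echo "[DNS] Dominio custom detectado — DNS manual: ${APP_URL} → ${HOSTINGER_SERVER_IP}" >&2
    return 0
  fi
  if [[ -z "${HOSTINGER_TOKEN}" ]]; then
    echo "[DNS] WARN: HOSTINGER_TOKEN no configurado." >&2
    echo "      Crear manualmente: ${subdomain}.bewpro.com → ${HOSTINGER_SERVER_IP}" >&2
    return 0
  fi

  # The bearer token goes in through curl's config on stdin (-K -) instead of
  # an -H argument so it does not show up in `ps` for other local users.
  # ${subdomain} and the IP are the only interpolated fields of the JSON body
  # and must already be a plain label / dotted-quad.
  body=$(printf 'header = "Authorization: Bearer %s"\n' "${HOSTINGER_TOKEN}" \
    | curl -s -K - -X PUT \
        -H "Content-Type: application/json" \
        -w '\n%{http_code}' \
        -d "{\"overwrite\": true, \"zone\": [{\"name\": \"${subdomain}\", \"type\": \"A\", \"ttl\": 3600, \"records\": [{\"content\": \"${HOSTINGER_SERVER_IP}\"}]}]}" \
        "https://developers.hostinger.com/api/dns/v1/zones/${HOSTINGER_DNS_ZONE}" 2>/dev/null || true)
  # -w appended "\n<status>" as the last line; split it off the response body.
  http_code="${body##*$'\n'}"
  body="${body%$'\n'*}"

  # Any 2xx counts as success; the old body heuristic is kept as a fallback.
  if [[ "${http_code}" == 2* ]] || grep -Eq "accepted|success" <<<"${body}"; then
    echo "[DNS] Registro creado: ${subdomain}.${HOSTINGER_DNS_ZONE} → ${HOSTINGER_SERVER_IP}" >&2
  else
    echo "[DNS] WARN: no pudo crearse automáticamente. Crear manualmente:" >&2
    echo "      ${subdomain}.bewpro.com → ${HOSTINGER_SERVER_IP}" >&2
    echo "      Respuesta API: HTTP ${http_code:-sin respuesta} ${body}" >&2
  fi
}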

########################################
# VALIDACIONES
########################################

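if [[ "$(id -u)" -ne 0 ]]; then
  die "Este script debe ejecutarse como root."
fi

# base_name feeds the HestiaCP username, the project directory and (for
# bewpro.com tenants) the hostname, so only [a-z0-9] is allowed.
if [[ ! "$BASE_NAME" =~ ^[a-z0-9]+$ ]]; then
  die "base_name inválido. Solo letras minúsculas y números."
fi
if [[ ${#BASE_NAME} -gt 8 ]]; then
  echo "[WARN] base_name '${BASE_NAME}' tiene ${#BASE_NAME} chars — username truncado a '${USERNAME}' (límite HestiaCP)" >&2
fi

# The e-mail is later embedded in a single-quoted argument of a `su -c` string,
# so the accepted character set is deliberately narrower than RFC 5322: no
# quotes, whitespace, `$` or backslashes.
if [[ ! "$EMAIL" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]; then
  die "Email inválido: $EMAIL"
fi

# DOMAIN_NAME ends up in filesystem paths, grep patterns, nginx/apache confs
# and `su -c` command strings. Require a plain lower-case hostname (labels of
# letters/digits/hyphens, at least one dot) before touching the system.
if [[ ! "$DOMAIN_NAME" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$ ]]; then
  die "Dominio inválido: '${DOMAIN_NAME}' (solo minúsculas, dígitos, guiones y puntos)"
fi
# A custom domain must be given as an https:// URL — the form the usage
# examples document and the only scheme this script ever serves.
if [[ -n "${DOMAIN_ARG}" && "${DOMAIN_ARG}" != https://* ]]; then
  die "El dominio custom debe indicarse como URL https://, recibido: '${DOMAIN_ARG}'"
fi

# PASSWORD is written into .env through a sed replacement and passed inside a
# single-quoted `su -c` argument: shell/sed metacharacters (' " \ | & $ ` #)
# and whitespace would corrupt .env or break out of the quoting. HestiaCP
# applies its own password policy on top of the length check.
if [[ ${#PASSWORD} -lt 8 ]]; then
  die "password demasiado corto (mínimo 8 caracteres)"
fi
if [[ ! "$PASSWORD" =~ ^[A-Za-z0-9._@!%^*+=:,~-]+$ ]]; then
  die "password contiene caracteres no permitidos — usar solo letras, dígitos y . _ @ ! % ^ * + = : , ~ -"
fi

# The server IP goes verbatim into the DNS API JSON body for bewpro.com
# tenants; for custom domains it is only printed, so just warn there.
if [[ ! "${HOSTINGER_SERVER_IP}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  if [[ "${APP_URL}" == *".bewpro.com"* ]]; then
    die "No se pudo determinar la IPv4 del servidor (valor: '${HOSTINGER_SERVER_IP}'). Definir TARGET_SERVER_IP."
  fi
  echo "[WARN] IP del servidor no válida ('${HOSTINGER_SERVER_IP}') — revisar el registro DNS manual" >&2
fi

require_cmd v-add-user
require_cmd v-add-domain
require_cmd v-add-database
require_cmd git
require_cmd "$PHP_BIN"
require_cmd "$COMPOSER_BIN"
require_cmd openssl
require_cmd curl
require_cmd flock     # serialises v-add-domain and web server reloads across parallel runs
require_cmd crontab   # tenant cron jobs are written with crontab(1) directly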

########################################
# INICIO
########################################

# Run summary on stderr (stdout stays clean for callers that capture it).
{
  echo "========================================="
  echo "  SETUP NUEVO PROYECTO: ${DOMAIN_NAME}"
  echo "  Usuario HestiaCP: ${USERNAME}"
  echo "  Email: ${EMAIL}"
  echo "  Título: ${TITLE}"
  echo "  Producto: ${PRODUCT}"
  echo "  URL: ${APP_URL}"
  echo "  Web Root: ${WEB_ROOT}"
  echo "  SKIP_ASSETS: ${SKIP_ASSETS}"
  echo "========================================="
} >&2

# Drop stale SSL vhost confs before anything else touches nginx/apache.
fix_and_reload_webserver

########################################
# 1. Crear usuario y dominio en HestiaCP
########################################

echo "[1/10] Creando usuario en HestiaCP..." >&2

# Idempotent: an existing system account of that name is taken to be the
# HestiaCP user from a previous run. The same secret used here as panel
# password is reused later for the database and the application admin.
if ! id "${USERNAME}" &>/dev/null; then
  v-add-user "${USERNAME}" "${DB_PASSWORD}" "${EMAIL}" \
    || die "Error creando usuario ${USERNAME}"
  echo "[1/10] Usuario ${USERNAME} creado." >&2
else
  echo "[1/10] Usuario ya existe — continuando (idempotente)." >&2
fi

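# Idempotency check: match the domain as a whole field of the listing — the
# old unanchored grep also matched "x<domain>" and any subdomain of it.
DOMAIN_LIST=$(v-list-web-domains "${USERNAME}" 2>/dev/null || true)
if awk -v d="${DOMAIN_NAME}" '{ for (i = 1; i <= NF; i++) if ($i == d) found = 1 } END { exit !found }' <<<"${DOMAIN_LIST}"; then
  echo "[1/10] Dominio ya existe — continuando (idempotente)." >&2
else
  # If the domain is registered under ANOTHER HestiaCP user, v-add-domain
  # fails. The old behaviour deleted that user's web/DNS/mail domain
  # unconditionally — a name collision on the CLI could wipe a live tenant.
  # Now the cleanup only runs automatically when that account no longer exists
  # (a genuine orphan) or when FORCE_ORPHAN_CLEANUP=true; otherwise we stop.
  # -F: the domain contains dots, which a regex would treat as wildcards.
  ORPHAN_USER=$(grep -rlF "DOMAIN='${DOMAIN_NAME}'" /usr/local/hestia/data/users/*/web.conf 2>/dev/null | head -1 | cut -d'/' -f7 || true)
  if [[ -n "${ORPHAN_USER}" && "${ORPHAN_USER}" != "${USERNAME}" ]]; then
    if ! id "${ORPHAN_USER}" &>/dev/null || [[ "${FORCE_ORPHAN_CLEANUP:-false}" == "true" ]]; then
      echo "[1/10] Dominio huérfano en usuario '${ORPHAN_USER}' — limpiando..." >&2
      v-delete-web-domain "${ORPHAN_USER}" "${DOMAIN_NAME}" 2>/dev/null || true
      DNS_ORPHAN=$(grep -rlF "DOMAIN='${DOMAIN_NAME}'" /usr/local/hestia/data/users/*/dns.conf 2>/dev/null | head -1 | cut -d'/' -f7 || true)
      MAIL_ORPHAN=$(grep -rlF "DOMAIN='${DOMAIN_NAME}'" /usr/local/hestia/data/users/*/mail.conf 2>/dev/null | head -1 | cut -d'/' -f7 || true)
      if [[ -n "${DNS_ORPHAN}" ]]; then
        v-delete-dns-domain "${DNS_ORPHAN}" "${DOMAIN_NAME}" 2>/dev/null || true
      fi
      if [[ -n "${MAIL_ORPHAN}" ]]; then
        v-delete-mail-domain "${MAIL_ORPHAN}" "${DOMAIN_NAME}" 2>/dev/null || true
      fi
      sleep 2
    else
      die "El dominio ${DOMAIN_NAME} ya pertenece al usuario activo '${ORPHAN_USER}'. Revisar manualmente o reejecutar con FORCE_ORPHAN_CLEANUP=true para borrarlo."
    fi
  fi

  # The flock'ed subshell reports back through private temp files: predictable
  # /tmp names written by root are a symlink-attack target.
  VADD_RESULT=$(mktemp /tmp/vadd_domain_result_XXXXXX)
  VADD_ERR=$(mktemp /tmp/vadd_domain_err_XXXXXX)

  (
    # Serialise v-add-domain across parallel provisioning runs: concurrent
    # writes to named.conf produced duplicate zone entries that broke bind
    # ("already exists previous definition"). Timeout 120s, then proceed anyway.
    flock -x -w 120 201 2>/dev/null || {
      echo "[1/10] WARN: flock timeout esperando lock DNS — continuando de todas formas" >&2
    }

    for domain_attempt in 1 2 3 4 5; do
      # Let any in-flight rndc finish before touching bind again (max ~20s).
      for _ in {1..10}; do
        pgrep -x "rndc" >/dev/null 2>&1 || break
        echo "[1/10] rndc ocupado — esperando 2s..." >&2
        sleep 2
      done

      if v-add-domain "${USERNAME}" "${DOMAIN_NAME}" 2>"${VADD_ERR}"; then
        echo "OK" > "${VADD_RESULT}"
        echo "[1/10] Dominio ${DOMAIN_NAME} agregado (intento ${domain_attempt})." >&2
        break
      fi
      ERR_MSG=$(head -1 "${VADD_ERR}" 2>/dev/null || true)
      echo "[1/10] v-add-domain intento ${domain_attempt}/5 falló: ${ERR_MSG}" >&2
      if [[ $domain_attempt -lt 5 ]]; then
        echo "[1/10] Esperando 10s antes de reintentar..." >&2
        sleep 10
      fi
    done
  ) 201>/var/lock/bewpro-vadd-domain.lock

  V_ADD_DOMAIN_OK=false
  if [[ "$(cat "${VADD_RESULT}" 2>/dev/null || true)" == "OK" ]]; then
    V_ADD_DOMAIN_OK=true
  fi
  rm -f -- "${VADD_RESULT}" "${VADD_ERR}"

  if ! $V_ADD_DOMAIN_OK; then
    die "Error agregando dominio ${DOMAIN_NAME} tras 5 intentos"
  fi
fi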

echo "[1/10] Esperando que el usuario esté disponible..." >&2
# Poll for the system account (up to 15 × 2s) — v-add-user may return before
# the account is resolvable.
for _ in {1..15}; do
  if id "${USERNAME}" &>/dev/null; then
    break
  fi
  sleep 2
done
id "${USERNAME}" &>/dev/null || die "usuario ${USERNAME} no disponible tras 30s"

# The tenant typically comes with a nologin/false shell, but the `su - user -c`
# steps below need a real one; switch to bash for the provisioning run.
# RESTORE_SHELL records that the original shell should be put back afterwards.
RESTORE_SHELL=false
ORIGINAL_SHELL=$(getent passwd "${USERNAME}" | cut -d: -f7)
case "${ORIGINAL_SHELL}" in
  *nologin*|*false*)
    chsh -s /bin/bash "${USERNAME}"
    echo "[1/10] Shell habilitado temporalmente para provisión." >&2
    RESTORE_SHELL=true
    ;;
esac

########################################
# 2. Crear DB, usuario y permisos
########################################

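echo "[2/10] Creando DB y usuario..." >&2

# HestiaCP prefixes database and DB-user names with "<user>_"; these are the
# names the application must be configured with.
REAL_DB_NAME="${USERNAME}_${DB_NAME}"
REAL_DB_USER="${USERNAME}_${DB_USER}"
if [[ "${DB_NAME}" == "${USERNAME}_"* ]]; then
  # Already prefixed (never true for the hard-coded "bp"; kept for safety).
  REAL_DB_NAME="${DB_NAME}"
  REAL_DB_USER="${DB_USER}"
fi

# Idempotency: match the full prefixed name as a whole field of the listing —
# the old unanchored grep for "bp" also matched e.g. "<user>_webpage".
DB_LIST=$(v-list-databases "${USERNAME}" 2>/dev/null || true)
if awk -v d="${REAL_DB_NAME}" '{ for (i = 1; i <= NF; i++) if ($i == d) found = 1 } END { exit !found }' <<<"${DB_LIST}"; then
  echo "[2/10] DB ya existe — continuando (idempotente)." >&2
else
  # NOTE: the DB password is the same secret as the HestiaCP and app passwords.
  v-add-database "${USERNAME}" "${DB_NAME}" "${DB_USER}" "${DB_PASSWORD}" mysql \
    || die "Error creando base de datos ${DB_NAME}"
fi

# Switch the database to utf8mb4; try the prefixed name first, then the bare
# one. Best-effort: on failure the database simply keeps its default charset.
mysql -e "ALTER DATABASE \`${USERNAME}_${DB_NAME}\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" 2>/dev/null \
  || mysql -e "ALTER DATABASE \`${DB_NAME}\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" 2>/dev/null \
  || true

echo "[2/10] DB ${REAL_DB_NAME} y USER ${REAL_DB_USER} listos." >&2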

########################################
# 3. Copiar claves SSH al usuario
########################################

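echo "[3/10] Configurando claves SSH..." >&2

# SECURITY: by default this hands the tenant a copy of root's private SSH keys
# (id_rsa / id_ed25519). Any code-execution bug in the tenant's web app then
# exposes a key that may have write access to the GitHub repo and to every
# other host that trusts it. Point DEPLOY_KEY_FILE at a dedicated read-only
# deploy key (named like one of ssh's default identities, e.g. id_ed25519, so
# git picks it up) to avoid that; root's keys are only a fallback, with a
# warning.
TENANT_SSH_DIR="/home/${USERNAME}/.ssh"
mkdir -p -- "${TENANT_SSH_DIR}"

if [[ -n "${DEPLOY_KEY_FILE:-}" && -f "${DEPLOY_KEY_FILE}" ]]; then
  cp -- "${DEPLOY_KEY_FILE}" "${TENANT_SSH_DIR}/"
  if [[ -f "${DEPLOY_KEY_FILE}.pub" ]]; then
    cp -- "${DEPLOY_KEY_FILE}.pub" "${TENANT_SSH_DIR}/"
  fi
  echo "[3/10] Deploy key dedicada instalada: $(basename -- "${DEPLOY_KEY_FILE}")" >&2
else
  echo "[3/10] WARN: DEPLOY_KEY_FILE no definido — copiando las claves privadas de root al tenant (ver nota SECURITY en el script)" >&2
  for key in /root/.ssh/id_rsa /root/.ssh/id_ed25519; do
    [[ -f "$key" ]] || continue
    cp -- "$key"* "${TENANT_SSH_DIR}/"
  done
fi

# Every public key present becomes an authorized key for the tenant account,
# i.e. whoever holds the matching private key can log in as the tenant.
if compgen -G "${TENANT_SSH_DIR}/*.pub" > /dev/null; then
  cat "${TENANT_SSH_DIR}"/*.pub > "${TENANT_SSH_DIR}/authorized_keys"
fi

chown -R "${USERNAME}:${USERNAME}" "${TENANT_SSH_DIR}"
chmod 700 "${TENANT_SSH_DIR}"
chmod 600 "${TENANT_SSH_DIR}"/* || true
chmod 644 "${TENANT_SSH_DIR}"/*.pub || true
chmod 600 "${TENANT_SSH_DIR}/authorized_keys" || true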

########################################
# 4. Crear estructura git-files
########################################

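echo "[4/10] Preparando estructura git-files..." >&2

# The path is %q-quoted before being embedded in the `su -c` string so a
# domain name can never be parsed as shell syntax by the tenant's login shell.
printf -v Q_PROJECT_PATH '%q' "web/${DOMAIN_NAME}/public_html/git-files/${PROJECT_DIR_NAME}"
su - "${USERNAME}" -c "mkdir -p ${Q_PROJECT_PATH}" >&2

# Pin GitHub's host key for the tenant (only once — re-runs used to append a
# duplicate entry every time). NOTE: ssh-keyscan is trust-on-first-use: a
# MITM present at provisioning time would be the key that gets pinned; compare
# against GitHub's published fingerprints if that is in your threat model.
su - "${USERNAME}" -c "
  mkdir -p ~/.ssh
  grep -qs '^github.com ' ~/.ssh/known_hosts || ssh-keyscan github.com >> ~/.ssh/known_hosts 2>/dev/null || true
  chmod 700 ~/.ssh
  chmod 644 ~/.ssh/known_hosts
" >&2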

########################################
# 5. Clonar cd-system
########################################

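echo "[5/10] Clonando repositorio cd-system..." >&2

# Root keeps a bare mirror of the repo; tenant clones borrow its objects via
# --reference so each provisioning only transfers the delta. A failed fetch
# is non-fatal: an older mirror still works as a reference.
if [[ ! -d "${REPO_REFERENCE}" ]]; then
  echo "[5/10] Inicializando reference clone (primera vez, puede tardar)..." >&2
  git clone --bare "${REPO_SSH}" "${REPO_REFERENCE}" >&2
else
  git -C "${REPO_REFERENCE}" fetch --all --quiet >&2 || true
fi

HESTIA_PROJECT_PATH="web/${DOMAIN_NAME}/public_html/git-files/${PROJECT_DIR_NAME}"
# Shell-quoted copies for embedding in `su -c` strings (the path is built from
# operator input).
printf -v Q_PROJECT_PATH '%q' "${HESTIA_PROJECT_PATH}"
printf -v Q_REPO_REFERENCE '%q' "${REPO_REFERENCE}"
printf -v Q_REPO_SSH '%q' "${REPO_SSH}"

if su - "${USERNAME}" -c "test -d ${Q_PROJECT_PATH}/.git" 2>/dev/null; then
  echo "[5/10] Repo ya existe — haciendo git pull (idempotente)." >&2
  su - "${USERNAME}" -c "
    cd ${Q_PROJECT_PATH} && \
    git fetch origin && \
    git checkout cd-system && \
    git pull --ff-only origin cd-system
  " >&2
else
  # NOTE: the clone stays dependent on ${REPO_REFERENCE}; deleting or pruning
  # that mirror would break every tenant checkout (--dissociate would copy the
  # objects instead, at the cost of disk space).
  su - "${USERNAME}" -c "
    rm -rf ${Q_PROJECT_PATH}
    mkdir -p ${Q_PROJECT_PATH}
  " >&2
  su - "${USERNAME}" -c "
    cd ${Q_PROJECT_PATH} && \
    git clone --branch cd-system --reference ${Q_REPO_REFERENCE} ${Q_REPO_SSH} .
  " >&2
fi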

########################################
# 6. Composer + env
########################################

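echo "[6/10] Configurando Laravel..." >&2

# Escape a literal for the replacement side of a sed `s|…|…|` expression:
# `\` (escape), `|` (the delimiter used below) and `&` (whole-match reference).
sed_rhs_escape() {
  printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'
}

printf -v Q_PROJECT_PATH '%q' "${HESTIA_PROJECT_PATH}"
ENV_FILE="/home/${USERNAME}/${HESTIA_PROJECT_PATH}/.env"

# Idempotency: a re-run used to generate a fresh APP_KEY every time, silently
# invalidating everything Laravel had encrypted with the old one (sessions,
# encrypted columns). Keep the existing key when the tenant already has one.
EXISTING_APP_KEY=""
if [[ -f "${ENV_FILE}" ]]; then
  EXISTING_APP_KEY=$(grep -m1 '^APP_KEY=' "${ENV_FILE}" 2>/dev/null | cut -d= -f2- || true)
fi
if [[ -n "${EXISTING_APP_KEY}" ]]; then
  APP_KEY_VALUE="${EXISTING_APP_KEY}"
  echo "[6/10] APP_KEY existente conservado." >&2
else
  APP_KEY_VALUE="base64:$(openssl rand -base64 32)"
fi

su - "${USERNAME}" -c "
  cd ${Q_PROJECT_PATH} && \
  cp .env.example .env
" >&2

# Build the sed program as an array: each value is escaped for sed, then the
# whole argument list is %q-quoted for the tenant's shell, so a password or
# URL containing quotes or metacharacters neither corrupts .env nor becomes
# code. (Values are written unquoted, as before; a value with spaces or `#`
# would still need .env quoting.)
ENV_SED_ARGS=()
env_set_expr() {   # $1 key, $2 raw value
  ENV_SED_ARGS+=(-e "s|^$1=.*|$1=$(sed_rhs_escape "$2")|")
}
env_set_expr APP_NAME           "\"${APP_NAME}\""
env_set_expr APP_ENV            production
env_set_expr APP_DEBUG          false
env_set_expr APP_URL            "${APP_URL}"
env_set_expr DB_CONNECTION      mysql
env_set_expr DB_HOST            localhost
env_set_expr DB_PORT            3306
env_set_expr DB_DATABASE        "${REAL_DB_NAME}"
env_set_expr DB_USERNAME        "${REAL_DB_USER}"
env_set_expr DB_PASSWORD        "${DB_PASSWORD}"
env_set_expr RUN_PROJECT_SEEDER true
env_set_expr MAIL_MAILER        sendmail
env_set_expr MAIL_HOST          localhost
env_set_expr MAIL_PORT          25
env_set_expr MAIL_USERNAME      null
env_set_expr MAIL_PASSWORD      null
env_set_expr MAIL_ENCRYPTION    null
env_set_expr MAIL_FROM_ADDRESS  noreply@bewpro.com
env_set_expr MAIL_FROM_NAME     BewPro
env_set_expr APP_KEY            "${APP_KEY_VALUE}"

printf -v Q_SED_ARGS '%q ' "${ENV_SED_ARGS[@]}"
su - "${USERNAME}" -c "
  cd ${Q_PROJECT_PATH} && \
  sed -i ${Q_SED_ARGS} .env
" >&2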

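# ── FEATURE: shared vendor cache (opt-in via BEWPRO_VENDOR_CACHE=true) ──────
# vendor/ trees are cached under /opt keyed by a hash of composer.lock, so a
# tenant whose lock file matches skips `composer install` entirely.
# SECURITY NOTE: the cache is populated from a tree that `composer install`
# produced while running as the tenant user and is then handed to every later
# tenant with the same lock hash. Treat the cache directory as trusted
# root-owned data and wipe it if a tenant account is ever suspected of
# compromise.
USE_VENDOR_CACHE="${BEWPRO_VENDOR_CACHE:-false}"
VENDOR_CACHE_BASE="/opt/cd-vendor-cache"
VENDOR_INSTALLED=false

printf -v Q_PROJECT_PATH '%q' "${HESTIA_PROJECT_PATH}"
# COMPOSER_CACHE_DIR points at /root, which the tenant cannot write —
# presumably composer then proceeds without a download cache; verify.
COMPOSER_INSTALL_CMD="COMPOSER_CACHE_DIR=${COMPOSER_CACHE_DIR} ${COMPOSER_BIN} install --no-scripts --no-interaction --ignore-platform-reqs"

if [[ "${USE_VENDOR_CACHE}" == "true" ]]; then
  TENANT_DIR="/home/${USERNAME}/${HESTIA_PROJECT_PATH}"
  if [[ -f "${TENANT_DIR}/composer.lock" ]]; then
    LOCK_HASH=$(md5sum "${TENANT_DIR}/composer.lock" | cut -d' ' -f1)
    LOCK_HASH="${LOCK_HASH:0:16}"
    CACHE_DIR="${VENDOR_CACHE_BASE}/${LOCK_HASH}"
    LOCK_FILE_VENDOR="/var/lock/cd-vendor-cache-${LOCK_HASH}"
    mkdir -p "${VENDOR_CACHE_BASE}"
    # The subshell's non-zero exit on lock timeout must NOT abort the script
    # under `set -e` (it used to) — the plain composer install below is the
    # intended fallback.
    (
      flock -x -w 600 200 || { echo "[VENDOR_CACHE] WARN: flock timeout, fallback a install fresh" >&2; exit 1; }
      if [[ -d "${CACHE_DIR}/vendor" ]] && [[ -f "${CACHE_DIR}/vendor/autoload.php" ]]; then
        echo "[6/10] Vendor cache HIT (hash=${LOCK_HASH}) — copiando..." >&2
        # cp -a into an existing vendor/ would nest it as vendor/vendor on re-runs.
        rm -rf -- "${TENANT_DIR:?}/vendor"
        cp -a "${CACHE_DIR}/vendor" "${TENANT_DIR}/vendor"
        chown -R "${USERNAME}:${USERNAME}" "${TENANT_DIR}/vendor"
      else
        echo "[6/10] Vendor cache MISS — composer install + populate..." >&2
        su - "${USERNAME}" -c "cd ${Q_PROJECT_PATH} && ${COMPOSER_INSTALL_CMD}" >&2
        if [[ -f "${TENANT_DIR}/vendor/autoload.php" ]]; then
          mkdir -p "${CACHE_DIR}"
          rm -rf -- "${CACHE_DIR:?}/vendor"   # partial tree from an earlier failed run
          cp -a "${TENANT_DIR}/vendor" "${CACHE_DIR}/vendor"
          chmod -R o+r "${CACHE_DIR}/vendor"
          echo "[6/10] Vendor cache POPULATED en ${CACHE_DIR}" >&2
        fi
      fi
    ) 200>"${LOCK_FILE_VENDOR}" || true
    if [[ -f "${TENANT_DIR}/vendor/autoload.php" ]]; then
      VENDOR_INSTALLED=true
    fi
  fi
fi

if ! $VENDOR_INSTALLED; then
  su - "${USERNAME}" -c "cd ${Q_PROJECT_PATH} && ${COMPOSER_INSTALL_CMD}" >&2
fi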

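# Regenerate Laravel's package manifest. Best-effort (|| true): a broken
# autoload surfaces again as soon as artisan runs in step 7. The path is
# %q-quoted for the tenant shell like the other `su -c` calls.
printf -v Q_PROJECT_PATH '%q' "${HESTIA_PROJECT_PATH}"
su - "${USERNAME}" -c "cd ${Q_PROJECT_PATH} && ${PHP_BIN} artisan package:discover --ansi" >&2 || true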

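# Emit a shell snippet that appends KEY=VALUE to ./.env unless KEY is already
# set. VALUE is %q-quoted, so quotes, spaces or `$` in a secret can neither
# break out of the command nor be expanded by the tenant's shell (the old
# code embedded the raw value inside '…', so a single quote was enough).
env_append_snippet() {
  local key="$1" value="$2" quoted
  printf -v quoted '%q' "${key}=${value}"
  printf '%s' "grep -q '^${key}=' .env || printf '%s\\n' ${quoted} >> .env"
}

# Run one env_append_snippet per "KEY=VALUE" argument as the tenant, from the
# project directory (the .env stays tenant-owned; nothing is written by root).
env_append_missing() {
  local script="" pair
  for pair in "$@"; do
    script+="$(env_append_snippet "${pair%%=*}" "${pair#*=}")"$'\n'
  done
  su - "${USERNAME}" -c "cd $(printf '%q' "${HESTIA_PROJECT_PATH}") && { ${script} }" >&2
}

# SECURITY: these three flags disable TLS verification for SMTP. They are
# inert while MAIL_MAILER=sendmail (set above) but turn into a MITM hole the
# moment a tenant is switched to an SMTP relay — revisit before doing so.
env_append_missing \
  "MAIL_VERIFY_PEER=false" \
  "MAIL_VERIFY_PEER_NAME=false" \
  "MAIL_ALLOW_SELF_SIGNED=true"

# Shared mailbox, Airtable and billing secrets come from the environment
# (presumably the sourced /root/scripts/.airtable.env). NOTE: the SAME values
# are written into every tenant's .env, so one compromised tenant app leaks
# credentials shared by all of them. Empty values are written as empty keys.
HOLA_USER="${HOLA_MAIL_USERNAME:-hola@bewpro.com}"
HOLA_PASS="${HOLA_MAIL_PASSWORD:-}"
NOREPLY_USER="${NOREPLY_MAIL_USERNAME:-noreply@bewpro.com}"
NOREPLY_PASS="${NOREPLY_MAIL_PASSWORD:-}"
env_append_missing \
  "MAIL_USERNAME_HOLA=${HOLA_USER}" \
  "MAIL_PASSWORD_HOLA=${HOLA_PASS}" \
  "MAIL_USERNAME_NOREPLY=${NOREPLY_USER}" \
  "MAIL_PASSWORD_NOREPLY=${NOREPLY_PASS}"

AIRTABLE_TOKEN_VAL="${AIRTABLE_TOKEN:-}"
AIRTABLE_BASE_ID_VAL="${AIRTABLE_BASE_ID:-}"
AIRTABLE_PROJECTS_TABLE_VAL="${AIRTABLE_TABLE_ID:-}"
env_append_missing \
  "AIRTABLE_TOKEN=${AIRTABLE_TOKEN_VAL}" \
  "AIRTABLE_BASE_ID=${AIRTABLE_BASE_ID_VAL}" \
  "AIRTABLE_SUBSCRIPTIONS_TABLE=${AIRTABLE_PROJECTS_TABLE_VAL}" \
  "AIRTABLE_SUBSCRIPTIONS_TRACKING_TABLE=tblnpr52JhFBBi2Mg"

BILLING_PUSH_SECRET_VAL="${BILLING_PUSH_SECRET:-}"
env_append_missing "BILLING_PUSH_SECRET=${BILLING_PUSH_SECRET_VAL}"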

# Label left of ".bewpro.com" (for a custom domain this is just the bare host,
# which create_dns_record ignores). Registered early to give propagation a
# head start before the SSL step.
DNS_SUBDOMAIN="${APP_URL/https:\/\//}"
DNS_SUBDOMAIN="${DNS_SUBDOMAIN%%.bewpro.com*}"
echo "[6/10] Registrando DNS anticipado para ganar tiempo de propagación..." >&2
create_dns_record "${DNS_SUBDOMAIN}"

########################################
# 7. Provisionar con bewpro:new
########################################

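echo "[7/10] Provisionando proyecto con bewpro:new..." >&2

# Build the artisan argument list as an array and %q-quote it for the tenant
# shell: title/e-mail/product/password/colors are operator input, and a single
# quote in any of them used to break out of the old '…'-quoted string.
BEWPRO_ARGS=(
  "${EMAIL}"
  "${TITLE}"
  "${PRODUCT}"
  "--db=${REAL_DB_NAME}"
  "--url=${APP_URL}"
  "--password=${PASSWORD}"
)
if [[ "${SKIP_ASSETS}" == "true" ]]; then
  BEWPRO_ARGS+=(--skip-assets)
  echo "[7/10] Aviso: SKIP_ASSETS=true, se omitirá procesamiento de assets." >&2
fi
if [[ "${CLEAN_PROVISION}" == "true" ]]; then
  BEWPRO_ARGS+=(--clean)
  echo "[7/10] Modo: provisión limpia (--clean)" >&2
fi
if [[ -n "${BRAND_COLORS}" ]]; then
  BEWPRO_ARGS+=("--colors=${BRAND_COLORS}")
  echo "[7/10] Colores de marca: ${BRAND_COLORS}" >&2
fi
BEWPRO_ARGS+=(--no-email --no-interaction)
printf -v Q_BEWPRO_ARGS '%q ' "${BEWPRO_ARGS[@]}"
printf -v Q_PROJECT_PATH '%q' "${HESTIA_PROJECT_PATH}"

# NOTE: --password is part of the artisan command line and therefore visible
# in `ps` to every local user for as long as bewpro:new runs.
su - "${USERNAME}" -c "cd ${Q_PROJECT_PATH} && ${PHP_BIN} artisan bewpro:new ${Q_BEWPRO_ARGS}" >&2

# Best-effort (|| true): presumably fails harmlessly when the link already exists.
su - "${USERNAME}" -c "cd ${Q_PROJECT_PATH} && ${PHP_BIN} artisan storage:link" >&2 || true

echo "[7/10] Proyecto provisionado." >&2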

########################################
# 8. Crear .htaccess final
########################################

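echo "[8/10] Generando .htaccess..." >&2

HTACCESS_PATH="${WEB_ROOT}/.htaccess"

# The file is written to a private temp file and then installed with the
# tenant as owner: `cat > path` as root would write THROUGH a symlink the
# tenant may have planted at that path, whereas install(1) replaces the
# destination. Content: ACME http-01 challenges are served from public_html
# itself; everything else is routed into the Laravel public/ directory, so a
# request for e.g. /git-files/<project>/.env is rewritten under public/ too
# and should 404 rather than expose the file.
HTACCESS_TMP=$(mktemp)
cat > "${HTACCESS_TMP}" <<EOF
<IfModule mod_rewrite.c>
  RewriteEngine On

  RewriteRule ^\.well-known/acme-challenge/ - [L,NC]
  RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ [NC]

  RewriteCond %{REQUEST_URI} !^/git-files/${PROJECT_DIR_NAME}/public/ [NC]
  RewriteRule ^(.*)$ git-files/${PROJECT_DIR_NAME}/public/\$1 [L]
</IfModule>
EOF
install -o "${USERNAME}" -g "${USERNAME}" -m 0644 -- "${HTACCESS_TMP}" "${HTACCESS_PATH}"
rm -f -- "${HTACCESS_TMP}"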

########################################
# 9. Verificar / reintentar registro DNS
########################################

echo "[9/10] Verificando DNS (registrado anticipadamente en paso 6)..." >&2

DNS_SUBDOMAIN="${APP_URL/https:\/\//}"
DNS_SUBDOMAIN="${DNS_SUBDOMAIN%%.bewpro.com*}"

if [[ "${APP_URL}" != *".bewpro.com"* ]]; then
  echo "[9/10] Dominio custom detectado — DNS manual:" >&2
  echo "         ${APP_URL} → ${HOSTINGER_SERVER_IP}" >&2
else
  # Ask a public resolver rather than the local bind, so we see what clients see.
  ALREADY_RESOLVED=$(dig +short A "${DNS_SUBDOMAIN}.bewpro.com" @8.8.8.8 2>/dev/null \
    | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1 || true)
  if [[ "${ALREADY_RESOLVED}" == "${HOSTINGER_SERVER_IP}" ]]; then
    echo "[9/10] DNS ya propagado ✓ — saltando espera" >&2
  else
    # Not there yet: re-submit the record (the API call is an overwrite/upsert).
    echo "[9/10] DNS aún propagando (resuelve: ${ALREADY_RESOLVED:-sin respuesta}) — reintentando registro..." >&2
    create_dns_record "${DNS_SUBDOMAIN}"
  fi
fi

########################################
# 10. Instalar SSL
# Intenta ZeroSSL primero. Si detecta cooldown o falla,
# hace fallback automático a Let's Encrypt.
########################################

echo "[10/10] Instalando SSL en ${DOMAIN_NAME}..." >&2

SSL_INSTALLED=false
# acme.sh --webroot target: http-01 challenges are answered from public_html.
WEBROOT="${WEB_ROOT}"

# Función para intentar emitir cert con una CA dada
# Devuelve: 0=éxito, 1=fallo genérico, 2=cooldown detectado
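# Ask acme.sh for a certificate from one CA, retrying transient failures, and
# install it into HestiaCP on success.
# Arguments: $1 acme.sh --server value, $2 human-readable label for log lines
# Globals read: ACME_BIN, WEBROOT, DOMAIN_NAME; calls install_cert_hestia
# Returns: 0 = issued (or already valid) and installed, 1 = gave up after three
#          attempts, 2 = CA rate-limit cooldown detected (caller should switch
#          CA instead of retrying)
try_issue_cert() {
  local ca="$1"
  local ca_label="$2"
  local ssl_attempt acme_log
  # mktemp instead of the old predictable /tmp/acme_<user>_<pid>.log: root
  # writing through tee to a guessable name in /tmp is a classic symlink target.
  acme_log=$(mktemp /tmp/acme_XXXXXX) || return 1

  for ssl_attempt in 1 2 3; do
    echo "[10/10] [${ca_label}] Intento ${ssl_attempt}/3..." >&2
    if "${ACME_BIN}" --issue \
        --webroot "${WEBROOT}" \
        -d "${DOMAIN_NAME}" \
        --server "${ca}" 2>&1 | tee "${acme_log}" >&2; then
      install_cert_hestia
      echo "[10/10] SSL ${ca_label} instalado en ${DOMAIN_NAME} ✓" >&2
      rm -f -- "${acme_log}"
      return 0
    fi
    # acme.sh reports a still-valid existing cert with these phrases and a
    # non-zero exit; re-install that cert instead of failing.
    if grep -qE "already exists|Domains not changed|Skipping" "${acme_log}" 2>/dev/null; then
      install_cert_hestia
      echo "[10/10] SSL ${ca_label} ya existía — reinstalado ✓" >&2
      rm -f -- "${acme_log}"
      return 0
    fi
    # A long retryafter= means the CA rate-limited us; retrying is pointless.
    if grep -qE "retryafter=[0-9]{4,}" "${acme_log}" 2>/dev/null; then
      echo "[10/10] [${ca_label}] Cooldown detectado — abortando esta CA" >&2
      rm -f -- "${acme_log}"
      return 2
    fi
    echo "[10/10] [${ca_label}] Intento ${ssl_attempt} falló, esperando 15s..." >&2
    sleep 15
  done
  rm -f -- "${acme_log}"
  return 1
}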

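# Install acme.sh on first use. NOTE: this pipes a remotely fetched script into
# sh as root (supply-chain trust in get.acme.sh); -f at least keeps an HTTP
# error page from being executed. Pre-installing acme.sh on the image is the
# safer option. ~/.bashrc is deliberately not sourced: ACME_BIN is an absolute
# path, and sourcing an interactive rc file under `set -u` can abort the script.
if [[ ! -x "${ACME_BIN}" ]]; then
  echo "[10/10] WARN: acme.sh no encontrado — instalando..." >&2
  curl -fsSL https://get.acme.sh | sh -s email=admin@bewpro.com >&2 || true
fi

if [[ ! -x "${ACME_BIN}" ]]; then
  echo "[10/10] WARN: acme.sh no disponible — saltando SSL." >&2
else
  # Register the ZeroSSL account when EAB credentials are provided (the HMAC
  # key is unavoidably visible in `ps` while this runs).
  if [[ -n "${ZEROSSL_EAB_KID}" ]] && [[ -n "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
    "${ACME_BIN}" --register-account \
      --server zerossl \
      --eab-kid "${ZEROSSL_EAB_KID}" \
      --eab-hmac-key "${ZEROSSL_EAB_HMAC_KEY}" \
      2>/dev/null || true
    "${ACME_BIN}" --set-default-ca --server zerossl 2>/dev/null || true
  fi

  # try_issue_cert returns 1/2 on failure; capture the status with `|| rc=$?`
  # so `set -e` cannot abort the script before the fallback runs. (The old
  # code only guarded the ZeroSSL call with set +e; a Let's Encrypt failure
  # killed the script before its WARN message.)
  echo "[10/10] Intentando ZeroSSL..." >&2
  ZEROSSL_RESULT=0
  try_issue_cert "zerossl" "ZeroSSL" || ZEROSSL_RESULT=$?

  if [[ $ZEROSSL_RESULT -eq 0 ]]; then
    SSL_INSTALLED=true
  else
    if [[ $ZEROSSL_RESULT -eq 2 ]]; then
      echo "[10/10] ZeroSSL en cooldown — usando Let's Encrypt como fallback..." >&2
    else
      echo "[10/10] ZeroSSL falló — usando Let's Encrypt como fallback..." >&2
    fi

    LE_RESULT=0
    try_issue_cert "letsencrypt" "Let's Encrypt" || LE_RESULT=$?

    if [[ $LE_RESULT -eq 0 ]]; then
      SSL_INSTALLED=true
    else
      echo "[10/10] WARN: ZeroSSL y Let's Encrypt fallaron." >&2
      echo "[10/10]       Reintentar manualmente:" >&2
      echo "         ${ACME_BIN} --issue --webroot ${WEBROOT} -d ${DOMAIN_NAME} --server letsencrypt" >&2
    fi
  fi
fi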

########################################
# 11. Registrar cron schedule:run del tenant
########################################

echo "[11/12] Registrando cron schedule:run del tenant..." >&2

FULL_PROJECT_PATH="/home/${USERNAME}/${HESTIA_PROJECT_PATH}"
CRON_CMD="cd ${FULL_PROJECT_PATH} && ${PHP_BIN} artisan schedule:run >> /dev/null 2>&1"
CRON_LINE="* * * * * ${CRON_CMD}"

# crontab(1) is read directly — parsing v-list-cron-jobs output was unreliable.
# NOTE: step 13 strips schedule:run again in favour of direct artisan commands,
# so this entry is effectively transitional.
EXISTING_CRON=$(crontab -l -u "${USERNAME}" 2>/dev/null || true)
if grep -q "schedule:run" <<<"${EXISTING_CRON}"; then
  echo "[11/12] schedule:run ya estaba registrado, OK." >&2
elif v-add-cron-job "${USERNAME}" "*" "*" "*" "*" "*" "${CRON_CMD}" 2>/dev/null; then
  echo "[11/12] schedule:run registrado via HestiaCP en ${USERNAME}." >&2
else
  # Fallback: rewrite the tenant crontab with the new line appended.
  { echo "${EXISTING_CRON}"; echo "${CRON_LINE}"; } | crontab -u "${USERNAME}" -
  echo "[11/12] schedule:run registrado via crontab directo en ${USERNAME}." >&2
fi

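########################################
# 12. Reload PHP-FPM so the new per-domain pool is picked up
########################################

echo "[12/13] Reiniciando PHP-FPM para activar pool de ${USERNAME}..." >&2

# FIX: prefer a graceful reload — php-fpm re-reads its pool configuration on
# SIGUSR2 and lets in-flight requests finish — so the other tenants on this
# shared host don't get dropped connections on every provision. Fall back to a
# full restart only if no unit accepted the reload. Unit order mirrors the
# original (8.3, 8.2, unversioned). NOTE: PHP_BIN at the top of the script
# prefers 8.2 while the socket check below assumes 8.3 — confirm which FPM
# actually serves this pool.
FPM_RELOADED=false
for FPM_UNIT in php8.3-fpm php8.2-fpm php-fpm; do
  if systemctl reload "${FPM_UNIT}" 2>/dev/null; then
    FPM_RELOADED=true
    break
  fi
done
if [[ "${FPM_RELOADED}" != true ]]; then
  systemctl restart php8.3-fpm 2>/dev/null || \
  systemctl restart php8.2-fpm 2>/dev/null || \
  systemctl restart php-fpm 2>/dev/null || true
fi

# Wait up to ~10 s for the pool socket. A missing socket is only a warning:
# the site may still come up before the validation step finishes.
SOCK_PATH="/run/php/php8.3-fpm-${DOMAIN_NAME}.sock"
for ((SOCK_WAIT = 1; SOCK_WAIT <= 10; SOCK_WAIT++)); do
  [[ -S "${SOCK_PATH}" ]] && break
  sleep 1
done
if [[ -S "${SOCK_PATH}" ]]; then
  echo "[12/13] PHP-FPM socket OK ✓" >&2
else
  echo "[12/13] WARN: Socket ${SOCK_PATH} no encontrado — revisar php8.3-fpm" >&2
fi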

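########################################
# 13. Install the tenant's cron jobs
# Direct artisan commands instead of schedule:run to avoid load: schedule:run
# spawns a PHP process per tenant every minute even when idle, whereas these
# entries only run when there is real work to do.
# NOTE: the filter below also removes the `schedule:run` entry registered in
# step 11, so that step's effect is intentionally superseded here.
########################################

echo "[13/14] Instalando cron jobs del tenant..." >&2

# Directory holding the tenant's artisan. This differs from step 11's
# FULL_PROJECT_PATH (/home/<user>/<HESTIA_PROJECT_PATH>) — confirm which one
# actually contains `artisan` for this layout.
TENANT_ARTISAN_DIR="${WEB_ROOT}/git-files/${USERNAME}"

# FIX: use the PHP binary selected at the top of the script instead of bare
# `php` — cron runs with a minimal PATH and may resolve a different PHP version
# than the one the project was provisioned with (step 11 already uses PHP_BIN).
TENANT_CRON_JOBS=(
  "0 * * * * cd ${TENANT_ARTISAN_DIR} && ${PHP_BIN} artisan bewpro:check-billing >> /dev/null 2>&1"
  "0 3 * * * cd ${TENANT_ARTISAN_DIR} && ${PHP_BIN} artisan bewpro:onboarding:cleanup-drafts >> /dev/null 2>&1"
  "0 0 * * * cd ${TENANT_ARTISAN_DIR} && ${PHP_BIN} artisan config:clear >> /dev/null 2>&1"
)

# Rewrite the crontab: keep every unrelated line, drop stale copies of our own
# jobs (fixed-string match so the patterns can't be misread as regex), then
# append the fresh entries. A missing crontab reads as empty.
# NOTE: writing the crontab directly bypasses HestiaCP's cron registry, so the
# panel will not show these jobs.
if {
  crontab -u "${USERNAME}" -l 2>/dev/null \
    | grep -vF -e "bewpro:check-billing" -e "bewpro:onboarding" \
               -e "config:clear" -e "schedule:run" || true
  printf '%s\n' "${TENANT_CRON_JOBS[@]}"
} | crontab -u "${USERNAME}" -; then
  echo "[13/14] Cron jobs instalados ✓" >&2
else
  echo "[13/14] WARN: No se pudo instalar cron — configurar manualmente" >&2
fi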

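########################################
# 14. Post-provision validation
# FIX: curl without -I so several status codes are not concatenated (e.g.
#      "3010"); -s -L alone reports only the final code, and the value is
#      sanitised with tr as a belt-and-braces measure.
########################################

echo "[14/14] Validando provision (HTTP + SSL)..." >&2

HTTP_OK=false
HTTP_CODE_LAST="000"
HTTP_MAX_ATTEMPTS=6

# Probe one URL and print its 3-digit HTTP status ("000" on any failure).
# Arguments: $1 URL, $2 IP to pin DOMAIN_NAME to. The IP is pinned with
# --resolve so the probe hits what public DNS currently returns rather than a
# local hosts override. TLS is verified (no -k): an HTTPS "000" usually means
# the certificate is not installed yet.
probe_http_code() {
  local url="$1" ip="$2" code
  code=$(curl -s -L -m 20 \
    --resolve "${DOMAIN_NAME}:443:${ip}" \
    --resolve "${DOMAIN_NAME}:80:${ip}" \
    "${url}" -o /dev/null -w "%{http_code}" 2>/dev/null || echo "000")
  code=$(printf '%s' "${code}" | tr -dc '0-9' | head -c 3)
  printf '%s' "${code:-000}"
}

for ((attempt = 1; attempt <= HTTP_MAX_ATTEMPTS; attempt++)); do
  # Resolve through a public resolver so we test what the outside world sees.
  RESOLVED_IP=$(dig +short A "${DOMAIN_NAME}" @8.8.8.8 2>/dev/null \
    | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1 || true)

  if [[ -n "${RESOLVED_IP}" ]]; then
    HTTP_CODE=$(probe_http_code "${APP_URL}/" "${RESOLVED_IP}")

    # HTTPS not answering 2xx/3xx yet (typically the certificate is still
    # pending) — retry over plain HTTP so a working vhost is still reported.
    if [[ ! "${HTTP_CODE}" =~ ^[23] ]]; then
      HTTP_CODE=$(probe_http_code "http://${DOMAIN_NAME}/" "${RESOLVED_IP}")
    fi

    HTTP_CODE_LAST="${HTTP_CODE}"
    if [[ "${HTTP_CODE}" =~ ^[23] ]]; then
      HTTP_OK=true
      echo "[14/14] HTTP OK (${HTTP_CODE}, intento ${attempt})" >&2
      break
    fi
    echo "[14/14] HTTP intento ${attempt}/${HTTP_MAX_ATTEMPTS}: ${HTTP_CODE}" >&2
  else
    echo "[14/14] HTTP intento ${attempt}/${HTTP_MAX_ATTEMPTS}: DNS sin resolver" >&2
  fi
  # FIX: no pointless 8 s wait after the final attempt.
  if (( attempt < HTTP_MAX_ATTEMPTS )); then
    sleep 8
  fi
done

if [[ "${HTTP_OK}" != true ]]; then
  echo "[14/14] WARN: HTTP no responde 2xx/3xx tras ${HTTP_MAX_ATTEMPTS} intentos (último: ${HTTP_CODE_LAST})" >&2
  echo "[14/14]       Sitio puede demorar 1-2 min adicionales." >&2
fi

# Informational only: fetch the served leaf certificate's subject via SNI.
# This does NOT verify the chain or expiry and only looks at the subject (not
# the SAN list); any certificate naming bewpro.com — e.g. the host's default
# vhost cert — also passes. Treat it as "some cert for this name is served",
# not as a trust check.
SSL_SUBJECT=$(echo | timeout 8 openssl s_client \
    -connect "${DOMAIN_NAME}:443" \
    -servername "${DOMAIN_NAME}" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null || true)

# FIX: fixed-string match. DOMAIN_NAME comes from the command line and was
# previously interpolated unescaped into an -E regex.
if grep -qiF -e "${DOMAIN_NAME}" -e "bewpro.com" <<<"${SSL_SUBJECT}"; then
  echo "[14/14] SSL bound OK al dominio ✓" >&2
else
  echo "[14/14] INFO: SSL se validará cuando propague el DNS / acme.sh termine" >&2
fi

if [[ "${HTTP_OK}" == true ]]; then
  echo "[14/14] ✅ Validación post-provision OK" >&2
else
  echo "[14/14] ⚠️  Validación con warnings (sitio responderá en breve, flujo sigue)" >&2
fi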

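########################################
# END
########################################

echo "=========================================" >&2
echo " PROYECTO CONFIGURADO EXITOSAMENTE"       >&2
echo " URL: ${APP_URL}"                         >&2
echo " Usuario HestiaCP: ${USERNAME}"           >&2
echo " DB: ${REAL_DB_NAME}"                     >&2
echo " Web Root: ${WEB_ROOT}"                   >&2
if [[ "${HTTP_OK}" != true ]]; then
  echo " ⚠️  Validación HTTP soft-fail (sitio cargando)" >&2
fi
echo "=========================================" >&2

# Put the tenant account back on a non-interactive shell when the caller asked
# for it (RESTORE_SHELL=true; presumably the shell was opened earlier in the
# script so git/composer could run as the user). NOTE(security): because the
# script runs under `set -e`, an abort before this point leaves the account
# with whatever shell it had at that moment — an EXIT trap near the top of the
# file would make the restore unconditional.
if [[ "${RESTORE_SHELL:-false}" == "true" ]]; then
  # FIX: report failure instead of claiming success. A tenant left with an
  # interactive shell is a privilege the operator needs to know about.
  if chsh -s /usr/sbin/nologin "${USERNAME}" 2>/dev/null; then
    echo "Shell restaurado a nologin para ${USERNAME}." >&2
  else
    echo "WARN: no se pudo restaurar el shell a nologin para ${USERNAME} — revisar manualmente." >&2
  fi
fi

# IMPORTANT: last line — stdout must carry only the URL for the orchestrator;
# everything else in this script goes to stderr.
echo "${APP_URL}"
exit 0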
