xamxam/nginx/deploy-production.sh

#!/bin/bash
# Deploy production nginx configuration and fix permissions for Post-ERG

set -e

echo "🚀 Post-ERG Production Deployment"
echo "=================================="
echo ""

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Check if running as root
if [ "$EUID" -ne 0 ]; then 
    echo -e "${RED}Error: This script must be run as root (use sudo)${NC}"
    exit 1
fi

echo "📋 Step 1: Fixing file permissions..."
echo "--------------------------------------"

# Change group to posterg (www-data is member of this group)
chown -R theophile:posterg /var/www/html/
echo "✓ Changed group to posterg"

# Set directory permissions (755 - readable/executable by everyone)
find /var/www/html -type d -exec chmod 755 {} \;
echo "✓ Set directory permissions to 755"

# Set file permissions (640 - owner read/write, group read)
find /var/www/html -type f -exec chmod 640 {} \;
echo "✓ Set file permissions to 640"

# Make upload directories writable by group (for www-data to write)
if [ -d "/var/www/html/formulaire/data/theses" ]; then
    chmod 775 /var/www/html/formulaire/data/theses
    chmod 775 /var/www/html/formulaire/data/covers
    echo "✓ Set upload directories to 775"
fi

# Protect database if it exists
if [ -f "/var/www/html/storage/posterg.db" ]; then
    chmod 660 /var/www/html/storage/posterg.db
    chown www-data:posterg /var/www/html/storage/posterg.db
    echo "✓ Protected database file"
fi

echo ""
echo "📋 Step 2: Checking prerequisites..."
echo "--------------------------------------"

# Check if htpasswd is available
if ! command -v htpasswd &> /dev/null; then
    echo -e "${YELLOW}⚠️  htpasswd not found, installing apache2-utils...${NC}"
    apt-get update -qq
    apt-get install -y apache2-utils
    echo -e "${GREEN}✓ apache2-utils installed${NC}"
fi

# Check if htpasswd file exists
if [ ! -f "/etc/nginx/.htpasswd-posterg" ]; then
    echo -e "${YELLOW}⚠️  Warning: /etc/nginx/.htpasswd-posterg not found${NC}"
    echo "   Creating it now..."
    echo ""
    echo "Please enter admin username:"
    read -r ADMIN_USER
    htpasswd -c /etc/nginx/.htpasswd-posterg "$ADMIN_USER"
    echo -e "${GREEN}✓ Password file created${NC}"
    echo ""
else
    echo "✓ Password file exists"
fi

# Check if config file was uploaded
if [ ! -f "/tmp/posterg.conf" ]; then
    echo -e "${RED}✗ Error: /tmp/posterg.conf not found${NC}"
    echo "Please upload it first: rsync -vur ./nginx/posterg-production.conf posterg:/tmp/posterg.conf"
    exit 1
fi

echo ""
echo "📋 Step 3: Installing nginx configuration..."
echo "--------------------------------------"

# Backup existing config if it exists
if [ -f "/etc/nginx/sites-available/posterg" ]; then
    cp /etc/nginx/sites-available/posterg /etc/nginx/sites-available/posterg.backup.$(date +%Y%m%d_%H%M%S)
    echo "✓ Backed up existing config"
fi

# Copy new configuration
cp /tmp/posterg.conf /etc/nginx/sites-available/posterg
echo "✓ Installed configuration to /etc/nginx/sites-available/posterg"

# Create symlink
if [ ! -L "/etc/nginx/sites-enabled/posterg" ]; then
    ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/posterg
    echo "✓ Created symlink in sites-enabled"
else
    echo "✓ Symlink already exists"
fi

# Remove default site
if [ -L "/etc/nginx/sites-enabled/default" ]; then
    rm /etc/nginx/sites-enabled/default
    echo "✓ Disabled default site"
fi

echo ""
echo "📋 Step 4: Testing nginx configuration..."
echo "--------------------------------------"

if nginx -t; then
    echo -e "${GREEN}✓ Nginx configuration is valid${NC}"
else
    echo -e "${RED}✗ Nginx configuration has errors!${NC}"
    echo "Restoring backup..."
    if ls /etc/nginx/sites-available/posterg.backup* 1> /dev/null 2>&1; then
        BACKUP=$(ls -t /etc/nginx/sites-available/posterg.backup* | head -1)
        cp "$BACKUP" /etc/nginx/sites-available/posterg
        echo "Configuration restored from backup"
    fi
    exit 1
fi

echo ""
echo "📋 Step 5: Reloading nginx..."
echo "--------------------------------------"

if systemctl reload nginx; then
    echo -e "${GREEN}✓ Nginx reloaded successfully${NC}"
else
    echo -e "${RED}✗ Failed to reload nginx${NC}"
    exit 1
fi

echo ""
echo "📋 Step 6: Verifying services..."
echo "--------------------------------------"

# Check PHP-FPM
if systemctl is-active --quiet php8.4-fpm; then
    echo -e "${GREEN}✓ PHP 8.4-FPM is running${NC}"
else
    echo -e "${YELLOW}⚠️  PHP-FPM is not running, starting it...${NC}"
    systemctl start php8.4-fpm
    systemctl enable php8.4-fpm
    echo -e "${GREEN}✓ PHP-FPM started${NC}"
fi

# Check nginx
if systemctl is-active --quiet nginx; then
    echo -e "${GREEN}✓ Nginx is running${NC}"
else
    echo -e "${RED}✗ Nginx is not running!${NC}"
    exit 1
fi

echo ""
echo "═══════════════════════════════════════"
echo -e "${GREEN}✅ Deployment Complete!${NC}"
echo "═══════════════════════════════════════"
echo ""
echo "🧪 Quick Tests:"
echo "  • Test public site:  curl -I http://localhost/"
echo "  • Test admin panel:  curl -I http://localhost/formulaire/"
echo "  • Test PHP:          curl http://localhost/index.php"
echo ""
echo "📊 View logs:"
echo "  • Access log:  tail -f /var/log/nginx/posterg_access.log"
echo "  • Error log:   tail -f /var/log/nginx/posterg_error.log"
echo ""
echo "🔒 Security Checks:"
echo "  • Database blocked:  curl -I http://localhost/storage/posterg.db"
echo "  • MD files blocked:  curl -I http://localhost/README.md"
echo "  • Source blocked:    curl -I http://localhost/src/Database.php"
echo "  • Templates blocked: curl -I http://localhost/templates/header.php"
echo "  • Config blocked:    curl -I http://localhost/config/bootstrap.php"
echo ""