From 7556ed75f5fd65ce56396ce5f638e09b5939dbb7 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 6 Jun 2026 12:27:11 -0400
Subject: [PATCH] tangle-deploy: substitute CROWDSEC_LAPI_KEY from .env + verify after deploy
---
 tangle-deploy.sh | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/tangle-deploy.sh b/tangle-deploy.sh
index d46ec96..e19d36c 100644
--- a/tangle-deploy.sh
+++ b/tangle-deploy.sh
@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
-# tangle-deploy — Tangle infrastructure.org and restart affected services
-GITEA_URL='http://amr:tangle-deploy-2026@10.10.10.201:3001/amr/infrastructure.git'
+GITEA_URL='ssh://git@git.gharbeia.net:2222/amr/infrastructure.git'
 REPO_DIR="${1:-/docker/compose/infrastructure}"
 ORG_FILE="${REPO_DIR}/infrastructure.org"
 if [ -z "${1:-}" ]; then
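Review bot: The removed `GITEA_URL` line carried a username and password inline in the http URL, and that value stays in this repository's history after the switch to SSH; unless the Gitea credential is rotated (or history rewritten), the change only stops new checkouts from using it, so it is worth confirming the rotation happened alongside this commit. The script's one-line header comment was dropped together with that URL and not replaced, leaving the file with no statement of purpose; restoring `# tangle-deploy — tangle infrastructure.org and restart affected services` under the shebang keeps that documentation. The SSH form presumably also depends on a key for `git@git.gharbeia.net` being available to whichever user runs the deploy, which the hunk does not show.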
@@ -18,14 +17,33 @@ echo "=== Tangling $ORG_FILE ==="
 emacs --batch -Q --load /usr/share/emacs/28.2/lisp/org/org-loaddefs.el \
 --eval "(require 'org)" \
 --eval "(org-babel-tangle-file \"$ORG_FILE\")" 2>&1
+# Substitute env vars in tangled files
+# Read key from .env directly (avoid sourcing due to quoting issues in other vars)
+CROWDSEC_LAPI_KEY=$(grep ^CROWDSEC_LAPI_KEY /docker/compose/.env | cut -d= -f2-)
+if [ -z "$CROWDSEC_LAPI_KEY" ] || [ "$CROWDSEC_LAPI_KEY" = "__CROWDSEC_LAPI_KEY__" ]; then
+ echo "ERROR: CROWDSEC_LAPI_KEY not set or still a placeholder in .env!"
+ exit 1
+fi
+sed -i "s|__CROWDSEC_LAPI_KEY__|${CROWDSEC_LAPI_KEY}|g" /docker/appdata/traefik/dynamic.yaml
 echo "=== Restarting services ==="
 cd /docker/compose
-if [ -f /docker/compose/traefik-static.yaml ] || \
- [ -f /docker/compose/traefik-internal.yaml ] || \
- [ -f /docker/compose/traefik-internal-noauth.yaml ] || \
- [ -f /docker/compose/traefik-dynamic.yaml ]; then
+if [ -f /docker/appdata/traefik/traefik.yaml ] || \
+ [ -f /docker/appdata/traefik/internal.yaml ] || \
+ [ -f /docker/appdata/traefik/internal-noauth.yaml ] || \
+ [ -f /docker/appdata/traefik/dynamic.yaml ]; then
 echo 'Traefik config changed -- restarting...'
 docker compose up -d traefik
+ # Verify CrowdSec bouncer is working after restart
+ sleep 2
+ STATUS=$(docker exec traefik wget -q -O /dev/null -S http://traefik:8081/application/o/authorize/ --header="Host: auth.gharbeia.net" 2>&1 | head -1 | awk '{print $2}')
+ if [ "$STATUS" = "403" ]; then
+ echo "WARNING: auth.gharbeia.net still returns 403 after deploy!"
+ echo " CrowdSec bouncer may have a bad API key."
+ echo " Run: docker exec crowdsec cscli bouncers add traefik-bouncer"
+ echo " Then update CROWDSEC_LAPI_KEY in /docker/compose/.env and re-deploy."
+ else
+ echo "OK: auth.gharbeia.net returns $STATUS (expected: 400)"
+ fi
 fi
 if [ -f /docker/compose/docker-compose.yaml ]; then
 echo 'Docker compose changed -- restarting all services'
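Review bot: The post-restart check on the new `STATUS` lines reports success for anything that is not 403, so an empty `STATUS` (wget unable to connect while traefik is still starting after the fixed `sleep 2`, or `-q` suppressing the header line — worth confirming for the wget build inside the container) is printed as `OK: auth.gharbeia.net returns  (expected: 400)`; branching on 400 / 403 / anything-else and sending the warnings to stderr closes that gap. Separately, `grep ^CROWDSEC_LAPI_KEY` also matches any longer variable sharing that prefix and keeps surrounding quotes from .env in the value, and the `sed` replacement interprets `&`, `\` and `|` in the key, so anchoring the pattern as `grep '^CROWDSEC_LAPI_KEY=' /docker/compose/.env | head -n1` and stripping quotes before the substitution would make the deploy deterministic. No `set -e` is visible in the header hunk, so a failed `sed -i` on dynamic.yaml would not stop the restart that follows — worth confirming against the lines between the hunks.
```shell
  # … unchanged: docker compose up -d traefik …
  sleep 2
  STATUS=$(docker exec traefik wget -q -O /dev/null -S http://traefik:8081/application/o/authorize/ --header="Host: auth.gharbeia.net" 2>&1 | head -1 | awk '{print $2}')
  case "$STATUS" in
    400) echo "OK: auth.gharbeia.net returns $STATUS (expected: 400)" ;;
    403) echo "WARNING: auth.gharbeia.net still returns 403 after deploy!" >&2
         # … unchanged: the three remediation-hint echo lines …
         ;;
    *)   echo "WARNING: could not verify auth.gharbeia.net (got '$STATUS', expected 400)" >&2 ;;
  esac
```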