studio/services/proxy/deploy.sh

#!/bin/bash
# Deploy tinqs-proxy on Lightsail (replaces Caddy).
# Run as: ssh ubuntu@46.51.144.31 'bash -s' < proxy/deploy.sh
#
# Prerequisites: binary already built by Gitea Actions or manually:
#   cd proxy && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o tinqs-proxy-linux-amd64 .
#   scp tinqs-proxy-linux-amd64 ubuntu@46.51.144.31:/tmp/

set -euo pipefail

BIN=/usr/local/bin/tinqs-proxy
SVC=/etc/systemd/system/tinqs-proxy.service
CERT_DIR=/var/lib/tinqs-proxy/certs

echo "=== tinqs-proxy deploy ==="

# 1. Create cert dir
sudo mkdir -p "$CERT_DIR"
sudo chown ubuntu:ubuntu "$CERT_DIR"

# 2. Install binary (from Gitea Actions output or manual upload)
SRC="$HOME/bot-arikigame/public/proxy/releases/tinqs-proxy-linux-amd64"
if [ ! -f "$SRC" ]; then
  SRC="/tmp/tinqs-proxy-linux-amd64"
fi
if [ ! -f "$SRC" ]; then
  echo "ERROR: no binary found at ~/bot-arikigame/public/proxy/releases/ or /tmp/"
  exit 1
fi
sudo cp "$SRC" "$BIN"
sudo chmod +x "$BIN"
echo "OK binary: $BIN"

# 3. Install systemd unit
cat <<'UNIT' | sudo tee "$SVC" > /dev/null
[Unit]
Description=tinqs-proxy — TLS reverse proxy for *.arikigame.com
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/tinqs-proxy
Restart=always
RestartSec=3
Environment=CERT_DIR=/var/lib/tinqs-proxy/certs
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
User=ubuntu
Group=ubuntu
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/var/lib/tinqs-proxy

[Install]
WantedBy=multi-user.target
UNIT
echo "OK systemd unit"

# 4. Stop Caddy (free ports 80/443)
if systemctl is-active --quiet caddy; then
  sudo systemctl stop caddy
  sudo systemctl disable caddy
  echo "OK stopped + disabled caddy"
else
  echo "OK caddy not running"
fi

# 5. Start tinqs-proxy
sudo systemctl daemon-reload
sudo systemctl enable tinqs-proxy
sudo systemctl start tinqs-proxy
sleep 2

if systemctl is-active --quiet tinqs-proxy; then
  echo "OK tinqs-proxy is running"
  sudo journalctl -u tinqs-proxy --no-pager -n 5
else
  echo "FAIL tinqs-proxy did not start"
  sudo journalctl -u tinqs-proxy --no-pager -n 20
  exit 1
fi

echo ""
echo "=== Done. Caddy disabled, tinqs-proxy active. ==="
echo "Test: curl -I https://git.arikigame.com"
echo "Rollback: sudo systemctl stop tinqs-proxy  # Caddy fully removed 2026-04-27"