DECNET/decnet/templates/https/entrypoint.sh
anti f2b3393669 chore: relicense to AGPL-3.0-or-later and add SPDX headers
Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.
2026-05-22 21:04:16 -04:00


#!/bin/bash
# SPDX-License-Identifier: AGPL-3.0-or-later
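set -e

# Directory that holds TLS material written or generated by this entrypoint.
TLS_DIR="/opt/tls"
mkdir -p "$TLS_DIR"

# TLS_CERT/TLS_KEY may arrive as either a host-side path OR raw PEM content.
# Every PEM block opens with "-----BEGIN <label>-----", so the dashes are part
# of the match: a path that merely contains the text "BEGIN " is then still
# treated as a path instead of being written to disk as certificate content.
case "$TLS_CERT" in
  *'-----BEGIN '*)
    printf '%s' "$TLS_CERT" > "$TLS_DIR/cert.pem"
    CERT="$TLS_DIR/cert.pem"
    ;;
  *)
    # Path form, or unset/empty: fall back to the default location.
    CERT="${TLS_CERT:-$TLS_DIR/cert.pem}"
    ;;
esac

case "$TLS_KEY" in
  *'-----BEGIN '*)
    # Create the key under a restrictive umask so it is never readable by
    # other users between creation and the chmod below. The subshell keeps
    # the umask change from leaking into the rest of the script.
    ( umask 077; printf '%s' "$TLS_KEY" > "$TLS_DIR/key.pem" )
    # Still required: ">" keeps the mode of a key file that already existed.
    chmod 600 "$TLS_DIR/key.pem"
    KEY="$TLS_DIR/key.pem"
    ;;
  *)
    KEY="${TLS_KEY:-$TLS_DIR/key.pem}"
    ;;
esac
# NOTE(review): when the key arrived as PEM text it stays in this process's
# environment and is inherited by every child started later in the script.
# Unsetting TLS_KEY here would limit that exposure — confirm first that
# nothing downstream reads it.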
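# Generate a self-signed certificate when either half of the pair is missing.
# NOTE(review): if only one of the two files exists, BOTH paths are rewritten,
# which would replace an operator-supplied file — confirm that is intended.
if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then
  # Subject CN: explicit TLS_CN, else the node name, else "localhost".
  # The value is placed into -subj verbatim, where "/" separates subject
  # components, so a "/" inside it adds further fields to the subject.
  CN="${TLS_CN:-${NODE_NAME:-localhost}}"

  # openssl's progress output stays hidden on success, but its stderr is kept
  # and printed on failure so the container does not exit under `set -e`
  # without any diagnostic.
  if ! openssl_err=$(openssl req -x509 -newkey rsa:2048 -nodes \
      -keyout "$KEY" -out "$CERT" \
      -days 3650 -subj "/CN=$CN" \
      2>&1 >/dev/null); then
    printf 'TLS certificate generation failed: %s\n' "$openssl_err" >&2
    exit 1
  fi

  # -nodes leaves the private key unencrypted on disk; enforce owner-only
  # access explicitly rather than relying on the ambient umask.
  chmod 600 "$KEY"
fi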
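# Parse HTTP_VERSIONS JSON → Caddy protocol tokens.
# Caddy handles h3 natively; h3 SETTINGS are captured via FPHandler (http3.Settingser).
#
# HTTP_VERSIONS is expected to hold a JSON array such as ["http/1.1","http/2"];
# when unset it defaults to HTTP/1.1 only. The result is a space-separated
# subset of "h1 h2 h3" (never empty: "h1" is the fallback). Only those three
# fixed tokens can be printed, so nothing from the environment value itself is
# passed on into the generated Caddyfile.
CADDY_PROTOCOLS=$(python3 -c "
import json, os, sys

raw = os.environ.get('HTTP_VERSIONS', '[\"http/1.1\"]')
try:
    versions = json.loads(raw)
except ValueError:
    # One-line diagnostic and a non-zero exit instead of a traceback.
    sys.exit('HTTP_VERSIONS is not valid JSON')

# Ordered (version name, Caddy token) pairs; unknown names are ignored.
known = (('http/1.1', 'h1'), ('http/2', 'h2'), ('http/3', 'h3'))
tokens = [token for name, token in known if name in versions]
print(' '.join(tokens) if tokens else 'h1')
")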
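# Unix socket path used by the decnet_fp listener wrapper; overridable via env.
DECNET_FP_SOCK="${DECNET_FP_SOCK:-/run/decnet/fp.sock}"
# Remove stale socket from a previous run
rm -f -- "$DECNET_FP_SOCK"

# CERT and KEY are expanded into the Caddyfile below as bare tokens. The
# Caddyfile splits tokens on whitespace, so a value containing a space, tab or
# newline would turn into extra arguments or extra directives in the generated
# config. Fail closed instead of writing such a file.
for tls_path in "$CERT" "$KEY"; do
  case "$tls_path" in
    *[[:space:]]*)
      printf '%s\n' 'TLS certificate/key path contains whitespace; refusing to write Caddyfile' >&2
      exit 1
      ;;
  esac
done

# Generated Caddy config:
#   - admin off: the admin API endpoint is disabled.
#   - :443 terminates TLS with CERT/KEY, passes connections through the
#     decnet_fp listener wrapper and handler, then proxies to the local
#     backend on 127.0.0.1:8443.
# The heredoc delimiter is unquoted on purpose so the three variables expand.
cat > /etc/caddy/Caddyfile <<EOF
{
    admin off
    servers :443 {
        protocols ${CADDY_PROTOCOLS}
        listener_wrappers {
            decnet_fp
        }
    }
}
:443 {
    tls ${CERT} ${KEY}
    route {
        decnet_fp
        reverse_proxy 127.0.0.1:8443
    }
}
EOF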
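# Start the backend in the background and remember its PID so it can be
# stopped if it never becomes reachable.
python3 /opt/server.py &
FLASK_PID=$!

# Wait for Flask to be ready before handing off to Caddy.
# Up to 80 connection attempts to 127.0.0.1:8443, each with a 0.25 s connect
# timeout and a 0.1 s pause after a failure; exits 0 on the first success.
if ! python3 -c "
import socket, sys, time

for _ in range(80):
    try:
        socket.create_connection(('127.0.0.1', 8443), timeout=0.25).close()
        sys.exit(0)
    except OSError:
        time.sleep(0.1)
print('Flask did not bind to :8443 in time', file=sys.stderr)
sys.exit(1)
"; then
  # Diagnostics go to stderr; the PID is quoted so an empty value cannot
  # change what kill is asked to signal.
  echo 'Flask startup failed — aborting' >&2
  kill "$FLASK_PID" 2>/dev/null || true
  exit 1
fi

# Replace this shell with Caddy so it receives the container's signals.
# NOTE(review): after exec nothing supervises the backend process; if it dies
# later, Caddy keeps listening on :443 — confirm that is acceptable.
exec caddy run --config /etc/caddy/Caddyfile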