diff --git a/scripts/03_generate_secrets.sh b/scripts/03_generate_secrets.sh
index 36384c1..7f3c3bf 100755
--- a/scripts/03_generate_secrets.sh
+++ b/scripts/03_generate_secrets.sh
@@ -275,44 +275,6 @@ fi
 # Ensure N8N_WORKER_COUNT is definitely set (should be by logic above)
 N8N_WORKER_COUNT="${N8N_WORKER_COUNT:-1}"
-# Cloudflare Tunnel Token (optional)
-echo ""
-echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-echo "Cloudflare Tunnel Configuration (Optional)"
-echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-echo ""
-echo "Cloudflare Tunnel provides secure zero-trust access to your services"
-echo "without exposing ports 80/443 on your server."
-echo ""
-echo "To set up:"
-echo "1. Create a tunnel at https://one.dash.cloudflare.com/"
-echo "3. Copy the tunnel token"
-echo ""
-
-if [[ -v existing_env_vars[CLOUDFLARE_TUNNEL_TOKEN] ]]; then
- CLOUDFLARE_TUNNEL_TOKEN="${existing_env_vars[CLOUDFLARE_TUNNEL_TOKEN]}"
- if [[ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]]; then
- log_info "Found existing Cloudflare Tunnel Token in .env"
- else
- log_info "Found empty Cloudflare Tunnel Token in .env. You can provide one now or leave empty."
- echo ""
- read -p "Cloudflare Tunnel Token (leave empty to skip): " CLOUDFLARE_TUNNEL_TOKEN
- fi
-else
- echo ""
- read -p "Cloudflare Tunnel Token (leave empty to skip): " CLOUDFLARE_TUNNEL_TOKEN
-fi
-
-if [ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]; then
- log_success "Cloudflare Tunnel Token configured"
- echo ""
- echo "🔒 After confirming the tunnel works, enhance security by:"
- echo " Closing ports 80, 443, and 7687 in your VPS firewall"
- echo " Example: sudo ufw delete allow 80/tcp"
- echo ""
-else
- log_info "Cloudflare Tunnel skipped - you can enable it later in the service selection wizard"
-fi
 log_info "Generating secrets and creating .env file..."
@@ -416,10 +378,6 @@ if [[ -n "$OPENAI_API_KEY" ]]; then
 generated_values["OPENAI_API_KEY"]="$OPENAI_API_KEY"
 fi
-if [[ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]]; then
- generated_values["CLOUDFLARE_TUNNEL_TOKEN"]="$CLOUDFLARE_TUNNEL_TOKEN"
-fi
-
 # Create a temporary file for processing
 TMP_ENV_FILE=$(mktemp)
 # Ensure temp file is cleaned up on exit
@@ -434,7 +392,6 @@ found_vars["RUN_N8N_IMPORT"]=0
 found_vars["PROMETHEUS_USERNAME"]=0
 found_vars["SEARXNG_USERNAME"]=0
 found_vars["OPENAI_API_KEY"]=0
-found_vars["CLOUDFLARE_TUNNEL_TOKEN"]=0
 found_vars["LANGFUSE_INIT_USER_EMAIL"]=0
 found_vars["N8N_WORKER_COUNT"]=0
 found_vars["WEAVIATE_USERNAME"]=0
@@ -569,7 +526,7 @@ if [[ -z "${generated_values[SERVICE_ROLE_KEY]}" ]]; then
 fi
 # Add any custom variables that weren't found in the template
-for var in "FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "OPENAI_API_KEY" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "RAGAPP_USERNAME" "CLOUDFLARE_TUNNEL_TOKEN"; do
+for var in "FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "OPENAI_API_KEY" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "RAGAPP_USERNAME"; do
 if [[ ${found_vars["$var"]} -eq 0 && -v generated_values["$var"] ]]; then
 # Before appending, check if it's already in TMP_ENV_FILE to avoid duplicates
 if ! grep -q -E "^${var}=" "$TMP_ENV_FILE"; then
diff --git a/scripts/04_wizard.sh b/scripts/04_wizard.sh
index 0985476..a802141 100755
--- a/scripts/04_wizard.sh
+++ b/scripts/04_wizard.sh
@@ -228,6 +228,46 @@ if [ ! -f "$ENV_FILE" ]; then
 touch "$ENV_FILE"
 fi
+# If Cloudflare Tunnel is selected, prompt for the token and write to .env
+cloudflare_selected=0
+for profile in "${selected_profiles[@]}"; do
+ if [ "$profile" == "cloudflare-tunnel" ]; then
+ cloudflare_selected=1
+ break
+ fi
+done
+
+if [ $cloudflare_selected -eq 1 ]; then
+ existing_cf_token=""
+ if grep -q "^CLOUDFLARE_TUNNEL_TOKEN=" "$ENV_FILE"; then
+ existing_cf_token=$(grep "^CLOUDFLARE_TUNNEL_TOKEN=" "$ENV_FILE" | cut -d'=' -f2- | sed 's/^\"//' | sed 's/\"$//')
+ fi
+
+ if [ -n "$existing_cf_token" ]; then
+ log_info "Cloudflare Tunnel token found in .env; reusing it."
+ # Do not prompt; keep existing token as-is
+ else
+ log_info "Cloudflare Tunnel selected. Please provide your Cloudflare Tunnel token."
+ echo ""
+ read -p "Cloudflare Tunnel Token: " input_cf_token
+ token_to_write="$input_cf_token"
+
+ # Update the .env with the token (may be empty if user skipped)
+ if grep -q "^CLOUDFLARE_TUNNEL_TOKEN=" "$ENV_FILE"; then
+ sed -i.bak "/^CLOUDFLARE_TUNNEL_TOKEN=/d" "$ENV_FILE"
+ fi
+ echo "CLOUDFLARE_TUNNEL_TOKEN=\"$token_to_write\"" >> "$ENV_FILE"
+
+ if [ -n "$token_to_write" ]; then
+ log_success "Cloudflare Tunnel token saved to .env."
+ echo ""
+ echo "🔒 After confirming the tunnel works, consider closing ports 80, 443, and 7687 in your firewall."
+ else
+ log_warning "Cloudflare Tunnel token was left empty. You can set it later in .env."
+ fi
+ fi
+fi
+
 # Remove existing COMPOSE_PROFILES line if it exists
 if grep -q "^COMPOSE_PROFILES=" "$ENV_FILE"; then
 # Using a different delimiter for sed because a profile name might contain '/' (unlikely here)
diff --git a/scripts/06_final_report.sh b/scripts/06_final_report.sh
index 0197eba..bc05644 100755
--- a/scripts/06_final_report.sh
+++ b/scripts/06_final_report.sh
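Review bot: The prompt `read -p "Cloudflare Tunnel Token: " input_cf_token` reads a secret with terminal echo and without `-r`, so the token ends up in the terminal scrollback and any backslash in it is reinterpreted; `read -rs -p "Cloudflare Tunnel Token: " input_cf_token; echo ""` keeps the value while not displaying it. A few lines later `sed -i.bak "/^CLOUDFLARE_TUNNEL_TOKEN=/d" "$ENV_FILE"` leaves `$ENV_FILE.bak`, a complete copy of the secrets file, on disk after the wizard finishes; if the suffix is only there for BSD/macOS sed compatibility, follow the `fi` with `rm -f -- "$ENV_FILE.bak"`. The `grep | cut | sed` chain that fills `existing_cf_token` returns several lines when .env already has duplicate `CLOUDFLARE_TUNNEL_TOKEN=` entries, and the `echo "CLOUDFLARE_TUNNEL_TOKEN=\"$token_to_write\""` write does not escape a `"` or `$` inside the token; `printf 'CLOUDFLARE_TUNNEL_TOKEN="%s"\n' "$token_to_write" >> "$ENV_FILE"` at least avoids echo's option handling, and a comment such as `# token is written unescaped; values containing '"' or '$' will break .env parsing` should mark the remaining limitation. The `touch "$ENV_FILE"` in the leading context creates the file with the caller's umask, which is pre-existing behaviour but now also decides who can read the token appended here.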
@@ -287,7 +287,7 @@ log_info "To update the services, run the 'update.sh' script: bash ./scripts/upd
 # ============================================
 # Cloudflare Tunnel Security Notice
 # ============================================
-if is_profile_active "cloudflare-tunnel" && [ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]; then
+if is_profile_active "cloudflare-tunnel"; then
 echo ""
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo "🔒 CLOUDFLARE TUNNEL SECURITY"
@@ -304,10 +304,6 @@ if is_profile_active "cloudflare-tunnel" && [ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]; t
 echo " • Port 443 (HTTPS)"
 echo " • Port 7687 (Neo4j Bolt)"
 echo ""
- echo " Example commands:"
- echo " └─ UFW: sudo ufw delete allow 80/tcp && sudo ufw delete allow 443/tcp"
- echo " └─ IPtables: sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT"
- echo ""
 echo " ⚠️ Only close ports AFTER confirming tunnel connectivity!"
 echo ""
 fi
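Review bot: Dropping `[ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]` from the condition means the notice advising the operator to close ports 80, 443 and 7687 now prints whenever the cloudflare-tunnel profile is active, including the case the wizard in this same commit explicitly permits, where the token was left empty and no tunnel can come up; an operator who follows the advice in that state loses access to the services with nothing to replace it. If the variable is no longer in scope in this script, gate on the stored value instead, e.g. `if is_profile_active "cloudflare-tunnel" && grep -qE '^CLOUDFLARE_TUNNEL_TOKEN="?[^"]+' "$ENV_FILE"; then` (this assumes `$ENV_FILE` is defined here as it is in 04_wizard.sh; otherwise use whatever path this script already reads .env from), or print a separate warning that the token is missing. The body of this `if` continues past the first hunk; the second hunk only removes example lines and needs no change.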