Harden quarantine provisioning; enforce strict permissions and update Ansible and docs
88
scripts/rollout_enable_blocking.sh
Normal file
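--- /dev/null
+++ b/scripts/rollout_enable_blocking.sh
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+# Controlled rollout helper to enable blocking mode by swapping in a blocking config.
+# Usage: sudo ./scripts/rollout_enable_blocking.sh [--dry-run] [--confirm]
+
+set -euo pipefail
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+ACTIVE_CFG="$ROOT_DIR/upload-logger.json"
+PROD_CFG="$ROOT_DIR/config/upload-logger.prod.json"
+BLOCK_CFG="$ROOT_DIR/config/upload-logger.blocking.json"
+BACKUP_DIR="$ROOT_DIR/config/backups"
+DRY_RUN=0
+CONFIRM=0
+
+for arg in "$@"; do
+case "$arg" in
+--dry-run) DRY_RUN=1 ;;
+--confirm) CONFIRM=1 ;;
+-h|--help)
+echo "Usage: $0 [--dry-run] [--confirm]"
+exit 0 ;;
+esac
+done
+
+if [[ ! -f "$BLOCK_CFG" ]]; then
+echo "Blocking config not found: $BLOCK_CFG" >&2
+exit 2
+fi
+
+if [[ ! -f "$PROD_CFG" ]]; then
+echo "Prod config not found: $PROD_CFG" >&2
+exit 2
+fi
+
+if [[ $DRY_RUN -eq 1 ]]; then
+echo "DRY RUN: Would replace $ACTIVE_CFG with $BLOCK_CFG"
+echo "DRY RUN: Would reload PHP-FPM (if present)"
+exit 0
+fi
+
+if [[ $CONFIRM -ne 1 ]]; then
+echo "This will replace $ACTIVE_CFG with the blocking config and reload PHP-FPM."
+echo "Run with --confirm to proceed, or --dry-run to preview."
+exit 1
+fi
+
+mkdir -p "$BACKUP_DIR"
+TS=$(date +%Y%m%dT%H%M%S)
+if [[ -f "$ACTIVE_CFG" ]]; then
+cp -a "$ACTIVE_CFG" "$BACKUP_DIR/upload-logger.json.bak.$TS"
+echo "Backed up current config to $BACKUP_DIR/upload-logger.json.bak.$TS"
+fi
+
+cp -a "$BLOCK_CFG" "$ACTIVE_CFG"
+echo "Copied blocking config to $ACTIVE_CFG"
+
+# Try to reload PHP-FPM gracefully using common service names
+RELOADED=0
+if command -v systemctl >/dev/null 2>&1; then
+for svc in php-fpm php7.4-fpm php8.0-fpm php8.1-fpm php8.2-fpm; do
+if systemctl list-units --full -all | grep -q "^${svc}\.service"; then
+echo "Reloading $svc"
+systemctl reload "$svc" || systemctl restart "$svc"
+RELOADED=1
+break
+fi
+done
+fi
+
+if [[ $RELOADED -eq 0 ]]; then
+if command -v service >/dev/null 2>&1; then
+for svc in php7.4-fpm php8.0-fpm php8.1-fpm php8.2-fpm php-fpm; do
+if service --status-all 2>&1 | grep -q "$svc"; then
+echo "Reloading $svc via service"
+service "$svc" reload || service "$svc" restart
+RELOADED=1
+break
+fi
+done
+fi
+fi
+
+if [[ $RELOADED -eq 0 ]]; then
+echo "Warning: could not detect PHP-FPM service to reload. Please reload PHP-FPM manually."
+else
+echo "PHP-FPM reloaded; blocking config is active."
+fi
+
+echo "Rollout complete. Monitor logs and be ready to rollback if necessary."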
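Review bot: The systemd detection `systemctl list-units --full -all | grep -q "^${svc}\.service"` anchors the pattern at column 0, but `list-units` prints unit names after a leading bullet/whitespace column, so on many hosts the match never fires and control falls through to the `service` branch or to the "could not detect" warning with the blocking config already written; `systemctl list-units --all --plain --no-legend "${svc}.service" | grep -q "^${svc}\.service"` (or `systemctl cat "${svc}.service" >/dev/null 2>&1`) matches the unit reliably. The swap itself, `cp -a "$BLOCK_CFG" "$ACTIVE_CFG"`, is not atomic and carries the source file's owner and mode onto the live config, which sits oddly with this commit's stated goal of strict permissions — copying to a temp file in the same directory with an explicit mode (e.g. `install -m 0640`) and then `mv -f` over `$ACTIVE_CFG` keeps PHP-FPM from ever reading a truncated file and pins the permissions. `mkdir -p "$BACKUP_DIR"` likewise inherits the caller's umask, so the timestamped backups of the live config may end up more readable than the original; `mkdir -p -m 0700 "$BACKUP_DIR"` bounds that. `PROD_CFG` is checked for existence but never used afterwards, so either drop the check or add a comment stating it is the intended rollback target. The `case` silently ignores unrecognised arguments (a typo such as `--confrim` falls through to the confirmation refusal with no explanation); `*) echo "Unknown argument: $arg" >&2; exit 2 ;;` makes that explicit.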