From 5306489d726295bf5531f5a39d4fefb48082cd4d Mon Sep 17 00:00:00 2001
From: Efim Poberezkin <8711996+efim-poberezkin@users.noreply.github.com>
Date: Tue, 11 Jan 2022 20:24:39 +0400
Subject: [PATCH] initialize server with IP and FQDN; specify FQDN as address
 if provided (#279)

---
 .../files/opt/simplex/on_login.sh             |  5 +-
 .../scripts/03-init-start.sh                  |  5 +-
 scripts/smp-server-linode.sh                  | 48 +++++++++++++------
 3 files changed, 38 insertions(+), 20 deletions(-)

diff --git a/scripts/smp-server-digitalocean-droplet/files/opt/simplex/on_login.sh b/scripts/smp-server-digitalocean-droplet/files/opt/simplex/on_login.sh
index 499a72498..c7e63914e 100644
--- a/scripts/smp-server-digitalocean-droplet/files/opt/simplex/on_login.sh
+++ b/scripts/smp-server-digitalocean-droplet/files/opt/simplex/on_login.sh
@@ -1,13 +1,12 @@
 #!/bin/bash
 
 fingerprint=$1
-
-ip_address=$(hostname -I | awk '{print$1}')
+server_address=$2
 
 cat <<EOF
 ********************************************************************************
 
-SMP server address: $ip_address#$fingerprint
+SMP server address: smp://$fingerprint@$server_address
 Check SMP server status with: systemctl status smp-server
 
 To keep this server secure, the UFW firewall is enabled.
diff --git a/scripts/smp-server-digitalocean-droplet/scripts/03-init-start.sh b/scripts/smp-server-digitalocean-droplet/scripts/03-init-start.sh
index 63a4a66f2..bc75f69a3 100644
--- a/scripts/smp-server-digitalocean-droplet/scripts/03-init-start.sh
+++ b/scripts/smp-server-digitalocean-droplet/scripts/03-init-start.sh
@@ -21,13 +21,14 @@ source /etc/profile.d/simplex.sh
 smp-server --version
 
 # Initialize server
-smp-server init -l
+ip_address=$(curl ifconfig.me)
+smp-server init -l --ip @ip_address
 
 # Server fingerprint
 fingerprint=$(cat /etc/opt/simplex/fingerprint)
 
 # On login script
-echo "bash /opt/simplex/on_login.sh $fingerprint" >> /root/.bashrc
+echo "bash /opt/simplex/on_login.sh $fingerprint $ip_address" >> /root/.bashrc
 
 # / Create systemd service
 cat <<EOT >> /etc/systemd/system/smp-server.service
diff --git a/scripts/smp-server-linode.sh b/scripts/smp-server-linode.sh
index 82a36b490..07a46f51a 100644
--- a/scripts/smp-server-linode.sh
+++ b/scripts/smp-server-linode.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
 
-# <UDF name="enable_store_log" label="Store log - persists SMP queues to append only log and restores them upon server restart." default="on" oneof="on, off" />
-# <UDF name="api_token" label="Linode API token - enables StackScript to create tags containing SMP server FQDN / IP address, CA certificate fingerprint and server version. Use `fqdn#fingerprint` or `ip#fingerprint` as SMP server address in the client. Note: minimal permissions token should have are - read/write access to `linodes` (to update linode tags) and `domains` (to add A record for the chosen 3rd level domain)" default="" />
-# <UDF name="fqdn" label="FQDN (Fully qualified domain name) - provide third level domain name (ex: smp.example.com). If provided can be used instead of IP address." default="" />
+# <UDF name="enable_store_log" label="Store log - persist SMP queues to append only log and restore them upon server restart." default="on" oneof="on, off" />
+# <UDF name="api_token" label="Linode API token - enable Linode to create tags with server address, fingerprint and version. Note: minimal permissions token should have are read/write access to `linodes` (to create tags) and `domains` (to add A record for the third level domain if FQDN is provided)." default="" />
+# <UDF name="fqdn" label="FQDN (Fully Qualified Domain Name) - provide third level domain name (e.g. smp.example.com). If provided use `smp://fingerprint@FQDN` as server address in the client. If FQDN is not provided use `smp://fingerprint@IP` instead." default="" />
 
 # Log all stdout output to stackscript.log
 exec &> >(tee -i /var/log/stackscript.log)
@@ -66,26 +66,43 @@ smp-server --version
 
 # Initialize server
 init_opts=()
+
 [[ $ENABLE_STORE_LOG == "on" ]] && init_opts+=(-l)
+
+ip_address=$(curl ifconfig.me)
+init_opts+=(--ip $ip_address)
+
+[[ -n "$FQDN" ]] && init_opts+=(-n $FQDN)
+
 smp-server init "${init_opts[@]}"
 
 # Server fingerprint
 fingerprint=$(cat /etc/opt/simplex/fingerprint)
 
-# On login script
+# Determine server address for welcome script and tag
+# ! If FQDN was provided and used as part of server initialization, client will not validate this server by IP address,
+# ! so we have to specify FQDN for server address regardless of creation of A record in Linode
+# ! https://hackage.haskell.org/package/x509-validation-1.6.10/docs/src/Data-X509-Validation.html#validateCertificateName
+if [[ -n "$FQDN" ]]; then
+  server_address=$FQDN
+else
+  server_address=$ip_address
+fi
+
+# Set up welcome script
 on_login_script="/opt/simplex/on_login.sh"
 
+# / Welcome script
 cat <<EOT >> $on_login_script
 #!/bin/bash
 
 fingerprint=\$1
-
-ip_address=\$(hostname -I | awk '{print\$1}')
+server_address=\$2
 
 cat <<EOF
 ********************************************************************************
 
-SMP server address: \$ip_address#\$fingerprint
+SMP server address: smp://\$fingerprint@\$server_address
 Check SMP server status with: systemctl status smp-server
 
 To keep this server secure, the UFW firewall is enabled.
@@ -96,25 +113,23 @@ To stop seeing this message delete line - bash /opt/simplex/on_login.sh - from /
 EOF
 
 EOT
+# Welcome script /
 
 chmod +x $on_login_script
-echo "bash $on_login_script $fingerprint" >> /root/.bashrc
+echo "bash $on_login_script $fingerprint $server_address" >> /root/.bashrc
 
 # Create A record and update Linode's tags
-if [ ! -z "$API_TOKEN" ]; then
-  ip_address=$(curl ifconfig.me)
-  address=$ip_address
-  if [ ! -z "$FQDN" ]; then
+if [[ -n "$API_TOKEN" ]]; then
+  if [[ -n "$FQDN" ]]; then
     domain_address=$(echo $FQDN | rev | cut -d "." -f 1,2 | rev)
     domain_id=$(curl -H "Authorization: Bearer $API_TOKEN" https://api.linode.com/v4/domains \
     | jq --arg da "$domain_address" '.data[] | select( .domain == $da ) | .id')
-    if [[ ! -z $domain_id ]]; then
+    if [[ -n $domain_id ]]; then
       curl \
         -s -H "Content-Type: application/json" \
         -H "Authorization: Bearer $API_TOKEN" \
         -X POST -d "{\"type\":\"A\",\"name\":\"$FQDN\",\"target\":\"$ip_address\"}" \
         https://api.linode.com/v4/domains/${domain_id}/records
-      address=$FQDN
     fi
   fi
 
@@ -123,7 +138,7 @@ if [ ! -z "$API_TOKEN" ]; then
   curl \
     -s -H "Content-Type: application/json" \
     -H "Authorization: Bearer $API_TOKEN" \
-    -X PUT -d "{\"tags\":[\"$address\",\"#$fingerprint\",\"$version\"]}" \
+    -X PUT -d "{\"tags\":[\"$server_address\",\"#$fingerprint\",\"$version\"]}" \
     https://api.linode.com/v4/linode/instances/$LINODE_ID
 fi
 
@@ -146,3 +161,6 @@ EOT
 chmod 644 /etc/systemd/system/smp-server.service
 sudo systemctl enable smp-server
 sudo systemctl start smp-server
+
+# Reboot Linode to apply upgrades
+sudo reboot