#!/bin/bash # # Set up HTTPS on Archipelago dev server for PWA installability. # Browsers require HTTPS (or localhost) to install PWAs. # Generates a self-signed certificate and configures nginx. # # Run on the target server: sudo ./setup-https-dev.sh # Or via deploy: the deploy script runs this automatically. # set -e SSL_DIR="/etc/archipelago/ssl" NGINX_CFG="/etc/nginx/sites-available/archipelago" CERT="$SSL_DIR/archipelago.crt" KEY="$SSL_DIR/archipelago.key" # Create SSL directory mkdir -p "$SSL_DIR" chmod 755 "$SSL_DIR" # Generate self-signed cert if missing (valid 365 days) # SAN includes common dev IPs so cert works when accessing via IP # Build dynamic SAN with all node IPs (LAN + Tailscale + loopback) SAN_IPS="DNS:archipelago.local,DNS:localhost,IP:127.0.0.1" # Add all IPv4 addresses on this machine (LAN, Tailscale, etc.) for ip in $(hostname -I 2>/dev/null | tr ' ' '\n' | grep -E '^[0-9]+\.' | grep -v '^127\.'); do SAN_IPS="$SAN_IPS,IP:$ip" done # Always include common LAN IPs as fallback for ip in 192.168.1.228 192.168.1.198 10.0.0.1; do echo "$SAN_IPS" | grep -q "$ip" || SAN_IPS="$SAN_IPS,IP:$ip" done # Regenerate cert if missing OR if current cert doesn't include this node's primary IP REGEN=false if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then REGEN=true else # Check if cert has this node's primary IP MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}') if [ -n "$MY_IP" ] && ! openssl x509 -in "$CERT" -noout -text 2>/dev/null | grep -q "$MY_IP"; then echo " Certificate missing this node's IP ($MY_IP) — regenerating..." REGEN=true fi fi if [ "$REGEN" = true ]; then echo "Generating self-signed certificate for PWA (HTTPS)..." echo " SAN: $SAN_IPS" openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout "$KEY" \ -out "$CERT" \ -subj "/CN=archipelago.local/O=Archipelago/C=US" \ -addext "subjectAltName=$SAN_IPS" chmod 644 "$CERT" chmod 600 "$KEY" echo " Certificate created at $CERT" fi # PWA snippet for manifest + service worker headers (required for Android install) NGINX_SNIPPETS="/etc/nginx/snippets" PWA_SNIPPET="$NGINX_SNIPPETS/archipelago-pwa.conf" mkdir -p "$NGINX_SNIPPETS" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" if [ -f "$SCRIPT_DIR/nginx-pwa-snippet.conf" ]; then cp "$SCRIPT_DIR/nginx-pwa-snippet.conf" "$PWA_SNIPPET" echo " PWA nginx snippet installed at $PWA_SNIPPET" fi # Add PWA snippet include to existing HTTPS block if missing if grep -q "listen 443 ssl" "$NGINX_CFG" 2>/dev/null && [ -f "$PWA_SNIPPET" ]; then if ! grep -q "archipelago-pwa" "$NGINX_CFG" 2>/dev/null; then echo " Adding PWA snippet include to HTTPS block..." # Insert include after "index index.html;" within the HTTPS server block (listen 443 to next }) sed -i '/listen 443 ssl/,/^}$/{ /index index.html;/a\ include snippets/archipelago-pwa.conf; }' "$NGINX_CFG" 2>/dev/null || true fi fi # Install app proxies snippet (mempool, fedimint, lnd, etc.) - fixes apps not opening over HTTPS (mixed content) APPS_SNIPPET="$NGINX_SNIPPETS/archipelago-https-app-proxies.conf" if [ -f "$SCRIPT_DIR/nginx-https-app-proxies.conf" ]; then cp "$SCRIPT_DIR/nginx-https-app-proxies.conf" "$APPS_SNIPPET" echo " HTTPS app proxies snippet installed at $APPS_SNIPPET" # Add include to HTTPS block if missing if grep -q "listen 443 ssl" "$NGINX_CFG" 2>/dev/null && ! grep -q "archipelago-https-app-proxies" "$NGINX_CFG" 2>/dev/null; then echo " Adding app proxies include to HTTPS block..." sed -i '/listen 443 ssl/,/^}$/{ /location \/ws {/i\ include snippets/archipelago-https-app-proxies.conf; }' "$NGINX_CFG" 2>/dev/null || true fi fi # Check if HTTPS is already configured if grep -q "listen 443 ssl" "$NGINX_CFG" 2>/dev/null; then echo "HTTPS already configured in nginx." nginx -t 2>/dev/null && systemctl reload nginx MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}') echo "" echo "PWA: Use https://${MY_IP:-192.168.1.228} (not http) - accept cert once, then Install app." exit 0 fi # Add HTTPS server block (duplicate of HTTP block with SSL) # PWA requires HTTPS for install on Android HTTPS_BLOCK=' # HTTPS - required for PWA install (Add to Home Screen) from dev servers server { listen 443 ssl; server_name _; ssl_certificate '"$CERT"'; ssl_certificate_key '"$KEY"'; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; root /opt/archipelago/web-ui; index index.html; include snippets/archipelago-pwa.conf; location / { try_files $uri $uri/ /index.html; } location /archipelago/ { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } location /rpc/ { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_connect_timeout 600s; proxy_send_timeout 600s; proxy_read_timeout 600s; } location /app/nextcloud/ { proxy_pass http://127.0.0.1:8085/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/vaultwarden/ { proxy_pass http://127.0.0.1:8082/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/immich/ { proxy_pass http://127.0.0.1:2283/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/penpot/ { proxy_pass http://127.0.0.1:9001/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/btcpay/ { proxy_pass http://127.0.0.1:23000/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/homeassistant/ { proxy_pass http://127.0.0.1:8123/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 86400s; proxy_send_timeout 86400s; } location /app/mempool/ { proxy_pass http://127.0.0.1:4080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/fedimint/ { proxy_pass http://127.0.0.1:8175/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/lnd/ { proxy_pass http://127.0.0.1:8081/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/bitcoin-ui/ { proxy_pass http://127.0.0.1:8334/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /ws { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_read_timeout 86400s; } } ' # Append HTTPS block to nginx config echo "$HTTPS_BLOCK" >> "$NGINX_CFG" echo "Added HTTPS (port 443) to nginx config." # Test and reload nginx -t && systemctl reload nginx echo "" MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}') echo "HTTPS enabled. PWA install: https://${MY_IP:-192.168.1.228} (accept the certificate warning once, then Install app)."