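#!/bin/bash
set -euo pipefail

# ============================================================
# Jefflix VPN Cutover Script
# Removes public access to *.jefflix.lol
# Run ONLY after setup.sh and testing VPN access works
# ============================================================

echo "========================================"
echo " Jefflix Public Access Cutover"
echo "========================================"
echo ""

# Pre-flight check 1: Tailscale must be up on this host. Once the public
# route is removed, the VPN address is the only remaining way in.
TAILSCALE_IP=$(tailscale ip -4 2>/dev/null || echo "")
if [[ -z "$TAILSCALE_IP" ]]; then
  echo "ERROR: Tailscale not running on this server. Run setup.sh first." >&2
  exit 1
fi
echo "Server Tailscale IP: $TAILSCALE_IP"
echo ""

# Pre-flight check 2: the DNS server listening on the Tailscale address must
# answer movies.jefflix.lol with that same address. Anything else (no answer,
# several records, a different IP) counts as a failure, so the cutover cannot
# proceed while VPN clients would be unable to resolve the services.
DIG_RESULT=$(dig +short "@${TAILSCALE_IP}" movies.jefflix.lol 2>/dev/null || echo "FAILED")
if [[ "$DIG_RESULT" != "$TAILSCALE_IP" ]]; then
  echo "ERROR: CoreDNS not resolving correctly. Got: $DIG_RESULT (expected $TAILSCALE_IP)" >&2
  echo "Fix CoreDNS before proceeding." >&2
  exit 1
fi
echo "✓ CoreDNS resolving correctly"
echo ""

echo "This will REMOVE public access to all *.jefflix.lol services."
echo "Users will need Tailscale connected to vpn.jeffemmett.com to access Jefflix."
echo ""

# Interactive confirmation. Under `set -e` a failed read (closed or
# non-interactive stdin) would otherwise end the script with no message, so
# the failure is reported explicitly. The exit status stays non-zero and the
# tunnel config is left untouched.
if ! read -p "Continue? [y/N] " -n 1 -r; then
  echo ""
  echo "ERROR: no confirmation could be read from stdin; nothing was changed." >&2
  exit 1
fi
echo ""
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
  echo "Aborted."
  exit 0
fi

# --- Remove jefflix entries from Cloudflare tunnel ---
echo ""
echo "[Cutover] Removing *.jefflix.lol from Cloudflare tunnel..."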
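TUNNEL_CONFIG="/root/cloudflared/config.yml"

# Backup current config (timestamped). -p keeps the original mode and owner,
# so the copy is no more readable than the live file.
BACKUP="${TUNNEL_CONFIG}.pre-cutover-$(date +%Y%m%d-%H%M%S)"
cp -p -- "$TUNNEL_CONFIG" "$BACKUP"
echo " Backup written to $BACKUP"

# Drop every ingress rule whose hostname mentions jefflix.lol.
# The path is passed as an argument instead of being pasted into the Python
# source, so a quote or backslash in it cannot change the program.
# NOTE(review): this only closes public access if the tunnel's routes really
# come from this file; if they are managed elsewhere (e.g. the Cloudflare
# dashboard), editing it changes nothing. Confirm with the external curl
# check printed at the end.
python3 - "$TUNNEL_CONFIG" <<'PY'
import sys

import yaml

path = sys.argv[1]

with open(path, 'r') as f:
    config = yaml.safe_load(f)

# Refuse to rewrite a file that has no ingress list: there is nothing to
# remove, and writing an empty list back would only hide that fact.
if not isinstance(config, dict) or not isinstance(config.get('ingress'), list):
    sys.exit(f'ERROR: {path} has no ingress list; refusing to rewrite it')


def is_jefflix(entry):
    """True for a rule whose hostname contains jefflix.lol.

    Substring match: a hostname that merely contains the string is dropped
    too. Rules without a hostname (such as a catch-all) are kept.
    """
    host = entry.get('hostname') if isinstance(entry, dict) else None
    return isinstance(host, str) and 'jefflix.lol' in host


kept = [entry for entry in config['ingress'] if not is_jefflix(entry)]
removed = len(config['ingress']) - len(kept)
config['ingress'] = kept

# Serialise first, then open for writing: a dump error can no longer leave a
# truncated config on disk. YAML comments are not preserved by the round
# trip; the timestamped backup keeps the original text.
text = yaml.dump(config, default_flow_style=False, sort_keys=False)
with open(path, 'w') as f:
    f.write(text)

print(f' Removed {removed} jefflix.lol entries from tunnel config')
if removed == 0:
    print(' WARNING: no jefflix.lol entries were found in this file; '
          'check that public access is really gone.', file=sys.stderr)
PY

# Restart cloudflared
echo " Restarting cloudflared..."
docker restart cloudflared
echo " ✓ Cloudflared restarted"

# Wait and verify: give the container a moment, then confirm it is still
# running. A rewritten config that cloudflared rejects would also take down
# every other hostname served by this tunnel.
sleep 5
CLOUDFLARED_STATUS=$(docker inspect -f '{{.State.Status}}' cloudflared 2>/dev/null || echo "unknown")
if [[ "$CLOUDFLARED_STATUS" != "running" ]]; then
  echo "ERROR: cloudflared is '$CLOUDFLARED_STATUS' after the restart." >&2
  echo "Previous config saved at: $BACKUP" >&2
  exit 1
fi

echo ""
echo "========================================"
echo " Cutover Complete"
echo "========================================"
echo ""
echo "Public access to *.jefflix.lol is now REMOVED."
echo ""
echo "Verify from a non-VPN device:"
echo " curl -I https://movies.jefflix.lol (should fail/404)"
echo ""
echo "Verify from a VPN device:"
echo " curl http://movies.jefflix.lol (should work)"
echo ""
echo "To ROLLBACK: run rollback.sh"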