ROMFASTSQL/proxmox/vm201-windows/scripts/setup-new-iis-sites.ps1
Claude Agent fcf1e06c66 feat(infra): add Dokploy LXC 103 and new IIS web domains
- Add LXC 103 Dokploy infrastructure (v0.28.2) with Traefik
- Deploy pdf-qr-app and qr-generator via Dokploy from GitHub
- Configure IIS VM 201: roa-qr and *.roa.romfast.ro wildcard sites
- Add SSL certificates (Let's Encrypt + wildcard DNS challenge)
- Fix Docker Swarm VIP DNS issue with dnsrr endpoint mode
- Document architecture: IIS → Traefik → Dokploy containers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 15:44:53 +00:00


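# setup-new-iis-sites.ps1
# Creates the new IIS sites for the ROMFAST Dokploy infrastructure.
#
# Sites created:
# 1. roa-qr.romfast.ro → proxy to LXC 103 Traefik (pdf-qr-app)
# 2. *.roa.romfast.ro → wildcard proxy to LXC 103 Traefik (all Dokploy apps)
#
# Run on VM 201 (roacentral) as Administrator.
# Prerequisite: IIS URL Rewrite Module installed.
# NOTE(review): the generated rules rewrite to another host and set HTTP_X_FORWARDED_*
# server variables. That normally also needs ARR with proxying enabled and those
# variable names in the server-level allowedServerVariables list; this script
# configures neither - confirm both are set up elsewhere.
#
# Prerequisite check:
# Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/rewrite' -name 'enabled'

# Stop immediately if the IIS cmdlets cannot be loaded; otherwise the later steps fail
# one by one while the script keeps printing its progress messages.
Import-Module WebAdministration -ErrorAction Stop

# Address of the Traefik instance on LXC 103; interpolated into both web.config files.
$LXC103_IP = "10.0.20.167"
# Contact address shown in the win-acme command printed at the end of the script.
$ADMIN_EMAIL = "admin@romfast.ro"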
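# ============================================================
# SITE 1: roa-qr.romfast.ro
# ============================================================
# Creates the "roa-qr" IIS site (HTTP on port 80 plus an HTTPS binding on 443 with SNI)
# and writes a web.config that rewrites every request to the Traefik instance at
# $LXC103_IP. Each creating step uses -ErrorAction Stop, so a failed step aborts the
# script instead of being followed by an "[OK]" line.
$RoaQrName = "roa-qr"
$RoaQrHost = "roa-qr.romfast.ro"
$RoaQrPath = "C:\inetpub\roa-qr"

Write-Host "Creare site: $RoaQrHost" -ForegroundColor Cyan

# Create the site directory (-Force makes this a no-op when it already exists).
New-Item -Path $RoaQrPath -ItemType Directory -Force -ErrorAction Stop | Out-Null

# Create the IIS site (HTTP) unless a site with this name is already present.
if (-not (Get-Website -Name $RoaQrName -ErrorAction SilentlyContinue)) {
    $roaQrSiteParams = @{
        Name         = $RoaQrName
        PhysicalPath = $RoaQrPath
        HostHeader   = $RoaQrHost
        Port         = 80
        ErrorAction  = 'Stop'
    }
    New-Website @roaQrSiteParams
    Write-Host " [OK] Site $RoaQrName creat pe port 80" -ForegroundColor Green
} else {
    Write-Host " [INFO] Site $RoaQrName deja existent" -ForegroundColor Yellow
}

# Add the HTTPS binding with SNI, only when the site has no https binding yet.
$existingHttps = Get-WebBinding -Name $RoaQrName -Protocol "https" -ErrorAction SilentlyContinue
if (-not $existingHttps) {
    $roaQrBindingParams = @{
        Name        = $RoaQrName
        Protocol    = 'https'
        Port        = 443
        HostHeader  = $RoaQrHost
        SslFlags    = 1   # SNI enabled
        ErrorAction = 'Stop'
    }
    New-WebBinding @roaQrBindingParams
    Write-Host " [OK] Binding HTTPS adăugat cu SNI" -ForegroundColor Green
}

# Create web.config with the proxy rule.
# NOTE(review), security of the rule below:
# - X-Forwarded-Proto is fixed to "https", but the site also has a port-80 binding and
#   the rule matches every URL, so plain-HTTP requests are forwarded labelled as HTTPS.
#   Consider redirecting HTTP to HTTPS ahead of this rule, or deriving the value from
#   the {HTTPS} server variable.
# - X-Forwarded-Host is copied from the client's Host header, and X-Real-IP from
#   REMOTE_ADDR; the upstream should accept these headers only from this proxy.
# - The upstream is addressed by IP over HTTPS; confirm how its certificate is
#   validated on this hop.
$RoaQrWebConfig = @"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Proxy to LXC 103 Traefik" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="https://$($LXC103_IP)/{R:1}" />
<serverVariables>
<set name="HTTP_X_FORWARDED_PROTO" value="https" />
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
<set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
</serverVariables>
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
"@
Set-Content -Path "$RoaQrPath\web.config" -Value $RoaQrWebConfig -Encoding UTF8 -ErrorAction Stop
Write-Host " [OK] web.config creat pentru $RoaQrHost" -ForegroundColor Green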
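# ============================================================
# SITE 2: *.roa.romfast.ro (wildcard)
# ============================================================
# Creates the "roa-apps" IIS site bound to the wildcard host name (HTTP on port 80 plus
# an HTTPS binding on 443 with SNI) and writes a web.config that rewrites every request
# to the Traefik instance at $LXC103_IP. Each creating step uses -ErrorAction Stop, so
# a failed step aborts the script instead of being followed by an "[OK]" line.
$RoaAppsName = "roa-apps"
$RoaAppsHost = "*.roa.romfast.ro"
$RoaAppsPath = "C:\inetpub\roa-apps"

Write-Host "`nCreare site wildcard: $RoaAppsHost" -ForegroundColor Cyan

# Create the site directory (-Force makes this a no-op when it already exists).
New-Item -Path $RoaAppsPath -ItemType Directory -Force -ErrorAction Stop | Out-Null

# Create the IIS site (HTTP) unless a site with this name is already present.
if (-not (Get-Website -Name $RoaAppsName -ErrorAction SilentlyContinue)) {
    $roaAppsSiteParams = @{
        Name         = $RoaAppsName
        PhysicalPath = $RoaAppsPath
        HostHeader   = $RoaAppsHost
        Port         = 80
        ErrorAction  = 'Stop'
    }
    New-Website @roaAppsSiteParams
    Write-Host " [OK] Site $RoaAppsName creat pe port 80" -ForegroundColor Green
} else {
    Write-Host " [INFO] Site $RoaAppsName deja existent" -ForegroundColor Yellow
}

# Add the HTTPS binding with SNI (wildcard host names work from IIS 10 with SNI),
# only when the site has no https binding yet.
$existingHttps = Get-WebBinding -Name $RoaAppsName -Protocol "https" -ErrorAction SilentlyContinue
if (-not $existingHttps) {
    $roaAppsBindingParams = @{
        Name        = $RoaAppsName
        Protocol    = 'https'
        Port        = 443
        HostHeader  = $RoaAppsHost
        SslFlags    = 1   # SNI enabled - required for the wildcard binding
        ErrorAction = 'Stop'
    }
    New-WebBinding @roaAppsBindingParams
    Write-Host " [OK] Binding HTTPS wildcard adăugat cu SNI" -ForegroundColor Green
}

# Create web.config with the proxy rule (identical to the roa-qr one).
# NOTE(review), security of the rule below:
# - X-Forwarded-Proto is fixed to "https", but the site also has a port-80 binding and
#   the rule matches every URL, so plain-HTTP requests are forwarded labelled as HTTPS.
#   Consider redirecting HTTP to HTTPS ahead of this rule, or deriving the value from
#   the {HTTPS} server variable.
# - With the wildcard binding, any host name under roa.romfast.ro is passed upstream in
#   X-Forwarded-Host as sent by the client; the upstream should accept these headers
#   only from this proxy and decide itself which host names it serves.
# - The upstream is addressed by IP over HTTPS; confirm how its certificate is
#   validated on this hop.
$RoaAppsWebConfig = @"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Proxy to LXC 103 Traefik" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="https://$($LXC103_IP)/{R:1}" />
<serverVariables>
<set name="HTTP_X_FORWARDED_PROTO" value="https" />
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
<set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
</serverVariables>
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
"@
Set-Content -Path "$RoaAppsPath\web.config" -Value $RoaAppsWebConfig -Encoding UTF8 -ErrorAction Stop
Write-Host " [OK] web.config creat pentru *.roa.romfast.ro" -ForegroundColor Green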
# ============================================================
# FINAL STATUS
# ============================================================
# Lists every IIS site with its bindings, then prints the manual follow-up steps
# (certificate issuance with win-acme, applying the certificates, iisreset).
Write-Host "`n=== STATUS SITE-URI IIS ===" -ForegroundColor Cyan

# Calculated column: all bindingInformation strings of a site joined into one cell.
$bindingsColumn = @{
    Name       = 'Bindings'
    Expression = { ($_.Bindings.Collection | ForEach-Object { $_.bindingInformation }) -join ', ' }
}
Get-Website |
    Select-Object -Property ID, Name, State, $bindingsColumn |
    Format-Table -AutoSize

Write-Host "`n=== PAȘI URMĂTORI ===" -ForegroundColor Yellow

# The follow-up steps are printed one line at a time, in this order.
$nextSteps = @(
    "1. Generează certificate SSL cu Win-ACME:",
    " cd C:\Tools\win-acme",
    " .\wacs.exe --source iis --siteid <ID_roa-qr> --accepttos --emailaddress $ADMIN_EMAIL",
    " NOTĂ: Wildcard *.roa.romfast.ro necesita DNS challenge (nu HTTP-01)",
    "",
    "2. Dacă Win-ACME nu suportă DNS challenge pentru wildcard,",
    " generează certificate individuale per subdomain la fiecare app nouă.",
    "",
    "3. Aplică certificate în IIS Manager (SNI obligatoriu).",
    "4. iisreset"
)
foreach ($step in $nextSteps) {
    Write-Host $step
}