diff --git a/CLAUDE.md b/CLAUDE.md index 93575bf..5a713d8 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -44,7 +44,7 @@ bash delete_nginx_proxy.sh --ctid [--dry-run] [--debug] 6. **n8n owner setup** – tries CLI command first, falls back to REST API `/rest/owner/setup` 7. **RAG workflow setup** (`n8n_setup_rag_workflow` in `libsupabase.sh`) – logs into n8n API, creates PostgreSQL + Ollama credentials, processes workflow JSON (replaces credential IDs via Python), imports and activates workflow 8. **Workflow auto-reload** – copies `templates/reload-workflow.sh` + `templates/n8n-workflow-reload.service` into CT; systemd service re-imports workflow on every LXC restart -9. **NGINX proxy** – optionally calls `setup_nginx_proxy.sh` (not in repo) to configure OPNsense reverse proxy +9. **NGINX proxy** – calls `setup_nginx_proxy.sh` to configure OPNsense reverse proxy (upstream server → upstream → location → HTTP server → reconfigure) 10. **JSON output** – compact JSON on original stdout (fd 3); credentials also saved to `credentials/.json` ### Key Files @@ -53,6 +53,7 @@ bash delete_nginx_proxy.sh --ctid [--dry-run] [--debug] |------|---------| | `install.sh` | Main orchestrator – argument parsing, LXC lifecycle, stack deployment | | `libsupabase.sh` | Shared library – Proxmox helpers, password/JWT generators, n8n REST API functions | +| `setup_nginx_proxy.sh` | Creates OPNsense NGINX components (upstream server → upstream → location → HTTP server); auto-detects wildcard cert for userman.de; supports `--list-certificates` and `--test-connection` | | `delete_nginx_proxy.sh` | Removes OPNsense NGINX components (HTTP server, location, upstream) by CTID | | `templates/docker-compose.yml` | Reference template (actual compose is written inline by `install.sh`) | | `templates/reload-workflow.sh` | Deployed into CT; re-imports n8n workflow on restart using saved credentials from `.env` | diff --git a/README.md b/README.md index cdff73c..8fcfe40 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ Proxmox LXC (Debian 12) installer/ ├── install.sh # Haupt-Installer ├── libsupabase.sh # Gemeinsame Bibliothek (Proxmox, n8n API, Generatoren) +├── setup_nginx_proxy.sh # OPNsense NGINX-Proxy einrichten ├── delete_nginx_proxy.sh # OPNsense NGINX-Proxy löschen ├── RAGKI-BotPGVector.json # Standard n8n RAG-Workflow-Template ├── templates/ @@ -94,6 +95,21 @@ bash install.sh \ --workflow-file RAGKI-BotPGVector.json \ --debug +# OPNsense NGINX-Proxy einrichten +bash setup_nginx_proxy.sh \ + --ctid \ + --hostname sb- \ + --fqdn sb-.userman.de \ + --backend-ip \ + --backend-port 5678 \ + [--certificate-uuid ] + +# Verfügbare Zertifikate auflisten +bash setup_nginx_proxy.sh --list-certificates --debug + +# API-Verbindung testen +bash setup_nginx_proxy.sh --test-connection --debug + # NGINX-Proxy für eine Instanz löschen bash delete_nginx_proxy.sh --ctid [--dry-run] [--debug] ``` @@ -127,7 +143,7 @@ Im Normalbetrieb (`DEBUG=0`) gibt `install.sh` ein kompaktes JSON auf stdout aus ✅ produktiv einsetzbar ✅ RAG-Workflow (Chat + PDF-Upload) automatisch deployed ✅ Workflow-Auto-Reload bei LXC-Neustart -🟡 Reverse Proxy Automatisierung (setup_nginx_proxy.sh) separat +✅ OPNsense NGINX Reverse Proxy vollständig automatisiert --- diff --git a/setup_nginx_proxy.sh b/setup_nginx_proxy.sh new file mode 100755 index 0000000..41b4209 --- /dev/null +++ b/setup_nginx_proxy.sh @@ -0,0 +1,771 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# ============================================================================= +# OPNsense NGINX Reverse Proxy Setup Script +# ============================================================================= +# Dieses Script konfiguriert einen NGINX Reverse Proxy auf OPNsense +# für eine neue n8n-Instanz über die OPNsense API. +# ============================================================================= + +SCRIPT_VERSION="1.0.8" + +# Debug mode: 0 = nur JSON, 1 = Logs auf stderr +DEBUG="${DEBUG:-0}" +export DEBUG + +# Logging functions +log_ts() { date "+[%F %T]"; } +info() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) INFO: $*" >&2; return 0; } +warn() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) WARN: $*" >&2; return 0; } +die() { + if [[ "$DEBUG" == "1" ]]; then + echo "$(log_ts) ERROR: $*" >&2 + else + echo "{\"error\": \"$*\"}" + fi + exit 1 +} + +# ============================================================================= +# Default Configuration +# ============================================================================= +# OPNsense kann über Hostname ODER IP angesprochen werden +# Port 4444 ist der Standard-Port für die OPNsense WebUI/API +OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}" +OPNSENSE_PORT="${OPNSENSE_PORT:-4444}" +OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}" +OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}" + +# Wildcard-Zertifikat UUID (muss in OPNsense nachgeschlagen werden) +# Kann über --certificate-uuid oder Umgebungsvariable gesetzt werden +CERTIFICATE_UUID="${CERTIFICATE_UUID:-}" + +# ============================================================================= +# Usage +# ============================================================================= +usage() { + cat >&2 <<'EOF' +Usage: + bash setup_nginx_proxy.sh [options] + +Required options (for proxy setup): + --ctid Container ID (used as description) + --hostname Hostname (e.g., sb-1768736636) + --fqdn Full domain name (e.g., sb-1768736636.userman.de) + --backend-ip Backend IP address (e.g., 192.168.45.135) + --backend-port Backend port (default: 5678) + +Optional: + --opnsense-host OPNsense IP or hostname (default: 192.168.45.1) + --opnsense-port OPNsense WebUI/API port (default: 4444) + --certificate-uuid UUID of the SSL certificate in OPNsense + --list-certificates List available certificates and exit + --test-connection Test API connection and exit + --debug Enable debug mode + --help Show this help + +Examples: + # List certificates: + bash setup_nginx_proxy.sh --list-certificates --debug + + # Test API connection: + bash setup_nginx_proxy.sh --test-connection --debug + + # Setup proxy: + bash setup_nginx_proxy.sh --ctid 768736636 --hostname sb-1768736636 \ + --fqdn sb-1768736636.userman.de --backend-ip 192.168.45.135 + + # With custom OPNsense IP: + bash setup_nginx_proxy.sh --opnsense-host 192.168.45.1 --list-certificates +EOF +} + +# ============================================================================= +# Default values for arguments +# ============================================================================= +CTID="" +HOSTNAME="" +FQDN="" +BACKEND_IP="" +BACKEND_PORT="5678" +LIST_CERTIFICATES="0" +TEST_CONNECTION="0" + +# ============================================================================= +# Argument parsing +# ============================================================================= +while [[ $# -gt 0 ]]; do + case "$1" in + --ctid) CTID="${2:-}"; shift 2 ;; + --hostname) HOSTNAME="${2:-}"; shift 2 ;; + --fqdn) FQDN="${2:-}"; shift 2 ;; + --backend-ip) BACKEND_IP="${2:-}"; shift 2 ;; + --backend-port) BACKEND_PORT="${2:-}"; shift 2 ;; + --opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;; + --opnsense-port) OPNSENSE_PORT="${2:-}"; shift 2 ;; + --certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;; + --list-certificates) LIST_CERTIFICATES="1"; shift 1 ;; + --test-connection) TEST_CONNECTION="1"; shift 1 ;; + --debug) DEBUG="1"; export DEBUG; shift 1 ;; + --help|-h) usage; exit 0 ;; + *) die "Unknown option: $1 (use --help)" ;; + esac +done + +# ============================================================================= +# API Base URL (nach Argument-Parsing setzen!) +# ============================================================================= +API_BASE="https://${OPNSENSE_HOST}:${OPNSENSE_PORT}/api" + +# ============================================================================= +# API Helper Functions (MÜSSEN VOR list_certificates definiert werden!) +# ============================================================================= + +# Make API request to OPNsense +api_request() { + local method="$1" + local endpoint="$2" + local data="${3:-}" + + local url="${API_BASE}${endpoint}" + local auth="${OPNSENSE_API_KEY}:${OPNSENSE_API_SECRET}" + + info "API ${method} ${url}" + + local response + local http_code + + if [[ -n "$data" ]]; then + response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \ + -u "${auth}" \ + -H "Content-Type: application/json" \ + -d "${data}" \ + "${url}" 2>&1) + else + response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \ + -u "${auth}" \ + "${url}" 2>&1) + fi + + # Extract HTTP code from last line + http_code=$(echo "$response" | tail -n1) + response=$(echo "$response" | sed '$d') + + # Check for permission errors + if [[ "$http_code" == "401" ]]; then + warn "API Error 401: Unauthorized - Check API key and secret" + elif [[ "$http_code" == "403" ]]; then + warn "API Error 403: Forbidden - API user lacks permission for ${endpoint}" + elif [[ "$http_code" == "404" ]]; then + warn "API Error 404: Not Found - Endpoint ${endpoint} does not exist" + elif [[ "$http_code" -ge 400 ]]; then + warn "API Error ${http_code} for ${endpoint}" + fi + + echo "$response" +} + +# Check API response for errors and return status +# Usage: if check_api_response "$response" "endpoint_name"; then ... fi +check_api_response() { + local response="$1" + local endpoint_name="$2" + + # Check for JSON error responses + local status + status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'ok'))" 2>/dev/null || echo "ok") + + if [[ "$status" == "403" ]]; then + die "Permission denied for ${endpoint_name}. Please add the required API permission in OPNsense: System > Access > Users > [API User] > Effective Privileges" + elif [[ "$status" == "401" ]]; then + die "Authentication failed for ${endpoint_name}. Check your API key and secret." + fi + + # Check for validation errors + local validation_error + validation_error=$(echo "$response" | python3 -c " +import json,sys +try: + d=json.load(sys.stdin) + if 'validations' in d and d['validations']: + for field, errors in d['validations'].items(): + print(f'{field}: {errors}') +except: + pass +" 2>/dev/null || true) + + if [[ -n "$validation_error" ]]; then + warn "Validation errors: ${validation_error}" + return 1 + fi + + # Check for result status + local result + result=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('result', 'unknown'))" 2>/dev/null || echo "unknown") + + if [[ "$result" == "failed" ]]; then + local message + message=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('message', 'Unknown error'))" 2>/dev/null || echo "Unknown error") + warn "API operation failed: ${message}" + return 1 + fi + + return 0 +} + +# Search for existing item by description +# OPNsense NGINX API uses "search" format, e.g., searchUpstreamServer +search_by_description() { + local search_endpoint="$1" + local description="$2" + + local response + response=$(api_request "GET" "${search_endpoint}") + + # Extract UUID where description matches + echo "$response" | python3 -c " +import json, sys +try: + data = json.load(sys.stdin) + rows = data.get('rows', []) + for row in rows: + if row.get('description', '') == '${description}': + print(row.get('uuid', '')) + sys.exit(0) +except: + pass +" 2>/dev/null || true +} + +# Search for existing HTTP Server by servername +# HTTP Servers don't have a description field, they use servername +search_http_server_by_servername() { + local servername="$1" + + local response + response=$(api_request "GET" "/nginx/settings/searchHttpServer") + + # Extract UUID where servername matches + echo "$response" | python3 -c " +import json, sys +try: + data = json.load(sys.stdin) + rows = data.get('rows', []) + for row in rows: + if row.get('servername', '') == '${servername}': + print(row.get('uuid', '')) + sys.exit(0) +except: + pass +" 2>/dev/null || true +} + +# Find certificate by Common Name (CN) or Description +# Returns the certificate ID used by NGINX API (not the full UUID) +find_certificate_by_cn() { + local cn_pattern="$1" + + # First, get the certificate list from the HTTP Server schema + # This gives us the correct certificate IDs that NGINX expects + local response + response=$(api_request "GET" "/nginx/settings/getHttpServer") + + # Extract certificate ID where description contains the pattern + echo "$response" | python3 -c " +import json, sys +pattern = '${cn_pattern}'.lower() +try: + data = json.load(sys.stdin) + certs = data.get('httpserver', {}).get('certificate', {}) + for cert_id, cert_info in certs.items(): + if cert_id: # Skip empty key + value = cert_info.get('value', '').lower() + if pattern in value: + print(cert_id) + sys.exit(0) +except Exception as e: + print(f'Error: {e}', file=sys.stderr) +" 2>/dev/null || true +} + +# ============================================================================= +# Utility Functions +# ============================================================================= + +# Test API connection +test_connection() { + info "Testing API connection to OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..." + + echo "Testing various API endpoints..." + echo "" + + # Test 1: Firmware status (general API access) + echo "1. Testing /core/firmware/status..." + local response + response=$(api_request "GET" "/core/firmware/status") + if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'connection' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then + echo " ✓ Firmware API: OK" + else + echo " ✗ Firmware API: FAILED" + echo " Response: $response" + fi + + # Test 2: NGINX settings (required for this script) + echo "" + echo "2. Testing /nginx/settings/searchHttpServer..." + response=$(api_request "GET" "/nginx/settings/searchHttpServer") + if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then + echo " ✓ NGINX HTTP Server API: OK" + local count + count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?") + echo " Found ${count} HTTP Server(s)" + else + echo " ✗ NGINX HTTP Server API: FAILED" + echo " Response: $response" + fi + + # Test 3: NGINX upstream servers + echo "" + echo "3. Testing /nginx/settings/searchUpstreamServer..." + response=$(api_request "GET" "/nginx/settings/searchUpstreamServer") + if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then + echo " ✓ NGINX Upstream Server API: OK" + local count + count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?") + echo " Found ${count} Upstream Server(s)" + else + echo " ✗ NGINX Upstream Server API: FAILED" + echo " Response: $response" + fi + + # Test 4: Trust/Certificates (optional) + echo "" + echo "4. Testing /trust/cert/search (optional)..." + response=$(api_request "GET" "/trust/cert/search") + if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then + echo " ✓ Trust/Cert API: OK" + else + local status + status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'unknown'))" 2>/dev/null || echo "unknown") + if [[ "$status" == "403" ]]; then + echo " ⚠ Trust/Cert API: 403 Forbidden (API user needs 'System: Trust: Certificates' permission)" + echo " Note: You can still use --certificate-uuid to specify the certificate manually" + else + echo " ✗ Trust/Cert API: FAILED" + echo " Response: $response" + fi + fi + + echo "" + echo "Connection test complete." + return 0 +} + +# List available certificates +list_certificates() { + info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..." + + local response + response=$(api_request "GET" "/trust/cert/search") + + echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}:${OPNSENSE_PORT}):" + echo "============================================================" + echo "$response" | python3 -c " +import json, sys +try: + data = json.load(sys.stdin) + rows = data.get('rows', []) + if not rows: + print('No certificates found.') + print('Raw response:', data) + for row in rows: + uuid = row.get('uuid', 'N/A') + descr = row.get('descr', 'N/A') + cn = row.get('cn', 'N/A') + print(f'UUID: {uuid}') + print(f' Description: {descr}') + print(f' Common Name: {cn}') + print() +except Exception as e: + print(f'Error parsing response: {e}', file=sys.stderr) + print(f'Raw response: {sys.stdin.read()}', file=sys.stderr) + sys.exit(1) +" 2>&1 +} + +# ============================================================================= +# Handle special commands first (before validation) +# ============================================================================= + +if [[ "$TEST_CONNECTION" == "1" ]]; then + test_connection + exit $? +fi + +if [[ "$LIST_CERTIFICATES" == "1" ]]; then + list_certificates + exit 0 +fi + +# ============================================================================= +# Validation (nur für Proxy-Setup) +# ============================================================================= +[[ -n "$CTID" ]] || die "--ctid is required" +[[ -n "$HOSTNAME" ]] || die "--hostname is required" +[[ -n "$FQDN" ]] || die "--fqdn is required" +[[ -n "$BACKEND_IP" ]] || die "--backend-ip is required" + +info "Script Version: ${SCRIPT_VERSION}" +info "Configuration:" +info " CTID: ${CTID}" +info " Hostname: ${HOSTNAME}" +info " FQDN: ${FQDN}" +info " Backend: ${BACKEND_IP}:${BACKEND_PORT}" +info " OPNsense: ${OPNSENSE_HOST}:${OPNSENSE_PORT}" +info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}" + +# ============================================================================= +# NGINX Configuration Steps +# ============================================================================= + +# Step 1: Create or update Upstream Server +create_upstream_server() { + local description="$1" + local server_ip="$2" + local server_port="$3" + + info "Step 1: Creating Upstream Server..." + + # Check if upstream server already exists + local existing_uuid + existing_uuid=$(search_by_description "/nginx/settings/searchUpstreamServer" "${description}") + + # Note: OPNsense API expects specific values + # no_use: empty string means "use this server" (not "0") + local data + data=$(cat </dev/null || true) + fi + + info "Upstream Server UUID: ${existing_uuid}" + echo "$existing_uuid" +} + +# Step 2: Create or update Upstream +create_upstream() { + local description="$1" + local server_uuid="$2" + + info "Step 2: Creating Upstream..." + + # Check if upstream already exists + local existing_uuid + existing_uuid=$(search_by_description "/nginx/settings/searchUpstream" "${description}") + + local data + data=$(cat </dev/null || true) + fi + + info "Upstream UUID: ${existing_uuid}" + echo "$existing_uuid" +} + +# Step 3: Create or update Location +create_location() { + local description="$1" + local upstream_uuid="$2" + + info "Step 3: Creating Location..." + + # Check if location already exists + local existing_uuid + existing_uuid=$(search_by_description "/nginx/settings/searchLocation" "${description}") + + local data + data=$(cat </dev/null || true) + fi + + info "Location UUID: ${existing_uuid}" + echo "$existing_uuid" +} + +# Step 4: Create or update HTTP Server +create_http_server() { + local description="$1" + local server_name="$2" + local location_uuid="$3" + local cert_uuid="$4" + + info "Step 4: Creating HTTP Server..." + + # Check if HTTP server already exists (by servername, not description) + local existing_uuid + existing_uuid=$(search_http_server_by_servername "${server_name}") + + # Determine certificate configuration + local cert_config="" + local acme_config="0" + + if [[ -n "$cert_uuid" ]]; then + cert_config="\"certificate\": \"${cert_uuid}\"," + acme_config="0" + info "Using existing certificate: ${cert_uuid}" + else + cert_config="\"certificate\": \"\"," + acme_config="1" + info "Using ACME/Let's Encrypt for certificate" + fi + + # HTTP Server configuration + # Note: API uses "httpserver" not "http_server" + # Required fields based on API schema + # listen_http_address: "80" and listen_https_address: "443" for standard ports + local data + if [[ -n "$cert_uuid" ]]; then + data=$(cat </dev/null || true) + fi + + info "HTTP Server UUID: ${existing_uuid}" + echo "$existing_uuid" +} + +# Step 5: Apply configuration +apply_config() { + info "Step 5: Applying NGINX configuration..." + + local response + response=$(api_request "POST" "/nginx/service/reconfigure" "{}") + + info "Reconfigure response: ${response}" + + # Check if successful + local status + status=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null || echo "unknown") + + if [[ "$status" == "ok" ]]; then + info "NGINX configuration applied successfully" + return 0 + else + warn "NGINX reconfigure status: ${status}" + return 1 + fi +} + +# ============================================================================= +# Main +# ============================================================================= +main() { + info "Starting NGINX Reverse Proxy setup for CTID ${CTID}..." + + # Use CTID as description for all components + local description="${CTID}" + + # Step 1: Create Upstream Server + local upstream_server_uuid + upstream_server_uuid=$(create_upstream_server "${description}" "${BACKEND_IP}" "${BACKEND_PORT}") + [[ -n "$upstream_server_uuid" ]] || die "Failed to create Upstream Server" + + # Step 2: Create Upstream + local upstream_uuid + upstream_uuid=$(create_upstream "${description}" "${upstream_server_uuid}") + [[ -n "$upstream_uuid" ]] || die "Failed to create Upstream" + + # Step 3: Create Location + local location_uuid + location_uuid=$(create_location "${description}" "${upstream_uuid}") + [[ -n "$location_uuid" ]] || die "Failed to create Location" + + # Auto-detect certificate if not provided + local cert_uuid="${CERTIFICATE_UUID}" + if [[ -z "$cert_uuid" ]]; then + info "Auto-detecting wildcard certificate for userman.de..." + cert_uuid=$(find_certificate_by_cn "userman.de") + if [[ -n "$cert_uuid" ]]; then + info "Found certificate: ${cert_uuid}" + else + warn "No wildcard certificate found, will use ACME/Let's Encrypt" + fi + fi + + # Step 4: Create HTTP Server + local http_server_uuid + http_server_uuid=$(create_http_server "${description}" "${FQDN}" "${location_uuid}" "${cert_uuid}") + [[ -n "$http_server_uuid" ]] || die "Failed to create HTTP Server" + + # Step 5: Apply configuration + apply_config || warn "Configuration may need manual verification" + + # Output result as JSON + local result + result=$(cat </dev/null || echo "$result" + fi +} + +main