customer-installer/install.sh

#!/usr/bin/env bash
set -Eeuo pipefail

# Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}"
export DEBUG

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Log-Verzeichnis
LOG_DIR="${SCRIPT_DIR}/logs"
mkdir -p "${LOG_DIR}"

# Temporäre Log-Datei (wird später umbenannt nach Container-Hostname)
TEMP_LOG="${LOG_DIR}/install_$$.log"
FINAL_LOG=""

# Funktion zum Aufräumen bei Exit
cleanup_log() {
  # Wenn FINAL_LOG gesetzt ist, umbenennen
  if [[ -n "${FINAL_LOG}" && -f "${TEMP_LOG}" ]]; then
    mv "${TEMP_LOG}" "${FINAL_LOG}"
  fi
}
trap cleanup_log EXIT

# Alle Ausgaben in Log-Datei umleiten
# Bei DEBUG=1: auch auf stderr ausgeben (tee)
# Bei DEBUG=0: nur in Datei
if [[ "$DEBUG" == "1" ]]; then
  # Debug-Modus: Ausgabe auf stderr UND in Datei
  exec > >(tee -a "${TEMP_LOG}") 2>&1
else
  # Normal-Modus: Nur in Datei, stdout bleibt für JSON frei
  exec 3>&1  # stdout (fd 3) für JSON reservieren
  exec > "${TEMP_LOG}" 2>&1
fi

source "${SCRIPT_DIR}/libsupabase.sh"
setup_traps

usage() {
  cat >&2 <<'EOF'
Usage:
  bash install.sh [options]

Core options:
  --ctid <id>                 Force CT ID (optional). If omitted, a customer-safe CTID is generated.
  --cores <n>                 (default: unlimited)
  --memory <mb>               (default: 4096)
  --swap <mb>                 (default: 512)
  --disk <gb>                 (default: 50)
  --bridge <vmbrX>            (default: vmbr0)
  --storage <storage>         (default: local-zfs)
  --ip <dhcp|CIDR>            (default: dhcp)
  --vlan <id>                 VLAN tag for net0 (default: 90; set 0 to disable)
  --privileged                Create privileged CT (default: unprivileged)
  --apt-proxy <url>           Optional: APT proxy (e.g. http://192.168.45.2:3142) for Apt-Cacher NG

Domain / n8n options:
  --base-domain <domain>      (default: userman.de) -> FQDN becomes sb-<unix>.domain
  --n8n-owner-email <email>   (default: admin@<base-domain>)
  --n8n-owner-pass <pass>     Optional. If omitted, generated (policy compliant).
  --workflow-file <path>      Path to n8n workflow JSON file (default: RAGKI-BotPGVector.json)
  --ollama-model <model>      Ollama chat model (default: ministral-3:3b)
  --embedding-model <model>   Ollama embedding model (default: nomic-embed-text:latest)
  --debug                     Enable debug mode (show logs on stderr)
  --help                      Show help

PostgREST / Supabase options:
  --postgrest-port <port>     PostgREST port (default: 3000)

Notes:
- This script creates a Debian 12 LXC and provisions Docker + customer stack (Postgres/pgvector + n8n + PostgREST).
- PostgREST provides a REST API for PostgreSQL, compatible with Supabase Vector Store node in n8n.
- At the end it prints a JSON with credentials and URLs.
EOF
}

# Defaults
#APT_PROXY="http://192.168.45.2:3142"
DOCKER_REGISTRY_MIRROR="http://192.168.45.2:5000"
APT_PROXY=""
#DOCKER_REGISTRY_MIRROR=""
CTID=""
CORES="4"
MEMORY="4096"
SWAP="512"
DISK="50"
BRIDGE="vmbr0"
STORAGE="local-zfs"
IPCFG="dhcp"
VLAN="90"
UNPRIV="1"

BASE_DOMAIN="userman.de"
N8N_OWNER_EMAIL=""
N8N_OWNER_PASS=""
POSTGREST_PORT="3000"

# Workflow file (default: RAGKI-BotPGVector.json in script directory)
WORKFLOW_FILE="${SCRIPT_DIR}/RAGKI-BotPGVector.json"

# Ollama API settings (hardcoded for local setup)
OLLAMA_HOST="192.168.45.3"
OLLAMA_PORT="11434"
OLLAMA_URL="http://${OLLAMA_HOST}:${OLLAMA_PORT}"

# Ollama models (can be overridden via CLI)
OLLAMA_MODEL="ministral-3:3b"
EMBEDDING_MODEL="nomic-embed-text:latest"

# ---------------------------
# Arg parsing
# ---------------------------
while [[ $# -gt 0 ]]; do
  case "$1" in
    --ctid) CTID="${2:-}"; shift 2 ;;
    --apt-proxy) APT_PROXY="${2:-}"; shift 2 ;;
    --cores) CORES="${2:-}"; shift 2 ;;
    --memory) MEMORY="${2:-}"; shift 2 ;;
    --swap) SWAP="${2:-}"; shift 2 ;;
    --disk) DISK="${2:-}"; shift 2 ;;
    --bridge) BRIDGE="${2:-}"; shift 2 ;;
    --storage) STORAGE="${2:-}"; shift 2 ;;
    --ip) IPCFG="${2:-}"; shift 2 ;;
    --vlan) VLAN="${2:-}"; shift 2 ;;
    --privileged) UNPRIV="0"; shift 1 ;;
    --base-domain) BASE_DOMAIN="${2:-}"; shift 2 ;;
    --n8n-owner-email) N8N_OWNER_EMAIL="${2:-}"; shift 2 ;;
    --n8n-owner-pass) N8N_OWNER_PASS="${2:-}"; shift 2 ;;
    --workflow-file) WORKFLOW_FILE="${2:-}"; shift 2 ;;
    --ollama-model) OLLAMA_MODEL="${2:-}"; shift 2 ;;
    --embedding-model) EMBEDDING_MODEL="${2:-}"; shift 2 ;;
    --postgrest-port) POSTGREST_PORT="${2:-}"; shift 2 ;;
    --debug) DEBUG="1"; export DEBUG; shift 1 ;;
    --help|-h) usage; exit 0 ;;
    *) die "Unknown option: $1 (use --help)" ;;
  esac
done

# ---------------------------
# Validation
# ---------------------------
[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer"
[[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer"
[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer"
[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer"
[[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid"
[[ "$VLAN" =~ ^[0-9]+$ ]] || die "--vlan must be integer (0 disables tagging)"
[[ -n "$BASE_DOMAIN" ]] || die "--base-domain must not be empty"

if [[ "$IPCFG" != "dhcp" ]]; then
  [[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)"
fi

if [[ -n "${APT_PROXY}" ]]; then
  [[ "${APT_PROXY}" =~ ^http://[^/]+:[0-9]+$ ]] || die "--apt-proxy must look like http://IP:PORT (example: http://192.168.45.2:3142)"
fi

# Validate workflow file exists
if [[ ! -f "${WORKFLOW_FILE}" ]]; then
  die "Workflow file not found: ${WORKFLOW_FILE}"
fi

info "Argument-Parsing OK"
info "Workflow file: ${WORKFLOW_FILE}"
info "Ollama model: ${OLLAMA_MODEL}"
info "Embedding model: ${EMBEDDING_MODEL}"

if [[ -n "${APT_PROXY}" ]]; then
  info "APT proxy enabled: ${APT_PROXY}"
else
  info "APT proxy disabled"
fi


# ---------------------------
# Preflight Proxmox
# ---------------------------
need_cmd pct pvesm pveam pvesh grep date awk sed cut tr head

pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE"
pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE"

TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")"
info "Template OK: ${TEMPLATE}"

# Hostname / FQDN based on unix time
UNIXTS="$(date +%s)"
CT_HOSTNAME="sb-${UNIXTS}"
FQDN="${CT_HOSTNAME}.${BASE_DOMAIN}"

# Log-Datei nach Container-Hostname benennen
FINAL_LOG="${LOG_DIR}/${CT_HOSTNAME}.log"

# CTID selection
if [[ -n "$CTID" ]]; then
  [[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer"
  if pve_vmid_exists_cluster "$CTID"; then
    die "Forced CTID=${CTID} already exists in cluster"
  fi
else
  # Your agreed approach: unix time - 1000000000 (safe until 2038)
  CTID="$(pve_ctid_from_unixtime "$UNIXTS")"
  if pve_vmid_exists_cluster "$CTID"; then
    die "Generated CTID=${CTID} already exists in cluster (unexpected). Try again in 1s."
  fi
fi

# n8n owner defaults
if [[ -z "$N8N_OWNER_EMAIL" ]]; then
  N8N_OWNER_EMAIL="admin@${BASE_DOMAIN}"
fi
if [[ -z "$N8N_OWNER_PASS" ]]; then
  N8N_OWNER_PASS="$(gen_password_policy)"
else
  # enforce policy early to avoid the UI error you saw
  password_policy_check "$N8N_OWNER_PASS" || die "--n8n-owner-pass does not meet policy: 8+ chars, 1 number, 1 uppercase"
fi

info "CTID selected: ${CTID}"
info "SCRIPT_DIR=${SCRIPT_DIR}"
info "CT_HOSTNAME=${CT_HOSTNAME}"
info "FQDN=${FQDN}"
info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB"
info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN} unprivileged=${UNPRIV}"

# ---------------------------
# Step 5: Create CT
# ---------------------------
NET0="$(pve_build_net0 "$BRIDGE" "$IPCFG" "$VLAN")"
ROOTFS="${STORAGE}:${DISK}"
FEATURES="nesting=1,keyctl=1,fuse=1"

info "Step 5: Create CT"
info "Creating CT ${CTID} (${CT_HOSTNAME}) from ${TEMPLATE}"
pct create "${CTID}" "${TEMPLATE}" \
  --hostname "${CT_HOSTNAME}" \
  --cores "${CORES}" \
  --memory "${MEMORY}" \
  --swap "${SWAP}" \
  --net0 "${NET0}" \
  --rootfs "${ROOTFS}" \
  --unprivileged "${UNPRIV}" \
  --features "${FEATURES}" \
  --start 0 \
  --onboot yes

info "CT created (not started). Next step: start CT + wait for IP"
info "Starting CT ${CTID}"
pct start "${CTID}"

CT_IP="$(pct_wait_for_ip "${CTID}" || true)"
[[ -n "${CT_IP}" ]] || die "Could not determine CT IP after start"

info "Step 5 OK: LXC erstellt + IP ermittelt"
info "CT_HOSTNAME=${CT_HOSTNAME}"
info "CT_IP=${CT_IP}"

# ---------------------------
# Step 6: Provision inside CT (Docker + Locales + Base)
# ---------------------------
info "Step 6: Provisioning im CT (Docker + Locales + Base)"

# Optional: APT proxy (Apt-Cacher NG)
if [[ -n "${APT_PROXY}" ]]; then
  pct_exec "${CTID}" "cat > /etc/apt/apt.conf.d/00aptproxy <<'EOF'
Acquire::http::Proxy \"${APT_PROXY}\";
#Acquire::https::Proxy \"DIRECT\";
Acquire::https::Proxy \"${APT_PROXY}\";
EOF"
 pct_exec "$CTID" "apt-config dump | grep -i proxy || true"
fi

# Minimal base packages
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release"

# Locales (avoid perl warnings + consistent system)
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y locales ca-certificates curl gnupg lsb-release"
pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen || true"
pct_exec "${CTID}" "locale-gen >/dev/null || true"
pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8 || true"

# Docker official repo (Debian 12 / bookworm)
pct_exec "${CTID}" "install -m 0755 -d /etc/apt/keyrings"
pct_exec "${CTID}" "curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
pct_exec "${CTID}" "chmod a+r /etc/apt/keyrings/docker.gpg"
pct_exec "${CTID}" "echo \"deb [arch=\$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \$(. /etc/os-release && echo \$VERSION_CODENAME) stable\" > /etc/apt/sources.list.d/docker.list"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"

# Create stack directories
pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/postgres/data /opt/customer-stack/volumes/n8n-data /opt/customer-stack/sql"
# IMPORTANT: n8n runs as node (uid 1000) => fix permissions
pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data"



info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt"
info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)"

# ---------------------------
# Step 7: Stack finalisieren + Secrets + Up + Checks
# ---------------------------
info "Step 7: Stack finalisieren + Secrets + Up + Checks"

# Secrets
PG_DB="customer"
PG_USER="customer"
PG_PASSWORD="$(gen_password_policy)"
N8N_ENCRYPTION_KEY="$(gen_hex_64)"

# External URL is HTTPS via OPNsense reverse proxy (but container internally is http)
N8N_PORT="5678"
N8N_PROTOCOL="http"
N8N_HOST="${CT_IP}"
N8N_EDITOR_BASE_URL="https://${FQDN}/"
WEBHOOK_URL="https://${FQDN}/"

# If you are behind HTTPS reverse proxy, secure cookies can be true.
# But until proxy is in place, false avoids login trouble.
N8N_SECURE_COOKIE="false"

# Generate JWT secret for PostgREST (32 bytes = 256 bit)
JWT_SECRET="$(openssl rand -base64 32 | tr -d '\n')"

# For proper JWT, we need header.payload.signature format
# Let's create proper JWTs
JWT_HEADER="$(echo -n '{"alg":"HS256","typ":"JWT"}' | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=')"
ANON_PAYLOAD="$(echo -n '{"role":"anon","iss":"supabase","iat":1700000000,"exp":2000000000}' | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=')"
SERVICE_PAYLOAD="$(echo -n '{"role":"service_role","iss":"supabase","iat":1700000000,"exp":2000000000}' | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=')"

ANON_SIGNATURE="$(echo -n "${JWT_HEADER}.${ANON_PAYLOAD}" | openssl dgst -sha256 -hmac "${JWT_SECRET}" -binary | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=')"
SERVICE_SIGNATURE="$(echo -n "${JWT_HEADER}.${SERVICE_PAYLOAD}" | openssl dgst -sha256 -hmac "${JWT_SECRET}" -binary | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=')"

ANON_KEY="${JWT_HEADER}.${ANON_PAYLOAD}.${ANON_SIGNATURE}"
SERVICE_ROLE_KEY="${JWT_HEADER}.${SERVICE_PAYLOAD}.${SERVICE_SIGNATURE}"

info "Generated JWT Secret and API Keys for PostgREST"

# Write .env into CT
pct_push_text "${CTID}" "/opt/customer-stack/.env" "$(cat <<EOF
PG_DB=${PG_DB}
PG_USER=${PG_USER}
PG_PASSWORD=${PG_PASSWORD}

N8N_PORT=${N8N_PORT}
N8N_PROTOCOL=${N8N_PROTOCOL}
N8N_HOST=${N8N_HOST}
N8N_EDITOR_BASE_URL=${N8N_EDITOR_BASE_URL}
WEBHOOK_URL=${WEBHOOK_URL}
N8N_SECURE_COOKIE=${N8N_SECURE_COOKIE}

N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}

# Telemetrie/Background Calls aus
N8N_DIAGNOSTICS_ENABLED=false
N8N_VERSION_NOTIFICATIONS_ENABLED=false
N8N_TEMPLATES_ENABLED=false

# PostgREST / Supabase API
POSTGREST_PORT=${POSTGREST_PORT}
JWT_SECRET=${JWT_SECRET}
ANON_KEY=${ANON_KEY}
SERVICE_ROLE_KEY=${SERVICE_ROLE_KEY}
EOF
)"

# init sql for pgvector + Supabase Vector Store schema
pct_push_text "${CTID}" "/opt/customer-stack/sql/init_pgvector.sql" "$(cat <<'SQL'
-- Enable extensions
CREATE EXTENSION IF NOT EXISTS vector;
CREATE EXTENSION IF NOT EXISTS pg_trgm;

-- Create schema for API
CREATE SCHEMA IF NOT EXISTS api;

-- Create documents table for Vector Store (n8n PGVector Store compatible)
CREATE TABLE IF NOT EXISTS public.documents (
  id BIGSERIAL PRIMARY KEY,
  text TEXT,
  metadata JSONB,
  embedding VECTOR(768)  -- nomic-embed-text uses 768 dimensions
);

-- Create index for vector similarity search
CREATE INDEX IF NOT EXISTS documents_embedding_idx ON public.documents 
USING ivfflat (embedding vector_cosine_ops)
WITH (lists = 100);

-- Create the match_documents function for similarity search (Supabase/LangChain compatible)
CREATE OR REPLACE FUNCTION public.match_documents(
  query_embedding VECTOR(768),
  match_count INT DEFAULT 5,
  filter JSONB DEFAULT '{}'
)
RETURNS TABLE (
  id BIGINT,
  content TEXT,
  metadata JSONB,
  similarity FLOAT
)
LANGUAGE plpgsql
AS $$
BEGIN
  RETURN QUERY
  SELECT
    d.id,
    d.content,
    d.metadata,
    1 - (d.embedding <=> query_embedding) AS similarity
  FROM public.documents d
  WHERE (filter = '{}' OR d.metadata @> filter)
  ORDER BY d.embedding <=> query_embedding
  LIMIT match_count;
END;
$$;

-- Grant permissions for PostgREST roles
-- Create roles if they don't exist
DO $$
BEGIN
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'anon') THEN
    CREATE ROLE anon NOLOGIN;
  END IF;
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'service_role') THEN
    CREATE ROLE service_role NOLOGIN;
  END IF;
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'authenticator') THEN
    CREATE ROLE authenticator NOINHERIT LOGIN PASSWORD 'authenticator_password';
  END IF;
END
$$;

-- Grant permissions
GRANT USAGE ON SCHEMA public TO anon, service_role;
GRANT ALL ON ALL TABLES IN SCHEMA public TO anon, service_role;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO anon, service_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO anon, service_role;

-- Allow authenticator to switch to these roles
GRANT anon TO authenticator;
GRANT service_role TO authenticator;

-- Set default privileges for future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO anon, service_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO anon, service_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO anon, service_role;
SQL
)"

# docker-compose.yml
pct_push_text "${CTID}" "/opt/customer-stack/docker-compose.yml" "$(cat <<'YML'
services:
  postgres:
    image: pgvector/pgvector:pg16
    container_name: customer-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${PG_DB}
      POSTGRES_USER: ${PG_USER}
      POSTGRES_PASSWORD: ${PG_PASSWORD}
    volumes:
      - ./volumes/postgres/data:/var/lib/postgresql/data
      - ./sql:/docker-entrypoint-initdb.d:ro
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${PG_USER} -d ${PG_DB} || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 20
    networks:
      - customer-net

  postgrest:
    image: postgrest/postgrest:latest
    container_name: customer-postgrest
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    ports:
      - "${POSTGREST_PORT}:3000"
    environment:
      PGRST_DB_URI: postgres://${PG_USER}:${PG_PASSWORD}@postgres:5432/${PG_DB}
      PGRST_DB_SCHEMA: public
      PGRST_DB_ANON_ROLE: anon
      PGRST_JWT_SECRET: ${JWT_SECRET}
      PGRST_DB_USE_LEGACY_GUCS: "false"
    networks:
      - customer-net

  n8n:
    image: n8nio/n8n:latest
    container_name: n8n
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      postgrest:
        condition: service_started
    ports:
      - "${N8N_PORT}:5678"
    environment:
      # --- Web / Cookies / URL ---
      N8N_PORT: 5678
      N8N_PROTOCOL: ${N8N_PROTOCOL}
      N8N_HOST: ${N8N_HOST}
      N8N_EDITOR_BASE_URL: ${N8N_EDITOR_BASE_URL}
      WEBHOOK_URL: ${WEBHOOK_URL}
      N8N_SECURE_COOKIE: ${N8N_SECURE_COOKIE}

      # --- Disable telemetry / background calls ---
      N8N_DIAGNOSTICS_ENABLED: ${N8N_DIAGNOSTICS_ENABLED}
      N8N_VERSION_NOTIFICATIONS_ENABLED: ${N8N_VERSION_NOTIFICATIONS_ENABLED}
      N8N_TEMPLATES_ENABLED: ${N8N_TEMPLATES_ENABLED}

      # --- DB (Postgres) ---
      DB_TYPE: postgresdb
      DB_POSTGRESDB_HOST: postgres
      DB_POSTGRESDB_PORT: 5432
      DB_POSTGRESDB_DATABASE: ${PG_DB}
      DB_POSTGRESDB_USER: ${PG_USER}
      DB_POSTGRESDB_PASSWORD: ${PG_PASSWORD}

      # --- Basics ---
      GENERIC_TIMEZONE: Europe/Berlin
      TZ: Europe/Berlin

      N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY}

    volumes:
      - ./volumes/n8n-data:/home/node/.n8n
    networks:
      - customer-net

networks:
  customer-net:
    driver: bridge
YML
)"

# Make sure permissions are correct (again, after file writes)
pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data"

# Proxy
if [[ -n "${APT_PROXY}" ]]; then
pct_exec "$CTID" "mkdir -p /etc/docker"

pct_exec "$CTID" "cat > /etc/docker/daemon.json <<EOF
{
  \"registry-mirrors\": [\"${DOCKER_REGISTRY_MIRROR}\"]
}
EOF"

pct_exec "$CTID" "systemctl restart docker"
pct_exec "$CTID" "systemctl is-active docker"
pct_exec "$CTID" "docker info | grep -A2 -i 'Registry Mirrors'"
fi

# Pull + up
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull"
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d"
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps"

# --- Owner account creation (robust way) ---
# n8n shows the setup screen if no user exists.
# We create the owner via CLI inside the container.
pct_exec "${CTID}" "cd /opt/customer-stack && docker exec -u node n8n n8n --help >/dev/null 2>&1 || true"

# Try modern command first (works in current n8n builds); if it fails, we leave setup screen (but you'll see it in logs).
pct_exec "${CTID}" "cd /opt/customer-stack && (docker exec -u node n8n n8n user-management:reset --email '${N8N_OWNER_EMAIL}' --password '${N8N_OWNER_PASS}' --firstName 'Admin' --lastName 'Owner' >/dev/null 2>&1 || true)"

info "Step 7 OK: Stack deployed"

# ---------------------------
# Step 8: Setup Owner Account via REST API (fallback)
# ---------------------------
info "Step 8: Setting up owner account via REST API..."

# Wait for n8n to be ready
sleep 5

# Try REST API setup (works if user-management:reset didn't work)
pct_exec "${CTID}" "curl -sS -X POST 'http://127.0.0.1:5678/rest/owner/setup' \
  -H 'Content-Type: application/json' \
  -d '{\"email\":\"${N8N_OWNER_EMAIL}\",\"firstName\":\"Admin\",\"lastName\":\"Owner\",\"password\":\"${N8N_OWNER_PASS}\"}' || true"

info "Step 8 OK: Owner account setup attempted"

# ---------------------------
# Step 9: Final URLs and Output
# ---------------------------
info "Step 9: Generating final output..."

# Final URLs
N8N_INTERNAL_URL="http://${CT_IP}:5678/"
N8N_EXTERNAL_URL="https://${FQDN}"
POSTGREST_URL="http://${CT_IP}:${POSTGREST_PORT}"
# Supabase URL format for n8n credential (PostgREST acts as Supabase API)
# IMPORTANT: n8n runs inside Docker, so it needs the Docker-internal URL!
SUPABASE_URL="http://postgrest:3000"
SUPABASE_URL_EXTERNAL="http://${CT_IP}:${POSTGREST_PORT}"

# Chat URL (webhook URL for the chat trigger - will be available after workflow activation)
CHAT_WEBHOOK_URL="https://${FQDN}/webhook/rag-chat-webhook/chat"
CHAT_INTERNAL_URL="http://${CT_IP}:5678/webhook/rag-chat-webhook/chat"

# Upload Form URL (for document upload)
UPLOAD_FORM_URL="https://${FQDN}/form/rag-upload-form"
UPLOAD_FORM_INTERNAL_URL="http://${CT_IP}:5678/form/rag-upload-form"

info "n8n intern: ${N8N_INTERNAL_URL}"
info "n8n extern (geplant via OPNsense): ${N8N_EXTERNAL_URL}"
info "PostgREST API: ${POSTGREST_URL}"
info "Supabase Service Role Key: ${SERVICE_ROLE_KEY}"
info "Ollama URL: ${OLLAMA_URL}"
info "Chat Webhook URL (extern): ${CHAT_WEBHOOK_URL}"
info "Chat Webhook URL (intern): ${CHAT_INTERNAL_URL}"

# ---------------------------
# Step 10: Setup n8n Credentials + Import Workflow + Activate
# ---------------------------
info "Step 10: Setting up n8n credentials and importing RAG workflow..."

# Use the new robust n8n setup function from libsupabase.sh
# Parameters: ctid, email, password, pg_host, pg_port, pg_db, pg_user, pg_pass, ollama_url, ollama_model, embedding_model, workflow_file
if n8n_setup_rag_workflow "${CTID}" "${N8N_OWNER_EMAIL}" "${N8N_OWNER_PASS}" \
    "postgres" "5432" "${PG_DB}" "${PG_USER}" "${PG_PASSWORD}" \
    "${OLLAMA_URL}" "${OLLAMA_MODEL}" "${EMBEDDING_MODEL}" "${WORKFLOW_FILE}"; then
  info "Step 10 OK: n8n RAG workflow setup completed successfully"
else
  warn "Step 10: n8n workflow setup failed - manual setup may be required"
  info "Step 10: You can manually import the workflow via n8n UI"
fi

# ---------------------------
# Step 10a: Setup Workflow Auto-Reload on LXC Restart
# ---------------------------
info "Step 10a: Setting up workflow auto-reload on LXC restart..."

# Copy workflow template to container for auto-reload
info "Copying workflow template to container..."
if [[ -f "${WORKFLOW_FILE}" ]]; then
  # Read workflow file content
  WORKFLOW_CONTENT=$(cat "${WORKFLOW_FILE}")
  pct_push_text "${CTID}" "/opt/customer-stack/workflow-template.json" "${WORKFLOW_CONTENT}"
  info "Workflow template saved to /opt/customer-stack/workflow-template.json"
else
  warn "Workflow file not found: ${WORKFLOW_FILE}"
fi

# Copy reload script to container
info "Installing workflow reload script..."
RELOAD_SCRIPT_CONTENT=$(cat "${SCRIPT_DIR}/templates/reload-workflow.sh")
pct_push_text "${CTID}" "/opt/customer-stack/reload-workflow.sh" "${RELOAD_SCRIPT_CONTENT}"
pct_exec "${CTID}" "chmod +x /opt/customer-stack/reload-workflow.sh"
info "Reload script installed"

# Copy systemd service file to container
info "Installing systemd service for workflow auto-reload..."
SYSTEMD_SERVICE_CONTENT=$(cat "${SCRIPT_DIR}/templates/n8n-workflow-reload.service")
pct_push_text "${CTID}" "/etc/systemd/system/n8n-workflow-reload.service" "${SYSTEMD_SERVICE_CONTENT}"

# Enable and start systemd service
pct_exec "${CTID}" "systemctl daemon-reload"
pct_exec "${CTID}" "systemctl enable n8n-workflow-reload.service"
info "Systemd service enabled"

info "Step 10a OK: Workflow auto-reload configured"
info "The workflow will be automatically reloaded on every LXC restart"

# ---------------------------
# Step 11: Setup NGINX Reverse Proxy in OPNsense
# ---------------------------
info "Step 11: Setting up NGINX Reverse Proxy in OPNsense..."

# Check if setup_nginx_proxy.sh exists
if [[ -f "${SCRIPT_DIR}/setup_nginx_proxy.sh" ]]; then
  # Run the proxy setup script
  PROXY_RESULT=$(DEBUG="${DEBUG}" bash "${SCRIPT_DIR}/setup_nginx_proxy.sh" \
    --ctid "${CTID}" \
    --hostname "${CT_HOSTNAME}" \
    --fqdn "${FQDN}" \
    --backend-ip "${CT_IP}" \
    --backend-port "5678" \
    2>&1 || echo '{"success": false, "error": "Proxy setup failed"}')
  
  # Check if proxy setup was successful
  if echo "$PROXY_RESULT" | grep -q '"success": true'; then
    info "NGINX Reverse Proxy setup successful"
  else
    warn "NGINX Reverse Proxy setup may have failed: ${PROXY_RESULT}"
  fi
else
  warn "setup_nginx_proxy.sh not found, skipping proxy setup"
fi

info "Step 11 OK: Proxy setup completed"

# ---------------------------
# Final JSON Output
# ---------------------------
# Machine-readable JSON output (for your downstream automation)
# Kompaktes JSON in einer Zeile für einfaches Parsing
# Bei DEBUG=0: JSON auf fd 3 (ursprüngliches stdout) ausgeben
# Bei DEBUG=1: JSON normal auf stdout (geht auch ins Log)
JSON_OUTPUT="{\"ctid\":${CTID},\"hostname\":\"${CT_HOSTNAME}\",\"fqdn\":\"${FQDN}\",\"ip\":\"${CT_IP}\",\"vlan\":${VLAN},\"urls\":{\"n8n_internal\":\"${N8N_INTERNAL_URL}\",\"n8n_external\":\"${N8N_EXTERNAL_URL}\",\"postgrest\":\"${POSTGREST_URL}\",\"chat_webhook\":\"${CHAT_WEBHOOK_URL}\",\"chat_internal\":\"${CHAT_INTERNAL_URL}\",\"upload_form\":\"${UPLOAD_FORM_URL}\",\"upload_form_internal\":\"${UPLOAD_FORM_INTERNAL_URL}\"},\"postgres\":{\"host\":\"postgres\",\"port\":5432,\"db\":\"${PG_DB}\",\"user\":\"${PG_USER}\",\"password\":\"${PG_PASSWORD}\"},\"supabase\":{\"url\":\"${SUPABASE_URL}\",\"url_external\":\"${SUPABASE_URL_EXTERNAL}\",\"anon_key\":\"${ANON_KEY}\",\"service_role_key\":\"${SERVICE_ROLE_KEY}\",\"jwt_secret\":\"${JWT_SECRET}\"},\"ollama\":{\"url\":\"${OLLAMA_URL}\",\"model\":\"${OLLAMA_MODEL}\",\"embedding_model\":\"${EMBEDDING_MODEL}\"},\"n8n\":{\"encryption_key\":\"${N8N_ENCRYPTION_KEY}\",\"owner_email\":\"${N8N_OWNER_EMAIL}\",\"owner_password\":\"${N8N_OWNER_PASS}\",\"secure_cookie\":${N8N_SECURE_COOKIE}},\"log_file\":\"${FINAL_LOG}\"}"

if [[ "$DEBUG" == "1" ]]; then
  # Debug-Modus: JSON normal ausgeben (formatiert für Lesbarkeit)
  echo "$JSON_OUTPUT" | python3 -m json.tool 2>/dev/null || echo "$JSON_OUTPUT"
else
  # Normal-Modus: JSON auf ursprüngliches stdout (fd 3) - kompakt
  echo "$JSON_OUTPUT" >&3
fi

# ---------------------------
# Save credentials to file
# ---------------------------
CREDENTIALS_DIR="${SCRIPT_DIR}/credentials"
mkdir -p "${CREDENTIALS_DIR}"
CREDENTIALS_FILE="${CREDENTIALS_DIR}/${CT_HOSTNAME}.json"

# Save formatted credentials
echo "$JSON_OUTPUT" | python3 -m json.tool > "${CREDENTIALS_FILE}" 2>/dev/null || echo "$JSON_OUTPUT" > "${CREDENTIALS_FILE}"

info "Credentials saved to: ${CREDENTIALS_FILE}"
info "To update credentials later, use: bash update_credentials.sh --ctid ${CTID} --credentials-file ${CREDENTIALS_FILE}"