MediaMetz/customer-installer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prototype2.4_add_user

Browse Source
This commit is contained in:
Wolfgang
2026-01-11 16:30:31 +01:00
parent 555d908dd2
commit 4372489bb6
2 changed files with 206 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

182
install.sh
View File

@@ -11,7 +11,7 @@ Usage:
bash install.sh [options]
Core options:
--ctid <id> Force CT ID (optional). If omitted, customer-safe CTID is generated (epoch-1000000000).
--ctid <id> Force CTID (optional)
--cores <n> (default: 2)
--memory <mb> (default: 4096)
--swap <mb> (default: 512)
@@ -19,14 +19,10 @@ Core options:
--bridge <vmbrX> (default: vmbr0)
--storage <storage> (default: local-zfs)
--ip <dhcp|CIDR> (default: dhcp)
--vlan <id> VLAN tag for net0 (default: 90)
--domain <domain> Base domain for FQDN (default: userman.de)
--vlan <id> (default: 90) (empty/0 disables tagging)
--domain <domain> (default: userman.de) -> FQDN=sb-<unix>.DOMAIN
--privileged Create privileged CT (default: unprivileged)
--help Show help
Examples:
bash install.sh
bash install.sh --storage local-zfs --bridge vmbr0 --ip dhcp --vlan 90
EOF
}
@@ -48,41 +44,47 @@ UNPRIV="1"
# ---------------------------
while [[ $# -gt 0 ]]; do
case "$1" in
--ctid) CTID="${2:-}"; shift 2 ;;
--cores) CORES="${2:-}"; shift 2 ;;
--memory) MEMORY="${2:-}"; shift 2 ;;
--swap) SWAP="${2:-}"; shift 2 ;;
--disk) DISK="${2:-}"; shift 2 ;;
--bridge) BRIDGE="${2:-}"; shift 2 ;;
--storage) STORAGE="${2:-}"; shift 2 ;;
--ip) IPCFG="${2:-}"; shift 2 ;;
--vlan) VLAN="${2:-}"; shift 2 ;;
--domain) DOMAIN="${2:-}"; shift 2 ;;
--ctid) CTID="${2:-}"; shift 2 ;;
--cores) CORES="${2:-}"; shift 2 ;;
--memory) MEMORY="${2:-}"; shift 2 ;;
--swap) SWAP="${2:-}"; shift 2 ;;
--disk) DISK="${2:-}"; shift 2 ;;
--bridge) BRIDGE="${2:-}"; shift 2 ;;
--storage) STORAGE="${2:-}"; shift 2 ;;
--ip) IPCFG="${2:-}"; shift 2 ;;
--vlan) VLAN="${2:-}"; shift 2 ;;
--domain) DOMAIN="${2:-}"; shift 2 ;;
--privileged) UNPRIV="0"; shift 1 ;;
--help|-h) usage; exit 0 ;;
--help|-h) usage; exit 0 ;;
*) die "Unknown option: $1 (use --help)" ;;
esac
done
# Basic validation
[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer"
[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer"
[[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer"
[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer"
[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer"
[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer"
[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer"
[[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid"
[[ "$VLAN" =~ ^[0-9]+$ ]] || die "--vlan must be integer (e.g. 90)"
[[ -n "$DOMAIN" ]] || die "--domain must not be empty"
if [[ "$IPCFG" != "dhcp" ]]; then
[[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)"
fi
if [[ -n "${VLAN}" && "${VLAN}" != "0" ]]; then
[[ "${VLAN}" =~ ^[0-9]+$ ]] || die "--vlan must be integer or 0"
else
VLAN=""
fi
[[ -n "${DOMAIN}" ]] || die "--domain must not be empty"
info "Argument-Parsing OK"
# ---------------------------
# Preflight Proxmox
# ---------------------------
need_cmd pct pvesm pveam pvesh grep date openssl
need_cmd pct pvesm pveam pvesh grep date awk ip openssl
pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE"
pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE"
@@ -90,29 +92,24 @@ pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE"
TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")"
info "Template OK: ${TEMPLATE}"
# Hostname based on unix time (as agreed)
EPOCH="$(date +%s)"
CT_HOSTNAME="sb-${EPOCH}"
# Hostname based on unix time
UNIX_TS="$(date +%s)"
CT_HOSTNAME="sb-${UNIX_TS}"
FQDN="${CT_HOSTNAME}.${DOMAIN}"
info "SCRIPT_DIR=${SCRIPT_DIR}"
info "CT_HOSTNAME=${CT_HOSTNAME}"
info "FQDN=${FQDN}"
# CTID selection
if [[ -n "$CTID" ]]; then
[[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer"
if pve_vmid_exists_cluster "$CTID"; then
die "Forced CTID=${CTID} already exists in cluster"
fi
else
CTID="$(pve_select_customer_ctid)"
fi
[[ -n "$CTID" ]] || die "CTID selection failed (empty)"
info "CTID selected: ${CTID}"
info "SCRIPT_DIR=${SCRIPT_DIR}"
info "CT_HOSTNAME=${CT_HOSTNAME}"
info "FQDN=${FQDN}"
info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB"
info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN} unprivileged=${UNPRIV}"
info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN:-none} unprivileged=${UNPRIV}"
# ---------------------------
# Step 5: Create CT
@@ -142,6 +139,7 @@ CT_IP="$(pct_wait_for_ip "${CTID}" || true)"
[[ -n "${CT_IP}" ]] || die "Could not determine CT IP after start"
info "Step 5 OK: LXC erstellt + IP ermittelt"
info "CT_HOSTNAME=${CT_HOSTNAME}"
info "CT_IP=${CT_IP}"
# ---------------------------
@@ -149,12 +147,14 @@ info "CT_IP=${CT_IP}"
# ---------------------------
info "Step 6: Provisioning im CT (Docker + Locales + Base)"
# Base packages
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release locales"
# Locales (fix warning + set DE)
pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen || true"
pct_exec "${CTID}" "locale-gen >/dev/null 2>&1 || true"
# Locales (German default, but keep system stable)
pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen"
pct_exec "${CTID}" "locale-gen >/dev/null || true"
pct_exec "${CTID}" "printf 'LANG=de_DE.UTF-8\nLC_ALL=de_DE.UTF-8\n' > /etc/default/locale || true"
pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8 || true"
# Docker official repo (Debian 12 / bookworm)
@@ -165,8 +165,8 @@ pct_exec "${CTID}" "echo \"deb [arch=\$(dpkg --print-architecture) signed-by=/et
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"
# Base dirs
pct_exec "${CTID}" "mkdir -p /opt/customer-stack /opt/customer-stack/volumes /opt/customer-stack/sql"
# Create stack directories
pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes /opt/customer-stack/sql"
info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt"
info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)"
@@ -176,24 +176,31 @@ info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Heal
# ---------------------------
info "Step 7: Stack finalisieren + Secrets + Up + Checks"
# Secrets (host-side generation, no broken pipelines)
# Secrets (NO tr pipes)
PG_DB="customer"
PG_USER="customer"
PG_PASSWORD="$(rand_pw_32)"
PG_PASSWORD="$(gen_hex 16)"
N8N_ENCRYPTION_KEY="$(gen_hex 32)"
# Owner account (as requested)
N8N_USER_MANAGEMENT_DISABLED="false"
N8N_DEFAULT_USER_EMAIL="admin@${DOMAIN}"
N8N_DEFAULT_USER_PASSWORD="$(gen_hex 12)" # hex => safe, no special chars issues
# URLs
N8N_PORT="5678"
N8N_PROTOCOL="http"
N8N_HOST="${CT_IP}"
N8N_EDITOR_BASE_URL="https://${FQDN}/"
WEBHOOK_URL="https://${FQDN}/"
N8N_SECURE_COOKIE="false"
N8N_ENCRYPTION_KEY="$(rand_hex_32)"
# Telemetry off (as you want)
# Telemetry/background calls off (n8n docs)
N8N_DIAGNOSTICS_ENABLED="false"
N8N_VERSION_NOTIFICATIONS_ENABLED="false"
N8N_TEMPLATES_ENABLED="false"
# Write .env
# Write .env inside CT
pct_exec "${CTID}" "cat > /opt/customer-stack/.env <<'ENV'
PG_DB=${PG_DB}
PG_USER=${PG_USER}
@@ -208,19 +215,18 @@ N8N_SECURE_COOKIE=${N8N_SECURE_COOKIE}
N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
# Telemetrie/Background Calls aus (n8n docs)
# Owner bootstrap
N8N_USER_MANAGEMENT_DISABLED=${N8N_USER_MANAGEMENT_DISABLED}
N8N_DEFAULT_USER_EMAIL=${N8N_DEFAULT_USER_EMAIL}
N8N_DEFAULT_USER_PASSWORD=${N8N_DEFAULT_USER_PASSWORD}
# Telemetrie/Background Calls aus
N8N_DIAGNOSTICS_ENABLED=${N8N_DIAGNOSTICS_ENABLED}
N8N_VERSION_NOTIFICATIONS_ENABLED=${N8N_VERSION_NOTIFICATIONS_ENABLED}
N8N_TEMPLATES_ENABLED=${N8N_TEMPLATES_ENABLED}
ENV"
# SQL init for pgvector
pct_exec "${CTID}" "cat > /opt/customer-stack/sql/init_pgvector.sql <<'SQL'
CREATE EXTENSION IF NOT EXISTS vector;
CREATE EXTENSION IF NOT EXISTS pgcrypto;
SQL"
# docker-compose.yml
# docker-compose.yml inside CT
pct_exec "${CTID}" "cat > /opt/customer-stack/docker-compose.yml <<'YML'
services:
postgres:
@@ -235,7 +241,7 @@ services:
- ./volumes/postgres/data:/var/lib/postgresql/data
- ./sql:/docker-entrypoint-initdb.d:ro
healthcheck:
test: [\"CMD-SHELL\", \"pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1\"]
test: ['CMD-SHELL', 'pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1']
interval: 10s
timeout: 5s
retries: 20
@@ -250,7 +256,7 @@ services:
postgres:
condition: service_healthy
ports:
- \"\${N8N_PORT}:5678\"
- '\${N8N_PORT}:5678'
environment:
N8N_PORT: 5678
N8N_PROTOCOL: \${N8N_PROTOCOL}
@@ -259,6 +265,17 @@ services:
WEBHOOK_URL: \${WEBHOOK_URL}
N8N_SECURE_COOKIE: \${N8N_SECURE_COOKIE}
# Owner bootstrap
N8N_USER_MANAGEMENT_DISABLED: \${N8N_USER_MANAGEMENT_DISABLED}
N8N_DEFAULT_USER_EMAIL: \${N8N_DEFAULT_USER_EMAIL}
N8N_DEFAULT_USER_PASSWORD: \${N8N_DEFAULT_USER_PASSWORD}
# Telemetry/background calls off
N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED}
N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED}
N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED}
# DB
DB_TYPE: postgresdb
DB_POSTGRESDB_HOST: postgres
DB_POSTGRESDB_PORT: 5432
@@ -266,15 +283,13 @@ services:
DB_POSTGRESDB_USER: \${PG_USER}
DB_POSTGRESDB_PASSWORD: \${PG_PASSWORD}
# TZ
GENERIC_TIMEZONE: Europe/Berlin
TZ: Europe/Berlin
# Encryption
N8N_ENCRYPTION_KEY: \${N8N_ENCRYPTION_KEY}
# Telemetry / background calls off
N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED}
N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED}
N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED}
volumes:
- ./volumes/n8n-data:/home/node/.n8n
networks:
@@ -285,43 +300,52 @@ networks:
driver: bridge
YML"
# Permissions fix to prevent n8n restart loop (EACCES on /home/node/.n8n/config)
# Fix permissions for n8n volume (prevents restart loop EACCES)
pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/n8n-data /opt/customer-stack/volumes/postgres/data"
pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data"
# Deploy
# Bring up stack
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull"
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d"
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps"
info "Step 7 OK: Stack deployed"
info "n8n intern: http://${CT_IP}:${N8N_PORT}/"
info "n8n intern: http://${CT_IP}:5678/"
info "n8n extern (geplant via OPNsense): https://${FQDN}"
info "Hinweis: Telemetrie/Template/Versionschecks sind deaktiviert (n8n docs)."
# ---------------------------
# FINAL OUTPUT: JSON (STDOUT)
# FINAL: JSON output for automation
# ---------------------------
# This MUST be machine-readable: no logs here.
# Output on stdout ONLY (so you can capture it cleanly)
cat <<JSON
{
"ctid": ${CTID},
"hostname": "${CT_HOSTNAME}",
"fqdn": "${FQDN}",
"ip": "${CT_IP}",
"vlan": ${VLAN},
"n8n": {
"internal_url": "http://${CT_IP}:${N8N_PORT}/",
"external_url": "https://${FQDN}",
"port": ${N8N_PORT},
"encryption_key": "${N8N_ENCRYPTION_KEY}"
"ctid": "${CTID}",
"hostname": "$(json_escape "${CT_HOSTNAME}")",
"fqdn": "$(json_escape "${FQDN}")",
"ip": "$(json_escape "${CT_IP}")",
"network": {
"bridge": "$(json_escape "${BRIDGE}")",
"vlan": "$(json_escape "${VLAN:-}")",
"ipcfg": "$(json_escape "${IPCFG}")"
},
"urls": {
"n8n_internal": "http://$(json_escape "${CT_IP}"):5678/",
"n8n_external": "https://$(json_escape "${FQDN}")"
},
"postgres": {
"db": "${PG_DB}",
"user": "${PG_USER}",
"password": "${PG_PASSWORD}",
"host_in_docker": "postgres",
"db": "$(json_escape "${PG_DB}")",
"user": "$(json_escape "${PG_USER}")",
"password": "$(json_escape "${PG_PASSWORD}")",
"host": "postgres",
"port": 5432
},
"n8n": {
"encryption_key": "$(json_escape "${N8N_ENCRYPTION_KEY}")",
"default_user_email": "$(json_escape "${N8N_DEFAULT_USER_EMAIL}")",
"default_user_password": "$(json_escape "${N8N_DEFAULT_USER_PASSWORD}")",
"secure_cookie": "$(json_escape "${N8N_SECURE_COOKIE}")",
"telemetry_disabled": true
}
}
JSON

202
libsupabase.sh
View File

@@ -1,18 +1,19 @@
#!/usr/bin/env bash
set -Eeuo pipefail
# ----------------------------
# Logging (ALLES nach STDERR!)
# ----------------------------
_ts() { date '+%F %T'; }
# ---------------------------
# Logging (ALLES nach stderr)
# ---------------------------
_ts() { date +"%F %T"; }
log() { echo "[$(_ts)] $*" >&2; }
info() { log "INFO: $*"; }
warn() { log "WARN: $*"; }
die() { log "ERROR: $*"; exit 1; }
info() { echo "[$(_ts)] INFO: $*" >&2; }
warn() { echo "[$(_ts)] WARN: $*" >&2; }
err() { echo "[$(_ts)] ERROR: $*" >&2; }
die() { err "$*"; exit 1; }
setup_traps() {
trap 'die "Failed at line ${LINENO}: ${BASH_COMMAND} (exit=$?)"' ERR
trap 'rc=$?; err "Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=${rc})"; exit ${rc}' ERR
}
need_cmd() {
@@ -22,130 +23,133 @@ need_cmd() {
done
}
# ----------------------------
# ---------------------------
# Proxmox helpers
# ----------------------------
# ---------------------------
pve_storage_exists() {
local st="$1"
pvesm status --storage "$st" >/dev/null 2>&1
local st="${1:?storage}"
pvesm status -content rootdir,vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$st"
}
pve_bridge_exists() {
local br="$1"
[[ -d "/sys/class/net/${br}/bridge" ]]
local br="${1:?bridge}"
ip link show "$br" >/dev/null 2>&1
}
# Return list of all VMIDs in the cluster (CT + VM), one per line.
# No pipelines to "tail" etc. in-script -> avoids broken pipe.
pve_cluster_vmids() {
need_cmd pvesh python3
local json
json="$(pvesh get /cluster/resources --type vm --output-format json 2>/dev/null || true)"
[[ -n "$json" ]] || return 0
python3 - <<'PY' <<<"$json"
import json, sys
try:
data = json.loads(sys.stdin.read())
except Exception:
sys.exit(0)
for r in data:
vmid = r.get("vmid")
if isinstance(vmid, int):
print(vmid)
PY
}
pve_vmid_exists_cluster() {
local vmid="$1"
[[ "$vmid" =~ ^[0-9]+$ ]] || return 1
pve_cluster_vmids | awk -v id="$vmid" '$1==id{found=1} END{exit found?0:1}'
}
# Customer-safe CTID:
# epoch - 1000000000 => e.g. 1768138201 -> 768138201
pve_select_customer_ctid() {
need_cmd date
local base
base="$(date +%s)"
local ctid=$((base - 1000000000))
# ensure integer + not used
while pve_vmid_exists_cluster "$ctid"; do
ctid=$((ctid + 1))
done
echo "$ctid"
}
# Ensure Debian 12 template exists and return "storage:vztmpl/<file>" on STDOUT ONLY.
# Ensure Debian 12 template exists.
# IMPORTANT: stdout MUST be ONLY the template path.
pve_template_ensure_debian12() {
need_cmd pveam awk grep
local preferred_store="$1"
local tpl="debian-12-standard_12.12-1_amd64.tar.zst"
local store="$preferred_store"
local preferred_storage="${1:?storage}"
local tmpl="debian-12-standard_12.12-1_amd64.tar.zst"
local tmpl_path=""
# Some storages (e.g. local-zfs) don't support templates in pveam.
if ! pveam list "$store" >/dev/null 2>&1; then
warn "pveam storage '$store' not available for templates; falling back to 'local'"
store="local"
# pveam templates are stored on storages that have 'vztmpl' content type.
# Many setups only allow 'local' for templates.
if pveam available -section system 2>/dev/null | awk '{print $2}' | grep -qx "$tmpl"; then
:
else
warn "Could not verify template list via pveam available; continuing anyway."
fi
# Make sure template exists; download if missing
if ! pveam list "$store" 2>/dev/null | awk '{print $2}' | grep -qx "$tpl"; then
info "Downloading CT template to ${store}: ${tpl}"
pveam update >/dev/null 2>&1 || true
pveam download "$store" "$tpl" >/dev/null
# Decide template storage: prefer given storage if it supports vztmpl; else fallback to 'local'
if pvesm status -content vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$preferred_storage"; then
:
else
warn "pveam storage '${preferred_storage}' not available for templates; falling back to 'local'"
preferred_storage="local"
fi
# IMPORTANT: only echo the template ref on STDOUT
echo "${store}:vztmpl/${tpl}"
# Download if missing
if ! pvesm list "${preferred_storage}" 2>/dev/null | awk '{print $1}' | grep -q "vztmpl/${tmpl}$"; then
info "Downloading CT template to ${preferred_storage}: ${tmpl}"
pveam download "${preferred_storage}" "${tmpl}" >/dev/null
else
info "CT template already present on ${preferred_storage}: ${tmpl}"
fi
tmpl_path="${preferred_storage}:vztmpl/${tmpl}"
echo "${tmpl_path}"
}
# Build net0 string, supports VLAN tag
# Build net0 string with optional VLAN tag and ip config.
# IPCFG: "dhcp" or "X.X.X.X/YY"
# VLAN: empty or integer
pve_build_net0() {
local bridge="$1"
local ipcfg="$2"
local bridge="${1:?bridge}"
local ipcfg="${2:?ipcfg}"
local vlan="${3:-}"
local base="name=eth0,bridge=${bridge},ip=${ipcfg}"
if [[ -n "$vlan" ]]; then
echo "${base},tag=${vlan}"
local net="name=eth0,bridge=${bridge}"
if [[ "${ipcfg}" == "dhcp" ]]; then
net+=",ip=dhcp"
else
echo "${base}"
net+=",ip=${ipcfg}"
fi
if [[ -n "${vlan}" ]]; then
net+=",tag=${vlan}"
fi
echo "${net}"
}
# Wait for IPv4 on eth0
# Wait for DHCP IP
pct_wait_for_ip() {
need_cmd pct awk cut head sleep
local ctid="$1"
local tries="${2:-60}"
local ctid="${1:?ctid}"
local tries=60
local i ip
for i in $(seq 1 "$tries"); do
ip="$(pct exec "$ctid" -- bash -lc "ip -4 -o addr show dev eth0 2>/dev/null | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
if [[ -n "$ip" ]]; then
echo "$ip"
while (( tries-- > 0 )); do
# Prefer pct exec hostname -I; fallback to ip -4 addr
local ip=""
ip="$(pct exec "${ctid}" -- bash -lc "hostname -I 2>/dev/null | awk '{print \$1}'" 2>/dev/null || true)"
if [[ -z "${ip}" ]]; then
ip="$(pct exec "${ctid}" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
fi
if [[ -n "${ip}" ]]; then
echo "${ip}"
return 0
fi
sleep 1
done
return 1
}
pct_exec() {
local ctid="$1"; shift
pct exec "$ctid" -- bash -lc "$*"
local ctid="${1:?ctid}"
shift
# run inside CT
pct exec "${ctid}" -- bash -lc "$*"
}
# Generate secrets without pipelines that trigger broken-pipe noise
rand_hex_32() {
need_cmd openssl
openssl rand -hex 32
# ---------------------------
# CTID strategy (your decision)
# Use: (unix_time - 1_000_000_000) => safe until 2038
# ---------------------------
pve_select_customer_ctid() {
local now
now="$(date +%s)"
local ctid=$(( now - 1000000000 ))
# Guard: must be positive integer
(( ctid > 0 )) || die "Computed CTID is invalid: ${ctid}"
echo "${ctid}"
}
rand_pw_32() {
need_cmd openssl
# URL-safe-ish
openssl rand -base64 32 | tr -d '\n' | tr '/+' 'Aa' | cut -c1-32
# ---------------------------
# Secrets (NO tr pipes)
# ---------------------------
gen_hex() {
local nbytes="${1:-32}"
# openssl rand -hex N -> 2N hex chars, no pipes, no 'tr'
openssl rand -hex "${nbytes}"
}
# JSON escaping minimal for our known safe values (hex + simple strings)
json_escape() {
local s="$1"
s="${s//\\/\\\\}"
s="${s//\"/\\\"}"
s="${s//$'\n'/\\n}"
echo -n "$s"
}