From 4372489bb6155b0c9af6879d82ac3abc634ecd1e Mon Sep 17 00:00:00 2001 From: Wolfgang Date: Sun, 11 Jan 2026 16:30:31 +0100 Subject: [PATCH] Prototype2.4_add_user --- install.sh | 182 +++++++++++++++++++++++++------------------- libsupabase.sh | 202 +++++++++++++++++++++++++------------------------ 2 files changed, 206 insertions(+), 178 deletions(-) diff --git a/install.sh b/install.sh index a23da27..6f3078b 100755 --- a/install.sh +++ b/install.sh @@ -11,7 +11,7 @@ Usage: bash install.sh [options] Core options: - --ctid Force CT ID (optional). If omitted, customer-safe CTID is generated (epoch-1000000000). + --ctid Force CTID (optional) --cores (default: 2) --memory (default: 4096) --swap (default: 512) @@ -19,14 +19,10 @@ Core options: --bridge (default: vmbr0) --storage (default: local-zfs) --ip (default: dhcp) - --vlan VLAN tag for net0 (default: 90) - --domain Base domain for FQDN (default: userman.de) + --vlan (default: 90) (empty/0 disables tagging) + --domain (default: userman.de) -> FQDN=sb-.DOMAIN --privileged Create privileged CT (default: unprivileged) --help Show help - -Examples: - bash install.sh - bash install.sh --storage local-zfs --bridge vmbr0 --ip dhcp --vlan 90 EOF } @@ -48,41 +44,47 @@ UNPRIV="1" # --------------------------- while [[ $# -gt 0 ]]; do case "$1" in - --ctid) CTID="${2:-}"; shift 2 ;; - --cores) CORES="${2:-}"; shift 2 ;; - --memory) MEMORY="${2:-}"; shift 2 ;; - --swap) SWAP="${2:-}"; shift 2 ;; - --disk) DISK="${2:-}"; shift 2 ;; - --bridge) BRIDGE="${2:-}"; shift 2 ;; - --storage) STORAGE="${2:-}"; shift 2 ;; - --ip) IPCFG="${2:-}"; shift 2 ;; - --vlan) VLAN="${2:-}"; shift 2 ;; - --domain) DOMAIN="${2:-}"; shift 2 ;; + --ctid) CTID="${2:-}"; shift 2 ;; + --cores) CORES="${2:-}"; shift 2 ;; + --memory) MEMORY="${2:-}"; shift 2 ;; + --swap) SWAP="${2:-}"; shift 2 ;; + --disk) DISK="${2:-}"; shift 2 ;; + --bridge) BRIDGE="${2:-}"; shift 2 ;; + --storage) STORAGE="${2:-}"; shift 2 ;; + --ip) IPCFG="${2:-}"; shift 2 ;; + --vlan) VLAN="${2:-}"; shift 2 ;; + --domain) DOMAIN="${2:-}"; shift 2 ;; --privileged) UNPRIV="0"; shift 1 ;; - --help|-h) usage; exit 0 ;; + --help|-h) usage; exit 0 ;; *) die "Unknown option: $1 (use --help)" ;; esac done # Basic validation -[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer" +[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer" [[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer" -[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer" -[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer" +[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer" +[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer" [[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid" -[[ "$VLAN" =~ ^[0-9]+$ ]] || die "--vlan must be integer (e.g. 90)" -[[ -n "$DOMAIN" ]] || die "--domain must not be empty" if [[ "$IPCFG" != "dhcp" ]]; then [[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)" fi +if [[ -n "${VLAN}" && "${VLAN}" != "0" ]]; then + [[ "${VLAN}" =~ ^[0-9]+$ ]] || die "--vlan must be integer or 0" +else + VLAN="" +fi + +[[ -n "${DOMAIN}" ]] || die "--domain must not be empty" + info "Argument-Parsing OK" # --------------------------- # Preflight Proxmox # --------------------------- -need_cmd pct pvesm pveam pvesh grep date openssl +need_cmd pct pvesm pveam pvesh grep date awk ip openssl pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE" pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE" @@ -90,29 +92,24 @@ pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE" TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")" info "Template OK: ${TEMPLATE}" -# Hostname based on unix time (as agreed) -EPOCH="$(date +%s)" -CT_HOSTNAME="sb-${EPOCH}" +# Hostname based on unix time +UNIX_TS="$(date +%s)" +CT_HOSTNAME="sb-${UNIX_TS}" FQDN="${CT_HOSTNAME}.${DOMAIN}" -info "SCRIPT_DIR=${SCRIPT_DIR}" -info "CT_HOSTNAME=${CT_HOSTNAME}" -info "FQDN=${FQDN}" # CTID selection if [[ -n "$CTID" ]]; then [[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer" - if pve_vmid_exists_cluster "$CTID"; then - die "Forced CTID=${CTID} already exists in cluster" - fi else CTID="$(pve_select_customer_ctid)" fi -[[ -n "$CTID" ]] || die "CTID selection failed (empty)" info "CTID selected: ${CTID}" - +info "SCRIPT_DIR=${SCRIPT_DIR}" +info "CT_HOSTNAME=${CT_HOSTNAME}" +info "FQDN=${FQDN}" info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB" -info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN} unprivileged=${UNPRIV}" +info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN:-none} unprivileged=${UNPRIV}" # --------------------------- # Step 5: Create CT @@ -142,6 +139,7 @@ CT_IP="$(pct_wait_for_ip "${CTID}" || true)" [[ -n "${CT_IP}" ]] || die "Could not determine CT IP after start" info "Step 5 OK: LXC erstellt + IP ermittelt" +info "CT_HOSTNAME=${CT_HOSTNAME}" info "CT_IP=${CT_IP}" # --------------------------- @@ -149,12 +147,14 @@ info "CT_IP=${CT_IP}" # --------------------------- info "Step 6: Provisioning im CT (Docker + Locales + Base)" +# Base packages pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release locales" -# Locales (fix warning + set DE) -pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen || true" -pct_exec "${CTID}" "locale-gen >/dev/null 2>&1 || true" +# Locales (German default, but keep system stable) +pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen" +pct_exec "${CTID}" "locale-gen >/dev/null || true" +pct_exec "${CTID}" "printf 'LANG=de_DE.UTF-8\nLC_ALL=de_DE.UTF-8\n' > /etc/default/locale || true" pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8 || true" # Docker official repo (Debian 12 / bookworm) @@ -165,8 +165,8 @@ pct_exec "${CTID}" "echo \"deb [arch=\$(dpkg --print-architecture) signed-by=/et pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin" -# Base dirs -pct_exec "${CTID}" "mkdir -p /opt/customer-stack /opt/customer-stack/volumes /opt/customer-stack/sql" +# Create stack directories +pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes /opt/customer-stack/sql" info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt" info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)" @@ -176,24 +176,31 @@ info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Heal # --------------------------- info "Step 7: Stack finalisieren + Secrets + Up + Checks" -# Secrets (host-side generation, no broken pipelines) +# Secrets (NO tr pipes) PG_DB="customer" PG_USER="customer" -PG_PASSWORD="$(rand_pw_32)" +PG_PASSWORD="$(gen_hex 16)" +N8N_ENCRYPTION_KEY="$(gen_hex 32)" + +# Owner account (as requested) +N8N_USER_MANAGEMENT_DISABLED="false" +N8N_DEFAULT_USER_EMAIL="admin@${DOMAIN}" +N8N_DEFAULT_USER_PASSWORD="$(gen_hex 12)" # hex => safe, no special chars issues + +# URLs N8N_PORT="5678" N8N_PROTOCOL="http" N8N_HOST="${CT_IP}" N8N_EDITOR_BASE_URL="https://${FQDN}/" WEBHOOK_URL="https://${FQDN}/" N8N_SECURE_COOKIE="false" -N8N_ENCRYPTION_KEY="$(rand_hex_32)" -# Telemetry off (as you want) +# Telemetry/background calls off (n8n docs) N8N_DIAGNOSTICS_ENABLED="false" N8N_VERSION_NOTIFICATIONS_ENABLED="false" N8N_TEMPLATES_ENABLED="false" -# Write .env +# Write .env inside CT pct_exec "${CTID}" "cat > /opt/customer-stack/.env <<'ENV' PG_DB=${PG_DB} PG_USER=${PG_USER} @@ -208,19 +215,18 @@ N8N_SECURE_COOKIE=${N8N_SECURE_COOKIE} N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY} -# Telemetrie/Background Calls aus (n8n docs) +# Owner bootstrap +N8N_USER_MANAGEMENT_DISABLED=${N8N_USER_MANAGEMENT_DISABLED} +N8N_DEFAULT_USER_EMAIL=${N8N_DEFAULT_USER_EMAIL} +N8N_DEFAULT_USER_PASSWORD=${N8N_DEFAULT_USER_PASSWORD} + +# Telemetrie/Background Calls aus N8N_DIAGNOSTICS_ENABLED=${N8N_DIAGNOSTICS_ENABLED} N8N_VERSION_NOTIFICATIONS_ENABLED=${N8N_VERSION_NOTIFICATIONS_ENABLED} N8N_TEMPLATES_ENABLED=${N8N_TEMPLATES_ENABLED} ENV" -# SQL init for pgvector -pct_exec "${CTID}" "cat > /opt/customer-stack/sql/init_pgvector.sql <<'SQL' -CREATE EXTENSION IF NOT EXISTS vector; -CREATE EXTENSION IF NOT EXISTS pgcrypto; -SQL" - -# docker-compose.yml +# docker-compose.yml inside CT pct_exec "${CTID}" "cat > /opt/customer-stack/docker-compose.yml <<'YML' services: postgres: @@ -235,7 +241,7 @@ services: - ./volumes/postgres/data:/var/lib/postgresql/data - ./sql:/docker-entrypoint-initdb.d:ro healthcheck: - test: [\"CMD-SHELL\", \"pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1\"] + test: ['CMD-SHELL', 'pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1'] interval: 10s timeout: 5s retries: 20 @@ -250,7 +256,7 @@ services: postgres: condition: service_healthy ports: - - \"\${N8N_PORT}:5678\" + - '\${N8N_PORT}:5678' environment: N8N_PORT: 5678 N8N_PROTOCOL: \${N8N_PROTOCOL} @@ -259,6 +265,17 @@ services: WEBHOOK_URL: \${WEBHOOK_URL} N8N_SECURE_COOKIE: \${N8N_SECURE_COOKIE} + # Owner bootstrap + N8N_USER_MANAGEMENT_DISABLED: \${N8N_USER_MANAGEMENT_DISABLED} + N8N_DEFAULT_USER_EMAIL: \${N8N_DEFAULT_USER_EMAIL} + N8N_DEFAULT_USER_PASSWORD: \${N8N_DEFAULT_USER_PASSWORD} + + # Telemetry/background calls off + N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED} + N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED} + N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED} + + # DB DB_TYPE: postgresdb DB_POSTGRESDB_HOST: postgres DB_POSTGRESDB_PORT: 5432 @@ -266,15 +283,13 @@ services: DB_POSTGRESDB_USER: \${PG_USER} DB_POSTGRESDB_PASSWORD: \${PG_PASSWORD} + # TZ GENERIC_TIMEZONE: Europe/Berlin TZ: Europe/Berlin + # Encryption N8N_ENCRYPTION_KEY: \${N8N_ENCRYPTION_KEY} - # Telemetry / background calls off - N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED} - N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED} - N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED} volumes: - ./volumes/n8n-data:/home/node/.n8n networks: @@ -285,43 +300,52 @@ networks: driver: bridge YML" -# Permissions fix to prevent n8n restart loop (EACCES on /home/node/.n8n/config) +# Fix permissions for n8n volume (prevents restart loop EACCES) pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/n8n-data /opt/customer-stack/volumes/postgres/data" pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data" -# Deploy +# Bring up stack pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps" info "Step 7 OK: Stack deployed" -info "n8n intern: http://${CT_IP}:${N8N_PORT}/" +info "n8n intern: http://${CT_IP}:5678/" info "n8n extern (geplant via OPNsense): https://${FQDN}" info "Hinweis: Telemetrie/Template/Versionschecks sind deaktiviert (n8n docs)." # --------------------------- -# FINAL OUTPUT: JSON (STDOUT) +# FINAL: JSON output for automation # --------------------------- -# This MUST be machine-readable: no logs here. +# Output on stdout ONLY (so you can capture it cleanly) cat <&2; } -info() { log "INFO: $*"; } -warn() { log "WARN: $*"; } -die() { log "ERROR: $*"; exit 1; } +info() { echo "[$(_ts)] INFO: $*" >&2; } +warn() { echo "[$(_ts)] WARN: $*" >&2; } +err() { echo "[$(_ts)] ERROR: $*" >&2; } + +die() { err "$*"; exit 1; } setup_traps() { - trap 'die "Failed at line ${LINENO}: ${BASH_COMMAND} (exit=$?)"' ERR + trap 'rc=$?; err "Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=${rc})"; exit ${rc}' ERR } need_cmd() { @@ -22,130 +23,133 @@ need_cmd() { done } -# ---------------------------- +# --------------------------- # Proxmox helpers -# ---------------------------- +# --------------------------- pve_storage_exists() { - local st="$1" - pvesm status --storage "$st" >/dev/null 2>&1 + local st="${1:?storage}" + pvesm status -content rootdir,vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$st" } pve_bridge_exists() { - local br="$1" - [[ -d "/sys/class/net/${br}/bridge" ]] + local br="${1:?bridge}" + ip link show "$br" >/dev/null 2>&1 } -# Return list of all VMIDs in the cluster (CT + VM), one per line. -# No pipelines to "tail" etc. in-script -> avoids broken pipe. -pve_cluster_vmids() { - need_cmd pvesh python3 - local json - json="$(pvesh get /cluster/resources --type vm --output-format json 2>/dev/null || true)" - [[ -n "$json" ]] || return 0 - - python3 - <<'PY' <<<"$json" -import json, sys -try: - data = json.loads(sys.stdin.read()) -except Exception: - sys.exit(0) -for r in data: - vmid = r.get("vmid") - if isinstance(vmid, int): - print(vmid) -PY -} - -pve_vmid_exists_cluster() { - local vmid="$1" - [[ "$vmid" =~ ^[0-9]+$ ]] || return 1 - pve_cluster_vmids | awk -v id="$vmid" '$1==id{found=1} END{exit found?0:1}' -} - -# Customer-safe CTID: -# epoch - 1000000000 => e.g. 1768138201 -> 768138201 -pve_select_customer_ctid() { - need_cmd date - local base - base="$(date +%s)" - local ctid=$((base - 1000000000)) - - # ensure integer + not used - while pve_vmid_exists_cluster "$ctid"; do - ctid=$((ctid + 1)) - done - echo "$ctid" -} - -# Ensure Debian 12 template exists and return "storage:vztmpl/" on STDOUT ONLY. +# Ensure Debian 12 template exists. +# IMPORTANT: stdout MUST be ONLY the template path. pve_template_ensure_debian12() { - need_cmd pveam awk grep - local preferred_store="$1" - local tpl="debian-12-standard_12.12-1_amd64.tar.zst" - local store="$preferred_store" + local preferred_storage="${1:?storage}" + local tmpl="debian-12-standard_12.12-1_amd64.tar.zst" + local tmpl_path="" - # Some storages (e.g. local-zfs) don't support templates in pveam. - if ! pveam list "$store" >/dev/null 2>&1; then - warn "pveam storage '$store' not available for templates; falling back to 'local'" - store="local" + # pveam templates are stored on storages that have 'vztmpl' content type. + # Many setups only allow 'local' for templates. + if pveam available -section system 2>/dev/null | awk '{print $2}' | grep -qx "$tmpl"; then + : + else + warn "Could not verify template list via pveam available; continuing anyway." fi - # Make sure template exists; download if missing - if ! pveam list "$store" 2>/dev/null | awk '{print $2}' | grep -qx "$tpl"; then - info "Downloading CT template to ${store}: ${tpl}" - pveam update >/dev/null 2>&1 || true - pveam download "$store" "$tpl" >/dev/null + # Decide template storage: prefer given storage if it supports vztmpl; else fallback to 'local' + if pvesm status -content vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$preferred_storage"; then + : + else + warn "pveam storage '${preferred_storage}' not available for templates; falling back to 'local'" + preferred_storage="local" fi - # IMPORTANT: only echo the template ref on STDOUT - echo "${store}:vztmpl/${tpl}" + # Download if missing + if ! pvesm list "${preferred_storage}" 2>/dev/null | awk '{print $1}' | grep -q "vztmpl/${tmpl}$"; then + info "Downloading CT template to ${preferred_storage}: ${tmpl}" + pveam download "${preferred_storage}" "${tmpl}" >/dev/null + else + info "CT template already present on ${preferred_storage}: ${tmpl}" + fi + + tmpl_path="${preferred_storage}:vztmpl/${tmpl}" + echo "${tmpl_path}" } -# Build net0 string, supports VLAN tag +# Build net0 string with optional VLAN tag and ip config. +# IPCFG: "dhcp" or "X.X.X.X/YY" +# VLAN: empty or integer pve_build_net0() { - local bridge="$1" - local ipcfg="$2" + local bridge="${1:?bridge}" + local ipcfg="${2:?ipcfg}" local vlan="${3:-}" - local base="name=eth0,bridge=${bridge},ip=${ipcfg}" - if [[ -n "$vlan" ]]; then - echo "${base},tag=${vlan}" + local net="name=eth0,bridge=${bridge}" + + if [[ "${ipcfg}" == "dhcp" ]]; then + net+=",ip=dhcp" else - echo "${base}" + net+=",ip=${ipcfg}" fi + + if [[ -n "${vlan}" ]]; then + net+=",tag=${vlan}" + fi + + echo "${net}" } -# Wait for IPv4 on eth0 +# Wait for DHCP IP pct_wait_for_ip() { - need_cmd pct awk cut head sleep - local ctid="$1" - local tries="${2:-60}" + local ctid="${1:?ctid}" + local tries=60 - local i ip - for i in $(seq 1 "$tries"); do - ip="$(pct exec "$ctid" -- bash -lc "ip -4 -o addr show dev eth0 2>/dev/null | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)" - if [[ -n "$ip" ]]; then - echo "$ip" + while (( tries-- > 0 )); do + # Prefer pct exec hostname -I; fallback to ip -4 addr + local ip="" + ip="$(pct exec "${ctid}" -- bash -lc "hostname -I 2>/dev/null | awk '{print \$1}'" 2>/dev/null || true)" + if [[ -z "${ip}" ]]; then + ip="$(pct exec "${ctid}" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)" + fi + if [[ -n "${ip}" ]]; then + echo "${ip}" return 0 fi sleep 1 done + return 1 } pct_exec() { - local ctid="$1"; shift - pct exec "$ctid" -- bash -lc "$*" + local ctid="${1:?ctid}" + shift + # run inside CT + pct exec "${ctid}" -- bash -lc "$*" } -# Generate secrets without pipelines that trigger broken-pipe noise -rand_hex_32() { - need_cmd openssl - openssl rand -hex 32 +# --------------------------- +# CTID strategy (your decision) +# Use: (unix_time - 1_000_000_000) => safe until 2038 +# --------------------------- +pve_select_customer_ctid() { + local now + now="$(date +%s)" + local ctid=$(( now - 1000000000 )) + # Guard: must be positive integer + (( ctid > 0 )) || die "Computed CTID is invalid: ${ctid}" + echo "${ctid}" } -rand_pw_32() { - need_cmd openssl - # URL-safe-ish - openssl rand -base64 32 | tr -d '\n' | tr '/+' 'Aa' | cut -c1-32 +# --------------------------- +# Secrets (NO tr pipes) +# --------------------------- +gen_hex() { + local nbytes="${1:-32}" + # openssl rand -hex N -> 2N hex chars, no pipes, no 'tr' + openssl rand -hex "${nbytes}" +} + +# JSON escaping minimal for our known safe values (hex + simple strings) +json_escape() { + local s="$1" + s="${s//\\/\\\\}" + s="${s//\"/\\\"}" + s="${s//$'\n'/\\n}" + echo -n "$s" }