Prototype2.4_add_user

2026-01-11 16:30:31 +01:00
parent 555d908dd2
commit 4372489bb6
2 changed files with 206 additions and 178 deletions
--- a/libsupabase.sh
+++ b/libsupabase.sh
@@ -1,18 +1,19 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail

-# ----------------------------
-# Logging (ALLES nach STDERR!)
-# ----------------------------
-_ts() { date '+%F %T'; }
+# ---------------------------
+# Logging (ALLES nach stderr)
+# ---------------------------
+_ts() { date +"%F %T"; }

-log()  { echo "[$(_ts)] $*" >&2; }
-info() { log "INFO: $*"; }
-warn() { log "WARN: $*"; }
-die()  { log "ERROR: $*"; exit 1; }
+info() { echo "[$(_ts)] INFO: $*" >&2; }
+warn() { echo "[$(_ts)] WARN: $*" >&2; }
+err()  { echo "[$(_ts)] ERROR: $*" >&2; }
+
+die() { err "$*"; exit 1; }

 setup_traps() {
-  trap 'die "Failed at line ${LINENO}: ${BASH_COMMAND} (exit=$?)"' ERR
+  trap 'rc=$?; err "Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=${rc})"; exit ${rc}' ERR
 }

 need_cmd() {
@@ -22,130 +23,133 @@ need_cmd() {
  done
 }

-# ----------------------------
+# ---------------------------
 # Proxmox helpers
-# ----------------------------
+# ---------------------------
 pve_storage_exists() {
-  local st="$1"
-  pvesm status --storage "$st" >/dev/null 2>&1
+  local st="${1:?storage}"
+  pvesm status -content rootdir,vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$st"
 }

 pve_bridge_exists() {
-  local br="$1"
-  [[ -d "/sys/class/net/${br}/bridge" ]]
+  local br="${1:?bridge}"
+  ip link show "$br" >/dev/null 2>&1
 }

-# Return list of all VMIDs in the cluster (CT + VM), one per line.
-# No pipelines to "tail" etc. in-script -> avoids broken pipe.
-pve_cluster_vmids() {
-  need_cmd pvesh python3
-  local json
-  json="$(pvesh get /cluster/resources --type vm --output-format json 2>/dev/null || true)"
-  [[ -n "$json" ]] || return 0
-
-  python3 - <<'PY' <<<"$json"
-import json, sys
-try:
-    data = json.loads(sys.stdin.read())
-except Exception:
-    sys.exit(0)
-for r in data:
-    vmid = r.get("vmid")
-    if isinstance(vmid, int):
-        print(vmid)
-PY
-}
-
-pve_vmid_exists_cluster() {
-  local vmid="$1"
-  [[ "$vmid" =~ ^[0-9]+$ ]] || return 1
-  pve_cluster_vmids | awk -v id="$vmid" '$1==id{found=1} END{exit found?0:1}'
-}
-
-# Customer-safe CTID:
-# epoch - 1000000000  => e.g. 1768138201 -> 768138201
-pve_select_customer_ctid() {
-  need_cmd date
-  local base
-  base="$(date +%s)"
-  local ctid=$((base - 1000000000))
-
-  # ensure integer + not used
-  while pve_vmid_exists_cluster "$ctid"; do
-    ctid=$((ctid + 1))
-  done
-  echo "$ctid"
-}
-
-# Ensure Debian 12 template exists and return "storage:vztmpl/<file>" on STDOUT ONLY.
+# Ensure Debian 12 template exists.
+# IMPORTANT: stdout MUST be ONLY the template path.
 pve_template_ensure_debian12() {
-  need_cmd pveam awk grep
-  local preferred_store="$1"
-  local tpl="debian-12-standard_12.12-1_amd64.tar.zst"
-  local store="$preferred_store"
+  local preferred_storage="${1:?storage}"
+  local tmpl="debian-12-standard_12.12-1_amd64.tar.zst"
+  local tmpl_path=""

-  # Some storages (e.g. local-zfs) don't support templates in pveam.
-  if ! pveam list "$store" >/dev/null 2>&1; then
-    warn "pveam storage '$store' not available for templates; falling back to 'local'"
-    store="local"
+  # pveam templates are stored on storages that have 'vztmpl' content type.
+  # Many setups only allow 'local' for templates.
+  if pveam available -section system 2>/dev/null | awk '{print $2}' | grep -qx "$tmpl"; then
+    :
+  else
+    warn "Could not verify template list via pveam available; continuing anyway."
  fi

-  # Make sure template exists; download if missing
-  if ! pveam list "$store" 2>/dev/null | awk '{print $2}' | grep -qx "$tpl"; then
-    info "Downloading CT template to ${store}: ${tpl}"
-    pveam update >/dev/null 2>&1 || true
-    pveam download "$store" "$tpl" >/dev/null
+  # Decide template storage: prefer given storage if it supports vztmpl; else fallback to 'local'
+  if pvesm status -content vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$preferred_storage"; then
+    :
+  else
+    warn "pveam storage '${preferred_storage}' not available for templates; falling back to 'local'"
+    preferred_storage="local"
  fi

-  # IMPORTANT: only echo the template ref on STDOUT
-  echo "${store}:vztmpl/${tpl}"
+  # Download if missing
+  if ! pvesm list "${preferred_storage}" 2>/dev/null | awk '{print $1}' | grep -q "vztmpl/${tmpl}$"; then
+    info "Downloading CT template to ${preferred_storage}: ${tmpl}"
+    pveam download "${preferred_storage}" "${tmpl}" >/dev/null
+  else
+    info "CT template already present on ${preferred_storage}: ${tmpl}"
+  fi
+
+  tmpl_path="${preferred_storage}:vztmpl/${tmpl}"
+  echo "${tmpl_path}"
 }

-# Build net0 string, supports VLAN tag
+# Build net0 string with optional VLAN tag and ip config.
+# IPCFG: "dhcp" or "X.X.X.X/YY"
+# VLAN: empty or integer
 pve_build_net0() {
-  local bridge="$1"
-  local ipcfg="$2"
+  local bridge="${1:?bridge}"
+  local ipcfg="${2:?ipcfg}"
  local vlan="${3:-}"

-  local base="name=eth0,bridge=${bridge},ip=${ipcfg}"
-  if [[ -n "$vlan" ]]; then
-    echo "${base},tag=${vlan}"
+  local net="name=eth0,bridge=${bridge}"
+
+  if [[ "${ipcfg}" == "dhcp" ]]; then
+    net+=",ip=dhcp"
  else
-    echo "${base}"
+    net+=",ip=${ipcfg}"
  fi
+
+  if [[ -n "${vlan}" ]]; then
+    net+=",tag=${vlan}"
+  fi
+
+  echo "${net}"
 }

-# Wait for IPv4 on eth0
+# Wait for DHCP IP
 pct_wait_for_ip() {
-  need_cmd pct awk cut head sleep
-  local ctid="$1"
-  local tries="${2:-60}"
+  local ctid="${1:?ctid}"
+  local tries=60

-  local i ip
-  for i in $(seq 1 "$tries"); do
-    ip="$(pct exec "$ctid" -- bash -lc "ip -4 -o addr show dev eth0 2>/dev/null | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
-    if [[ -n "$ip" ]]; then
-      echo "$ip"
+  while (( tries-- > 0 )); do
+    # Prefer pct exec hostname -I; fallback to ip -4 addr
+    local ip=""
+    ip="$(pct exec "${ctid}" -- bash -lc "hostname -I 2>/dev/null | awk '{print \$1}'" 2>/dev/null || true)"
+    if [[ -z "${ip}" ]]; then
+      ip="$(pct exec "${ctid}" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
+    fi
+    if [[ -n "${ip}" ]]; then
+      echo "${ip}"
      return 0
    fi
    sleep 1
  done
+
  return 1
 }

 pct_exec() {
-  local ctid="$1"; shift
-  pct exec "$ctid" -- bash -lc "$*"
+  local ctid="${1:?ctid}"
+  shift
+  # run inside CT
+  pct exec "${ctid}" -- bash -lc "$*"
 }

-# Generate secrets without pipelines that trigger broken-pipe noise
-rand_hex_32() {
-  need_cmd openssl
-  openssl rand -hex 32
+# ---------------------------
+# CTID strategy (your decision)
+# Use: (unix_time - 1_000_000_000)  => safe until 2038
+# ---------------------------
+pve_select_customer_ctid() {
+  local now
+  now="$(date +%s)"
+  local ctid=$(( now - 1000000000 ))
+  # Guard: must be positive integer
+  (( ctid > 0 )) || die "Computed CTID is invalid: ${ctid}"
+  echo "${ctid}"
 }

-rand_pw_32() {
-  need_cmd openssl
-  # URL-safe-ish
-  openssl rand -base64 32 | tr -d '\n' | tr '/+' 'Aa' | cut -c1-32
+# ---------------------------
+# Secrets (NO tr pipes)
+# ---------------------------
+gen_hex() {
+  local nbytes="${1:-32}"
+  # openssl rand -hex N -> 2N hex chars, no pipes, no 'tr'
+  openssl rand -hex "${nbytes}"
+}
+
+# JSON escaping minimal for our known safe values (hex + simple strings)
+json_escape() {
+  local s="$1"
+  s="${s//\\/\\\\}"
+  s="${s//\"/\\\"}"
+  s="${s//$'\n'/\\n}"
+  echo -n "$s"
 }