diff --git a/install.sh b/install.sh index 6f3078b..5529d90 100755 --- a/install.sh +++ b/install.sh @@ -11,7 +11,7 @@ Usage: bash install.sh [options] Core options: - --ctid Force CTID (optional) + --ctid Force CT ID (optional). If omitted, a customer-safe CTID is generated. --cores (default: 2) --memory (default: 4096) --swap (default: 512) @@ -19,10 +19,18 @@ Core options: --bridge (default: vmbr0) --storage (default: local-zfs) --ip (default: dhcp) - --vlan (default: 90) (empty/0 disables tagging) - --domain (default: userman.de) -> FQDN=sb-.DOMAIN + --vlan VLAN tag for net0 (default: 90; set 0 to disable) --privileged Create privileged CT (default: unprivileged) + +Domain / n8n options: + --base-domain (default: userman.de) -> FQDN becomes sb-.domain + --n8n-owner-email (default: admin@) + --n8n-owner-pass Optional. If omitted, generated (policy compliant). --help Show help + +Notes: +- This script creates a Debian 12 LXC and provisions Docker + customer stack (Postgres/pgvector + n8n). +- At the end it prints a JSON with credentials and URLs. EOF } @@ -36,55 +44,56 @@ BRIDGE="vmbr0" STORAGE="local-zfs" IPCFG="dhcp" VLAN="90" -DOMAIN="userman.de" UNPRIV="1" +BASE_DOMAIN="userman.de" +N8N_OWNER_EMAIL="" +N8N_OWNER_PASS="" + # --------------------------- # Arg parsing # --------------------------- while [[ $# -gt 0 ]]; do case "$1" in - --ctid) CTID="${2:-}"; shift 2 ;; - --cores) CORES="${2:-}"; shift 2 ;; - --memory) MEMORY="${2:-}"; shift 2 ;; - --swap) SWAP="${2:-}"; shift 2 ;; - --disk) DISK="${2:-}"; shift 2 ;; - --bridge) BRIDGE="${2:-}"; shift 2 ;; - --storage) STORAGE="${2:-}"; shift 2 ;; - --ip) IPCFG="${2:-}"; shift 2 ;; - --vlan) VLAN="${2:-}"; shift 2 ;; - --domain) DOMAIN="${2:-}"; shift 2 ;; + --ctid) CTID="${2:-}"; shift 2 ;; + --cores) CORES="${2:-}"; shift 2 ;; + --memory) MEMORY="${2:-}"; shift 2 ;; + --swap) SWAP="${2:-}"; shift 2 ;; + --disk) DISK="${2:-}"; shift 2 ;; + --bridge) BRIDGE="${2:-}"; shift 2 ;; + --storage) STORAGE="${2:-}"; shift 2 ;; + --ip) IPCFG="${2:-}"; shift 2 ;; + --vlan) VLAN="${2:-}"; shift 2 ;; --privileged) UNPRIV="0"; shift 1 ;; - --help|-h) usage; exit 0 ;; + --base-domain) BASE_DOMAIN="${2:-}"; shift 2 ;; + --n8n-owner-email) N8N_OWNER_EMAIL="${2:-}"; shift 2 ;; + --n8n-owner-pass) N8N_OWNER_PASS="${2:-}"; shift 2 ;; + --help|-h) usage; exit 0 ;; *) die "Unknown option: $1 (use --help)" ;; esac done -# Basic validation -[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer" +# --------------------------- +# Validation +# --------------------------- +[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer" [[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer" -[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer" -[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer" +[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer" +[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer" [[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid" +[[ "$VLAN" =~ ^[0-9]+$ ]] || die "--vlan must be integer (0 disables tagging)" +[[ -n "$BASE_DOMAIN" ]] || die "--base-domain must not be empty" if [[ "$IPCFG" != "dhcp" ]]; then [[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)" fi -if [[ -n "${VLAN}" && "${VLAN}" != "0" ]]; then - [[ "${VLAN}" =~ ^[0-9]+$ ]] || die "--vlan must be integer or 0" -else - VLAN="" -fi - -[[ -n "${DOMAIN}" ]] || die "--domain must not be empty" - info "Argument-Parsing OK" # --------------------------- # Preflight Proxmox # --------------------------- -need_cmd pct pvesm pveam pvesh grep date awk ip openssl +need_cmd pct pvesm pveam pvesh grep date awk sed cut tr head pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE" pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE" @@ -92,16 +101,34 @@ pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE" TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")" info "Template OK: ${TEMPLATE}" -# Hostname based on unix time -UNIX_TS="$(date +%s)" -CT_HOSTNAME="sb-${UNIX_TS}" -FQDN="${CT_HOSTNAME}.${DOMAIN}" +# Hostname / FQDN based on unix time +UNIXTS="$(date +%s)" +CT_HOSTNAME="sb-${UNIXTS}" +FQDN="${CT_HOSTNAME}.${BASE_DOMAIN}" # CTID selection if [[ -n "$CTID" ]]; then [[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer" + if pve_vmid_exists_cluster "$CTID"; then + die "Forced CTID=${CTID} already exists in cluster" + fi else - CTID="$(pve_select_customer_ctid)" + # Your agreed approach: unix time - 1000000000 (safe until 2038) + CTID="$(pve_ctid_from_unixtime "$UNIXTS")" + if pve_vmid_exists_cluster "$CTID"; then + die "Generated CTID=${CTID} already exists in cluster (unexpected). Try again in 1s." + fi +fi + +# n8n owner defaults +if [[ -z "$N8N_OWNER_EMAIL" ]]; then + N8N_OWNER_EMAIL="admin@${BASE_DOMAIN}" +fi +if [[ -z "$N8N_OWNER_PASS" ]]; then + N8N_OWNER_PASS="$(gen_password_policy)" +else + # enforce policy early to avoid the UI error you saw + password_policy_check "$N8N_OWNER_PASS" || die "--n8n-owner-pass does not meet policy: 8+ chars, 1 number, 1 uppercase" fi info "CTID selected: ${CTID}" @@ -109,7 +136,7 @@ info "SCRIPT_DIR=${SCRIPT_DIR}" info "CT_HOSTNAME=${CT_HOSTNAME}" info "FQDN=${FQDN}" info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB" -info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN:-none} unprivileged=${UNPRIV}" +info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN} unprivileged=${UNPRIV}" # --------------------------- # Step 5: Create CT @@ -147,14 +174,11 @@ info "CT_IP=${CT_IP}" # --------------------------- info "Step 6: Provisioning im CT (Docker + Locales + Base)" -# Base packages +# Locales (avoid perl warnings + consistent system) pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y" -pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release locales" - -# Locales (German default, but keep system stable) -pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen" +pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y locales ca-certificates curl gnupg lsb-release" +pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen || true" pct_exec "${CTID}" "locale-gen >/dev/null || true" -pct_exec "${CTID}" "printf 'LANG=de_DE.UTF-8\nLC_ALL=de_DE.UTF-8\n' > /etc/default/locale || true" pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8 || true" # Docker official repo (Debian 12 / bookworm) @@ -166,7 +190,9 @@ pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin" # Create stack directories -pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes /opt/customer-stack/sql" +pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/postgres/data /opt/customer-stack/volumes/n8n-data /opt/customer-stack/sql" +# IMPORTANT: n8n runs as node (uid 1000) => fix permissions +pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data" info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt" info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)" @@ -176,32 +202,25 @@ info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Heal # --------------------------- info "Step 7: Stack finalisieren + Secrets + Up + Checks" -# Secrets (NO tr pipes) +# Secrets PG_DB="customer" PG_USER="customer" -PG_PASSWORD="$(gen_hex 16)" -N8N_ENCRYPTION_KEY="$(gen_hex 32)" +PG_PASSWORD="$(gen_password_policy)" +N8N_ENCRYPTION_KEY="$(gen_hex_64)" -# Owner account (as requested) -N8N_USER_MANAGEMENT_DISABLED="false" -N8N_DEFAULT_USER_EMAIL="admin@${DOMAIN}" -N8N_DEFAULT_USER_PASSWORD="$(gen_hex 12)" # hex => safe, no special chars issues - -# URLs +# External URL is HTTPS via OPNsense reverse proxy (but container internally is http) N8N_PORT="5678" N8N_PROTOCOL="http" N8N_HOST="${CT_IP}" N8N_EDITOR_BASE_URL="https://${FQDN}/" WEBHOOK_URL="https://${FQDN}/" + +# If you are behind HTTPS reverse proxy, secure cookies can be true. +# But until proxy is in place, false avoids login trouble. N8N_SECURE_COOKIE="false" -# Telemetry/background calls off (n8n docs) -N8N_DIAGNOSTICS_ENABLED="false" -N8N_VERSION_NOTIFICATIONS_ENABLED="false" -N8N_TEMPLATES_ENABLED="false" - -# Write .env inside CT -pct_exec "${CTID}" "cat > /opt/customer-stack/.env <<'ENV' +# Write .env into CT +pct_push_text "${CTID}" "/opt/customer-stack/.env" "$(cat < /opt/customer-stack/docker-compose.yml <<'YML' +# init sql for pgvector (optional but nice) +pct_push_text "${CTID}" "/opt/customer-stack/sql/init_pgvector.sql" "$(cat <<'SQL' +CREATE EXTENSION IF NOT EXISTS vector; +CREATE EXTENSION IF NOT EXISTS pg_trgm; +SQL +)" + +# docker-compose.yml +pct_push_text "${CTID}" "/opt/customer-stack/docker-compose.yml" "$(cat <<'YML' services: postgres: image: pgvector/pgvector:pg16 container_name: customer-postgres restart: unless-stopped environment: - POSTGRES_DB: \${PG_DB} - POSTGRES_USER: \${PG_USER} - POSTGRES_PASSWORD: \${PG_PASSWORD} + POSTGRES_DB: ${PG_DB} + POSTGRES_USER: ${PG_USER} + POSTGRES_PASSWORD: ${PG_PASSWORD} volumes: - ./volumes/postgres/data:/var/lib/postgresql/data - ./sql:/docker-entrypoint-initdb.d:ro healthcheck: - test: ['CMD-SHELL', 'pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1'] + test: ["CMD-SHELL", "pg_isready -U ${PG_USER} -d ${PG_DB} || exit 1"] interval: 10s timeout: 5s retries: 20 @@ -256,39 +278,34 @@ services: postgres: condition: service_healthy ports: - - '\${N8N_PORT}:5678' + - "${N8N_PORT}:5678" environment: + # --- Web / Cookies / URL --- N8N_PORT: 5678 - N8N_PROTOCOL: \${N8N_PROTOCOL} - N8N_HOST: \${N8N_HOST} - N8N_EDITOR_BASE_URL: \${N8N_EDITOR_BASE_URL} - WEBHOOK_URL: \${WEBHOOK_URL} - N8N_SECURE_COOKIE: \${N8N_SECURE_COOKIE} + N8N_PROTOCOL: ${N8N_PROTOCOL} + N8N_HOST: ${N8N_HOST} + N8N_EDITOR_BASE_URL: ${N8N_EDITOR_BASE_URL} + WEBHOOK_URL: ${WEBHOOK_URL} + N8N_SECURE_COOKIE: ${N8N_SECURE_COOKIE} - # Owner bootstrap - N8N_USER_MANAGEMENT_DISABLED: \${N8N_USER_MANAGEMENT_DISABLED} - N8N_DEFAULT_USER_EMAIL: \${N8N_DEFAULT_USER_EMAIL} - N8N_DEFAULT_USER_PASSWORD: \${N8N_DEFAULT_USER_PASSWORD} + # --- Disable telemetry / background calls --- + N8N_DIAGNOSTICS_ENABLED: ${N8N_DIAGNOSTICS_ENABLED} + N8N_VERSION_NOTIFICATIONS_ENABLED: ${N8N_VERSION_NOTIFICATIONS_ENABLED} + N8N_TEMPLATES_ENABLED: ${N8N_TEMPLATES_ENABLED} - # Telemetry/background calls off - N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED} - N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED} - N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED} - - # DB + # --- DB (Postgres) --- DB_TYPE: postgresdb DB_POSTGRESDB_HOST: postgres DB_POSTGRESDB_PORT: 5432 - DB_POSTGRESDB_DATABASE: \${PG_DB} - DB_POSTGRESDB_USER: \${PG_USER} - DB_POSTGRESDB_PASSWORD: \${PG_PASSWORD} + DB_POSTGRESDB_DATABASE: ${PG_DB} + DB_POSTGRESDB_USER: ${PG_USER} + DB_POSTGRESDB_PASSWORD: ${PG_PASSWORD} - # TZ + # --- Basics --- GENERIC_TIMEZONE: Europe/Berlin TZ: Europe/Berlin - # Encryption - N8N_ENCRYPTION_KEY: \${N8N_ENCRYPTION_KEY} + N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY} volumes: - ./volumes/n8n-data:/home/node/.n8n @@ -298,54 +315,57 @@ services: networks: customer-net: driver: bridge -YML" +YML +)" -# Fix permissions for n8n volume (prevents restart loop EACCES) -pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/n8n-data /opt/customer-stack/volumes/postgres/data" +# Make sure permissions are correct (again, after file writes) pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data" -# Bring up stack +# Pull + up pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps" -info "Step 7 OK: Stack deployed" -info "n8n intern: http://${CT_IP}:5678/" -info "n8n extern (geplant via OPNsense): https://${FQDN}" -info "Hinweis: Telemetrie/Template/Versionschecks sind deaktiviert (n8n docs)." +# --- Owner account creation (robust way) --- +# n8n shows the setup screen if no user exists. +# We create the owner via CLI inside the container. +pct_exec "${CTID}" "cd /opt/customer-stack && docker exec -u node n8n n8n --help >/dev/null 2>&1 || true" -# --------------------------- -# FINAL: JSON output for automation -# --------------------------- -# Output on stdout ONLY (so you can capture it cleanly) -cat </dev/null 2>&1 || true)" + +# Final info +N8N_INTERNAL_URL="http://${CT_IP}:5678/" +N8N_EXTERNAL_URL="https://${FQDN}" + +info "Step 7 OK: Stack deployed" +info "n8n intern: ${N8N_INTERNAL_URL}" +info "n8n extern (geplant via OPNsense): ${N8N_EXTERNAL_URL}" + +# Machine-readable JSON output (for your downstream automation) +emit_json <&2; } -warn() { echo "[$(_ts)] WARN: $*" >&2; } -err() { echo "[$(_ts)] ERROR: $*" >&2; } - -die() { err "$*"; exit 1; } +log_ts() { date "+[%F %T]"; } +info() { echo "$(log_ts) INFO: $*" >&2; } +warn() { echo "$(log_ts) WARN: $*" >&2; } +die() { echo "$(log_ts) ERROR: $*" >&2; exit 1; } setup_traps() { - trap 'rc=$?; err "Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=${rc})"; exit ${rc}' ERR + trap 'rc=$?; [[ $rc -ne 0 ]] && echo "$(log_ts) ERROR: Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=$rc)" >&2; exit $rc' ERR } need_cmd() { @@ -23,133 +17,165 @@ need_cmd() { done } -# --------------------------- -# Proxmox helpers -# --------------------------- +# ----- Proxmox helpers ----- + pve_storage_exists() { - local st="${1:?storage}" - pvesm status -content rootdir,vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$st" + local s="$1" + pvesm status | awk 'NR>1{print $1}' | grep -qx "$s" } pve_bridge_exists() { - local br="${1:?bridge}" - ip link show "$br" >/dev/null 2>&1 + local b="$1" + ip link show "$b" >/dev/null 2>&1 } -# Ensure Debian 12 template exists. -# IMPORTANT: stdout MUST be ONLY the template path. +# Return ONLY template path on stdout. Logs go to stderr. pve_template_ensure_debian12() { - local preferred_storage="${1:?storage}" + local storage="$1" local tmpl="debian-12-standard_12.12-1_amd64.tar.zst" - local tmpl_path="" + local cache="/var/lib/vz/template/cache/${tmpl}" - # pveam templates are stored on storages that have 'vztmpl' content type. - # Many setups only allow 'local' for templates. - if pveam available -section system 2>/dev/null | awk '{print $2}' | grep -qx "$tmpl"; then - : - else - warn "Could not verify template list via pveam available; continuing anyway." + # pveam templates must be on "local" (dir storage), not on zfs + local tstore="$storage" + if ! pveam available -section system >/dev/null 2>&1; then + warn "pveam not working? continuing" fi - # Decide template storage: prefer given storage if it supports vztmpl; else fallback to 'local' - if pvesm status -content vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$preferred_storage"; then - : - else - warn "pveam storage '${preferred_storage}' not available for templates; falling back to 'local'" - preferred_storage="local" + # heuristic: if storage isn't usable for templates, fallback to local + # Most Proxmox setups use 'local' for templates. + if ! pvesm status | awk 'NR>1{print $1,$2}' | grep -q "^${tstore} "; then + warn "pveam storage '${tstore}' not found; falling back to 'local'" + tstore="local" fi - # Download if missing - if ! pvesm list "${preferred_storage}" 2>/dev/null | awk '{print $1}' | grep -q "vztmpl/${tmpl}$"; then - info "Downloading CT template to ${preferred_storage}: ${tmpl}" - pveam download "${preferred_storage}" "${tmpl}" >/dev/null - else - info "CT template already present on ${preferred_storage}: ${tmpl}" + # If storage exists but isn't a dir storage for templates, pveam will fail -> fallback + if ! pveam list "${tstore}" >/dev/null 2>&1; then + warn "pveam storage '${tstore}' not available for templates; falling back to 'local'" + tstore="local" fi - tmpl_path="${preferred_storage}:vztmpl/${tmpl}" - echo "${tmpl_path}" + if [[ ! -f "$cache" ]]; then + info "Downloading CT template to ${tstore}: ${tmpl}" + pveam download "${tstore}" "${tmpl}" >&2 + fi + + echo "${tstore}:vztmpl/${tmpl}" } -# Build net0 string with optional VLAN tag and ip config. -# IPCFG: "dhcp" or "X.X.X.X/YY" -# VLAN: empty or integer +# Build net0 string (with optional vlan tag) pve_build_net0() { - local bridge="${1:?bridge}" - local ipcfg="${2:?ipcfg}" - local vlan="${3:-}" + local bridge="$1" + local ipcfg="$2" + local vlan="${3:-0}" - local net="name=eth0,bridge=${bridge}" + local mac + mac="$(gen_mac)" - if [[ "${ipcfg}" == "dhcp" ]]; then + local net="name=eth0,bridge=${bridge},hwaddr=${mac}" + if [[ "$vlan" != "0" ]]; then + net+=",tag=${vlan}" + fi + + if [[ "$ipcfg" == "dhcp" ]]; then net+=",ip=dhcp" else net+=",ip=${ipcfg}" fi - if [[ -n "${vlan}" ]]; then - net+=",tag=${vlan}" - fi - - echo "${net}" + echo "$net" } -# Wait for DHCP IP +# Wait for IP from pct; returns first IPv4 pct_wait_for_ip() { - local ctid="${1:?ctid}" - local tries=60 - - while (( tries-- > 0 )); do - # Prefer pct exec hostname -I; fallback to ip -4 addr - local ip="" - ip="$(pct exec "${ctid}" -- bash -lc "hostname -I 2>/dev/null | awk '{print \$1}'" 2>/dev/null || true)" - if [[ -z "${ip}" ]]; then - ip="$(pct exec "${ctid}" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)" - fi - if [[ -n "${ip}" ]]; then - echo "${ip}" + local ctid="$1" + local i ip + for i in $(seq 1 40); do + ip="$(pct exec "$ctid" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)" + if [[ -n "$ip" ]]; then + echo "$ip" return 0 fi sleep 1 done - return 1 } pct_exec() { - local ctid="${1:?ctid}" - shift - # run inside CT - pct exec "${ctid}" -- bash -lc "$*" + local ctid="$1"; shift + pct exec "$ctid" -- bash -lc "$*" } -# --------------------------- -# CTID strategy (your decision) -# Use: (unix_time - 1_000_000_000) => safe until 2038 -# --------------------------- -pve_select_customer_ctid() { - local now - now="$(date +%s)" - local ctid=$(( now - 1000000000 )) - # Guard: must be positive integer - (( ctid > 0 )) || die "Computed CTID is invalid: ${ctid}" - echo "${ctid}" +# Push a text file into CT without SCP +pct_push_text() { + local ctid="$1" + local dest="$2" + local content="$3" + pct exec "$ctid" -- bash -lc "cat > '$dest' <<'EOF' +${content} +EOF" } -# --------------------------- -# Secrets (NO tr pipes) -# --------------------------- -gen_hex() { - local nbytes="${1:-32}" - # openssl rand -hex N -> 2N hex chars, no pipes, no 'tr' - openssl rand -hex "${nbytes}" +# Cluster VMID existence check (best effort) +# Uses pvesh cluster resources. If API not available, returns false (and caller can choose another approach). +pve_vmid_exists_cluster() { + local vmid="$1" + pvesh get /cluster/resources --output-format json 2>/dev/null \ + | python3 - <<'PY' "$vmid" || exit 0 +import json,sys +vmid=sys.argv[1] +try: + data=json.load(sys.stdin) +except Exception: + sys.exit(0) +for r in data: + if str(r.get("vmid",""))==str(vmid): + sys.exit(1) +sys.exit(0) +PY + [[ $? -eq 1 ]] } -# JSON escaping minimal for our known safe values (hex + simple strings) -json_escape() { - local s="$1" - s="${s//\\/\\\\}" - s="${s//\"/\\\"}" - s="${s//$'\n'/\\n}" - echo -n "$s" +# Your agreed CTID scheme: unix time - 1,000,000,000 +pve_ctid_from_unixtime() { + local ts="$1" + echo $(( ts - 1000000000 )) +} + +# ----- Generators / policies ----- + +# Avoid "tr: Broken pipe" by not piping random through tr|head. +gen_hex_64() { + # 64 hex chars = 32 bytes + openssl rand -hex 32 +} + +gen_mac() { + # locally administered unicast: 02:xx:xx:xx:xx:xx + printf '02:%02x:%02x:%02x:%02x:%02x\n' \ + "$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))" +} + +password_policy_check() { + local p="$1" + [[ ${#p} -ge 8 ]] || return 1 + [[ "$p" =~ [0-9] ]] || return 1 + [[ "$p" =~ [A-Z] ]] || return 1 + return 0 +} + +gen_password_policy() { + # generate until it matches policy (no broken pipes, deterministic enough) + local p + while true; do + # 18 chars, base64-ish but remove confusing chars + p="$(openssl rand -base64 18 | tr -d '/+=' | cut -c1-16)" + # ensure at least one uppercase and number + p="${p}A1" + password_policy_check "$p" && { echo "$p"; return 0; } + done +} + +emit_json() { + # prints to stdout only; keep logs on stderr + cat }