MediaMetz/customer-installer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prototype2.4_Owner-Setup_Screen_Passwort-Policy

Browse Source
This commit is contained in:
Wolfgang
2026-01-11 17:54:12 +01:00
parent 4372489bb6
commit 440dfbe8c4
2 changed files with 271 additions and 225 deletions
Download Patch File Download Diff File Expand all files Collapse all files

222
libsupabase.sh
View File

@@ -1,19 +1,13 @@
#!/usr/bin/env bash
set -Eeuo pipefail
# ---------------------------
# Logging (ALLES nach stderr)
# ---------------------------
_ts() { date +"%F %T"; }
info() { echo "[$(_ts)] INFO: $*" >&2; }
warn() { echo "[$(_ts)] WARN: $*" >&2; }
err() { echo "[$(_ts)] ERROR: $*" >&2; }
die() { err "$*"; exit 1; }
log_ts() { date "+[%F %T]"; }
info() { echo "$(log_ts) INFO: $*" >&2; }
warn() { echo "$(log_ts) WARN: $*" >&2; }
die() { echo "$(log_ts) ERROR: $*" >&2; exit 1; }
setup_traps() {
trap 'rc=$?; err "Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=${rc})"; exit ${rc}' ERR
trap 'rc=$?; [[ $rc -ne 0 ]] && echo "$(log_ts) ERROR: Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=$rc)" >&2; exit $rc' ERR
}
need_cmd() {
@@ -23,133 +17,165 @@ need_cmd() {
done
}
# ---------------------------
# Proxmox helpers
# ---------------------------
# ----- Proxmox helpers -----
pve_storage_exists() {
local st="${1:?storage}"
pvesm status -content rootdir,vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$st"
local s="$1"
pvesm status | awk 'NR>1{print $1}' | grep -qx "$s"
}
pve_bridge_exists() {
local br="${1:?bridge}"
ip link show "$br" >/dev/null 2>&1
local b="$1"
ip link show "$b" >/dev/null 2>&1
}
# Ensure Debian 12 template exists.
# IMPORTANT: stdout MUST be ONLY the template path.
# Return ONLY template path on stdout. Logs go to stderr.
pve_template_ensure_debian12() {
local preferred_storage="${1:?storage}"
local storage="$1"
local tmpl="debian-12-standard_12.12-1_amd64.tar.zst"
local tmpl_path=""
local cache="/var/lib/vz/template/cache/${tmpl}"
# pveam templates are stored on storages that have 'vztmpl' content type.
# Many setups only allow 'local' for templates.
if pveam available -section system 2>/dev/null | awk '{print $2}' | grep -qx "$tmpl"; then
:
else
warn "Could not verify template list via pveam available; continuing anyway."
# pveam templates must be on "local" (dir storage), not on zfs
local tstore="$storage"
if ! pveam available -section system >/dev/null 2>&1; then
warn "pveam not working? continuing"
fi
# Decide template storage: prefer given storage if it supports vztmpl; else fallback to 'local'
if pvesm status -content vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$preferred_storage"; then
:
else
warn "pveam storage '${preferred_storage}' not available for templates; falling back to 'local'"
preferred_storage="local"
# heuristic: if storage isn't usable for templates, fallback to local
# Most Proxmox setups use 'local' for templates.
if ! pvesm status | awk 'NR>1{print $1,$2}' | grep -q "^${tstore} "; then
warn "pveam storage '${tstore}' not found; falling back to 'local'"
tstore="local"
fi
# Download if missing
if ! pvesm list "${preferred_storage}" 2>/dev/null | awk '{print $1}' | grep -q "vztmpl/${tmpl}$"; then
info "Downloading CT template to ${preferred_storage}: ${tmpl}"
pveam download "${preferred_storage}" "${tmpl}" >/dev/null
else
info "CT template already present on ${preferred_storage}: ${tmpl}"
# If storage exists but isn't a dir storage for templates, pveam will fail -> fallback
if ! pveam list "${tstore}" >/dev/null 2>&1; then
warn "pveam storage '${tstore}' not available for templates; falling back to 'local'"
tstore="local"
fi
tmpl_path="${preferred_storage}:vztmpl/${tmpl}"
echo "${tmpl_path}"
if [[ ! -f "$cache" ]]; then
info "Downloading CT template to ${tstore}: ${tmpl}"
pveam download "${tstore}" "${tmpl}" >&2
fi
echo "${tstore}:vztmpl/${tmpl}"
}
# Build net0 string with optional VLAN tag and ip config.
# IPCFG: "dhcp" or "X.X.X.X/YY"
# VLAN: empty or integer
# Build net0 string (with optional vlan tag)
pve_build_net0() {
local bridge="${1:?bridge}"
local ipcfg="${2:?ipcfg}"
local vlan="${3:-}"
local bridge="$1"
local ipcfg="$2"
local vlan="${3:-0}"
local net="name=eth0,bridge=${bridge}"
local mac
mac="$(gen_mac)"
if [[ "${ipcfg}" == "dhcp" ]]; then
local net="name=eth0,bridge=${bridge},hwaddr=${mac}"
if [[ "$vlan" != "0" ]]; then
net+=",tag=${vlan}"
fi
if [[ "$ipcfg" == "dhcp" ]]; then
net+=",ip=dhcp"
else
net+=",ip=${ipcfg}"
fi
if [[ -n "${vlan}" ]]; then
net+=",tag=${vlan}"
fi
echo "${net}"
echo "$net"
}
# Wait for DHCP IP
# Wait for IP from pct; returns first IPv4
pct_wait_for_ip() {
local ctid="${1:?ctid}"
local tries=60
while (( tries-- > 0 )); do
# Prefer pct exec hostname -I; fallback to ip -4 addr
local ip=""
ip="$(pct exec "${ctid}" -- bash -lc "hostname -I 2>/dev/null | awk '{print \$1}'" 2>/dev/null || true)"
if [[ -z "${ip}" ]]; then
ip="$(pct exec "${ctid}" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
fi
if [[ -n "${ip}" ]]; then
echo "${ip}"
local ctid="$1"
local i ip
for i in $(seq 1 40); do
ip="$(pct exec "$ctid" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
if [[ -n "$ip" ]]; then
echo "$ip"
return 0
fi
sleep 1
done
return 1
}
pct_exec() {
local ctid="${1:?ctid}"
shift
# run inside CT
pct exec "${ctid}" -- bash -lc "$*"
local ctid="$1"; shift
pct exec "$ctid" -- bash -lc "$*"
}
# ---------------------------
# CTID strategy (your decision)
# Use: (unix_time - 1_000_000_000) => safe until 2038
# ---------------------------
pve_select_customer_ctid() {
local now
now="$(date +%s)"
local ctid=$(( now - 1000000000 ))
# Guard: must be positive integer
(( ctid > 0 )) || die "Computed CTID is invalid: ${ctid}"
echo "${ctid}"
# Push a text file into CT without SCP
pct_push_text() {
local ctid="$1"
local dest="$2"
local content="$3"
pct exec "$ctid" -- bash -lc "cat > '$dest' <<'EOF'
${content}
EOF"
}
# ---------------------------
# Secrets (NO tr pipes)
# ---------------------------
gen_hex() {
local nbytes="${1:-32}"
# openssl rand -hex N -> 2N hex chars, no pipes, no 'tr'
openssl rand -hex "${nbytes}"
# Cluster VMID existence check (best effort)
# Uses pvesh cluster resources. If API not available, returns false (and caller can choose another approach).
pve_vmid_exists_cluster() {
local vmid="$1"
pvesh get /cluster/resources --output-format json 2>/dev/null \
| python3 - <<'PY' "$vmid" || exit 0
import json,sys
vmid=sys.argv[1]
try:
data=json.load(sys.stdin)
except Exception:
sys.exit(0)
for r in data:
if str(r.get("vmid",""))==str(vmid):
sys.exit(1)
sys.exit(0)
PY
[[ $? -eq 1 ]]
}
# JSON escaping minimal for our known safe values (hex + simple strings)
json_escape() {
local s="$1"
s="${s//\\/\\\\}"
s="${s//\"/\\\"}"
s="${s//$'\n'/\\n}"
echo -n "$s"
# Your agreed CTID scheme: unix time - 1,000,000,000
pve_ctid_from_unixtime() {
local ts="$1"
echo $(( ts - 1000000000 ))
}
# ----- Generators / policies -----
# Avoid "tr: Broken pipe" by not piping random through tr|head.
gen_hex_64() {
# 64 hex chars = 32 bytes
openssl rand -hex 32
}
gen_mac() {
# locally administered unicast: 02:xx:xx:xx:xx:xx
printf '02:%02x:%02x:%02x:%02x:%02x\n' \
"$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))"
}
password_policy_check() {
local p="$1"
[[ ${#p} -ge 8 ]] || return 1
[[ "$p" =~ [0-9] ]] || return 1
[[ "$p" =~ [A-Z] ]] || return 1
return 0
}
gen_password_policy() {
# generate until it matches policy (no broken pipes, deterministic enough)
local p
while true; do
# 18 chars, base64-ish but remove confusing chars
p="$(openssl rand -base64 18 | tr -d '/+=' | cut -c1-16)"
# ensure at least one uppercase and number
p="${p}A1"
password_policy_check "$p" && { echo "$p"; return 0; }
done
}
emit_json() {
# prints to stdout only; keep logs on stderr
cat
}