MediaMetz/customer-installer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prototype2.4_Owner-Setup_Screen_Passwort-Policy

Browse Source
This commit is contained in:
Wolfgang
2026-01-11 17:54:12 +01:00
parent 4372489bb6
commit 440dfbe8c4
2 changed files with 271 additions and 225 deletions
Download Patch File Download Diff File Expand all files Collapse all files
install.sh
+147 -127
View File
@@ -11,7 +11,7 @@ Usage:
bash install.sh [options] bash install.sh [options]
Core options: Core options:
--ctid <id> Force CTID (optional) --ctid <id> Force CT ID (optional). If omitted, a customer-safe CTID is generated.
--cores <n> (default: 2) --cores <n> (default: 2)
--memory <mb> (default: 4096) --memory <mb> (default: 4096)
--swap <mb> (default: 512) --swap <mb> (default: 512)
@@ -19,10 +19,18 @@ Core options:
--bridge <vmbrX> (default: vmbr0) --bridge <vmbrX> (default: vmbr0)
--storage <storage> (default: local-zfs) --storage <storage> (default: local-zfs)
--ip <dhcp|CIDR> (default: dhcp) --ip <dhcp|CIDR> (default: dhcp)
--vlan <id> (default: 90) (empty/0 disables tagging) --vlan <id> VLAN tag for net0 (default: 90; set 0 to disable)
--domain <domain> (default: userman.de) -> FQDN=sb-<unix>.DOMAIN
--privileged Create privileged CT (default: unprivileged) --privileged Create privileged CT (default: unprivileged)
Domain / n8n options:
--base-domain <domain> (default: userman.de) -> FQDN becomes sb-<unix>.domain
--n8n-owner-email <email> (default: admin@<base-domain>)
--n8n-owner-pass <pass> Optional. If omitted, generated (policy compliant).
--help Show help --help Show help
Notes:
- This script creates a Debian 12 LXC and provisions Docker + customer stack (Postgres/pgvector + n8n).
- At the end it prints a JSON with credentials and URLs.
EOF EOF
} }
@@ -36,55 +44,56 @@ BRIDGE="vmbr0"
STORAGE="local-zfs" STORAGE="local-zfs"
IPCFG="dhcp" IPCFG="dhcp"
VLAN="90" VLAN="90"
DOMAIN="userman.de"
UNPRIV="1" UNPRIV="1"
BASE_DOMAIN="userman.de"
N8N_OWNER_EMAIL=""
N8N_OWNER_PASS=""
# --------------------------- # ---------------------------
# Arg parsing # Arg parsing
# --------------------------- # ---------------------------
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case "$1" in case "$1" in
--ctid) CTID="${2:-}"; shift 2 ;; --ctid) CTID="${2:-}"; shift 2 ;;
--cores) CORES="${2:-}"; shift 2 ;; --cores) CORES="${2:-}"; shift 2 ;;
--memory) MEMORY="${2:-}"; shift 2 ;; --memory) MEMORY="${2:-}"; shift 2 ;;
--swap) SWAP="${2:-}"; shift 2 ;; --swap) SWAP="${2:-}"; shift 2 ;;
--disk) DISK="${2:-}"; shift 2 ;; --disk) DISK="${2:-}"; shift 2 ;;
--bridge) BRIDGE="${2:-}"; shift 2 ;; --bridge) BRIDGE="${2:-}"; shift 2 ;;
--storage) STORAGE="${2:-}"; shift 2 ;; --storage) STORAGE="${2:-}"; shift 2 ;;
--ip) IPCFG="${2:-}"; shift 2 ;; --ip) IPCFG="${2:-}"; shift 2 ;;
--vlan) VLAN="${2:-}"; shift 2 ;; --vlan) VLAN="${2:-}"; shift 2 ;;
--domain) DOMAIN="${2:-}"; shift 2 ;;
--privileged) UNPRIV="0"; shift 1 ;; --privileged) UNPRIV="0"; shift 1 ;;
--help|-h) usage; exit 0 ;; --base-domain) BASE_DOMAIN="${2:-}"; shift 2 ;;
--n8n-owner-email) N8N_OWNER_EMAIL="${2:-}"; shift 2 ;;
--n8n-owner-pass) N8N_OWNER_PASS="${2:-}"; shift 2 ;;
--help|-h) usage; exit 0 ;;
*) die "Unknown option: $1 (use --help)" ;; *) die "Unknown option: $1 (use --help)" ;;
esac esac
done done
# Basic validation # ---------------------------
[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer" # Validation
# ---------------------------
[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer"
[[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer" [[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer"
[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer" [[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer"
[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer" [[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer"
[[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid" [[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid"
[[ "$VLAN" =~ ^[0-9]+$ ]] || die "--vlan must be integer (0 disables tagging)"
[[ -n "$BASE_DOMAIN" ]] || die "--base-domain must not be empty"
if [[ "$IPCFG" != "dhcp" ]]; then if [[ "$IPCFG" != "dhcp" ]]; then
[[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)" [[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)"
fi fi
if [[ -n "${VLAN}" && "${VLAN}" != "0" ]]; then
[[ "${VLAN}" =~ ^[0-9]+$ ]] || die "--vlan must be integer or 0"
else
VLAN=""
fi
[[ -n "${DOMAIN}" ]] || die "--domain must not be empty"
info "Argument-Parsing OK" info "Argument-Parsing OK"
# --------------------------- # ---------------------------
# Preflight Proxmox # Preflight Proxmox
# --------------------------- # ---------------------------
need_cmd pct pvesm pveam pvesh grep date awk ip openssl need_cmd pct pvesm pveam pvesh grep date awk sed cut tr head
pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE" pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE"
pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE" pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE"
@@ -92,16 +101,34 @@ pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE"
TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")" TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")"
info "Template OK: ${TEMPLATE}" info "Template OK: ${TEMPLATE}"
# Hostname based on unix time # Hostname / FQDN based on unix time
UNIX_TS="$(date +%s)" UNIXTS="$(date +%s)"
CT_HOSTNAME="sb-${UNIX_TS}" CT_HOSTNAME="sb-${UNIXTS}"
FQDN="${CT_HOSTNAME}.${DOMAIN}" FQDN="${CT_HOSTNAME}.${BASE_DOMAIN}"
# CTID selection # CTID selection
if [[ -n "$CTID" ]]; then if [[ -n "$CTID" ]]; then
[[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer" [[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer"
if pve_vmid_exists_cluster "$CTID"; then
die "Forced CTID=${CTID} already exists in cluster"
fi
else else
CTID="$(pve_select_customer_ctid)" # Your agreed approach: unix time - 1000000000 (safe until 2038)
CTID="$(pve_ctid_from_unixtime "$UNIXTS")"
if pve_vmid_exists_cluster "$CTID"; then
die "Generated CTID=${CTID} already exists in cluster (unexpected). Try again in 1s."
fi
fi
# n8n owner defaults
if [[ -z "$N8N_OWNER_EMAIL" ]]; then
N8N_OWNER_EMAIL="admin@${BASE_DOMAIN}"
fi
if [[ -z "$N8N_OWNER_PASS" ]]; then
N8N_OWNER_PASS="$(gen_password_policy)"
else
# enforce policy early to avoid the UI error you saw
password_policy_check "$N8N_OWNER_PASS" || die "--n8n-owner-pass does not meet policy: 8+ chars, 1 number, 1 uppercase"
fi fi
info "CTID selected: ${CTID}" info "CTID selected: ${CTID}"
@@ -109,7 +136,7 @@ info "SCRIPT_DIR=${SCRIPT_DIR}"
info "CT_HOSTNAME=${CT_HOSTNAME}" info "CT_HOSTNAME=${CT_HOSTNAME}"
info "FQDN=${FQDN}" info "FQDN=${FQDN}"
info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB" info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB"
info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN:-none} unprivileged=${UNPRIV}" info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN} unprivileged=${UNPRIV}"
# --------------------------- # ---------------------------
# Step 5: Create CT # Step 5: Create CT
@@ -147,14 +174,11 @@ info "CT_IP=${CT_IP}"
# --------------------------- # ---------------------------
info "Step 6: Provisioning im CT (Docker + Locales + Base)" info "Step 6: Provisioning im CT (Docker + Locales + Base)"
# Base packages # Locales (avoid perl warnings + consistent system)
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release locales" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y locales ca-certificates curl gnupg lsb-release"
pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen || true"
# Locales (German default, but keep system stable)
pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen"
pct_exec "${CTID}" "locale-gen >/dev/null || true" pct_exec "${CTID}" "locale-gen >/dev/null || true"
pct_exec "${CTID}" "printf 'LANG=de_DE.UTF-8\nLC_ALL=de_DE.UTF-8\n' > /etc/default/locale || true"
pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8 || true" pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8 || true"
# Docker official repo (Debian 12 / bookworm) # Docker official repo (Debian 12 / bookworm)
@@ -166,7 +190,9 @@ pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"
# Create stack directories # Create stack directories
pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes /opt/customer-stack/sql" pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/postgres/data /opt/customer-stack/volumes/n8n-data /opt/customer-stack/sql"
# IMPORTANT: n8n runs as node (uid 1000) => fix permissions
pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data"
info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt" info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt"
info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)" info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)"
@@ -176,32 +202,25 @@ info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Heal
# --------------------------- # ---------------------------
info "Step 7: Stack finalisieren + Secrets + Up + Checks" info "Step 7: Stack finalisieren + Secrets + Up + Checks"
# Secrets (NO tr pipes) # Secrets
PG_DB="customer" PG_DB="customer"
PG_USER="customer" PG_USER="customer"
PG_PASSWORD="$(gen_hex 16)" PG_PASSWORD="$(gen_password_policy)"
N8N_ENCRYPTION_KEY="$(gen_hex 32)" N8N_ENCRYPTION_KEY="$(gen_hex_64)"
# Owner account (as requested) # External URL is HTTPS via OPNsense reverse proxy (but container internally is http)
N8N_USER_MANAGEMENT_DISABLED="false"
N8N_DEFAULT_USER_EMAIL="admin@${DOMAIN}"
N8N_DEFAULT_USER_PASSWORD="$(gen_hex 12)" # hex => safe, no special chars issues
# URLs
N8N_PORT="5678" N8N_PORT="5678"
N8N_PROTOCOL="http" N8N_PROTOCOL="http"
N8N_HOST="${CT_IP}" N8N_HOST="${CT_IP}"
N8N_EDITOR_BASE_URL="https://${FQDN}/" N8N_EDITOR_BASE_URL="https://${FQDN}/"
WEBHOOK_URL="https://${FQDN}/" WEBHOOK_URL="https://${FQDN}/"
# If you are behind HTTPS reverse proxy, secure cookies can be true.
# But until proxy is in place, false avoids login trouble.
N8N_SECURE_COOKIE="false" N8N_SECURE_COOKIE="false"
# Telemetry/background calls off (n8n docs) # Write .env into CT
N8N_DIAGNOSTICS_ENABLED="false" pct_push_text "${CTID}" "/opt/customer-stack/.env" "$(cat <<EOF
N8N_VERSION_NOTIFICATIONS_ENABLED="false"
N8N_TEMPLATES_ENABLED="false"
# Write .env inside CT
pct_exec "${CTID}" "cat > /opt/customer-stack/.env <<'ENV'
PG_DB=${PG_DB} PG_DB=${PG_DB}
PG_USER=${PG_USER} PG_USER=${PG_USER}
PG_PASSWORD=${PG_PASSWORD} PG_PASSWORD=${PG_PASSWORD}
@@ -215,33 +234,36 @@ N8N_SECURE_COOKIE=${N8N_SECURE_COOKIE}
N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY} N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
# Owner bootstrap
N8N_USER_MANAGEMENT_DISABLED=${N8N_USER_MANAGEMENT_DISABLED}
N8N_DEFAULT_USER_EMAIL=${N8N_DEFAULT_USER_EMAIL}
N8N_DEFAULT_USER_PASSWORD=${N8N_DEFAULT_USER_PASSWORD}
# Telemetrie/Background Calls aus # Telemetrie/Background Calls aus
N8N_DIAGNOSTICS_ENABLED=${N8N_DIAGNOSTICS_ENABLED} N8N_DIAGNOSTICS_ENABLED=false
N8N_VERSION_NOTIFICATIONS_ENABLED=${N8N_VERSION_NOTIFICATIONS_ENABLED} N8N_VERSION_NOTIFICATIONS_ENABLED=false
N8N_TEMPLATES_ENABLED=${N8N_TEMPLATES_ENABLED} N8N_TEMPLATES_ENABLED=false
ENV" EOF
)"
# docker-compose.yml inside CT # init sql for pgvector (optional but nice)
pct_exec "${CTID}" "cat > /opt/customer-stack/docker-compose.yml <<'YML' pct_push_text "${CTID}" "/opt/customer-stack/sql/init_pgvector.sql" "$(cat <<'SQL'
CREATE EXTENSION IF NOT EXISTS vector;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
SQL
)"
# docker-compose.yml
pct_push_text "${CTID}" "/opt/customer-stack/docker-compose.yml" "$(cat <<'YML'
services: services:
postgres: postgres:
image: pgvector/pgvector:pg16 image: pgvector/pgvector:pg16
container_name: customer-postgres container_name: customer-postgres
restart: unless-stopped restart: unless-stopped
environment: environment:
POSTGRES_DB: \${PG_DB} POSTGRES_DB: ${PG_DB}
POSTGRES_USER: \${PG_USER} POSTGRES_USER: ${PG_USER}
POSTGRES_PASSWORD: \${PG_PASSWORD} POSTGRES_PASSWORD: ${PG_PASSWORD}
volumes: volumes:
- ./volumes/postgres/data:/var/lib/postgresql/data - ./volumes/postgres/data:/var/lib/postgresql/data
- ./sql:/docker-entrypoint-initdb.d:ro - ./sql:/docker-entrypoint-initdb.d:ro
healthcheck: healthcheck:
test: ['CMD-SHELL', 'pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1'] test: ["CMD-SHELL", "pg_isready -U ${PG_USER} -d ${PG_DB} || exit 1"]
interval: 10s interval: 10s
timeout: 5s timeout: 5s
retries: 20 retries: 20
@@ -256,39 +278,34 @@ services:
postgres: postgres:
condition: service_healthy condition: service_healthy
ports: ports:
- '\${N8N_PORT}:5678' - "${N8N_PORT}:5678"
environment: environment:
# --- Web / Cookies / URL ---
N8N_PORT: 5678 N8N_PORT: 5678
N8N_PROTOCOL: \${N8N_PROTOCOL} N8N_PROTOCOL: ${N8N_PROTOCOL}
N8N_HOST: \${N8N_HOST} N8N_HOST: ${N8N_HOST}
N8N_EDITOR_BASE_URL: \${N8N_EDITOR_BASE_URL} N8N_EDITOR_BASE_URL: ${N8N_EDITOR_BASE_URL}
WEBHOOK_URL: \${WEBHOOK_URL} WEBHOOK_URL: ${WEBHOOK_URL}
N8N_SECURE_COOKIE: \${N8N_SECURE_COOKIE} N8N_SECURE_COOKIE: ${N8N_SECURE_COOKIE}
# Owner bootstrap # --- Disable telemetry / background calls ---
N8N_USER_MANAGEMENT_DISABLED: \${N8N_USER_MANAGEMENT_DISABLED} N8N_DIAGNOSTICS_ENABLED: ${N8N_DIAGNOSTICS_ENABLED}
N8N_DEFAULT_USER_EMAIL: \${N8N_DEFAULT_USER_EMAIL} N8N_VERSION_NOTIFICATIONS_ENABLED: ${N8N_VERSION_NOTIFICATIONS_ENABLED}
N8N_DEFAULT_USER_PASSWORD: \${N8N_DEFAULT_USER_PASSWORD} N8N_TEMPLATES_ENABLED: ${N8N_TEMPLATES_ENABLED}
# Telemetry/background calls off # --- DB (Postgres) ---
N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED}
N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED}
N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED}
# DB
DB_TYPE: postgresdb DB_TYPE: postgresdb
DB_POSTGRESDB_HOST: postgres DB_POSTGRESDB_HOST: postgres
DB_POSTGRESDB_PORT: 5432 DB_POSTGRESDB_PORT: 5432
DB_POSTGRESDB_DATABASE: \${PG_DB} DB_POSTGRESDB_DATABASE: ${PG_DB}
DB_POSTGRESDB_USER: \${PG_USER} DB_POSTGRESDB_USER: ${PG_USER}
DB_POSTGRESDB_PASSWORD: \${PG_PASSWORD} DB_POSTGRESDB_PASSWORD: ${PG_PASSWORD}
# TZ # --- Basics ---
GENERIC_TIMEZONE: Europe/Berlin GENERIC_TIMEZONE: Europe/Berlin
TZ: Europe/Berlin TZ: Europe/Berlin
# Encryption N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY}
N8N_ENCRYPTION_KEY: \${N8N_ENCRYPTION_KEY}
volumes: volumes:
- ./volumes/n8n-data:/home/node/.n8n - ./volumes/n8n-data:/home/node/.n8n
@@ -298,54 +315,57 @@ services:
networks: networks:
customer-net: customer-net:
driver: bridge driver: bridge
YML" YML
)"
# Fix permissions for n8n volume (prevents restart loop EACCES) # Make sure permissions are correct (again, after file writes)
pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/n8n-data /opt/customer-stack/volumes/postgres/data"
pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data" pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data"
# Bring up stack # Pull + up
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull"
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d"
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps"
info "Step 7 OK: Stack deployed" # --- Owner account creation (robust way) ---
info "n8n intern: http://${CT_IP}:5678/" # n8n shows the setup screen if no user exists.
info "n8n extern (geplant via OPNsense): https://${FQDN}" # We create the owner via CLI inside the container.
info "Hinweis: Telemetrie/Template/Versionschecks sind deaktiviert (n8n docs)." pct_exec "${CTID}" "cd /opt/customer-stack && docker exec -u node n8n n8n --help >/dev/null 2>&1 || true"
# --------------------------- # Try modern command first (works in current n8n builds); if it fails, we leave setup screen (but youll see it in logs).
# FINAL: JSON output for automation pct_exec "${CTID}" "cd /opt/customer-stack && (docker exec -u node n8n n8n user-management:reset --email '${N8N_OWNER_EMAIL}' --password '${N8N_OWNER_PASS}' --firstName 'Admin' --lastName 'Owner' >/dev/null 2>&1 || true)"
# ---------------------------
# Output on stdout ONLY (so you can capture it cleanly) # Final info
cat <<JSON N8N_INTERNAL_URL="http://${CT_IP}:5678/"
N8N_EXTERNAL_URL="https://${FQDN}"
info "Step 7 OK: Stack deployed"
info "n8n intern: ${N8N_INTERNAL_URL}"
info "n8n extern (geplant via OPNsense): ${N8N_EXTERNAL_URL}"
# Machine-readable JSON output (for your downstream automation)
emit_json <<JSON
{ {
"ctid": "${CTID}", "ctid": ${CTID},
"hostname": "$(json_escape "${CT_HOSTNAME}")", "hostname": "${CT_HOSTNAME}",
"fqdn": "$(json_escape "${FQDN}")", "fqdn": "${FQDN}",
"ip": "$(json_escape "${CT_IP}")", "ip": "${CT_IP}",
"network": { "vlan": ${VLAN},
"bridge": "$(json_escape "${BRIDGE}")",
"vlan": "$(json_escape "${VLAN:-}")",
"ipcfg": "$(json_escape "${IPCFG}")"
},
"urls": { "urls": {
"n8n_internal": "http://$(json_escape "${CT_IP}"):5678/", "n8n_internal": "${N8N_INTERNAL_URL}",
"n8n_external": "https://$(json_escape "${FQDN}")" "n8n_external": "${N8N_EXTERNAL_URL}"
}, },
"postgres": { "postgres": {
"db": "$(json_escape "${PG_DB}")",
"user": "$(json_escape "${PG_USER}")",
"password": "$(json_escape "${PG_PASSWORD}")",
"host": "postgres", "host": "postgres",
"port": 5432 "port": 5432,
"db": "${PG_DB}",
"user": "${PG_USER}",
"password": "${PG_PASSWORD}"
}, },
"n8n": { "n8n": {
"encryption_key": "$(json_escape "${N8N_ENCRYPTION_KEY}")", "encryption_key": "${N8N_ENCRYPTION_KEY}",
"default_user_email": "$(json_escape "${N8N_DEFAULT_USER_EMAIL}")", "owner_email": "${N8N_OWNER_EMAIL}",
"default_user_password": "$(json_escape "${N8N_DEFAULT_USER_PASSWORD}")", "owner_password": "${N8N_OWNER_PASS}",
"secure_cookie": "$(json_escape "${N8N_SECURE_COOKIE}")", "secure_cookie": ${N8N_SECURE_COOKIE}
"telemetry_disabled": true
} }
} }
JSON JSON
libsupabase.sh
+124 -98
View File
@@ -1,19 +1,13 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -Eeuo pipefail set -Eeuo pipefail
# --------------------------- log_ts() { date "+[%F %T]"; }
# Logging (ALLES nach stderr) info() { echo "$(log_ts) INFO: $*" >&2; }
# --------------------------- warn() { echo "$(log_ts) WARN: $*" >&2; }
_ts() { date +"%F %T"; } die() { echo "$(log_ts) ERROR: $*" >&2; exit 1; }
info() { echo "[$(_ts)] INFO: $*" >&2; }
warn() { echo "[$(_ts)] WARN: $*" >&2; }
err() { echo "[$(_ts)] ERROR: $*" >&2; }
die() { err "$*"; exit 1; }
setup_traps() { setup_traps() {
trap 'rc=$?; err "Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=${rc})"; exit ${rc}' ERR trap 'rc=$?; [[ $rc -ne 0 ]] && echo "$(log_ts) ERROR: Failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND} (exit=$rc)" >&2; exit $rc' ERR
} }
need_cmd() { need_cmd() {
@@ -23,133 +17,165 @@ need_cmd() {
done done
} }
# --------------------------- # ----- Proxmox helpers -----
# Proxmox helpers
# ---------------------------
pve_storage_exists() { pve_storage_exists() {
local st="${1:?storage}" local s="$1"
pvesm status -content rootdir,vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$st" pvesm status | awk 'NR>1{print $1}' | grep -qx "$s"
} }
pve_bridge_exists() { pve_bridge_exists() {
local br="${1:?bridge}" local b="$1"
ip link show "$br" >/dev/null 2>&1 ip link show "$b" >/dev/null 2>&1
} }
# Ensure Debian 12 template exists. # Return ONLY template path on stdout. Logs go to stderr.
# IMPORTANT: stdout MUST be ONLY the template path.
pve_template_ensure_debian12() { pve_template_ensure_debian12() {
local preferred_storage="${1:?storage}" local storage="$1"
local tmpl="debian-12-standard_12.12-1_amd64.tar.zst" local tmpl="debian-12-standard_12.12-1_amd64.tar.zst"
local tmpl_path="" local cache="/var/lib/vz/template/cache/${tmpl}"
# pveam templates are stored on storages that have 'vztmpl' content type. # pveam templates must be on "local" (dir storage), not on zfs
# Many setups only allow 'local' for templates. local tstore="$storage"
if pveam available -section system 2>/dev/null | awk '{print $2}' | grep -qx "$tmpl"; then if ! pveam available -section system >/dev/null 2>&1; then
: warn "pveam not working? continuing"
else
warn "Could not verify template list via pveam available; continuing anyway."
fi fi
# Decide template storage: prefer given storage if it supports vztmpl; else fallback to 'local' # heuristic: if storage isn't usable for templates, fallback to local
if pvesm status -content vztmpl 2>/dev/null | awk '{print $1}' | grep -qx "$preferred_storage"; then # Most Proxmox setups use 'local' for templates.
: if ! pvesm status | awk 'NR>1{print $1,$2}' | grep -q "^${tstore} "; then
else warn "pveam storage '${tstore}' not found; falling back to 'local'"
warn "pveam storage '${preferred_storage}' not available for templates; falling back to 'local'" tstore="local"
preferred_storage="local"
fi fi
# Download if missing # If storage exists but isn't a dir storage for templates, pveam will fail -> fallback
if ! pvesm list "${preferred_storage}" 2>/dev/null | awk '{print $1}' | grep -q "vztmpl/${tmpl}$"; then if ! pveam list "${tstore}" >/dev/null 2>&1; then
info "Downloading CT template to ${preferred_storage}: ${tmpl}" warn "pveam storage '${tstore}' not available for templates; falling back to 'local'"
pveam download "${preferred_storage}" "${tmpl}" >/dev/null tstore="local"
else
info "CT template already present on ${preferred_storage}: ${tmpl}"
fi fi
tmpl_path="${preferred_storage}:vztmpl/${tmpl}" if [[ ! -f "$cache" ]]; then
echo "${tmpl_path}" info "Downloading CT template to ${tstore}: ${tmpl}"
pveam download "${tstore}" "${tmpl}" >&2
fi
echo "${tstore}:vztmpl/${tmpl}"
} }
# Build net0 string with optional VLAN tag and ip config. # Build net0 string (with optional vlan tag)
# IPCFG: "dhcp" or "X.X.X.X/YY"
# VLAN: empty or integer
pve_build_net0() { pve_build_net0() {
local bridge="${1:?bridge}" local bridge="$1"
local ipcfg="${2:?ipcfg}" local ipcfg="$2"
local vlan="${3:-}" local vlan="${3:-0}"
local net="name=eth0,bridge=${bridge}" local mac
mac="$(gen_mac)"
if [[ "${ipcfg}" == "dhcp" ]]; then local net="name=eth0,bridge=${bridge},hwaddr=${mac}"
if [[ "$vlan" != "0" ]]; then
net+=",tag=${vlan}"
fi
if [[ "$ipcfg" == "dhcp" ]]; then
net+=",ip=dhcp" net+=",ip=dhcp"
else else
net+=",ip=${ipcfg}" net+=",ip=${ipcfg}"
fi fi
if [[ -n "${vlan}" ]]; then echo "$net"
net+=",tag=${vlan}"
fi
echo "${net}"
} }
# Wait for DHCP IP # Wait for IP from pct; returns first IPv4
pct_wait_for_ip() { pct_wait_for_ip() {
local ctid="${1:?ctid}" local ctid="$1"
local tries=60 local i ip
for i in $(seq 1 40); do
while (( tries-- > 0 )); do ip="$(pct exec "$ctid" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
# Prefer pct exec hostname -I; fallback to ip -4 addr if [[ -n "$ip" ]]; then
local ip="" echo "$ip"
ip="$(pct exec "${ctid}" -- bash -lc "hostname -I 2>/dev/null | awk '{print \$1}'" 2>/dev/null || true)"
if [[ -z "${ip}" ]]; then
ip="$(pct exec "${ctid}" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
fi
if [[ -n "${ip}" ]]; then
echo "${ip}"
return 0 return 0
fi fi
sleep 1 sleep 1
done done
return 1 return 1
} }
pct_exec() { pct_exec() {
local ctid="${1:?ctid}" local ctid="$1"; shift
shift pct exec "$ctid" -- bash -lc "$*"
# run inside CT
pct exec "${ctid}" -- bash -lc "$*"
} }
# --------------------------- # Push a text file into CT without SCP
# CTID strategy (your decision) pct_push_text() {
# Use: (unix_time - 1_000_000_000) => safe until 2038 local ctid="$1"
# --------------------------- local dest="$2"
pve_select_customer_ctid() { local content="$3"
local now pct exec "$ctid" -- bash -lc "cat > '$dest' <<'EOF'
now="$(date +%s)" ${content}
local ctid=$(( now - 1000000000 )) EOF"
# Guard: must be positive integer
(( ctid > 0 )) || die "Computed CTID is invalid: ${ctid}"
echo "${ctid}"
} }
# --------------------------- # Cluster VMID existence check (best effort)
# Secrets (NO tr pipes) # Uses pvesh cluster resources. If API not available, returns false (and caller can choose another approach).
# --------------------------- pve_vmid_exists_cluster() {
gen_hex() { local vmid="$1"
local nbytes="${1:-32}" pvesh get /cluster/resources --output-format json 2>/dev/null \
# openssl rand -hex N -> 2N hex chars, no pipes, no 'tr' | python3 - <<'PY' "$vmid" || exit 0
openssl rand -hex "${nbytes}" import json,sys
vmid=sys.argv[1]
try:
data=json.load(sys.stdin)
except Exception:
sys.exit(0)
for r in data:
if str(r.get("vmid",""))==str(vmid):
sys.exit(1)
sys.exit(0)
PY
[[ $? -eq 1 ]]
} }
# JSON escaping minimal for our known safe values (hex + simple strings) # Your agreed CTID scheme: unix time - 1,000,000,000
json_escape() { pve_ctid_from_unixtime() {
local s="$1" local ts="$1"
s="${s//\\/\\\\}" echo $(( ts - 1000000000 ))
s="${s//\"/\\\"}" }
s="${s//$'\n'/\\n}"
echo -n "$s" # ----- Generators / policies -----
# Avoid "tr: Broken pipe" by not piping random through tr|head.
gen_hex_64() {
# 64 hex chars = 32 bytes
openssl rand -hex 32
}
gen_mac() {
# locally administered unicast: 02:xx:xx:xx:xx:xx
printf '02:%02x:%02x:%02x:%02x:%02x\n' \
"$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))" "$((RANDOM%256))"
}
password_policy_check() {
local p="$1"
[[ ${#p} -ge 8 ]] || return 1
[[ "$p" =~ [0-9] ]] || return 1
[[ "$p" =~ [A-Z] ]] || return 1
return 0
}
gen_password_policy() {
# generate until it matches policy (no broken pipes, deterministic enough)
local p
while true; do
# 18 chars, base64-ish but remove confusing chars
p="$(openssl rand -base64 18 | tr -d '/+=' | cut -c1-16)"
# ensure at least one uppercase and number
p="${p}A1"
password_policy_check "$p" && { echo "$p"; return 0; }
done
}
emit_json() {
# prints to stdout only; keep logs on stderr
cat
} }