MediaMetz/customer-installer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prototype2

Browse Source
This commit is contained in:
Wolfgang
2026-01-11 12:36:12 +01:00
parent 21d9eae530
commit a0cb72ecfb
2 changed files with 216 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files
install.sh
+98 -52
View File
@@ -11,7 +11,7 @@ Usage:
bash install.sh [options] bash install.sh [options]
Core options: Core options:
--ctid <id> Force CT ID (optional). If omitted, customer-safe CTID is generated. --ctid <id> Force CT ID (optional). If omitted, a customer-safe CTID is generated: (unix_time - 1000000000)
--cores <n> (default: 2) --cores <n> (default: 2)
--memory <mb> (default: 4096) --memory <mb> (default: 4096)
--swap <mb> (default: 512) --swap <mb> (default: 512)
@@ -19,11 +19,15 @@ Core options:
--bridge <vmbrX> (default: vmbr0) --bridge <vmbrX> (default: vmbr0)
--storage <storage> (default: local-zfs) --storage <storage> (default: local-zfs)
--ip <dhcp|CIDR> (default: dhcp) --ip <dhcp|CIDR> (default: dhcp)
--vlan <id> VLAN tag on net0 (default: 90). Use 0/empty to disable tagging. --vlan <id> VLAN tag for net0 (default: 90)
--domain <domain> Base domain for FQDN (default: userman.de)
--privileged Create privileged CT (default: unprivileged) --privileged Create privileged CT (default: unprivileged)
--base-domain <domain> e.g. userman.de (default: userman.de)
--help Show help --help Show help
Examples:
bash install.sh
bash install.sh --vlan 90 --ip dhcp
bash install.sh --ip 192.168.45.53/24 --vlan 90
EOF EOF
} }
@@ -37,9 +41,12 @@ BRIDGE="vmbr0"
STORAGE="local-zfs" STORAGE="local-zfs"
IPCFG="dhcp" IPCFG="dhcp"
VLAN="90" VLAN="90"
DOMAIN="userman.de"
UNPRIV="1" UNPRIV="1"
BASE_DOMAIN="userman.de"
# ---------------------------
# Arg parsing
# ---------------------------
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case "$1" in case "$1" in
--ctid) CTID="${2:-}"; shift 2 ;; --ctid) CTID="${2:-}"; shift 2 ;;
@@ -51,67 +58,73 @@ while [[ $# -gt 0 ]]; do
--storage) STORAGE="${2:-}"; shift 2 ;; --storage) STORAGE="${2:-}"; shift 2 ;;
--ip) IPCFG="${2:-}"; shift 2 ;; --ip) IPCFG="${2:-}"; shift 2 ;;
--vlan) VLAN="${2:-}"; shift 2 ;; --vlan) VLAN="${2:-}"; shift 2 ;;
--domain) DOMAIN="${2:-}"; shift 2 ;;
--privileged) UNPRIV="0"; shift 1 ;; --privileged) UNPRIV="0"; shift 1 ;;
--base-domain) BASE_DOMAIN="${2:-}"; shift 2 ;;
--help|-h) usage; exit 0 ;; --help|-h) usage; exit 0 ;;
*) die "Unknown option: $1 (use --help)" ;; *) die "Unknown option: $1 (use --help)" ;;
esac esac
done done
# Validate # Basic validation
[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer" is_int "$CORES" || die "--cores must be integer"
[[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer" is_int "$MEMORY" || die "--memory must be integer"
[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer" is_int "$SWAP" || die "--swap must be integer"
[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer" is_int "$DISK" || die "--disk must be integer"
is_int "$VLAN" || die "--vlan must be integer"
[[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid" [[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid"
[[ -z "$VLAN" || "$VLAN" =~ ^[0-9]+$ ]] || die "--vlan must be integer (or empty)"
[[ -n "$BASE_DOMAIN" ]] || die "--base-domain must not be empty"
if [[ "$IPCFG" != "dhcp" ]]; then if [[ "$IPCFG" != "dhcp" ]]; then
[[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)" [[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.53/24)"
fi fi
[[ -n "${DOMAIN}" ]] || die "--domain must not be empty"
info "Argument-Parsing OK" info "Argument-Parsing OK"
need_cmd pct pvesm pveam date awk grep sed # ---------------------------
# Preflight Proxmox
# ---------------------------
need_cmd pct pvesm pveam date
# Preflight
pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE" pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE"
pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE" pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE"
TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")" TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")"
info "Template OK: ${TEMPLATE}" info "Template OK: ${TEMPLATE}"
# Hostname (wie gehabt) # Hostname based on unix time (as agreed)
CT_HOSTNAME="sb-$(date +%s)" UNIXTS="$(date +%s)"
CT_HOSTNAME="sb-${UNIXTS}"
FQDN="${CT_HOSTNAME}.${DOMAIN}"
# CTID selection # CTID selection
if [[ -n "$CTID" ]]; then if [[ -n "$CTID" ]]; then
[[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer" is_int "$CTID" || die "--ctid must be integer"
if pct status "$CTID" >/dev/null 2>&1; then # nur lokal check (cluster-check war dir zu unzuverlässig)
die "Forced CTID=${CTID} already exists locally" if pct status "${CTID}" >/dev/null 2>&1; then
die "Forced CTID=${CTID} already exists on this node"
fi fi
else else
CTID="$(pve_select_customer_ctid)" CTID="$(pve_select_customer_ctid)"
fi fi
# FQDN ableiten (ohne extra Option; du weißt es erst nach Erstellung -> passt so)
FQDN="${CT_HOSTNAME}.${BASE_DOMAIN}"
info "CTID selected: ${CTID}" info "CTID selected: ${CTID}"
info "SCRIPT_DIR=${SCRIPT_DIR}" info "SCRIPT_DIR=${SCRIPT_DIR}"
info "CT_HOSTNAME=${CT_HOSTNAME}" info "CT_HOSTNAME=${CT_HOSTNAME}"
info "FQDN=${FQDN}" info "FQDN=${FQDN}"
info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB" info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB"
info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN:-0} unprivileged=${UNPRIV}" info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN} unprivileged=${UNPRIV}"
# ---------------------------
# Step 5: Create CT # Step 5: Create CT
# ---------------------------
NET0="$(pve_build_net0 "$BRIDGE" "$IPCFG" "$VLAN")" NET0="$(pve_build_net0 "$BRIDGE" "$IPCFG" "$VLAN")"
ROOTFS="${STORAGE}:${DISK}" ROOTFS="${STORAGE}:${DISK}"
FEATURES="nesting=1,keyctl=1,fuse=1" FEATURES="nesting=1,keyctl=1,fuse=1"
info "Step 5: Create CT" info "Step 5: Create CT"
info "Creating CT ${CTID} (${CT_HOSTNAME}) from ${TEMPLATE}" info "Creating CT ${CTID} (${CT_HOSTNAME}) from ${TEMPLATE}"
pct create "${CTID}" "${TEMPLATE}" \ pct create "${CTID}" "${TEMPLATE}" \
--hostname "${CT_HOSTNAME}" \ --hostname "${CT_HOSTNAME}" \
--cores "${CORES}" \ --cores "${CORES}" \
@@ -134,13 +147,22 @@ info "Step 5 OK: LXC erstellt + IP ermittelt"
info "CT_HOSTNAME=${CT_HOSTNAME}" info "CT_HOSTNAME=${CT_HOSTNAME}"
info "CT_IP=${CT_IP}" info "CT_IP=${CT_IP}"
# Step 6: Docker + locales + base dirs # ---------------------------
# Step 6: Provision inside CT (Docker + Locales + Base)
# ---------------------------
info "Step 6: Provisioning im CT (Docker + Locales + Base)" info "Step 6: Provisioning im CT (Docker + Locales + Base)"
# Base packages (include locales early, damit perl nicht meckert)
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release locales"
# Docker repo (Debian 12/bookworm) # locales setzen (de_DE.UTF-8)
pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen || true"
pct_exec "${CTID}" "locale-gen >/dev/null"
pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8"
pct_exec "${CTID}" "printf 'LANG=de_DE.UTF-8\nLC_ALL=de_DE.UTF-8\n' > /etc/default/locale"
# Docker official repo (Debian 12 / bookworm)
pct_exec "${CTID}" "install -m 0755 -d /etc/apt/keyrings" pct_exec "${CTID}" "install -m 0755 -d /etc/apt/keyrings"
pct_exec "${CTID}" "curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" pct_exec "${CTID}" "curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
pct_exec "${CTID}" "chmod a+r /etc/apt/keyrings/docker.gpg" pct_exec "${CTID}" "chmod a+r /etc/apt/keyrings/docker.gpg"
@@ -148,34 +170,39 @@ pct_exec "${CTID}" "echo \"deb [arch=\$(dpkg --print-architecture) signed-by=/et
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin" pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"
# locales fix (de_DE.UTF-8) # Create stack directories
pct_fix_locales "${CTID}" "de_DE.UTF-8" pct_exec "${CTID}" "mkdir -p /opt/customer-stack/sql /opt/customer-stack/volumes/postgres/data /opt/customer-stack/volumes/n8n-data"
pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/postgres/data /opt/customer-stack/volumes/n8n-data /opt/customer-stack/sql"
info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt" info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt"
info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)" info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)"
# Step 7: stack deploy # ---------------------------
# Step 7: Stack finalisieren + Secrets + Up + Checks
# ---------------------------
info "Step 7: Stack finalisieren + Secrets + Up + Checks" info "Step 7: Stack finalisieren + Secrets + Up + Checks"
# Secrets (ohne tr broken pipe) # secrets
PG_DB="customer" PG_DB="customer"
PG_USER="customer" PG_USER="customer"
PG_PASSWORD="$(gen_urlsafe 24)" PG_PASSWORD="$(gen_hex 16)" # 32 hex chars
N8N_ENCRYPTION_KEY="$(gen_hex 32)" # 64 hex chars N8N_ENCRYPTION_KEY="$(gen_hex 32)" # 64 hex chars
# URL / Cookies # n8n URL config:
# Wenn du später via OPNsense/NGINX TLS machst, setze PROTOCOL=https und SECURE_COOKIE=true. # intern bleibt http://CT_IP:5678
# Hier leiten wir's anhand FQDN ab (du nutzt HTTPS extern). # extern geplant via OPNsense reverse proxy: https://FQDN
N8N_PROTOCOL="http"
N8N_SECURE_COOKIE="false"
N8N_PORT="5678" N8N_PORT="5678"
N8N_PROTOCOL="http"
N8N_HOST="${CT_IP}" N8N_HOST="${CT_IP}"
N8N_EDITOR_BASE_URL="https://${FQDN}/" N8N_EDITOR_BASE_URL="https://${FQDN}/"
WEBHOOK_URL="https://${FQDN}/" WEBHOOK_URL="https://${FQDN}/"
N8N_SECURE_COOKIE="false"
# In /opt/customer-stack schreiben # Telemetrie / Background Calls aus
N8N_DIAGNOSTICS_ENABLED="false"
N8N_VERSION_NOTIFICATIONS_ENABLED="false"
N8N_TEMPLATES_ENABLED="false"
# write .env (in CT)
pct_exec "${CTID}" "cat > /opt/customer-stack/.env <<'ENV' pct_exec "${CTID}" "cat > /opt/customer-stack/.env <<'ENV'
PG_DB=${PG_DB} PG_DB=${PG_DB}
PG_USER=${PG_USER} PG_USER=${PG_USER}
@@ -190,19 +217,18 @@ N8N_SECURE_COOKIE=${N8N_SECURE_COOKIE}
N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY} N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
# Telemetrie/Background Calls aus (n8n docs) N8N_DIAGNOSTICS_ENABLED=${N8N_DIAGNOSTICS_ENABLED}
N8N_DIAGNOSTICS_ENABLED=false N8N_VERSION_NOTIFICATIONS_ENABLED=${N8N_VERSION_NOTIFICATIONS_ENABLED}
N8N_VERSION_NOTIFICATIONS_ENABLED=false N8N_TEMPLATES_ENABLED=${N8N_TEMPLATES_ENABLED}
N8N_TEMPLATES_ENABLED=false
ENV" ENV"
# pgvector init # init sql
pct_exec "${CTID}" "cat > /opt/customer-stack/sql/init_pgvector.sql <<'SQL' pct_exec "${CTID}" "cat > /opt/customer-stack/sql/init_pgvector.sql <<'SQL'
CREATE EXTENSION IF NOT EXISTS vector; CREATE EXTENSION IF NOT EXISTS vector;
CREATE EXTENSION IF NOT EXISTS pgcrypto; CREATE EXTENSION IF NOT EXISTS pgcrypto;
SQL" SQL"
# docker-compose.yml # docker-compose.yml (in CT)
pct_exec "${CTID}" "cat > /opt/customer-stack/docker-compose.yml <<'YML' pct_exec "${CTID}" "cat > /opt/customer-stack/docker-compose.yml <<'YML'
services: services:
postgres: postgres:
@@ -217,7 +243,7 @@ services:
- ./volumes/postgres/data:/var/lib/postgresql/data - ./volumes/postgres/data:/var/lib/postgresql/data
- ./sql:/docker-entrypoint-initdb.d:ro - ./sql:/docker-entrypoint-initdb.d:ro
healthcheck: healthcheck:
test: [\"CMD-SHELL\", \"pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1\"] test: ['CMD-SHELL', 'pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1']
interval: 10s interval: 10s
timeout: 5s timeout: 5s
retries: 20 retries: 20
@@ -232,7 +258,7 @@ services:
postgres: postgres:
condition: service_healthy condition: service_healthy
ports: ports:
- \"\${N8N_PORT}:5678\" - '\${N8N_PORT}:5678'
environment: environment:
N8N_PORT: 5678 N8N_PORT: 5678
N8N_PROTOCOL: \${N8N_PROTOCOL} N8N_PROTOCOL: \${N8N_PROTOCOL}
@@ -250,9 +276,10 @@ services:
GENERIC_TIMEZONE: Europe/Berlin GENERIC_TIMEZONE: Europe/Berlin
TZ: Europe/Berlin TZ: Europe/Berlin
N8N_ENCRYPTION_KEY: \${N8N_ENCRYPTION_KEY} N8N_ENCRYPTION_KEY: \${N8N_ENCRYPTION_KEY}
# Telemetrie/Background Calls aus (n8n docs) # Telemetrie/Background Calls aus
N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED} N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED}
N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED} N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED}
N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED} N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED}
@@ -267,7 +294,7 @@ networks:
driver: bridge driver: bridge
YML" YML"
# Pull + Up + Status/Checks # Deploy
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull"
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d"
pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps" pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps"
@@ -276,3 +303,22 @@ info "Step 7 OK: Stack deployed"
info "n8n intern: http://${CT_IP}:5678/" info "n8n intern: http://${CT_IP}:5678/"
info "n8n extern (geplant via OPNsense): https://${FQDN}" info "n8n extern (geplant via OPNsense): https://${FQDN}"
info "Hinweis: Telemetrie/Template/Versionschecks sind deaktiviert (n8n docs)." info "Hinweis: Telemetrie/Template/Versionschecks sind deaktiviert (n8n docs)."
# ---------------------------
# JSON Output (NUR stdout)
# ---------------------------
# Damit kann n8n/SSH node direkt JSON parsen.
# Alles andere ist in stderr geloggt.
echo -n "{"
print_json_kv "ctid" "${CTID}"; echo -n ","
print_json_kv "hostname" "${CT_HOSTNAME}"; echo -n ","
print_json_kv "fqdn" "${FQDN}"; echo -n ","
print_json_kv "ip" "${CT_IP}"; echo -n ","
print_json_kv "n8n_internal_url" "http://${CT_IP}:5678/"; echo -n ","
print_json_kv "n8n_external_url" "https://${FQDN}/"; echo -n ","
print_json_kv "pg_db" "${PG_DB}"; echo -n ","
print_json_kv "pg_user" "${PG_USER}"; echo -n ","
print_json_kv "pg_password" "${PG_PASSWORD}"; echo -n ","
print_json_kv "n8n_encryption_key" "${N8N_ENCRYPTION_KEY}"
echo "}"
libsupabase.sh
+118 -111
View File
@@ -1,26 +1,22 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# libsupabase.sh
set -Eeuo pipefail set -Eeuo pipefail
# --------------------------- # ---------- logging (ALLES nach STDERR) ----------
# Logging / Errors / Traps
# ---------------------------
_ts() { date '+%F %T'; } _ts() { date '+%F %T'; }
# log to stderr (wichtig: damit Funktions-Rückgaben via stdout sauber bleiben) _log() {
log() { echo "[$(_ts)] $*" >&2; } local level="$1"; shift
info() { log "INFO: $*"; } # stderr, damit stdout sauber bleibt (für JSON am Ende)
warn() { log "WARN: $*"; } echo "[$(_ts)] ${level}: $*" >&2
die() { log "ERROR: $*"; exit 1; }
on_error() {
local lineno="$1"
local cmd="$2"
local code="$3"
die "Failed at line ${lineno}: ${cmd} (exit=${code})"
} }
info() { _log "INFO" "$*"; }
warn() { _log "WARN" "$*"; }
err() { _log "ERROR" "$*"; }
setup_traps() { die() {
trap 'on_error "$LINENO" "$BASH_COMMAND" "$?"' ERR err "$*"
exit 1
} }
need_cmd() { need_cmd() {
@@ -30,38 +26,51 @@ need_cmd() {
done done
} }
# --------------------------- on_error() {
# Safe secret generators (NO tr|head pipelines) local lineno="$1" cmd="$2" code="$3"
# --------------------------- err "Failed at line ${lineno}: ${cmd} (exit=${code})"
# Hex secret, length = bytes*2 chars exit 1
gen_hex() {
local bytes="${1:-32}"
if command -v openssl >/dev/null 2>&1; then
openssl rand -hex "$bytes"
return 0
fi
# fallback python
python3 - <<PY
import secrets
print(secrets.token_hex($bytes))
PY
} }
# URL-safe token with approx length setup_traps() {
gen_urlsafe() { trap 'on_error "${LINENO}" "${BASH_COMMAND}" "$?"' ERR
local nbytes="${1:-32}"
python3 - <<PY
import secrets
print(secrets.token_urlsafe($nbytes))
PY
} }
# --------------------------- # ---------- helpers ----------
# Proxmox helpers is_int() { [[ "${1:-}" =~ ^[0-9]+$ ]]; }
# ---------------------------
# pct exec wrapper
# - setzt Locale für apt/Perl stabil auf C.UTF-8 während Provisioning
pct_exec() {
local ctid="$1"; shift
need_cmd pct
# shellcheck disable=SC2029
pct exec "${ctid}" -- bash -lc "export LANG=C.UTF-8 LC_ALL=C.UTF-8; $*"
}
# wait for IP via pct (DHCP)
pct_wait_for_ip() {
local ctid="$1"
need_cmd pct awk grep
local i ip
for i in {1..60}; do
# pct exec ip addr ist zuverlässiger als pct config parsing
ip="$(pct exec "${ctid}" -- bash -lc "ip -4 -o addr show scope global | awk '{print \$4}' | head -n1 | cut -d/ -f1" 2>/dev/null || true)"
if [[ -n "${ip}" ]]; then
echo "${ip}"
return 0
fi
sleep 1
done
return 1
}
# Proxmox checks
pve_storage_exists() { pve_storage_exists() {
local st="$1" local st="$1"
pvesm status --storage "$st" >/dev/null 2>&1 need_cmd pvesm
pvesm status --storage "${st}" >/dev/null 2>&1
} }
pve_bridge_exists() { pve_bridge_exists() {
@@ -69,100 +78,98 @@ pve_bridge_exists() {
[[ -d "/sys/class/net/${br}/bridge" ]] [[ -d "/sys/class/net/${br}/bridge" ]]
} }
# Build net0 string (supports optional VLAN tag)
pve_build_net0() {
local bridge="$1"
local ipcfg="$2" # dhcp OR CIDR
local vlan="${3:-}" # optional integer
local net="name=eth0,bridge=${bridge}"
if [[ -n "${vlan}" ]]; then
is_int "${vlan}" || die "--vlan must be integer"
net="${net},tag=${vlan}"
fi
if [[ "${ipcfg}" == "dhcp" ]]; then
net="${net},ip=dhcp"
else
net="${net},ip=${ipcfg}"
fi
echo "${net}"
}
# Template ensure (stdout darf NUR den Template-Pfad liefern!)
pve_template_ensure_debian12() { pve_template_ensure_debian12() {
# Gibt NUR den template-string auf stdout zurück local preferred_store="$1"
# Logs gehen auf stderr (info/warn), damit TEMPLATE nicht "vermüllt". local tpl="debian-12-standard_12.12-1_amd64.tar.zst"
local desired="debian-12-standard_12.12-1_amd64.tar.zst"
local store="$1"
need_cmd pveam awk grep need_cmd pveam awk grep
# prüfen, ob storage für templates geeignet ist local store="${preferred_store}"
if ! pveam list "$store" >/dev/null 2>&1; then
# pveam kann oft nur "local"
if ! pveam list "${store}" >/dev/null 2>&1; then
warn "pveam storage '${store}' not available for templates; falling back to 'local'" warn "pveam storage '${store}' not available for templates; falling back to 'local'"
store="local" store="local"
fi fi
# update list
pveam update >/dev/null 2>&1 || true pveam update >/dev/null 2>&1 || true
# vorhanden? # download if missing
if ! pveam list "$store" | awk '{print $2}' | grep -qx "$desired"; then if ! pveam list "${store}" 2>/dev/null | awk '{print $2}' | grep -qx "${tpl}"; then
# check available list info "Downloading CT template to ${store}: ${tpl}"
if pveam available | awk '{print $2}' | grep -qx "$desired"; then pveam download "${store}" "${tpl}" >/dev/null
info "Downloading CT template to ${store}: ${desired}"
pveam download "$store" "$desired" >/dev/null
else
die "Template not available via pveam: ${desired}"
fi
else
# optional: trotzdem loggen
:
fi fi
echo "${store}:vztmpl/${desired}" echo "${store}:vztmpl/${tpl}"
} }
pve_build_net0() { # ---- CTID selection (customer-safe): (unix_time - 1_000_000_000) ----
local bridge="$1" # Keine Cluster-Abfrage mehr nötig. Nur lokale Node-Check, + increment falls belegt.
local ipcfg="$2"
local vlan="${3:-}"
local base="name=eth0,bridge=${bridge},ip=${ipcfg}"
if [[ -n "${vlan}" && "${vlan}" != "0" ]]; then
base="${base},tag=${vlan}"
fi
echo "$base"
}
# CTID nach "Unixzeit - 1e9" (Kundensicher bis 2038) + lokale Kollisionsprüfung
pve_select_customer_ctid() { pve_select_customer_ctid() {
need_cmd date pct awk sort tail need_cmd pct date
local base local base
base="$(($(date +%s) - 1000000000))" base="$(($(date +%s) - 1000000000))"
# Falls lokal belegt, hochzählen bis frei # falls negative (sollte nicht passieren), fallback
local ctid="$base" if (( base < 100 )); then
while pct status "$ctid" >/dev/null 2>&1; do base=100000
fi
local ctid="${base}"
# nur lokal prüfen (pct list ist node-lokal)
while pct status "${ctid}" >/dev/null 2>&1; do
ctid="$((ctid + 1))" ctid="$((ctid + 1))"
done done
echo "$ctid"
echo "${ctid}"
} }
pct_wait_for_ip() { # Secrets ohne tr/head Pipes (kein Broken pipe)
local ctid="$1" gen_hex() {
local tries="${2:-60}" local nbytes="$1"
local i=0 is_int "${nbytes}" || die "gen_hex expects integer bytes"
need_cmd openssl
need_cmd pct awk grep openssl rand -hex "${nbytes}"
while (( i < tries )); do
# pct exec ip -4 addr show dev eth0 → robust bei DHCP
local ip=""
ip="$(pct exec "$ctid" -- bash -lc "ip -4 -o addr show dev eth0 | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
if [[ -n "$ip" ]]; then
echo "$ip"
return 0
fi
sleep 1
((i++))
done
return 1
} }
pct_exec() { # JSON escaper (minimal, reicht für unsere Werte)
local ctid="$1"; shift json_escape() {
pct exec "$ctid" -- bash -lc "$*" local s="${1:-}"
s="${s//\\/\\\\}"
s="${s//\"/\\\"}"
s="${s//$'\n'/\\n}"
s="${s//$'\r'/\\r}"
s="${s//$'\t'/\\t}"
echo -n "${s}"
} }
# Locale fix (Debian 12) # Print a JSON object (stdout). Use at the VERY end.
pct_fix_locales() { print_json_kv() {
local ctid="$1" # args: key value
local locale="${2:-de_DE.UTF-8}" local k="$1" v="$2"
pct_exec "$ctid" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y" echo -n "\"$(json_escape "$k")\":\"$(json_escape "$v")\""
pct_exec "$ctid" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y locales"
pct_exec "$ctid" "sed -i 's/^# *${locale} UTF-8/${locale} UTF-8/' /etc/locale.gen || true"
pct_exec "$ctid" "locale-gen ${locale} >/dev/null"
pct_exec "$ctid" "update-locale LANG=${locale} LC_ALL=${locale}"
} }