Prototype2.2-n8n-Rechte-Problem

install.sh

@@ -11,23 +11,19 @@ Usage:
   bash install.sh [options]
 
 Core options:
-  --ctid <id>                 Force CT ID (optional). If omitted, a customer-safe CTID is generated: (unix_time - 1000000000)
+  --ctid <id>                 Force CT ID (optional). If omitted, a customer-safe CTID is generated.
   --cores <n>                 (default: 2)
   --memory <mb>               (default: 4096)
   --swap <mb>                 (default: 512)
   --disk <gb>                 (default: 50)
   --bridge <vmbrX>            (default: vmbr0)
+  --vlan <id>                 VLAN tag on net0 (default: 90)
   --storage <storage>         (default: local-zfs)
   --ip <dhcp|CIDR>            (default: dhcp)
-  --vlan <id>                 VLAN tag for net0 (default: 90)
-  --domain <domain>           Base domain for FQDN (default: userman.de)
   --privileged                Create privileged CT (default: unprivileged)
+  --fqdn-suffix <domain>      (default: userman.de) -> FQDN becomes sb-<time>.<domain>
   --help                      Show help
 
-Examples:
-  bash install.sh
-  bash install.sh --vlan 90 --ip dhcp
-  bash install.sh --ip 192.168.45.53/24 --vlan 90
 EOF
 }
 
@@ -38,11 +34,11 @@ MEMORY="4096"
 SWAP="512"
 DISK="50"
 BRIDGE="vmbr0"
+VLAN="90"
 STORAGE="local-zfs"
 IPCFG="dhcp"
-VLAN="90"
-DOMAIN="userman.de"
 UNPRIV="1"
+FQDN_SUFFIX="userman.de"
 
 # ---------------------------
 # Arg parsing
@@ -55,54 +51,50 @@ while [[ $# -gt 0 ]]; do
     --swap) SWAP="${2:-}"; shift 2 ;;
     --disk) DISK="${2:-}"; shift 2 ;;
     --bridge) BRIDGE="${2:-}"; shift 2 ;;
+    --vlan) VLAN="${2:-}"; shift 2 ;;
     --storage) STORAGE="${2:-}"; shift 2 ;;
     --ip) IPCFG="${2:-}"; shift 2 ;;
-    --vlan) VLAN="${2:-}"; shift 2 ;;
-    --domain) DOMAIN="${2:-}"; shift 2 ;;
+    --fqdn-suffix) FQDN_SUFFIX="${2:-}"; shift 2 ;;
     --privileged) UNPRIV="0"; shift 1 ;;
     --help|-h) usage; exit 0 ;;
     *) die "Unknown option: $1 (use --help)" ;;
   esac
 done
 
-# Basic validation
-is_int "$CORES"  || die "--cores must be integer"
-is_int "$MEMORY" || die "--memory must be integer"
-is_int "$SWAP"   || die "--swap must be integer"
-is_int "$DISK"   || die "--disk must be integer"
-is_int "$VLAN"   || die "--vlan must be integer"
+# Validation
+[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer"
+[[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer"
+[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer"
+[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer"
 [[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid"
+[[ "$VLAN" =~ ^[0-9]+$ ]] || die "--vlan must be integer"
 
 if [[ "$IPCFG" != "dhcp" ]]; then
-  [[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.53/24)"
+  [[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)"
 fi
 
-[[ -n "${DOMAIN}" ]] || die "--domain must not be empty"
-
 info "Argument-Parsing OK"
 
 # ---------------------------
 # Preflight Proxmox
 # ---------------------------
-need_cmd pct pvesm pveam date
+need_cmd pct pvesm pveam pvesh python3 grep date
 
 pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE"
-pve_bridge_exists "$BRIDGE"   || die "Bridge not found: $BRIDGE"
+pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE"
 
 TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")"
 info "Template OK: ${TEMPLATE}"
 
-# Hostname based on unix time (as agreed)
-UNIXTS="$(date +%s)"
-CT_HOSTNAME="sb-${UNIXTS}"
-FQDN="${CT_HOSTNAME}.${DOMAIN}"
+# Hostname based on unix time (agreed)
+CT_HOSTNAME="sb-$(date +%s)"
+FQDN="${CT_HOSTNAME}.${FQDN_SUFFIX}"
 
 # CTID selection
 if [[ -n "$CTID" ]]; then
-  is_int "$CTID" || die "--ctid must be integer"
-  # nur lokal check (cluster-check war dir zu unzuverlässig)
-  if pct status "${CTID}" >/dev/null 2>&1; then
-    die "Forced CTID=${CTID} already exists on this node"
+  [[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer"
+  if pve_vmid_exists_cluster "$CTID"; then
+    die "Forced CTID=${CTID} already exists in cluster"
   fi
 else
   CTID="$(pve_select_customer_ctid)"
@@ -124,7 +116,6 @@ FEATURES="nesting=1,keyctl=1,fuse=1"
 
 info "Step 5: Create CT"
 info "Creating CT ${CTID} (${CT_HOSTNAME}) from ${TEMPLATE}"
-
 pct create "${CTID}" "${TEMPLATE}" \
   --hostname "${CT_HOSTNAME}" \
   --cores "${CORES}" \
@@ -152,15 +143,14 @@ info "CT_IP=${CT_IP}"
 # ---------------------------
 info "Step 6: Provisioning im CT (Docker + Locales + Base)"
 
-# Base packages (include locales early, damit perl nicht meckert)
 pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
 pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release locales"
 
-# locales setzen (de_DE.UTF-8)
-pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen || true"
-pct_exec "${CTID}" "locale-gen >/dev/null"
-pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8"
-pct_exec "${CTID}" "printf 'LANG=de_DE.UTF-8\nLC_ALL=de_DE.UTF-8\n' > /etc/default/locale"
+# Ensure locale exists (de_DE + en_US to be safe), then set default locale file.
+pct_exec "${CTID}" "sed -i 's/^# \\(de_DE.UTF-8\\)/\\1/' /etc/locale.gen || true"
+pct_exec "${CTID}" "sed -i 's/^# \\(en_US.UTF-8\\)/\\1/' /etc/locale.gen || true"
+pct_exec "${CTID}" "locale-gen >/dev/null || true"
+pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8 || true"
 
 # Docker official repo (Debian 12 / bookworm)
 pct_exec "${CTID}" "install -m 0755 -d /etc/apt/keyrings"
@@ -170,26 +160,22 @@ pct_exec "${CTID}" "echo \"deb [arch=\$(dpkg --print-architecture) signed-by=/et
 pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
 pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"
 
-# Create stack directories
-pct_exec "${CTID}" "mkdir -p /opt/customer-stack/sql /opt/customer-stack/volumes/postgres/data /opt/customer-stack/volumes/n8n-data"
+# Base directories
+pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes /opt/customer-stack/sql"
 
 info "Step 6 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt"
-info "Next: Schritt 7 (finales docker-compose + Secrets + n8n/supabase up + Healthchecks)"
 
 # ---------------------------
 # Step 7: Stack finalisieren + Secrets + Up + Checks
 # ---------------------------
 info "Step 7: Stack finalisieren + Secrets + Up + Checks"
 
-# secrets
+# Generate secrets on host (safe, deterministic output), then write .env inside CT.
 PG_DB="customer"
 PG_USER="customer"
-PG_PASSWORD="$(gen_hex 16)"                 # 32 hex chars
-N8N_ENCRYPTION_KEY="$(gen_hex 32)"          # 64 hex chars
+PG_PASSWORD="$(_rand_b64url 24)"
+N8N_ENCRYPTION_KEY="$(_rand_hex 32)"
 
-# n8n URL config:
-# intern bleibt http://CT_IP:5678
-# extern geplant via OPNsense reverse proxy: https://FQDN
 N8N_PORT="5678"
 N8N_PROTOCOL="http"
 N8N_HOST="${CT_IP}"
@@ -197,13 +183,13 @@ N8N_EDITOR_BASE_URL="https://${FQDN}/"
 WEBHOOK_URL="https://${FQDN}/"
 N8N_SECURE_COOKIE="false"
 
-# Telemetrie / Background Calls aus
+# Telemetry / background calls off
 N8N_DIAGNOSTICS_ENABLED="false"
 N8N_VERSION_NOTIFICATIONS_ENABLED="false"
 N8N_TEMPLATES_ENABLED="false"
 
-# write .env (in CT)
-pct_exec "${CTID}" "cat > /opt/customer-stack/.env <<'ENV'
+# Write env
+pct exec "${CTID}" -- bash -lc "cat > /opt/customer-stack/.env <<'ENV'
 PG_DB=${PG_DB}
 PG_USER=${PG_USER}
 PG_PASSWORD=${PG_PASSWORD}
@@ -217,19 +203,20 @@ N8N_SECURE_COOKIE=${N8N_SECURE_COOKIE}
 
 N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
 
+# Telemetrie/Background Calls aus (n8n docs)
 N8N_DIAGNOSTICS_ENABLED=${N8N_DIAGNOSTICS_ENABLED}
 N8N_VERSION_NOTIFICATIONS_ENABLED=${N8N_VERSION_NOTIFICATIONS_ENABLED}
 N8N_TEMPLATES_ENABLED=${N8N_TEMPLATES_ENABLED}
 ENV"
 
-# init sql
-pct_exec "${CTID}" "cat > /opt/customer-stack/sql/init_pgvector.sql <<'SQL'
+# Write init SQL (pgvector)
+pct exec "${CTID}" -- bash -lc "cat > /opt/customer-stack/sql/init_pgvector.sql <<'SQL'
 CREATE EXTENSION IF NOT EXISTS vector;
 CREATE EXTENSION IF NOT EXISTS pgcrypto;
 SQL"
 
-# docker-compose.yml (in CT)
-pct_exec "${CTID}" "cat > /opt/customer-stack/docker-compose.yml <<'YML'
+# Write docker-compose.yml (final)
+pct exec "${CTID}" -- bash -lc "cat > /opt/customer-stack/docker-compose.yml <<'YML'
 services:
   postgres:
     image: pgvector/pgvector:pg16
@@ -243,7 +230,7 @@ services:
       - ./volumes/postgres/data:/var/lib/postgresql/data
       - ./sql:/docker-entrypoint-initdb.d:ro
     healthcheck:
-      test: ['CMD-SHELL', 'pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1']
+      test: [\"CMD-SHELL\", \"pg_isready -U \${PG_USER} -d \${PG_DB} || exit 1\"]
       interval: 10s
       timeout: 5s
       retries: 20
@@ -258,7 +245,8 @@ services:
       postgres:
         condition: service_healthy
     ports:
-      - '\${N8N_PORT}:5678'
+      - \"\${N8N_PORT}:5678\"
+    user: \"1000:1000\"
     environment:
       N8N_PORT: 5678
       N8N_PROTOCOL: \${N8N_PROTOCOL}
@@ -279,7 +267,7 @@ services:
 
       N8N_ENCRYPTION_KEY: \${N8N_ENCRYPTION_KEY}
 
-      # Telemetrie/Background Calls aus
+      # Telemetry/Template/Versionschecks aus
       N8N_DIAGNOSTICS_ENABLED: \${N8N_DIAGNOSTICS_ENABLED}
       N8N_VERSION_NOTIFICATIONS_ENABLED: \${N8N_VERSION_NOTIFICATIONS_ENABLED}
       N8N_TEMPLATES_ENABLED: \${N8N_TEMPLATES_ENABLED}
@@ -294,7 +282,12 @@ networks:
     driver: bridge
 YML"
 
-# Deploy
+# ---- IMPORTANT FIX: permissions BEFORE up ----
+pct_exec "${CTID}" "mkdir -p /opt/customer-stack/volumes/n8n-data /opt/customer-stack/volumes/postgres/data"
+pct_exec "${CTID}" "chown -R 1000:1000 /opt/customer-stack/volumes/n8n-data"
+pct_exec "${CTID}" "chown -R 999:999 /opt/customer-stack/volumes/postgres/data || true"
+
+# Pull + up
 pct_exec "${CTID}" "cd /opt/customer-stack && docker compose pull"
 pct_exec "${CTID}" "cd /opt/customer-stack && docker compose up -d"
 pct_exec "${CTID}" "cd /opt/customer-stack && docker compose ps"
@@ -304,21 +297,16 @@ info "n8n intern: http://${CT_IP}:5678/"
 info "n8n extern (geplant via OPNsense): https://${FQDN}"
 info "Hinweis: Telemetrie/Template/Versionschecks sind deaktiviert (n8n docs)."
 
-# ---------------------------
-# JSON Output (NUR stdout)
-# ---------------------------
-# Damit kann n8n/SSH node direkt JSON parsen.
-# Alles andere ist in stderr geloggt.
-
-echo -n "{"
-print_json_kv "ctid" "${CTID}"; echo -n ","
-print_json_kv "hostname" "${CT_HOSTNAME}"; echo -n ","
-print_json_kv "fqdn" "${FQDN}"; echo -n ","
-print_json_kv "ip" "${CT_IP}"; echo -n ","
-print_json_kv "n8n_internal_url" "http://${CT_IP}:5678/"; echo -n ","
-print_json_kv "n8n_external_url" "https://${FQDN}/"; echo -n ","
-print_json_kv "pg_db" "${PG_DB}"; echo -n ","
-print_json_kv "pg_user" "${PG_USER}"; echo -n ","
-print_json_kv "pg_password" "${PG_PASSWORD}"; echo -n ","
-print_json_kv "n8n_encryption_key" "${N8N_ENCRYPTION_KEY}"
-echo "}"
+# Emit machine-readable JSON for automation (n8n can parse this)
+emit_result_json \
+  "CTID=${CTID}" \
+  "CT_HOSTNAME=${CT_HOSTNAME}" \
+  "CT_IP=${CT_IP}" \
+  "VLAN=${VLAN}" \
+  "FQDN=${FQDN}" \
+  "N8N_INTERNAL_URL=http://${CT_IP}:5678/" \
+  "N8N_EXTERNAL_URL=https://${FQDN}/" \
+  "PG_DB=${PG_DB}" \
+  "PG_USER=${PG_USER}" \
+  "PG_PASSWORD=${PG_PASSWORD}" \
+  "N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}"