MediaMetz/customer-installer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: MediaMetz:main
Branches Tags
MediaMetz:main MediaMetz:blackboxai/credentials-management-and-testing MediaMetz:blackboxai/nginx-proxy-debug-mode
...
pull from: MediaMetz:blackboxai/nginx-proxy-debug-mode
Branches Tags
MediaMetz:main MediaMetz:blackboxai/credentials-management-and-testing MediaMetz:blackboxai/nginx-proxy-debug-mode

6 Commits
main ... blackboxai

Author SHA1 Message Date
wm
059f231154 feat: Add Flowise account setup script 2026-01-19 14:50:48 +01:00
wm
3436707ccf docs: Add Flowise example for --backend-port parameter 2026-01-19 14:31:23 +01:00
wm
f0c1ba00c1 feat: Add Flowise LXC installer 2026-01-18 23:11:54 +01:00
wm
bef60a39b1 feat: Add debug mode and NGINX proxy delete script 2026-01-18 22:35:29 +01:00
wm
15a9104a8e Setup NGINX Final 2026-01-18 18:17:40 +01:00
wm
c5d376d3ac Neue Option --opnsense-port für Flexibilität 2026-01-18 17:28:42 +01:00
7 changed files with 1866 additions and 98 deletions
Expand all files Collapse all files

249
FLOWISE_SETUP.md Normal file
View File

@@ -0,0 +1,249 @@
# Flowise LXC Installer
Dieses Script erstellt einen LXC-Container mit Docker, PostgreSQL (mit pgvector) und Flowise.
## Was ist Flowise?
[Flowise](https://flowiseai.com/) ist ein Open-Source Low-Code Tool zum Erstellen von LLM-Flows und AI-Agenten. Es bietet eine visuelle Drag-and-Drop-Oberfläche zum Erstellen von:
- Chatbots
- RAG (Retrieval Augmented Generation) Pipelines
- AI-Agenten mit Tools
- LangChain-basierte Workflows
## Voraussetzungen
- Proxmox VE mit LXC-Unterstützung
- Debian 12 Template
- Netzwerk-Bridge (default: vmbr0)
- Storage (default: local-zfs)
## Installation
```bash
# Minimale Konfiguration
bash install_flowise.sh
# Mit Debug-Ausgabe
bash install_flowise.sh --debug
# Mit benutzerdefinierten Credentials
bash install_flowise.sh \
--flowise-user admin \
--flowise-pass "MeinSicheresPasswort1"
# Mit allen Optionen
bash install_flowise.sh \
--cores 4 \
--memory 4096 \
--disk 50 \
--base-domain userman.de \
--flowise-user admin \
--debug
```
## Parameter
### Core-Optionen
| Parameter | Beschreibung | Standard |
|-----------|--------------|----------|
| `--ctid <id>` | Container ID (optional, wird automatisch generiert) | Auto |
| `--cores <n>` | CPU-Kerne | 4 |
| `--memory <mb>` | RAM in MB | 4096 |
| `--swap <mb>` | Swap in MB | 512 |
| `--disk <gb>` | Disk in GB | 50 |
| `--bridge <vmbrX>` | Netzwerk-Bridge | vmbr0 |
| `--storage <storage>` | Proxmox Storage | local-zfs |
| `--ip <dhcp\|CIDR>` | IP-Konfiguration | dhcp |
| `--vlan <id>` | VLAN-Tag | 90 |
| `--privileged` | Privilegierter Container | unprivileged |
| `--apt-proxy <url>` | APT-Proxy URL | - |
### Flowise-Optionen
| Parameter | Beschreibung | Standard |
|-----------|--------------|----------|
| `--base-domain <domain>` | Basis-Domain für FQDN | userman.de |
| `--flowise-user <user>` | Flowise Admin-Benutzername | admin |
| `--flowise-pass <pass>` | Flowise Admin-Passwort | Auto-generiert |
| `--debug` | Debug-Modus aktivieren | Aus |
## Ausgabe
### Normalmodus (ohne --debug)
Das Script gibt nur JSON auf stdout aus:
```json
{
"ctid": 768736637,
"hostname": "fw-1768736637",
"fqdn": "fw-1768736637.userman.de",
"ip": "192.168.45.136",
"vlan": 90,
"urls": {
"flowise_internal": "http://192.168.45.136:3000/",
"flowise_external": "https://fw-1768736637.userman.de"
},
"postgres": {
"host": "postgres",
"port": 5432,
"db": "flowise",
"user": "flowise",
"password": "GeneratedPassword1"
},
"flowise": {
"username": "admin",
"password": "GeneratedPassword2",
"secret_key": "64-char-hex-key"
},
"log_file": "/root/customer-installer/logs/fw-1768736637.log"
}
```
### Debug-Modus (mit --debug)
Zusätzlich werden Logs auf stderr ausgegeben.
## Erstellte Komponenten
### Docker-Container
1. **flowise-postgres** - PostgreSQL 16 mit pgvector Extension
2. **flowise** - Flowise AI Flow Builder
### Verzeichnisstruktur im Container
```
/opt/flowise-stack/
├── .env # Umgebungsvariablen
├── docker-compose.yml # Docker Compose Konfiguration
├── sql/
│ └── init_pgvector.sql # PostgreSQL Initialisierung
└── volumes/
├── postgres/data/ # PostgreSQL Daten
└── flowise-data/ # Flowise Daten (Flows, Credentials, etc.)
```
## Ports
| Service | Interner Port | Externer Port |
|---------|---------------|---------------|
| Flowise | 3000 | 3000 |
| PostgreSQL | 5432 | - (nur intern) |
## NGINX Reverse Proxy
Nach der Installation kann ein NGINX Reverse Proxy auf OPNsense eingerichtet werden:
```bash
bash setup_nginx_proxy.sh \
--ctid <CTID> \
--hostname fw-<TIMESTAMP> \
--fqdn fw-<TIMESTAMP>.userman.de \
--backend-ip <CT_IP> \
--backend-port 3000
```
## Unterschiede zu n8n-Installer
| Aspekt | n8n (install.sh) | Flowise (install_flowise.sh) |
|--------|------------------|------------------------------|
| Hostname-Präfix | `sb-` | `fw-` |
| Standard-Port | 5678 | 3000 |
| Authentifizierung | Email + Passwort | Username + Passwort |
| Container-Name | n8n | flowise |
| Datenverzeichnis | /opt/customer-stack | /opt/flowise-stack |
## Fehlerbehebung
### Container startet nicht
```bash
# Logs prüfen
pct exec <CTID> -- docker compose -f /opt/flowise-stack/docker-compose.yml logs
```
### Flowise nicht erreichbar
```bash
# Container-Status prüfen
pct exec <CTID> -- docker compose -f /opt/flowise-stack/docker-compose.yml ps
# Flowise-Logs prüfen
pct exec <CTID> -- docker logs flowise
```
### Datenbank-Verbindungsfehler
```bash
# PostgreSQL-Status prüfen
pct exec <CTID> -- docker logs flowise-postgres
```
## Account Setup Script
Nach der Installation muss der Administrator-Account über die Web-UI oder das Script erstellt werden.
### Verwendung
```bash
# Account erstellen
bash setup_flowise_account.sh \
--url https://fw-1768829679.userman.de \
--name "Admin User" \
--email admin@example.com \
--password "SecurePass1!"
# Mit Debug-Ausgabe
bash setup_flowise_account.sh --debug \
--url https://fw-1768829679.userman.de \
--name "Admin User" \
--email admin@example.com \
--password "SecurePass1!"
```
### Parameter
| Parameter | Beschreibung | Erforderlich |
|-----------|--------------|--------------|
| `--url <url>` | Flowise Base-URL | Ja |
| `--name <name>` | Administrator-Anzeigename | Ja |
| `--email <email>` | Administrator-E-Mail (Login) | Ja |
| `--password <pass>` | Administrator-Passwort | Ja |
| `--debug` | Debug-Modus aktivieren | Nein |
### Passwort-Anforderungen
- Mindestens 8 Zeichen
- Mindestens ein Kleinbuchstabe
- Mindestens ein Großbuchstabe
- Mindestens eine Ziffer
- Mindestens ein Sonderzeichen
### Ausgabe
```json
{
"success": true,
"url": "https://fw-1768829679.userman.de",
"email": "admin@example.com",
"name": "Admin User",
"message": "Account created successfully"
}
```
## Versionsverlauf
### install_flowise.sh
| Version | Änderungen |
|---------|------------|
| 1.0.0 | Initiale Version |
### setup_flowise_account.sh
| Version | Änderungen |
|---------|------------|
| 1.0.0 | Initiale Version |

262
NGINX_PROXY_SETUP.md Normal file
View File

@@ -0,0 +1,262 @@
# OPNsense NGINX Reverse Proxy Setup
Dieses Script automatisiert die Konfiguration eines NGINX Reverse Proxys auf OPNsense für n8n-Instanzen.
## Voraussetzungen
- OPNsense Firewall mit NGINX Plugin
- API-Zugang zu OPNsense (API Key + Secret)
- Wildcard-Zertifikat für die Domain (z.B. *.userman.de)
## Installation
Das Script befindet sich im Repository unter `setup_nginx_proxy.sh`.
## Verwendung
### Proxy einrichten
```bash
# Minimale Konfiguration
bash setup_nginx_proxy.sh \
--ctid 768736636 \
--hostname sb-1768736636 \
--fqdn sb-1768736636.userman.de \
--backend-ip 192.168.45.135
# Mit Debug-Ausgabe
bash setup_nginx_proxy.sh --debug \
--ctid 768736636 \
--hostname sb-1768736636 \
--fqdn sb-1768736636.userman.de \
--backend-ip 192.168.45.135
# Mit benutzerdefiniertem Backend-Port
bash setup_nginx_proxy.sh \
--ctid 768736636 \
--hostname sb-1768736636 \
--fqdn sb-1768736636.userman.de \
--backend-ip 192.168.45.135 \
--backend-port 8080
```
### Proxy löschen
```bash
# Proxy für eine CTID löschen
bash delete_nginx_proxy.sh --ctid 768736636
# Mit Debug-Ausgabe
bash delete_nginx_proxy.sh --debug --ctid 768736636
# Dry-Run (zeigt was gelöscht würde, ohne zu löschen)
bash delete_nginx_proxy.sh --dry-run --ctid 768736636
# Mit expliziter FQDN
bash delete_nginx_proxy.sh --ctid 768736636 --fqdn sb-1768736636.userman.de
```
### Hilfsfunktionen
```bash
# API-Verbindung testen
bash setup_nginx_proxy.sh --test-connection --debug
# Verfügbare Zertifikate auflisten
bash setup_nginx_proxy.sh --list-certificates --debug
```
## Parameter
### Erforderliche Parameter (für Proxy-Setup)
| Parameter | Beschreibung | Beispiel |
|-----------|--------------|----------|
| `--ctid <id>` | Container ID (wird als Beschreibung verwendet) | `768736636` |
| `--hostname <name>` | Hostname des Containers | `sb-1768736636` |
| `--fqdn <domain>` | Vollständiger Domainname | `sb-1768736636.userman.de` |
| `--backend-ip <ip>` | IP-Adresse des Backends | `192.168.45.135` |
### Optionale Parameter
| Parameter | Beschreibung | Standard |
|-----------|--------------|----------|
| `--backend-port <port>` | Backend-Port | `5678` |
| `--opnsense-host <ip>` | OPNsense IP oder Hostname | `192.168.45.1` |
| `--opnsense-port <port>` | OPNsense WebUI/API Port | `4444` |
| `--certificate-uuid <uuid>` | UUID des SSL-Zertifikats | Auto-Detect |
| `--debug` | Debug-Modus aktivieren | Aus |
| `--help` | Hilfe anzeigen | - |
### Spezielle Befehle
| Parameter | Beschreibung |
|-----------|--------------|
| `--test-connection` | API-Verbindung testen und beenden |
| `--list-certificates` | Verfügbare Zertifikate auflisten und beenden |
## Ausgabe
### Normalmodus (ohne --debug)
Das Script gibt nur JSON auf stdout aus:
```json
{
"success": true,
"ctid": "768736636",
"fqdn": "sb-1768736636.userman.de",
"backend": "192.168.45.135:5678",
"nginx": {
"upstream_server_uuid": "81f5f15b-978c-4839-b794-5ddb9f1c964e",
"upstream_uuid": "5fe99a9f-35fb-4141-9b89-238333604a0d",
"location_uuid": "5c3cc080-385a-4800-964d-ab01f33d45a8",
"http_server_uuid": "946489aa-7212-41b3-93e2-4972f6a26d4e"
}
}
```
Bei Fehlern:
```json
{"error": "Fehlerbeschreibung"}
```
### Debug-Modus (mit --debug)
Zusätzlich werden Logs auf stderr ausgegeben:
```
[2026-01-18 17:57:04] INFO: Script Version: 1.0.8
[2026-01-18 17:57:04] INFO: Configuration:
[2026-01-18 17:57:04] INFO: CTID: 768736636
[2026-01-18 17:57:04] INFO: Hostname: sb-1768736636
...
```
## Erstellte NGINX-Komponenten
Das Script erstellt folgende Komponenten in OPNsense:
1. **Upstream Server** - Backend-Server mit IP und Port
2. **Upstream** - Load-Balancer-Gruppe (verweist auf Upstream Server)
3. **Location** - URL-Pfad-Konfiguration mit WebSocket-Support
4. **HTTP Server** - Virtueller Host mit HTTPS und Zertifikat
### Verknüpfungskette
```
HTTP Server (sb-1768736636.userman.de:443)
└── Location (/)
└── Upstream (768736636)
└── Upstream Server (192.168.45.135:5678)
```
## Umgebungsvariablen
Das Script kann auch über Umgebungsvariablen konfiguriert werden:
```bash
export OPNSENSE_HOST="192.168.45.1"
export OPNSENSE_PORT="4444"
export OPNSENSE_API_KEY="your-api-key"
export OPNSENSE_API_SECRET="your-api-secret"
export CERTIFICATE_UUID="your-cert-uuid"
export DEBUG="1"
bash setup_nginx_proxy.sh --ctid 768736636 ...
```
## Delete Script Parameter
### Erforderliche Parameter
| Parameter | Beschreibung | Beispiel |
|-----------|--------------|----------|
| `--ctid <id>` | Container ID (zum Finden der Komponenten) | `768736636` |
### Optionale Parameter
| Parameter | Beschreibung | Standard |
|-----------|--------------|----------|
| `--fqdn <domain>` | FQDN zum Finden des HTTP Servers | Auto-Detect |
| `--opnsense-host <ip>` | OPNsense IP oder Hostname | `192.168.45.1` |
| `--opnsense-port <port>` | OPNsense WebUI/API Port | `4444` |
| `--dry-run` | Zeigt was gelöscht würde, ohne zu löschen | Aus |
| `--debug` | Debug-Modus aktivieren | Aus |
### Delete Script Ausgabe
```json
{
"success": true,
"dry_run": false,
"ctid": "768736636",
"deleted_count": 4,
"failed_count": 0,
"components": {
"http_server": "deleted",
"location": "deleted",
"upstream": "deleted",
"upstream_server": "deleted"
},
"reconfigure": "ok"
}
```
### Löschreihenfolge
Das Script löscht die Komponenten in der richtigen Reihenfolge (von außen nach innen):
1. **HTTP Server** - Virtueller Host
2. **Location** - URL-Pfad-Konfiguration
3. **Upstream** - Load-Balancer-Gruppe
4. **Upstream Server** - Backend-Server
## Fehlerbehebung
### API-Verbindungsfehler
```bash
# Verbindung testen
bash setup_nginx_proxy.sh --test-connection --debug
```
### Zertifikat nicht gefunden
```bash
# Verfügbare Zertifikate auflisten
bash setup_nginx_proxy.sh --list-certificates --debug
# Zertifikat manuell angeben
bash setup_nginx_proxy.sh --certificate-uuid "695a8b67b35ae" ...
```
### Berechtigungsfehler (403)
Der API-Benutzer benötigt folgende Berechtigungen in OPNsense:
- `NGINX: Settings`
- `NGINX: Service`
- `System: Trust: Certificates` (optional, für Auto-Detect)
## Versionsverlauf
### setup_nginx_proxy.sh
| Version | Änderungen |
|---------|------------|
| 1.0.9 | Dokumentation für Flowise-Unterstützung (--backend-port) |
| 1.0.8 | HTTP Server Suche nach servername statt description |
| 1.0.7 | Listen-Adressen auf Port 80/443 gesetzt |
| 1.0.6 | Listen-Adressen hinzugefügt |
| 1.0.5 | verify_client und access_log_format hinzugefügt |
| 1.0.4 | Korrektes API-Format (httpserver statt http_server) |
| 1.0.3 | Vereinfachte HTTP Server Konfiguration |
| 1.0.0 | Initiale Version |
### delete_nginx_proxy.sh
| Version | Änderungen |
|---------|------------|
| 1.0.2 | Verbesserte Debug-Ausgabe für Suche nach Komponenten |
| 1.0.1 | Fix: Arithmetik-Fehler bei Counter-Inkrementierung behoben |
| 1.0.0 | Initiale Version |

389
delete_nginx_proxy.sh Normal file
View File

@@ -0,0 +1,389 @@
#!/usr/bin/env bash
set -Eeuo pipefail
# =============================================================================
# OPNsense NGINX Reverse Proxy Delete Script
# =============================================================================
# Dieses Script löscht einen NGINX Reverse Proxy auf OPNsense
# für eine n8n-Instanz über die OPNsense API.
# =============================================================================
SCRIPT_VERSION="1.0.2"
# Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}"
export DEBUG
# Logging functions
log_ts() { date "+[%F %T]"; }
info() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) INFO: $*" >&2; return 0; }
warn() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) WARN: $*" >&2; return 0; }
die() {
if [[ "$DEBUG" == "1" ]]; then
echo "$(log_ts) ERROR: $*" >&2
else
echo "{\"error\": \"$*\"}"
fi
exit 1
}
# =============================================================================
# Default Configuration
# =============================================================================
OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}"
OPNSENSE_PORT="${OPNSENSE_PORT:-4444}"
OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}"
OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}"
# =============================================================================
# Usage
# =============================================================================
usage() {
cat >&2 <<'EOF'
Usage:
bash delete_nginx_proxy.sh [options]
Required options:
--ctid <id> Container ID (used to find components by description)
Optional:
--fqdn <domain> Full domain name (to find HTTP Server by servername)
--opnsense-host <ip> OPNsense IP or hostname (default: 192.168.45.1)
--opnsense-port <port> OPNsense WebUI/API port (default: 4444)
--dry-run Show what would be deleted without actually deleting
--debug Enable debug mode
--help Show this help
Examples:
# Delete proxy by CTID:
bash delete_nginx_proxy.sh --ctid 768736636
# Delete proxy with debug output:
bash delete_nginx_proxy.sh --debug --ctid 768736636
# Dry run (show what would be deleted):
bash delete_nginx_proxy.sh --dry-run --ctid 768736636
# Delete by CTID and FQDN:
bash delete_nginx_proxy.sh --ctid 768736636 --fqdn sb-1768736636.userman.de
EOF
}
# =============================================================================
# Default values for arguments
# =============================================================================
CTID=""
FQDN=""
DRY_RUN="0"
# =============================================================================
# Argument parsing
# =============================================================================
while [[ $# -gt 0 ]]; do
case "$1" in
--ctid) CTID="${2:-}"; shift 2 ;;
--fqdn) FQDN="${2:-}"; shift 2 ;;
--opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;;
--opnsense-port) OPNSENSE_PORT="${2:-}"; shift 2 ;;
--dry-run) DRY_RUN="1"; shift 1 ;;
--debug) DEBUG="1"; export DEBUG; shift 1 ;;
--help|-h) usage; exit 0 ;;
*) die "Unknown option: $1 (use --help)" ;;
esac
done
# =============================================================================
# API Base URL
# =============================================================================
API_BASE="https://${OPNSENSE_HOST}:${OPNSENSE_PORT}/api"
# =============================================================================
# API Helper Functions
# =============================================================================
# Make API request to OPNsense
api_request() {
local method="$1"
local endpoint="$2"
local data="${3:-}"
local url="${API_BASE}${endpoint}"
local auth="${OPNSENSE_API_KEY}:${OPNSENSE_API_SECRET}"
info "API ${method} ${url}"
local response
if [[ -n "$data" ]]; then
response=$(curl -s -k -X "${method}" \
-u "${auth}" \
-H "Content-Type: application/json" \
-d "${data}" \
"${url}" 2>&1)
else
response=$(curl -s -k -X "${method}" \
-u "${auth}" \
"${url}" 2>&1)
fi
echo "$response"
}
# Search for items by description
search_by_description() {
local search_endpoint="$1"
local description="$2"
local response
response=$(api_request "GET" "${search_endpoint}")
info "Search response for ${search_endpoint}: ${response:0:500}..."
# Extract all UUIDs where description matches
local uuid
uuid=$(echo "$response" | python3 -c "
import json, sys
desc = sys.argv[1] if len(sys.argv) > 1 else ''
try:
data = json.load(sys.stdin)
rows = data.get('rows', [])
for row in rows:
row_desc = row.get('description', '')
if row_desc == desc:
print(row.get('uuid', ''))
sys.exit(0)
except Exception as e:
print(f'Error: {e}', file=sys.stderr)
" "${description}" 2>/dev/null || true)
info "Found UUID for description '${description}': ${uuid:-none}"
echo "$uuid"
}
# Search for HTTP Server by servername
search_http_server_by_servername() {
local servername="$1"
local response
response=$(api_request "GET" "/nginx/settings/searchHttpServer")
info "HTTP Server search response: ${response:0:500}..."
# Extract UUID where servername matches
local uuid
uuid=$(echo "$response" | python3 -c "
import json, sys
sname = sys.argv[1] if len(sys.argv) > 1 else ''
try:
data = json.load(sys.stdin)
rows = data.get('rows', [])
for row in rows:
row_sname = row.get('servername', '')
if row_sname == sname:
print(row.get('uuid', ''))
sys.exit(0)
except Exception as e:
print(f'Error: {e}', file=sys.stderr)
" "${servername}" 2>/dev/null || true)
info "Found HTTP Server UUID for servername '${servername}': ${uuid:-none}"
echo "$uuid"
}
# =============================================================================
# Delete Functions
# =============================================================================
delete_item() {
local item_type="$1"
local uuid="$2"
local endpoint="$3"
if [[ -z "$uuid" ]]; then
info "No ${item_type} found to delete"
return 0
fi
if [[ "$DRY_RUN" == "1" ]]; then
info "[DRY-RUN] Would delete ${item_type}: ${uuid}"
echo "dry-run"
return 0
fi
info "Deleting ${item_type}: ${uuid}"
local response
response=$(api_request "POST" "${endpoint}/${uuid}")
local result
result=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('result','unknown'))" 2>/dev/null || echo "unknown")
if [[ "$result" == "deleted" ]]; then
info "${item_type} deleted successfully"
echo "deleted"
else
warn "Failed to delete ${item_type}: ${response}"
echo "failed"
fi
}
# =============================================================================
# Validation
# =============================================================================
[[ -n "$CTID" ]] || die "--ctid is required"
info "Script Version: ${SCRIPT_VERSION}"
info "Configuration:"
info " CTID: ${CTID}"
info " FQDN: ${FQDN:-auto-detect}"
info " OPNsense: ${OPNSENSE_HOST}:${OPNSENSE_PORT}"
info " Dry Run: ${DRY_RUN}"
# =============================================================================
# Main
# =============================================================================
main() {
info "Starting NGINX Reverse Proxy deletion for CTID ${CTID}..."
local description="${CTID}"
local deleted_count=0
local failed_count=0
# Results tracking
local http_server_result="not_found"
local location_result="not_found"
local upstream_result="not_found"
local upstream_server_result="not_found"
# Step 1: Find and delete HTTP Server
info "Step 1: Finding HTTP Server..."
local http_server_uuid=""
# Try to find by FQDN first
if [[ -n "$FQDN" ]]; then
http_server_uuid=$(search_http_server_by_servername "${FQDN}")
fi
# If not found by FQDN, try common patterns
if [[ -z "$http_server_uuid" ]]; then
# Try sb-<ctid>.userman.de pattern
http_server_uuid=$(search_http_server_by_servername "sb-${CTID}.userman.de")
fi
if [[ -z "$http_server_uuid" ]]; then
# Try sb-1<ctid>.userman.de pattern (with leading 1)
http_server_uuid=$(search_http_server_by_servername "sb-1${CTID}.userman.de")
fi
if [[ -n "$http_server_uuid" ]]; then
http_server_result=$(delete_item "HTTP Server" "$http_server_uuid" "/nginx/settings/delHttpServer")
if [[ "$http_server_result" == "deleted" || "$http_server_result" == "dry-run" ]]; then
deleted_count=$((deleted_count + 1))
else
failed_count=$((failed_count + 1))
fi
else
info "No HTTP Server found for CTID ${CTID}"
fi
# Step 2: Find and delete Location
info "Step 2: Finding Location..."
local location_uuid
location_uuid=$(search_by_description "/nginx/settings/searchLocation" "${description}")
if [[ -n "$location_uuid" ]]; then
location_result=$(delete_item "Location" "$location_uuid" "/nginx/settings/delLocation")
if [[ "$location_result" == "deleted" || "$location_result" == "dry-run" ]]; then
deleted_count=$((deleted_count + 1))
else
failed_count=$((failed_count + 1))
fi
else
info "No Location found for CTID ${CTID}"
fi
# Step 3: Find and delete Upstream
info "Step 3: Finding Upstream..."
local upstream_uuid
upstream_uuid=$(search_by_description "/nginx/settings/searchUpstream" "${description}")
if [[ -n "$upstream_uuid" ]]; then
upstream_result=$(delete_item "Upstream" "$upstream_uuid" "/nginx/settings/delUpstream")
if [[ "$upstream_result" == "deleted" || "$upstream_result" == "dry-run" ]]; then
deleted_count=$((deleted_count + 1))
else
failed_count=$((failed_count + 1))
fi
else
info "No Upstream found for CTID ${CTID}"
fi
# Step 4: Find and delete Upstream Server
info "Step 4: Finding Upstream Server..."
local upstream_server_uuid
upstream_server_uuid=$(search_by_description "/nginx/settings/searchUpstreamServer" "${description}")
if [[ -n "$upstream_server_uuid" ]]; then
upstream_server_result=$(delete_item "Upstream Server" "$upstream_server_uuid" "/nginx/settings/delUpstreamServer")
if [[ "$upstream_server_result" == "deleted" || "$upstream_server_result" == "dry-run" ]]; then
deleted_count=$((deleted_count + 1))
else
failed_count=$((failed_count + 1))
fi
else
info "No Upstream Server found for CTID ${CTID}"
fi
# Step 5: Apply configuration (if not dry-run and something was deleted)
local reconfigure_result="skipped"
if [[ "$DRY_RUN" != "1" && $deleted_count -gt 0 ]]; then
info "Step 5: Applying NGINX configuration..."
local response
response=$(api_request "POST" "/nginx/service/reconfigure" "{}")
local status
status=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null || echo "unknown")
if [[ "$status" == "ok" ]]; then
info "NGINX configuration applied successfully"
reconfigure_result="ok"
else
warn "NGINX reconfigure status: ${status}"
reconfigure_result="failed"
fi
elif [[ "$DRY_RUN" == "1" ]]; then
info "[DRY-RUN] Would apply NGINX configuration"
reconfigure_result="dry-run"
fi
# Output result as JSON
local success="true"
[[ $failed_count -gt 0 ]] && success="false"
local result
result=$(cat <<EOF
{
"success": ${success},
"dry_run": $([[ "$DRY_RUN" == "1" ]] && echo "true" || echo "false"),
"ctid": "${CTID}",
"deleted_count": ${deleted_count},
"failed_count": ${failed_count},
"components": {
"http_server": "${http_server_result}",
"location": "${location_result}",
"upstream": "${upstream_result}",
"upstream_server": "${upstream_server_result}"
},
"reconfigure": "${reconfigure_result}"
}
EOF
)
if [[ "$DEBUG" == "1" ]]; then
echo "$result"
else
# Compact JSON
echo "$result" | python3 -c "import json,sys; print(json.dumps(json.load(sys.stdin)))" 2>/dev/null || echo "$result"
fi
}
main

87
delete_stopped_lxcs.sh
View File

@@ -1,52 +1,69 @@
#!/bin/bash #!/bin/bash
# delete_stopped_lxc.sh - Löscht alle gestoppten LXC Container auf PVE
# Skript zum Löschen aller gestoppten LXCs auf dem lokalen Proxmox-Node set -e
# Verwendet pct destroy und berücksichtigt nur den lokalen Node
# Überprüfen, ob das Skript als Root ausgeführt wird # Farben für Output
if [ "$(id -u)" -ne 0 ]; then RED='\033[0;31m'
echo "Dieses Skript muss als Root ausgeführt werden." >&2 GREEN='\033[0;32m'
exit 1 YELLOW='\033[1;33m'
fi NC='\033[0m' # No Color
# Überprüfen, ob pct verfügbar ist echo -e "${YELLOW}=== Gestoppte LXC Container finden ===${NC}\n"
if ! command -v pct &> /dev/null; then
echo "pct ist nicht installiert. Bitte installieren Sie es zuerst." >&2
exit 1
fi
# Alle gestoppten LXCs auf dem lokalen Node abrufen # Array für gestoppte Container
echo "Suche nach gestoppten LXCs auf diesem Node..." declare -a STOPPED_CTS
stopped_lxcs=$(pct list | awk '$2 == "stopped" {print $1}')
if [ -z "$stopped_lxcs" ]; then # Alle Container durchgehen und gestoppte finden
echo "Keine gestoppten LXCs auf diesem Node gefunden." while read -r line; do
VMID=$(echo "$line" | awk '{print $1}')
STATUS=$(echo "$line" | awk '{print $2}')
NAME=$(echo "$line" | awk '{print $3}')
if [[ "$STATUS" == "stopped" ]]; then
STOPPED_CTS+=("$VMID:$NAME")
echo -e " ${RED}[STOPPED]${NC} CT $VMID - $NAME"
fi
done < <(pct list | tail -n +2)
# Prüfen ob gestoppte Container gefunden wurden
if [[ ${#STOPPED_CTS[@]} -eq 0 ]]; then
echo -e "\n${GREEN}Keine gestoppten Container gefunden.${NC}"
exit 0 exit 0
fi fi
echo "Gefundene gestoppte LXCs auf diesem Node:" echo -e "\n${YELLOW}Gefunden: ${#STOPPED_CTS[@]} gestoppte Container${NC}\n"
echo "$stopped_lxcs" | while read -r lxc_id; do
lxc_name=$(pct config $lxc_id | grep '^hostname:' | awk '{print $2}')
echo " $lxc_id - $lxc_name"
done
# Bestätigung einholen # Bestätigung anfordern
read -p "Möchten Sie diese LXCs wirklich löschen? (y/n): " confirm read -p "Möchten Sie ALLE gestoppten Container unwiderruflich löschen? (ja/nein): " CONFIRM
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
echo "Löschvorgang abgebrochen." if [[ "$CONFIRM" != "ja" ]]; then
echo -e "${GREEN}Abgebrochen. Keine Container wurden gelöscht.${NC}"
exit 0 exit 0
fi fi
# LXCs löschen # Zweite Bestätigung
echo "Lösche gestoppte LXCs..." read -p "Sind Sie WIRKLICH sicher? Tippen Sie 'LÖSCHEN' ein: " CONFIRM2
for lxc_id in $stopped_lxcs; do
echo "Lösche LXC $lxc_id..." if [[ "$CONFIRM2" != "LÖSCHEN" ]]; then
pct destroy $lxc_id echo -e "${GREEN}Abgebrochen. Keine Container wurden gelöscht.${NC}"
if [ $? -eq 0 ]; then exit 0
echo "LXC $lxc_id erfolgreich gelöscht." fi
echo -e "\n${RED}=== Lösche Container ===${NC}\n"
# Container löschen
for CT in "${STOPPED_CTS[@]}"; do
VMID="${CT%%:*}"
NAME="${CT##*:}"
echo -n "Lösche CT $VMID ($NAME)... "
if pct destroy "$VMID" --purge 2>/dev/null; then
echo -e "${GREEN}OK${NC}"
else else
echo "Fehler beim Löschen von LXC $lxc_id." >&2 echo -e "${RED}FEHLER${NC}"
fi fi
done done
echo "Vorgang abgeschlossen." echo -e "\n${GREEN}=== Fertig ===${NC}"

419
install_flowise.sh Normal file
View File

@@ -0,0 +1,419 @@
#!/usr/bin/env bash
set -Eeuo pipefail
# =============================================================================
# Flowise LXC Installer
# =============================================================================
# Erstellt einen LXC-Container mit Docker + Flowise + PostgreSQL
# =============================================================================
SCRIPT_VERSION="1.0.0"
# Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}"
export DEBUG
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Log-Verzeichnis
LOG_DIR="${SCRIPT_DIR}/logs"
mkdir -p "${LOG_DIR}"
# Temporäre Log-Datei (wird später umbenannt nach Container-Hostname)
TEMP_LOG="${LOG_DIR}/install_flowise_$$.log"
FINAL_LOG=""
# Funktion zum Aufräumen bei Exit
cleanup_log() {
# Wenn FINAL_LOG gesetzt ist, umbenennen
if [[ -n "${FINAL_LOG}" && -f "${TEMP_LOG}" ]]; then
mv "${TEMP_LOG}" "${FINAL_LOG}"
fi
}
trap cleanup_log EXIT
# Alle Ausgaben in Log-Datei umleiten
# Bei DEBUG=1: auch auf stderr ausgeben (tee)
# Bei DEBUG=0: nur in Datei
if [[ "$DEBUG" == "1" ]]; then
# Debug-Modus: Ausgabe auf stderr UND in Datei
exec > >(tee -a "${TEMP_LOG}") 2>&1
else
# Normal-Modus: Nur in Datei, stdout bleibt für JSON frei
exec 3>&1 # stdout (fd 3) für JSON reservieren
exec > "${TEMP_LOG}" 2>&1
fi
source "${SCRIPT_DIR}/libsupabase.sh"
setup_traps
usage() {
cat >&2 <<'EOF'
Usage:
bash install_flowise.sh [options]
Core options:
--ctid <id> Force CT ID (optional). If omitted, a customer-safe CTID is generated.
--cores <n> (default: 4)
--memory <mb> (default: 4096)
--swap <mb> (default: 512)
--disk <gb> (default: 50)
--bridge <vmbrX> (default: vmbr0)
--storage <storage> (default: local-zfs)
--ip <dhcp|CIDR> (default: dhcp)
--vlan <id> VLAN tag for net0 (default: 90; set 0 to disable)
--privileged Create privileged CT (default: unprivileged)
--apt-proxy <url> Optional: APT proxy (e.g. http://192.168.45.2:3142) for Apt-Cacher NG
Domain / Flowise options:
--base-domain <domain> (default: userman.de) -> FQDN becomes fw-<unix>.domain
--flowise-user <user> (default: admin)
--flowise-pass <pass> Optional. If omitted, generated (policy compliant).
--debug Enable debug mode (show logs on stderr)
--help Show help
Notes:
- This script creates a Debian 12 LXC and provisions Docker + Flowise stack (Postgres + Flowise).
- At the end it prints a JSON with credentials and URLs.
EOF
}
# Defaults
DOCKER_REGISTRY_MIRROR="http://192.168.45.2:5000"
APT_PROXY=""
CTID=""
CORES="4"
MEMORY="4096"
SWAP="512"
DISK="50"
BRIDGE="vmbr0"
STORAGE="local-zfs"
IPCFG="dhcp"
VLAN="90"
UNPRIV="1"
BASE_DOMAIN="userman.de"
FLOWISE_USER="admin"
FLOWISE_PASS=""
# ---------------------------
# Arg parsing
# ---------------------------
while [[ $# -gt 0 ]]; do
case "$1" in
--ctid) CTID="${2:-}"; shift 2 ;;
--apt-proxy) APT_PROXY="${2:-}"; shift 2 ;;
--cores) CORES="${2:-}"; shift 2 ;;
--memory) MEMORY="${2:-}"; shift 2 ;;
--swap) SWAP="${2:-}"; shift 2 ;;
--disk) DISK="${2:-}"; shift 2 ;;
--bridge) BRIDGE="${2:-}"; shift 2 ;;
--storage) STORAGE="${2:-}"; shift 2 ;;
--ip) IPCFG="${2:-}"; shift 2 ;;
--vlan) VLAN="${2:-}"; shift 2 ;;
--privileged) UNPRIV="0"; shift 1 ;;
--base-domain) BASE_DOMAIN="${2:-}"; shift 2 ;;
--flowise-user) FLOWISE_USER="${2:-}"; shift 2 ;;
--flowise-pass) FLOWISE_PASS="${2:-}"; shift 2 ;;
--debug) DEBUG="1"; export DEBUG; shift 1 ;;
--help|-h) usage; exit 0 ;;
*) die "Unknown option: $1 (use --help)" ;;
esac
done
# ---------------------------
# Validation
# ---------------------------
[[ "$CORES" =~ ^[0-9]+$ ]] || die "--cores must be integer"
[[ "$MEMORY" =~ ^[0-9]+$ ]] || die "--memory must be integer"
[[ "$SWAP" =~ ^[0-9]+$ ]] || die "--swap must be integer"
[[ "$DISK" =~ ^[0-9]+$ ]] || die "--disk must be integer"
[[ "$UNPRIV" == "0" || "$UNPRIV" == "1" ]] || die "internal: UNPRIV invalid"
[[ "$VLAN" =~ ^[0-9]+$ ]] || die "--vlan must be integer (0 disables tagging)"
[[ -n "$BASE_DOMAIN" ]] || die "--base-domain must not be empty"
if [[ "$IPCFG" != "dhcp" ]]; then
[[ "$IPCFG" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || die "--ip must be dhcp or CIDR (e.g. 192.168.45.171/24)"
fi
if [[ -n "${APT_PROXY}" ]]; then
[[ "${APT_PROXY}" =~ ^http://[^/]+:[0-9]+$ ]] || die "--apt-proxy must look like http://IP:PORT (example: http://192.168.45.2:3142)"
fi
info "Script Version: ${SCRIPT_VERSION}"
info "Argument-Parsing OK"
if [[ -n "${APT_PROXY}" ]]; then
info "APT proxy enabled: ${APT_PROXY}"
else
info "APT proxy disabled"
fi
# ---------------------------
# Preflight Proxmox
# ---------------------------
need_cmd pct pvesm pveam pvesh grep date awk sed cut tr head
pve_storage_exists "$STORAGE" || die "Storage not found: $STORAGE"
pve_bridge_exists "$BRIDGE" || die "Bridge not found: $BRIDGE"
TEMPLATE="$(pve_template_ensure_debian12 "$STORAGE")"
info "Template OK: ${TEMPLATE}"
# Hostname / FQDN based on unix time (fw- prefix for Flowise)
UNIXTS="$(date +%s)"
CT_HOSTNAME="fw-${UNIXTS}"
FQDN="${CT_HOSTNAME}.${BASE_DOMAIN}"
# Log-Datei nach Container-Hostname benennen
FINAL_LOG="${LOG_DIR}/${CT_HOSTNAME}.log"
# CTID selection
if [[ -n "$CTID" ]]; then
[[ "$CTID" =~ ^[0-9]+$ ]] || die "--ctid must be integer"
if pve_vmid_exists_cluster "$CTID"; then
die "Forced CTID=${CTID} already exists in cluster"
fi
else
# unix time - 1000000000 (safe until 2038)
CTID="$(pve_ctid_from_unixtime "$UNIXTS")"
if pve_vmid_exists_cluster "$CTID"; then
die "Generated CTID=${CTID} already exists in cluster (unexpected). Try again in 1s."
fi
fi
# Flowise credentials defaults
if [[ -z "$FLOWISE_PASS" ]]; then
FLOWISE_PASS="$(gen_password_policy)"
else
password_policy_check "$FLOWISE_PASS" || die "--flowise-pass does not meet policy: 8+ chars, 1 number, 1 uppercase"
fi
info "CTID selected: ${CTID}"
info "SCRIPT_DIR=${SCRIPT_DIR}"
info "CT_HOSTNAME=${CT_HOSTNAME}"
info "FQDN=${FQDN}"
info "cores=${CORES} memory=${MEMORY}MB swap=${SWAP}MB disk=${DISK}GB"
info "bridge=${BRIDGE} storage=${STORAGE} ip=${IPCFG} vlan=${VLAN} unprivileged=${UNPRIV}"
# ---------------------------
# Step 1: Create CT
# ---------------------------
NET0="$(pve_build_net0 "$BRIDGE" "$IPCFG" "$VLAN")"
ROOTFS="${STORAGE}:${DISK}"
FEATURES="nesting=1,keyctl=1,fuse=1"
info "Step 1: Create CT"
info "Creating CT ${CTID} (${CT_HOSTNAME}) from ${TEMPLATE}"
pct create "${CTID}" "${TEMPLATE}" \
--hostname "${CT_HOSTNAME}" \
--cores "${CORES}" \
--memory "${MEMORY}" \
--swap "${SWAP}" \
--net0 "${NET0}" \
--rootfs "${ROOTFS}" \
--unprivileged "${UNPRIV}" \
--features "${FEATURES}" \
--start 0 \
--onboot yes
info "CT created (not started). Next step: start CT + wait for IP"
info "Starting CT ${CTID}"
pct start "${CTID}"
CT_IP="$(pct_wait_for_ip "${CTID}" || true)"
[[ -n "${CT_IP}" ]] || die "Could not determine CT IP after start"
info "Step 1 OK: LXC erstellt + IP ermittelt"
info "CT_HOSTNAME=${CT_HOSTNAME}"
info "CT_IP=${CT_IP}"
# ---------------------------
# Step 2: Provision inside CT (Docker + Locales + Base)
# ---------------------------
info "Step 2: Provisioning im CT (Docker + Locales + Base)"
# Optional: APT proxy (Apt-Cacher NG)
if [[ -n "${APT_PROXY}" ]]; then
pct_exec "${CTID}" "cat > /etc/apt/apt.conf.d/00aptproxy <<'EOF'
Acquire::http::Proxy \"${APT_PROXY}\";
Acquire::https::Proxy \"${APT_PROXY}\";
EOF"
pct_exec "$CTID" "apt-config dump | grep -i proxy || true"
fi
# Minimal base packages
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y ca-certificates curl gnupg lsb-release"
# Locales (avoid perl warnings + consistent system)
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y locales"
pct_exec "${CTID}" "sed -i 's/^# *de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/; s/^# *en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen || true"
pct_exec "${CTID}" "locale-gen >/dev/null || true"
pct_exec "${CTID}" "update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8 || true"
# Docker official repo (Debian 12 / bookworm)
pct_exec "${CTID}" "install -m 0755 -d /etc/apt/keyrings"
pct_exec "${CTID}" "curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
pct_exec "${CTID}" "chmod a+r /etc/apt/keyrings/docker.gpg"
pct_exec "${CTID}" "echo \"deb [arch=\$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \$(. /etc/os-release && echo \$VERSION_CODENAME) stable\" > /etc/apt/sources.list.d/docker.list"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get update -y"
pct_exec "${CTID}" "export DEBIAN_FRONTEND=noninteractive; apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"
# Create stack directories
pct_exec "${CTID}" "mkdir -p /opt/flowise-stack/volumes/postgres/data /opt/flowise-stack/volumes/flowise-data /opt/flowise-stack/sql"
info "Step 2 OK: Docker + Compose Plugin installiert, Locales gesetzt, Basis-Verzeichnisse erstellt"
# ---------------------------
# Step 3: Stack finalisieren + Secrets + Up + Checks
# ---------------------------
info "Step 3: Stack finalisieren + Secrets + Up + Checks"
# Secrets
PG_DB="flowise"
PG_USER="flowise"
PG_PASSWORD="$(gen_password_policy)"
FLOWISE_SECRETKEY="$(gen_hex_64)"
# Flowise configuration
FLOWISE_PORT="3000"
FLOWISE_HOST="${CT_IP}"
FLOWISE_EXTERNAL_URL="https://${FQDN}"
# Write .env into CT
pct_push_text "${CTID}" "/opt/flowise-stack/.env" "$(cat <<EOF
# PostgreSQL
PG_DB=${PG_DB}
PG_USER=${PG_USER}
PG_PASSWORD=${PG_PASSWORD}
# Flowise
FLOWISE_PORT=${FLOWISE_PORT}
FLOWISE_USERNAME=${FLOWISE_USER}
FLOWISE_PASSWORD=${FLOWISE_PASS}
FLOWISE_SECRETKEY_OVERWRITE=${FLOWISE_SECRETKEY}
# Database connection
DATABASE_TYPE=postgres
DATABASE_HOST=postgres
DATABASE_PORT=5432
DATABASE_NAME=${PG_DB}
DATABASE_USER=${PG_USER}
DATABASE_PASSWORD=${PG_PASSWORD}
# General
TZ=Europe/Berlin
EOF
)"
# init sql for pgvector (optional but useful for Flowise vector stores)
pct_push_text "${CTID}" "/opt/flowise-stack/sql/init_pgvector.sql" "$(cat <<'SQL'
CREATE EXTENSION IF NOT EXISTS vector;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
SQL
)"
# docker-compose.yml for Flowise
pct_push_text "${CTID}" "/opt/flowise-stack/docker-compose.yml" "$(cat <<'YML'
services:
postgres:
image: pgvector/pgvector:pg16
container_name: flowise-postgres
restart: unless-stopped
environment:
POSTGRES_DB: ${PG_DB}
POSTGRES_USER: ${PG_USER}
POSTGRES_PASSWORD: ${PG_PASSWORD}
volumes:
- ./volumes/postgres/data:/var/lib/postgresql/data
- ./sql:/docker-entrypoint-initdb.d:ro
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${PG_USER} -d ${PG_DB} || exit 1"]
interval: 10s
timeout: 5s
retries: 20
networks:
- flowise-net
flowise:
image: flowiseai/flowise:latest
container_name: flowise
restart: unless-stopped
depends_on:
postgres:
condition: service_healthy
ports:
- "${FLOWISE_PORT}:3000"
environment:
# --- Authentication ---
FLOWISE_USERNAME: ${FLOWISE_USERNAME}
FLOWISE_PASSWORD: ${FLOWISE_PASSWORD}
FLOWISE_SECRETKEY_OVERWRITE: ${FLOWISE_SECRETKEY_OVERWRITE}
# --- Database ---
DATABASE_TYPE: ${DATABASE_TYPE}
DATABASE_HOST: ${DATABASE_HOST}
DATABASE_PORT: ${DATABASE_PORT}
DATABASE_NAME: ${DATABASE_NAME}
DATABASE_USER: ${DATABASE_USER}
DATABASE_PASSWORD: ${DATABASE_PASSWORD}
# --- General ---
TZ: ${TZ}
# --- Logging ---
LOG_LEVEL: info
DEBUG: "false"
volumes:
- ./volumes/flowise-data:/root/.flowise
networks:
- flowise-net
networks:
flowise-net:
driver: bridge
YML
)"
# Docker Registry Mirror (if APT proxy is set)
if [[ -n "${APT_PROXY}" ]]; then
pct_exec "$CTID" "mkdir -p /etc/docker"
pct_exec "$CTID" "cat > /etc/docker/daemon.json <<EOF
{
\"registry-mirrors\": [\"${DOCKER_REGISTRY_MIRROR}\"]
}
EOF"
pct_exec "$CTID" "systemctl restart docker"
pct_exec "$CTID" "systemctl is-active docker"
pct_exec "$CTID" "docker info | grep -A2 -i 'Registry Mirrors'"
fi
# Pull + up
pct_exec "${CTID}" "cd /opt/flowise-stack && docker compose pull"
pct_exec "${CTID}" "cd /opt/flowise-stack && docker compose up -d"
pct_exec "${CTID}" "cd /opt/flowise-stack && docker compose ps"
# Wait for Flowise to be ready
info "Waiting for Flowise to be ready..."
sleep 10
# Final info
FLOWISE_INTERNAL_URL="http://${CT_IP}:${FLOWISE_PORT}/"
FLOWISE_EXTERNAL_URL="https://${FQDN}"
info "Step 3 OK: Stack deployed"
info "Flowise intern: ${FLOWISE_INTERNAL_URL}"
info "Flowise extern (geplant via OPNsense): ${FLOWISE_EXTERNAL_URL}"
# Machine-readable JSON output
JSON_OUTPUT="{\"ctid\":${CTID},\"hostname\":\"${CT_HOSTNAME}\",\"fqdn\":\"${FQDN}\",\"ip\":\"${CT_IP}\",\"vlan\":${VLAN},\"urls\":{\"flowise_internal\":\"${FLOWISE_INTERNAL_URL}\",\"flowise_external\":\"${FLOWISE_EXTERNAL_URL}\"},\"postgres\":{\"host\":\"postgres\",\"port\":5432,\"db\":\"${PG_DB}\",\"user\":\"${PG_USER}\",\"password\":\"${PG_PASSWORD}\"},\"flowise\":{\"username\":\"${FLOWISE_USER}\",\"password\":\"${FLOWISE_PASS}\",\"secret_key\":\"${FLOWISE_SECRETKEY}\"},\"log_file\":\"${FINAL_LOG}\"}"
if [[ "$DEBUG" == "1" ]]; then
# Debug-Modus: JSON normal ausgeben (formatiert für Lesbarkeit)
echo "$JSON_OUTPUT" | python3 -m json.tool 2>/dev/null || echo "$JSON_OUTPUT"
else
# Normal-Modus: JSON auf ursprüngliches stdout (fd 3) - kompakt
echo "$JSON_OUTPUT" >&3
fi

254
setup_flowise_account.sh Normal file
View File

@@ -0,0 +1,254 @@
#!/usr/bin/env bash
set -Eeuo pipefail
# =============================================================================
# Flowise Account Setup Script
# =============================================================================
# Erstellt den Administrator-Account für eine neue Flowise-Instanz
# über die Flowise API (/api/v1/organization/setup)
# =============================================================================
SCRIPT_VERSION="1.0.0"
# Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}"
export DEBUG
# Logging functions
log_ts() { date "+[%F %T]"; }
info() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) INFO: $*" >&2; return 0; }
warn() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) WARN: $*" >&2; return 0; }
die() {
if [[ "$DEBUG" == "1" ]]; then
echo "$(log_ts) ERROR: $*" >&2
else
echo "{\"error\": \"$*\"}"
fi
exit 1
}
# =============================================================================
# Usage
# =============================================================================
usage() {
cat >&2 <<'EOF'
Usage:
bash setup_flowise_account.sh [options]
Required options:
--url <url> Flowise base URL (e.g., https://fw-1768829679.userman.de)
--name <name> Administrator display name
--email <email> Administrator email (used as login)
--password <password> Administrator password (8+ chars, upper, lower, digit, special)
Optional:
--debug Enable debug mode (show logs on stderr)
--help Show this help
Password requirements:
- At least 8 characters
- At least one lowercase letter
- At least one uppercase letter
- At least one digit
- At least one special character
Examples:
# Setup account:
bash setup_flowise_account.sh \
--url https://fw-1768829679.userman.de \
--name "Admin User" \
--email admin@example.com \
--password "SecurePass1!"
# With debug output:
bash setup_flowise_account.sh --debug \
--url https://fw-1768829679.userman.de \
--name "Admin User" \
--email admin@example.com \
--password "SecurePass1!"
EOF
}
# =============================================================================
# Default values
# =============================================================================
FLOWISE_URL=""
ADMIN_NAME=""
ADMIN_EMAIL=""
ADMIN_PASSWORD=""
# =============================================================================
# Argument parsing
# =============================================================================
while [[ $# -gt 0 ]]; do
case "$1" in
--url) FLOWISE_URL="${2:-}"; shift 2 ;;
--name) ADMIN_NAME="${2:-}"; shift 2 ;;
--email) ADMIN_EMAIL="${2:-}"; shift 2 ;;
--password) ADMIN_PASSWORD="${2:-}"; shift 2 ;;
--debug) DEBUG="1"; export DEBUG; shift 1 ;;
--help|-h) usage; exit 0 ;;
*) die "Unknown option: $1 (use --help)" ;;
esac
done
# =============================================================================
# Validation
# =============================================================================
[[ -n "$FLOWISE_URL" ]] || die "--url is required"
[[ -n "$ADMIN_NAME" ]] || die "--name is required"
[[ -n "$ADMIN_EMAIL" ]] || die "--email is required"
[[ -n "$ADMIN_PASSWORD" ]] || die "--password is required"
# Validate email format
[[ "$ADMIN_EMAIL" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]] || die "Invalid email format: $ADMIN_EMAIL"
# Validate password policy (Flowise requirements)
validate_password() {
local p="$1"
[[ ${#p} -ge 8 ]] || return 1
[[ "$p" =~ [a-z] ]] || return 1
[[ "$p" =~ [A-Z] ]] || return 1
[[ "$p" =~ [0-9] ]] || return 1
[[ "$p" =~ [^a-zA-Z0-9] ]] || return 1
return 0
}
validate_password "$ADMIN_PASSWORD" || die "Password does not meet requirements: 8+ chars, lowercase, uppercase, digit, special character"
# Remove trailing slash from URL
FLOWISE_URL="${FLOWISE_URL%/}"
info "Script Version: ${SCRIPT_VERSION}"
info "Configuration:"
info " URL: ${FLOWISE_URL}"
info " Name: ${ADMIN_NAME}"
info " Email: ${ADMIN_EMAIL}"
info " Password: ********"
# =============================================================================
# Check if Flowise is reachable
# =============================================================================
info "Checking if Flowise is reachable..."
# Try to reach the organization-setup page
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -k "${FLOWISE_URL}/organization-setup" 2>/dev/null || echo "000")
if [[ "$HTTP_CODE" == "000" ]]; then
die "Cannot connect to Flowise at ${FLOWISE_URL}"
elif [[ "$HTTP_CODE" == "404" ]]; then
warn "Organization setup page not found (404). Account may already exist."
fi
info "Flowise is reachable (HTTP ${HTTP_CODE})"
# =============================================================================
# Create Account via API
# =============================================================================
info "Creating administrator account..."
# Prepare JSON payload
# Note: Flowise expects specific field names
JSON_PAYLOAD=$(cat <<EOF
{
"name": "${ADMIN_NAME}",
"email": "${ADMIN_EMAIL}",
"password": "${ADMIN_PASSWORD}"
}
EOF
)
info "Sending request to ${FLOWISE_URL}/api/v1/organization/setup"
# Make API request
RESPONSE=$(curl -s -k -X POST \
-H "Content-Type: application/json" \
-d "${JSON_PAYLOAD}" \
-w "\n%{http_code}" \
"${FLOWISE_URL}/api/v1/organization/setup" 2>&1)
# Extract HTTP code from last line
HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
info "HTTP Response Code: ${HTTP_CODE}"
info "Response Body: ${RESPONSE_BODY}"
# =============================================================================
# Handle Response
# =============================================================================
if [[ "$HTTP_CODE" == "200" || "$HTTP_CODE" == "201" ]]; then
info "Account created successfully!"
# Output result as JSON
if [[ "$DEBUG" == "1" ]]; then
cat <<EOF
{
"success": true,
"url": "${FLOWISE_URL}",
"email": "${ADMIN_EMAIL}",
"name": "${ADMIN_NAME}",
"message": "Account created successfully"
}
EOF
else
echo "{\"success\":true,\"url\":\"${FLOWISE_URL}\",\"email\":\"${ADMIN_EMAIL}\",\"name\":\"${ADMIN_NAME}\",\"message\":\"Account created successfully\"}"
fi
elif [[ "$HTTP_CODE" == "400" ]]; then
# Check if account already exists
if echo "$RESPONSE_BODY" | grep -qi "already exists\|already setup\|already registered"; then
warn "Account may already exist"
if [[ "$DEBUG" == "1" ]]; then
cat <<EOF
{
"success": false,
"url": "${FLOWISE_URL}",
"email": "${ADMIN_EMAIL}",
"error": "Account already exists",
"response": ${RESPONSE_BODY}
}
EOF
else
echo "{\"success\":false,\"url\":\"${FLOWISE_URL}\",\"email\":\"${ADMIN_EMAIL}\",\"error\":\"Account already exists\"}"
fi
exit 1
else
die "Bad request (400): ${RESPONSE_BODY}"
fi
elif [[ "$HTTP_CODE" == "404" ]]; then
# Try alternative endpoints
info "Trying alternative endpoint /api/v1/signup..."
RESPONSE=$(curl -s -k -X POST \
-H "Content-Type: application/json" \
-d "${JSON_PAYLOAD}" \
-w "\n%{http_code}" \
"${FLOWISE_URL}/api/v1/signup" 2>&1)
HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
if [[ "$HTTP_CODE" == "200" || "$HTTP_CODE" == "201" ]]; then
info "Account created successfully via /api/v1/signup!"
if [[ "$DEBUG" == "1" ]]; then
cat <<EOF
{
"success": true,
"url": "${FLOWISE_URL}",
"email": "${ADMIN_EMAIL}",
"name": "${ADMIN_NAME}",
"message": "Account created successfully"
}
EOF
else
echo "{\"success\":true,\"url\":\"${FLOWISE_URL}\",\"email\":\"${ADMIN_EMAIL}\",\"name\":\"${ADMIN_NAME}\",\"message\":\"Account created successfully\"}"
fi
else
die "API endpoint not found. Tried /api/v1/organization/setup and /api/v1/signup. Response: ${RESPONSE_BODY}"
fi
else
die "Unexpected response (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
fi

304
setup_nginx_proxy.sh
View File

@@ -8,6 +8,8 @@ set -Eeuo pipefail
# für eine neue n8n-Instanz über die OPNsense API. # für eine neue n8n-Instanz über die OPNsense API.
# ============================================================================= # =============================================================================
SCRIPT_VERSION="1.0.9"
# Debug mode: 0 = nur JSON, 1 = Logs auf stderr # Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}" DEBUG="${DEBUG:-0}"
export DEBUG export DEBUG
@@ -29,7 +31,9 @@ die() {
# Default Configuration # Default Configuration
# ============================================================================= # =============================================================================
# OPNsense kann über Hostname ODER IP angesprochen werden # OPNsense kann über Hostname ODER IP angesprochen werden
# Port 4444 ist der Standard-Port für die OPNsense WebUI/API
OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}" OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}"
OPNSENSE_PORT="${OPNSENSE_PORT:-4444}"
OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}" OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}"
OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}" OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}"
@@ -54,6 +58,7 @@ Required options (for proxy setup):
Optional: Optional:
--opnsense-host <ip> OPNsense IP or hostname (default: 192.168.45.1) --opnsense-host <ip> OPNsense IP or hostname (default: 192.168.45.1)
--opnsense-port <port> OPNsense WebUI/API port (default: 4444)
--certificate-uuid <uuid> UUID of the SSL certificate in OPNsense --certificate-uuid <uuid> UUID of the SSL certificate in OPNsense
--list-certificates List available certificates and exit --list-certificates List available certificates and exit
--test-connection Test API connection and exit --test-connection Test API connection and exit
@@ -67,10 +72,15 @@ Examples:
# Test API connection: # Test API connection:
bash setup_nginx_proxy.sh --test-connection --debug bash setup_nginx_proxy.sh --test-connection --debug
# Setup proxy: # Setup proxy for n8n (default port 5678):
bash setup_nginx_proxy.sh --ctid 768736636 --hostname sb-1768736636 \ bash setup_nginx_proxy.sh --ctid 768736636 --hostname sb-1768736636 \
--fqdn sb-1768736636.userman.de --backend-ip 192.168.45.135 --fqdn sb-1768736636.userman.de --backend-ip 192.168.45.135
# Setup proxy for Flowise (port 3000):
bash setup_nginx_proxy.sh --ctid 768736637 --hostname fw-1768736637 \
--fqdn fw-1768736637.userman.de --backend-ip 192.168.45.136 \
--backend-port 3000
# With custom OPNsense IP: # With custom OPNsense IP:
bash setup_nginx_proxy.sh --opnsense-host 192.168.45.1 --list-certificates bash setup_nginx_proxy.sh --opnsense-host 192.168.45.1 --list-certificates
EOF EOF
@@ -98,6 +108,7 @@ while [[ $# -gt 0 ]]; do
--backend-ip) BACKEND_IP="${2:-}"; shift 2 ;; --backend-ip) BACKEND_IP="${2:-}"; shift 2 ;;
--backend-port) BACKEND_PORT="${2:-}"; shift 2 ;; --backend-port) BACKEND_PORT="${2:-}"; shift 2 ;;
--opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;; --opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;;
--opnsense-port) OPNSENSE_PORT="${2:-}"; shift 2 ;;
--certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;; --certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;;
--list-certificates) LIST_CERTIFICATES="1"; shift 1 ;; --list-certificates) LIST_CERTIFICATES="1"; shift 1 ;;
--test-connection) TEST_CONNECTION="1"; shift 1 ;; --test-connection) TEST_CONNECTION="1"; shift 1 ;;
@@ -110,7 +121,7 @@ done
# ============================================================================= # =============================================================================
# API Base URL (nach Argument-Parsing setzen!) # API Base URL (nach Argument-Parsing setzen!)
# ============================================================================= # =============================================================================
API_BASE="https://${OPNSENSE_HOST}/api" API_BASE="https://${OPNSENSE_HOST}:${OPNSENSE_PORT}/api"
# ============================================================================= # =============================================================================
# API Helper Functions (MÜSSEN VOR list_certificates definiert werden!) # API Helper Functions (MÜSSEN VOR list_certificates definiert werden!)
@@ -128,28 +139,94 @@ api_request() {
info "API ${method} ${url}" info "API ${method} ${url}"
local response local response
local http_code
if [[ -n "$data" ]]; then if [[ -n "$data" ]]; then
response=$(curl -s -k -X "${method}" \ response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
-u "${auth}" \ -u "${auth}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "${data}" \ -d "${data}" \
"${url}" 2>&1) "${url}" 2>&1)
else else
response=$(curl -s -k -X "${method}" \ response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
-u "${auth}" \ -u "${auth}" \
"${url}" 2>&1) "${url}" 2>&1)
fi fi
# Extract HTTP code from last line
http_code=$(echo "$response" | tail -n1)
response=$(echo "$response" | sed '$d')
# Check for permission errors
if [[ "$http_code" == "401" ]]; then
warn "API Error 401: Unauthorized - Check API key and secret"
elif [[ "$http_code" == "403" ]]; then
warn "API Error 403: Forbidden - API user lacks permission for ${endpoint}"
elif [[ "$http_code" == "404" ]]; then
warn "API Error 404: Not Found - Endpoint ${endpoint} does not exist"
elif [[ "$http_code" -ge 400 ]]; then
warn "API Error ${http_code} for ${endpoint}"
fi
echo "$response" echo "$response"
} }
# Check API response for errors and return status
# Usage: if check_api_response "$response" "endpoint_name"; then ... fi
check_api_response() {
local response="$1"
local endpoint_name="$2"
# Check for JSON error responses
local status
status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'ok'))" 2>/dev/null || echo "ok")
if [[ "$status" == "403" ]]; then
die "Permission denied for ${endpoint_name}. Please add the required API permission in OPNsense: System > Access > Users > [API User] > Effective Privileges"
elif [[ "$status" == "401" ]]; then
die "Authentication failed for ${endpoint_name}. Check your API key and secret."
fi
# Check for validation errors
local validation_error
validation_error=$(echo "$response" | python3 -c "
import json,sys
try:
d=json.load(sys.stdin)
if 'validations' in d and d['validations']:
for field, errors in d['validations'].items():
print(f'{field}: {errors}')
except:
pass
" 2>/dev/null || true)
if [[ -n "$validation_error" ]]; then
warn "Validation errors: ${validation_error}"
return 1
fi
# Check for result status
local result
result=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('result', 'unknown'))" 2>/dev/null || echo "unknown")
if [[ "$result" == "failed" ]]; then
local message
message=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('message', 'Unknown error'))" 2>/dev/null || echo "Unknown error")
warn "API operation failed: ${message}"
return 1
fi
return 0
}
# Search for existing item by description # Search for existing item by description
# OPNsense NGINX API uses "search<Type>" format, e.g., searchUpstreamServer
search_by_description() { search_by_description() {
local endpoint="$1" local search_endpoint="$1"
local description="$2" local description="$2"
local response local response
response=$(api_request "GET" "${endpoint}/search") response=$(api_request "GET" "${search_endpoint}")
# Extract UUID where description matches # Extract UUID where description matches
echo "$response" | python3 -c " echo "$response" | python3 -c "
@@ -166,29 +243,22 @@ except:
" 2>/dev/null || true " 2>/dev/null || true
} }
# Find certificate by Common Name (CN) # Search for existing HTTP Server by servername
find_certificate_by_cn() { # HTTP Servers don't have a description field, they use servername
local cn_pattern="$1" search_http_server_by_servername() {
local servername="$1"
local response local response
response=$(api_request "GET" "/trust/cert/search") response=$(api_request "GET" "/nginx/settings/searchHttpServer")
# Extract UUID where CN contains the pattern (for wildcard certs) # Extract UUID where servername matches
echo "$response" | python3 -c " echo "$response" | python3 -c "
import json, sys import json, sys
pattern = '${cn_pattern}'
try: try:
data = json.load(sys.stdin) data = json.load(sys.stdin)
rows = data.get('rows', []) rows = data.get('rows', [])
for row in rows: for row in rows:
cn = row.get('cn', '') if row.get('servername', '') == '${servername}':
descr = row.get('descr', '')
# Match wildcard or exact domain
if pattern in cn or pattern in descr:
print(row.get('uuid', ''))
sys.exit(0)
# Also check for wildcard pattern
if cn.startswith('*.') and pattern.endswith(cn[2:]):
print(row.get('uuid', '')) print(row.get('uuid', ''))
sys.exit(0) sys.exit(0)
except: except:
@@ -196,36 +266,115 @@ except:
" 2>/dev/null || true " 2>/dev/null || true
} }
# Find certificate by Common Name (CN) or Description
# Returns the certificate ID used by NGINX API (not the full UUID)
find_certificate_by_cn() {
local cn_pattern="$1"
# First, get the certificate list from the HTTP Server schema
# This gives us the correct certificate IDs that NGINX expects
local response
response=$(api_request "GET" "/nginx/settings/getHttpServer")
# Extract certificate ID where description contains the pattern
echo "$response" | python3 -c "
import json, sys
pattern = '${cn_pattern}'.lower()
try:
data = json.load(sys.stdin)
certs = data.get('httpserver', {}).get('certificate', {})
for cert_id, cert_info in certs.items():
if cert_id: # Skip empty key
value = cert_info.get('value', '').lower()
if pattern in value:
print(cert_id)
sys.exit(0)
except Exception as e:
print(f'Error: {e}', file=sys.stderr)
" 2>/dev/null || true
}
# ============================================================================= # =============================================================================
# Utility Functions # Utility Functions
# ============================================================================= # =============================================================================
# Test API connection # Test API connection
test_connection() { test_connection() {
info "Testing API connection to OPNsense at ${OPNSENSE_HOST}..." info "Testing API connection to OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
echo "Testing various API endpoints..."
echo ""
# Test 1: Firmware status (general API access)
echo "1. Testing /core/firmware/status..."
local response local response
response=$(api_request "GET" "/core/firmware/status") response=$(api_request "GET" "/core/firmware/status")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'connection' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'status' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then echo " ✓ Firmware API: OK"
echo "✓ API connection successful to ${OPNSENSE_HOST}"
echo "Response: $(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d, indent=2)[:500])" 2>/dev/null || echo "$response")"
return 0
else else
echo "✗ API connection failed to ${OPNSENSE_HOST}" echo " ✗ Firmware API: FAILED"
echo "Response: $response" echo " Response: $response"
return 1
fi fi
# Test 2: NGINX settings (required for this script)
echo ""
echo "2. Testing /nginx/settings/searchHttpServer..."
response=$(api_request "GET" "/nginx/settings/searchHttpServer")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ NGINX HTTP Server API: OK"
local count
count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
echo " Found ${count} HTTP Server(s)"
else
echo " ✗ NGINX HTTP Server API: FAILED"
echo " Response: $response"
fi
# Test 3: NGINX upstream servers
echo ""
echo "3. Testing /nginx/settings/searchUpstreamServer..."
response=$(api_request "GET" "/nginx/settings/searchUpstreamServer")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ NGINX Upstream Server API: OK"
local count
count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
echo " Found ${count} Upstream Server(s)"
else
echo " ✗ NGINX Upstream Server API: FAILED"
echo " Response: $response"
fi
# Test 4: Trust/Certificates (optional)
echo ""
echo "4. Testing /trust/cert/search (optional)..."
response=$(api_request "GET" "/trust/cert/search")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ Trust/Cert API: OK"
else
local status
status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'unknown'))" 2>/dev/null || echo "unknown")
if [[ "$status" == "403" ]]; then
echo " ⚠ Trust/Cert API: 403 Forbidden (API user needs 'System: Trust: Certificates' permission)"
echo " Note: You can still use --certificate-uuid to specify the certificate manually"
else
echo " ✗ Trust/Cert API: FAILED"
echo " Response: $response"
fi
fi
echo ""
echo "Connection test complete."
return 0
} }
# List available certificates # List available certificates
list_certificates() { list_certificates() {
info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}..." info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
local response local response
response=$(api_request "GET" "/trust/cert/search") response=$(api_request "GET" "/trust/cert/search")
echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}):" echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}:${OPNSENSE_PORT}):"
echo "============================================================" echo "============================================================"
echo "$response" | python3 -c " echo "$response" | python3 -c "
import json, sys import json, sys
@@ -272,12 +421,13 @@ fi
[[ -n "$FQDN" ]] || die "--fqdn is required" [[ -n "$FQDN" ]] || die "--fqdn is required"
[[ -n "$BACKEND_IP" ]] || die "--backend-ip is required" [[ -n "$BACKEND_IP" ]] || die "--backend-ip is required"
info "Script Version: ${SCRIPT_VERSION}"
info "Configuration:" info "Configuration:"
info " CTID: ${CTID}" info " CTID: ${CTID}"
info " Hostname: ${HOSTNAME}" info " Hostname: ${HOSTNAME}"
info " FQDN: ${FQDN}" info " FQDN: ${FQDN}"
info " Backend: ${BACKEND_IP}:${BACKEND_PORT}" info " Backend: ${BACKEND_IP}:${BACKEND_PORT}"
info " OPNsense: ${OPNSENSE_HOST}" info " OPNsense: ${OPNSENSE_HOST}:${OPNSENSE_PORT}"
info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}" info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}"
# ============================================================================= # =============================================================================
@@ -294,8 +444,10 @@ create_upstream_server() {
# Check if upstream server already exists # Check if upstream server already exists
local existing_uuid local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/upstream_server" "${description}") existing_uuid=$(search_by_description "/nginx/settings/searchUpstreamServer" "${description}")
# Note: OPNsense API expects specific values
# no_use: empty string means "use this server" (not "0")
local data local data
data=$(cat <<EOF data=$(cat <<EOF
{ {
@@ -306,8 +458,7 @@ create_upstream_server() {
"priority": "1", "priority": "1",
"max_conns": "", "max_conns": "",
"max_fails": "", "max_fails": "",
"fail_timeout": "", "fail_timeout": ""
"no_use": "0"
} }
} }
EOF EOF
@@ -320,7 +471,21 @@ EOF
else else
info "Creating new Upstream Server..." info "Creating new Upstream Server..."
response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data") response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data")
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true) info "API Response: ${response}"
# OPNsense returns {"uuid":"xxx"} or {"result":"saved","uuid":"xxx"}
existing_uuid=$(echo "$response" | python3 -c "
import json,sys
try:
d = json.load(sys.stdin)
# Try different response formats
uuid = d.get('uuid', '')
if not uuid and 'rows' in d:
# Sometimes returns in rows format
uuid = d['rows'][0].get('uuid', '') if d['rows'] else ''
print(uuid)
except Exception as e:
print('', file=sys.stderr)
" 2>/dev/null || true)
fi fi
info "Upstream Server UUID: ${existing_uuid}" info "Upstream Server UUID: ${existing_uuid}"
@@ -336,7 +501,7 @@ create_upstream() {
# Check if upstream already exists # Check if upstream already exists
local existing_uuid local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/upstream" "${description}") existing_uuid=$(search_by_description "/nginx/settings/searchUpstream" "${description}")
local data local data
data=$(cat <<EOF data=$(cat <<EOF
@@ -379,7 +544,7 @@ create_location() {
# Check if location already exists # Check if location already exists
local existing_uuid local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/location" "${description}") existing_uuid=$(search_by_description "/nginx/settings/searchLocation" "${description}")
local data local data
data=$(cat <<EOF data=$(cat <<EOF
@@ -439,9 +604,9 @@ create_http_server() {
info "Step 4: Creating HTTP Server..." info "Step 4: Creating HTTP Server..."
# Check if HTTP server already exists # Check if HTTP server already exists (by servername, not description)
local existing_uuid local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/http_server" "${description}") existing_uuid=$(search_http_server_by_servername "${server_name}")
# Determine certificate configuration # Determine certificate configuration
local cert_config="" local cert_config=""
@@ -457,37 +622,49 @@ create_http_server() {
info "Using ACME/Let's Encrypt for certificate" info "Using ACME/Let's Encrypt for certificate"
fi fi
# HTTP Server configuration
# Note: API uses "httpserver" not "http_server"
# Required fields based on API schema
# listen_http_address: "80" and listen_https_address: "443" for standard ports
local data local data
data=$(cat <<EOF if [[ -n "$cert_uuid" ]]; then
data=$(cat <<EOF
{ {
"http_server": { "httpserver": {
"description": "${description}",
"servername": "${server_name}", "servername": "${server_name}",
"listen_http_address": "", "listen_http_address": "80",
"listen_http_port": "", "listen_https_address": "443",
"listen_https_address": "",
"listen_https_port": "443",
"locations": "${location_uuid}", "locations": "${location_uuid}",
"rewrites": "", "certificate": "${cert_uuid}",
"root": "", "verify_client": "off",
${cert_config} "access_log_format": "main",
"ca": "",
"verify_client": "",
"access_log_format": "",
"enable_acme_plugin": "${acme_config}",
"charset": "",
"https_only": "1", "https_only": "1",
"block_nonpublic_data": "0", "http2": "1",
"naxsi_extensive_log": "0", "sendfile": "1"
"sendfile": "1",
"security_header": "",
"limit_request_connections": "",
"limit_request_connections_burst": "",
"limit_request_connections_nodelay": "0"
} }
} }
EOF EOF
) )
else
# Without certificate, enable ACME support
data=$(cat <<EOF
{
"httpserver": {
"servername": "${server_name}",
"listen_http_address": "80",
"listen_https_address": "443",
"locations": "${location_uuid}",
"enable_acme_support": "1",
"verify_client": "off",
"access_log_format": "main",
"https_only": "1",
"http2": "1",
"sendfile": "1"
}
}
EOF
)
fi
local response local response
if [[ -n "$existing_uuid" ]]; then if [[ -n "$existing_uuid" ]]; then
@@ -496,7 +673,8 @@ EOF
else else
info "Creating new HTTP Server..." info "Creating new HTTP Server..."
response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data") response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data")
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true) info "API Response: ${response}"
existing_uuid=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('uuid',''))" 2>/dev/null || true)
fi fi
info "HTTP Server UUID: ${existing_uuid}" info "HTTP Server UUID: ${existing_uuid}"