2025-02-24 11:22:43 +01:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
|
2026-01-06 13:28:12 +01:00
|
|
|
# Copyright (c) 2021-2026 community-scripts ORG
|
2025-02-24 11:22:43 +01:00
|
|
|
# Author: thost96 (thost96)
|
|
|
|
|
# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
|
several scripts: add additional github link in source (#12282)
* fix(error-handler): prevent silent() from re-enabling error handling during recovery
Root cause: silent() (core.func) unconditionally calls set -Eeuo pipefail
and trap 'error_handler' ERR after every command. When build_container()
intentionally disables error handling for its recovery section, any
intermediate call through silent()/ re-enables it. This causes the
grep/sed pipeline for missing_cmd extraction to trigger error_handler
(grep returns exit code 1 on no match + pipefail = fatal).
Fixes:
1. silent(): Save errexit state before disabling, only restore if it was
active. Callers that intentionally disabled error handling (e.g.
build_container recovery) are no longer silently re-enabled.
2. build.func: Add || true to missing_cmd grep pipeline as defense-in-depth
against pipeline failure propagation.
3. build.func: Add explicit set +Eeuo pipefail / trap - ERR after
post_update_to_api() call, before error classification grep/sed section.
4. build.func: Remove stale global combined_log variable from variables()
that used a different path format (/tmp/install-SESSION-combined.log)
than the actual local variable (/tmp/NSAPP-CTID-SESSION.log). The global
was never written to and caused confusion when error_handler displayed it.
* Update build.func
* chore(install): add Github source links to all setup_nodejs scripts
52 install scripts had a project website in '# Source:' but no GitHub
link. Merged the GitHub repo URL into the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Repos sourced from fetch_and_deploy_gh_release calls, get_latest_github_release
calls, or known project repos for npm/pip installed apps.
Two scripts (fumadocs, pve-scripts-local) had no Source line at all —
added one. Shinobi skipped (GitLab-only, no GitHub repo).
* chore(install): add Github source links to all fetch_and_deploy scripts
77 additional install scripts had fetch_and_deploy_gh_release calls but
no GitHub link in the Source header. Merged the primary app repo into
the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Where multiple fetch_and_deploy calls existed (app + dependency), the
primary app repo was selected:
- ersatztv: ErsatzTV/ErsatzTV (not ffmpeg)
- firefly: firefly-iii/firefly-iii (not data-importer)
- komga: gotson/komga (not kepubify dep)
- sabnzbd: sabnzbd/sabnzbd (not par2cmdline-turbo dep)
- signoz: SigNoz/signoz (not otel-collector)
- tunarr: chrisbenincasa/tunarr (not ffmpeg dep)
Also fixed cosmos-install.sh double https:// in Source URL.
Skipped: autocaliweb (source already on codeberg, GitHub repos are deps only)
* revert: restore misc/build.func and misc/core.func to main state
These error-handler fixes belong to fix/error-handler-recovery, not to
this sources-only branch.
* chore(ct,tools): sync Source headers with install/ and add Github links to addon scripts
2026-02-24 15:11:53 +01:00
|
|
|
# Source: https://www.authelia.com/ | Github: https://github.com/authelia/authelia
|
2025-02-24 11:22:43 +01:00
|
|
|
|
2025-03-24 14:20:56 +01:00
|
|
|
source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
|
2025-02-24 11:22:43 +01:00
|
|
|
color
|
|
|
|
|
verb_ip6
|
|
|
|
|
catch_errors
|
|
|
|
|
setting_up_container
|
|
|
|
|
network_check
|
|
|
|
|
update_os
|
|
|
|
|
|
2025-07-05 18:02:26 +02:00
|
|
|
fetch_and_deploy_gh_release "authelia" "authelia/authelia" "binary"
|
2025-02-24 11:22:43 +01:00
|
|
|
|
2026-01-23 21:54:23 +01:00
|
|
|
MAX_ATTEMPTS=3
|
|
|
|
|
attempt=0
|
|
|
|
|
while true; do
|
2026-01-24 18:20:53 +01:00
|
|
|
attempt=$((attempt + 1))
|
2026-01-23 21:54:23 +01:00
|
|
|
read -rp "${TAB3}Enter your domain or IP (ex. example.com or 192.168.1.100): " DOMAIN
|
|
|
|
|
if [[ -z "$DOMAIN" ]]; then
|
|
|
|
|
if ((attempt >= MAX_ATTEMPTS)); then
|
|
|
|
|
DOMAIN="${LOCAL_IP:-localhost}"
|
|
|
|
|
msg_warn "Using fallback: $DOMAIN"
|
|
|
|
|
break
|
|
|
|
|
fi
|
|
|
|
|
msg_warn "Domain cannot be empty! (Attempt $attempt/$MAX_ATTEMPTS)"
|
|
|
|
|
elif [[ "$DOMAIN" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
|
|
|
|
|
valid_ip=true
|
several scripts: add additional github link in source (#12282)
* fix(error-handler): prevent silent() from re-enabling error handling during recovery
Root cause: silent() (core.func) unconditionally calls set -Eeuo pipefail
and trap 'error_handler' ERR after every command. When build_container()
intentionally disables error handling for its recovery section, any
intermediate call through silent()/ re-enables it. This causes the
grep/sed pipeline for missing_cmd extraction to trigger error_handler
(grep returns exit code 1 on no match + pipefail = fatal).
Fixes:
1. silent(): Save errexit state before disabling, only restore if it was
active. Callers that intentionally disabled error handling (e.g.
build_container recovery) are no longer silently re-enabled.
2. build.func: Add || true to missing_cmd grep pipeline as defense-in-depth
against pipeline failure propagation.
3. build.func: Add explicit set +Eeuo pipefail / trap - ERR after
post_update_to_api() call, before error classification grep/sed section.
4. build.func: Remove stale global combined_log variable from variables()
that used a different path format (/tmp/install-SESSION-combined.log)
than the actual local variable (/tmp/NSAPP-CTID-SESSION.log). The global
was never written to and caused confusion when error_handler displayed it.
* Update build.func
* chore(install): add Github source links to all setup_nodejs scripts
52 install scripts had a project website in '# Source:' but no GitHub
link. Merged the GitHub repo URL into the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Repos sourced from fetch_and_deploy_gh_release calls, get_latest_github_release
calls, or known project repos for npm/pip installed apps.
Two scripts (fumadocs, pve-scripts-local) had no Source line at all —
added one. Shinobi skipped (GitLab-only, no GitHub repo).
* chore(install): add Github source links to all fetch_and_deploy scripts
77 additional install scripts had fetch_and_deploy_gh_release calls but
no GitHub link in the Source header. Merged the primary app repo into
the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Where multiple fetch_and_deploy calls existed (app + dependency), the
primary app repo was selected:
- ersatztv: ErsatzTV/ErsatzTV (not ffmpeg)
- firefly: firefly-iii/firefly-iii (not data-importer)
- komga: gotson/komga (not kepubify dep)
- sabnzbd: sabnzbd/sabnzbd (not par2cmdline-turbo dep)
- signoz: SigNoz/signoz (not otel-collector)
- tunarr: chrisbenincasa/tunarr (not ffmpeg dep)
Also fixed cosmos-install.sh double https:// in Source URL.
Skipped: autocaliweb (source already on codeberg, GitHub repos are deps only)
* revert: restore misc/build.func and misc/core.func to main state
These error-handler fixes belong to fix/error-handler-recovery, not to
this sources-only branch.
* chore(ct,tools): sync Source headers with install/ and add Github links to addon scripts
2026-02-24 15:11:53 +01:00
|
|
|
IFS='.' read -ra octets <<<"$DOMAIN"
|
2026-01-23 21:54:23 +01:00
|
|
|
for octet in "${octets[@]}"; do
|
|
|
|
|
if ((octet > 255)); then
|
|
|
|
|
valid_ip=false
|
|
|
|
|
break
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
if $valid_ip; then
|
|
|
|
|
break
|
|
|
|
|
else
|
|
|
|
|
msg_warn "Invalid IP address!"
|
|
|
|
|
fi
|
|
|
|
|
elif [[ "$DOMAIN" =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$ ]]; then
|
|
|
|
|
break
|
|
|
|
|
else
|
|
|
|
|
msg_warn "Invalid domain format!"
|
|
|
|
|
fi
|
|
|
|
|
done
|
2025-02-24 11:22:43 +01:00
|
|
|
msg_info "Setting Authelia up"
|
|
|
|
|
touch /etc/authelia/emails.txt
|
2025-03-24 14:20:56 +01:00
|
|
|
JWT_SECRET=$(openssl rand -hex 64)
|
|
|
|
|
SESSION_SECRET=$(openssl rand -hex 64)
|
|
|
|
|
STORAGE_KEY=$(openssl rand -hex 64)
|
2026-01-24 23:22:50 +01:00
|
|
|
|
|
|
|
|
if [[ "$DOMAIN" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
|
|
|
|
|
AUTHELIA_URL="https://${DOMAIN}:9091"
|
|
|
|
|
else
|
|
|
|
|
AUTHELIA_URL="https://auth.${DOMAIN}"
|
|
|
|
|
fi
|
several scripts: add additional github link in source (#12282)
* fix(error-handler): prevent silent() from re-enabling error handling during recovery
Root cause: silent() (core.func) unconditionally calls set -Eeuo pipefail
and trap 'error_handler' ERR after every command. When build_container()
intentionally disables error handling for its recovery section, any
intermediate call through silent()/ re-enables it. This causes the
grep/sed pipeline for missing_cmd extraction to trigger error_handler
(grep returns exit code 1 on no match + pipefail = fatal).
Fixes:
1. silent(): Save errexit state before disabling, only restore if it was
active. Callers that intentionally disabled error handling (e.g.
build_container recovery) are no longer silently re-enabled.
2. build.func: Add || true to missing_cmd grep pipeline as defense-in-depth
against pipeline failure propagation.
3. build.func: Add explicit set +Eeuo pipefail / trap - ERR after
post_update_to_api() call, before error classification grep/sed section.
4. build.func: Remove stale global combined_log variable from variables()
that used a different path format (/tmp/install-SESSION-combined.log)
than the actual local variable (/tmp/NSAPP-CTID-SESSION.log). The global
was never written to and caused confusion when error_handler displayed it.
* Update build.func
* chore(install): add Github source links to all setup_nodejs scripts
52 install scripts had a project website in '# Source:' but no GitHub
link. Merged the GitHub repo URL into the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Repos sourced from fetch_and_deploy_gh_release calls, get_latest_github_release
calls, or known project repos for npm/pip installed apps.
Two scripts (fumadocs, pve-scripts-local) had no Source line at all —
added one. Shinobi skipped (GitLab-only, no GitHub repo).
* chore(install): add Github source links to all fetch_and_deploy scripts
77 additional install scripts had fetch_and_deploy_gh_release calls but
no GitHub link in the Source header. Merged the primary app repo into
the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Where multiple fetch_and_deploy calls existed (app + dependency), the
primary app repo was selected:
- ersatztv: ErsatzTV/ErsatzTV (not ffmpeg)
- firefly: firefly-iii/firefly-iii (not data-importer)
- komga: gotson/komga (not kepubify dep)
- sabnzbd: sabnzbd/sabnzbd (not par2cmdline-turbo dep)
- signoz: SigNoz/signoz (not otel-collector)
- tunarr: chrisbenincasa/tunarr (not ffmpeg dep)
Also fixed cosmos-install.sh double https:// in Source URL.
Skipped: autocaliweb (source already on codeberg, GitHub repos are deps only)
* revert: restore misc/build.func and misc/core.func to main state
These error-handler fixes belong to fix/error-handler-recovery, not to
this sources-only branch.
* chore(ct,tools): sync Source headers with install/ and add Github links to addon scripts
2026-02-24 15:11:53 +01:00
|
|
|
echo "$AUTHELIA_URL" >/etc/authelia/.authelia_url
|
2026-01-24 23:22:50 +01:00
|
|
|
|
2025-02-24 11:22:43 +01:00
|
|
|
cat <<EOF >/etc/authelia/users.yml
|
|
|
|
|
users:
|
|
|
|
|
authelia:
|
|
|
|
|
disabled: false
|
|
|
|
|
displayname: "Authelia Admin"
|
2025-02-24 13:40:09 +01:00
|
|
|
password: "\$argon2id\$v=19\$m=65536,t=3,p=4\$ZBopMzXrzhHXPEZxRDVT2w\$SxWm96DwhOsZyn34DLocwQEIb4kCDsk632PuiMdZnig"
|
2025-02-24 11:22:43 +01:00
|
|
|
groups: []
|
|
|
|
|
EOF
|
|
|
|
|
cat <<EOF >/etc/authelia/configuration.yml
|
|
|
|
|
authentication_backend:
|
|
|
|
|
file:
|
|
|
|
|
path: /etc/authelia/users.yml
|
|
|
|
|
access_control:
|
|
|
|
|
default_policy: one_factor
|
|
|
|
|
session:
|
|
|
|
|
secret: "${SESSION_SECRET}"
|
|
|
|
|
name: 'authelia_session'
|
|
|
|
|
same_site: 'lax'
|
|
|
|
|
inactivity: '5m'
|
|
|
|
|
expiration: '1h'
|
|
|
|
|
remember_me: '1M'
|
|
|
|
|
cookies:
|
|
|
|
|
- domain: "${DOMAIN}"
|
2026-01-24 23:22:50 +01:00
|
|
|
authelia_url: "${AUTHELIA_URL}"
|
2025-02-24 11:22:43 +01:00
|
|
|
storage:
|
|
|
|
|
encryption_key: "${STORAGE_KEY}"
|
|
|
|
|
local:
|
|
|
|
|
path: /etc/authelia/db.sqlite
|
|
|
|
|
identity_validation:
|
|
|
|
|
reset_password:
|
|
|
|
|
jwt_secret: "${JWT_SECRET}"
|
|
|
|
|
jwt_lifespan: '5 minutes'
|
|
|
|
|
jwt_algorithm: 'HS256'
|
|
|
|
|
notifier:
|
|
|
|
|
filesystem:
|
|
|
|
|
filename: /etc/authelia/emails.txt
|
|
|
|
|
EOF
|
2025-04-02 18:52:38 +02:00
|
|
|
touch /etc/authelia/emails.txt
|
|
|
|
|
chown -R authelia:authelia /etc/authelia
|
2025-02-24 11:22:43 +01:00
|
|
|
systemctl enable -q --now authelia
|
|
|
|
|
msg_ok "Authelia Setup completed"
|
|
|
|
|
|
|
|
|
|
motd_ssh
|
|
|
|
|
customize
|
2025-11-22 17:27:13 +01:00
|
|
|
cleanup_lxc
|
