scripts/fix_n8n_db_c_locale.sh.template

#!/bin/bash
################################################################################
# n8n PostgreSQL Permission Fix Script - C.utf8 Locale Version (TEMPLATE)
#
# Purpose: Fix PostgreSQL 15+ permission issues for n8n database
# Root Cause: 1) PostgreSQL 15+ removed default CREATE permission from PUBLIC
#             2) Debian 12 minimal system only has C.utf8 locale available
# Solution: Create database with C.utf8 locale and proper ownership
#
# Environment: Debian 12, PostgreSQL 16, n8n LXC Container (CT 113)
#
# USAGE:
#   1. Copy this template: cp fix_n8n_db_c_locale.sh.template fix_n8n_db_c_locale.sh
#   2. Set environment variable: export N8N_DB_PASSWORD="your_secure_password"
#   3. Run the script: bash fix_n8n_db_c_locale.sh
#   4. Delete the script after use: shred -u fix_n8n_db_c_locale.sh
#
# SECURITY NOTE: This template uses environment variables to avoid hardcoding
#                credentials in the repository. The actual script with embedded
#                credentials is excluded from git via .gitignore
################################################################################

set -euo pipefail

DB_NAME="n8n_db"
DB_USER="n8n_user"

# IMPORTANT: Set this environment variable before running the script
# Example: export N8N_DB_PASSWORD="your_secure_password_here"
DB_PASSWORD="${N8N_DB_PASSWORD:-}"

if [[ -z "$DB_PASSWORD" ]]; then
    echo "ERROR: N8N_DB_PASSWORD environment variable is not set"
    echo "Please set it before running this script:"
    echo "  export N8N_DB_PASSWORD='your_secure_password'"
    exit 1
fi

TIMESTAMP=$(date +%Y%m%d_%H%M%S)
LOG_FILE="/var/log/n8n_db_fix_${TIMESTAMP}.log"

# Color codes
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

log() {
    echo -e "${BLUE}[$(date +'%Y-%m-%d %H:%M:%S')]${NC} $1" | tee -a "$LOG_FILE"
}

log_success() {
    echo -e "${GREEN}[✓]${NC} $1" | tee -a "$LOG_FILE"
}

log_error() {
    echo -e "${RED}[✗]${NC} $1" | tee -a "$LOG_FILE"
}

echo "================================================================================"
echo "n8n PostgreSQL Permission Fix - C.utf8 Locale Version"
echo "================================================================================"
echo ""

log "Stopping n8n service..."
systemctl stop n8n || true
sleep 3
log_success "n8n service stopped"

log "Dropping existing database (if any) and recreating with C.UTF-8 locale..."
sudo -u postgres psql <<SQL 2>&1 | tee -a "$LOG_FILE"
-- Terminate any existing connections
SELECT pg_terminate_backend(pg_stat_activity.pid)
FROM pg_stat_activity
WHERE pg_stat_activity.datname = '$DB_NAME'
  AND pid <> pg_backend_pid();

-- Drop database if exists
DROP DATABASE IF EXISTS $DB_NAME;

-- Create database with C.utf8 locale (Debian 12 system locale)
CREATE DATABASE $DB_NAME
    OWNER $DB_USER
    ENCODING 'UTF8'
    LC_COLLATE = 'C.utf8'
    LC_CTYPE = 'C.utf8'
    TEMPLATE template0;

-- Connect to the database
\c $DB_NAME

-- Grant all privileges on the public schema (PostgreSQL 15+ fix)
GRANT ALL ON SCHEMA public TO $DB_USER;

-- Grant all privileges on all current and future objects
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO $DB_USER;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO $DB_USER;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO $DB_USER;

-- Set default privileges for future objects
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $DB_USER;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO $DB_USER;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO $DB_USER;

-- Verify database settings
SELECT datname, datcollate, datctype, pg_get_userbyid(datdba) as owner
FROM pg_database
WHERE datname = '$DB_NAME';
SQL

log_success "Database recreated with C.utf8 locale and proper permissions"

log "Testing database permissions..."
PGPASSWORD="$DB_PASSWORD" psql -h localhost -U $DB_USER -d $DB_NAME <<SQL 2>&1 | tee -a "$LOG_FILE"
-- Test table creation (this is what was failing before)
CREATE TABLE test_table (id SERIAL PRIMARY KEY, test_data VARCHAR(100));
INSERT INTO test_table (test_data) VALUES ('Permission test successful');
SELECT * FROM test_table;
DROP TABLE test_table;

-- Display current user and database
SELECT current_user, current_database();
SQL

if [[ $? -eq 0 ]]; then
    log_success "Permission test PASSED - n8n_user can create tables"
else
    log_error "Permission test FAILED"
    exit 1
fi

log "Starting n8n service..."
systemctl start n8n
sleep 10

if systemctl is-active --quiet n8n; then
    log_success "n8n service started successfully"
else
    log_error "n8n service failed to start - check logs"
    journalctl -u n8n -n 30
    exit 1
fi

echo ""
echo "================================================================================"
log_success "n8n DATABASE FIX COMPLETED SUCCESSFULLY"
echo "================================================================================"
echo ""
echo "✅ Database created with:"
echo "   - Locale: C.utf8 (Debian 12 system locale)"
echo "   - Owner: n8n_user"
echo "   - Permissions: Full CREATE access on public schema"
echo ""
echo "📋 Next Steps:"
echo "   1. Monitor service: systemctl status n8n"
echo "   2. Watch logs: journalctl -u n8n -f"
echo "   3. Test access: https://n8n.apophisnetworking.net"
echo ""
echo "📄 Log file: $LOG_FILE"
echo ""
echo "🔒 SECURITY: Remember to delete this script after use:"
echo "   shred -u $(readlink -f "$0")"
echo "================================================================================"
feat(security): implement template-based credential management for sensitive configurations Introduce template-based approach to prevent credential exposure in version control. This security enhancement establishes a standard pattern for managing sensitive data across the homelab repository. Changes: - Create services/homepage/services.yaml.template with env var placeholders * Replace 7 hardcoded credentials with ${VARIABLE_NAME} format * Add OPNSense, Proxmox, Plex, Radarr, Sonarr, Deluge placeholders - Create scripts/fix_n8n_db_c_locale.sh.template with env var validation * Remove hardcoded PostgreSQL password * Add N8N_DB_PASSWORD environment variable requirement * Include security reminder to shred script after use - Update .gitignore with explicit exclusions for sensitive files * Add services/homepage/services.yaml exclusion * Add scripts/fix_n8n_db_c_locale.sh exclusion - Create services/homepage/README.md with comprehensive setup guide * Document environment variable usage (recommended method) * Provide API key acquisition instructions for all services * Include troubleshooting and security best practices - Update scripts/README.md with template pattern documentation * Add fix_n8n_db_c_locale.sh template usage instructions * Create "Template-Based Script Pattern" section * Enhance security guidelines with shred usage Template Pattern Benefits: - Repository remains credential-free - Templates serve as documentation - Easy to recreate configs on new systems - Supports CI/CD pipelines with secret injection Security Validation: - No API keys in staged files (verified) - No passwords in staged files (verified) - .gitignore properly excludes sensitive files - Templates contain clear usage instructions Related: n8n troubleshooting (CLAUDE_STATUS.md), Docker Compose migration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-02 19:49:28 -07:00			`#!/bin/bash`
			`################################################################################`
			`# n8n PostgreSQL Permission Fix Script - C.utf8 Locale Version (TEMPLATE)`
			`#`
			`# Purpose: Fix PostgreSQL 15+ permission issues for n8n database`
			`# Root Cause: 1) PostgreSQL 15+ removed default CREATE permission from PUBLIC`
			`# 2) Debian 12 minimal system only has C.utf8 locale available`
			`# Solution: Create database with C.utf8 locale and proper ownership`
			`#`
			`# Environment: Debian 12, PostgreSQL 16, n8n LXC Container (CT 113)`
			`#`
			`# USAGE:`
			`# 1. Copy this template: cp fix_n8n_db_c_locale.sh.template fix_n8n_db_c_locale.sh`
			`# 2. Set environment variable: export N8N_DB_PASSWORD="your_secure_password"`
			`# 3. Run the script: bash fix_n8n_db_c_locale.sh`
			`# 4. Delete the script after use: shred -u fix_n8n_db_c_locale.sh`
			`#`
			`# SECURITY NOTE: This template uses environment variables to avoid hardcoding`
			`# credentials in the repository. The actual script with embedded`
			`# credentials is excluded from git via .gitignore`
			`################################################################################`

			`set -euo pipefail`

			`DB_NAME="n8n_db"`
			`DB_USER="n8n_user"`

			`# IMPORTANT: Set this environment variable before running the script`
			`# Example: export N8N_DB_PASSWORD="your_secure_password_here"`
			`DB_PASSWORD="${N8N_DB_PASSWORD:-}"`

			`if [[ -z "$DB_PASSWORD" ]]; then`
			`echo "ERROR: N8N_DB_PASSWORD environment variable is not set"`
			`echo "Please set it before running this script:"`
			`echo " export N8N_DB_PASSWORD='your_secure_password'"`
			`exit 1`
			`fi`

			`TIMESTAMP=$(date +%Y%m%d_%H%M%S)`
			`LOG_FILE="/var/log/n8n_db_fix_${TIMESTAMP}.log"`

			`# Color codes`
			`RED='\033[0;31m'`
			`GREEN='\033[0;32m'`
			`YELLOW='\033[1;33m'`
			`BLUE='\033[0;34m'`
			`NC='\033[0m'`

			`log() {`
			`echo -e "${BLUE}[$(date +'%Y-%m-%d %H:%M:%S')]${NC} $1" \| tee -a "$LOG_FILE"`
			`}`

			`log_success() {`
			`echo -e "${GREEN}[✓]${NC} $1" \| tee -a "$LOG_FILE"`
			`}`

			`log_error() {`
			`echo -e "${RED}[✗]${NC} $1" \| tee -a "$LOG_FILE"`
			`}`

			`echo "================================================================================"`
			`echo "n8n PostgreSQL Permission Fix - C.utf8 Locale Version"`
			`echo "================================================================================"`
			`echo ""`

			`log "Stopping n8n service..."`
			`systemctl stop n8n \|\| true`
			`sleep 3`
			`log_success "n8n service stopped"`

			`log "Dropping existing database (if any) and recreating with C.UTF-8 locale..."`
			`sudo -u postgres psql <<SQL 2>&1 \| tee -a "$LOG_FILE"`
			`-- Terminate any existing connections`
			`SELECT pg_terminate_backend(pg_stat_activity.pid)`
			`FROM pg_stat_activity`
			`WHERE pg_stat_activity.datname = '$DB_NAME'`
			`AND pid <> pg_backend_pid();`

			`-- Drop database if exists`
			`DROP DATABASE IF EXISTS $DB_NAME;`

			`-- Create database with C.utf8 locale (Debian 12 system locale)`
			`CREATE DATABASE $DB_NAME`
			`OWNER $DB_USER`
			`ENCODING 'UTF8'`
			`LC_COLLATE = 'C.utf8'`
			`LC_CTYPE = 'C.utf8'`
			`TEMPLATE template0;`

			`-- Connect to the database`
			`\c $DB_NAME`

			`-- Grant all privileges on the public schema (PostgreSQL 15+ fix)`
			`GRANT ALL ON SCHEMA public TO $DB_USER;`

			`-- Grant all privileges on all current and future objects`
			`GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO $DB_USER;`
			`GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO $DB_USER;`
			`GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO $DB_USER;`

			`-- Set default privileges for future objects`
			`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $DB_USER;`
			`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO $DB_USER;`
			`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO $DB_USER;`

			`-- Verify database settings`
			`SELECT datname, datcollate, datctype, pg_get_userbyid(datdba) as owner`
			`FROM pg_database`
			`WHERE datname = '$DB_NAME';`
			`SQL`

			`log_success "Database recreated with C.utf8 locale and proper permissions"`

			`log "Testing database permissions..."`
			`PGPASSWORD="$DB_PASSWORD" psql -h localhost -U $DB_USER -d $DB_NAME <<SQL 2>&1 \| tee -a "$LOG_FILE"`
			`-- Test table creation (this is what was failing before)`
			`CREATE TABLE test_table (id SERIAL PRIMARY KEY, test_data VARCHAR(100));`
			`INSERT INTO test_table (test_data) VALUES ('Permission test successful');`
			`SELECT * FROM test_table;`
			`DROP TABLE test_table;`

			`-- Display current user and database`
			`SELECT current_user, current_database();`
			`SQL`

			`if [[ $? -eq 0 ]]; then`
			`log_success "Permission test PASSED - n8n_user can create tables"`
			`else`
			`log_error "Permission test FAILED"`
			`exit 1`
			`fi`

			`log "Starting n8n service..."`
			`systemctl start n8n`
			`sleep 10`

			`if systemctl is-active --quiet n8n; then`
			`log_success "n8n service started successfully"`
			`else`
			`log_error "n8n service failed to start - check logs"`
			`journalctl -u n8n -n 30`
			`exit 1`
			`fi`

			`echo ""`
			`echo "================================================================================"`
			`log_success "n8n DATABASE FIX COMPLETED SUCCESSFULLY"`
			`echo "================================================================================"`
			`echo ""`
			`echo "✅ Database created with:"`
			`echo " - Locale: C.utf8 (Debian 12 system locale)"`
			`echo " - Owner: n8n_user"`
			`echo " - Permissions: Full CREATE access on public schema"`
			`echo ""`
			`echo "📋 Next Steps:"`
			`echo " 1. Monitor service: systemctl status n8n"`
			`echo " 2. Watch logs: journalctl -u n8n -f"`
			`echo " 3. Test access: https://n8n.apophisnetworking.net"`
			`echo ""`
			`echo "📄 Log file: $LOG_FILE"`
			`echo ""`
			`echo "🔒 SECURITY: Remember to delete this script after use:"`
			`echo " shred -u $(readlink -f "$0")"`
			`echo "================================================================================"`