jramos/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eec4c4b29876feef8d8d77900b9237f083384af8
homelab/scripts/fix_n8n_db_c_locale.sh.template
Jordan Ramos eec4c4b298 feat(security): implement template-based credential management for sensitive configurations 
Introduce template-based approach to prevent credential exposure in version control.
This security enhancement establishes a standard pattern for managing sensitive data
across the homelab repository.

Changes:
- Create services/homepage/services.yaml.template with env var placeholders
  * Replace 7 hardcoded credentials with ${VARIABLE_NAME} format
  * Add OPNSense, Proxmox, Plex, Radarr, Sonarr, Deluge placeholders
- Create scripts/fix_n8n_db_c_locale.sh.template with env var validation
  * Remove hardcoded PostgreSQL password
  * Add N8N_DB_PASSWORD environment variable requirement
  * Include security reminder to shred script after use
- Update .gitignore with explicit exclusions for sensitive files
  * Add services/homepage/services.yaml exclusion
  * Add scripts/fix_n8n_db_c_locale.sh exclusion
- Create services/homepage/README.md with comprehensive setup guide
  * Document environment variable usage (recommended method)
  * Provide API key acquisition instructions for all services
  * Include troubleshooting and security best practices
- Update scripts/README.md with template pattern documentation
  * Add fix_n8n_db_c_locale.sh template usage instructions
  * Create "Template-Based Script Pattern" section
  * Enhance security guidelines with shred usage

Template Pattern Benefits:
- Repository remains credential-free
- Templates serve as documentation
- Easy to recreate configs on new systems
- Supports CI/CD pipelines with secret injection

Security Validation:
- No API keys in staged files (verified)
- No passwords in staged files (verified)
- .gitignore properly excludes sensitive files
- Templates contain clear usage instructions

Related: n8n troubleshooting (CLAUDE_STATUS.md), Docker Compose migration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-02 19:49:28 -07:00

165 lines
5.4 KiB
Bash
Raw Blame History

#!/bin/bash
################################################################################
# n8n PostgreSQL Permission Fix Script - C.utf8 Locale Version (TEMPLATE)
#
# Purpose: Fix PostgreSQL 15+ permission issues for n8n database
# Root Cause: 1) PostgreSQL 15+ removed default CREATE permission from PUBLIC
# 2) Debian 12 minimal system only has C.utf8 locale available
# Solution: Create database with C.utf8 locale and proper ownership
#
# Environment: Debian 12, PostgreSQL 16, n8n LXC Container (CT 113)
#
# USAGE:
# 1. Copy this template: cp fix_n8n_db_c_locale.sh.template fix_n8n_db_c_locale.sh
# 2. Set environment variable: export N8N_DB_PASSWORD="your_secure_password"
# 3. Run the script: bash fix_n8n_db_c_locale.sh
# 4. Delete the script after use: shred -u fix_n8n_db_c_locale.sh
#
# SECURITY NOTE: This template uses environment variables to avoid hardcoding
# credentials in the repository. The actual script with embedded
# credentials is excluded from git via .gitignore
################################################################################
set -euo pipefail
DB_NAME="n8n_db"
DB_USER="n8n_user"
# IMPORTANT: Set this environment variable before running the script
# Example: export N8N_DB_PASSWORD="your_secure_password_here"
DB_PASSWORD="${N8N_DB_PASSWORD:-}"
if [[ -z "$DB_PASSWORD" ]]; then
echo "ERROR: N8N_DB_PASSWORD environment variable is not set"
echo "Please set it before running this script:"
echo " export N8N_DB_PASSWORD='your_secure_password'"
exit 1
fi
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
LOG_FILE="/var/log/n8n_db_fix_${TIMESTAMP}.log"
# Color codes
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log() {
echo -e "${BLUE}[$(date +'%Y-%m-%d %H:%M:%S')]${NC} $1" | tee -a "$LOG_FILE"
}
log_success() {
echo -e "${GREEN}[✓]${NC} $1" | tee -a "$LOG_FILE"
}
log_error() {
echo -e "${RED}[✗]${NC} $1" | tee -a "$LOG_FILE"
}
echo "================================================================================"
echo "n8n PostgreSQL Permission Fix - C.utf8 Locale Version"
echo "================================================================================"
echo ""
log "Stopping n8n service..."
systemctl stop n8n || true
sleep 3
log_success "n8n service stopped"
log "Dropping existing database (if any) and recreating with C.UTF-8 locale..."
sudo -u postgres psql <<SQL 2>&1 | tee -a "$LOG_FILE"
-- Terminate any existing connections
SELECT pg_terminate_backend(pg_stat_activity.pid)
FROM pg_stat_activity
WHERE pg_stat_activity.datname = '$DB_NAME'
AND pid <> pg_backend_pid();
-- Drop database if exists
DROP DATABASE IF EXISTS $DB_NAME;
-- Create database with C.utf8 locale (Debian 12 system locale)
CREATE DATABASE $DB_NAME
OWNER $DB_USER
ENCODING 'UTF8'
LC_COLLATE = 'C.utf8'
LC_CTYPE = 'C.utf8'
TEMPLATE template0;
-- Connect to the database
\c $DB_NAME
-- Grant all privileges on the public schema (PostgreSQL 15+ fix)
GRANT ALL ON SCHEMA public TO $DB_USER;
-- Grant all privileges on all current and future objects
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO $DB_USER;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO $DB_USER;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO $DB_USER;
-- Set default privileges for future objects
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $DB_USER;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO $DB_USER;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO $DB_USER;
-- Verify database settings
SELECT datname, datcollate, datctype, pg_get_userbyid(datdba) as owner
FROM pg_database
WHERE datname = '$DB_NAME';
SQL
log_success "Database recreated with C.utf8 locale and proper permissions"
log "Testing database permissions..."
PGPASSWORD="$DB_PASSWORD" psql -h localhost -U $DB_USER -d $DB_NAME <<SQL 2>&1 | tee -a "$LOG_FILE"
-- Test table creation (this is what was failing before)
CREATE TABLE test_table (id SERIAL PRIMARY KEY, test_data VARCHAR(100));
INSERT INTO test_table (test_data) VALUES ('Permission test successful');
SELECT * FROM test_table;
DROP TABLE test_table;
-- Display current user and database
SELECT current_user, current_database();
SQL
if [[ $? -eq 0 ]]; then
log_success "Permission test PASSED - n8n_user can create tables"
else
log_error "Permission test FAILED"
exit 1
fi
log "Starting n8n service..."
systemctl start n8n
sleep 10
if systemctl is-active --quiet n8n; then
log_success "n8n service started successfully"
else
log_error "n8n service failed to start - check logs"
journalctl -u n8n -n 30
exit 1
fi
echo ""
echo "================================================================================"
log_success "n8n DATABASE FIX COMPLETED SUCCESSFULLY"
echo "================================================================================"
echo ""
echo "✅ Database created with:"
echo " - Locale: C.utf8 (Debian 12 system locale)"
echo " - Owner: n8n_user"
echo " - Permissions: Full CREATE access on public schema"
echo ""
echo "📋 Next Steps:"
echo " 1. Monitor service: systemctl status n8n"
echo " 2. Watch logs: journalctl -u n8n -f"
echo " 3. Test access: https://n8n.apophisnetworking.net"
echo ""
echo "📄 Log file: $LOG_FILE"
echo ""
echo "🔒 SECURITY: Remember to delete this script after use:"
echo " shred -u $(readlink -f "$0")"
echo "================================================================================"
Reference in New Issue View Git Blame Copy Permalink