Merge branch 'community-scripts:main' into step-ca

2026-02-24 21:47:26 +00:00 · 2026-02-08 18:35:15 +01:00
parent 81af9f5c13 c672875f40
commit 536ff20bc6
21 changed files with 444 additions and 999 deletions
--- a/install/checkmate-install.sh
+++ b/install/checkmate-install.sh
@@ -1,136 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: MickLesk (CanbiZ)
-# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
-# Source: https://github.com/bluewave-labs/Checkmate
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-$STD apt install -y \
-  build-essential \
-  openssl \
-  nginx
-msg_ok "Installed Dependencies"
-
-MONGO_VERSION="8.0" setup_mongodb
-NODE_VERSION="22" setup_nodejs
-fetch_and_deploy_gh_release "checkmate" "bluewave-labs/Checkmate"
-
-msg_info "Configuring Checkmate"
-JWT_SECRET="$(openssl rand -hex 32)"
-cat <<EOF >/opt/checkmate/server/.env
-CLIENT_HOST="http://${LOCAL_IP}"
-JWT_SECRET="${JWT_SECRET}"
-DB_CONNECTION_STRING="mongodb://localhost:27017/checkmate_db"
-TOKEN_TTL="99d"
-ORIGIN="${LOCAL_IP}"
-LOG_LEVEL="info"
-SERVER_HOST=0.0.0.0
-SERVER_PORT=52345
-EOF
-
-cat <<EOF >/opt/checkmate/client/.env.local
-VITE_APP_API_BASE_URL="/api/v1"
-UPTIME_APP_API_BASE_URL="/api/v1"
-VITE_APP_LOG_LEVEL="warn"
-EOF
-msg_ok "Configured Checkmate"
-
-msg_info "Installing Checkmate Server"
-cd /opt/checkmate/server
-$STD npm install
-$STD npm run build
-msg_ok "Installed Checkmate Server"
-
-msg_info "Installing Checkmate Client"
-cd /opt/checkmate/client
-$STD npm install
-VITE_APP_API_BASE_URL="/api/v1" UPTIME_APP_API_BASE_URL="/api/v1" VITE_APP_LOG_LEVEL="warn" $STD npm run build
-msg_ok "Installed Checkmate Client"
-
-msg_info "Creating Services"
-cat <<EOF >/etc/systemd/system/checkmate-server.service
-[Unit]
-Description=Checkmate Server
-After=network.target mongod.service
-
-[Service]
-Type=simple
-User=root
-WorkingDirectory=/opt/checkmate/server
-EnvironmentFile=/opt/checkmate/server/.env
-ExecStart=/usr/bin/npm start
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/checkmate-client.service
-[Unit]
-Description=Checkmate Client
-After=network.target
-
-[Service]
-Type=simple
-User=root
-WorkingDirectory=/opt/checkmate/client
-ExecStart=/usr/bin/npm run preview -- --host 127.0.0.1 --port 5173
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-$STD systemctl enable -q --now checkmate-server
-$STD systemctl enable -q --now checkmate-client
-msg_ok "Created Services"
-
-msg_info "Configuring Nginx Reverse Proxy"
-cat <<EOF >/etc/nginx/sites-available/checkmate
-server {
-  listen 80 default_server;
-  server_name _;
-  
-  client_max_body_size 100M;
-
-  # Client UI
-  location / {
-    proxy_pass http://127.0.0.1:5173;
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade \$http_upgrade;
-    proxy_set_header Connection "upgrade";
-    proxy_set_header Host \$host;
-    proxy_set_header X-Real-IP \$remote_addr;
-    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-  }
-
-  # API Server
-  location /api/v1/ {
-    proxy_pass http://127.0.0.1:52345/api/v1/;
-    proxy_http_version 1.1;
-    proxy_set_header Host \$host;
-    proxy_set_header X-Real-IP \$remote_addr;
-    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-  }
-}
-EOF
-
-ln -sf /etc/nginx/sites-available/checkmate /etc/nginx/sites-enabled/checkmate
-rm -f /etc/nginx/sites-enabled/default
-$STD nginx -t
-$STD systemctl reload nginx
-msg_ok "Configured Nginx Reverse Proxy"
-
-motd_ssh
-customize
-cleanup_lxc
--- a/install/nextexplorer-install.sh
+++ b/install/nextexplorer-install.sh
@@ -3,7 +3,7 @@
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: vhsdream
 # License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
-# Source: https://github.com/vikramsoni2/nextExplorer
+# Source: https://github.com/nxzai/nextExplorer

 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
@@ -26,7 +26,7 @@ msg_ok "Installed Dependencies"

 NODE_VERSION="24" setup_nodejs

-fetch_and_deploy_gh_release "nextExplorer" "vikramsoni2/nextExplorer" "tarball" "latest" "/opt/nextExplorer"
+fetch_and_deploy_gh_release "nextExplorer" "nxzai/nextExplorer" "tarball" "latest" "/opt/nextExplorer"

 msg_info "Building nextExplorer"
 APP_DIR="/opt/nextExplorer/app"
--- a/install/nginx-ui-install.sh
+++ b/install/nginx-ui-install.sh
@@ -1,99 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: MickLesk (CanbiZ)
-# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
-# Source: https://nginxui.com
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-$STD apt install -y \
-  nginx \
-  logrotate
-msg_ok "Installed Dependencies"
-
-fetch_and_deploy_gh_release "nginx-ui" "0xJacky/nginx-ui" "prebuild" "latest" "/opt/nginx-ui" "nginx-ui-linux-64.tar.gz"
-
-msg_info "Installing Nginx UI"
-cp /opt/nginx-ui/nginx-ui /usr/local/bin/nginx-ui
-chmod +x /usr/local/bin/nginx-ui
-rm -rf /opt/nginx-ui
-msg_ok "Installed Nginx UI"
-
-msg_info "Configuring Nginx UI"
-mkdir -p /usr/local/etc/nginx-ui
-cat <<EOF >/usr/local/etc/nginx-ui/app.ini
-[server]
-HttpHost = 0.0.0.0
-HttpPort = 9000
-RunMode = release
-JwtSecret = $(openssl rand -hex 32)
-
-[nginx]
-AccessLogPath = /var/log/nginx/access.log
-ErrorLogPath = /var/log/nginx/error.log
-ConfigDir = /etc/nginx
-PIDPath = /run/nginx.pid
-TestConfigCmd = nginx -t
-ReloadCmd = nginx -s reload
-RestartCmd = systemctl restart nginx
-
-[app]
-PageSize = 10
-
-[cert]
-Email =
-CADir =
-RenewalInterval = 7
-RecursiveNameservers =
-EOF
-msg_ok "Configured Nginx UI"
-
-msg_info "Creating Service"
-cat <<EOF >/etc/systemd/system/nginx-ui.service
-[Unit]
-Description=Another WebUI for Nginx
-Documentation=https://nginxui.com
-After=network.target nginx.service
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/nginx-ui --config /usr/local/etc/nginx-ui/app.ini
-RuntimeDirectory=nginx-ui
-WorkingDirectory=/var/run/nginx-ui
-Restart=on-failure
-TimeoutStopSec=5
-KillMode=mixed
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl daemon-reload
-msg_ok "Created Service"
-
-msg_info "Creating Initial Admin User"
-systemctl start nginx-ui
-sleep 3
-systemctl stop nginx-ui
-sleep 1
-/usr/local/bin/nginx-ui reset-password --config /usr/local/etc/nginx-ui/app.ini &>/tmp/nginx-ui-reset.log || true
-ADMIN_PASS=$(grep -oP 'Password: \K\S+' /tmp/nginx-ui-reset.log || echo "admin")
-echo -e "Nginx-UI Credentials\nUsername: admin\nPassword: $ADMIN_PASS" >~/nginx-ui.creds
-rm -f /tmp/nginx-ui-reset.log
-msg_ok "Created Initial Admin User"
-
-msg_info "Starting Service"
-systemctl enable -q --now nginx-ui
-rm -rf /etc/nginx/sites-enabled/default
-msg_ok "Started Service"
-
-motd_ssh
-customize
-cleanup_lxc
--- a/install/nightscout-install.sh
+++ b/install/nightscout-install.sh
@@ -1,69 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: aendel
-# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
-# Source: https://github.com/nightscout/cgm-remote-monitor
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-$STD apt install -y \
-  build-essential \
-  libssl-dev \
-  openssl
-msg_ok "Installed Dependencies"
-
-MONGO_VERSION="8.0" setup_mongodb
-NODE_VERSION="22" setup_nodejs
-fetch_and_deploy_gh_release "nightscout" "nightscout/cgm-remote-monitor" "source"
-
-msg_info "Installing Nightscout"
-$STD npm install --prefix /opt/nightscout
-msg_ok "Installed Nightscout"
-
-msg_info "Creating Service"
-useradd -s /bin/bash -m nightscout
-chown -R nightscout:nightscout /opt/nightscout
-API_SECRET=$(openssl rand -hex 16)
-cat <<EOF >/opt/nightscout/my.env
-MONGO_CONNECTION=mongodb://127.0.0.1:27017/nightscout
-BASE_URL=http://localhost:1337
-API_SECRET=${API_SECRET}
-DISPLAY_UNITS=mg/dl
-ENABLE=careportal boluscalc food bwp cage sage iage iob cob basal ar2 rawbg pushover bgi pump openaps pvb linear custom
-INSECURE_USE_HTTP=true
-EOF
-chown nightscout:nightscout /opt/nightscout/my.env
-cat <<EOF >/etc/systemd/system/nightscout.service
-[Unit]
-Description=Nightscout CGM Service
-After=network.target mongodb.service
-
-[Service]
-Type=simple
-User=nightscout
-WorkingDirectory=/opt/nightscout
-EnvironmentFile=/opt/nightscout/my.env
-ExecStart=/usr/bin/npm start
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl enable -q --now nightscout
-msg_ok "Created Service"
-
-{
-  echo "Nightscout Credentials"
-  echo "API_SECRET: ${API_SECRET}"
-} >> ~/nightscout.creds
-
-motd_ssh
-customize
-cleanup_lxc
--- a/install/opencloud-install.sh
+++ b/install/opencloud-install.sh
@@ -1,210 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: vhsdream
-# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
-# Source: https://opencloud.eu
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-read -r -p "${TAB3}Enter the hostname of your OpenCloud server (eg cloud.domain.tld): " oc_host
-if [[ "$oc_host" ]]; then
-  OC_HOST="$oc_host"
-fi
-read -r -p "${TAB3}Enter the hostname of your Collabora server (eg collabora.domain.tld): " collabora_host
-if [[ "$collabora_host" ]]; then
-  COLLABORA_HOST="$collabora_host"
-fi
-read -r -p "${TAB3}Enter the hostname of your WOPI server (eg wopiserver.domain.tld): " wopi_host
-if [[ "$wopi_host" ]]; then
-  WOPI_HOST="$wopi_host"
-fi
-
-# Collabora online - this is broken because it adds the Component and apt doesn't like that
-# setup_deb822_repo \
-#   "collaboraonline" \
-#   "https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg" \
-#   "https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-deb/Release" \
-#   "./" \
-#   "main"
-
-msg_info "Installing Collabora Online"
-curl -fsSL https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg -o /etc/apt/keyrings/collaboraonline-release-keyring.gpg
-cat <<EOF >/etc/apt/sources.list.d/colloboraonline.sources
-Types: deb
-URIs: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-deb
-Suites: ./
-Signed-By: /etc/apt/keyrings/collaboraonline-release-keyring.gpg
-EOF
-$STD apt-get update
-$STD apt-get install -y coolwsd code-brand
-systemctl stop coolwsd
-mkdir -p /etc/systemd/system/coolwsd.service.d
-cat <<EOF >/etc/systemd/system/coolwsd.service.d/override.conf
-[Unit]
-Before=opencloud-wopi.service
-EOF
-systemctl daemon-reload
-COOLPASS="$(openssl rand -base64 36)"
-$STD sudo -u cool coolconfig set-admin-password --user=admin --password="$COOLPASS"
-echo "$COOLPASS" >~/.coolpass
-msg_ok "Installed Collabora Online"
-
-# OpenCloud
-fetch_and_deploy_gh_release "opencloud" "opencloud-eu/opencloud" "singlefile" "v5.0.1" "/usr/bin" "opencloud-*-linux-amd64"
-
-msg_info "Configuring OpenCloud"
-DATA_DIR="/var/lib/opencloud/"
-CONFIG_DIR="/etc/opencloud"
-ENV_FILE="${CONFIG_DIR}/opencloud.env"
-mkdir -p "$DATA_DIR" "$CONFIG_DIR"/assets/apps
-
-curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/csp.yaml -o "$CONFIG_DIR"/csp.yaml
-curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/proxy.yaml -o "$CONFIG_DIR"/proxy.yaml.bak
-
-cat <<EOF >"$ENV_FILE"
-OC_URL=https://${OC_HOST}
-OC_INSECURE=false
-IDM_CREATE_DEMO_USERS=false
-OC_LOG_LEVEL=warning
-OC_CONFIG_DIR=${CONFIG_DIR}
-OC_BASE_DATA_PATH=${DATA_DIR}
-STORAGE_SYSTEM_OC_ROOT=${DATA_DIR}/storage/metadata
-
-## Web
-WEB_ASSET_CORE_PATH=${CONFIG_DIR}/web/assets
-WEB_ASSET_APPS_PATH=${CONFIG_DIR}/web/assets/apps
-WEB_UI_CONFIG_FILE=${CONFIG_DIR}/web/config.json
-# WEB_ASSET_THEMES_PATH=${CONFIG_DIR}/web/assets/themes
-# WEB_UI_THEME_PATH=
-
-## Frontend
-FRONTEND_DISABLE_RADICALE=true
-FRONTEND_GROUPWARE_ENABLED=false
-GRAPH_INCLUDE_OCM_SHAREES=true
-
-## Proxy
-PROXY_TLS=false
-PROXY_CSP_CONFIG_FILE_LOCATION=${CONFIG_DIR}/csp.yaml
-
-## Collaboration - requires VALID TLS
-COLLABORA_DOMAIN=${COLLABORA_HOST}
-COLLABORATION_APP_NAME="CollaboraOnline"
-COLLABORATION_APP_PRODUCT="Collabora"
-COLLABORATION_APP_ADDR=https://${COLLABORA_HOST}
-COLLABORATION_APP_INSECURE=false
-COLLABORATION_HTTP_ADDR=0.0.0.0:9300
-COLLABORATION_WOPI_SRC=https://${WOPI_HOST}
-COLLABORATION_JWT_SECRET=
-
-## Notifications - Email settings
-# NOTIFICATIONS_SMTP_HOST=
-# NOTIFICATIONS_SMTP_PORT=
-# NOTIFICATIONS_SMTP_SENDER=
-# NOTIFICATIONS_SMTP_USERNAME=
-# NOTIFICATIONS_SMTP_PASSWORD=
-# NOTIFICATIONS_SMTP_AUTHENTICATION=login
-## Encryption method. Possible values are 'starttls', 'ssltls' and 'none'
-# NOTIFICATIONS_SMTP_ENCRYPTION=starttls
-## Allow insecure connections. Defaults to false.
-# NOTIFICATIONS_SMTP_INSECURE=false
-
-## Start additional services at runtime
-## Examples: notifications, antivirus etc.
-## Do not uncomment unless configured above.
-# OC_ADD_RUN_SERVICES="notifications"
-
-## OpenID - via web browser
-## uncomment for OpenID in general
-# OC_EXCLUDE_RUN_SERVICES=idp
-# OC_OIDC_ISSUER=<your auth URL>
-# IDP_DOMAIN=<your auth URL>
-# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
-# PROXY_OIDC_REWRITE_WELLKNOWN=true
-# PROXY_USER_OIDC_CLAIM=preferred_username
-# PROXY_USER_CS3_CLAIM=username
-## automatically create accounts
-# PROXY_AUTOPROVISION_ACCOUNTS=true
-# WEB_OIDC_SCOPE=openid profile email groups
-# GRAPH_ASSIGN_DEFAULT_USER_ROLE=false
-#
-## uncomment below if using PocketID
-# WEB_OIDC_CLIENT_ID=<generated in PocketID>
-# WEB_OIDC_METADATA_URL=<your auth URL>/.well-known/openid-configuration
-
-## Full Text Search - Apache Tika
-## Requires a separate install of Tika - see https://community-scripts.github.io/ProxmoxVE/scripts?id=apache-tika
-# SEARCH_EXTRACTOR_TYPE=tika
-# FRONTEND_FULL_TEXT_SEARCH_ENABLED=true
-# SEARCH_EXTRACTOR_TIKA_TIKA_URL=<your-tika-url>
-
-## External storage test - Only NFS v4.2+ is supported
-## User files
-# STORAGE_USERS_POSIX_ROOT=<path-to-your-bind_mount>
-EOF
-
-cat <<EOF >/etc/systemd/system/opencloud.service
-[Unit]
-Description=OpenCloud server
-After=network-online.target
-
-[Service]
-Type=simple
-User=opencloud
-Group=opencloud
-EnvironmentFile=${ENV_FILE}
-ExecStart=/usr/bin/opencloud server
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/opencloud-wopi.service
-[Unit]
-Description=OpenCloud WOPI Server
-Wants=coolwsd.service
-After=opencloud.service coolwsd.service
-
-[Service]
-Type=simple
-User=opencloud
-Group=opencloud
-EnvironmentFile=${ENV_FILE}
-ExecStartPre=/bin/sleep 10
-ExecStart=/usr/bin/opencloud collaboration server
-Restart=always
-KillSignal=SIGKILL
-KillMode=mixed
-TimeoutStopSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-$STD sudo -u cool coolconfig set ssl.enable false
-$STD sudo -u cool coolconfig set ssl.termination true
-$STD sudo -u cool coolconfig set ssl.ssl_verification true
-sed -i "s|CSP2\"/>|CSP2\">frame-ancestors https://${OC_HOST}</content_security_policy>|" /etc/coolwsd/coolwsd.xml
-useradd -r -M -s /usr/sbin/nologin opencloud
-chown -R opencloud:opencloud "$CONFIG_DIR" "$DATA_DIR"
-sudo -u opencloud opencloud init --config-path "$CONFIG_DIR" --insecure no
-OPENCLOUD_SECRET="$(sed -n '/jwt/p' "$CONFIG_DIR"/opencloud.yaml | awk '{print $2}')"
-sed -i "s/JWT_SECRET=/&${OPENCLOUD_SECRET//&/\\&}/" "$ENV_FILE"
-msg_ok "Configured OpenCloud"
-
-msg_info "Starting services"
-systemctl enable -q --now coolwsd opencloud
-sleep 5
-systemctl enable -q --now opencloud-wopi
-msg_ok "Started services"
-
-motd_ssh
-customize
-cleanup_lxc
--- a/install/zitadel-install.sh
+++ b/install/zitadel-install.sh
@@ -0,0 +1,324 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: dave-yap (dave-yap) | Co-Author: remz1337
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://zitadel.com/
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+# Configuration variables
+ZITADEL_DIR="/opt/zitadel"
+LOGIN_DIR="/opt/login"
+CONFIG_DIR="/etc/zitadel"
+ZITADEL_USER="zitadel"
+ZITADEL_GROUP="zitadel"
+DB_NAME="zitadel"
+DB_USER="zitadel"
+DB_PASSWORD="$(openssl rand -base64 32 | tr -d '=/+' | head -c 32)"
+POSTGRES_ADMIN_PASSWORD="$(openssl rand -base64 32 | tr -d '=/+' | head -c 32)"
+MASTERKEY="$(openssl rand -base64 32 | tr -d '=/+' | head -c 32)"
+API_PORT="8080"
+LOGIN_PORT="3000"
+
+# Detect server IP address
+SERVER_IP=$(hostname -I | awk '{print $1}')
+
+msg_info "Installing Dependencies (Patience)"
+$STD apt install -y ca-certificates
+msg_ok "Installed Dependecies"
+
+# Create zitadel user
+msg_info "Creating zitadel system user"
+groupadd --system "${ZITADEL_GROUP}"
+useradd --system --gid "${ZITADEL_GROUP}" --shell /bin/bash --home-dir "${ZITADEL_DIR}" "${ZITADEL_USER}"
+msg_ok "Created zitadel system user"
+
+fetch_and_deploy_gh_release "zitadel" "zitadel/zitadel" "prebuild" "latest" "${ZITADEL_DIR}" "zitadel-linux-amd64.tar.gz"
+chown -R "${ZITADEL_USER}:${ZITADEL_GROUP}" "${ZITADEL_DIR}"
+
+fetch_and_deploy_gh_release "login" "zitadel/zitadel" "prebuild" "latest" "${LOGIN_DIR}" "zitadel-login.tar.gz"
+chown -R "${ZITADEL_USER}:${ZITADEL_GROUP}" "${LOGIN_DIR}"
+
+NODE_VERSION="24" setup_nodejs
+
+PG_VERSION="17" setup_postgresql
+
+setup_go
+
+msg_info "Configuring Postgresql"
+$STD sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '${POSTGRES_ADMIN_PASSWORD}';"
+msg_ok "Configured PostgreSQL"
+
+msg_info "Installing Zitadel"
+cd "${ZITADEL_DIR}"
+mkdir -p ${CONFIG_DIR}
+echo "${MASTERKEY}" > ${CONFIG_DIR}/.masterkey
+
+# Update config.yaml for network access
+cat > "${CONFIG_DIR}/config.yaml" <<EOF
+ExternalSecure: false
+ExternalDomain: ${SERVER_IP}
+ExternalPort: ${API_PORT}
+
+TLS:
+  Enabled: false
+
+Log:
+  Level: info
+  Formatter:
+    Format: text
+
+Database:
+  Postgres:
+    Database: ${DB_NAME}
+    Host: localhost
+    Port: 5432
+    AwaitInitialConn: 5m
+    MaxOpenConns: 20
+    MaxIdleConns: 20
+    ConnMaxLifetime: 60m
+    ConnMaxIdleTime: 10m
+    User:
+      Username: ${DB_USER}
+      Password: ${DB_PASSWORD}
+      SSL:
+        Mode: disable
+    Admin:
+      Username: postgres
+      Password: ${POSTGRES_ADMIN_PASSWORD}
+      SSL:
+        Mode: disable
+
+FirstInstance:
+  LoginClientPatPath: login-client.pat
+  PatPath: admin.pat
+  InstanceName: ZITADEL
+  DefaultLanguage: en
+  Org:
+    LoginClient:
+      Machine:
+        Username: login-client
+        Name: Automatically Initialized IAM Login Client
+      Pat:
+        ExpirationDate: 2099-01-01T00:00:00Z
+    Machine:
+      Machine:
+        Username: admin
+        Name: Automatically Initialized IAM admin Client
+      Pat:
+        ExpirationDate: 2099-01-01T00:00:00Z
+    Human:
+      Username: zitadel-admin@zitadel.localhost
+      Password: Password1!
+      PasswordChangeRequired: false
+
+DefaultInstance:
+  Features:
+    LoginV2:
+      BaseURI: http://${SERVER_IP}:${LOGIN_PORT}/ui/v2/login
+EOF
+chown "${ZITADEL_USER}:${ZITADEL_GROUP}" "${CONFIG_DIR}/config.yaml"
+
+# Initialize database as zitadel user (no masterkey needed for init)
+$STD ./zitadel init --config ${CONFIG_DIR}/config.yaml
+
+# Run setup phase as zitadel user (with masterkey and steps)
+$STD ./zitadel setup --config ${CONFIG_DIR}/config.yaml --steps ${CONFIG_DIR}/config.yaml --masterkey "${MASTERKEY}"
+
+#Read client token
+CLIENT_PAT=$(cat ${ZITADEL_DIR}/login-client.pat)
+
+# Update Login V2 login.env file
+cat > "${CONFIG_DIR}/login.env" <<EOF
+NEXT_PUBLIC_BASE_PATH=/ui/v2/login
+EMAIL_VERIFICATION=false
+ZITADEL_API_URL=http://${SERVER_IP}:${API_PORT}
+ZITADEL_SERVICE_USER_TOKEN_FILE=../../login-client.pat
+ZITADEL_SERVICE_USER_TOKEN=${CLIENT_PAT}
+EOF
+chown "${ZITADEL_USER}:${ZITADEL_GROUP}" "${CONFIG_DIR}/login.env"
+
+# Update package.json to bind to 0.0.0.0 instead of 127.0.0.1
+#sed -i 's/"prod": "cd \.\/\.next\/standalone && HOSTNAME=127\.0\.0\.1/"prod": "cd .\/\.next\/standalone \&\& HOSTNAME=0.0.0.0/g' "${LOGIN_DIR}/apps/login/package.json"
+
+# Create api.env file
+cat > "${CONFIG_DIR}/api.env" <<EOF
+ZITADEL_MASTERKEY=${MASTERKEY}
+ZITADEL_DATABASE_POSTGRES_HOST=localhost
+ZITADEL_DATABASE_POSTGRES_PORT=5432
+ZITADEL_DATABASE_POSTGRES_DATABASE=${DB_NAME}
+ZITADEL_DATABASE_POSTGRES_USER_USERNAME=${DB_USER}
+ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=${DB_PASSWORD}
+ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
+ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres
+ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=${POSTGRES_ADMIN_PASSWORD}
+ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+ZITADEL_EXTERNALSECURE=false
+EOF
+
+# Set secure permissions
+chmod 600 "${CONFIG_DIR}/api.env"
+chown "${ZITADEL_USER}:${ZITADEL_GROUP}" "${CONFIG_DIR}/api.env"
+msg_ok "Installed Zitadel"
+
+msg_info "Creating Services"
+# Create API service
+cat > /etc/systemd/system/zitadel-api.service <<EOF
+[Unit]
+Description=ZITADEL API Server
+After=network.target postgresql.service
+Requires=postgresql.service
+
+[Service]
+Type=simple
+User=${ZITADEL_USER}
+Group=${ZITADEL_GROUP}
+WorkingDirectory=${ZITADEL_DIR}
+EnvironmentFile=${CONFIG_DIR}/api.env
+Environment="PATH=/usr/local/bin:/usr/local/go/bin:/usr/bin:/bin"
+ExecStart=${ZITADEL_DIR}/zitadel start --config ${CONFIG_DIR}/config.yaml --masterkey \${ZITADEL_MASTERKEY}
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Create Login V2 service
+cat > /etc/systemd/system/zitadel-login.service <<EOF
+[Unit]
+Description=ZITADEL Login V2 Service
+After=network.target zitadel-api.service
+Requires=zitadel-api.service
+
+[Service]
+Type=simple
+User=${ZITADEL_USER}
+Group=${ZITADEL_GROUP}
+WorkingDirectory=${LOGIN_DIR}/apps/login
+EnvironmentFile=${CONFIG_DIR}/login.env
+Environment="PATH=/usr/local/bin:/usr/bin:/bin"
+Environment="NODE_ENV=production"
+ExecStart=node ${LOGIN_DIR}/apps/login/server.js
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Reload systemd
+systemctl daemon-reload
+
+# Enable and start API service
+systemctl enable -q --now zitadel-api.service
+
+# Wait for API to start
+sleep 10
+
+# Enable and start Login service
+systemctl enable -q --now zitadel-login.service
+msg_ok "Created Services"
+
+msg_info "Saving Credentials"
+# Create credentials file
+cat > "${CONFIG_DIR}/INSTALLATION_INFO.txt" <<EOF
+################################################################################
+# ZITADEL Installation Information
+# Generated: $(date)
+################################################################################
+
+SERVER INFORMATION:
+-------------------
+Server IP: ${SERVER_IP}
+API Port: ${API_PORT}
+Login Port: ${LOGIN_PORT}
+
+ACCESS URLS:
+------------
+Management Console: http://${SERVER_IP}:${API_PORT}/ui/console
+Login V2 UI: http://${SERVER_IP}:${LOGIN_PORT}/ui/v2/login
+API Endpoint: http://${SERVER_IP}:${API_PORT}
+
+DEFAULT ADMIN CREDENTIALS:
+--------------------------
+Username: zitadel-admin@zitadel.localhost
+Password: Password1!
+
+IMPORTANT: Change this password immediately after first login!
+
+DATABASE CREDENTIALS:
+---------------------
+Database Name: ${DB_NAME}
+Database User: ${DB_USER}
+Database Password: ${DB_PASSWORD}
+PostgreSQL Admin Password: ${POSTGRES_ADMIN_PASSWORD}
+
+SECURITY:
+---------
+Master Key: ${MASTERKEY}
+
+IMPORTANT: Keep these credentials secure and backup this file!
+
+VERIFICATION:
+-------------
+1. Check API health:
+   curl http://${SERVER_IP}:${API_PORT}/debug/healthz
+2. Access Management Console:
+   http://${SERVER_IP}:${API_PORT}/ui/console
+3. Login with admin credentials above
+
+DATABASE INFORMATION:
+--------------------
+The database and user are automatically created by ZITADEL on first startup.
+ZITADEL uses the admin credentials to create:
+  - Database: ${DB_NAME}
+  - User: ${DB_USER}
+  - Schemas: eventstore, projections, system
+
+PRODUCTION NOTES:
+-----------------
+1. This installation uses HTTP (not HTTPS) for simplicity
+2. For production with HTTPS:
+   - Set ExternalSecure: true in config.yaml
+   - Configure TLS certificates
+   - Update firewall rules for port 443
+3. Change all default passwords immediately
+4. Set up regular database backups
+5. Configure proper monitoring and alerting
+6. Review and harden PostgreSQL security settings
+
+BACKUP COMMANDS:
+----------------
+Database backup:
+  PGPASSWORD=${DB_PASSWORD} pg_dump -h localhost -U ${DB_USER} ${DB_NAME} > zitadel_backup_\$(date +%Y%m%d).sql
+
+Database restore:
+  PGPASSWORD=${DB_PASSWORD} psql -h localhost -U ${DB_USER} ${DB_NAME} < zitadel_backup_YYYYMMDD.sql
+
+################################################################################
+EOF
+chmod 600 "${CONFIG_DIR}/INSTALLATION_INFO.txt"
+chown "${ZITADEL_USER}:${ZITADEL_GROUP}" "${CONFIG_DIR}/INSTALLATION_INFO.txt"
+cp ${ZITADEL_DIR}/admin.pat ${CONFIG_DIR}/admin.pat.BAK
+cp ${ZITADEL_DIR}/login-client.pat ${CONFIG_DIR}/login-client.pat.BAK
+msg_ok "Saved Credentials"
+
+msg_info "Create zitadel-rerun.sh"
+cat <<EOF >~/zitadel-rerun.sh
+systemctl stop zitadel
+timeout --kill-after=5s 15s zitadel setup --masterkeyFile ${CONFIG_DIR}/.masterkey --config ${CONFIG_DIR}/config.yaml"
+systemctl restart zitadel
+EOF
+msg_ok "Bash script for rerunning Zitadel after changing Zitadel config.yaml"
+
+motd_ssh
+customize
+cleanup_lxc