Proxmox Infrastruktur - Vollstaendige Konfiguration

Enthaelt:
- Docker Compose mit allen Services (Nextcloud, Vaultwarden, n8n, etc.)
- nginx Reverse Proxy Konfiguration mit Rate Limiting
- WireGuard VPN Template
- Backup und Health-Check Scripts
- Deployment Script
- Ausfuehrliche Dokumentation und Troubleshooting Guide

Services:
- Isolierte Netzwerke pro Service
- Resource Limits (CPU/Memory)
- Health Checks
- Logging Konfiguration

Sicherheit:
- .env Template ohne Secrets
- Rate Limiting auf nginx
- TLS 1.2+ only
- Security Headers

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/backup.sh

@@ -0,0 +1,144 @@
+#!/bin/bash
+# ============================================
+# Proxmox Infrastruktur Backup Script
+# ============================================
+# Ausfuehrung: ./backup.sh [service|all]
+# Cronjob: 0 3 * * * /opt/scripts/backup.sh all >> /var/log/backup.log 2>&1
+
+set -euo pipefail
+
+BACKUP_DIR="/opt/backups"
+DATE=$(date +%Y%m%d_%H%M%S)
+RETENTION_DAYS=7
+
+# Farben fuer Output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+log_info() { echo -e "${GREEN}[INFO]${NC} $(date '+%Y-%m-%d %H:%M:%S') $1"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $(date '+%Y-%m-%d %H:%M:%S') $1"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $(date '+%Y-%m-%d %H:%M:%S') $1"; }
+
+# Backup-Verzeichnis erstellen
+mkdir -p "$BACKUP_DIR"
+
+backup_nextcloud() {
+    log_info "Starte Nextcloud Backup..."
+    local backup_file="$BACKUP_DIR/nextcloud_$DATE.tar.gz"
+
+    # Maintenance Mode aktivieren
+    docker exec nextcloud php occ maintenance:mode --on || true
+
+    # Daten sichern
+    tar -czf "$backup_file" \
+        -C /opt/docker/nextcloud \
+        data db \
+        2>/dev/null
+
+    # Maintenance Mode deaktivieren
+    docker exec nextcloud php occ maintenance:mode --off || true
+
+    log_info "Nextcloud Backup erstellt: $backup_file ($(du -h "$backup_file" | cut -f1))"
+}
+
+backup_vaultwarden() {
+    log_info "Starte Vaultwarden Backup..."
+    local backup_file="$BACKUP_DIR/vaultwarden_$DATE.tar.gz"
+
+    tar -czf "$backup_file" \
+        -C /opt/docker \
+        vaultwarden \
+        2>/dev/null
+
+    log_info "Vaultwarden Backup erstellt: $backup_file ($(du -h "$backup_file" | cut -f1))"
+}
+
+backup_gitea() {
+    log_info "Starte Gitea Backup..."
+    local backup_file="$BACKUP_DIR/gitea_$DATE.tar.gz"
+
+    # Gitea internen Backup-Befehl nutzen
+    docker exec -u git gitea gitea dump -c /data/gitea/conf/app.ini -f /data/gitea-dump.zip || true
+
+    # Dump und Daten sichern
+    tar -czf "$backup_file" \
+        -C /opt/docker/gitea \
+        . \
+        2>/dev/null
+
+    log_info "Gitea Backup erstellt: $backup_file ($(du -h "$backup_file" | cut -f1))"
+}
+
+backup_n8n() {
+    log_info "Starte n8n Backup..."
+    local backup_file="$BACKUP_DIR/n8n_$DATE.tar.gz"
+
+    tar -czf "$backup_file" \
+        -C /opt/docker \
+        n8n \
+        2>/dev/null
+
+    log_info "n8n Backup erstellt: $backup_file ($(du -h "$backup_file" | cut -f1))"
+}
+
+backup_audiobookshelf() {
+    log_info "Starte Audiobookshelf Backup..."
+    local backup_file="$BACKUP_DIR/audiobookshelf_$DATE.tar.gz"
+
+    # Nur Config und Metadata, nicht die Audiobooks selbst
+    tar -czf "$backup_file" \
+        -C /opt/docker/audiobookshelf \
+        config metadata \
+        2>/dev/null
+
+    log_info "Audiobookshelf Backup erstellt: $backup_file ($(du -h "$backup_file" | cut -f1))"
+}
+
+backup_configs() {
+    log_info "Starte Config Backup..."
+    local backup_file="$BACKUP_DIR/configs_$DATE.tar.gz"
+
+    tar -czf "$backup_file" \
+        /opt/docker/docker-compose.yml \
+        /opt/docker/gitea/docker-compose.yml \
+        /etc/wireguard/wg0.conf \
+        2>/dev/null || true
+
+    log_info "Config Backup erstellt: $backup_file"
+}
+
+cleanup_old_backups() {
+    log_info "Loesche Backups aelter als $RETENTION_DAYS Tage..."
+    find "$BACKUP_DIR" -name "*.tar.gz" -mtime +$RETENTION_DAYS -delete
+    log_info "Cleanup abgeschlossen"
+}
+
+backup_all() {
+    log_info "========== VOLLSTAENDIGES BACKUP GESTARTET =========="
+    backup_nextcloud
+    backup_vaultwarden
+    backup_gitea
+    backup_n8n
+    backup_audiobookshelf
+    backup_configs
+    cleanup_old_backups
+    log_info "========== BACKUP ABGESCHLOSSEN =========="
+    log_info "Backup-Groesse gesamt: $(du -sh "$BACKUP_DIR" | cut -f1)"
+}
+
+# Hauptprogramm
+case "${1:-all}" in
+    nextcloud)      backup_nextcloud ;;
+    vaultwarden)    backup_vaultwarden ;;
+    gitea)          backup_gitea ;;
+    n8n)            backup_n8n ;;
+    audiobookshelf) backup_audiobookshelf ;;
+    configs)        backup_configs ;;
+    all)            backup_all ;;
+    *)
+        echo "Verwendung: $0 [nextcloud|vaultwarden|gitea|n8n|audiobookshelf|configs|all]"
+        exit 1
+        ;;
+esac

scripts/deploy.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+# ============================================
+# Proxmox Infrastruktur Deployment Script
+# ============================================
+# Erstinstallation oder Update der kompletten Infrastruktur
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
+
+# Root-Check
+if [ "$EUID" -ne 0 ]; then
+    log_error "Bitte als root ausfuehren"
+    exit 1
+fi
+
+log_info "=========================================="
+log_info " Proxmox Infrastruktur Deployment"
+log_info "=========================================="
+
+# Verzeichnisse erstellen
+log_info "Erstelle Verzeichnisse..."
+mkdir -p /opt/docker/{nextcloud/{data,db},vaultwarden,n8n,audiobookshelf/{audiobooks,podcasts,config,metadata},websites/{html,conf},api,gitea}
+mkdir -p /opt/backups
+mkdir -p /opt/scripts
+
+# .env pruefen
+if [ ! -f /opt/docker/.env ]; then
+    log_warn ".env Datei nicht gefunden!"
+    log_info "Erstelle Template..."
+    cat > /opt/docker/.env << 'EOF'
+# Proxmox Infrastruktur - Environment Variables
+NEXTCLOUD_DB_PASSWORD=CHANGE_ME_$(openssl rand -hex 8)
+NEXTCLOUD_DB_ROOT_PASSWORD=CHANGE_ME_$(openssl rand -hex 8)
+VAULTWARDEN_ADMIN_TOKEN=$(openssl rand -base64 48)
+N8N_USER=admin
+N8N_PASSWORD=CHANGE_ME_$(openssl rand -hex 8)
+EOF
+    log_warn "WICHTIG: Bearbeite /opt/docker/.env und ersetze die Passwoerter!"
+    log_warn "Dann erneut ausfuehren."
+    exit 1
+fi
+
+# Docker installieren (falls nicht vorhanden)
+if ! command -v docker &> /dev/null; then
+    log_info "Installiere Docker..."
+    curl -fsSL https://get.docker.com | sh
+    systemctl enable docker
+    systemctl start docker
+fi
+
+# Docker Compose pruefen
+if ! docker compose version &> /dev/null; then
+    log_error "Docker Compose nicht gefunden!"
+    exit 1
+fi
+
+# Scripts kopieren
+log_info "Kopiere Scripts..."
+cp -f scripts/*.sh /opt/scripts/ 2>/dev/null || true
+chmod +x /opt/scripts/*.sh 2>/dev/null || true
+
+# Docker Compose kopieren
+log_info "Kopiere Docker Compose..."
+cp -f docker/docker-compose.yml /opt/docker/
+
+# Container starten
+log_info "Starte Container..."
+cd /opt/docker
+docker compose pull
+docker compose up -d
+
+# Status pruefen
+log_info "Warte auf Container-Start..."
+sleep 10
+
+docker compose ps
+
+log_info "=========================================="
+log_info " Deployment abgeschlossen!"
+log_info "=========================================="
+log_info ""
+log_info "Naechste Schritte:"
+log_info "  1. Nextcloud einrichten: http://$(hostname -I | awk '{print $1}'):8081"
+log_info "  2. Vaultwarden Admin: http://$(hostname -I | awk '{print $1}'):8083/admin"
+log_info "  3. Gitea einrichten: http://$(hostname -I | awk '{print $1}'):3000"
+log_info ""
+log_info "Health Check: /opt/scripts/health-check.sh"
+log_info "Backup: /opt/scripts/backup.sh all"

scripts/health-check.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+# ============================================
+# Proxmox Infrastruktur Health Check Script
+# ============================================
+# Ausfuehrung: ./health-check.sh
+# Cronjob: */5 * * * * /opt/scripts/health-check.sh >> /var/log/health-check.log 2>&1
+
+set -uo pipefail
+
+# Farben fuer Output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+FAILED=0
+
+check_service() {
+    local name=$1
+    local url=$2
+    local expected=${3:-200}
+
+    response=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 "$url" 2>/dev/null || echo "000")
+
+    if [ "$response" = "$expected" ]; then
+        echo -e "${GREEN}[OK]${NC} $name - HTTP $response"
+    else
+        echo -e "${RED}[FAIL]${NC} $name - HTTP $response (erwartet: $expected)"
+        FAILED=$((FAILED + 1))
+    fi
+}
+
+check_container() {
+    local name=$1
+
+    if docker ps --format '{{.Names}}' | grep -q "^${name}$"; then
+        status=$(docker inspect --format='{{.State.Health.Status}}' "$name" 2>/dev/null || echo "no-healthcheck")
+        if [ "$status" = "healthy" ] || [ "$status" = "no-healthcheck" ]; then
+            echo -e "${GREEN}[OK]${NC} Container $name - Running ($status)"
+        else
+            echo -e "${YELLOW}[WARN]${NC} Container $name - $status"
+        fi
+    else
+        echo -e "${RED}[FAIL]${NC} Container $name - Not running"
+        FAILED=$((FAILED + 1))
+    fi
+}
+
+check_disk() {
+    local path=$1
+    local threshold=${2:-90}
+
+    usage=$(df "$path" | tail -1 | awk '{print $5}' | tr -d '%')
+
+    if [ "$usage" -lt "$threshold" ]; then
+        echo -e "${GREEN}[OK]${NC} Disk $path - ${usage}% verwendet"
+    else
+        echo -e "${RED}[FAIL]${NC} Disk $path - ${usage}% verwendet (Grenze: ${threshold}%)"
+        FAILED=$((FAILED + 1))
+    fi
+}
+
+check_wireguard() {
+    if wg show wg0 &>/dev/null; then
+        latest_handshake=$(wg show wg0 latest-handshakes | awk '{print $2}')
+        current_time=$(date +%s)
+        diff=$((current_time - latest_handshake))
+
+        if [ "$diff" -lt 180 ]; then
+            echo -e "${GREEN}[OK]${NC} WireGuard - Verbunden (Handshake vor ${diff}s)"
+        else
+            echo -e "${YELLOW}[WARN]${NC} WireGuard - Letzter Handshake vor ${diff}s"
+        fi
+    else
+        echo -e "${RED}[FAIL]${NC} WireGuard - Nicht aktiv"
+        FAILED=$((FAILED + 1))
+    fi
+}
+
+echo "=========================================="
+echo " Proxmox Infrastruktur Health Check"
+echo " $(date '+%Y-%m-%d %H:%M:%S')"
+echo "=========================================="
+echo ""
+
+echo "--- Container Status ---"
+check_container "nextcloud"
+check_container "nextcloud-db"
+check_container "vaultwarden"
+check_container "n8n"
+check_container "audiobookshelf"
+check_container "websites"
+check_container "api-server"
+check_container "gitea"
+echo ""
+
+echo "--- Service Endpoints (Intern) ---"
+check_service "Nextcloud" "http://localhost:8081/status.php"
+check_service "Vaultwarden" "http://localhost:8083/alive"
+check_service "n8n" "http://localhost:5678/healthz"
+check_service "Websites" "http://localhost:8082/"
+check_service "API" "http://localhost:8000/health"
+check_service "Gitea" "http://localhost:3000/api/healthz"
+echo ""
+
+echo "--- Netzwerk ---"
+check_wireguard
+echo ""
+
+echo "--- Disk Usage ---"
+check_disk "/" 85
+check_disk "/opt/docker" 90
+echo ""
+
+echo "=========================================="
+if [ $FAILED -eq 0 ]; then
+    echo -e "${GREEN}Alle Checks bestanden!${NC}"
+    exit 0
+else
+    echo -e "${RED}$FAILED Check(s) fehlgeschlagen!${NC}"
+    exit 1
+fi