cameleer/cameleer-saas-installer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: cameleer:1ef0016965133144ef4cc92b100807b1712e89d4
Branches Tags
cameleer:main
...
compare: cameleer:main
Branches Tags
cameleer:main

8 Commits
1ef0016965 ... main

Author SHA1 Message Date
hsiegeln
0125694572 chore: ignore local install dir created by installers 
The install scripts default to ./cameleer/ for local install state.
Ignoring it prevents accidental commits of generated .env files,
TLS certs, and bootstrap data.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-29 09:43:26 +02:00
hsiegeln
f7a57edacc docs: update default registry to registry.cameleer.io and drop JWT row 
Updates the documented default registry from gitea.siegeln.net/cameleer
to registry.cameleer.io/cameleer in both CLAUDE.md and README.md, and
removes the now-obsolete CAMELEER_SERVER_SECURITY_JWTSECRET row from
the auto-generated secrets table to match the prior installer change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-29 09:43:26 +02:00
hsiegeln
7bb9ef3283 refactor: drop JWT secret env vars from installers and compose 
Removes CAMELEER_SERVER_SECURITY_JWTSECRET and
CAMELEER_SAAS_PROVISIONING_JWTSECRET — a better solution has been
adopted upstream, so the installers no longer need to generate or
forward a shared JWT secret.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-29 09:40:35 +02:00
hsiegeln
531a17397b fix: validate admin email format in SaaS mode 
Require user@domain.tld format (must contain @ and dot in domain).
Interactive mode loops until valid; silent mode exits with error.
Default changed from 'admin' to 'admin@<PUBLIC_HOST>' in SaaS mode.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-25 21:03:45 +02:00
hsiegeln
21ea9515a2 feat: unify admin identity — SAAS_ADMIN_USER is the email in SaaS mode 
Move deployment mode question before admin credentials so the installer
can validate email format in SaaS mode. Remove separate SAAS_ADMIN_EMAIL
— the admin user value IS the email address. In standalone mode, any
username is still accepted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-25 20:45:25 +02:00
hsiegeln
0da26160c6 feat: add SAAS_ADMIN_EMAIL to both installers 
Derive admin email from <ADMIN_USER>@<PUBLIC_HOST> by default.
Supports override via --admin-email CLI flag, SAAS_ADMIN_EMAIL env var,
or admin_email in cameleer.conf. Written to .env for bootstrap.
 2026-04-25 20:26:38 +02:00
hsiegeln
b2259328d3 feat: enforce email as primary user identity in SaaS mode 
Add SAAS_ADMIN_EMAIL env var (defaults to <user>@<host>). Pass to
bootstrap for admin user creation with primaryEmail. Update README
config reference and .env.example to document the email identity
requirement.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-25 20:23:15 +02:00
hsiegeln
8227483580 install.ps1 aktualisiert 2026-04-25 19:50:24 +02:00
8 changed files with 99 additions and 57 deletions
Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
# Local install state created by install.sh / install.ps1 (default --install-dir)
/cameleer/

2
CLAUDE.md
View File

@@ -31,7 +31,7 @@ Previously, SMTP env vars (`SMTP_HOST`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASS`, `
## Registry configuration ## Registry configuration
The installer supports pulling images from a custom Docker registry via `--registry`. Default: `gitea.siegeln.net/cameleer`. The installer supports pulling images from a custom Docker registry via `--registry`. Default: `registry.cameleer.io/cameleer`.
When a registry is configured, the installer writes `*_IMAGE` env vars to `.env` (e.g. `TRAEFIK_IMAGE`, `POSTGRES_IMAGE`, `CAMELEER_IMAGE`) which override the defaults baked into the compose templates. In SaaS mode, provisioning image refs (`CAMELEER_SAAS_PROVISIONING_*IMAGE`) are also set from the registry. When a registry is configured, the installer writes `*_IMAGE` env vars to `.env` (e.g. `TRAEFIK_IMAGE`, `POSTGRES_IMAGE`, `CAMELEER_IMAGE`) which override the defaults baked into the compose templates. In SaaS mode, provisioning image refs (`CAMELEER_SAAS_PROVISIONING_*IMAGE`) are also set from the registry.

7
README.md
View File

@@ -84,9 +84,11 @@ Settings can be provided via CLI flags, environment variables, config file (`cam
| Setting | CLI Flag | Env Var | Config Key | Default | | Setting | CLI Flag | Env Var | Config Key | Default |
|---------|----------|---------|------------|---------| |---------|----------|---------|------------|---------|
| Admin username | `--admin-user` | `SAAS_ADMIN_USER` | `admin_user` | `admin` | | Admin login | `--admin-user` | `SAAS_ADMIN_USER` | `admin_user` | `admin` (standalone) / `admin@<PUBLIC_HOST>` (SaaS) |
| Admin password | `--admin-password` | `SAAS_ADMIN_PASS` | `admin_password` | auto-generated | | Admin password | `--admin-password` | `SAAS_ADMIN_PASS` | `admin_password` | auto-generated |
In SaaS mode, `SAAS_ADMIN_USER` must be an email address — it is used as both the Logto username and primaryEmail. The installer validates email format in SaaS mode and auto-appends `@<PUBLIC_HOST>` if the `@` is missing. In standalone mode, any username is accepted.
In standalone mode, the env vars are `SERVER_ADMIN_USER` / `SERVER_ADMIN_PASS`. In standalone mode, the env vars are `SERVER_ADMIN_USER` / `SERVER_ADMIN_PASS`.
### TLS Certificates ### TLS Certificates
@@ -133,7 +135,7 @@ The Docker socket is required for tenant provisioning (SaaS mode) — the platfo
| Setting | CLI Flag | Env Var | Config Key | Default | | Setting | CLI Flag | Env Var | Config Key | Default |
|---------|----------|---------|------------|---------| |---------|----------|---------|------------|---------|
| Registry | `--registry` | `REGISTRY` | `registry` | `gitea.siegeln.net/cameleer` | | Registry | `--registry` | `REGISTRY` | `registry` | `registry.cameleer.io/cameleer` |
| Registry username | `--registry-user` | `REGISTRY_USER` | `registry_user` | — | | Registry username | `--registry-user` | `REGISTRY_USER` | `registry_user` | — |
| Registry token | `--registry-token` | `REGISTRY_TOKEN` | `registry_token` | — | | Registry token | `--registry-token` | `REGISTRY_TOKEN` | `registry_token` | — |
| Image version | `--version` | `VERSION` | `version` | `latest` | | Image version | `--version` | `VERSION` | `version` | `latest` |
@@ -170,7 +172,6 @@ These are generated automatically and never need to be set manually:
| Secret | Env Var | Description | | Secret | Env Var | Description |
|--------|---------|-------------| |--------|---------|-------------|
| JWT signing secret | `CAMELEER_SERVER_SECURITY_JWTSECRET` | Shared secret for JWT token signing across provisioned tenant servers |
| Bootstrap token | `BOOTSTRAP_TOKEN` | Server initialization token (standalone mode only) | | Bootstrap token | `BOOTSTRAP_TOKEN` | Server initialization token (standalone mode only) |
--- ---

69
install.ps1
View File

@@ -100,6 +100,7 @@ $script:cfg = @{
PublicProtocol = $PublicProtocol PublicProtocol = $PublicProtocol
AdminUser = $AdminUser AdminUser = $AdminUser
AdminPass = $AdminPassword AdminPass = $AdminPassword
TlsMode = $TlsMode TlsMode = $TlsMode
CertFile = $CertFile CertFile = $CertFile
KeyFile = $KeyFile KeyFile = $KeyFile
@@ -271,6 +272,7 @@ function Load-ConfigFile {
'public_protocol' { if (-not $script:cfg.PublicProtocol) { $script:cfg.PublicProtocol = $val } } 'public_protocol' { if (-not $script:cfg.PublicProtocol) { $script:cfg.PublicProtocol = $val } }
'admin_user' { if (-not $script:cfg.AdminUser) { $script:cfg.AdminUser = $val } } 'admin_user' { if (-not $script:cfg.AdminUser) { $script:cfg.AdminUser = $val } }
'admin_password' { if (-not $script:cfg.AdminPass) { $script:cfg.AdminPass = $val } } 'admin_password' { if (-not $script:cfg.AdminPass) { $script:cfg.AdminPass = $val } }
'tls_mode' { if (-not $script:cfg.TlsMode) { $script:cfg.TlsMode = $val } } 'tls_mode' { if (-not $script:cfg.TlsMode) { $script:cfg.TlsMode = $val } }
'cert_file' { if (-not $script:cfg.CertFile) { $script:cfg.CertFile = $val } } 'cert_file' { if (-not $script:cfg.CertFile) { $script:cfg.CertFile = $val } }
'key_file' { if (-not $script:cfg.KeyFile) { $script:cfg.KeyFile = $val } } 'key_file' { if (-not $script:cfg.KeyFile) { $script:cfg.KeyFile = $val } }
@@ -303,6 +305,7 @@ function Load-EnvOverrides {
if (-not $c.PublicProtocol) { $c.PublicProtocol = $_ENV_PUBLIC_PROTOCOL } if (-not $c.PublicProtocol) { $c.PublicProtocol = $_ENV_PUBLIC_PROTOCOL }
if (-not $c.AdminUser) { $c.AdminUser = $env:SAAS_ADMIN_USER } if (-not $c.AdminUser) { $c.AdminUser = $env:SAAS_ADMIN_USER }
if (-not $c.AdminPass) { $c.AdminPass = $env:SAAS_ADMIN_PASS } if (-not $c.AdminPass) { $c.AdminPass = $env:SAAS_ADMIN_PASS }
if (-not $c.TlsMode) { $c.TlsMode = $_ENV_TLS_MODE } if (-not $c.TlsMode) { $c.TlsMode = $_ENV_TLS_MODE }
if (-not $c.CertFile) { $c.CertFile = $_ENV_CERT_FILE } if (-not $c.CertFile) { $c.CertFile = $_ENV_CERT_FILE }
if (-not $c.KeyFile) { $c.KeyFile = $_ENV_KEY_FILE } if (-not $c.KeyFile) { $c.KeyFile = $_ENV_KEY_FILE }
@@ -447,17 +450,41 @@ function Run-SimplePrompts {
Write-Host '' Write-Host ''
Write-Host '--- Simple Installation ---' -ForegroundColor Cyan Write-Host '--- Simple Installation ---' -ForegroundColor Cyan
Write-Host '' Write-Host ''
$c.InstallDir = Prompt-Value 'Install directory' (Coalesce $c.InstallDir $DEFAULT_INSTALL_DIR) $c.InstallDir = Prompt-Value 'Install directory' (Coalesce $c.InstallDir $DEFAULT_INSTALL_DIR)
$c.PublicHost = Prompt-Value 'Public hostname' (Coalesce $c.PublicHost 'localhost') $c.PublicHost = Prompt-Value 'Public hostname' (Coalesce $c.PublicHost 'localhost')
$c.AdminUser = Prompt-Value 'Admin username' (Coalesce $c.AdminUser $DEFAULT_ADMIN_USER)
Write-Host ''
Write-Host ' Deployment mode:'
Write-Host ' [1] Multi-tenant SaaS -- manage platform, provision tenants on demand'
Write-Host ' [2] Single-tenant -- one server instance, local auth, no identity provider'
Write-Host ''
$deployChoice = Read-Host ' Select mode [1]'
if ($deployChoice -eq '2') { $c.DeploymentMode = 'standalone' } else { $c.DeploymentMode = 'saas' }
Write-Host ''
if ($c.DeploymentMode -eq 'saas') {
$defaultEmail = Coalesce $c.AdminUser "admin@$($c.PublicHost)"
if ($defaultEmail -and $defaultEmail -notmatch '@.+\..+') {
$defaultEmail = "admin@$($c.PublicHost)"
}
while ($true) {
$c.AdminUser = Prompt-Value 'Admin email' $defaultEmail
if ($c.AdminUser -match '^[^@]+@[^@]+\.[^@]+$') { break }
Write-Host ' Invalid email address. Must be a valid email (e.g. admin@company.com).' -ForegroundColor Red
$c.AdminUser = $null
$defaultEmail = $null
}
} else {
$c.AdminUser = Prompt-Value 'Admin username' (Coalesce $c.AdminUser $DEFAULT_ADMIN_USER)
}
if (Prompt-YesNo 'Auto-generate admin password?' 'y') { if (Prompt-YesNo 'Auto-generate admin password?' 'y') {
$c.AdminPass = '' $c.AdminPass = ''
} else { } else {
$c.AdminPass = Prompt-Password 'Admin password' $c.AdminPass = Prompt-Password 'Admin password'
} }
Write-Host '' Write-Host ''
if (Prompt-YesNo 'Use custom TLS certificates? (no = self-signed)') { if (Prompt-YesNo 'Use custom TLS certificates? (no = self-signed)') {
$c.TlsMode = 'custom' $c.TlsMode = 'custom'
@@ -469,7 +496,7 @@ function Run-SimplePrompts {
} else { } else {
$c.TlsMode = 'self-signed' $c.TlsMode = 'self-signed'
} }
Write-Host '' Write-Host ''
$c.MonitoringNetwork = Prompt-Value 'Monitoring network name (empty = skip)' '' $c.MonitoringNetwork = Prompt-Value 'Monitoring network name (empty = skip)' ''
@@ -480,14 +507,6 @@ function Run-SimplePrompts {
$c.RegistryToken = Prompt-Password 'Registry token/password' (Coalesce $c.RegistryToken '') $c.RegistryToken = Prompt-Password 'Registry token/password' (Coalesce $c.RegistryToken '')
} }
Write-Host ''
Write-Host ' Deployment mode:'
Write-Host ' [1] Multi-tenant SaaS -- manage platform, provision tenants on demand'
Write-Host ' [2] Single-tenant -- one server instance, local auth, no identity provider'
Write-Host ''
$deployChoice = Read-Host ' Select mode [1]'
if ($deployChoice -eq '2') { $c.DeploymentMode = 'standalone' } else { $c.DeploymentMode = 'saas' }
} }
function Run-ExpertPrompts { function Run-ExpertPrompts {
@@ -538,7 +557,15 @@ function Merge-Config {
if (-not $c.InstallDir) { $c.InstallDir = $DEFAULT_INSTALL_DIR } if (-not $c.InstallDir) { $c.InstallDir = $DEFAULT_INSTALL_DIR }
if (-not $c.PublicHost) { $c.PublicHost = 'localhost' } if (-not $c.PublicHost) { $c.PublicHost = 'localhost' }
if (-not $c.PublicProtocol) { $c.PublicProtocol = $DEFAULT_PUBLIC_PROTOCOL } if (-not $c.PublicProtocol) { $c.PublicProtocol = $DEFAULT_PUBLIC_PROTOCOL }
if (-not $c.AdminUser) { $c.AdminUser = $DEFAULT_ADMIN_USER } if ($c.DeploymentMode -eq 'saas') {
if (-not $c.AdminUser) { $c.AdminUser = "admin@$($c.PublicHost)" }
if ($c.AdminUser -notmatch '^[^@]+@[^@]+\.[^@]+$') {
Write-Host "ERROR: SAAS_ADMIN_USER must be a valid email address (e.g. admin@company.com), got: '$($c.AdminUser)'" -ForegroundColor Red
exit 1
}
} else {
if (-not $c.AdminUser) { $c.AdminUser = $DEFAULT_ADMIN_USER }
}
if (-not $c.TlsMode) { $c.TlsMode = $DEFAULT_TLS_MODE } if (-not $c.TlsMode) { $c.TlsMode = $DEFAULT_TLS_MODE }
if (-not $c.HttpPort) { $c.HttpPort = $DEFAULT_HTTP_PORT } if (-not $c.HttpPort) { $c.HttpPort = $DEFAULT_HTTP_PORT }
if (-not $c.HttpsPort) { $c.HttpsPort = $DEFAULT_HTTPS_PORT } if (-not $c.HttpsPort) { $c.HttpsPort = $DEFAULT_HTTPS_PORT }
@@ -631,7 +658,6 @@ function Generate-EnvFile {
$ts = (Get-Date -Format 'yyyy-MM-dd HH:mm:ss') + ' UTC' $ts = (Get-Date -Format 'yyyy-MM-dd HH:mm:ss') + ' UTC'
$bt = Generate-Password $bt = Generate-Password
$jwtSecret = Generate-Password
if ($c.DeploymentMode -eq 'standalone') { if ($c.DeploymentMode -eq 'standalone') {
$content = @" $content = @"
@@ -654,9 +680,6 @@ SERVER_ADMIN_USER=$($c.AdminUser)
# Bootstrap token # Bootstrap token
BOOTSTRAP_TOKEN=$bt BOOTSTRAP_TOKEN=$bt
# JWT signing secret (required by server, must be non-empty)
CAMELEER_SERVER_SECURITY_JWTSECRET=$jwtSecret
# Docker # Docker
DOCKER_SOCKET=$($c.DockerSocket) DOCKER_SOCKET=$($c.DockerSocket)
DOCKER_GID=$gid DOCKER_GID=$gid
@@ -736,8 +759,6 @@ CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=$reg/cameleer-server:$($c.Version)
CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=$reg/cameleer-server-ui:$($c.Version) CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=$reg/cameleer-server-ui:$($c.Version)
CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=$reg/cameleer-runtime-base:$($c.Version) CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=$reg/cameleer-runtime-base:$($c.Version)
# JWT signing secret (forwarded to provisioned tenant servers, must be non-empty)
CAMELEER_SERVER_SECURITY_JWTSECRET=$jwtSecret
"@ "@
$content += $provisioningBlock $content += $provisioningBlock
# Passwords appended with single-quoting for special character safety # Passwords appended with single-quoting for special character safety
@@ -1031,10 +1052,10 @@ ClickHouse: default / $($c.ClickhousePassword)
Admin Console: $($c.PublicProtocol)://$($c.PublicHost)/platform/ Admin Console: $($c.PublicProtocol)://$($c.PublicHost)/platform/
Admin User: $($c.AdminUser) Admin User: $($c.AdminUser)
Admin Password: $($c.AdminPass) Admin Password: $($c.AdminPass)
PostgreSQL: cameleer / $($c.PostgresPassword) PostgreSQL: cameleer / $($c.PostgresPassword)
ClickHouse: default / $($c.ClickhousePassword) ClickHouse: default / $($c.ClickhousePassword)
$logtoLine $logtoLine
"@ "@
} }
@@ -1485,10 +1506,6 @@ function Main {
Generate-Passwords Generate-Passwords
# Resolve to absolute path NOW. # Resolve to absolute path NOW.
# [System.IO.File]::WriteAllText uses .NET's Environment.CurrentDirectory,
# which differs from PowerShell's $PWD on Windows (e.g. resolves ./cameleer
# to C:\Users\Hendrik\cameleer instead of the script's working directory).
# GetUnresolvedProviderPathFromPSPath always uses PowerShell's current location.
$script:cfg.InstallDir = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath( $script:cfg.InstallDir = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath(
$script:cfg.InstallDir) $script:cfg.InstallDir)

70
install.sh
View File

@@ -56,6 +56,7 @@ AUTH_HOST=""
PUBLIC_PROTOCOL="" PUBLIC_PROTOCOL=""
ADMIN_USER="" ADMIN_USER=""
ADMIN_PASS="" ADMIN_PASS=""
TLS_MODE="" TLS_MODE=""
CERT_FILE="" CERT_FILE=""
KEY_FILE="" KEY_FILE=""
@@ -168,6 +169,7 @@ parse_args() {
--public-protocol) PUBLIC_PROTOCOL="$2"; shift ;; --public-protocol) PUBLIC_PROTOCOL="$2"; shift ;;
--admin-user) ADMIN_USER="$2"; shift ;; --admin-user) ADMIN_USER="$2"; shift ;;
--admin-password) ADMIN_PASS="$2"; shift ;; --admin-password) ADMIN_PASS="$2"; shift ;;
--tls-mode) TLS_MODE="$2"; shift ;; --tls-mode) TLS_MODE="$2"; shift ;;
--cert-file) CERT_FILE="$2"; shift ;; --cert-file) CERT_FILE="$2"; shift ;;
--key-file) KEY_FILE="$2"; shift ;; --key-file) KEY_FILE="$2"; shift ;;
@@ -262,6 +264,7 @@ load_config_file() {
public_protocol) [ -z "$PUBLIC_PROTOCOL" ] && PUBLIC_PROTOCOL="$value" ;; public_protocol) [ -z "$PUBLIC_PROTOCOL" ] && PUBLIC_PROTOCOL="$value" ;;
admin_user) [ -z "$ADMIN_USER" ] && ADMIN_USER="$value" ;; admin_user) [ -z "$ADMIN_USER" ] && ADMIN_USER="$value" ;;
admin_password) [ -z "$ADMIN_PASS" ] && ADMIN_PASS="$value" ;; admin_password) [ -z "$ADMIN_PASS" ] && ADMIN_PASS="$value" ;;
tls_mode) [ -z "$TLS_MODE" ] && TLS_MODE="$value" ;; tls_mode) [ -z "$TLS_MODE" ] && TLS_MODE="$value" ;;
cert_file) [ -z "$CERT_FILE" ] && CERT_FILE="$value" ;; cert_file) [ -z "$CERT_FILE" ] && CERT_FILE="$value" ;;
key_file) [ -z "$KEY_FILE" ] && KEY_FILE="$value" ;; key_file) [ -z "$KEY_FILE" ] && KEY_FILE="$value" ;;
@@ -292,6 +295,7 @@ load_env_overrides() {
[ -z "$PUBLIC_PROTOCOL" ] && PUBLIC_PROTOCOL="$_ENV_PUBLIC_PROTOCOL" [ -z "$PUBLIC_PROTOCOL" ] && PUBLIC_PROTOCOL="$_ENV_PUBLIC_PROTOCOL"
[ -z "$ADMIN_USER" ] && ADMIN_USER="${SAAS_ADMIN_USER:-}" [ -z "$ADMIN_USER" ] && ADMIN_USER="${SAAS_ADMIN_USER:-}"
[ -z "$ADMIN_PASS" ] && ADMIN_PASS="${SAAS_ADMIN_PASS:-}" [ -z "$ADMIN_PASS" ] && ADMIN_PASS="${SAAS_ADMIN_PASS:-}"
[ -z "$TLS_MODE" ] && TLS_MODE="$_ENV_TLS_MODE" [ -z "$TLS_MODE" ] && TLS_MODE="$_ENV_TLS_MODE"
[ -z "$CERT_FILE" ] && CERT_FILE="$_ENV_CERT_FILE" [ -z "$CERT_FILE" ] && CERT_FILE="$_ENV_CERT_FILE"
[ -z "$KEY_FILE" ] && KEY_FILE="$_ENV_KEY_FILE" [ -z "$KEY_FILE" ] && KEY_FILE="$_ENV_KEY_FILE"
@@ -425,7 +429,37 @@ run_simple_prompts() {
prompt INSTALL_DIR "Install directory" "${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}" prompt INSTALL_DIR "Install directory" "${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
prompt PUBLIC_HOST "Public hostname" "${PUBLIC_HOST:-localhost}" prompt PUBLIC_HOST "Public hostname" "${PUBLIC_HOST:-localhost}"
prompt ADMIN_USER "Admin username" "${ADMIN_USER:-$DEFAULT_ADMIN_USER}"
echo ""
echo " Deployment mode:"
echo " [1] Multi-tenant SaaS — manage platform, provision tenants on demand"
echo " [2] Single-tenant — one server instance, local auth, no identity provider"
echo ""
local deploy_choice
read -rp " Select mode [1]: " deploy_choice
case "${deploy_choice:-1}" in
2)
DEPLOYMENT_MODE="standalone"
;;
*)
DEPLOYMENT_MODE="saas"
;;
esac
echo ""
if [ "$DEPLOYMENT_MODE" = "saas" ]; then
while true; do
prompt ADMIN_USER "Admin email" "${ADMIN_USER:-admin@${PUBLIC_HOST:-localhost}}"
# Validate email: must be user@domain.tld format
if echo "$ADMIN_USER" | grep -qE '^[^@]+@[^@]+\.[^@]+$'; then
break
fi
echo -e " ${RED}Invalid email address.${NC} Must be a valid email (e.g. admin@company.com)."
ADMIN_USER=""
done
else
prompt ADMIN_USER "Admin username" "${ADMIN_USER:-$DEFAULT_ADMIN_USER}"
fi
if prompt_yesno "Auto-generate admin password?" "y"; then if prompt_yesno "Auto-generate admin password?" "y"; then
ADMIN_PASS="" ADMIN_PASS=""
@@ -455,22 +489,6 @@ run_simple_prompts() {
prompt_password REGISTRY_TOKEN "Registry token/password" "${REGISTRY_TOKEN:-}" prompt_password REGISTRY_TOKEN "Registry token/password" "${REGISTRY_TOKEN:-}"
fi fi
echo ""
echo " Deployment mode:"
echo " [1] Multi-tenant SaaS — manage platform, provision tenants on demand"
echo " [2] Single-tenant — one server instance, local auth, no identity provider"
echo ""
local deploy_choice
read -rp " Select mode [1]: " deploy_choice
case "${deploy_choice:-1}" in
2)
DEPLOYMENT_MODE="standalone"
;;
*)
DEPLOYMENT_MODE="saas"
;;
esac
} }
run_expert_prompts() { run_expert_prompts() {
@@ -522,7 +540,16 @@ merge_config() {
: "${INSTALL_DIR:=$DEFAULT_INSTALL_DIR}" : "${INSTALL_DIR:=$DEFAULT_INSTALL_DIR}"
: "${PUBLIC_HOST:=localhost}" : "${PUBLIC_HOST:=localhost}"
: "${PUBLIC_PROTOCOL:=$DEFAULT_PUBLIC_PROTOCOL}" : "${PUBLIC_PROTOCOL:=$DEFAULT_PUBLIC_PROTOCOL}"
: "${ADMIN_USER:=$DEFAULT_ADMIN_USER}" if [ "$DEPLOYMENT_MODE" = "saas" ]; then
: "${ADMIN_USER:=admin@${PUBLIC_HOST}}"
# Validate email format in SaaS mode
if ! echo "$ADMIN_USER" | grep -qE '^[^@]+@[^@]+\.[^@]+$'; then
echo -e "${RED}ERROR:${NC} SAAS_ADMIN_USER must be a valid email address (e.g. admin@company.com), got: '$ADMIN_USER'" >&2
exit 1
fi
else
: "${ADMIN_USER:=$DEFAULT_ADMIN_USER}"
fi
: "${TLS_MODE:=$DEFAULT_TLS_MODE}" : "${TLS_MODE:=$DEFAULT_TLS_MODE}"
: "${HTTP_PORT:=$DEFAULT_HTTP_PORT}" : "${HTTP_PORT:=$DEFAULT_HTTP_PORT}"
: "${HTTPS_PORT:=$DEFAULT_HTTPS_PORT}" : "${HTTPS_PORT:=$DEFAULT_HTTPS_PORT}"
@@ -597,6 +624,7 @@ generate_passwords() {
ADMIN_PASS=$(generate_password) ADMIN_PASS=$(generate_password)
log_info "Generated admin password." log_info "Generated admin password."
fi fi
if [ -z "$POSTGRES_PASSWORD" ]; then if [ -z "$POSTGRES_PASSWORD" ]; then
POSTGRES_PASSWORD=$(generate_password) POSTGRES_PASSWORD=$(generate_password)
log_info "Generated PostgreSQL password." log_info "Generated PostgreSQL password."
@@ -644,9 +672,6 @@ SERVER_ADMIN_USER=${ADMIN_USER}
# Bootstrap token (required by server, not used externally in standalone mode) # Bootstrap token (required by server, not used externally in standalone mode)
BOOTSTRAP_TOKEN=$(generate_password) BOOTSTRAP_TOKEN=$(generate_password)
# JWT signing secret (required by server, must be non-empty)
CAMELEER_SERVER_SECURITY_JWTSECRET=$(generate_password)
# Docker # Docker
DOCKER_SOCKET=${DOCKER_SOCKET} DOCKER_SOCKET=${DOCKER_SOCKET}
DOCKER_GID=$(stat -c '%g' "${DOCKER_SOCKET}" 2>/dev/null || echo "0") DOCKER_GID=$(stat -c '%g' "${DOCKER_SOCKET}" 2>/dev/null || echo "0")
@@ -738,9 +763,6 @@ CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=${REGISTRY}/cameleer-server:${VERSION}
CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=${REGISTRY}/cameleer-server-ui:${VERSION} CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=${REGISTRY}/cameleer-server-ui:${VERSION}
CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:${VERSION} CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:${VERSION}
# JWT signing secret (forwarded to provisioned tenant servers, must be non-empty)
CAMELEER_SERVER_SECURITY_JWTSECRET=$(generate_password)
# Compose file assembly # Compose file assembly
COMPOSE_FILE=docker-compose.yml:docker-compose.saas.yml$([ "$TLS_MODE" = "custom" ] && echo ":docker-compose.tls.yml")$([ -n "$MONITORING_NETWORK" ] && echo ":docker-compose.monitoring.yml") COMPOSE_FILE=docker-compose.yml:docker-compose.saas.yml$([ "$TLS_MODE" = "custom" ] && echo ":docker-compose.tls.yml")$([ -n "$MONITORING_NETWORK" ] && echo ":docker-compose.monitoring.yml")
EOF EOF

4
templates/.env.example
View File

@@ -50,7 +50,9 @@ CLICKHOUSE_PASSWORD=CHANGE_ME
# ============================================================ # ============================================================
# Admin credentials (SaaS mode) # Admin credentials (SaaS mode)
# ============================================================ # ============================================================
SAAS_ADMIN_USER=admin # In SaaS mode, this must be an email address (primary user identity).
# In standalone mode, any username is accepted.
SAAS_ADMIN_USER=admin@example.com
SAAS_ADMIN_PASS=CHANGE_ME SAAS_ADMIN_PASS=CHANGE_ME
# ============================================================ # ============================================================

1
templates/docker-compose.saas.yml
View File

@@ -85,7 +85,6 @@ services:
CAMELEER_SAAS_PROVISIONING_DATASOURCEUSERNAME: ${POSTGRES_USER:-cameleer} CAMELEER_SAAS_PROVISIONING_DATASOURCEUSERNAME: ${POSTGRES_USER:-cameleer}
CAMELEER_SAAS_PROVISIONING_DATASOURCEPASSWORD: ${POSTGRES_PASSWORD} CAMELEER_SAAS_PROVISIONING_DATASOURCEPASSWORD: ${POSTGRES_PASSWORD}
CAMELEER_SAAS_PROVISIONING_CLICKHOUSEPASSWORD: ${CLICKHOUSE_PASSWORD} CAMELEER_SAAS_PROVISIONING_CLICKHOUSEPASSWORD: ${CLICKHOUSE_PASSWORD}
CAMELEER_SERVER_SECURITY_JWTSECRET: ${CAMELEER_SERVER_SECURITY_JWTSECRET:?CAMELEER_SERVER_SECURITY_JWTSECRET must be set in .env}
CAMELEER_SAAS_PROVISIONING_SERVERIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERIMAGE:-registry.cameleer.io/cameleer/cameleer-server:latest} CAMELEER_SAAS_PROVISIONING_SERVERIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERIMAGE:-registry.cameleer.io/cameleer/cameleer-server:latest}
CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE:-registry.cameleer.io/cameleer/cameleer-server-ui:latest} CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE:-registry.cameleer.io/cameleer/cameleer-server-ui:latest}
CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE: ${CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE:-registry.cameleer.io/cameleer/cameleer-runtime-base:latest} CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE: ${CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE:-registry.cameleer.io/cameleer/cameleer-runtime-base:latest}

1
templates/docker-compose.server.yml
View File

@@ -29,7 +29,6 @@ services:
CAMELEER_SERVER_CLICKHOUSE_USERNAME: default CAMELEER_SERVER_CLICKHOUSE_USERNAME: default
CAMELEER_SERVER_CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD} CAMELEER_SERVER_CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD}
CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN: ${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN must be set in .env} CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN: ${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN must be set in .env}
CAMELEER_SERVER_SECURITY_JWTSECRET: ${CAMELEER_SERVER_SECURITY_JWTSECRET:?CAMELEER_SERVER_SECURITY_JWTSECRET must be set in .env}
CAMELEER_SERVER_SECURITY_UIUSER: ${SERVER_ADMIN_USER:-admin} CAMELEER_SERVER_SECURITY_UIUSER: ${SERVER_ADMIN_USER:-admin}
CAMELEER_SERVER_SECURITY_UIPASSWORD: ${SERVER_ADMIN_PASS:?SERVER_ADMIN_PASS must be set in .env} CAMELEER_SERVER_SECURITY_UIPASSWORD: ${SERVER_ADMIN_PASS:?SERVER_ADMIN_PASS must be set in .env}
CAMELEER_SERVER_SECURITY_CORSALLOWEDORIGINS: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost} CAMELEER_SERVER_SECURITY_CORSALLOWEDORIGINS: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}