- bench init internally invokes sudo for system operations
- frappe user has no password, causing 'Sorry, try again' hang
- Add /etc/sudoers.d/frappe with NOPASSWD:ALL
- bench setup production requires root (is_root check) - was failing as frappe user
- Add nginx and supervisor as apt dependencies for production setup
- Remove custom erpnext.service - bench manages gunicorn+workers via supervisor
- Port 8000 → 80 (nginx reverse proxy)
- Fix bench update in CT to run as frappe user with proper PATH
- MariaDB uses unix_socket auth - frappe user can't connect as MySQL root
- Set proper password and pass via --db-root-password to bench new-site
- Store DB_ROOT_PASSWORD in .env for reference
Create a dedicated 'frappe' user and run all bench/uv commands as that user. Chown /opt, install frappe-bench and perform bench init, get-app and new-site via sudo -u frappe (preserving PATH), and run 'bench setup production frappe --yes'. Update the systemd service to User=frappe so Gunicorn and bench processes do not run as root, improving security and isolation.
- tubearchivist: backend on 8100 behind nginx on 8000 (was both 8000)
- jitsi: URI=download.jitsi.org suite=stable/ component=empty for flat repo
- erpnext: use CI=1 and FRAPPE_ALLOW_SUPERUSER=1 (not BENCH_ALLOW_SUPERUSER)
uv tool install frappe-bench places the bench executable in
~/.local/bin which is not on PATH by default, causing 'command
not found' (exit 127) when running bench init.
Add container templates, install scripts and metadata for six applications: BirdNET-Go, ERPNext, Jitsi Meet, Storybook, Storyteller and Tube Archivist. New files include ct/* scripts (container templates and update handlers), install/* scripts (installation and systemd service setup, dependency installation and build steps) and json/* metadata entries (app catalog data, default resources, ports and notes). Each install script configures required dependencies, creates services, and prepares runtime configuration (e.g. DB, Elasticsearch, Node/Python environments, ffmpeg/Readium). This commit enables automated LXC provisioning and update flows for these apps.