diff --git a/.gitignore b/.gitignore
index 6b2a1e2..4a66929 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 *__pycache__*
-.vscode/*
\ No newline at end of file
+.vscode/*
+conf/*
+!conf/README.md
+!conf/zamba.conf.example
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8344929..b7acdea 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,13 @@
-**** Zamba LXC Toolbox main branch ****
+**** Zamba LXC Toolbox devel branch ****
 - added dhcp support
 - fixed hardcoded samba sharename in `zmb-standalone` script
 - added support for container id's larger than 999
+- added optional parameters for ct id, service and config file
+- mailpiler version now configured to download `latest` version
+- added `conf` folder to store user configs
+- splitted basic container setup and service installation into multiple scripts
+- created `constants` to minimize config variables
+- added `wsdd` to `zmb-standalone` service
 
 **** Zamba LXC Toolbox v0.1 ****
 - `locales` are now configured noninteractive #21
diff --git a/README.md b/README.md
index 6753e90..9cbc32b 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,8 @@
 # Zamba LXC Toolbox
 
+# IMPORTANT NOTE:
+`devel` branch is still under heavy development, do not use this on a productive machine!
+
 ## About
 Zamba LXC Toolbox is a collection of scripts to easily install Debian LXC containers with preconfigured services on Proxmox with ZFS. The main feature is `Zamba`, the fusion of ZFS and Samba in three different flavours (standalone, active directory dc or active directory member), preconfigured to access ZFS snapshots by "Windows Previous Versions" to easily recover encrypted by ransomware files, accidently deleted files or just to revert changes.
 
@@ -12,6 +15,7 @@ Proxmox VE Server with at least one configured ZFS Pool. - `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions) - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/) - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web) +- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration - `debian-unpriv` => Debian unprivileged container with basic toolset - `debian-priv` => Debian privileged container with basic toolset ## Usage diff --git a/debian-priv.sh b/archive/debian-priv.sh similarity index 100% rename from debian-priv.sh rename to archive/debian-priv.sh diff --git a/debian-unpriv.sh b/archive/debian-unpriv.sh similarity index 62% rename from debian-unpriv.sh rename to archive/debian-unpriv.sh index 881a310..7d90719 100644 --- a/debian-unpriv.sh +++ b/archive/debian-unpriv.sh @@ -5,12 +5,19 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille -dpkg-reconfigure locales - source /root/zamba.conf +source /root/proxmox.conf -# Set Timezone -ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime +sed -i "s/^#.$HOST_LOCALE/$HOST_LOCALE/" /etc/locale.gen +locale-gen $HOST_LOCALE + +sed -i "s/^#.$LXC_LOCALE/$LXC_LOCALE/" /etc/locale.gen +locale-gen $LXC_LOCALE +echo LANG=$LXC_LOCALE > /etc/default/locale +echo LANGUAGE=$LXC_LOCALE >> /etc/default/locale +export LANG=$LXC_LOCALE +export LANGUAGE=$LXC_LOCALE +export LC_CTYPE=C apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade diff --git a/mailpiler.sh b/archive/mailpiler.sh similarity index 100% rename from mailpiler.sh rename to archive/mailpiler.sh 
diff --git a/matrix.sh b/archive/matrix.sh similarity index 100% rename from matrix.sh rename to archive/matrix.sh diff --git a/zamba.conf b/archive/zamba.conf similarity index 91% rename from zamba.conf rename to archive/zamba.conf index 0613bf7..d7a0c29 100644 --- a/zamba.conf +++ b/archive/zamba.conf @@ -75,6 +75,9 @@ LXC_TIMEZONE="Europe/Berlin" # Define system language on LXC container (locales) LXC_LOCALE=de_DE.UTF-8 +# Set dark background for vim syntax highlighting (0 or 1) +LXC_VIM_BG_DARK=1 + ############### Zamba-Server-Section ############### # Defines the REALM for the Active Directory (AD DC, AD member) @@ -84,9 +87,6 @@ ZMB_REALM="ZMB.ROCKS" # IMPORTANT NOTE: ZMB_DOMAIN is case sensitive and the value needs to be written completely in capital letters ZMB_DOMAIN="ZMB" -# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage -ZMB_DNS_BACKEND="SAMBA_INTERNAL" - # Defines the name of your domain administrator account (AD DC, AD member, standalone) ZMB_ADMIN_USER="administrator" # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour @@ -102,12 +102,6 @@ ZMB_SHARE="share" PILER_FQDN="piler.zmb.rocks" # Defines the smarthost for piler mail archive PILER_SMARTHOST="your.mailserver.tld" -# Defines the version number of piler mail archive to install -PILER_VERSION="1.3.11" -# Defines the version of sphinx to install -PILER_SPHINX_VERSION="3.3.1" -# Defines the php version to install -PILER_PHP_VERSION="7.4" ############### Matrix-Section ############### @@ -117,8 +111,5 @@ MATRIX_FQDN="matrix.zmb.rocks" # Define the FQDN for the Element Web virtual host MATRIX_ELEMENT_FQDN="element.zmb.rocks" -# Define the version of Element Web -MATRIX_ELEMENT_VERSION="v1.7.25" - # Define the FQDN for the Jitsi Meet virtual host MATRIX_JITSI_FQDN="meet.zmb.rocks" 
diff --git a/zmb-ad.sh b/archive/zmb-ad.sh
similarity index 100%
rename from zmb-ad.sh
rename to archive/zmb-ad.sh
diff --git a/zmb-member.sh b/archive/zmb-member.sh
similarity index 100%
rename from zmb-member.sh
rename to archive/zmb-member.sh
diff --git a/zmb-standalone.sh b/archive/zmb-standalone.sh
similarity index 100%
rename from zmb-standalone.sh
rename to archive/zmb-standalone.sh
diff --git a/conf/README.md b/conf/README.md
new file mode 100644
index 0000000..4a821a3
--- /dev/null
+++ b/conf/README.md
@@ -0,0 +1 @@
+# USE THIS FOLDER TO STORE YOUR OWN ZMB CONFIGS
\ No newline at end of file
diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example
new file mode 100644
index 0000000..2885a7e
--- /dev/null
+++ b/conf/zamba.conf.example
@@ -0,0 +1,143 @@ +#!/bin/bash + +# This ist the Zamba main configuration file. +# Please adjust the settings to your needs before running the installer. + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + + +############### Linux Container Section ############### + +# Defines the Proxmox storage where your LXC container template are stored (default: local) +LXC_TEMPLATE_STORAGE="local" + +# Defines the size in GB of the LXC container's root filesystem (default: 32) +# Depending on your environment, you should consider increasing the size for use of `mailpiler` or `matrix`. +LXC_ROOTFS_SIZE="32" +# Defines the Proxmox storage where your LXC container's root filesystem will be generated (default: local-zfs) +LXC_ROOTFS_STORAGE="local-zfs" + +# Defines the size in GB your LXC container's filesystem shared by Zamba (AD member & standalone) (default: 100) +LXC_SHAREFS_SIZE="100" +# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs) +LXC_SHAREFS_STORAGE="local-zfs" +# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) +LXC_SHAREFS_MOUNTPOINT="tank" + +# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) +LXC_MEM="1024" + +# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024) +LXC_SWAP="1024" + +# Defines the hostname of your LXC container +LXC_HOSTNAME="${service}" + +# Defines the domain name / search domain of your LXC container +LXC_DOMAIN="zmb.rocks" + +# Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false] +LXC_DHCP=false + +# Defines the local IP address and subnet of your LXC container in CIDR format +LXC_IP="192.168.100.200/24" + +# Defines the default gateway IP address of your LXC container +LXC_GW="192.168.100.254" + 
+# Defines the DNS server ip address of your LXC container +# `zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS +# For other services this should be your active directory domain controller (if present, else a DNS server of your choice) +LXC_DNS="192.168.100.254" + +# Defines the network bridge to bind the network adapter of your LXC container +LXC_BRIDGE="vmbr0" + +# Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty. +LXC_VLAN= + +# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour. +LXC_PWD='S3cr3tp@ssw0rd' + +# Defines an authorized_keys file to push into the LXC container. +# By default the authorized_keys will be inherited from your proxmox host. +LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys + +# Define your (administrative) tools, you always want to have installed into your LXC container +LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc" + +# Define the local timezone of your LXC container (default: Euroe/Berlin) +LXC_TIMEZONE="Europe/Berlin" + +# Define system language on LXC container (locales) +# With this paramater you can generate additional locales, the default language will be inherited from proxmox host. +# en_US.UTF-8 english +# de_DE.UTF-8 german (default) +LXC_LOCALE="de_DE.UTF-8" + +# Set dark background for vim syntax highlighting (0 or 1) +LXC_VIM_BG_DARK=1 + +############### Zamba-Server-Section ############### + +# Defines the REALM for the Active Directory (AD DC, AD member) +ZMB_REALM="ZMB.ROCKS" +# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone) +ZMB_DOMAIN="ZMB" + +# Defines the name of your domain administrator account (AD DC, AD member, standalone) +ZMB_ADMIN_USER="administrator" +# The admin password for zamba installation. 
Please use 'single quatation marks' to avoid unexpected behaviour +# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail +ZMB_ADMIN_PASS='1c@nd0@nyth1n9' + +# Defines the name of your Zamba share +ZMB_SHARE="share" + +############### Mailpiler-Section ############### + +# Defines the (public) FQDN of your piler mail archive +PILER_FQDN="piler.zmb.rocks" +# Defines the smarthost for piler mail archive +PILER_SMARTHOST="your.mailserver.tld" + +############### Matrix-Section ############### + +# Define the FQDN of your Matrix server +MATRIX_FQDN="matrix.zmb.rocks" + +# Define the FQDN for the Element Web virtual host +MATRIX_ELEMENT_FQDN="element.zmb.rocks" + +############### Nextcloud-Section ############### + +# Define the FQDN of your Nextcloud server +NEXTCLOUD_FQDN="nc1.zmb.rocks" + +# The initial admin-user which will be configured +NEXTCLOUD_ADMIN_USR="zmb-admin" + +# Build a strong password for this user. Username and password will shown at the end of the instalation. +NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" + +# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT +NEXTCLOUD_DATA="nc_data" + +# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban +NEXTCLOUD_REVPROX="192.168.100.254" + +############### Check_MK-Section ############### + +# Define the name of your checkmk instance +CMK_INSTANCE=zmbrocks + +# Define the password of user 'cmkadmin' +CMK_ADMIN_PW='Ju5t@n0thers3cur3p@ssw0rd' + +# checkmk edition (raw or free) +# raw = completely free +# free = limited version of the enterprise edition (25 hosts, 1 instance) +CMK_EDITION=raw diff --git a/install.sh b/install.sh old mode 100644 new mode 100755 index 4a20bbf..d283175 --- a/install.sh +++ b/install.sh 
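Review bot: `NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"` is re-evaluated on every `source`, and this file is sourced at least twice — by install.sh on the host and again by the install-service scripts after `pct push` copies it into the container — so each side sees a different random string, and whichever side prints the credentials "at the end of the installation" may not be the one that actually provisioned Nextcloud (the Nextcloud installer itself is not in this diff, so I cannot confirm where it is printed). Either have the installer write the generated literal back into the pushed copy, or at least warn here: `# NOTE: regenerated on every 'source'; only the value seen inside the container is the real one.` `LXC_HOSTNAME="${service}"` has the same sourcing dependency — it only resolves when sourced from install.sh, where `service` is set; sourced anywhere else it is empty. Since `conf/*` is now git-ignored, consider shipping `LXC_PWD`, `ZMB_ADMIN_PASS` and `CMK_ADMIN_PW` empty in the example so a copied-but-unedited config fails instead of deploying a password that is public in this repository.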
@@ -15,78 +15,102 @@ # Please adjust th settings in 'zamba.conf' to your needs before running the script ############### ZAMBA INSTALL SCRIPT ############### +prog="$(basename "$0")" + +usage() { + cat >&2 <<-EOF + usage: $prog [-h] [-i CTID] [-s SERVICE] [-c CFGFILE] + installs a preconfigured lxc container on your proxmox server + -i CTID provide a container id instead of auto detection + -s SERVICE provide the service name and skip the selection dialog + -c CFGFILE use a different config file than 'zamba.conf' + -h displays this help text + --------------------------------------------------------------------------- + (C) 2021 zamba-lxc-toolbox by bashclub (https://github.com/bashclub) + --------------------------------------------------------------------------- + + EOF + exit $1 +} + +ctid=0 +service=ask +config=$PWD/conf/zamba.conf +verbose=0 + +while getopts "hi:s:c:" opt; do + case $opt in + h) usage 0 ;; + i) ctid=$OPTARG ;; + s) service=$OPTARG ;; + c) config=$OPTARG ;; + *) usage 1 ;; + esac +done +shift $((OPTIND-1)) # Load configuration file -source $PWD/zamba.conf +echo "Loading config file '$config'..." +source $config -LXC_MP="0" -LXC_UNPRIVILEGED="1" -LXC_NESTING="0" +OPTS=$(ls -d $PWD/src/*/ | grep -v __ | xargs basename -a) -select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do - case $opt in - debian-unpriv) - echo "Debian-only LXC container unprivileged mode selected" - break - ;; - debian-priv) - echo "Debian-only LXC container privileged mode selected" - LXC_UNPRIVILEGED="0" - break - ;; - zmb-standalone) - echo "Configuring LXC container '$opt'!" - LXC_MP="1" - LXC_UNPRIVILEGED="0" - break - ;; - zmb-member) - echo "Configuring LXC container '$opt'!" - LXC_MP="1" - LXC_UNPRIVILEGED="0" - break - ;; - zmb-ad) - echo "Selected Zamba AD DC" - LXC_NESTING="1" - LXC_UNPRIVILEGED="0" - break - ;; - mailpiler) - echo "Configuring LXC container for '$opt'!" 
- LXC_NESTING="1" - break - ;; - matrix) - echo "Install Matrix chat server and element web service" - break - ;; - quit) - echo "Script aborted by user interaction." +valid=0 +if [[ "$service" == "ask" ]]; then + select svc in $OPTS quit; do + if [[ "$svc" != "quit" ]]; then + for line in $(echo $OPTS); do + if [[ "$svc" == "$line" ]]; then + service=$svc + echo "Installation of $service selected." + valid=1 + break + fi + done + else + echo "Selected 'quit' exiting without action..." exit 0 - ;; - *) - echo "Invalid option! Exiting..." - exit 1 - ;; - esac -done + fi + if [[ "$valid" == "1" ]]; then + break + fi + done +else + for line in $(echo $OPTS); do + if [[ "$service" == "$line" ]]; then + echo "Installation of $service selected." + valid=1 + break + fi + done +fi + +if [[ "$valid" != "1" ]]; then + echo "Invalid option, exiting..." + usage 1 +fi + +source $PWD/src/$service/constants-service.conf # CHeck is the newest template available, else download it. -DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep debian-10-standard | cut -d'_' -f2) -DEB_REP=$(pveam available --section system | grep debian-10-standard | cut -d'_' -f2) +DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | cut -d'_' -f2) +DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | cut -d'_' -f2) if [[ $DEB_LOC == $DEB_REP ]]; then - echo "Newest Version of Debian 10 Standard $DEP_REP exists."; + echo "Newest Version of $LXC_TEMPLATE_VERSION $DEP_REP exists."; else - echo "Will now download newest Debian 10 Standard $DEP_REP."; - pveam download $LXC_TEMPLATE_STORAGE debian-10-standard_$DEB_REP\_amd64.tar.gz + echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP."; + pveam download $LXC_TEMPLATE_STORAGE "$LXC_TEMPLATE_VERSION"_$DEB_REP\_amd64.tar.gz fi -# Get next free LXC-number -LXC_LST=$( lxc-ls -1 | tail -1 ) -LXC_CHK=$((LXC_LST+1)); +if [ $ctid -gt 99 ]; then + LXC_CHK=$ctid +else + # Get next free LXC-number + LXC_LST=$( lxc-ls -1 | 
tail -1 ) + LXC_CHK=$((LXC_LST+1)); +fi if [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then LXC_NBR=$(pvesh get /cluster/nextid); @@ -96,15 +120,11 @@ fi echo "Will now create LXC Container $LXC_NBR!"; # Create the container -pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/debian-10-standard_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; +pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/"$LXC_TEMPLATE_VERSION"_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; sleep 2; # Check vlan configuration -if [[ $LXC_VLAN != "" ]];then - VLAN=",tag=$LXC_VLAN" -else - VLAN="" -fi +if [[ $LXC_VLAN != "" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi # Reconfigure conatiner pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING; if [ $LXC_DHCP == true ]; then 
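Review bot: The template filename is still assembled as `"$LXC_TEMPLATE_VERSION"_$DEB_REP\_amd64.tar.gz` in the `pveam download` line while every new `constants-service.conf` switches `LXC_TEMPLATE_VERSION` to `debian-11-standard`; as far as I know the Debian 11 templates in the PVE repository are published as `.tar.zst`, so the download (and the matching `pct create` path in the next hunk) would look for a file that does not exist. Rather than reconstructing the name, take it verbatim from `pveam available`, e.g. `TEMPLATE=$(pveam available --section system | awk -v v="$LXC_TEMPLATE_VERSION" '$2 ~ "^"v"_" {print $2}' | sort -V | tail -1)` and use `$TEMPLATE` in both places. The two new echo lines reference `$DEP_REP`, which is never assigned (typo for `DEB_REP`), so the version prints empty. `[ $ctid -gt 99 ]` also assumes `-i` was given an integer — a non-numeric value produces an "integer expression expected" error and silently falls through to auto-detection, so validate it (`[[ "$ctid" =~ ^[0-9]+$ ]]`) before use.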
@@ -124,23 +144,22 @@ PS3="Select the Server-Function: " pct start $LXC_NBR; sleep 5; # Set the root password and key -echo "Setting root password" echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd; -echo "Creating /root/.ssh" lxc-attach -n$LXC_NBR mkdir /root/.ssh; -echo "Copying authorized_keys" pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys -echo "Copying sources.list" -pct push $LXC_NBR ./sources.list /etc/apt/sources.list -echo "Copying zamba.conf" -pct push $LXC_NBR ./zamba.conf /root/zamba.conf -echo "Copying install script" -pct push $LXC_NBR ./$opt.sh /root/$opt.sh -echo "Install '$opt'!" -lxc-attach -n$LXC_NBR bash /root/$opt.sh +pct push $LXC_NBR $config /root/zamba.conf +pct push $LXC_NBR $PWD/src/constants.conf /root/constants.conf +pct push $LXC_NBR $PWD/src/lxc-base.sh /root/lxc-base.sh +pct push $LXC_NBR $PWD/src/$service/install-service.sh /root/install-service.sh +pct push $LXC_NBR $PWD/src/$service/constants-service.conf /root/constants-service.conf -if [[ $opt == "zmb-ad" ]]; then +echo "Installing basic container setup..." +lxc-attach -n$LXC_NBR bash /root/lxc-base.sh +echo "Install '$service'!" +lxc-attach -n$LXC_NBR bash /root/install-service.sh + +if [[ $service == "zmb-ad" ]]; then pct stop $LXC_NBR pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1) pct start $LXC_NBR -fi +fi \ No newline at end of file diff --git a/new-config.py b/new-config.py new file mode 100755 index 0000000..48b8af8 --- /dev/null +++ b/new-config.py 
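Review bot: `pct push $LXC_NBR $config /root/zamba.conf` copies the full config — root password, `ZMB_ADMIN_PASS`, `CMK_ADMIN_PW` — into the container and nothing removes it afterwards, so every provisioned container keeps its deployment secrets on disk indefinitely; unless `--perms 0600` is passed, the file mode is whatever `pct push` defaults to. If no later in-container step needs it, follow the service install with `pct exec "$LXC_NBR" -- shred -u /root/zamba.conf /root/constants-service.conf`, or at least push it with `--perms 0600`. Neither `lxc-attach -n$LXC_NBR bash /root/lxc-base.sh` nor the `install-service.sh` call checks its exit status, so a failed base setup is followed by the service install and, for `zmb-ad`, by the nameserver switch, leaving a half-configured container that looks finished; `lxc-attach -n"$LXC_NBR" bash /root/lxc-base.sh || { echo "base setup failed" >&2; exit 1; }` for each step would stop that. `$config` is also unquoted here and in `source $config`, so a path with spaces breaks both.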
@@ -0,0 +1,136 @@ +#!/usr/bin/python3 +import os +from src import config_base, menu + +# Check installation of zfs-auto-snapshot, if not installed, just notify user +config_base.check_zfs_autosnapshot() + +cfg = {} +# set template storage +t_storages = config_base.get_pve_storages(content=config_base.PveStorageContent.vztmpl) +if len(t_storages.keys()) > 1: + t_stors={} + for st in t_storages.keys(): + t_stors[st] = f"driver: {t_storages[st]['driver']}\tfree space: {int(t_storages[st]['available'])/1024/1024:.2f} GB" + cfg['LXC_TEMPLATE_STORAGE'] = menu.radiolist("Select container template storage", "Please choose the storage, where your container templates are stored.", t_stors) +elif len(t_storages.keys()) == 1: + cfg['LXC_TEMPLATE_STORAGE'] = next(iter(t_storages)) +else: + print("Could not find any storage enabled for container templates. Please ensure your storages are configured properly.") + os._exit(1) + +# get zmb service +cfg['ZMB_SERVICE'] = menu.radiolist("Select service","Please choose the service to install:", config_base.get_zmb_services()) + +# get static ct features +ct_features = config_base.get_ct_features(cfg["ZMB_SERVICE"]) +cfg['LXC_UNPRIVILEGED'] = ct_features['unprivileged'] +# get ct id +cfg['LXC_NBR'] = menu.question("Container ID", f"Please select an ID for the {cfg['ZMB_SERVICE']} container.", menu.qType.Integer, config_base.get_ct_id(), config_base.validate_ct_id) + +# configure rootfs +r_storages = config_base.get_pve_storages(driver=config_base.PveStorageType.zfspool,content=config_base.PveStorageContent.rootdir) +if len(r_storages.keys()) > 1: + r_stors = {} + for st in r_storages.keys(): + r_stors[st] = f"driver: {r_storages[st]['driver']}\tfree space: {int(r_storages[st]['available'])/1024/1024:.2f} GB" + cfg['LXC_ROOTFS_STORAGE'] = menu.radiolist("Select rootfs storage", "Please choose the storage for your container's rootfs",r_stors) +elif len(r_storages.keys()) == 1: + cfg['LXC_ROOTFS_STORAGE'] = next(iter(r_storages)) +else: + 
print("Could not find any storage enabled for container filesystems. Please ensure your storages are configured properly.") + os._exit(1) + +cfg['LXC_ROOTFS_SIZE'] = menu.question("Set rootfs size","Please type in the desired rootfs size (GB)", menu.qType.Integer,32) + +# create additional mountpoints +if 'size' in ct_features['sharefs'].keys(): + f_storages = config_base.get_pve_storages(driver=config_base.PveStorageType.zfspool,content=config_base.PveStorageContent.rootdir) + if len(f_storages.keys()) > 1: + f_stors = {} + for st in f_storages.keys(): + f_stors[st] = f"driver: {f_storages[st]['driver']}\tfree space: {int(f_storages[st]['available'])/1024/1024:.2f} GB" + cfg['LXC_SHAREFS_STORAGE'] = menu.radiolist("Select sharefs storage", "Please choose the storage of your shared filesystem", f_stors) + elif len(r_storages.keys()) == 1: + cfg['LXC_SHAREFS_STORAGE'] = next(iter(f_storages)) + else: + print("Could not find any storage enabled for container filesystems. Please ensure your storages are configured properly.") + os._exit(1) + cfg['LXC_SHAREFS_SIZE'] = menu.question("Select sharefs size","Please type in the desired size (GB) of your shared filesystem", menu.qType.Integer,ct_features['sharefs']['size']) + cfg['LXC_SHAREFS_MOUNTPOINT'] = menu.question("Select sharefs mountpoint","Please type in the folder where to mount your shared filesystem inside the container.", menu.qType.String,ct_features['sharefs']['mountpoint']) + +# configure ram and swap +cfg['LXC_MEM'] = menu.question("Set container RAM", "Please type in the desired amount of RAM for the container (MB)",menu.qType.Integer,ct_features["mem"]) +cfg['LXC_SWAP'] = menu.question("Set container Swap", "Please type in the desired amount of Swap for the container (MB)",menu.qType.Integer,ct_features["swap"]) +cfg['LXC_HOSTNAME'] = menu.question("Set container Hostname", "Please type in the desired hostname of the container",menu.qType.String,ct_features['hostname']) +cfg['LXC_DOMAIN'] = 
menu.question("Set container search domain", "Please type in the search domain of your network.", menu.qType.String,ct_features['domain']) +cfg['LXC_TIMEZONE'] = 'host' # TODO +cfg['LXC_LOCALE'] = "de_DE.utf8" # TODO + +# get pve bridge +bridges = config_base.get_pve_bridges() +if len(bridges) > 1: + cfg['LXC_BRIDGE'] = menu.radiolist("Select PVE Network Bridge", f"Please select the network bridge to connect the {cfg['ZMB_SERVICE']} container",bridges) +elif len(bridges) == 1: + cfg['LXC_BRIDGE'] = bridges[0] +else: + print("Could not find any bridge device to connect container. Please ensure your networksettings are configured properly.") + os._exit(1) + +cfg['LXC_VLAN'] = menu.question("Set vlan tag", "You you want to tag your container's network to a vlan? (0 = untagged, 1 - 4094 = tagged vlan id)",menu.qType.Integer,0, config_base.validate_vlan) + +# configure network interface +if cfg['ZMB_SERVICE'] != 'zmb-ad': + enable_dhcp = menu.question("Set network mode", "Do you want to configure the network interface in dhcp mode?",menu.qType.Boolean,default=True) +else: + enable_dhcp = False +if enable_dhcp == True: + cfg["LXC_NET_MODE"] = 'dhcp' +else: + cfg["LXC_NET_MODE"] = 'static' + cfg["LXC_IP"] = menu.question("Set interface IP Addess", "Pleace type in the containers IP address (CIDR Format).",menu.qType.String,default='10.10.10.10/8') + cfg["LXC_GW"] = menu.question("Set interface default gateway", "Pleace type in the containers default gateway.",menu.qType.String,default='10.10.10.1') +cfg['LXC_DNS'] = menu.question("Set containers dns server", "Pleace type in the containers dns server. 
ZMB AD will use this as dns forwarder",menu.qType.String,default='10.10.10.1') + +cfg['LXC_PWD'] = menu.question("Set root password", "Please type in the containers root password", menu.qType.String,default='') +cfg['LXC_AUTHORIZED_KEY'] = menu.question ("Set authorized_keys file to import", "Please select authorized_keys file to import.", menu.qType.String, default='~/.ssh/authorized_keys') + +os.system('clear') +print (f"#### Zamba LXC Toolbox ####\n") +print (f"GLOBAL CONFIGURATION:") +print (f"\tct template storage:\t{cfg['LXC_TEMPLATE_STORAGE']}") +print (f"\nCONTAINER CONFIGURATION:") +print (f"\tzmb service:\t\t{cfg['ZMB_SERVICE']}") +print (f"\tcontainer id:\t\t{cfg['LXC_NBR']}") +print (f"\tunprivileged:\t\t{cfg['LXC_UNPRIVILEGED']}") +for feature in ct_features['features'].keys(): + if feature == 'nesting': + cfg['LXC_NESTING'] = ct_features['features'][feature] + print (f"\t{feature}:\t\t{cfg['LXC_NESTING']}") +print (f"\tcontainer memory:\t{cfg['LXC_MEM']} MB") +print (f"\tcontainer swap:\t\t{cfg['LXC_SWAP']} MB") +print (f"\tcontainer hostname:\t{cfg['LXC_HOSTNAME']}") +print (f"\tct search domain:\t{cfg['LXC_DOMAIN']}") +print (f"\tcontainer timezone\t{cfg['LXC_TIMEZONE']}") +print (f"\tcontainer language\t{cfg['LXC_LOCALE']}") +print (f"\nSTORAGE CONFIGURATION:") +print (f"\trootfs storage:\t\t{cfg['LXC_ROOTFS_STORAGE']}") +print (f"\trootfs size:\t\t{cfg['LXC_ROOTFS_SIZE']} GB") +if 'size' in ct_features['sharefs'].keys(): + print (f"\tsharefs storage:\t{cfg['LXC_SHAREFS_STORAGE']}") + print (f"\tsharefs size:\t\t{cfg['LXC_SHAREFS_SIZE']} GB") + print (f"\tsharefs mountpoint:\t{cfg['LXC_SHAREFS_MOUNTPOINT']}") +print (f"\nNETWORK CONFIGURATION:") +print (f"\tpve bridge:\t\t{cfg['LXC_BRIDGE']}") +if cfg['LXC_VLAN'] > 0: + print (f"\tcontainer vlan:\t\t{cfg['LXC_VLAN']}") +else: + print (f"\tcontainer vlan:\t\tuntagged") +print (f"\tnetwork mode:\t\t{cfg['LXC_NET_MODE']}") +if enable_dhcp == False: + print (f"\tip address (CIDR):\t{cfg['LXC_IP']}") + 
print (f"\tdefault gateway:\t{cfg['LXC_GW']}") + print (f"\tdns server / forwarder:\t{cfg['LXC_GW']}") +print (f"\nCONTAINER CREDENTIALS:") +print (f"\troot password:\t\t{cfg['LXC_PWD']}") +print (f"\tauthorized ssh keys:\t{cfg['LXC_AUTHORIZED_KEY']}") \ No newline at end of file diff --git a/proxmox.conf b/proxmox.conf new file mode 100644 index 0000000..13e26f3 --- /dev/null +++ b/proxmox.conf @@ -0,0 +1 @@ +HOST_LOCALE=de_DE.UTF-8 diff --git a/src/__init__.py b/src/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/src/checkmk/constants-service.conf b/src/checkmk/constants-service.conf new file mode 100644 index 0000000..f14becb --- /dev/null +++ b/src/checkmk/constants-service.conf @@ -0,0 +1,25 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# checkmk version +CMK_VERSION=2.0.0p4 +# build number of the debian package (needs to start with underscore) +CMK_BUILD=_0 \ No newline at end of file diff --git a/src/checkmk/install-service.sh b/src/checkmk/install-service.sh new file mode 100644 index 0000000..25ab743 --- /dev/null +++ b/src/checkmk/install-service.sh 
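Review bot: The summary line labelled `dns server / forwarder` prints `cfg['LXC_GW']` instead of `cfg['LXC_DNS']`, and it sits inside `if enable_dhcp == False:` although `LXC_DNS` is asked unconditionally, so in DHCP mode the chosen DNS server is never shown and in static mode the gateway is shown twice; move it out of the `if` as `print (f"\tdns server / forwarder:\t{cfg['LXC_DNS']}")`. The root password is echoed in plaintext under CONTAINER CREDENTIALS and `default=''` lets an empty value through — mask it (`'*' * len(cfg['LXC_PWD'])`) and reject an empty password unless an authorized_keys file was given. In the sharefs block, `elif len(r_storages.keys()) == 1:` tests the wrong dictionary (`f_storages` was just built); it happens to work only because both queries use identical filters today. `cfg['LXC_VLAN']` defaults to `0` but `validate_vlan` only accepts 1–4094, so whether the default survives validation depends on `menu.question`, which is not in this diff — worth confirming.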
@@ -0,0 +1,37 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/zamba.conf +source /root/constants-service.conf + +wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.buster_amd64.deb +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.buster_amd64.deb + +omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE + +cat << EOF > /etc/apache2/sites-available/000-default.conf + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L] + +EOF + +a2enmod ssl +a2enmod rewrite +a2ensite default-ssl + +systemctl restart apache2.service + +omd start $CMK_INSTANCE + +# install matrix notification plugin +su - $CMK_INSTANCE +cd ~/local/share/check_mk/notifications/ +wget https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py +chmod +x ./matrix.py +exit \ No newline at end of file diff --git a/src/config_base.py b/src/config_base.py new file mode 100644 index 0000000..1d5cb07 --- /dev/null +++ b/src/config_base.py 
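Review bot: `su - $CMK_INSTANCE` on a line of its own does not make the following lines run as the site user — bash keeps reading the script, while `su` opens an interactive shell on the script's stdin and blocks; once that shell exits, `cd ~/local/share/check_mk/notifications/` runs as root against root's home and fails, `wget` drops `matrix.py` into root's cwd, and the final `exit` ends the script. Wrap the plugin install in a single `su -c` invocation (below). Both downloads are installed without any integrity check: the `.deb` from download.checkmk.com is not verified against checkmk's published GPG signature, and `matrix.py` is fetched from a moving `master` branch and made executable inside the monitoring site — pin it to a commit and verify a checksum. The package name is hard-coded to `.buster_amd64.deb` while `constants-service.conf` selects a `debian-11-standard` template, and `omd create --admin-password $CMK_ADMIN_PW` exposes the password in the process list for the duration of the command.

```shell
omd start $CMK_INSTANCE

# install matrix notification plugin as the site user in one shell; a bare
# `su -` would block on stdin and the remaining lines would run as root
su - "$CMK_INSTANCE" -c '
  cd ~/local/share/check_mk/notifications/ || exit 1
  wget -O matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py || exit 1
  chmod +x ./matrix.py
'
```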
@@ -0,0 +1,121 @@ +#!/usr/bin/python3 +from pathlib import Path +import os +import ipaddress +import socket +import json +import subprocess +from enum import Enum + +def check_zfs_autosnapshot(): + proc = subprocess.Popen(["dpkg","-l","zfs-auto-snapshot"],stdout=subprocess.PIPE,stderr=subprocess.PIPE) + proc.communicate() + if proc.returncode > 0: + print ("'zfs-auto-snapshot' is NOT installed on your system. This ist required for 'previous versions' feature in Zamba containers.\nYou can install it with the following command:\n\tapt install zfs-auto-snapshot\n") + input ("Press Enter to continue...") + +# get_pve_bridges queries and returns availabe Proxmox bridges +def get_pve_bridges(): + pve_bridges=[] + ifaces=os.listdir(os.path.join("/","sys","class","net")) + for iface in ifaces: + if "vmbr" in iface: + pve_bridges.append(iface) + return pve_bridges + +# get_pve_storages queries and returns available Proxmox bridges +def get_pve_storages(driver=None,content=None): + pve_storages={} + cmd = ["pvesm","status","--enabled","1"] + if content != None: + cmd.extend(["--content",content.name]) + result = subprocess.Popen(cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE).communicate() + stdout = result[0].decode("utf-8").split('\n') + for line in filter(lambda x: len(x)>0, stdout): + if not "Status" in line: + item = [x for x in line.split(' ') if x.strip()] + storage = {} + storage["driver"] = item[1] + storage["status"] = item[2] + storage["total"] = item[3] + storage["used"] = item[4] + storage["available"] = item[5] + storage["percent_used"] = item[6] + + if driver == None: + pve_storages[item[0]] = storage + else: + if driver.name == storage["driver"]: + pve_storages[item[0]] = storage + + return pve_storages + +# get_zmb_services queries and returns available Zamba services +def get_zmb_services(): + zmb_services={} + for item in Path.iterdir(Path.joinpath(Path.cwd(),"src")): + if Path.is_dir(item) and "__" not in item.name: + with open(os.path.join(item._str, 
"info"),"r") as info: + description = info.read() + zmb_services[item.name] = description + return zmb_services + +# get_ct_id queries and returns the next available container id +def get_ct_id(base="ct"): + with open("/etc/pve/.vmlist","r") as v: + vmlist_json = json.loads(v.read()) + ct_id = 100 + for cid in vmlist_json["ids"].keys(): + if int(cid) > ct_id and base == "ct" and vmlist_json["ids"][cid]["type"] == "lxc": + ct_id = int(cid) + elif int(cid) > ct_id and base == "all": + ct_id = int(cid) + while True: + ct_id = ct_id + 1 + if ct_id not in vmlist_json["ids"].keys(): + break + return ct_id + +# validate_ct_id queries if ct_id is available and returns as boolean +def validate_ct_id(ct_id:int): + with open("/etc/pve/.vmlist","r") as v: + vmlist_json = json.loads(v.read()) + ct_id = str(ct_id) + if int(ct_id) >= 100 and int(ct_id) <= 999999999 and ct_id not in vmlist_json["ids"].keys(): + return True + else: + return False + +def validate_vlan(tag:int): + if int(tag) >= 1 and int(tag) <= 4094: + return True + else: + return False + +def get_ct_features(zmb_service): + with open(Path.joinpath(Path.cwd(),"src",zmb_service,"features.json")) as ff: + return json.loads(ff.read()) + + +class PveStorageContent(Enum): + images = 0 + rootdir = 1 + vztmpl = 2 + backup = 3 + iso = 4 + snippets = 5 + +class PveStorageType(Enum): + zfspool = 0 + dir = 1 + nfs = 2 + cifs = 3 + pbs = 4 + glusterfs = 5 + cephfs = 6 + lvm = 7 + lvmthin = 8 + iscsi = 9 + iscsidirect = 10 + rbd = 11 + zfs = 12 \ No newline at end of file diff --git a/src/constants.conf b/src/constants.conf new file mode 100644 index 0000000..bc1838c --- /dev/null +++ b/src/constants.conf 
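Review bot: In `get_ct_id` the `while` loop compares the integer `ct_id` against the string keys of `vmlist_json["ids"]`, so `ct_id not in vmlist_json["ids"].keys()` is always true and the loop exits after one increment; with the default `base="ct"` only LXC ids were considered, so the function returns "highest LXC id + 1" even when a VM already occupies that id — exactly the case the loop was meant to skip. `validate_ct_id` gets this right by converting first; do the same here: `if str(ct_id) not in vmlist_json["ids"]: break`. `get_zmb_services` reads `item._str`, a private attribute of `pathlib.Path` with no stability guarantee; `os.path.join(str(item), "info")` or `item / "info"` is the supported form. `get_pve_bridges` matches with `"vmbr" in iface`, which would also list VLAN sub-interfaces such as `vmbr0.100` as bridges; `iface.startswith("vmbr") and "." not in iface` is closer to the intent.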
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on container level
+
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common"
\ No newline at end of file
diff --git a/src/debian-priv/constants-service.conf b/src/debian-priv/constants-service.conf
new file mode 100644
index 0000000..1f764d7
--- /dev/null
+++ b/src/debian-priv/constants-service.conf
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
\ No newline at end of file
diff --git a/src/debian-priv/features.json b/src/debian-priv/features.json
new file mode 100644
index 0000000..100b62c
--- /dev/null
+++ b/src/debian-priv/features.json
@@ -0,0 +1,9 @@
+{
+ "unprivileged": 0,
+ "features": {},
+ "sharefs": {},
+ "mem": 1024,
+ "swap": 1024,
+ "hostname": "debian",
+ "domain": "zmb.rocks"
+}
\ No newline at end of file
diff --git a/src/debian-priv/info b/src/debian-priv/info
new file mode 100644
index 0000000..7490252
--- /dev/null
+++ b/src/debian-priv/info
@@ -0,0 +1 @@
+Debian privileged container with basic tools
\ No newline at end of file
diff --git a/src/debian-priv/install-service.sh b/src/debian-priv/install-service.sh
new file mode 100644
index 0000000..6b6b19e
--- /dev/null
+++ b/src/debian-priv/install-service.sh
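Review bot: The container's privilege and nesting settings are now declared in two places — `LXC_UNPRIVILEGED`/`LXC_NESTING` in `constants-service.conf` and `"unprivileged"`/`"features"` in `features.json` — and for `debian-priv` they already disagree: the conf sets `LXC_NESTING="1"` while `features.json` has `"features": {}`. Which of the two the container creation honours is not visible in this commit, but a privileged container with nesting enabled is a security-relevant choice, so either one file should be the single source of truth or each should carry a comment such as `# container creation reads features.json; this value is informational only` (whichever is true). The same duplicated pair appears for `debian-unpriv`, `mailpiler` and `matrix` in the following hunks.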
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+echo "'debian-priv' is ready to use!"
\ No newline at end of file
diff --git a/src/debian-unpriv/constants-service.conf b/src/debian-unpriv/constants-service.conf
new file mode 100644
index 0000000..4f5ef36
--- /dev/null
+++ b/src/debian-unpriv/constants-service.conf
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
\ No newline at end of file
diff --git a/src/debian-unpriv/features.json b/src/debian-unpriv/features.json
new file mode 100644
index 0000000..cc1cdec
--- /dev/null
+++ b/src/debian-unpriv/features.json
@@ -0,0 +1,11 @@
+{
+ "unprivileged": 1,
+ "features": {
+ "nesting": 1
+ },
+ "sharefs": {},
+ "mem": 1024,
+ "swap": 1024,
+ "hostname": "debian",
+ "domain": "zmb.rocks"
+}
\ No newline at end of file
diff --git a/src/debian-unpriv/info b/src/debian-unpriv/info
new file mode 100644
index 0000000..c1edd70
--- /dev/null
+++ b/src/debian-unpriv/info
@@ -0,0 +1 @@
+Debian unprivileged container with basic tools
\ No newline at end of file
diff --git a/src/debian-unpriv/install-service.sh b/src/debian-unpriv/install-service.sh
new file mode 100644
index 0000000..4fe3d01
--- /dev/null
+++ b/src/debian-unpriv/install-service.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+echo "'debian-unpriv' is ready to use!"
\ No newline at end of file
diff --git a/src/lxc-base.sh b/src/lxc-base.sh
new file mode 100644
index 0000000..b89d820
--- /dev/null
+++ b/src/lxc-base.sh
@@ -0,0 +1,66 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# load configuration +echo "Loading configuration..." +source /root/zamba.conf +source /root/constants.conf +source /root/constants-service.conf + +echo "Updating locales" +# update locales +sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen +cat << EOF > /etc/default/locale +LANG="$LXC_LOCALE" +LANGUAGE=$LXC_LOCALE +EOF +locale-gen $LXC_LOCALE + +# Generate sources +if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then + +cat << EOF > /etc/apt/sources.list +deb http://ftp.de.debian.org/debian bullseye main contrib + +deb http://ftp.de.debian.org/debian bullseye-updates main contrib + +# security updates +deb http://security.debian.org bullseye-security main contrib +EOF + +elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then + +cat << EOF > /etc/apt/sources.list +deb http://ftp.de.debian.org/debian buster main contrib + +deb http://ftp.de.debian.org/debian buster-updates main contrib + +# security updates +deb http://security.debian.org buster/updates main contrib +EOF +else echo "LXC Debian Version false. Please check configuration files!" ; exit +fi + +# update package lists +echo "Updating package database..." +apt --allow-releaseinfo-change update + +# install latest packages +echo "Installing latest updates" +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade + +# install toolset +echo "Installing preconfigured toolset..." +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET_BASE $LXC_TOOLSET + +echo "Enabling vim syntax highlighting..." 
+sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc +if [ $LXC_VIM_BG_DARK -gt 0 ]; then + sed -i "s|\"set background=dark|set background=dark|g" /etc/vim/vimrc +fi + +echo "Basic container setup finished, continuing with service installation..." \ No newline at end of file diff --git a/src/mailpiler/constants-service.conf b/src/mailpiler/constants-service.conf new file mode 100644 index 0000000..f70dc46 --- /dev/null +++ b/src/mailpiler/constants-service.conf @@ -0,0 +1,27 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-10-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest') +PILER_VERSION="latest" +# Defines the version of sphinx to install +PILER_SPHINX_VERSION="3.3.1" +# Defines the php version to install +PILER_PHP_VERSION="7.4" \ No newline at end of file diff --git a/src/mailpiler/features.json b/src/mailpiler/features.json new file mode 100644 index 0000000..5a478f9 --- /dev/null +++ b/src/mailpiler/features.json @@ -0,0 +1,11 @@ +{ + "unprivileged": 1, + "features": { + "nesting": 1 + }, + "sharefs": {}, + "mem": 1024, + "swap": 1024, + "hostname": "piler", + "domain": "zmb.rocks" +} \ No newline at end of file diff --git a/src/mailpiler/info b/src/mailpiler/info new file mode 100644 index 0000000..e396db9 --- /dev/null +++ b/src/mailpiler/info @@ -0,0 +1 @@ +Mailpiler email archive \ No newline at end of file diff --git a/src/mailpiler/install-service.sh b/src/mailpiler/install-service.sh new file mode 100644 index 0000000..e557b5d --- /dev/null 
+++ b/src/mailpiler/install-service.sh 
@@ -0,0 +1,186 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/zamba.conf +source /root/constants-service.conf + +HOSTNAME=$(hostname -f) + +echo "Ensure your Hostname is set to your Piler FQDN!" + +echo $HOSTNAME + +if + [ "$HOSTNAME" != "$PILER_FQDN" ] +then + echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit +else + echo "Hostname matches $PILER_FQDN, so starting installation." +fi + +# install php +wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add - +echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list + +apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc' +add-apt-repository 'deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian buster main' + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \ +unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \ +mariadb-server default-libmysqlclient-dev python-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \ +php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip} + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix + +cat > /etc/mysql/conf.d/mailpiler.conf <> /usr/local/etc/piler/config-site.php < +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-10-standard" + +# Create sharefs mountpoint +LXC_MP="0" + 
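Review bot: The hostname check exits with status 0 on mismatch (`echo "Hostname doesn't match ..." && exit`), so a driver running this script cannot detect that nothing was installed; it needs `exit 1`. Both third-party repositories are trusted through `apt-key add -` and `apt-key adv --fetch-keys`, which makes the sury and MariaDB keys acceptable signers for every configured repository including the Debian ones; the matrix script in this same commit already does this the narrower way with a keyring file and `[signed-by=...]`, and this script (and `nextcloud/install-service.sh`, which has the same pattern three times) should match it. The part of this hunk between the package installation and the `config-site.php` heredoc is not legible in this view, so the remainder of the script could not be reviewed.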
+# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Define the version of Element Web +MATRIX_ELEMENT_VERSION="v1.7.25" diff --git a/src/matrix/features.json b/src/matrix/features.json new file mode 100644 index 0000000..6798cc8 --- /dev/null +++ b/src/matrix/features.json @@ -0,0 +1,9 @@ +{ + "unprivileged": 1, + "features": {}, + "sharefs": {}, + "mem": 1024, + "swap": 1024, + "hostname": "matrix", + "domain": "zmb.rocks" +} \ No newline at end of file diff --git a/src/matrix/info b/src/matrix/info new file mode 100644 index 0000000..174eaa0 --- /dev/null +++ b/src/matrix/info @@ -0,0 +1 @@ +Matrix Synapse server with Element Web \ No newline at end of file diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh new file mode 100644 index 0000000..80d5fff --- /dev/null +++ b/src/matrix/install-service.sh 
@@ -0,0 +1,154 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/zamba.conf +source /root/constants-service.conf + +MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) + +ELE_DBNAME="synapse_db" +ELE_DBUSER="synapse_user" +ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2 + +wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3 +systemctl enable matrix-synapse + +ss -tulpen + +mkdir /etc/nginx/ssl +openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN" + +cat > /etc/nginx/sites-available/$MATRIX_FQDN < /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN <|registration_shared_secret: \"$MRX_PKE\"|" /etc/matrix-synapse/homeserver.yaml +sed -i "s|#public_baseurl: https://example.com/|public_baseurl: https://$MATRIX_FQDN/|" /etc/matrix-synapse/homeserver.yaml +sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-synapse/homeserver.yaml +sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml +sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n user: $ELE_DBUSER\n password: $ELE_DBPASS\n host: 127.0.0.1\n cp_min: 5\n cp_max: 10|" /etc/matrix-synapse/homeserver.yaml + +systemctl restart matrix-synapse 
+ +register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008 + +#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg' +#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null + +#apt update +#apt install -y jitsi-meet + + + diff --git a/src/menu.py b/src/menu.py new file mode 100644 index 0000000..62af1e0 --- /dev/null +++ b/src/menu.py 
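Review bot: `sed -i "s|#enable_registration: false|enable_registration: true|"` turns on open account registration for the homeserver, and nothing visible in the hunk adds a CAPTCHA, e-mail verification or registration-token requirement, so anyone who can reach `$MATRIX_FQDN` can create accounts. The admin account is created right below with `register_new_matrix_user` using the `registration_shared_secret` this script already sets, so the open-registration line can be dropped (or made opt-in via a config variable) without losing anything. `ss -tulpen` looks like leftover debugging output, and `mkdir /etc/nginx/ssl` should be `mkdir -p` so a re-run does not fail there.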
@@ -0,0 +1,73 @@ +#!/usr/bin/python3 +from enum import Enum +from . import config_base + +def radiolist(title:str,question:str,choices): + invalid_input=True + while(invalid_input): + print(f"#### {title} ####\n") + print(question) + index = {} + counter = 1 + if isinstance(choices,dict): + for choice in choices.keys(): + if len(choice) <= 12: + sep="\t\t" + else: + sep="\t" + print(f"{counter}) {choice}{sep}{choices[choice]}") + index[str(counter)] = choice + counter = counter + 1 + elif isinstance(choices,list): + for choice in choices: + print(f"{counter}) {choice}") + index[str(counter)] = choice + counter = counter + 1 + else: + print (f"object 'choices': {type(choices)} objects are unsupported.") + selected = input("Type in number: ") + if selected in index.keys(): + print("\n") + return index[selected] + +def question(title:str,q:str,returntype, default, validation=None): + print(f"#### {title} ####\n") + if str(returntype.name) == "Boolean": + if default == True: + suggest = "Y/n" + else: + suggest = "y/N" + a = input(f"{q} [{suggest}]\n") + if "y" in str(a).lower(): + return True + elif "n" in str(a).lower(): + return False + else: + return default + elif str(returntype.name) == "Integer": + invalid_input = True + while(invalid_input): + a = input(f"{q} [{default}]\n") + if str(a) == "" or f"{str(default)}" == str(a): + return default + else: + try: + valid = validation(int(a)) + if valid: + return int(a) + except: + pass + else: + a = input(f"{q} [{default}]\n") + if a == '': + return default + else: + return a + + +class qType(Enum): + Boolean = 0 + Integer = 1 + String = 2 + IPAdress = 3 + CIDR = 4 \ No newline at end of file diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf new file mode 100644 index 0000000..ad9bf6d --- /dev/null +++ b/src/nextcloud/constants-service.conf 
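Review bot: In `question`, the `Integer` branch calls `validation(int(a))` inside a bare `except: pass`, so when the caller leaves `validation` at its default `None` (or types a non-numeric value) the `TypeError`/`ValueError` is swallowed and the loop re-prompts forever without a message; catch only `ValueError` and treat a missing validator as accept-all, `valid = validation(int(a)) if validation else True`. The `Boolean` branch's `if "y" in str(a).lower()` is a substring test, so answers like `any` or `ny` count as yes; compare the stripped answer against `("y", "yes")` instead. `radiolist` likewise never clears `invalid_input`, so an unsupported `choices` type prints the error and re-prompts indefinitely; raising `TypeError` there is clearer.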
@@ -0,0 +1,41 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-10-standard" + +# Create sharefs mountpoint +LXC_MP="1" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest') +NEXTCLOUD_VERSION="latest" + +# Defines the php version to install +NEXTCLOUD_PHP_VERSION="8.0" + +# Defines the IP from the SQL server +NEXTCLOUD_DB_IP="127.0.0.1" + +# Defines the PORT from the SQL server +NEXTCLOUD_DB_PORT="5432" + +# Defines the name from the SQL database +NEXTCLOUD_DB_NAME="nextcloud_db" + +# Defines the name from the SQL user +NEXTCLOUD_DB_USR="nextcloud" + +# Build a strong password for the SQL user - could be overwritten with something fixed +NEXTCLOUD_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh new file mode 100644 index 0000000..870263c --- /dev/null +++ b/src/nextcloud/install-service.sh 
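Review bot: The comment above `NEXTCLOUD_VERSION` was copied from the mailpiler constants and still talks about the "piler mail archive"; it should read `# Defines the version number of Nextcloud to install (exact version number or 'latest')`. `NEXTCLOUD_DB_PWD` is regenerated every time this file is sourced, so any second `source` of it during an installation would produce a different password from the one the database user was created with; a comment such as `# generated once per source; this file must be sourced exactly once per installation` makes that constraint visible to the next maintainer.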
@@ -0,0 +1,417 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/zamba.conf +source /root/constants-service.conf + +HOSTNAME=$(hostname -f) + +wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - +echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list + +wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add - +echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list + +wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - +echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils nfs-common cifs-utils redis-server imagemagick \ +postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline} + +timedatectl set-timezone Europe/Berlin +mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www +chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www + +#### Create database for nextcloud #### + +su - postgres < /etc/nginx/nginx.conf < /etc/nginx/conf.d/http.conf << EOF +upstream php-handler { +server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock; +} +server { +listen 80 default_server; +listen [::]:80 default_server; +server_name $NEXTCLOUD_FQDN; +root /var/www; +location / { +return 301 https://\$host\$request_uri; +} +} +EOF + +cat > /etc/nginx/conf.d/nextcloud.conf << EOF +server { +listen 443 ssl http2; +listen [::]:443 ssl http2; +server_name 
$NEXTCLOUD_FQDN; +ssl_certificate /etc/ssl/certs/nextcloud.crt; +ssl_certificate_key /etc/ssl/private/nextcloud.key; +ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt; +#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem; +#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem; +#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem; +#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem; +#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem; +ssl_dhparam /etc/ssl/certs/dhparam.pem; +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; +ssl_protocols TLSv1.3 TLSv1.2; +ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'; +ssl_ecdh_curve X448:secp521r1:secp384r1; +ssl_prefer_server_ciphers on; +ssl_stapling on; +ssl_stapling_verify on; +client_max_body_size 5120M; +fastcgi_buffers 64 4K; +gzip on; +gzip_vary on; +gzip_comp_level 4; +gzip_min_length 256; +gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; +gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; +add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; +add_header Permissions-Policy "interest-cohort=()"; +add_header Referrer-Policy "no-referrer" always; +add_header X-Content-Type-Options "nosniff" always; +add_header X-Download-Options "noopen" always; +add_header X-Frame-Options "SAMEORIGIN" always; +add_header X-Permitted-Cross-Domain-Policies 
"none" always; +add_header X-Robots-Tag "none" always; +add_header X-XSS-Protection "1; mode=block" always; +fastcgi_hide_header X-Powered-By; +fastcgi_read_timeout 3600; +fastcgi_send_timeout 3600; +fastcgi_connect_timeout 3600; +root /var/www/nextcloud; +index index.php index.html /index.php\$request_uri; +expires 1m; +location = / { +if ( \$http_user_agent ~ ^DavClnt ) { +return 302 /remote.php/webdav/\$is_args\$args; +} +} +location = /robots.txt { +allow all; +log_not_found off; +access_log off; +} +location ^~ /apps/rainloop/app/data { +deny all; +} +location ^~ /.well-known { +location = /.well-known/carddav { return 301 /remote.php/dav/; } +location = /.well-known/caldav { return 301 /remote.php/dav/; } +location ^~ /.well-known { return 301 /index.php/\$uri; } +try_files \$uri \$uri/ =404; +} +location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/) { return 404; } +location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } +location ~ \.php(?:\$|/) { +rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; +fastcgi_split_path_info ^(.+?\.php)(/.*)\$; +set \$path_info \$fastcgi_path_info; +try_files \$fastcgi_script_name =404; +include fastcgi_params; +fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; +fastcgi_param PATH_INFO \$path_info; +fastcgi_param HTTPS on; +fastcgi_param modHeadersAvailable true; +fastcgi_param front_controller_active true; +fastcgi_pass php-handler; +fastcgi_intercept_errors on; +fastcgi_request_buffering off; +} +location ~ \.(?:css|js|svg|gif)\$ { +try_files \$uri /index.php\$request_uri; +expires 6M; +access_log off; +} +location ~ \.woff2?\$ { +try_files \$uri /index.php\$request_uri; +expires 7d; +access_log off; +} +location / { +try_files \$uri \$uri/ /index.php\$request_uri; +} +} +EOF + +systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx + +#### Adjust redis settings 
#### + +cp /etc/redis/redis.conf /etc/redis/redis.conf.bak +sed -i "s/port 6379/port 0/" /etc/redis/redis.conf +sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf +sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf +sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf +usermod -aG redis www-data + +#### Adjust sysctl.conf settings #### + +cp /etc/sysctl.conf /etc/sysctl.conf.bak +echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf +systemctl restart redis + +#### HIER MÜSSTE EIN REBOOT REIN #### + + +#### Install nextcloud #### + +cd /usr/local/src + +wget https://download.nextcloud.com/server/releases/latest.tar.bz2 +wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5 + +md5sum -c latest.tar.bz2.md5 < latest.tar.bz2 + +tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2 + +cat > /root/permissions.sh << EOF +#!/bin/bash +find /var/www/ -type f -print0 | xargs -0 chmod 0640 +find /var/www/ -type d -print0 | xargs -0 chmod 0750 +chown -R www-data:www-data /var/www +chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA +chmod 0644 /var/www/nextcloud/.htaccess +chmod 0644 /var/www/nextcloud/.user.ini +exit 0 +EOF + +chmod +x /root/permissions.sh +/root/permissions.sh + +#### install fail2ban #### + +cat </etc/fail2ban/filter.d/nextcloud.conf +[Definition] +_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) +failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: + ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. +datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" 
+EOF + +cat > /etc/fail2ban/jail.d/nextcloud.local << EOF +[nextcloud] +backend = auto +enabled = true +port = 80,443 +protocol = tcp +filter = nextcloud +maxretry = 5 +bantime = 3600 +findtime = 36000 +logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log +EOF + +systemctl restart fail2ban + +#### Create configuration script for nextcloud, which will be executet as user www-data + +cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE + +#!/bin/bash + +php /var/www/nextcloud/occ maintenance:install --database pgsql \ +--database-host $NEXTCLOUD_DB_IP \ +--database-port $NEXTCLOUD_DB_PORT \ +--database-name $NEXTCLOUD_DB_NAME \ +--database-user $NEXTCLOUD_DB_USR \ +--database-pass $NEXTCLOUD_DB_PWD \ +--admin-user $NEXTCLOUD_ADMIN_USR \ +--admin-pass $NEXTCLOUD_ADMIN_PWD \ +--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA + +php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN +php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN + +cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak +sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php +sed -i '/);/d' /var/www/nextcloud/config/config.php + +cat >> /var/www/nextcloud/config/config.php << EOF +'activity_expire_days' => 14, +'auth.bruteforce.protection.enabled' => true, +'blacklisted_files' => +array ( +0 => '.htaccess', +1 => 'Thumbs.db', +2 => 'thumbs.db', +), +'cron_log' => true, +'default_phone_region' => 'DE', +'enable_previews' => true, +'enabledPreviewProviders' => +array ( +0 => 'OC\Preview\PNG', +1 => 'OC\Preview\JPEG', +2 => 'OC\Preview\GIF', +3 => 'OC\Preview\BMP', +4 => 'OC\Preview\XBitmap', +5 => 'OC\Preview\Movie', +6 => 'OC\Preview\PDF', +7 => 'OC\Preview\MP3', +8 => 'OC\Preview\TXT', +9 => 'OC\Preview\MarkDown', +), +'filesystem_check_changes' => 0, +'filelocking.enabled' => 'true', +'htaccess.RewriteBase' => '/', +'integrity.check.disabled' => false, 
+'knowledgebaseenabled' => false, +'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log', +'loglevel' => 2, +'logtimezone' => 'Europe/Berlin', +'log_rotate_size' => 104857600, +'maintenance' => false, +'memcache.local' => '\OC\Memcache\APCu', +'memcache.locking' => '\OC\Memcache\Redis', +'overwriteprotocol' => 'https', +'preview_max_x' => 1024, +'preview_max_y' => 768, +'preview_max_scale_factor' => 1, +'redis' => +array ( +'host' => '/var/run/redis/redis-server.sock', +'port' => 0, +'timeout' => 0.0, +), +'quota_include_external_storage' => false, +'share_folder' => '/Freigaben', +'skeletondirectory' => '', +'theme' => '', +'trashbin_retention_obligation' => 'auto, 7', +'updater.release.channel' => 'stable', +'trusted_proxies' => +array ( +'$NEXTCLOUD_REVPROX' +), +); +EOF + +sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini +php /var/www/nextcloud/occ app:disable survey_client +php /var/www/nextcloud/occ app:disable firstrunwizard +php /var/www/nextcloud/occ app:enable admin_audit +php /var/www/nextcloud/occ app:enable files_pdfviewer +php /var/www/nextcloud/occ background:cron +DFOE + +/root/permissions.sh + +su -s /bin/bash www-data < /dev/null 2>&1" > /etc/cron.d/nextcloud + +echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################" +systemctl stop nginx php$NEXTCLOUD_PHP_VERSION-fpm +systemctl restart postgresql php$NEXTCLOUD_PHP_VERSION-fpm redis-server nginx + +exit 0 diff --git a/src/onlyoffice/constants-service.conf b/src/onlyoffice/constants-service.conf new file mode 100644 index 0000000..bbaeda4 --- /dev/null +++ b/src/onlyoffice/constants-service.conf 
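Review bot: `md5sum -c latest.tar.bz2.md5 < latest.tar.bz2` gates nothing: `-c` reads the checksum list from the named file and ignores stdin, and with no `set -e` the following `tar -xjf` runs whether the check passed or not, so a truncated or tampered archive is unpacked into `/var/www` anyway; at minimum `md5sum -c latest.tar.bz2.md5 || exit 1`, and Nextcloud also publishes a detached GPG signature for the tarball that would verify origin rather than a digest served from the same host. Two further concrete defects: fail2ban's `logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log` does not match the `'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log'` written into config.php, so the jail never sees a failed login; and in the nginx heredoc the `rewrite ... /index.php$request_uri;` line lacks the backslash its neighbours use, so bash expands `$request_uri` to nothing when the file is written. The generated `config_nextcloud.sh`, which contains the database and admin passwords in clear text, is placed in the data directory and no removal of it is visible in this hunk.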
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+ONLYOFFICE_DB_HOST=localhost
+
+ONLYOFFICE_DB_NAME=onlyoffice
+
+ONLYOFFICE_DB_USER=onlyoffice
\ No newline at end of file
diff --git a/src/onlyoffice/install-service.sh b/src/onlyoffice/install-service.sh
new file mode 100644
index 0000000..7e81b7b
--- /dev/null
+++ b/src/onlyoffice/install-service.sh
@@ -0,0 +1,28 @@
+source /root/zamba.conf
+source /root/constants-service.conf
+ONLYOFFICE_DB_PASSWORD=$(source /root/postgresql.sh 13 $ONLYOFFICE_DB_NAME $ONLYOFFICE_DB_USER)
+source /root/rabbitmq-server.sh
+
+apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
+echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
+
+apt update
+
+echo onlyoffice-documentserver onlyoffice/ds-port select 80 | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-host string $ONLYOFFICE_DB_HOST | sudo debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | sudo debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | sudo debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASSWORD | debconf-set-selections
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver
+
+cat << EOF > /root/onlyoffice.credentials
+ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
+ONLYOFFICE_DB_NAME=$ONLYOFFICE_DB_NAME
+ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
+ONLYOFFICE_DB_PASSWORD=$ONLYOFFICE_DB_PASSWORD
+EOF
+
+/etc/nginx/conf.d/ds.conf
+cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
diff --git a/src/open3a/constants-service.conf b/src/open3a/constants-service.conf
new file mode 100644
index 0000000..bc20c1a
--- /dev/null
+++ b/src/open3a/constants-service.conf
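Review bot: The debconf values for user and database are swapped — `onlyoffice/db-user` is fed `$ONLYOFFICE_DB_NAME` and `onlyoffice/db-name` is fed `$ONLYOFFICE_DB_USER` — and it only works today because both constants are `onlyoffice`. The bare line `/etc/nginx/conf.d/ds.conf` tries to execute that config file as a command rather than doing anything useful; presumably an `rm -f` or `cp` was intended. `apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5` imports a key selected by a 32-bit short id over an unauthenticated keyserver connection, which cannot guarantee the intended key is the one imported and then trusts it for every repository; pin the full fingerprint and, as the matrix script in this commit does, store it as a keyring referenced with `[signed-by=...]`. This is also the only `install-service.sh` without a shebang, and it mixes `sudo debconf-set-selections` with plain `debconf-set-selections` although the script already runs as root and `sudo` is not among the installed packages here.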
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-10-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
\ No newline at end of file
diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh
new file mode 100644
index 0000000..00c5cc8
--- /dev/null
+++ b/src/open3a/install-service.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+MYSQL_PASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/html;
+
+ index index.php;
+
+ server_name _;
+
+ location ~ .php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ }
+}
+EOF
+
+mysql -uroot -e "CREATE USER 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
+GRANT USAGE ON * . * TO 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS open3a;
+GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
+
+cd /var/www/html/
+wget https://www.open3a.de/download/open3A%203.4.zip -O open3a.zip
+unzip open3a.zip
+rm open3a.zip
+chmod 666 system/DBData/Installation.pfdb.php
+chmod -R 777 specifics/
+chmod -R 777 system/Backups
+chown -R www-data:www-data /var/www/html
+
+echo "sudo -u www-data /usr/bin/php /var/www/html/plugins/Installation/backup.php; for backup in $(ls -r1 /var/www/html/system/Backup/*.gz | /bin/grep -v $(date +%Y%m%d)); do /bin/rm $backup;done" > /etc/cron.daily/open3a-backup
+chmod +x /etc/cron.daily/open3a-backup
+
+systemctl enable --now php7.3-fpm
+systemctl restart nginx
+
+echo -e "Your open3a installation is now complete. 
Please continue with setup in your Browser:\nURL:\t\thttp://$LXC_IP\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"
\ No newline at end of file
diff --git a/src/proxmox-pbs/constants-service.conf b/src/proxmox-pbs/constants-service.conf
new file mode 100644
index 0000000..b0609cd
--- /dev/null
+++ b/src/proxmox-pbs/constants-service.conf
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Backup ubdir where Urbackup will store backups
+PBS_DATA="backup"
\ No newline at end of file
diff --git a/src/proxmox-pbs/install-service.sh b/src/proxmox-pbs/install-service.sh
new file mode 100644
index 0000000..1771d45
--- /dev/null
+++ b/src/proxmox-pbs/install-service.sh
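Review bot: The cron job written to `/etc/cron.daily/open3a-backup` is built from a double-quoted string, so `$(ls -r1 …)`, `$(date +%Y%m%d)` and `$backup` are expanded once at install time — when the backup directory does not exist yet — and the installed script ends up with an empty loop list and a body of `/bin/rm ;`; write it through a quoted heredoc (`cat <<'EOF' > /etc/cron.daily/open3a-backup`) or a single-quoted string so the expansions happen when cron runs. The path in that loop (`system/Backup/*.gz`) also differs from the `system/Backups` directory chmod'ed a few lines earlier; worth confirming which one open3a actually writes to. `chmod -R 777` on `specifics/` and `system/Backups` makes web-served directories world-writable, which is not needed once the tree is `chown -R www-data:www-data`; `chmod -R 770` (or `750`) for that owner is enough. The `mysql -uroot -e "…"` invocation places `$MYSQL_PASSWORD` on the command line where it is visible in the process list, and the closing `echo -e` prints it to stdout; feeding the SQL via stdin (`mysql -uroot <<EOF … EOF`) avoids the first, and the second matters wherever stdout is captured to a log file.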
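Review bot: The comment above `PBS_DATA` — `# Backup ubdir where Urbackup will store backups` — was copied from the urbackup constants file and describes the wrong service (and keeps the `ubdir` typo); suggest `# Subdirectory below the sharefs mountpoint in which the PBS datastore is created`. The same typo appears in `src/urbackup/constants-service.conf` further down, where `# Backup subdir where UrBackup will store backups` would be the corrected wording.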
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list
+# PBS pbs-no-subscription repository provided by proxmox.com,
+# NOT recommended for production use
+deb http://download.proxmox.com/debian/pbs bullseye pbs-no-subscription
+EOF
+
+wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
+
+apt update && apt upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
+
+proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
diff --git a/src/sources.list b/src/sources.list
new file mode 100644
index 0000000..aa474ae
--- /dev/null
+++ b/src/sources.list
@@ -0,0 +1,6 @@
+deb http://ftp.de.debian.org/debian buster main contrib
+
+deb http://ftp.de.debian.org/debian buster-updates main contrib
+
+# security updates
+deb http://security.debian.org buster/updates main contrib
\ No newline at end of file
diff --git a/src/urbackup/constants-service.conf b/src/urbackup/constants-service.conf
new file mode 100644
index 0000000..a27d2ff
--- /dev/null
+++ b/src/urbackup/constants-service.conf
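Review bot: The repository signing key is fetched with `wget … -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg` with no integrity check and no status check, so a failed, truncated or tampered download becomes a system-wide apt trust anchor (or an empty file) and the script carries on to `apt update` regardless. Proxmox publishes a checksum for that key file; compare it before use, e.g. `echo "<PUBLISHED_SHA512_FROM_PROXMOX_DOCS>  /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg" | sha512sum -c - || exit 1`, and prefer keeping the key under `/usr/share/keyrings/` with `[signed-by=…]` in the `.list` line so it only vouches for this repository. `apt upgrade -y` on the next line runs without the `DEBIAN_FRONTEND=noninteractive` prefix that the `apt install` line uses, so a conffile prompt can still block an unattended build. `$PBS_DATA` and `$LXC_SHAREFS_MOUNTPOINT` in the `datastore create` call are unquoted; quoting them costs nothing.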
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-10-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Backup ubdir where Urbackup will store backups
+URBACKUP_DATA="urbackup"
\ No newline at end of file
diff --git a/src/urbackup/install-service.sh b/src/urbackup/install-service.sh
new file mode 100644
index 0000000..b7f6893
--- /dev/null
+++ b/src/urbackup/install-service.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+mkdir /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+mkdir /etc/urbackup
+echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
+
+echo 'deb http://download.opensuse.org/repositories/home:/uroni/Debian_10/ /' | tee /etc/apt/sources.list.d/home:uroni.list
+curl -fsSL https://download.opensuse.org/repositories/home:uroni/Debian_10/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
\ No newline at end of file
diff --git a/src/zmb-ad/constants-service.conf b/src/zmb-ad/constants-service.conf
new file mode 100644
index 0000000..148d75d
--- /dev/null
+++ b/src/zmb-ad/constants-service.conf
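Review bot: The OBS key is piped into `/etc/apt/trusted.gpg.d/home_uroni.gpg`, which makes it a trust anchor for every configured repository rather than just this one, and because the `curl | gpg --dearmor | tee` chain runs without `set -o pipefail`, a failed download leaves an empty keyring and the script still proceeds to `apt update`; store the key as `/usr/share/keyrings/home_uroni.gpg`, reference it with `deb [signed-by=/usr/share/keyrings/home_uroni.gpg] http://download.opensuse.org/repositories/home:/uroni/Debian_10/ /`, and check `curl`'s status explicitly. The same global-trust concern applies to `apt-key adv --fetch-keys` in `src/zmb-standalone/install-service.sh`. The two `mkdir` calls run without `-p` and without a status check, so a re-run or a pre-existing `/etc/urbackup` prints an error and carries on. `LXC_TEMPLATE_VERSION` for this service is `debian-10-standard`, consistent with the `Debian_10` repository path; a comment tying the two together would help whoever bumps the template later.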
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
\ No newline at end of file
diff --git a/src/zmb-ad/features.json b/src/zmb-ad/features.json
new file mode 100644
index 0000000..8cc5c0d
--- /dev/null
+++ b/src/zmb-ad/features.json
@@ -0,0 +1,11 @@
+{
+ "unprivileged": 0,
+ "features": {
+ "nesting": 1
+ },
+ "sharefs": {},
+ "mem": 1024,
+ "swap": 1024,
+ "hostname": "ad",
+ "domain": "zmb.rocks"
+}
\ No newline at end of file
diff --git a/src/zmb-ad/info b/src/zmb-ad/info
new file mode 100644
index 0000000..092f8dc
--- /dev/null
+++ b/src/zmb-ad/info
@@ -0,0 +1 @@
+Zamba Active Directory Domain Controller
\ No newline at end of file
diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh
new file mode 100644
index 0000000..5005f05
--- /dev/null
+++ b/src/zmb-ad/install-service.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
+ BINDNINE=bind9
+fi
+
+## configure ntp
+cat << EOF > /etc/ntp.conf
+# Local clock. Note that is not the "localhost" address!
+server 127.127.1.0
+fudge 127.127.1.0 stratum 10
+
+# Where to retrieve the time from
+server 0.de.pool.ntp.org iburst prefer
+server 1.de.pool.ntp.org iburst prefer
+server 2.de.pool.ntp.org iburst prefer
+
+driftfile /var/lib/ntp/ntp.drift
+logfile /var/log/ntp
+ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
+
+# Access control
+# Default restriction: Allow clients only to query the time
+restrict default kod nomodify notrap nopeer mssntp
+
+# No restrictions for "localhost"
+restrict 127.0.0.1
+
+# Enable the time sources to only provide time to this host
+restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
+restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
+restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
+
+tinker panic 0
+EOF
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
+
+if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
+ # configure bind dns service
+ cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+ database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+ cat << EOF > /etc/bind/named.conf.options
+options {
+ directory "/var/cache/bind";
+
+ forwarders {
+ $LXC_DNS;
+ };
+
+ allow-query { any;};
+ dnssec-validation no;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+ listen-on { any; };
+
+ tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+ minimal-responses yes;
+};
+EOF
+
+ mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+# stop + disable samba services and remove default config
+systemctl stop smbd nmbd winbind
+systemctl disable smbd nmbd winbind
+rm -f /etc/samba/smb.conf
+rm -f /etc/krb5.conf
+
+# provision zamba domain
+samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
+
+cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc $BINDNINE
+systemctl restart samba-ad-dc $BINDNINE
+
+exit 0
diff --git a/src/zmb-member/constants-service.conf b/src/zmb-member/constants-service.conf
new file mode 100644
index 0000000..e650fc8
--- /dev/null
+++ b/src/zmb-member/constants-service.conf
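Review bot: In the `named.conf.options` heredoc, `allow-query { any;};` together with `listen-on { any; };` and forwarders to `$LXC_DNS` makes this DC an open recursive resolver for any network that can reach it, a well-known amplification and cache-poisoning exposure; restrict recursion to the local networks, e.g. `allow-query { localhost; localnets; };` and `allow-recursion { localhost; localnets; };`, and reconsider `dnssec-validation no;`. In the ntp.conf heredoc the `restrict 0.pool.ntp.org …` lines do not match the `0.de.pool.ntp.org` servers configured a few lines earlier, so the intended per-server restrictions never apply, and `ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/` is a from-source path — on Debian's samba packages the signd directory is, as far as I know, `/var/lib/samba/ntp_signd/`, which should be confirmed against the output of `samba -b`. `--adminpass=$ZMB_ADMIN_PASS` in the `samba-tool domain provision` call exposes the domain administrator password in the process list and in any `bash -x` trace. `dlz_bind9_11.so` is hard-coded while bullseye's bind9 is 9.16; if the installed Samba provides `dlz_bind9_16.so`, that is the module that should be loaded, so the path deserves a check against the installed versions.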
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
\ No newline at end of file
diff --git a/src/zmb-member/features.json b/src/zmb-member/features.json
new file mode 100644
index 0000000..a651666
--- /dev/null
+++ b/src/zmb-member/features.json
@@ -0,0 +1,12 @@
+{
+ "unprivileged": 0,
+ "features": {},
+ "sharefs": {
+ "size": "100",
+ "mountpoint": "/tank"
+ },
+ "mem": 1024,
+ "swap": 1024,
+ "hostname": "zamba",
+ "domain": "zmb.rocks"
+}
\ No newline at end of file
diff --git a/src/zmb-member/info b/src/zmb-member/info
new file mode 100644
index 0000000..5064c82
--- /dev/null
+++ b/src/zmb-member/info
@@ -0,0 +1 @@
+Zamba AD Member Server
\ No newline at end of file
diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh
new file mode 100644
index 0000000..e93e54f
--- /dev/null
+++ b/src/zmb-member/install-service.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf < /etc/samba/smb.conf <> /etc/pam.d/common-session
+
+systemctl restart winbind nmbd
+wbinfo -u
+wbinfo -g
+
+mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
+chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+systemctl restart smbd nmbd winbind
+
diff --git a/src/zmb-standalone/constants-service.conf b/src/zmb-standalone/constants-service.conf
new file mode 100644
index 0000000..e650fc8
--- /dev/null
+++ b/src/zmb-standalone/constants-service.conf
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
\ No newline at end of file
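Review bot: The share setup at the end runs unconditionally: `mkdir` without `-p` or a status check, then `chown "$ZMB_ADMIN_USER"` and two `setfacl` calls that name a domain identity which only resolves if the join succeeded and winbind is answering — `wbinfo -u`/`wbinfo -g` merely print their output and nothing stops the script when they fail, so after a failed join the ACL steps error out one by one and the script still returns success. Gate the tail on winbind actually working, e.g. `wbinfo -u >/dev/null || { printf 'winbind cannot enumerate domain users\n' >&2; exit 1; }`, and use `mkdir -p -- "/$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE"`. `$ZMB_ADMIN_USER` is quoted in the `chown` line but not in the `setfacl` lines; quote it consistently. The krb5.conf and smb.conf heredoc bodies and the pam.d append are not recoverable in this rendering (`cat > /etc/krb5.conf < /etc/samba/smb.conf <> /etc/pam.d/common-session`), so those parts of the hunk could not be reviewed.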
diff --git a/src/zmb-standalone/features.json b/src/zmb-standalone/features.json
new file mode 100644
index 0000000..18faaf5
--- /dev/null
+++ b/src/zmb-standalone/features.json
@@ -0,0 +1,12 @@
+{
+ "unprivileged": 0,
+ "features": { },
+ "sharefs": {
+ "size": "100",
+ "mountpoint": "/tank"
+ },
+ "mem": 1024,
+ "swap": 1024,
+ "hostname": "zamba",
+ "domain": "zmb.rocks"
+}
\ No newline at end of file
diff --git a/src/zmb-standalone/info b/src/zmb-standalone/info
new file mode 100644
index 0000000..29a2c22
--- /dev/null
+++ b/src/zmb-standalone/info
@@ -0,0 +1 @@
+Zamba Standalone Server
\ No newline at end of file
diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh
new file mode 100644
index 0000000..3fea769
--- /dev/null
+++ b/src/zmb-standalone/install-service.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# add wsdd package repo
+apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+echo "deb http://ftp.de.debian.org/debian buster-backports main contrib" > /etc/apt/sources.list.d/buster-backports.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t buster-backports cockpit
+
+mkdir /usr/share/cockpit/smb
+wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html
+wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json
+wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js
+
+USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
+useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
+echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
+smbpasswd -x $USER
+(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
+
+cat << EOF >> /etc/samba/smb.conf
+[$ZMB_SHARE]
+ comment = Main Share
+ path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+ read only = No
+ vfs objects = shadow_copy2
+ shadow: snapdir = .zfs/snapshot
+ shadow: sort = desc
+ shadow: format = -%Y-%m-%d-%H%M
+ shadow: snapprefix = 
^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+ shadow: delimiter = -20
+EOF
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+systemctl restart smbd nmbd wsdd
diff --git a/testinstall b/testinstall
new file mode 100755
index 0000000..6a6c464
--- /dev/null
+++ b/testinstall
@@ -0,0 +1,14 @@
+
+bash -vx install.sh -s checkmk > checkmk.inst.log
+bash -vx install.sh -s debian-unpriv > debian-unpriv.inst.log
+bash -vx install.sh -s matrix > matrix.inst.log
+bash -vx install.sh -s nextcloud > nextcloud.inst.log
+bash -vx install.sh -s open3a > open3a.inst.log
+bash -vx install.sh -s zmb-ad > zmb-ad.inst.log
+bash -vx install.sh -s zmb-member > zmb-member.inst.log
+bash -vx install.sh -s zmb-standalone > zmb-standalone.inst.log
+bash -vx install.sh -s debian-priv > debian-priv.inst.log
+bash -vx install.sh -s mailpiler > mailpiler.inst.log
+bash -vx install.sh -s onlyoffice > onlyoffice.inst.log
+bash -vx install.sh -s proxmox-pbs > proxmox-pbs.inst.log
+bash -vx install.sh -s urbackup > urbackup.inst.log
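Review bot: `buster-backports` is added as a source and `cockpit` is installed with `-t buster-backports`, but this service's `constants-service.conf` in the same commit selects `debian-11-standard`, so on a bullseye container this pulls a package from the previous release's backports instead of the current suite. The wsdd line already derives the codename from `$(lsb_release -cs)`; do the same here with `echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/backports.list` and `-t "$(lsb_release -cs)-backports"`, and check whether the release's own cockpit package already suffices. `USER=$(…)` overwrites the shell's own `USER` variable for the rest of the script; a name such as `ZMB_USER` avoids surprising later readers and any tool that consults `$USER`. `smbpasswd -x $USER` before `-a` fails on a fresh container and only matters on a re-run; a one-line comment saying so (`# remove a stale SMB entry from an earlier run; harmless if none exists`) would stop the error from being mistaken for a problem.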
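Review bot: `bash -vx` writes its trace to stderr, which `> name.inst.log` does not capture, so these logs only hold each installer's stdout; if the trace is the point, use `> name.inst.log 2>&1`. That trace (and, for open3a, plain stdout) contains the generated database and admin passwords, so set `umask 077` at the top of the script so the log files are not world-readable. The file is mode 100755 but its first line is blank; add `#!/usr/bin/env bash` as the first line so it runs under the intended interpreter when executed directly.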