From 26d2d0e2de1e841d2db168edd8e03a9233679349 Mon Sep 17 00:00:00 2001
From: Thorsten Spille <thorstenspille@users.noreply.github.com>
Date: Tue, 15 Mar 2022 13:18:57 +0100
Subject: [PATCH] Create install-service.sh

---
 src/zmb-ad-join/install-service.sh | 136 +++++++++++++++++++++++++++++
 1 file changed, 136 insertions(+)
 create mode 100644 src/zmb-ad-join/install-service.sh

diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh
new file mode 100644
index 0000000..d07a7a0
--- /dev/null
+++ b/src/zmb-ad-join/install-service.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+      ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+      apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+      echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+  elif [[ "$f" == "splitdns" ]]; then
+      ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+      ZMB_DNS_BACKEND="BIND9_DLZ"
+      ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+      echo "Unsupported optional feature $f"
+  fi
+done
+
+## configure ntp
+cat << EOF > /etc/ntp.conf
+# Local clock. Note that is not the "localhost" address!
+server 127.127.1.0
+fudge  127.127.1.0 stratum 10
+# Where to retrieve the time from
+server 0.de.pool.ntp.org     iburst prefer
+server 1.de.pool.ntp.org     iburst prefer
+server 2.de.pool.ntp.org     iburst prefer
+driftfile       /var/lib/ntp/ntp.drift
+logfile         /var/log/ntp
+ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
+# Access control
+# Default restriction: Allow clients only to query the time
+restrict default kod nomodify notrap nopeer mssntp
+# No restrictions for "localhost"
+restrict 127.0.0.1
+# Enable the time sources to only provide time to this host
+restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+tinker panic 0
+EOF
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+	  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+  cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+  forwarders {
+    $LXC_DNS;
+  };
+  allow-query {  any;};
+  dnssec-validation no;
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved
+rm -f /etc/samba/smb.conf
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
+
+cat > /etc/cron.d/sysvol-sync << EOF
+*/5 * * * * root /usr/bin/rsync -XAavz --delete-after root@$LXC_DNS:/var/lib/samba/sysvol/ /var/lib/samba/sysvol
+EOF
+
+ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES