ad: add wsdd, migrate debian 11, configure nginx

2022-01-15 18:45:29 +01:00 · 2022-01-15 18:45:29 +01:00 · 4f0b47949f
commit 4f0b47949f
parent 24c9b03abe
2 changed files with 88 additions and 57 deletions
--- a/src/zmb-ad/constants-service.conf
+++ b/src/zmb-ad/constants-service.conf
@ -10,9 +10,6 @@
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"

-# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-
 # Create sharefs mountpoint
 LXC_MP="0"

@ -21,3 +18,15 @@ LXC_UNPRIVILEGED="0"

 # enable nesting feature
 LXC_NESTING="1"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=()
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@ -8,47 +8,21 @@
 source /root/zamba.conf
 source /root/constants-service.conf

-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
-  BINDNINE=bind9
-fi
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"

-## configure ntp
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-
-# No restrictions for "localhost"
-restrict 127.0.0.1
-
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-
-tinker panic 0
-EOF
-
-# update packages
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-# install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
-
-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+    apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+    echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+  elif [[ "$f" == "splitdns" ]]; then
+    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+    ZMB_DNS_BACKEND="BIND9_DLZ"
+    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
      # configure bind dns service
    cat << EOF > /etc/default/bind9
 #
@ -93,11 +67,59 @@ options {
 EOF

    mkdir -p /var/lib/samba/bind-dns/dns
+  else
+    echo "Unsupported optional feature $f"
+  fi
+done
+
+## configure ntp
+cat << EOF > /etc/ntp.conf
+# Local clock. Note that is not the "localhost" address!
+server 127.127.1.0
+fudge  127.127.1.0 stratum 10
+
+# Where to retrieve the time from
+server 0.de.pool.ntp.org     iburst prefer
+server 1.de.pool.ntp.org     iburst prefer
+server 2.de.pool.ntp.org     iburst prefer
+
+driftfile       /var/lib/ntp/ntp.drift
+logfile         /var/log/ntp
+ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
+
+# Access control
+# Default restriction: Allow clients only to query the time
+restrict default kod nomodify notrap nopeer mssntp
+
+# No restrictions for "localhost"
+restrict 127.0.0.1
+
+# Enable the time sources to only provide time to this host
+restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+
+tinker panic 0
+EOF
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    server_name $LXC_DOMAIN default_server;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
 fi

 # stop + disable samba services and remove default config
-systemctl stop smbd nmbd winbind
-systemctl disable smbd nmbd winbind
+systemctl disable --now smbd nmbd winbind systemd-resolved
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf

@ -107,7 +129,7 @@ samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAI
 cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

 systemctl unmask samba-ad-dc
-systemctl enable samba-ad-dc $BINDNINE
-systemctl restart samba-ad-dc $BINDNINE
+systemctl enable samba-ad-dc $ADDITIONAL_SERVICES
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES

 exit 0