Improved doc, removed just-lxc, added (un)priv ct

thorstenspille 2021-04-17 15:33:59 +02:00
parent 2b917c02e8
commit 582444e57b
6 changed files with 93 additions and 68 deletions

View File

@ -7,12 +7,13 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna
### Requirements ### Requirements
Proxmox VE Server with at least one configured ZFS Pool. Proxmox VE Server with at least one configured ZFS Pool.
### Included services: ### Included services:
- `just-lxc` => Debian LXC Container only
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions) - `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
- `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/) - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
- `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web) - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `debian-unpriv` => Debian privileged container with basic toolset
## Usage ## Usage
Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`. Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
```bash ```bash
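Review bot: the second new service entry is a copy-paste error: both `- `debian-unpriv` => Debian unprivileged container with basic toolset` and the following line use the key `debian-unpriv`, while the second one describes the privileged container and install.sh's select menu calls that option `debian-priv`; rename the second key to `debian-priv`. Since the docs section on privileged mode is removed in this same commit, this list entry is the natural place for one sentence saying that the privileged variant runs as the host's `root` user and should only be picked where a service requires it.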

debian-unpriv.sh (new file, 18 lines added)
View File

@ -0,0 +1,18 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
dpkg-reconfigure locales
source /root/zamba.conf
# Set Timezone
ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
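Review bot: `source /root/zamba.conf` loads `LXC_PWD` and `ZMB_ADMIN_PASS` (both present in the pushed config) into the container's root shell, and the file is left in `/root` after the script finishes; consider ending the script with `rm -f /root/zamba.conf`, or at least `chmod 600` it, so the credentials do not stay readable inside the container. `dpkg-reconfigure locales` runs before `DEBIAN_FRONTEND=noninteractive` is set, so a non-interactive run can block on the locale dialog (and `LXC_LOCALE` from the config is not used, which matches the "not used yet" comment in zamba.conf). Also, without `set -e` a failed `apt install` is ignored and the script still reports success.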

View File

@ -17,19 +17,19 @@
############### ZAMBA INSTALL SCRIPT ############### ############### ZAMBA INSTALL SCRIPT ###############
# Load configuration file # Load configuration file
source ./zamba.conf source $PWD/zamba.conf
LXC_MP="0" LXC_MP="0"
LXC_UNPRIVILEGED="1" LXC_UNPRIVILEGED="1"
LXC_NESTING="0" LXC_NESTING="0"
select opt in just_lxc zmb-standalone zmb-member zmb-ad mailpiler matrix quit; do select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
case $opt in case $opt in
deb-unpriv) debian-unpriv)
echo "Debian-only LXC container unprivileged mode selected" echo "Debian-only LXC container unprivileged mode selected"
break break
;; ;;
deb-priv) debian-priv)
echo "Debian-only LXC container privileged mode selected" echo "Debian-only LXC container privileged mode selected"
LXC_UNPRIVILEGED="0" LXC_UNPRIVILEGED="0"
break break
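Review bot: the new `debian-priv` menu entry has no matching script: the second hunk pushes `./$opt.sh` into the container, and this commit only adds `debian-unpriv.sh`, so selecting `debian-priv` fails at `pct push` unless a `debian-priv.sh` is added (or both case arms set a separate script-name variable pointing at the same file). Minor: `source $PWD/zamba.conf` should be quoted (`source "$PWD/zamba.conf"`) so a working directory containing spaces does not break it.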
@ -120,8 +120,8 @@ pct start $LXC_NBR;
sleep 5; sleep 5;
# Set the root password and key # Set the root password and key
echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd; echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
lxc-attach -n$LXC_NBR mkdir /root/.ssh; lxc-attach -n$LXC_NBR mkdir -p /root/.ssh;
echo -e "$LXC_AUTHORIZED_KEY" | lxc-attach -n$LXC_NBR tee /root/.ssh/authorized_keys; pct push $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
pct push $LXC_NBR ./sources.list /etc/apt/sources.list pct push $LXC_NBR ./sources.list /etc/apt/sources.list
pct push $LXC_NBR ./zamba.conf /root/zamba.conf pct push $LXC_NBR ./zamba.conf /root/zamba.conf
pct push $LXC_NBR ./$opt.sh /root/$opt.sh pct push $LXC_NBR ./$opt.sh /root/$opt.sh
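Review bot: `pct push $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys` is missing the container id; `pct push` takes `<vmid> <file> <destination>`, as the three following calls do, so this line fails and no key is installed. It should read `pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys`, ideally with `--perms 600` so sshd's strict-modes check accepts the file (the `mkdir -p /root/.ssh` should likewise be followed by `chmod 700`). Note also that the new default from zamba.conf (`/root/.ssh/authorized_keys` of the Proxmox host) grants every key trusted on the hypervisor root login on the container; a reasonable default for a homelab, but worth a sentence in the docs.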

View File

@ -11,96 +11,110 @@
############### Linux Container Section ############### ############### Linux Container Section ###############
# The storage, where your container tmeplates are located (in most cases: local) # Defines the Proxmox storage where your LXC container template are stored (default: local)
LXC_TEMPLATE_STORAGE="local" LXC_TEMPLATE_STORAGE="local"
# Define the size and storage location of the container's root filesystem # Defines the size in GB of the LXC container's root filesystem (default: 32)
# Depending on your environment, you should consider increasing the size for use of `mailpiler` or `matrix`.
LXC_ROOTFS_SIZE="32" LXC_ROOTFS_SIZE="32"
# Defines the Proxmox storage where your LXC container's root filesystem will be generated (default: local-zfs)
LXC_ROOTFS_STORAGE="local-zfs" LXC_ROOTFS_STORAGE="local-zfs"
# Define the size, storage location and mountpoint of the container's shared filesystem (required for 'zmb_standalone' and 'zmb_member') # Defines the size in GB your LXC container's filesystem shared by Zamba (AD member & standalone) (default: 100)
LXC_SHAREFS_SIZE="100" LXC_SHAREFS_SIZE="100"
# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
LXC_SHAREFS_STORAGE="local-zfs" LXC_SHAREFS_STORAGE="local-zfs"
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank" LXC_SHAREFS_MOUNTPOINT="tank"
# Size of the RAM assigned to the container # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
LXC_MEM="1024" LXC_MEM="1024"
# Size of the SWAP assigned to the container # Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
LXC_SWAP="1024" LXC_SWAP="1024"
# The hostname (eg. zamba1 or mailpiler1) # Defines the hostname of your LXC container
LXC_HOSTNAME="zamba" LXC_HOSTNAME="zamba"
# The domain suffix (the domain name / search domain of th container, results to the FQDN 'LXC_HOTNAME.LXC_DOMAIN') # Defines the domain name / search domain of your LXC container
LXC_DOMAIN="zmb.rocks" LXC_DOMAIN="zmb.rocks"
# IP-address and subnet # Defines the local IP address and subnet of your LXC container in CIDR format
LXC_IP="10.10.80.20/24" LXC_IP="192.168.100.200/24"
# Gateway # Defines the default gateway IP address of your LXC container
LXC_GW="10.10.80.10" LXC_GW="192.168.100.254"
# DNS-server (should be your AD DC) # Defines the DNS server ip address of your LXC container
LXC_DNS="10.10.80.10" # `zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS
# For other services this should be your active directory domain controller (if present, else a DNS server of your choice)
LXC_DNS="192.168.100.254"
# Networkbridge for this container # Defines the network bridge to bind the network adapter of your LXC container
LXC_BRIDGE="vmbr0" LXC_BRIDGE="vmbr0"
# Optional VLAN number for this container # Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
LXC_VLAN="" LXC_VLAN=
# root password - take care to delete from this file. Please use 'single quatation marks' to avoid unexpected behaviour. # Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
LXC_PWD='S3cr3tp@ssw0rd' LXC_PWD='S3cr3tp@ssw0rd'
# SSH-Key to add to authorized_keys # Defines an authorized_keys file to push into the LXC container.
LXC_AUTHORIZED_KEY="ssh-rsa xxxxxxxx" # By default the authorized_keys will be inherited from your proxmox host.
LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
# Define some optional packages to install (your favourite tools on linux systems) # Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git" LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
# Define system timezone on LXC container # Define the local timezone of your LXC container (default: Euroe/Berlin)
LXC_TIMEZONE="Europe/Berlin" LXC_TIMEZONE="Europe/Berlin"
# Define system language on LXC container (locales) # Define system language on LXC container (locales)
# This parameter is not used yet, but will be integrated in future releases.
LXC_LOCALE="de_DE.utf8" LXC_LOCALE="de_DE.utf8"
############### Zamba-Server-Section ############### ############### Zamba-Server-Section ###############
# Domain Entries to samba/smb.conf. Will be also uses for samba domain-provisioning when zmb-pdc will choosen. # Defines the REALM for the Active Directory (AD DC, AD member)
ZMB_REALM="ZMB.ROCKS" ZMB_REALM="ZMB.ROCKS"
# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
ZMB_DOMAIN="ZMB" ZMB_DOMAIN="ZMB"
# Select the Zamba AD DNS backend, supported are SAMBA_INTERNAL or BIND9_DLZ # Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
ZMB_DNS_BACKEND="SAMBA_INTERNAL" ZMB_DNS_BACKEND="SAMBA_INTERNAL"
# The Domain-Admin and password for zamba installation # Defines the name of your domain administrator account (AD DC, AD member, standalone)
ZMB_ADMIN_USER="Administrator" ZMB_ADMIN_USER="administrator"
# The Domain admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour. # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
ZMB_ADMIN_PASS='MYPASSWORD' # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
# Name of the Zamba Share # Defines the name of your Zamba share
ZMB_SHARE="share" ZMB_SHARE="share"
############### Mailpiler-Section ############### ############### Mailpiler-Section ###############
# The FQDN vor the Hostname. This must be exactly the same like the LXC_HOSTNAME / LXC_DOMAIN at section above. # Defines the (public) FQDN of your piler mail archive
PILER_FQDN="piler.zmb.rocks" PILER_FQDN="piler.zmb.rocks"
PILER_SMARTHOST="10.10.80.20" # Defines the smarthost for piler mail archive
PILER_SMARTHOST="your.mailserver.tld"
# Defines the version number of piler mail archive to install
PILER_VERSION="1.3.10" PILER_VERSION="1.3.10"
# Defines the version of sphinx to install
PILER_SPHINX_VERSION="3.3.1" PILER_SPHINX_VERSION="3.3.1"
# Defines the php version to install
PILER_PHP_VERSION="7.4" PILER_PHP_VERSION="7.4"
############### Matrix-Section ############### ############### Matrix-Section ###############
# The FQDN vor the Hostname. This should be the same like the LXC_HOSTNAME / LXC_DOMAIN at section above. # Define the FQDN of your Matrix server
MATRIX_FQDN="matrix.zmb.rocks" MATRIX_FQDN="matrix.zmb.rocks"
# Virtual host to run the Element Web messenger # Define the FQDN for the Element Web virtual host
MATRIX_ELEMENT_FQDN="element.zmb.rocks" MATRIX_ELEMENT_FQDN="element.zmb.rocks"
# Element Web version # Define the version of Element Web
MATRIX_ELEMENT_VERSION="v1.7.24" MATRIX_ELEMENT_VERSION="v1.7.24"
# Virtuel host to run the Jitsi Meet # Define the FQDN for the Jitsi Meet virtual host
MATRIX_JITSI_FQDN="meet.zmb.rocks" MATRIX_JITSI_FQDN="meet.zmb.rocks"
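Review bot: the old warning on `LXC_PWD` ("take care to delete from this file") was dropped, but the file still carries `LXC_PWD` and `ZMB_ADMIN_PASS` in clear text, is tracked in git, and is pushed into every container as `/root/zamba.conf`; keep the warning, or better document copying the file to a git-ignored local name, so real credentials are neither committed nor left inside containers. `ZMB_ADMIN_USER` becomes lowercase `administrator` here while docs/zamba.md in this commit still shows `Administrator`; pick one. Typos in the new comments: `quatation` (twice), `Euroe/Berlin`, `container template are stored` (templates), and `zmb-ad used this DNS server` (uses).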

View File

@ -37,13 +37,6 @@ Defines the mountpoint of the filesystem shared by Zamba inside your LXC contain
```bash ```bash
LXC_SHAREFS_MOUNTPOINT="tank" LXC_SHAREFS_MOUNTPOINT="tank"
``` ```
### LXC_UNPRIVILEGED
Defines if the LXC container will be created in `unpprivileged` or `privileged` mode (default: 1)
```bash
LXC_UNPRIVILEGED="1"
```
Privileged also means the container runs as `root` user. Set this option only, if it's required for the service.
`Zamba AD DC`, `Zamba AD member`, `Zamba standalone` and `mailpiler` are required to run in privileged mode.
### LXC_MEM ### LXC_MEM
Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
```bash ```bash
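Review bot: this removes the only documentation of `LXC_UNPRIVILEGED`, including the statement that privileged containers run as `root` and which services need it, in the same commit that adds a `debian-priv` menu option. Since the value is now chosen in the menu rather than in the config file, move the two explanatory sentences to the README service list (or a short privileged-vs-unprivileged paragraph) instead of dropping them, and fix `unpprivileged` wherever the text ends up.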
@ -75,12 +68,14 @@ Defines the default gateway IP address of your LXC container
LXC_GW="10.10.80.254" LXC_GW="10.10.80.254"
``` ```
### LXC_DNS ### LXC_DNS
Defines the DNS server ip addres of your LXC container Defines the DNS server ip address of your LXC container
```bash ```bash
LXC_DNS="10.10.80.254" LXC_DNS="10.10.80.254"
``` ```
`zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS
For other services this should be your active directory domain controller (if present, else a DNS server of your choice)
### LXC_BRIDGE ### LXC_BRIDGE
Defines the network bridge to bind the network adapter of your LXC container to Defines the network bridge to bind the network adapter of your LXC container
```bash ```bash
LXC_BRIDGE="vmbr0" LXC_BRIDGE="vmbr0"
``` ```
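Review bot: `Defines the network bridge to bind the network adapter of your LXC container` loses the trailing `to` and no longer reads as a sentence; restore it. In the new DNS paragraph, `zmb-ad used this DNS server` should be `uses`, and the two added sentences need a blank line between them or a list marker, otherwise markdown joins them into one line.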
@ -90,19 +85,20 @@ Defines the vlan id of the LXC container's network interface, if the network ada
LXC_VLAN="80" LXC_VLAN="80"
``` ```
### LXC_PWD ### LXC_PWD
Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour. Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour.
```bash ```bash
LXC_PWD="S3cr3tp@ssw0rd" LXC_PWD="S3cr3tp@ssw0rd"
``` ```
### LXC_AUTHORIZED_KEY ### LXC_AUTHORIZED_KEY
If you have a SSH key to add to the LXC container's `root` account authorized_keys, you can paste it here. Defines an authorized_keys file to push into the LXC container.
By default the authorized_keys will be inherited from your proxmox host.
```bash ```bash
LXC_AUTHORIZED_KEY="ssh-rsa xxxxxxxx" LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
``` ```
### LXC_TOOLSET ### LXC_TOOLSET
Define your (administrative) tools, you always want to have instlled into yout LXC container Define your (administrative) tools, you always want to have installed into your LXC container
```bash ```bash
LXC_TOOLSET="net-tools dnsutils mc sysstat lsb-release curl git" LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
``` ```
### LXC_TIMEZONE ### LXC_TIMEZONE
Define the local timezone of your LXC container (default: Euroe/Berlin) Define the local timezone of your LXC container (default: Euroe/Berlin)
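Review bot: the LXC_PWD example uses double quotes (`LXC_PWD="S3cr3tp@ssw0rd"`) directly under the sentence asking for single quotes; change it to `LXC_PWD='S3cr3tp@ssw0rd'` to match zamba.conf, since a `$` or backtick inside double quotes is exactly the unexpected behaviour the sentence warns about. `Euroe/Berlin` in the LXC_TIMEZONE line is still misspelled on the new side.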
@ -110,7 +106,7 @@ Define the local timezone of your LXC container (default: Euroe/Berlin)
LXC_TIMEZONE="Europe/Berlin" LXC_TIMEZONE="Europe/Berlin"
``` ```
### LXC_LOCALE ### LXC_LOCALE
Define system language on LXC container Define system language on LXC container (locales)
```bash ```bash
LXC_LOCALE="de_DE.utf8" LXC_LOCALE="de_DE.utf8"
``` ```
@ -137,21 +133,17 @@ Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND
ZMB_DNS_BACKEND="SAMBA_INTERNAL" ZMB_DNS_BACKEND="SAMBA_INTERNAL"
``` ```
### ZMB_ADMIN_USER ### ZMB_ADMIN_USER
Defines the name of your domain administrator account (AD DC, AD member) Defines the name of your domain administrator account (AD DC, AD member, standalone)
```bash ```bash
ZMB_ADMIN_USER="Administrator" ZMB_ADMIN_USER="Administrator"
``` ```
### ZMB_ADMIN_PASS ### ZMB_ADMIN_PASS
Defines the domain administrator's password (AD DC, AD member). Please use 'single quatation marks' to avoid unexpected behaviour. Defines the domain administrator's password (AD DC, AD member).
```bash ```bash
ZMB_ADMIN_PASS='1c@nd0@nyth1n9' ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
``` ```
### ZMB_DOMAIN_ADMINS_GROUP Please use 'single quotation marks' to avoid unexpected behaviour.
Defines the domain admins group of your active directory. `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
```bash
ZMB_DOMAIN_ADMINS_GROUP="domain admins"
```
On Windows Servers this group depends on the configured OS language.
### ZMB_SHARE ### ZMB_SHARE
Defines the name of your Zamba share Defines the name of your Zamba share
```bash ```bash
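Review bot: the ZMB_ADMIN_PASS explanation is now split by the code block (the quoting and complexity sentences land after the closing fence); move them above the fence so they stay with the heading. ZMB_ADMIN_USER still shows `Administrator` while zamba.conf in this commit sets `administrator`; align the two. Dropping the ZMB_DOMAIN_ADMINS_GROUP section looks fine, as the variable appears on neither side of the zamba.conf hunk, but the commit message should mention the removed option.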