From ffda6e2bb8484546aae52aaa7e7c2bd7dd054cd6 Mon Sep 17 00:00:00 2001 From: DerFossibaer Date: Fri, 11 Feb 2022 22:32:38 +0100 Subject: [PATCH 01/96] kopano-core_0.1 --- src/kopano-core/constants-service.conf | 44 ++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 src/kopano-core/constants-service.conf diff --git a/src/kopano-core/constants-service.conf b/src/kopano-core/constants-service.conf new file mode 100644 index 0000000..30026c7 --- /dev/null +++ b/src/kopano-core/constants-service.conf @@ -0,0 +1,44 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-10-standard" + +# Create sharefs mountpoint +LXC_MP="1" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest') +KOPANO_VERSION="latest" + +# Defines the php version to install +KOPANO_PHP_VERSION="7.3" + +# Defines Maria DB Version +MARIA_DB_VERS="10.5" + +# Defines the name from the SQL database +MARIA_DB_NAME="kopano" + +# Defines the name from the SQL user +MARIA_DB_USER="kopano" + +# Build a strong password for the SQL user - could be overwritten with something fixed +secure_pwd() { + set +o pipefail + LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32 +} +MARIA_ROOT_PWD=$(secure_pwd) +MARIA_USER_PWD=$(secure_pwd) + From 638621d16ebac10e93f257ce8e801d4b20b54c6a Mon Sep 17 00:00:00 2001 
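Review bot: The comment above `KOPANO_VERSION` still describes "piler mail archive", so it was evidently carried over from another service's constants file; it should read `# Defines the version of Kopano to install (type in exact version number or 'latest')`, and note that nothing later in this series reads the variable yet, as far as the patches show. `secure_pwd` switches `pipefail` off without saying why; a one-line comment such as `# head closes the pipe after 32 bytes, so tr dies with SIGPIPE; do not let pipefail turn that into a failure` keeps a later cleanup from removing it (the change stays inside the `$(...)` subshell, so the caller's options are unaffected). Because this file is `source`d and both `MARIA_*_PWD` values are regenerated on every source, the passwords are only stable within one process — presumably intended, but worth stating next to the two assignments.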
From: DerFossibaer Date: Fri, 11 Feb 2022 22:34:27 +0100 Subject: [PATCH 02/96] kopano-core_0.1 --- src/kopano-core/install-service.sh | 94 ++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 src/kopano-core/install-service.sh diff --git a/src/kopano-core/install-service.sh b/src/kopano-core/install-service.sh new file mode 100644 index 0000000..0c08266 --- /dev/null +++ b/src/kopano-core/install-service.sh 
@@ -0,0 +1,94 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/zamba.conf +source /root/constants-service.conf + +HOSTNAME=$(hostname -f) + +wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - +echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list + +wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add - +echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list + +wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add - +echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \ +php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip} + +#timedatectl set-timezone Europe/Berlin +#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www +#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www + +#### Secure Maria Instance #### + +mysqladmin -u root password "[$MARIA_ROOT_PWD]" + +mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''" +mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')" +mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'" +mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES" + +#### Create user and DB for Kopano #### + +mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'" +mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE 
$MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'" +mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES" + +echo "root-password: $MARIA_ROOT_PWD,\ +db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log + +cat > /etc/apt/sources.list.d/kopano.list << EOF + +# Kopano Core +deb https://download.kopano.io/supported/core:/final/Debian_10/ ./ + +# Kopano WebApp +deb https://download.kopano.io/supported/webapp:/final/Debian_10/ ./ + +# Kopano MobileDeviceManagement +deb https://download.kopano.io/supported/mdm:/final/Debian_10/ ./ + +# Kopano Files +deb https://download.kopano.io/supported/files:/final/Debian_10/ ./ + +# Z-Push +deb https://download.kopano.io/zhub/z-push:/final/Debian_10/ ./ + +EOF + +cat > /etc/apt/auth.conf.d/kopano.conf << EOF + +machine download.kopano.io +login serial +password $KOPANO_REPKEY + +EOF + +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_10/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_10/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_10/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_10/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_10/Release.key | apt-key add - + +apt update && apt full-upgrade -y + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \ +z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files + +#### Adjust nginx settings #### + +openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN" +openssl dhparam -dsaparam -out 
/etc/ssl/certs/dhparam.pem 4096 + +mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak + + From c1e483c1df42f938bb1d5736ef48ea151d661408 Mon Sep 17 00:00:00 2001 From: DerFossibaer Date: Sat, 12 Feb 2022 12:50:27 +0100 Subject: [PATCH 03/96] Kopano-core_0.11 --- conf/zamba.conf.example | 12 ++ src/kopano-core/install-service.sh | 181 ++++++++++++++++++++++++++++- 2 files changed, 192 insertions(+), 1 deletion(-) diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index f6a0150..52d9329 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example @@ -147,3 +147,15 @@ CMK_ADMIN_PW='Start!123' # raw = completely free # free = limited version of the enterprise edition (25 hosts, 1 instance) CMK_EDITION=raw + +############### Kopano-Section ############### + +# Define the FQDN of your Nextcloud server +KOPANO_FQDN="kopano.zmb.rocks" + +# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban +KOPANO_MAILGW="192.168.100.254" + +# Kopano test- or subscription-key offerd from +# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10 +KOPANO_REPKEY="1234567890abcdefghijklmno" diff --git a/src/kopano-core/install-service.sh b/src/kopano-core/install-service.sh index 0c08266..53c375f 100644 --- a/src/kopano-core/install-service.sh +++ b/src/kopano-core/install-service.sh 
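Review bot: `mysqladmin -u root password "[$MARIA_ROOT_PWD]"` stores the root password with the literal square brackets, while every following `mysql -uroot -p$MARIA_ROOT_PWD` call and the value written to `/root/maria.log` use it without them; unless the socket-authenticated root login is what actually lets those calls through, they fail, and the recorded password is wrong either way — drop the brackets: `mysqladmin -u root password "$MARIA_ROOT_PWD"`. Those lines also hand the password over on the command line, as do the `https://serial:$KOPANO_REPKEY@download.kopano.io/…` curl calls, so both secrets are visible in the process list while the script runs; `mysql --defaults-extra-file=` with a `[client]` section (or `MYSQL_PWD` in the environment) and `curl --netrc-file` with the same machine/login/password already written to `/etc/apt/auth.conf.d/kopano.conf` avoid that. The `wget -q -O - … | apt-key add -` and `curl … | apt-key add -` pipelines do not fail on a download error (curl runs without `-f`), so an HTML error page would be silently fed to apt-key. `HOSTNAME=$(hostname -f)` is assigned but never used in this hunk.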
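Review bot: The comment introducing `KOPANO_FQDN` says "Define the FQDN of your Nextcloud server", copied from the Nextcloud section; it should read `# Define the FQDN of your Kopano server`. The `KOPANO_MAILGW` comment describes a trusted reverse proxy for fail2ban source-IP detection, but nothing in this patch series consumes the variable yet, so either describe what it is intended for or mark it as reserved. `KOPANO_REPKEY` is a subscription secret in what is presumably the template for the `/root/zamba.conf` the installers source; a comment that the example value must be replaced and the filled-in file kept out of version control would help.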
@@ -84,11 +84,190 @@ apt update && apt full-upgrade -y DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \ z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files +#### Adjust kopano settings #### + +cat > /etc/kopano/ldap.cfg << EOF + +!include /usr/share/kopano/ldap.active-directory.cfg + +ldap_uri = ldap://10.10.81.12:389 +ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks +ldap_bind_passwd = Start123! +ldap_search_base = dc=zmb,dc=rocks + +#ldap_user_search_filter = (kopanoAccount=1) + +EOF + +cat > /etc/kopano/server.cfg << EOF + +server_listen = *:236 +local_admin_users = root kopano + +#database_engine = mysql +#mysql_host = localhost +#mysql_port = 3306 +mysql_user = $MARIA_DB_USER +mysql_password = $MARIA_USER_PWD +mysql_database = $MARIA_DB_NAME + +user_plugin = ldap +user_plugin_config = /etc/kopano/ldap.cfg + +EOF + +#### Adjust php settings #### + +sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php + +cat > /etc/php/7.3/fpm/pool.d/webapp.conf << EOF + +[webapp] +listen = 127.0.0.1:9002 +user = www-data +group = www-data +listen.allowed_clients = 127.0.0.1 +pm = dynamic +pm.max_children = 150 +pm.start_servers = 35 +pm.min_spare_servers = 20 +pm.max_spare_servers = 50 +pm.max_requests = 200 +listen.backlog = -1 +request_terminate_timeout = 120s +rlimit_files = 131072 +rlimit_core = unlimited +catch_workers_output = yes + +EOF + +sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php + #### Adjust nginx settings #### openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN" openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096 -mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak +#mv /etc/nginx/nginx.conf 
/etc/nginx/nginx.conf.bak + +cat > /etc/nginx/sites-available/webapp.conf << EOF +upstream php-handler { + server 127.0.0.1:9002; + #server unix:/var/run/php5-fpm.sock; + #server unix:/var/run/php/php7.3-fpm.sock; +} + +server{ + listen 80; + charset utf-8; + listen [::]:80; + server_name _; + + location / { + rewrite ^(.*) https://\$server_name\$1 permanent; + } + } + +server { + charset utf-8; + listen 443; + listen [::]:443 ssl; + server_name _; + ssl on; + client_max_body_size 1024m; + ssl_certificate /etc/ssl/certs/kopano.crt; + ssl_certificate_key /etc/ssl/private/kopano.key; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; + ssl_prefer_server_ciphers on; + # + # ssl_dhparam require you to create a dhparam.pem, this takes a long time + ssl_dhparam /etc/ssl/certs/dhparam.pem; + # + + # add headers + server_tokens off; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + + location /webapp { + alias /usr/share/kopano-webapp/; + index index.php; + + location ~ /webapp/presence/ { + rewrite ^/webapp/presence(/.*)$ \$1 break; + proxy_pass http://localhost:1234; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + } + + } + + location ~* ^/webapp/(.+\.php)$ { + alias /usr/share/kopano-webapp/; + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } + + fastcgi_param PHP_VALUE " + register_globals=off + magic_quotes_gpc=off + magic_quotes_runtime=off + post_max_size=31M + upload_max_filesize=30M + "; + fastcgi_param PHP_VALUE "post_max_size=31M + upload_max_filesize=30M + 
max_execution_time=3660 + "; + + include fastcgi_params; + fastcgi_index index.php; + #fastcgi_param HTTPS on; + fastcgi_param SCRIPT_FILENAME \$document_root\$1; + fastcgi_pass php-handler; + access_log /var/log/nginx/kopano-webapp-access.log; + error_log /var/log/nginx/kopano-webapp-error.log; + + # CSS and Javascript + location ~* \.(?:css|js)$ { + expires 1y; + access_log off; + add_header Cache-Control "public"; + } + + # All (static) resources set to 2 months expiration time. + location ~* \.(?:jpg|gif|png)\$ { + expires 2M; + access_log off; + add_header Cache-Control "public"; + } + + # enable gzip compression + gzip on; + gzip_min_length 1100; + gzip_buffers 4 32k; + gzip_types text/plain application/x-javascript text/xml text/css application/json; + gzip_vary on; + } + +} + +map \$http_upgrade \$connection_upgrade { + default upgrade; + '' close; +} +EOF + +ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/ + +systemctl restart nginx + From b995bf5283298bd5bf6784ee9de750454bfa2806 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 15 Mar 2022 13:18:30 +0100 Subject: [PATCH 04/96] Create constants-service.conf --- src/zmb-ad-join/constants-service.conf | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 src/zmb-ad-join/constants-service.conf diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf new file mode 100644 index 0000000..de68731 --- /dev/null +++ b/src/zmb-ad-join/constants-service.conf 
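Review bot: The `/etc/kopano/ldap.cfg` heredoc hard-codes the directory address `ldap://10.10.81.12:389`, the bind DN `cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks` and the bind password `Start123!`; these belong in zamba.conf variables like the other site settings (the file already has `$MARIA_DB_USER` etc. for server.cfg), and the bind password in particular should not be committed in the installer. The nginx vhost enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with the deprecated `ssl on;`; `ssl_protocols TLSv1.2 TLSv1.3;` with `listen 443 ssl;` and `listen [::]:443 ssl;` is what the zammad vhost in patch 08 of this series does, so the two should agree. Minor: the pool file path `/etc/php/7.3/fpm/pool.d/webapp.conf` ignores `$KOPANO_PHP_VERSION`, the `sed` on `/etc/kopano/webapp/config.php` runs twice, and `fastcgi_param PHP_VALUE` is set twice in the same location — merge them into one block. The enclosing file continues outside the hunk.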
@@ -0,0 +1,22 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="0" + +# enable nesting feature +LXC_NESTING="1" + +OPTIONAL_FEATURES=(wsdd splitdns) From 26d2d0e2de1e841d2db168edd8e03a9233679349 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 15 Mar 2022 13:18:57 +0100 Subject: [PATCH 05/96] Create install-service.sh --- src/zmb-ad-join/install-service.sh | 136 +++++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 src/zmb-ad-join/install-service.sh diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh new file mode 100644 index 0000000..d07a7a0 --- /dev/null +++ b/src/zmb-ad-join/install-service.sh 
@@ -0,0 +1,136 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille +source /root/zamba.conf +source /root/constants-service.conf + +ZMB_DNS_BACKEND="SAMBA_INTERNAL" + +for f in ${OPTIONAL_FEATURES[@]}; do + if [[ "$f" == "wsdd" ]]; then + ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES" + apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key + echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list + elif [[ "$f" == "splitdns" ]]; then + ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" + elif [[ "$f" == "bind9dlz" ]]; then + ZMB_DNS_BACKEND="BIND9_DLZ" + ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES" + else + echo "Unsupported optional feature $f" + fi +done + +## configure ntp +cat << EOF > /etc/ntp.conf +# Local clock. Note that is not the "localhost" address! 
+server 127.127.1.0 +fudge 127.127.1.0 stratum 10 +# Where to retrieve the time from +server 0.de.pool.ntp.org iburst prefer +server 1.de.pool.ntp.org iburst prefer +server 2.de.pool.ntp.org iburst prefer +driftfile /var/lib/ntp/ntp.drift +logfile /var/log/ntp +ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ +# Access control +# Default restriction: Allow clients only to query the time +restrict default kod nomodify notrap nopeer mssntp +# No restrictions for "localhost" +restrict 127.0.0.1 +# Enable the time sources to only provide time to this host +restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery +restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery +restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery +tinker panic 0 +EOF + +# update packages +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +# install required packages +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils + +if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then + cat << EOF > /etc/nginx/sites-available/default +server { + listen 80 default_server; + server_name _; + return 301 http://www.$LXC_DOMAIN\$request_uri; +} +EOF +fi + +if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then + # configure bind dns service + cat << EOF > /etc/default/bind9 +# +# run resolvconf? 
+RESOLVCONF=no +# startup options for the server +OPTIONS="-4 -u bind" +EOF + + cat << EOF > /etc/bind/named.conf.local +// +// Do any local configuration here +// +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; +dlz "$LXC_DOMAIN" { + database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; +}; +EOF + + cat << EOF > /etc/bind/named.conf.options +options { + directory "/var/cache/bind"; + forwarders { + $LXC_DNS; + }; + allow-query { any;}; + dnssec-validation no; + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; + listen-on { any; }; + tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; + minimal-responses yes; +}; +EOF + + mkdir -p /var/lib/samba/bind-dns/dns +fi + +mv /etc/krb5.conf /etc/krb5.conf.bak +cat > /etc/krb5.conf < /etc/cron.d/sysvol-sync << EOF +*/5 * * * * root /usr/bin/rsync -XAavz --delete-after root@$LXC_DNS:/var/lib/samba/sysvol/ /var/lib/samba/sysvol +EOF + +ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096 + +systemctl unmask samba-ad-dc +systemctl enable samba-ad-dc +systemctl restart samba-ad-dc $ADDITIONAL_SERVICES From 2e34f1543789b1286bc7e7fe7e5debe83d29e905 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 15 Mar 2022 13:35:57 +0100 Subject: [PATCH 06/96] Update install-service.sh --- src/zmb-ad-join/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index d07a7a0..da5d728 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh 
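Review bot: `ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N ""` creates a passphrase-less root key, and the cron entry pulls `root@$LXC_DNS:/var/lib/samba/sysvol/` with `rsync --delete-after` every five minutes, but nothing in the hunk installs that public key on the peer DC or verifies the sync, so the job fails until an operator completes it by hand; if that is the intended manual step, say so in a comment and recommend a `from=`/`command=`-restricted `authorized_keys` entry on the peer so the key cannot be used for anything else. The krb5.conf/cron part is garbled in this rendering (`cat > /etc/krb5.conf < /etc/cron.d/sysvol-sync << EOF`), so I cannot review what actually lands in `/etc/krb5.conf`. `for f in ${OPTIONAL_FEATURES[@]}` should be `for f in "${OPTIONAL_FEATURES[@]}"`. The bind9 branch writes `allow-query { any; };` with `dnssec-validation no;` — defensible for an AD-internal resolver, but a comment saying it is deliberate would stop the next reader from "fixing" it.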
@@ -55,7 +55,7 @@ EOF apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade # install required packages -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp cifs-utils samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then cat << EOF > /etc/nginx/sites-available/default From 0715a4ff972b35ade99ce4f4f63b0f31315b9b26 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 7 Apr 2022 16:43:00 +0200 Subject: [PATCH 07/96] Update README.md --- conf/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/README.md b/conf/README.md index 3b84cd0..36c232f 100644 --- a/conf/README.md +++ b/conf/README.md @@ -51,7 +51,7 @@ LXC_SWAP="1024" ### LXC_HOSTNAME Defines the hostname of your LXC container (Default: Name of installed Service) ```bash -LXC_SWAP="zamba" +LXC_HOSTNAME="zamba" ``` ### LXC_DOMAIN Defines the domain name / search domain of your LXC container From 86aba998dfb013611a3d2f0f9a7362fcbde7fdb1 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Fri, 6 May 2022 00:27:19 +0200 Subject: [PATCH 08/96] Added zammad container #31 --- src/zammad/constants-service.conf | 20 +++++ src/zammad/install-service.sh | 122 ++++++++++++++++++++++++++++++ 2 files changed, 142 insertions(+) create mode 100644 src/zammad/constants-service.conf create mode 100644 src/zammad/install-service.sh 
diff --git a/src/zammad/constants-service.conf b/src/zammad/constants-service.conf new file mode 100644 index 0000000..1e8fb5e --- /dev/null +++ b/src/zammad/constants-service.conf @@ -0,0 +1,20 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh new file mode 100644 index 0000000..957437f --- /dev/null +++ b/src/zammad/install-service.sh 
@@ -0,0 +1,122 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/zamba.conf +source /root/constants-service.conf + +apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key +apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch +wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo +echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert zammad + +# configurwe nginx +rm -f /etc/nginx/sites-enabled/default + +cat << EOF > /etc/nginx/sites-available/zammad.conf +upstream zammad-railsserver { + server 127.0.0.1:3000; +} + +upstream zammad-websocket { + server 127.0.0.1:6042; +} + +server { + listen 80; + listen [::]:80; + server_name _; + + server_tokens off; + + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; + + location /.well-known/ { + root /var/www/html; + } + + return 301 https://\$host\$request_uri; +} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name _; + + server_tokens off; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 1.1.1.1 1.0.0.1; + + add_header Strict-Transport-Security "max-age=31536000" always; + + location = 
/robots.txt { + access_log off; log_not_found off; + } + + location = /favicon.ico { + access_log off; log_not_found off; + } + + root /opt/zammad/public; + + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; + + client_max_body_size 50M; + + location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) { + expires max; + } + + location /ws { + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header CLIENT_IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + proxy_read_timeout 86400; + proxy_pass http://zammad-websocket; + } + + location / { + proxy_set_header Host \$http_host; + proxy_set_header CLIENT_IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + + # change this line in an SSO setup + proxy_set_header X-Forwarded-User ""; + + proxy_read_timeout 180; + proxy_pass http://zammad-railsserver; + + gzip on; + gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; + gzip_proxied any; + } +} +EOF + +openssl dhparam -out /etc/nginx/dhparam.pem 4096 + +systemctl restart nginx \ No newline at end of file From cdc9c7bb3aa53b2bfb466b4a181e32bfaa24836c Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 6 May 2022 00:34:28 +0200 Subject: [PATCH 09/96] Update README.md Added kopano and zammad --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 0805f39..858ad1e 100644 --- a/README.md +++ b/README.md 
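Review bot: The vhost is written to `/etc/nginx/sites-available/zammad.conf` but the hunk never links it into `sites-enabled` (it only removes `default`), so unless the zammad package already ships and enables a file of that name, nginx restarts with no server block; add `ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/` before `systemctl restart nginx`. `ssl_stapling on;` with the self-signed `ssl-cert-snakeoil` pair cannot work (there is no OCSP responder for it) and only yields startup warnings; either drop it or comment that it takes effect once a CA-issued certificate replaces the snakeoil one. `openssl dhparam -out /etc/nginx/dhparam.pem 4096` without `-dsaparam` can take many minutes in a container; the kopano installer in this series uses `-dsaparam`, so be consistent or document the wait. `apt-key adv --fetch` is deprecated on Debian 11; a keyring file under `/etc/apt/keyrings` referenced with `signed-by=` in the sources entry is the supported form.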
@@ -10,6 +10,7 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `checkmk` => Check_MK 2.0 Monitoring Server - `debian-priv` => Debian privileged container with basic toolset - `debian-unpriv` => Debian unprivileged container with basic toolset +- `kopano-core` => Kopano Core Grouoware [kopano.io](https://kopano.io/) - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/) - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web) - `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration @@ -17,6 +18,7 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de) - `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server) - `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org) +- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/) - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported - `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions) - `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions) From 68751c63aae7cb3307a11435d7ea8cb4cfa6e1d5 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 21 May 2022 15:47:15 +0200 Subject: [PATCH 10/96] Added gitea container --- src/gitea/constants-service.conf | 35 +++++++ src/gitea/install-service.sh | 171 +++++++++++++++++++++++++++++++ 2 files changed, 206 insertions(+) create mode 100644 src/gitea/constants-service.conf create mode 100644 src/gitea/install-service.sh 
diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf new file mode 100644 index 0000000..09949e8 --- /dev/null +++ b/src/gitea/constants-service.conf @@ -0,0 +1,35 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="1" + +# Create unprivileged container +LXC_UNPRIVILEGED="0" + +# enable nesting feature +LXC_NESTING="1" + +# Defines the IP from the SQL server +GITEA_DB_IP="127.0.0.1" + +# Defines the PORT from the SQL server +GITEA_DB_PORT="5432" + +# Defines the name from the SQL database +GITEA_DB_NAME="gitea" + +# Defines the name from the SQL user +GITEA_DB_USR="gitea" + +# Build a strong password for the SQL user - could be overwritten with something fixed +GITEA_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" \ No newline at end of file diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh new file mode 100644 index 0000000..9c43322 --- /dev/null +++ b/src/gitea/install-service.sh 
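Review bot: `GITEA_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"` does the same job as the `secure_pwd` helper in the kopano constants file but differently, and it depends on `head` closing the pipe while `cat`/`tr` are still writing; if the sourcing script ever turns `pipefail` on, the substitution reports failure. `GITEA_DB_PWD="$(LC_CTYPE=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32)"` gives the same 32-character value with no `cat` and no `fold`. `LXC_UNPRIVILEGED="0"` makes a privileged container the default for gitea while kopano and zammad in this series default to unprivileged; if the sharefs mount needs it, a comment saying so would help. The file also lacks a trailing newline.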
@@ -0,0 +1,171 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/zamba.conf +source /root/constants-service.conf + +wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add - +echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list + +wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - +echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert unzip zip + +timedatectl set-timezone ${LXC_TIMEZONE} + +systemctl enable --now postgresql + +su - postgres < /etc/systemd/system/gitea.service +[Unit] +Description=Gitea +After=syslog.target +After=network.target +After=postgresql.service + +[Service] +RestartSec=2s +Type=simple +User=git +Group=git +WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/ +ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini +Restart=always +Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/ + +[Install] +WantedBy=multi-user.target +EOF + +cat << EOF > /etc/gitea/app.ini +RUN_MODE = prod +RUN_USER = git + +[repository] +ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories + +[repository.local] +LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo + +[repository.upload] +TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads + +[database] +DB_TYPE=postgres +HOST=localhost +NAME=${GITEA_DB_NAME} +USER=${GITEA_DB_USR} +PASSWD=${GITEA_DB_PWD} +SSL_MODE=disable + +[server] +APP_DATA_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea +DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN} +SSH_DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN} +HTTP_PORT = 3000 +ROOT_URL = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/ +DISABLE_SSH 
= false +SSH_PORT = 11122 +SSH_LISTEN_PORT = 22 +EOF + +chown -R root:git /etc/gitea +chmod 770 /etc/gitea +chmod 770 /etc/gitea/app.ini + +cat << EOF > /etc/nginx/conf.d/default.conf +server { + listen 80; + listen [::]:80; + server_name _; + + server_tokens off; + + access_log /var/log/nginx/gitea.access.log; + error_log /var/log/nginx/gitea.error.log; + + location /.well-known/ { + root /var/www/html; + } + + return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ${LXC_HOSTNAME}.${LXC_DOMAIN}; + + server_tokens off; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 1.1.1.1 1.0.0.1; + + add_header Strict-Transport-Security "max-age=31536000" always; + + location = /robots.txt { + access_log off; + log_not_found off; + } + + location = /favicon.ico { + access_log off; + log_not_found off; + } + + access_log /var/log/nginx/gitea.access.log; + error_log /var/log/nginx/gitea.error.log; + + client_max_body_size 50M; + + location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) { + expires max; + } + location / { + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_pass http://127.0.0.1:3000; + proxy_read_timeout 90; + } +} + +EOF +openssl dhparam -out /etc/nginx/dhparam.pem 4096 + +systemctl daemon-reload +systemctl enable --now gitea +systemctl restart nginx From ad255537474b2fc3fff07e366fdef408e974277f Mon Sep 17 00:00:00 2001 
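Review bot: `ROOT_URL = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/` in app.ini contradicts the nginx vhost written a few lines later, which 301-redirects all plain HTTP to https; Gitea derives absolute links, redirects and (by default) the Secure flag of its session cookie from ROOT_URL, so users get bounced through http and the cookie is set without Secure. It should read `ROOT_URL = https://${LXC_HOSTNAME}.${LXC_DOMAIN}/`, and the `location /` proxy block should add `proxy_set_header X-Forwarded-Proto \$scheme;` so Gitea sees the original scheme. `chown -R root:git /etc/gitea` followed by `chmod 770 /etc/gitea/app.ini` leaves the file holding the DB password group-writable by the service account; once setup is complete this can be tightened to 750 on the directory and 640 on the file. `ssl_stapling on` has no effect with the snakeoil certificate (no OCSP responder), and `resolver 1.1.1.1 1.0.0.1` sends any OCSP lookups to a third-party resolver instead of the container's configured DNS — drop both until a real certificate is in place. The text between `su - postgres <` and the systemd unit appears truncated in this rendering (presumably the database-setup heredoc and the Gitea binary download), so how the binary is fetched and verified could not be reviewed here.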
From: thorstenspille Date: Sat, 21 May 2022 15:47:44 +0200 Subject: [PATCH 11/96] Added new services to README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 858ad1e..4fc1a55 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `checkmk` => Check_MK 2.0 Monitoring Server - `debian-priv` => Debian privileged container with basic toolset - `debian-unpriv` => Debian unprivileged container with basic toolset +- `gitea`=> Lightweight and fast self-hosted git service [gitea.io](https://gitea.io) - `kopano-core` => Kopano Core Grouoware [kopano.io](https://kopano.io/) - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/) - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web) @@ -20,6 +21,7 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org) - `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/) - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported +- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain - `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions) - `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions) ## Usage From 60c43dc2bf8ca4e3940bc30e63b0d846e12d8092 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 21 May 2022 17:12:33 +0200 Subject: [PATCH 12/96] Added shellcheck, cheanged debian-security repo --- src/lxc-base.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lxc-base.sh b/src/lxc-base.sh index b89d820..a99fdfe 100644 --- a/src/lxc-base.sh 
+++ b/src/lxc-base.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -euo pipefail # Authors: # (C) 2021 Idea an concept by Christian Zengel @@ -29,7 +30,7 @@ deb http://ftp.de.debian.org/debian bullseye main contrib deb http://ftp.de.debian.org/debian bullseye-updates main contrib # security updates -deb http://security.debian.org bullseye-security main contrib +deb http://ftp.de.debian.org/debian-security bullseye-security main contrib EOF elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then @@ -40,7 +41,7 @@ deb http://ftp.de.debian.org/debian buster main contrib deb http://ftp.de.debian.org/debian buster-updates main contrib # security updates -deb http://security.debian.org buster/updates main contrib +deb http://ftp.de.debian.org/debian-security buster/updates main contrib EOF else echo "LXC Debian Version false. Please check configuration files!" ; exit fi From 836bae67b332491b0ea0e79384d138c084b9f0c0 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 21 May 2022 19:31:36 +0200 Subject: [PATCH 13/96] Updated urbackup to debian11 --- src/urbackup/constants-service.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/urbackup/constants-service.conf b/src/urbackup/constants-service.conf index 6d9a772..c63658b 100644 --- a/src/urbackup/constants-service.conf +++ b/src/urbackup/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-10-standard" +LXC_TEMPLATE_VERSION="debian-11-standard" # Create sharefs mountpoint LXC_MP="1" @@ -23,4 +23,4 @@ LXC_NESTING="1" URBACKUP_DATA="urbackup" # OS codename for opensuse / urbackup repo -REPO_CODENAME="Debian_10" \ No newline at end of file +REPO_CODENAME="Debian_11" \ No newline at end of file From 51b9573bf0fa29a6d235635a2e93f30fdb43ec62 Mon Sep 17 00:00:00 2001 
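Review bot: With `set -euo pipefail` now at the top of lxc-base.sh, the `else echo "LXC Debian Version false. Please check configuration files!" ; exit` branch (context at the end of the last hunk) still exits with status 0, so an unsupported `LXC_TEMPLATE_VERSION` reports success back to install.sh and the service install proceeds on an unconfigured base; it should be `exit 1`. The strict mode also applies to everything this script sources: a constants file that builds its password with `cat /dev/urandom | tr ... | fold | head -n 1` (the gitea constants earlier in this series do) now kills the script, because `head` closing the pipe makes `tr`/`cat` exit via SIGPIPE and pipefail turns that into a failed assignment. Either those generators need a pipefail-safe helper or the `set` line should land only after the sourced files are audited. Swapping `security.debian.org` for the ftp.de mirror is a trade-off worth a comment, since mirrors of the security suite can lag the primary host.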
From: thorstenspille Date: Sat, 21 May 2022 23:35:10 +0200 Subject: [PATCH 14/96] remove sources.list --- sources.list | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 sources.list diff --git a/sources.list b/sources.list deleted file mode 100644 index aa474ae..0000000 --- a/sources.list +++ /dev/null @@ -1,6 +0,0 @@ -deb http://ftp.de.debian.org/debian buster main contrib - -deb http://ftp.de.debian.org/debian buster-updates main contrib - -# security updates -deb http://security.debian.org buster/updates main contrib \ No newline at end of file From 062c3c9543d8882ff03fc901b5d52c0b26022b52 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 21 May 2022 23:36:02 +0200 Subject: [PATCH 15/96] Fxed README.md --- conf/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/README.md b/conf/README.md index 36c232f..00268c7 100644 --- a/conf/README.md +++ b/conf/README.md @@ -220,7 +220,7 @@ NEXTCLOUD_ADMIN_USR="zmb-admin" ### NEXTCLOUD_ADMIN_PWD Build a strong password for this user. Username and password will shown at the end of the instalation. ```bash -NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" +NEXTCLOUD_ADMIN_PWD="$(random_password)" ``` ### NEXTCLOUD_DATA Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT From bc2640c6dd400975014efb7827ff04737b2b5199 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 21 May 2022 23:36:18 +0200 Subject: [PATCH 16/96] Fixed zamba.conf.example --- conf/zamba.conf.example | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index 52d9329..f3492c1 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example 
@@ -57,7 +57,7 @@ LXC_DNS="192.168.100.254" LXC_BRIDGE="vmbr0" # Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty. -LXC_VLAN= +LXC_VLAN=NONE # Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour. LXC_PWD='Start!123' @@ -126,8 +126,8 @@ NEXTCLOUD_FQDN="nextcloud.zmb.rocks" # The initial admin-user which will be configured NEXTCLOUD_ADMIN_USR="zmb-admin" -# Build a strong password for this user. Username and password will shown at the end of the instalation. -NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" +# Build a strong password for this user. Username and password will shown at the end of the installation. +NEXTCLOUD_ADMIN_PWD="$(random_password)" # Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT NEXTCLOUD_DATA="nc_data" From 5b01d9b1c7ae7ed5ae809871e1dc3ccfc524e6d7 Mon Sep 17 00:00:00 2001 
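Review bot: The comment directly above the new default — `# Defines the vlan id ... if the network adapter should be connected untagged, just leave the value empty.` — is now wrong: an empty value no longer means untagged, because install.sh later in this series compares `$LXC_VLAN != "NONE"` and would emit `,tag=` for an empty string. Change it to `# Defines the vlan id of the LXC container's network interface; if the adapter should be connected untagged, set the value to NONE.` Also note that `NEXTCLOUD_ADMIN_PWD="$(random_password)"` is evaluated on every `source` of zamba.conf, and this file is sourced on the Proxmox host and again inside the container, so the host-side and container-side values differ; harmless as long as only the in-container script uses it, but a comment saying so would stop someone printing the host copy as the "final" password.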
From: thorstenspille Date: Sat, 21 May 2022 23:40:31 +0200 Subject: [PATCH 17/96] Integrated shellcheck changes by @fbartels --- install.sh | 50 +++++++++++++++----------- src/checkmk/install-service.sh | 1 + src/functions.sh | 8 +++++ src/gitea/constants-service.conf | 4 +-- src/gitea/install-service.sh | 17 ++------- src/kopano-core/constants-service.conf | 9 ++--- src/kopano-core/install-service.sh | 1 + src/lxc-base.sh | 1 + src/mailpiler/install-service.sh | 1 + src/matrix/install-service.sh | 5 +-- src/nextcloud/constants-service.conf | 2 +- src/nextcloud/install-service.sh | 1 + src/onlyoffice/install-service.sh | 10 +++++- src/open3a/install-service.sh | 3 +- src/proxmox-pbs/install-service.sh | 1 + src/urbackup/install-service.sh | 1 + src/zammad/install-service.sh | 1 + src/zmb-ad-join/install-service.sh | 2 ++ src/zmb-ad/install-service.sh | 1 + src/zmb-member/install-service.sh | 1 + src/zmb-standalone/install-service.sh | 1 + 21 files changed, 73 insertions(+), 48 deletions(-) create mode 100644 src/functions.sh diff --git a/install.sh b/install.sh index addf0ef..fb8b1be 100755 --- a/install.sh +++ b/install.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -euo pipefail # This script will create and fire up a standard debian buster lxc container on your Proxmox VE. # On a Proxmox cluster, the script will create the container on the local node, where it's executed. @@ -15,7 +16,7 @@ # Please adjust th settings in 'zamba.conf' to your needs before running the script ############### ZAMBA INSTALL SCRIPT ############### -prog="$(basename "$0")" +prog="$(basename $0)" usage() { cat >&2 <<-EOF @@ -36,7 +37,6 @@ usage() { ctid=0 service=ask config=$PWD/conf/zamba.conf -verbose=0 while getopts "hi:s:c:" opt; do case $opt in 
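Review bot: `prog="$(basename $0)"` removes the inner quotes that the old line `prog="$(basename "$0")"` had, which is a regression in a commit described as integrating shellcheck — a `$0` containing whitespace is split into two arguments to basename (SC2086). Keep `prog="$(basename "$0")"`, or use `prog="${0##*/}"` and avoid the fork entirely. Enabling `set -euo pipefail` at the top is welcome, but the `pveam list | grep` pipelines and the remaining `$DEP_REP` reference further down this file need checking against `-e`, `-u` and `pipefail` before this lands, since a no-match grep or an unset variable now terminates the installer.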
@@ -49,13 +49,13 @@ while getopts "hi:s:c:" opt; do done shift $((OPTIND-1)) -OPTS=$(ls -d $PWD/src/*/ | grep -v __ | xargs basename -a) +OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n) valid=0 if [[ "$service" == "ask" ]]; then select svc in $OPTS quit; do if [[ "$svc" != "quit" ]]; then - for line in $(echo $OPTS); do + for line in $OPTS; do if [[ "$svc" == "$line" ]]; then service=$svc echo "Installation of $service selected." @@ -72,7 +72,7 @@ if [[ "$service" == "ask" ]]; then fi done else - for line in $(echo $OPTS); do + for line in $OPTS; do if [[ "$service" == "$line" ]]; then echo "Installation of $service selected." valid=1 @@ -88,9 +88,16 @@ fi # Load configuration file echo "Loading config file '$config'..." -source $config +if [ ! -e "$config" ]; then + echo "Configuration files does not exist" + exit 1 +fi -source $PWD/src/$service/constants-service.conf +source "src/functions.sh" + +source "$config" + +source "$PWD/src/$service/constants-service.conf" # CHeck is the newest template available, else download it. DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2) @@ -99,7 +106,7 @@ TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail if [[ $DEB_LOC == $DEB_REP ]]; then - echo "Newest Version of $LXC_TEMPLATE_VERSION $DEP_REP exists."; + echo "Newest Version of $LXC_TEMPLATE_VERSION $DEB_REP exists."; else echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP."; pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME 
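Review bot: Under the `set -euo pipefail` this commit enables, the context line `DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)` aborts the script whenever the template is not downloaded yet: `grep` exits 1 on no match, pipefail propagates that, and `-e` treats the failed assignment as fatal, so the `pveam download` branch that exists for exactly this case becomes unreachable. Append `|| true` (or test with `grep -q` explicitly), e.g. `DEB_LOC=$(pveam list "$LXC_TEMPLATE_STORAGE" | grep "$LXC_TEMPLATE_VERSION" | tail -1 | cut -d'_' -f2 || true)`. The new `source "src/functions.sh"` uses a cwd-relative path while the neighbouring lines use `$PWD/src/...`; both only work because the script is run from the repo root, so pick one form.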
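Review bot: Fixing `$DEP_REP` to `$DEB_REP` covers only the "exists" message; the context line two below, `echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP."`, still expands the never-assigned `DEP_REP`, and with `set -u` turned on in this same commit that is an "unbound variable" error that kills the installer on the first run on any host without the template. Change it to `echo "Will now download newest $LXC_TEMPLATE_VERSION $DEB_REP."`. While here, quote the right-hand side of `if [[ $DEB_LOC == $DEB_REP ]]` as `"$DEB_REP"` so the template name is compared literally rather than as a glob pattern.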
@@ -121,17 +128,17 @@ fi echo "Will now create LXC Container $LXC_NBR!"; # Create the container -pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; +pct create $LXC_NBR --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; sleep 2; # Check vlan configuration -if [[ $LXC_VLAN != "" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi +if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi # Reconfigure conatiner pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING; if [ $LXC_DHCP == true ]; then - pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN; + pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN" else - pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN; + pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN fi sleep 2 
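Review bot: `pct create $LXC_NBR --password $LXC_PWD ...` puts the container root password into pct's argv, where any local user on the Proxmox host can read it from `ps` or `/proc/*/cmdline` while the command runs, and it may also be recorded in the PVE task log; the `echo ... | passwd` approach it replaces at least kept the value off a command line. The expansion is also unquoted, so a password containing whitespace or glob characters (the example conf explicitly encourages single-quoted strong passwords) is split into several arguments. At minimum write `--password "$LXC_PWD"`; better, keep it out of argv and set it after the container starts with `printf 'root:%s\n' "$LXC_PWD" | pct exec $LXC_NBR -- chpasswd`. The same quoting applies to `$LXC_TEMPLATE_STORAGE`, `$LXC_ROOTFS_STORAGE` and `$LXC_NBR` on that line.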
@@ -144,15 +151,15 @@ PS3="Select the Server-Function: " pct start $LXC_NBR; sleep 5; -# Set the root password and key -echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd; -lxc-attach -n$LXC_NBR mkdir /root/.ssh; +# Set the root ssh key +pct exec $LXC_NBR -- mkdir /root/.ssh pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys -pct push $LXC_NBR $config /root/zamba.conf -pct push $LXC_NBR $PWD/src/constants.conf /root/constants.conf -pct push $LXC_NBR $PWD/src/lxc-base.sh /root/lxc-base.sh -pct push $LXC_NBR $PWD/src/$service/install-service.sh /root/install-service.sh -pct push $LXC_NBR $PWD/src/$service/constants-service.conf /root/constants-service.conf +pct push $LXC_NBR "$config" /root/zamba.conf +pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh +pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf +pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh +pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh +pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf echo "Installing basic container setup..." lxc-attach -n$LXC_NBR bash /root/lxc-base.sh @@ -161,6 +168,7 @@ lxc-attach -n$LXC_NBR bash /root/install-service.sh if [[ $service == "zmb-ad" ]]; then pct stop $LXC_NBR - pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1) + ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format + pct set $LXC_NBR -nameserver ${LXC_IP%/*} pct start $LXC_NBR fi diff --git a/src/checkmk/install-service.sh b/src/checkmk/install-service.sh index d422a13..6822b58 100644 --- a/src/checkmk/install-service.sh +++ b/src/checkmk/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf 
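Review bot: `pct exec $LXC_NBR -- mkdir /root/.ssh` and the following `pct push ... /root/.ssh/authorized_keys` pin neither the directory nor the file mode, so root's authorized_keys permissions depend on the container umask and pct's push defaults rather than being stated; and without `-p` the mkdir fails — under the new `set -e`, fatally — if the template already ships `/root/.ssh`. I would write `pct exec $LXC_NBR -- mkdir -p -m 700 /root/.ssh` and `pct push $LXC_NBR "$LXC_AUTHORIZED_KEY" /root/.ssh/authorized_keys --perms 0600` (pct push accepts `--perms` in current releases; verify against the PVE 6.x minimum the README states), quoting `$LXC_AUTHORIZED_KEY` like its neighbours. The pushed `/root/zamba.conf` and `/root/constants-service.conf` contain `LXC_PWD` and the generated database passwords in clear text, and nothing visible removes them once `install-service.sh` has run, so they stay readable inside every container for its lifetime — delete them at the end of the install, or at least `chmod 600` them right after the push.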
diff --git a/src/functions.sh b/src/functions.sh new file mode 100644 index 0000000..fa37998 --- /dev/null +++ b/src/functions.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# +# This script has basic functions like a random password generator + +random_password() { + set +o pipefail + C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32 +} \ No newline at end of file diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf index 09949e8..77513ba 100644 --- a/src/gitea/constants-service.conf +++ b/src/gitea/constants-service.conf @@ -31,5 +31,5 @@ GITEA_DB_NAME="gitea" # Defines the name from the SQL user GITEA_DB_USR="gitea" -# Build a strong password for the SQL user - could be overwritten with something fixed -GITEA_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" \ No newline at end of file +# Build a strong password for the SQL user - could be overwritten with something fixed +GITEA_DB_PWD="$(random_password)" \ No newline at end of file diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh index 9c43322..f57f7e5 100644 --- a/src/gitea/install-service.sh +++ b/src/gitea/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf @@ -83,10 +84,11 @@ SSL_MODE=disable APP_DATA_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN} SSH_DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN} +HTTP_HOST = localhost HTTP_PORT = 3000 ROOT_URL = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/ DISABLE_SSH = false -SSH_PORT = 11122 +SSH_PORT = 22 SSH_LISTEN_PORT = 22 EOF 
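Review bot: `C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32` in `random_password` misspells the locale variable — nothing reads `C_CTYPE`, so the byte-wise `tr` behaviour the line is trying to request is not actually in effect; it should be `LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32` (or `LC_ALL=C`). `set +o pipefail` inside a `{ }` function body changes the option for the calling shell, not just this pipeline; every caller in this series uses `$(random_password)`, where the subshell contains the change, but a direct call would silently disable pipefail for the rest of the script — declaring the body as a subshell, `random_password() ( set +o pipefail; LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32 )`, removes that trap. A header comment stating the contract would also help, e.g. `# Prints 32 random alphanumeric characters without a trailing newline; pipefail is disabled here because head closing the pipe makes tr exit via SIGPIPE.`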
@@ -136,24 +138,11 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; - location = /robots.txt { - access_log off; - log_not_found off; - } - - location = /favicon.ico { - access_log off; - log_not_found off; - } - access_log /var/log/nginx/gitea.access.log; error_log /var/log/nginx/gitea.error.log; client_max_body_size 50M; - location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) { - expires max; - } location / { proxy_set_header X-Real-IP \$remote_addr; proxy_set_header Host \$host; diff --git a/src/kopano-core/constants-service.conf b/src/kopano-core/constants-service.conf index 30026c7..739d6d1 100644 --- a/src/kopano-core/constants-service.conf +++ b/src/kopano-core/constants-service.conf @@ -35,10 +35,7 @@ MARIA_DB_NAME="kopano" MARIA_DB_USER="kopano" # Build a strong password for the SQL user - could be overwritten with something fixed -secure_pwd() { - set +o pipefail - LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32 -} -MARIA_ROOT_PWD=$(secure_pwd) -MARIA_USER_PWD=$(secure_pwd) + +MARIA_ROOT_PWD=$(random_password) +MARIA_USER_PWD=$(random_password) diff --git a/src/kopano-core/install-service.sh b/src/kopano-core/install-service.sh index 53c375f..ef5fbe5 100644 --- a/src/kopano-core/install-service.sh +++ b/src/kopano-core/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/lxc-base.sh b/src/lxc-base.sh index a99fdfe..e90f6b7 100644 --- a/src/lxc-base.sh +++ b/src/lxc-base.sh @@ -8,6 +8,7 @@ set -euo pipefail # load configuration echo "Loading configuration..." +source /root/functions.sh source /root/zamba.conf source /root/constants.conf source /root/constants-service.conf diff --git a/src/mailpiler/install-service.sh b/src/mailpiler/install-service.sh index 035b852..217bfc6 100644 
--- a/src/mailpiler/install-service.sh +++ b/src/mailpiler/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh index 1283d5b..bec0ae3 100644 --- a/src/matrix/install-service.sh +++ b/src/matrix/install-service.sh @@ -5,14 +5,15 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) +MRX_PKE=$(random_password) ELE_DBNAME="synapse_db" ELE_DBUSER="synapse_user" -ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) +ELE_DBPASS=$(random_password) DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2 diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index e7ba80a..c805262 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf @@ -38,4 +38,4 @@ NEXTCLOUD_DB_NAME="nextcloud_db" NEXTCLOUD_DB_USR="nextcloud" # Build a strong password for the SQL user - could be overwritten with something fixed -NEXTCLOUD_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" +NEXTCLOUD_DB_PWD="$(random_password)" diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 0137db9..e719ce6 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf 
diff --git a/src/onlyoffice/install-service.sh b/src/onlyoffice/install-service.sh index c623bee..afea5b3 100644 --- a/src/onlyoffice/install-service.sh +++ b/src/onlyoffice/install-service.sh @@ -1,7 +1,15 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -ONLYOFFICE_DB_PASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) +ONLYOFFICE_DB_PASS=$(random_password) apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5 echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh index 9b22d69..cae28e0 100644 --- a/src/open3a/install-service.sh +++ b/src/open3a/install-service.sh @@ -5,12 +5,13 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf webroot=/var/www/html -MYSQL_PASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)" +MYSQL_PASSWORD="$(random_password)" apt update diff --git a/src/proxmox-pbs/install-service.sh b/src/proxmox-pbs/install-service.sh index 4c3c121..5e77729 100644 --- a/src/proxmox-pbs/install-service.sh +++ b/src/proxmox-pbs/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/urbackup/install-service.sh b/src/urbackup/install-service.sh index b9ce29a..e35ddcf 100644 --- a/src/urbackup/install-service.sh +++ b/src/urbackup/install-service.sh 
@@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh index 957437f..b6ea274 100644 --- a/src/zammad/install-service.sh +++ b/src/zammad/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index da5d728..ee0dae9 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh @@ -4,6 +4,8 @@ # (C) 2021 Idea an concept by Christian Zengel # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh index c4c2845..dd87596 100644 --- a/src/zmb-ad/install-service.sh +++ b/src/zmb-ad/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh index 0cf017d..c2fdfcf 100644 --- a/src/zmb-member/install-service.sh +++ b/src/zmb-member/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf 
diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh index 8d0979e..6ba2878 100644 --- a/src/zmb-standalone/install-service.sh +++ b/src/zmb-standalone/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf From ec8b7cb2f00df5700614b28d2139de6f86d7ed29 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 23 May 2022 22:20:34 +0200 Subject: [PATCH 18/96] Changed apt repo to tu-dresden --- src/lxc-base.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/lxc-base.sh b/src/lxc-base.sh index e90f6b7..5ae63a7 100644 --- a/src/lxc-base.sh +++ b/src/lxc-base.sh 
@@ -26,23 +26,23 @@ locale-gen $LXC_LOCALE if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then cat << EOF > /etc/apt/sources.list -deb http://ftp.de.debian.org/debian bullseye main contrib +deb https://debian.inf.tu-dresden.de/debian bullseye main contrib -deb http://ftp.de.debian.org/debian bullseye-updates main contrib +deb https://debian.inf.tu-dresden.de/debian bullseye-updates main contrib # security updates -deb http://ftp.de.debian.org/debian-security bullseye-security main contrib +deb https://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib EOF elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then cat << EOF > /etc/apt/sources.list -deb http://ftp.de.debian.org/debian buster main contrib +deb https://debian.inf.tu-dresden.de/debian buster main contrib -deb http://ftp.de.debian.org/debian buster-updates main contrib +deb https://debian.inf.tu-dresden.de/debian buster-updates main contrib # security updates -deb http://ftp.de.debian.org/debian-security buster/updates main contrib +deb https://debian.inf.tu-dresden.de/debian-security buster/updates main contrib EOF else echo "LXC Debian Version false. Please check configuration files!" ; exit fi From 19feb9b6d5983febf07d2bc690bf4f27f9cb9b1d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 23 May 2022 22:20:49 +0200 Subject: [PATCH 19/96] remove sources.list --- src/sources.list | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 src/sources.list diff --git a/src/sources.list b/src/sources.list deleted file mode 100644 index aa474ae..0000000 --- a/src/sources.list +++ /dev/null @@ -1,6 +0,0 @@ -deb http://ftp.de.debian.org/debian buster main contrib - -deb http://ftp.de.debian.org/debian buster-updates main contrib - -# security updates -deb http://security.debian.org buster/updates main contrib \ No newline at end of file From a24c78edc226ea6d7fc838479668385490b95db1 Mon Sep 17 00:00:00 2001 
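Review bot: The security suite (`bullseye-security`, `buster/updates`) is now fetched from `https://debian.inf.tu-dresden.de/debian-security` instead of `security.debian.org`; security fixes are typically published on security.debian.org first and reach mirrors with a delay, so containers built from this list can trail security updates by that mirror's sync interval, and one university mirror becomes a single point of failure for every container this project creates. I would keep `deb https://security.debian.org/debian-security bullseye-security main contrib` (and the `buster/updates` line analogously) for the security entries and use the mirror only for main/updates, or move the mirror host into a variable in constants.conf so deployments outside Germany can choose a closer one. The switch to `https://` also assumes `ca-certificates` is present in the template before the first `apt update`; if the standard template lacks it, apt will reject the mirror, so that is worth a check or an explicit install.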
From: thorstenspille Date: Mon, 23 May 2022 22:21:07 +0200 Subject: [PATCH 20/96] Add zabbix container --- src/zabbix/constants-service.conf | 36 +++++++ src/zabbix/install-service.sh | 172 ++++++++++++++++++++++++++++++ 2 files changed, 208 insertions(+) create mode 100644 src/zabbix/constants-service.conf create mode 100644 src/zabbix/install-service.sh diff --git a/src/zabbix/constants-service.conf b/src/zabbix/constants-service.conf new file mode 100644 index 0000000..5dbe68c --- /dev/null +++ b/src/zabbix/constants-service.conf @@ -0,0 +1,36 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + + +# Defines the IP from the SQL server +ZABBIX_DB_IP="127.0.0.1" + +# Defines the PORT from the SQL server +ZABBIX_DB_PORT="5432" + +# Defines the name from the SQL database +ZABBIX_DB_NAME="zabbix" + +# Defines the name from the SQL user +ZABBIX_DB_USR="zabbix" + +# Build a strong password for the SQL user - could be overwritten with something fixed +ZABBIX_DB_PWD="$(random_password)" \ No newline at end of file diff --git a/src/zabbix/install-service.sh b/src/zabbix/install-service.sh new file mode 100644 index 0000000..5e7fa1e --- /dev/null +++ b/src/zabbix/install-service.sh 
@@ -0,0 +1,172 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key +echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list + +wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - +echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-sql-scripts zabbix-agent sudo ssl-cert + +unlink /etc/nginx/sites-enabled/default + +cat << EOF > /etc/zabbix/nginx.conf +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + server_tokens off; + + access_log /var/log/nginx/gitea.access.log; + error_log /var/log/nginx/gitea.error.log; + + location /.well-known/ { + } + + return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri; + } + +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + + server_name ${LXC_HOSTNAME}.${LXC_DOMAIN}; + + server_tokens off; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + ssl_stapling on; + 
ssl_stapling_verify on; + + resolver 1.1.1.1 1.0.0.1; + + add_header Strict-Transport-Security "max-age=31536000" always; + + root /usr/share/zabbix; + + index index.php; + + location = /favicon.ico { + log_not_found off; + } + + location / { + try_files \$uri \$uri/ =404; + } + + location /assets { + access_log off; + expires 10d; + } + + location ~ /\.ht { + deny all; + } + + location ~ /(api\/|conf[^\.]|include|locale) { + deny all; + return 404; + } + + location /vendor { + deny all; + return 404; + } + + location ~ [^/]\.php(/|$) { + fastcgi_pass unix:/var/run/php/zabbix.sock; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + + fastcgi_param DOCUMENT_ROOT /usr/share/zabbix; + fastcgi_param SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name; + fastcgi_param PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name; + + include fastcgi_params; + fastcgi_param QUERY_STRING \$query_string; + fastcgi_param REQUEST_METHOD \$request_method; + fastcgi_param CONTENT_TYPE \$content_type; + fastcgi_param CONTENT_LENGTH \$content_length; + + fastcgi_intercept_errors on; + fastcgi_ignore_client_abort off; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 180; + fastcgi_read_timeout 180; + fastcgi_buffer_size 128k; + fastcgi_buffers 4 256k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + } +} +EOF + +ln -sf /etc/zabbix/nginx.conf /etc/nginx/sites-enabled/zabbix.conf + +cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf +[zabbix] +user = www-data +group = www-data + +listen = /var/run/php/zabbix.sock +listen.owner = www-data +listen.allowed_clients = 127.0.0.1 + +pm = dynamic +pm.max_children = 50 +pm.start_servers = 5 +pm.min_spare_servers = 5 +pm.max_spare_servers = 35 +pm.max_requests = 200 + +php_value[session.save_handler] = files +php_value[session.save_path] = /var/lib/php/sessions/ + +php_value[max_execution_time] = 300 +php_value[memory_limit] = 128M +php_value[post_max_size] = 16M 
+php_value[upload_max_filesize] = 2M +php_value[max_input_time] = 300 +php_value[max_input_vars] = 10000 +EOF + +timedatectl set-timezone ${LXC_TIMEZONE} + +systemctl enable --now postgresql + +su - postgres <> /etc/zabbix/zabbix_server.conf + +openssl dhparam -out /etc/nginx/dhparam.pem 4096 + +systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm + +systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm \ No newline at end of file From 42d5c05079ee73567016d738ae97886614bbbc55 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 23 May 2022 23:16:18 +0200 Subject: [PATCH 21/96] Activate all supported languages in zabbix --- src/zabbix/install-service.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/zabbix/install-service.sh b/src/zabbix/install-service.sh index 5e7fa1e..196b44a 100644 --- a/src/zabbix/install-service.sh +++ b/src/zabbix/install-service.sh @@ -161,6 +161,8 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created." EOF +sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php + zcat /usr/share/doc/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql zabbix echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf From a36177b8d35a128490ec610366d6a59352a7ad0e Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 23 May 2022 23:20:49 +0200 Subject: [PATCH 22/96] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4fc1a55..2b5a841 100644 --- a/README.md +++ b/README.md 
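Review bot: Both repository keys are imported with `apt-key adv --fetch` / `apt-key add -` into the global trusted keyring, so either key can sign packages for every configured source rather than only its own repository, and apt-key is deprecated on bullseye. Store each key under /usr/share/keyrings and bind it to its source with `signed-by=`, as below; curl and gnupg2 are part of LXC_TOOLSET_BASE so nothing new is needed. After `echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf` the file holds a credential, so confirm its mode is not world-readable (e.g. `chmod 640 /etc/zabbix/zabbix_server.conf`, group zabbix) — I cannot see the package default from here.
```shell
install -d -m 0755 /usr/share/keyrings
curl -fsSL https://repo.zabbix.com/zabbix-official-repo.key | gpg --dearmor -o /usr/share/keyrings/zabbix-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/zabbix-archive-keyring.gpg] https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /usr/share/keyrings/pgdg-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/pgdg-archive-keyring.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list
# … unchanged: apt update, dist-upgrade, package install, nginx/php-fpm config …
```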
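Review bot: `sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php` flips every literal `false` in that file, not only whatever flag marks a locale as enabled, and it edits a file owned by the zabbix-frontend-php package, so the next package upgrade either silently reverts it or stops on a modified file. Anchor the substitution on the specific key that enables a locale (check the key name in locales.inc.php before relying on it) and leave a comment that this is a post-install patch which must be re-applied after upgrades, e.g. `# enable all frontend locales; package upgrades overwrite this file`. The enclosing `su - postgres` heredoc above this hunk starts outside it.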
@@ -19,6 +19,7 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de) - `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server) - `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org) +- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com) - `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/) - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported - `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain From 9b9354f09c9bd80a353491ab1b77de9fc8771cb0 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Jun 2022 18:11:24 +0200 Subject: [PATCH 23/96] Add debug param, switch to pct exec --- install.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/install.sh b/install.sh index fb8b1be..8f6867f 100755 --- a/install.sh +++ b/install.sh @@ -20,11 +20,12 @@ prog="$(basename $0)" usage() { cat >&2 <<-EOF - usage: $prog [-h] [-i CTID] [-s SERVICE] [-c CFGFILE] + usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] installs a preconfigured lxc container on your proxmox server -i CTID provide a container id instead of auto detection -s SERVICE provide the service name and skip the selection dialog -c CFGFILE use a different config file than 'zamba.conf' + -d Debug mode inside LXC container -h displays this help text --------------------------------------------------------------------------- (C) 2021 zamba-lxc-toolbox by bashclub (https://github.com/bashclub) 
@@ -37,13 +38,15 @@ usage() { ctid=0 service=ask config=$PWD/conf/zamba.conf +debug=0 -while getopts "hi:s:c:" opt; do +while getopts "hi:s:c:d" opt; do case $opt in h) usage 0 ;; i) ctid=$OPTARG ;; s) service=$OPTARG ;; c) config=$OPTARG ;; + d) debug=1 ;; *) usage 1 ;; esac done @@ -161,10 +164,12 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf +if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi + echo "Installing basic container setup..." -lxc-attach -n$LXC_NBR bash /root/lxc-base.sh +pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh" echo "Install '$service'!" -lxc-attach -n$LXC_NBR bash /root/install-service.sh +pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh" if [[ $service == "zmb-ad" ]]; then pct stop $LXC_NBR From c28bbc32d94f6a97715ef0c388df3d1b8d720c08 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Jun 2022 18:11:45 +0200 Subject: [PATCH 24/96] Add Tactical RMM parameters --- conf/zamba.conf.example | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index f3492c1..760aab7 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example @@ -159,3 +159,10 @@ KOPANO_MAILGW="192.168.100.254" # Kopano test- or subscription-key offerd from # https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10 KOPANO_REPKEY="1234567890abcdefghijklmno" + +############### Tactical-RMM Section ############### + +rmmdomain=api.${LXC_DOMAIN} +frontenddomain=${LXC_HOSTNAME}.${LXC_DOMAIN} +meshdomain=mesh.${LXC_DOMAIN} +adminemail=rmm@${LXC_DOMAIN} \ No newline at end of file From 2b4a533c958d499b63de90b0b0368cdc33d0183a Mon Sep 17 00:00:00 2001 
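Review bot: Debug mode runs the container scripts with `bash -vx`, which echoes every expanded command to the operator's terminal and any captured log — including the generated database and service passwords that the installers interpolate into `psql`/`echo` commands (for example the `DBPassword=${ZABBIX_DB_PWD}` line elsewhere in this series). Say so where the flag is documented, e.g. `-d Debug mode inside LXC container (traces every command, including generated secrets)`, or print a one-line warning before the `pct exec` calls when `debug=1`. The `pct exec … su - root -c "bash $dbg …"` form is otherwise fine since `$dbg` is either empty or a fixed flag.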
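Review bot: The new Tactical-RMM settings `rmmdomain`, `frontenddomain`, `meshdomain` and `adminemail` are lowercase, unlike every other user-facing setting in this file (`KOPANO_MAILGW`, `KOPANO_REPKEY`, `LXC_DOMAIN`), so they read as throwaway script locals and are easy to clobber from any script that sources the config. Naming them `RMM_DOMAIN`, `RMM_FRONTEND_DOMAIN`, `RMM_MESH_DOMAIN` and `RMM_ADMIN_EMAIL` with a one-line comment each (what the value is used for) would match the rest of the file; the installer that consumes them would need the same rename. The hunk also leaves the file without a trailing newline.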
From: thorstenspille Date: Thu, 9 Jun 2022 18:12:40 +0200 Subject: [PATCH 25/96] Add dirmngr to TOOLSET_BASE --- src/constants.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/constants.conf b/src/constants.conf index bc1838c..ecde0f0 100644 --- a/src/constants.conf +++ b/src/constants.conf @@ -8,4 +8,4 @@ # This file contains the project constants on container level # Define your (administrative) tools, you always want to have installed into your LXC container -LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common" \ No newline at end of file +LXC_TOOLSET_BASE="lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget" \ No newline at end of file From 6a4335c5ecb0c641dddac603503a20818e20bc77 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Jun 2022 18:13:17 +0200 Subject: [PATCH 26/96] Remove setting timezone in gitea installer --- src/gitea/install-service.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh index f57f7e5..5532922 100644 --- a/src/gitea/install-service.sh +++ b/src/gitea/install-service.sh @@ -19,8 +19,6 @@ apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert unzip zip -timedatectl set-timezone ${LXC_TIMEZONE} - systemctl enable --now postgresql su - postgres < Date: Thu, 9 Jun 2022 18:13:34 +0200 Subject: [PATCH 27/96] Changed open3a version to 3.6 --- src/open3a/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh index cae28e0..4cab551 100644 --- a/src/open3a/install-service.sh +++ b/src/open3a/install-service.sh 
@@ -56,7 +56,7 @@ CREATE DATABASE IF NOT EXISTS open3a; GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';" cd $webroot -wget https://www.open3a.de/download/open3A%203.5.zip -O $webroot/open3a.zip +wget https://www.open3a.de/download/open3A%203.6.zip -O $webroot/open3a.zip unzip open3a.zip rm open3a.zip chmod 666 system/DBData/Installation.pfdb.php From e01a6f67bc50809a5483a93f0261c1ab9c24fe4d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Jun 2022 18:13:56 +0200 Subject: [PATCH 28/96] Add tactical rmm container --- src/tactical-rmm/constants-service.conf | 47 ++ src/tactical-rmm/install-service.sh | 712 ++++++++++++++++++++++++ 2 files changed, 759 insertions(+) create mode 100644 src/tactical-rmm/constants-service.conf create mode 100644 src/tactical-rmm/install-service.sh diff --git a/src/tactical-rmm/constants-service.conf b/src/tactical-rmm/constants-service.conf new file mode 100644 index 0000000..507c380 --- /dev/null +++ b/src/tactical-rmm/constants-service.conf 
@@ -0,0 +1,47 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="1" + +# Create unprivileged container +LXC_UNPRIVILEGED="0" + +# enable nesting feature +LXC_NESTING="1" + +# Defines the IP from the SQL server +RMM_DB_IP="127.0.0.1" + +# Defines the PORT from the SQL server +RMM_DB_PORT="5432" + +# Defines the name from the SQL database +RMM_DB_NAME="rmm" + +# Defines the name from the SQL user +pgusername="rmm" + +# Build a strong password for the SQL user - could be overwritten with something fixed +RMMUSER=tactical +pgpw="$(random_password)" +DJANGO_SEKRET="$(random_password)" +ADMINURL="$(random_password)" +MESHPASSWD="$(random_password)" +meshusername="$(random_password)" + +# vars from tactical-rmm install script +SCRIPTS_DIR="/opt/trmm-community-scripts" +PYTHON_VER="3.10.4" +TMP_FILE=$(mktemp -p "" "rmminstall_XXXXXXXXXX") +osname=debian +djangousername=admin \ No newline at end of file diff --git a/src/tactical-rmm/install-service.sh b/src/tactical-rmm/install-service.sh new file mode 100644 index 0000000..41d0c14 --- /dev/null +++ b/src/tactical-rmm/install-service.sh 
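Review bot: `LXC_UNPRIVILEGED="0"` makes the Tactical-RMM container privileged, so root inside the container is root on the Proxmox host — a large blast radius for a service that accepts connections from managed endpoints, and the zabbix constants in this series keep `"1"`. If a privileged container is genuinely required (nothing in the accompanying installer obviously needs it), record the reason on the line, e.g. `# privileged container required for: <reason> — TODO confirm`; otherwise default to `"1"`. `TMP_FILE=$(mktemp -p "" "rmminstall_XXXXXXXXXX")` also creates a fresh temp file every time this file is sourced, and the variable is not referenced anywhere in the visible installer, so each run leaks an empty file in /tmp.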
@@ -0,0 +1,712 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +codename=$(lsb_release -cs) + +useradd -m -G sudo -s /bin/bash ${RMMUSER} + +echo "deb https://repo.mongodb.org/apt/$osname buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list +echo "deb https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > /etc/apt/sources.list.d/postgres.list +echo "deb https://deb.nodesource.com/node_16.x $codename main" > /etc/apt/sources.list.d/nodejs.list +echo "deb https://dl.yarnpkg.com/debian stable main" > tee /etc/apt/sources.list.d/yarn.list + +apt-key adv --fetch https://pgp.mongodb.com/server-4.4.pub +apt-key adv --fetch https://deb.nodesource.com/gpgkey/nodesource.gpg.key +apt-key adv --fetch https://dl.yarnpkg.com/debian/yarnkey.gpg +apt-key adv --fetch https://www.postgresql.org/media/keys/ACCC4CF8.asc + + +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq sudo ssl-cert nginx mongodb-org gcc g++ make build-essential zlib1g-dev libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev ca-certificates redis git postgresql-14 rpl +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nodejs + +echo "${RMMUSER} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${RMMUSER} + +npm install --no-fund --location=global npm + +openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/${frontenddomain}.key -out /etc/ssl/certs/${frontenddomain}.pem -subj "/CN=$frontenddomain" -addext "subjectAltName=DNS:*.${frontenddomain}" +chown root:ssl-cert /etc/ssl/private/${frontenddomain}.key +chmod 640 /etc/ssl/private/${frontenddomain}.key +usermod -aG ssl-cert ${RMMUSER} + 
+update-ca-certificates + +systemctl enable mongod.service postgresql.service + +# configure hosts file +echo "127.0.1.1 ${rmmdomain} ${frontenddomain} ${meshdomain}" | tee --append /etc/hosts > /dev/null + +# set global nginx vars +sed -i 's/worker_connections.*/worker_connections 2048;/g' /etc/nginx/nginx.conf +sed -i 's/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 64;/g' /etc/nginx/nginx.conf + +# compile python3 +su - ${RMMUSER} << EOF +cd ~ +wget https://www.python.org/ftp/python/${PYTHON_VER}/Python-${PYTHON_VER}.tgz +tar -xf Python-${PYTHON_VER}.tgz +cd Python-${PYTHON_VER} +./configure --enable-optimizations +make -j $(nproc) +sudo make altinstall +cd ~ +sudo rm -rf Python-${PYTHON_VER} Python-${PYTHON_VER}.tgz +EOF + + +systemctl restart mongod postgresql +systemctl stop nginx + +# configure postgresql +cd /var/lib/postgresql +sudo -u postgres psql -c "CREATE DATABASE tacticalrmm;" +sudo -u postgres psql -c "CREATE USER ${pgusername} WITH PASSWORD '${pgpw}';" +sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET client_encoding TO 'utf8';" +sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET default_transaction_isolation TO 'read committed';" +sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET timezone TO 'UTC';" +sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE tacticalrmm TO ${pgusername};" + +# clone tacticalrmm +mkdir /rmm +chown ${RMMUSER}:${RMMUSER} /rmm +mkdir -p /var/log/celery +chown ${RMMUSER}:${RMMUSER} /var/log/celery +mkdir -p ${SCRIPTS_DIR} +chown ${RMMUSER}:${RMMUSER} ${SCRIPTS_DIR} +su - ${RMMUSER} << EOF +cd /rmm +git clone -b master https://github.com/amidaware/tacticalrmm.git /rmm +git config user.email "admin@example.com" +git config user.name "Bob" +cd ${SCRIPTS_DIR} +git clone -b main https://github.com/amidaware/community-scripts.git ${SCRIPTS_DIR}/ +git config user.email "admin@example.com" +git config user.name "Bob" +EOF + +# configure NATS server +NATS_SERVER_VER=$(grep "^NATS_SERVER_VER" 
/rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}') +nats_tmp=$(mktemp -d -t nats-server-XXXXXXXXXXXXX) +wget https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER_VER}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -O ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz +tar -xzf ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -C ${nats_tmp} +mv ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64/nats-server /usr/local/bin/ +chmod +x /usr/local/bin/nats-server +chown ${RMMUSER}:${RMMUSER} /usr/local/bin/nats-server +rm -rf ${nats_tmp} + +# fix cert in nats-rmm.conf +rpl "/etc/letsencrypt/live/${frontenddomain}/fullchain.pem" "/etc/ssl/certs/${frontenddomain}.pem" /rmm/api/tacticalrmm/nats-rmm.conf +rpl "/etc/letsencrypt/live/${frontenddomain}/privkey.pem" "/etc/ssl/private/${frontenddomain}.key" /rmm/api/tacticalrmm/nats-rmm.conf + +# install meshcentral +MESH_VER=$(grep "^MESH_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}') + +mkdir -p /meshcentral/meshcentral-data +chown ${RMMUSER}:${RMMUSER} -R /meshcentral + +su - ${RMMUSER} << EOF +cd /meshcentral +npm install meshcentral@${MESH_VER} +EOF + +chown ${RMMUSER}:${RMMUSER} -R /meshcentral + +meshcfg="$(cat << EOF +{ + "settings": { + "Cert": "${meshdomain}", + "MongoDb": "mongodb://127.0.0.1:27017", + "MongoDbName": "meshcentral", + "WANonly": true, + "Minify": 1, + "Port": 4430, + "AliasPort": 443, + "RedirPort": 800, + "AllowLoginToken": true, + "AllowFraming": true, + "_AgentPing": 60, + "AgentPong": 300, + "AllowHighQualityDesktop": true, + "TlsOffload": "127.0.0.1", + "agentCoreDump": false, + "Compression": true, + "WsCompression": true, + "AgentWsCompression": true, + "MaxInvalidLogin": { "time": 5, "count": 5, "coolofftime": 30 } + }, + "domains": { + "": { + "Title": "Tactical RMM", + "Title2": "Tactical RMM", + "NewAccounts": false, + "CertUrl": "https://${meshdomain}:443/", + "GeoLocation": true, + 
"CookieIpCheck": false, + "mstsc": true, + "force2factor": false + } + } +} +EOF +)" +sudo -u ${RMMUSER} echo "${meshcfg}" > /meshcentral/meshcentral-data/config.json + +localvars="$(cat << EOF +SECRET_KEY = "${DJANGO_SEKRET}" + +DEBUG = False + +ALLOWED_HOSTS = ['${rmmdomain}'] + +ADMIN_URL = "${ADMINURL}/" + +CORS_ORIGIN_WHITELIST = [ + "https://${frontenddomain}" +] + +DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.postgresql', + 'NAME': 'tacticalrmm', + 'USER': '${pgusername}', + 'PASSWORD': '${pgpw}', + 'HOST': 'localhost', + 'PORT': '5432', + } +} + +MESH_USERNAME = "${meshusername}" +MESH_SITE = "https://${meshdomain}" +REDIS_HOST = "localhost" +ADMIN_ENABLED = True +EOF +)" +sudo -u ${RMMUSER} echo "${localvars}" > /rmm/api/tacticalrmm/tacticalrmm/local_settings.py + +cp /rmm/natsapi/bin/nats-api /usr/local/bin +chown ${RMMUSER}:${RMMUSER} /usr/local/bin/nats-api +chmod +x /usr/local/bin/nats-api + +SETUPTOOLS_VER=$(grep "^SETUPTOOLS_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}') +WHEEL_VER=$(grep "^WHEEL_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}') + +su - ${RMMUSER} << EOF +cd /rmm/api/ +/usr/local/bin/python3.10 -m venv env +source /rmm/api/env/bin/activate +cd /rmm/api/tacticalrmm +pip install --no-cache-dir --upgrade pip +pip install --no-cache-dir setuptools==${SETUPTOOLS_VER} wheel==${WHEEL_VER} +pip install --no-cache-dir -r /rmm/api/tacticalrmm/requirements.txt +python manage.py migrate +python manage.py collectstatic --no-input +python manage.py create_natsapi_conf +python manage.py load_chocos +python manage.py load_community_scripts +python manage.py create_installer_user +deactivate +EOF + +# install backend +echo 'Optimizing for number of processors' +uwsgiprocs=4 +if [[ "$(nproc)" == "1" ]]; then + uwsgiprocs=2 +else + uwsgiprocs=$(nproc) +fi + +uwsgini="$(cat << EOF +[uwsgi] +chdir = /rmm/api/tacticalrmm +module = tacticalrmm.wsgi +home = /rmm/api/env +master = 
true +processes = ${uwsgiprocs} +threads = ${uwsgiprocs} +enable-threads = true +socket = /rmm/api/tacticalrmm/tacticalrmm.sock +harakiri = 300 +chmod-socket = 660 +buffer-size = 65535 +vacuum = true +die-on-term = true +max-requests = 500 +disable-logging = true +EOF +)" +sudo -u ${RMMUSER} echo "${uwsgini}" > /rmm/api/tacticalrmm/app.ini + +# create systemd services + +rmmservice="$(cat << EOF +[Unit] +Description=tacticalrmm uwsgi daemon +After=network.target postgresql.service + +[Service] +User=${RMMUSER} +Group=www-data +WorkingDirectory=/rmm/api/tacticalrmm +Environment="PATH=/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +ExecStart=/rmm/api/env/bin/uwsgi --ini app.ini +Restart=always +RestartSec=10s + +[Install] +WantedBy=multi-user.target +EOF +)" +echo "${rmmservice}" | sudo tee /etc/systemd/system/rmm.service > /dev/null + +daphneservice="$(cat << EOF +[Unit] +Description=django channels daemon +After=network.target + +[Service] +User=${RMMUSER} +Group=www-data +WorkingDirectory=/rmm/api/tacticalrmm +Environment="PATH=/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +ExecStart=/rmm/api/env/bin/daphne -u /rmm/daphne.sock tacticalrmm.asgi:application +Restart=always +RestartSec=3s + +[Install] +WantedBy=multi-user.target +EOF +)" +echo "${daphneservice}" | sudo tee /etc/systemd/system/daphne.service > /dev/null + +natsservice="$(cat << EOF +[Unit] +Description=NATS Server +After=network.target + +[Service] +PrivateTmp=true +Type=simple +ExecStart=/usr/local/bin/nats-server -c /rmm/api/tacticalrmm/nats-rmm.conf +ExecReload=/usr/bin/kill -s HUP \$MAINPID +ExecStop=/usr/bin/kill -s SIGINT \$MAINPID +User=${RMMUSER} +Group=www-data +Restart=always +RestartSec=5s +LimitNOFILE=1000000 + +[Install] +WantedBy=multi-user.target +EOF +)" +echo "${natsservice}" | sudo tee /etc/systemd/system/nats.service > /dev/null + +natsapi="$(cat << EOF +[Unit] +Description=TacticalRMM Nats Api v1 +After=nats.service + 
+[Service] +Type=simple +ExecStart=/usr/local/bin/nats-api +User=${RMMUSER} +Group=${RMMUSER} +Restart=always +RestartSec=5s + +[Install] +WantedBy=multi-user.target +EOF +)" +echo "${natsapi}" | sudo tee /etc/systemd/system/nats-api.service > /dev/null + +celeryservice="$(cat << EOF +[Unit] +Description=Celery Service V2 +After=network.target redis-server.service postgresql.service + +[Service] +Type=forking +User=${RMMUSER} +Group=${RMMUSER} +EnvironmentFile=/etc/conf.d/celery.conf +WorkingDirectory=/rmm/api/tacticalrmm +ExecStart=/bin/sh -c '\${CELERY_BIN} -A \$CELERY_APP multi start \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel="\${CELERYD_LOG_LEVEL}" \$CELERYD_OPTS' +ExecStop=/bin/sh -c '\${CELERY_BIN} multi stopwait \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --loglevel="\${CELERYD_LOG_LEVEL}"' +ExecReload=/bin/sh -c '\${CELERY_BIN} -A \$CELERY_APP multi restart \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel="\${CELERYD_LOG_LEVEL}" \$CELERYD_OPTS' +Restart=always +RestartSec=10s + +[Install] +WantedBy=multi-user.target +EOF +)" +echo "${celeryservice}" | sudo tee /etc/systemd/system/celery.service > /dev/null + +celerybeatservice="$(cat << EOF +[Unit] +Description=Celery Beat Service V2 +After=network.target redis-server.service postgresql.service + +[Service] +Type=simple +User=${RMMUSER} +Group=${RMMUSER} +EnvironmentFile=/etc/conf.d/celery.conf +WorkingDirectory=/rmm/api/tacticalrmm +ExecStart=/bin/sh -c '\${CELERY_BIN} -A \${CELERY_APP} beat --pidfile=\${CELERYBEAT_PID_FILE} --logfile=\${CELERYBEAT_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL}' +Restart=always +RestartSec=10s + +[Install] +WantedBy=multi-user.target +EOF +)" +echo "${celerybeatservice}" | sudo tee /etc/systemd/system/celerybeat.service > /dev/null + +meshservice="$(cat << EOF +[Unit] +Description=MeshCentral Server +After=network.target mongod.service nginx.service +[Service] +Type=simple 
+LimitNOFILE=1000000 +ExecStart=/usr/bin/node node_modules/meshcentral +Environment=NODE_ENV=production +WorkingDirectory=/meshcentral +User=${RMMUSER} +Group=${RMMUSER} +Restart=always +RestartSec=10s + +[Install] +WantedBy=multi-user.target +EOF +)" +echo "${meshservice}" | sudo tee /etc/systemd/system/meshcentral.service > /dev/null + + +# create nginx config + +nginxrmm="$(cat << EOF +server_tokens off; + +upstream tacticalrmm { + server unix:////rmm/api/tacticalrmm/tacticalrmm.sock; +} + +map \$http_user_agent \$ignore_ua { + "~python-requests.*" 0; + "~go-resty.*" 0; + default 1; +} + +server { + listen 80; + listen [::]:80; + server_name ${rmmdomain}; + return 301 https://\$server_name\$request_uri; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name ${rmmdomain}; + client_max_body_size 300M; + access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=\$ignore_ua; + error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log; + ssl_certificate /etc/ssl/certs/${frontenddomain}.pem; + ssl_certificate_key /etc/ssl/private/${frontenddomain}.key; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + ssl_ecdh_curve secp384r1; + ssl_stapling on; + ssl_stapling_verify on; + add_header X-Content-Type-Options nosniff; + + location /static/ { + root /rmm/api/tacticalrmm; + } + + location /private/ { + internal; + add_header "Access-Control-Allow-Origin" "https://${frontenddomain}"; + alias /rmm/api/tacticalrmm/tacticalrmm/private/; + } + + location ~ ^/(natsapi) { + allow 127.0.0.1; + deny all; + uwsgi_pass tacticalrmm; + include /etc/nginx/uwsgi_params; + uwsgi_read_timeout 500s; + uwsgi_ignore_client_abort on; + } + + location ~ ^/ws/ { + proxy_pass http://unix:/rmm/daphne.sock; + + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_redirect off; + proxy_set_header Host \$host; + proxy_set_header 
X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host \$server_name; + } + + location / { + uwsgi_pass tacticalrmm; + include /etc/nginx/uwsgi_params; + uwsgi_read_timeout 9999s; + uwsgi_ignore_client_abort on; + } +} +EOF +)" +echo "${nginxrmm}" | sudo tee /etc/nginx/sites-available/rmm.conf > /dev/null + + +nginxmesh="$(cat << EOF +server { + listen 80; + listen [::]:80; + server_name ${meshdomain}; + return 301 https://\$server_name\$request_uri; +} + +server { + + listen 443 ssl; + listen [::]:443 ssl; + proxy_send_timeout 330s; + proxy_read_timeout 330s; + server_name ${meshdomain}; + ssl_certificate /etc/ssl/certs/${frontenddomain}.pem; + ssl_certificate_key /etc/ssl/private/${frontenddomain}.key; + + ssl_session_cache shared:WEBSSL:10m; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + ssl_ecdh_curve secp384r1; + ssl_stapling on; + ssl_stapling_verify on; + add_header X-Content-Type-Options nosniff; + + location / { + proxy_pass http://127.0.0.1:4430/; + proxy_http_version 1.1; + + proxy_set_header Host \$host; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Forwarded-Host \$host:\$server_port; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + } +} +EOF +)" +echo "${nginxmesh}" | sudo tee /etc/nginx/sites-available/meshcentral.conf > /dev/null + +ln -s /etc/nginx/sites-available/rmm.conf /etc/nginx/sites-enabled/rmm.conf +ln -s /etc/nginx/sites-available/meshcentral.conf /etc/nginx/sites-enabled/meshcentral.conf + +# configure celery +mkdir /etc/conf.d + +celeryconf="$(cat << EOF +CELERYD_NODES="w1" + +CELERY_BIN="/rmm/api/env/bin/celery" + +CELERY_APP="tacticalrmm" + +CELERYD_MULTI="multi" + +CELERYD_OPTS="--time-limit=86400 --autoscale=20,2" + +CELERYD_PID_FILE="/rmm/api/tacticalrmm/%n.pid" 
+CELERYD_LOG_FILE="/var/log/celery/%n%I.log" +CELERYD_LOG_LEVEL="ERROR" + +CELERYBEAT_PID_FILE="/rmm/api/tacticalrmm/beat.pid" +CELERYBEAT_LOG_FILE="/var/log/celery/beat.log" +EOF +)" +echo "${celeryconf}" | sudo tee /etc/conf.d/celery.conf > /dev/null + +chown ${RMMUSER}:${RMMUSER} -R /etc/conf.d/ + +systemctl daemon-reload + +# install frontend + +su - ${RMMUSER} << EOF + +if [ -d ~/.npm ]; then + chown -R $RMMUSER:$RMMUSER ~/.npm +fi + +if [ -d ~/.config ]; then + chown -R $RMMUSER:$RMMUSER ~/.config +fi + +echo -e "PROD_URL = \"https://${rmmdomain}\"\nDEV_URL = \"https://${rmmdomain}\"" > /rmm/web/.env + +cd /rmm/web +npm install +npm audit fix +npm run build +EOF + +mkdir -p /var/www/rmm +cp -pvr /rmm/web/dist /var/www/rmm/ +chown www-data:www-data -R /var/www/rmm/dist + +nginxfrontend="$(cat << EOF +server { + server_name ${frontenddomain}; + charset utf-8; + location / { + root /var/www/rmm/dist; + try_files \$uri \$uri/ /index.html; + add_header Cache-Control "no-store, no-cache, must-revalidate"; + add_header Pragma "no-cache"; + } + error_log /var/log/nginx/frontend-error.log; + access_log /var/log/nginx/frontend-access.log; + + listen 443 ssl; + listen [::]:443 ssl; + ssl_certificate /etc/ssl/certs/${frontenddomain}.pem; + ssl_certificate_key /etc/ssl/private/${frontenddomain}.key; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + ssl_ecdh_curve secp384r1; + ssl_stapling on; + ssl_stapling_verify on; + add_header X-Content-Type-Options nosniff; +} + +server { + if (\$host = ${frontenddomain}) { + return 301 https://\$host\$request_uri; + } + + listen 80; + listen [::]:80; + server_name ${frontenddomain}; + return 404; +} +EOF +)" +echo "${nginxfrontend}" | tee /etc/nginx/sites-available/frontend.conf > /dev/null + +ln -s /etc/nginx/sites-available/frontend.conf /etc/nginx/sites-enabled/frontend.conf + + +for i in rmm.service daphne.service celery.service celerybeat.service nginx +do + systemctl 
enable ${i} + systemctl stop ${i} + systemctl start ${i} +done +sleep 5 +systemctl enable meshcentral + +systemctl restart meshcentral + +CHECK_MESH_READY=1 +while ! [[ $CHECK_MESH_READY ]]; do + CHECK_MESH_READY=$(sudo journalctl -u meshcentral.service -b --no-pager | grep "MeshCentral HTTP server running on port") + echo -ne "Mesh Central not ready yet...\n" + sleep 3 +done + +node /meshcentral/node_modules/meshcentral --logintokenkey + +MESHTOKENKEY=$(node /meshcentral/node_modules/meshcentral --logintokenkey) +sudo -u ${USER} echo "MESH_TOKEN_KEY = \"$MESHTOKENKEY\"" >> /rmm/api/tacticalrmm/tacticalrmm/local_settings.py + +systemctl stop meshcentral +sleep 1 +cd /meshcentral + +sudo -u ${RMMUSER} node node_modules/meshcentral --createaccount ${meshusername} --pass ${MESHPASSWD} --email ${adminemail} +sleep 1 +sudo -u ${RMMUSER} node node_modules/meshcentral --adminaccount ${meshusername} + +systemctl start meshcentral +sleep 5 + + +sudo -u ${RMMUSER} node node_modules/meshcentral/meshctrl.js --url wss://${meshdomain}:443 --loginuser ${meshusername} --loginpass ${MESHPASSWD} AddDeviceGroup --name TacticalRMM +sleep 1 + +systemctl enable nats.service +su - ${RMMUSER} < /usr/local/bin/register-rmm-admin +cd /rmm/api +source /rmm/api/env/bin/activate +cd /rmm/api/tacticalrmm +printf >&2 "Please create your login for the RMM website and django admin\n" +printf >&2 "\n" +echo -ne "Username: " +read djangousername +python manage.py createsuperuser --username \${djangousername} --email ${adminemail} +RANDBASE=\$(python manage.py generate_totp) +python manage.py generate_barcode \${RANDBASE} \${djangousername} ${frontenddomain} +deactivate +EOF +chmod +x /usr/local/bin/register-rmm-admin + +printf >&2 "Installation complete!\n\n" +printf >&2 "Access your rmm at: https://${frontenddomain}\n\n" +printf >&2 "Django admin url (disabled by default): https://${rmmdomain}/${ADMINURL}/\n\n" +printf >&2 "MeshCentral username: ${meshusername}\n" +printf >&2 "MeshCentral password: 
${MESHPASSWD}\n\n" + +printf >&2 "Please run 'register-rmm-admin' to create an administrative rmm user.\n\n" \ No newline at end of file From ccfdef4462b88d1f229f10935c25886892f79e1b Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Jun 2022 18:14:59 +0200 Subject: [PATCH 29/96] zabbix: Fix logfle name & db credentials --- src/zabbix/install-service.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/zabbix/install-service.sh b/src/zabbix/install-service.sh index 196b44a..81d6a12 100644 --- a/src/zabbix/install-service.sh +++ b/src/zabbix/install-service.sh @@ -30,8 +30,8 @@ server { server_tokens off; - access_log /var/log/nginx/gitea.access.log; - error_log /var/log/nginx/gitea.error.log; + access_log /var/log/nginx/zabbix.access.log; + error_log /var/log/nginx/zabbix.error.log; location /.well-known/ { } @@ -156,14 +156,14 @@ timedatectl set-timezone ${LXC_TIMEZONE} systemctl enable --now postgresql su - postgres <> /etc/zabbix/zabbix_server.conf From 476692b072ee10ee7aaf5fb4ea86facf583de891 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Jun 2022 18:26:28 +0200 Subject: [PATCH 30/96] No automatic 2FA on admin user creation --- src/tactical-rmm/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tactical-rmm/install-service.sh b/src/tactical-rmm/install-service.sh index 41d0c14..0a6308b 100644 --- a/src/tactical-rmm/install-service.sh +++ b/src/tactical-rmm/install-service.sh @@ -697,8 +697,8 @@ printf >&2 "\n" echo -ne "Username: " read djangousername python manage.py createsuperuser --username \${djangousername} --email ${adminemail} -RANDBASE=\$(python manage.py generate_totp) -python manage.py generate_barcode \${RANDBASE} \${djangousername} ${frontenddomain} +#RANDBASE=\$(python manage.py generate_totp) +#python manage.py generate_barcode \${RANDBASE} \${djangousername} ${frontenddomain} deactivate EOF chmod +x /usr/local/bin/register-rmm-admin 
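Review bot: Commenting out the generate_totp/generate_barcode lines leaves the freshly created superuser without a TOTP enrolment, and nothing in the generated register-rmm-admin script tells the operator that 2FA now has to be set up separately. Because the two lines sit inside the heredoc, the `#` lines are written into the generated script as dead code; either delete them or replace them with a single comment that records the decision, e.g. `# TOTP enrolment is intentionally skipped here; set up 2FA for this account after first login`. The register-rmm-admin heredoc begins outside the hunk.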
From 442e7a3dd58b9f2ff36f3fa850069681ad631d3d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Jun 2022 18:54:03 +0200 Subject: [PATCH 31/96] Change finished message --- src/tactical-rmm/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tactical-rmm/install-service.sh b/src/tactical-rmm/install-service.sh index 0a6308b..4ff614e 100644 --- a/src/tactical-rmm/install-service.sh +++ b/src/tactical-rmm/install-service.sh @@ -709,4 +709,4 @@ printf >&2 "Django admin url (disabled by default): https://${rmmdomain}/${ADMIN printf >&2 "MeshCentral username: ${meshusername}\n" printf >&2 "MeshCentral password: ${MESHPASSWD}\n\n" -printf >&2 "Please run 'register-rmm-admin' to create an administrative rmm user.\n\n" \ No newline at end of file +printf >&2 "Please run 'pct exec {container id} -- su - root -c register-rmm-admin' to create an administrative rmm user.\n\n" \ No newline at end of file From 4a112950c042e87438f12aeb3ad60d8f4bad2e76 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Jun 2022 22:32:02 +0200 Subject: [PATCH 32/96] Fix onlyoffice update problem --- src/onlyoffice/fix-update.sh | 25 +++++++++++++++++++++++++ src/onlyoffice/install-service.sh | 29 +++++++++++++++++++++++++++-- 2 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 src/onlyoffice/fix-update.sh diff --git a/src/onlyoffice/fix-update.sh b/src/onlyoffice/fix-update.sh new file mode 100644 index 0000000..8d8f553 --- /dev/null +++ b/src/onlyoffice/fix-update.sh 
@@ -0,0 +1,25 @@ +#!/bin/bash + +cat > /usr/local/bin/ods-apt-pre-hook << DFOE +#!/bin/bash +rm /etc/nginx/conf.d/ds-ssl.conf +systemctl stop nginx.service +DFOE +chmod +x /usr/local/bin/ods-apt-pre-hook + +cat > /usr/local/bin/ods-apt-post-hook << DFOE +#!/bin/bash +rm /etc/nginx/conf.d/ds.conf +ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf +systemctl restart nginx +DFOE +chmod +x /usr/local/bin/ods-apt-post-hook + + +cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook +DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";}; +EOF + +cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook +DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";}; +EOF diff --git a/src/onlyoffice/install-service.sh b/src/onlyoffice/install-service.sh index afea5b3..ae1018b 100644 --- a/src/onlyoffice/install-service.sh +++ b/src/onlyoffice/install-service.sh 
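Review bot: Both hook scripts use a bare `rm`, so the first apt run in which `/etc/nginx/conf.d/ds-ssl.conf` (pre-hook) or `/etc/nginx/conf.d/ds.conf` (post-hook) is absent makes the hook exit non-zero, and a failing DPkg::Pre-Invoke hook makes apt abort the whole dpkg run, not just the onlyoffice update (a failing Post-Invoke hook is at least reported as an error). Use `rm -f -- /etc/nginx/conf.d/ds-ssl.conf` in the pre-hook and `rm -f -- /etc/nginx/conf.d/ds.conf` in the post-hook. These hooks also fire on every apt/dpkg invocation in the container, so nginx is stopped and restarted for unrelated package operations; a comment in the hook files stating that this is accepted would help the next maintainer. The install-service.sh hunk of this commit (`@@ -44,8 +44,33 @@`) writes the same two hook bodies and has the same issue.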
@@ -44,8 +44,33 @@ openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/only rm /etc/nginx/conf.d/ds.conf cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf + +sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf +sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf + ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf -sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/nginx/conf.d/ds-ssl.conf -sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/nginx/conf.d/ds-ssl.conf +cat > /usr/local/bin/ods-apt-pre-hook << DFOE +#!/bin/bash +rm /etc/nginx/conf.d/ds-ssl.conf +systemctl stop nginx.service +DFOE +chmod +x /usr/local/bin/ods-apt-pre-hook + +cat > /usr/local/bin/ods-apt-post-hook << DFOE +#!/bin/bash +rm /etc/nginx/conf.d/ds.conf +ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf +systemctl restart nginx +DFOE +chmod +x /usr/local/bin/ods-apt-post-hook + +cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook +DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";}; +EOF + +cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook +DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";}; +EOF + systemctl restart nginx \ No newline at end of file From 0d227a12f603684ef88fdeec7282e3200dddcf74 Mon Sep 17 00:00:00 2001 
From: thorstenspille Date: Fri, 10 Jun 2022 22:51:47 +0200 Subject: [PATCH 33/96] Add bookstack conteiner --- src/bookstack/constants-service.conf | 20 ++++ src/bookstack/install-service.sh | 147 +++++++++++++++++++++++++++ 2 files changed, 167 insertions(+) create mode 100644 src/bookstack/constants-service.conf create mode 100644 src/bookstack/install-service.sh diff --git a/src/bookstack/constants-service.conf b/src/bookstack/constants-service.conf new file mode 100644 index 0000000..4f5ef36 --- /dev/null +++ b/src/bookstack/constants-service.conf @@ -0,0 +1,20 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" \ No newline at end of file diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh new file mode 100644 index 0000000..0cbb903 --- /dev/null +++ b/src/bookstack/install-service.sh 
@@ -0,0 +1,147 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +BOOKSTACK_DB_PWD=$(random_password) +webroot=/var/www/bookstack/public + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip + +mkdir /etc/nginx/ssl +openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" + +PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2) + +cat << EOF > /etc/nginx/sites-available/default +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN; +} + +server { + + client_max_body_size 100M; + fastcgi_buffers 64 4K; + + listen 443 http2 ssl default_server; + listen [::]:443 http2 ssl default_server; + server_name $LXC_HOSTNAME.$LXC_DOMAIN; + + root $webroot; + + index index.php; + + ssl_certificate /etc/nginx/ssl/open3a.crt; + ssl_certificate_key /etc/nginx/ssl/open3a.key; + + access_log /var/log/nginx/bookstack.access.log; + error_log /var/log/nginx/bookstack.error.log; + + location / { + try_files \$uri \$uri/ /index.php?\$query_string; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } + + 
location = /favicon.ico { access_log off; log_not_found off; } + location = /robots.txt { access_log off; log_not_found off; } + + location ~ /\.ht { + deny all; + } + + fastcgi_hide_header X-Powered-By; + fastcgi_read_timeout 3600; + fastcgi_send_timeout 3600; + fastcgi_connect_timeout 3600; + + add_header Permissions-Policy "interest-cohort=()"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + +} + +EOF + +mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD'; +CREATE DATABASE IF NOT EXISTS bookstack; +GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD'; +FLUSH PRIVILEGES;" + +EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')" +php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" +ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" +if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ] +then + >&2 echo 'ERROR: Invalid composer installer checksum' + rm composer-setup.php + 
exit 1 +fi +php composer-setup.php --quiet +rm composer-setup.php +# Move composer to global installation +mv composer.phar /usr/local/bin/composer + +cd /var/www +git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack +cd bookstack + +# Install BookStack composer dependencies +export COMPOSER_ALLOW_SUPERUSER=1 +php /usr/local/bin/composer install --no-dev --no-plugins + + +# Copy and update BookStack environment variables +cp .env.example .env +sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env +sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env +sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env +sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env + + +# Generate the application key +php artisan key:generate --no-interaction --force +# Migrate the databases +php artisan migrate --no-interaction --force + +chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage + +systemctl enable --now php7.4-fpm +systemctl restart php7.4-fpm nginx + +echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n" From e9200a33ecacfc1d55ff925341d5d29b00dc4a29 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Fri, 10 Jun 2022 23:47:54 +0200 Subject: [PATCH 34/96] Add some bookstack tweaks --- src/bookstack/install-service.sh | 45 +++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh index 0cbb903..7c26232 100644 --- a/src/bookstack/install-service.sh +++ b/src/bookstack/install-service.sh 
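Review bot: The self-signed key pair is written to `/etc/nginx/ssl/open3a.key` / `open3a.crt` in a bookstack installer, which looks like a copy-paste from the open3a script; naming them `bookstack.key` / `bookstack.crt` in the openssl call and the two `ssl_certificate*` directives avoids confusion when the certificate is later replaced. The nginx config derives the FPM socket from `${PHP_VERSION:0:3}`, but the two `systemctl` lines at the end hard-code `php7.4-fpm`, so the script breaks as soon as the installed PHP version differs; use `php${PHP_VERSION:0:3}-fpm` there as well. The completion message points the user to `http://<ip>` although the port-80 server block returns a 301 to the hostname over https, and it prints BookStack's default `admin@admin.com` / `password` login; add a sentence that these credentials must be changed at first login.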
@@ -16,7 +16,9 @@ webroot=/var/www/bookstack/public apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server +wget -O /opt/wkhtmltox_0.12.6-1.buster_amd64.deb https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.buster_amd64.deb +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /opt/wkhtmltox_0.12.6-1.buster_amd64.deb mkdir /etc/nginx/ssl openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" @@ -36,6 +38,7 @@ server { client_max_body_size 100M; fastcgi_buffers 64 4K; + client_body_timeout 120s; listen 443 http2 ssl default_server; listen [::]:443 http2 ssl default_server; @@ -103,6 +106,10 @@ CREATE DATABASE IF NOT EXISTS bookstack; GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD'; FLUSH PRIVILEGES;" +sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/7.4/fpm/php.ini +sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/7.4/fpm/php.ini +sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini + EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')" php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" 
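Review bot: The wkhtmltox .deb is fetched from GitHub with `wget` and installed as root without any integrity check, while the composer installer a few lines further down is verified against a published hash; pin the expected digest and verify it before `apt install`, e.g. `echo "<sha256 of wkhtmltox_0.12.6-1.buster_amd64.deb - fill in>  /opt/wkhtmltox_0.12.6-1.buster_amd64.deb" | sha256sum -c -`. The package is the buster build, whereas the bookstack constants file added in the previous commit selects `debian-11-standard`; if the buster build is used deliberately because no bullseye build exists for this version, say so in a comment. The php.ini edits in `@@ -103,6 +106,10 @@` hard-code `/etc/php/7.4/` where the rest of the script derives the version from `PHP_VERSION`.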
@@ -133,15 +140,45 @@ sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env +cat << EOF >> .env +QUEUE_CONNECTION=database +STORAGE_TYPE=local_secure +APP_LANG=de_informal +FILE_UPLOAD_SIZE_LIMIT=100 +SESSION_SECURE_COOKIE=true +CACHE_DRIVER=redis +SESSION_DRIVER=redis +REDIS_SERVERS=127.0.0.1:6379:0 +WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf +ALLOW_UNTRUSTED_SERVER_FETCHING=true +EOF # Generate the application key php artisan key:generate --no-interaction --force # Migrate the databases php artisan migrate --no-interaction --force +php artisan bookstack:db-utf8mb4 > dbupgrade.sql +mysql -u root < dbupgrade.sql + chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage -systemctl enable --now php7.4-fpm -systemctl restart php7.4-fpm nginx +cat << EOF > /etc/systemd/system/bookstack-queue.service +[Unit] +Description=BookStack Queue Worker -echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n" +[Service] +User=www-data +Group=www-data +Restart=always +ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600 + +[Install] +WantedBy=multi-user.target +EOF + +systemctl daemon-reload +systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server +systemctl restart php7.4-fpm nginx bookstack-queue redis-server + +echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n" \ No newline at end of file From cd664ba745238f4c71e1faee67172a91b404c25a Mon Sep 17 00:00:00 2001 
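Review bot: `ALLOW_UNTRUSTED_SERVER_FETCHING=true` is appended to `.env` without a comment; presumably it is needed so wkhtmltopdf can fetch page assets from this host behind the installer's self-signed certificate, but it relaxes validation of server-side fetches for every export and should be documented as a deliberate trade-off, e.g. `# needed while the self-signed certificate from this installer is in use; set back to false once a trusted certificate is installed`. The completion message still directs the user to `http://` with the default `admin@admin.com` / `password` login even though the new `SESSION_SECURE_COOKIE=true` means sessions are only usable over https; print `https://$LXC_HOSTNAME.$LXC_DOMAIN` and state that the default credentials must be changed at first login.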
From: thorstenspille Date: Tue, 5 Jul 2022 20:55:29 +0200 Subject: [PATCH 35/96] Add servicename and ctis to zmb.conf inside ct --- install.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install.sh b/install.sh index 8f6867f..02a05b3 100755 --- a/install.sh +++ b/install.sh @@ -158,6 +158,8 @@ sleep 5; pct exec $LXC_NBR -- mkdir /root/.ssh pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys pct push $LXC_NBR "$config" /root/zamba.conf +pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf +pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh From 03ae4f61d5343612e541ae7b539eb2a9929ef1f8 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 5 Jul 2022 20:55:57 +0200 Subject: [PATCH 36/96] Add default length for random password --- conf/zamba.conf.example | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index 760aab7..cab7d4c 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example @@ -81,6 +81,9 @@ LXC_LOCALE="de_DE.UTF-8" # Set dark background for vim syntax highlighting (0 or 1) LXC_VIM_BG_DARK=1 +# Default random password length +LXC_RANDOMPWD=32 + ############### Zamba-Server-Section ############### # Defines the REALM for the Active Directory (AD DC, AD member) @@ -165,4 +168,5 @@ KOPANO_REPKEY="1234567890abcdefghijklmno" rmmdomain=api.${LXC_DOMAIN} frontenddomain=${LXC_HOSTNAME}.${LXC_DOMAIN} meshdomain=mesh.${LXC_DOMAIN} -adminemail=rmm@${LXC_DOMAIN} \ No newline at end of file +adminemail=rmm@${LXC_DOMAIN} + From 261770dec53ece404a247e17e18677a2a20d8415 Mon Sep 17 00:00:00 2001 
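Review bot: The second added line never writes anything to `/root/zamba.conf`: there is no redirection, so `echo` inside the container just prints `LXC_NBR=<n> /root/zamba.conf` to stdout, and even with `>>` added the redirection would be applied by the host shell rather than inside the container. Run it through a shell in the container: `pct exec $LXC_NBR -- sh -c "echo LXC_NBR=$LXC_NBR >> /root/zamba.conf"`. The surrounding block of `pct push` commands begins outside the hunk.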
From: thorstenspille Date: Tue, 5 Jul 2022 20:58:03 +0200 Subject: [PATCH 37/96] Change password generation to dynamic length --- src/functions.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/functions.sh b/src/functions.sh index fa37998..0a89013 100644 --- a/src/functions.sh +++ b/src/functions.sh @@ -1,8 +1,9 @@ #!/bin/bash # # This script has basic functions like a random password generator +LXC_RANDOMPWD=32 random_password() { set +o pipefail - C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32 + C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c${LXC_RANDOMPWD} } \ No newline at end of file From fd7d5d7ac9a0635f9a8c367b66b0acf110eb69e6 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 5 Jul 2022 21:01:28 +0200 Subject: [PATCH 38/96] Fix db password, configure database --- src/open3a/install-service.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh index 4cab551..0a84d51 100644 --- a/src/open3a/install-service.sh +++ b/src/open3a/install-service.sh @@ -11,6 +11,7 @@ source /root/constants-service.conf webroot=/var/www/html +LXC_RANDOMPWD=20 MYSQL_PASSWORD="$(random_password)" apt update @@ -67,6 +68,14 @@ chown -R www-data:www-data $webroot echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup chmod +x /etc/cron.daily/open3a-backup +cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php + +EOF + systemctl enable --now php7.4-fpm systemctl restart php7.4-fpm nginx From 187a2c79c5c55f218d18f200e775c386783ffef8 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 9 Jan 2023 22:51:59 +0100 Subject: [PATCH 39/96] zmb-ad-join: sync sysvol via smb --- src/zmb-ad-join/install-service.sh | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) 
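Review bot: `LXC_RANDOMPWD=32` is an unconditional assignment at the top of a sourced library, so any value set before `source /root/functions.sh` is silently overwritten; make it a default instead, `: "${LXC_RANDOMPWD:=32}"`, and quote the use, `head -c "${LXC_RANDOMPWD}"`. The modified line also keeps `C_CTYPE=C`, which is not a locale variable and has no effect on `tr`; presumably `LC_CTYPE=C` was intended. The open3a hunk `@@ -11,6 +11,7 @@` of the next commit relies on overriding this value after sourcing, which works with the current sourcing order and would keep working with a default assignment.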
diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index ee0dae9..87b03e7 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh @@ -127,10 +127,24 @@ rm -f /etc/samba/smb.conf echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb -cat > /etc/cron.d/sysvol-sync << EOF -*/5 * * * * root /usr/bin/rsync -XAavz --delete-after root@$LXC_DNS:/var/lib/samba/sysvol/ /var/lib/samba/sysvol +mkdir -p /mnt/sysvol + +cat << EOF > /root/.smbcredentials +username=$ZMB_ADMIN_USER +password=$ZMB_ADMIN_PASS +domain=$ZMB_DOMAIN EOF +echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab + +mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials + +cat > /etc/cron.d/sysvol-sync << EOF +*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol +EOF + +/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol + ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096 systemctl unmask samba-ad-dc From aea5fad54dc6d553b5dffde430692c22fbd184bb Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 9 Jan 2023 22:52:45 +0100 Subject: [PATCH 40/96] Set sources.list to http --- src/lxc-base.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/lxc-base.sh b/src/lxc-base.sh index 5ae63a7..b76340f 100644 --- a/src/lxc-base.sh +++ b/src/lxc-base.sh 
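Review bot: `/root/.smbcredentials` holds the domain administrator password in clear text and is created with the shell's default umask, so unless root's umask is 077 the file ends up readable by every local account in the container; create it with restricted permissions before the heredoc writes to it, `install -m 0600 /dev/null /root/.smbcredentials`. The `echo … >> /etc/fstab` line appends a new entry on every run, so a re-run of the script produces duplicate fstab lines — presumably acceptable for a one-shot installer, but worth a comment. Whether `rsync -XAa` preserves the sysvol NT ACLs and xattrs when the source is a CIFS mount is not something the hunk shows; confirm the ACLs survive the copy before relying on this for the cron job.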
@@ -26,23 +26,23 @@ locale-gen $LXC_LOCALE if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then cat << EOF > /etc/apt/sources.list -deb https://debian.inf.tu-dresden.de/debian bullseye main contrib +deb http://debian.inf.tu-dresden.de/debian bullseye main contrib -deb https://debian.inf.tu-dresden.de/debian bullseye-updates main contrib +deb http://debian.inf.tu-dresden.de/debian bullseye-updates main contrib # security updates -deb https://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib +deb http://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib EOF elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then cat << EOF > /etc/apt/sources.list -deb https://debian.inf.tu-dresden.de/debian buster main contrib +deb http://debian.inf.tu-dresden.de/debian buster main contrib -deb https://debian.inf.tu-dresden.de/debian buster-updates main contrib +deb http://debian.inf.tu-dresden.de/debian buster-updates main contrib # security updates -deb https://debian.inf.tu-dresden.de/debian-security buster/updates main contrib +deb http://debian.inf.tu-dresden.de/debian-security buster/updates main contrib EOF else echo "LXC Debian Version false. Please check configuration files!" ; exit fi From 21de64cd5787079de46526863b06d0eb60a9291a Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 9 Jan 2023 22:53:09 +0100 Subject: [PATCH 41/96] More RAM for trmm --- src/tactical-rmm/constants-service.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/tactical-rmm/constants-service.conf b/src/tactical-rmm/constants-service.conf index 507c380..34e35d9 100644 --- a/src/tactical-rmm/constants-service.conf +++ b/src/tactical-rmm/constants-service.conf 
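Review bot: All six mirror entries are switched from https to http without a stated reason; apt still verifies the Release signatures, so integrity is kept, but package lists and download metadata now travel in clear text and a later reader will likely flip it back. Record the reason next to the heredoc, e.g. `# plain http on purpose: <reason - fill in>; apt verifies Release signatures regardless of transport`. The `if` chain starts outside the hunk.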
@@ -25,6 +25,9 @@ RMM_DB_IP="127.0.0.1" # Defines the PORT from the SQL server RMM_DB_PORT="5432" +# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) +LXC_MEM="4096" + # Defines the name from the SQL database RMM_DB_NAME="rmm" @@ -41,7 +44,7 @@ meshusername="$(random_password)" # vars from tactical-rmm install script SCRIPTS_DIR="/opt/trmm-community-scripts" -PYTHON_VER="3.10.4" + TMP_FILE=$(mktemp -p "" "rmminstall_XXXXXXXXXX") osname=debian djangousername=admin \ No newline at end of file From 9e74bca205c71d735bec02817a785e862211d165 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 10 Jan 2023 00:57:04 +0100 Subject: [PATCH 42/96] Add kimai2 container --- src/kimai/constants-service.conf | 26 +++++ src/kimai/install-service.sh | 194 +++++++++++++++++++++++++++++++ 2 files changed, 220 insertions(+) create mode 100644 src/kimai/constants-service.conf create mode 100644 src/kimai/install-service.sh diff --git a/src/kimai/constants-service.conf b/src/kimai/constants-service.conf new file mode 100644 index 0000000..c378d16 --- /dev/null +++ b/src/kimai/constants-service.conf @@ -0,0 +1,26 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="1" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest') +KIMAI_VERSION="release-2.0-beta" + +# Defines the php version to install +KIMAI_PHP_VERSION="8.1" diff --git a/src/kimai/install-service.sh b/src/kimai/install-service.sh new file mode 100644 index 0000000..593af6d --- /dev/null 
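Review bot: `PYTHON_VER="3.10.4"` is removed from the constants file but replaced by an empty line rather than deleted; if `install-service.sh` still references `$PYTHON_VER` under `set -u`, that script now aborts — confirm against the install script, which is not part of this commit. The new `LXC_MEM` comment says `default: 1024` while the file sets 4096; rewording it to `# RAM in MB for this container (overrides the 1024 MB default)` avoids reading the comment as the effective value.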
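Review bot: The comment above `KIMAI_VERSION` describes a "kimai mail archive" that takes a version number or 'latest', which is copied from the piler constants and does not match the value, a git branch name that the install script passes to `git clone --branch`. Replace it with `# Defines the git branch or tag of kimai to clone (e.g. release-2.0-beta)`. `LXC_MP="1"` creates the sharefs mountpoint for a time-tracking application; if that is intentional, a one-line reason next to it would help.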
+++ b/src/kimai/install-service.sh 
@@ -0,0 +1,194 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +KIMAI_DB_PWD=$(random_password) +webroot=/var/www/kimai/public + +wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - +echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip + +mkdir /etc/nginx/ssl +openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" + +PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2) + +cat << EOF > /etc/nginx/sites-available/default +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN; +} + +server { + + client_max_body_size 100M; + fastcgi_buffers 64 4K; + client_body_timeout 120s; + + listen 443 http2 ssl default_server; + listen [::]:443 http2 ssl default_server; + server_name $LXC_HOSTNAME.$LXC_DOMAIN; + + root $webroot; + + index index.php; + + ssl_certificate /etc/nginx/ssl/kimai.crt; + ssl_certificate_key /etc/nginx/ssl/kimai.key; + + access_log /var/log/nginx/kimai.access.log; + error_log /var/log/nginx/kimai.error.log; + + location / { + try_files \$uri \$uri/ /index.php?\$query_string; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock; + fastcgi_index index.php; + include 
fastcgi_params; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } + + location = /favicon.ico { access_log off; log_not_found off; } + location = /robots.txt { access_log off; log_not_found off; } + + location ~ /\.ht { + deny all; + } + + fastcgi_hide_header X-Powered-By; + fastcgi_read_timeout 3600; + fastcgi_send_timeout 3600; + fastcgi_connect_timeout 3600; + + add_header Permissions-Policy "interest-cohort=()"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + +} + +EOF + +mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD'; +CREATE DATABASE IF NOT EXISTS kimai; +GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD'; +FLUSH PRIVILEGES;" + +sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/8.1/fpm/php.ini +sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/8.1/fpm/php.ini +sed -i "s/memory_limit = 128M/memory_limit = 512M/g" 
/etc/php/8.1/fpm/php.ini + +EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')" +php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" +ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" +if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ] +then + >&2 echo 'ERROR: Invalid composer installer checksum' + rm composer-setup.php + exit 1 +fi +php composer-setup.php --quiet +rm composer-setup.php +# Move composer to global installation +mv composer.phar /usr/local/bin/composer + +cd /var/www +git clone https://github.com/kimai/kimai.git --branch $KIMAI_VERSION --depth 1 +cd kimai + +# Install kimai composer dependencies +export COMPOSER_ALLOW_SUPERUSER=1 +/usr/local/bin/composer install --optimize-autoloader -n + +# Copy and update kimai environment variables +cat << EOF >> .env +#================================================================================ +# Configure your database connection and set the correct server version. 
+# +# You have to replace the following values with your defaults: +# - the version "5.7" +# - the database username "user" +# - the database password "password" +# - the database schema name "database" +# - you might have to adapt port "3306" and server IP "127.0.0.1" as well +# +# For MySQL that would be "serverVersion=5.7" as in: +# DATABASE_URL=mysql://user:password@127.0.0.1:3306/database?charset=utf8&serverVersion=5.7 +# +# For MariaDB it would be "serverVersion=mariadb-10.5.8": +# DATABASE_URL=mysql://user:password@127.0.0.1:3306/database?charset=utf8&serverVersion=mariadb-10.5.8 +# +DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=5.7 + +#================================================================================ +# The full documentation can be found at https://www.kimai.org/documentation/emails.html +# +# Email will be sent with this address as sender: +MAILER_FROM=kimai@example.com +# Email connection (disabled by default) - see documentation for the format +MAILER_URL=null://null + +#================================================================================ +# Running behind reverse proxies? Try these: +# TRUSTED_PROXIES=127.0.0.1,127.0.0.2 +# TRUSTED_HOSTS=localhost,example.com + +#================================================================================ +# do not change, unless you are developing for Kimai +APP_ENV=prod + +#================================================================================ +# should be changed to a unique character sequence, used for hashing cookies +APP_SECRET=$(random_password) + +#================================================================================ +# unlikely, that you need to change this one +CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$ +EOF + +chown -R www-data:www-data . +chmod -R g+r . 
+chmod -R g+rw var/ + +bin/console kimai:install -n + +bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD + +systemctl daemon-reload +systemctl enable --now php8.1-fpm nginx +systemctl restart php8.1-fpm nginx + +echo -e "Your kimai installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\n\nPassword:\t${LXC_PWD}\n\n" \ No newline at end of file From 4e9af3e39147402173fe8bbd3a352d1490d3c44d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 10 Jan 2023 21:43:26 +0100 Subject: [PATCH 43/96] Redesign of zmb-standalone --- src/zmb-standalone/install-service.sh | 73 +++++++++++++++++++++------ 1 file changed, 57 insertions(+), 16 deletions(-) diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh index 6ba2878..3d56835 100644 --- a/src/zmb-standalone/install-service.sh +++ b/src/zmb-standalone/install-service.sh 
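Review bot: The sury signing key is imported with `apt-key add -`, which is deprecated and trusts that key for every configured repository, not just packages.sury.org; store it in a keyring and bind it to the source with `signed-by`: `wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /usr/share/keyrings/sury-php.gpg` and `echo "deb [signed-by=/usr/share/keyrings/sury-php.gpg] https://packages.sury.org/php/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/php.list` (if the downloaded file is already binary, `--dearmor` passes it through). `bin/console kimai:user:create … ROLE_SUPER_ADMIN $LXC_PWD` puts the admin password on the command line, where it is visible in the process list and in any `set -x` trace; prefer the interactive prompt or stdin if the command supports it, and quote `"$LXC_PWD"` in any case. `chown -R www-data:www-data .` makes the whole application tree writable by the PHP worker; limiting ownership to `var/` and `public/` (the following `chmod -R g+rw var/` already singles out the writable part) keeps the code read-only for the web process. `DATABASE_URL` hard-codes `serverVersion=5.7` although MariaDB is what gets installed and the heredoc's own comment shows the `mariadb-…` form — confirm which dialect Doctrine should use.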
@@ -11,18 +11,27 @@ source /root/constants-service.conf # add wsdd package repo apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key +apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc +echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list +cat << EOF > /etc/apt/preferences.d/samba +Package: samba* +Pin: release a=$(lsb_release -cs)-backports +Pin-Priority: 900 +EOF + +cat << EOF > /etc/apt/preferences.d/cockpit +Package: cockpit* +Pin: release a=$(lsb_release -cs)-backports +Pin-Priority: 900 +EOF + apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t $(lsb_release -cs)-backports cockpit - -mkdir /usr/share/cockpit/smb -wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html -wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json -wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o 
DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}') useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER 
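Review bot: The new `apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc` line adds the 45Drives key to apt's global keyring, where it is trusted for every configured repository rather than only for repo.45drives.com, and `apt-key` itself is deprecated in current Debian. Scoping the key is a two-line change: `mkdir -p /etc/apt/keyrings && wget -O /etc/apt/keyrings/45drives.asc https://repo.45drives.com/key/gpg.asc` followed by `echo "deb [signed-by=/etc/apt/keyrings/45drives.asc] https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list`. The hard-coded `focal` suite also stands out next to the surrounding `$(lsb_release -cs)` lines; if the vendor only publishes that suite, a one-line comment saying so will stop the next reader from "fixing" it. The pre-existing `apt-key` line for the ltec repo has the same shape but is context, not part of this change.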
@@ -30,21 +39,53 @@ echo "$USER:$ZMB_ADMIN_PASS" | chpasswd smbpasswd -x $USER (echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER -cat << EOF >> /etc/samba/smb.conf -[$ZMB_SHARE] - comment = Main Share - path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE - read only = No - vfs objects = shadow_copy2 - create mask = 0660 - directory mask = 0770 +usermod -aG sudo $USER + +cat << EOF | sudo tee -i /etc/samba/smb.conf +[global] + include = registry +EOF + +cat << EOF | sudo tee -i /etc/samba/import.template +[global] + workgroup = WORKGROUP + log file = /var/log/samba/log.%m + max log size = 1000 + logging = file + panic action = /usr/share/samba/panic-action %d + server role = standalone server + obey pam restrictions = yes + unix password sync = yes + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + pam password change = yes + map to guest = bad user + map acl inherit = yes + acl_xattr:ignore system acls = yes + vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr full_audit shadow: snapdir = .zfs/snapshot shadow: sort = desc shadow: format = -%Y-%m-%d-%H%M - shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\} + shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\} shadow: delimiter = -20 + fruit:encoding = native + fruit:metadata = stream + fruit:zero_file_id = yes + fruit:nfs_aces = no + full_audit:priority = notice + full_audit:facility = local5 + full_audit:success = connect disconnect mkdir rmdir read write rename + full_audit:failure = connect + full_audit:prefix = %u|%I|%S EOF +net conf import /etc/samba/import.template + +net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +net conf setparm $ZMB_SHARE readonly no +net conf setparm $ZMB_SHARE createmask 
0660 +net conf setparm $ZMB_SHARE directorymask 0770 + mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE From 439f2ba64b06c5b9f998bacd6981a0c22676efe9 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 10 Jan 2023 21:49:15 +0100 Subject: [PATCH 44/96] kimai: Change server version in db config --- src/kimai/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/kimai/install-service.sh b/src/kimai/install-service.sh index 593af6d..c0a53b7 100644 --- a/src/kimai/install-service.sh +++ b/src/kimai/install-service.sh @@ -151,7 +151,7 @@ cat << EOF >> .env # For MariaDB it would be "serverVersion=mariadb-10.5.8": # DATABASE_URL=mysql://user:password@127.0.0.1:3306/database?charset=utf8&serverVersion=mariadb-10.5.8 # -DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=5.7 +DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.18 #================================================================================ # The full documentation can be found at https://www.kimai.org/documentation/emails.html @@ -191,4 +191,4 @@ systemctl daemon-reload systemctl enable --now php8.1-fpm nginx systemctl restart php8.1-fpm nginx -echo -e "Your kimai installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\n\nPassword:\t${LXC_PWD}\n\n" \ No newline at end of file +echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n" \ No newline at end of file From 04f55cd566109037971af84e5adf02984c3e5eaf Mon Sep 17 00:00:00 2001 
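Review bot: `usermod -aG sudo $USER` grants the Samba admin account full sudo, yet the only credential on that account is `$ZMB_ADMIN_PASS`, the same secret passed to `chpasswd` and `smbpasswd` just above, so anyone who obtains the share-admin password obtains root on the container. Nothing in this script needs it (the `net conf` calls already run as root), so either drop the line or make it an explicit opt-in constant with a comment such as `# WARNING: sudo membership turns the SMB admin password into a root password`. Separately, `cat << EOF | sudo tee -i /etc/samba/smb.conf` and the `import.template` variant invoke `sudo` from a script that is already root and `-i` only ignores SIGINT; `cat << EOF > /etc/samba/smb.conf`, matching the preferences.d blocks in the previous hunk, is simpler and does not depend on sudo being installed. Since no line of either heredoc needs shell expansion, quoting the delimiter (`<< 'EOF'`) would also make the `\s`/`\n` sequences in `passwd chat` survive by design rather than by bash's leniency with unknown backslash escapes.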
From: thorstenspille
Date: Tue, 10 Jan 2023 22:00:24 +0100
Subject: [PATCH 45/96] Add winbind apt pinnung
---
 src/zmb-standalone/install-service.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh
index 3d56835..e6a56ee 100644
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@@ -17,7 +17,13 @@ echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/source
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 cat << EOF > /etc/apt/preferences.d/samba
-Package: samba*
+Package: samba
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
+cat << EOF > /etc/apt/preferences.d/winbind
+Package: winbind
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
From 666e2b320cdb989b6bdae2f34cc5589c6fca4b1f Mon Sep 17 00:00:00 2001
From: thorstenspille
Date: Wed, 11 Jan 2023 19:58:24 +0100
Subject: [PATCH 46/96] Fix zmb-standalone
---
 src/zmb-standalone/install-service.sh | 29 ++++++++++++---------------
 1 file changed, 13 insertions(+), 16 deletions(-)
diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh
index e6a56ee..b14bd3b 100644
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@@ -17,13 +17,13 @@ echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/source
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 cat << EOF > /etc/apt/preferences.d/samba
-Package: samba
+Package: samba*
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
 cat << EOF > /etc/apt/preferences.d/winbind
-Package: winbind
+Package: winbind*
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
@@ -59,6 +59,7 @@ cat << EOF | sudo tee -i /etc/samba/import.template max log size = 1000 logging = file panic action = /usr/share/samba/panic-action %d + log level = 3 server role = standalone server obey pam restrictions = yes unix password sync = yes @@ -66,34 +67,30 @@ cat << EOF | sudo tee -i /etc/samba/import.template passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes map to guest = bad user + vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr map acl inherit = yes acl_xattr:ignore system acls = yes - vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr full_audit shadow: snapdir = .zfs/snapshot shadow: sort = desc shadow: format = -%Y-%m-%d-%H%M shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\} shadow: delimiter = -20 fruit:encoding = native - fruit:metadata = stream - fruit:zero_file_id = yes - fruit:nfs_aces = no - full_audit:priority = notice - full_audit:facility = local5 - full_audit:success = connect disconnect mkdir rmdir read write rename - full_audit:failure = connect - full_audit:prefix = %u|%I|%S + fruit:metadata = stream + fruit:zero_file_id = yes + fruit:nfs_aces = no EOF net conf import /etc/samba/import.template -net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE -net conf setparm $ZMB_SHARE readonly no -net conf setparm $ZMB_SHARE createmask 0660 -net conf setparm $ZMB_SHARE directorymask 0770 - mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +net conf setparm $ZMB_SHARE readonly no +net conf setparm $ZMB_SHARE browseable yes +net conf setparm $ZMB_SHARE createmask 0660 +net conf setparm $ZMB_SHARE directorymask 0770 + systemctl restart smbd nmbd wsdd 
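Review bot: Dropping `full_audit` from `vfs objects` together with its `full_audit:*` keys in the second hunk on this line removes the only per-operation audit trail the share had, while `log level = 3` in the first hunk adds protocol-level debug output that is far noisier and not a substitute for a compact who/what/when record. If the module was removed because of volume, keep it with a narrower list, e.g. `full_audit:success = connect disconnect mkdir rmdir rename` (leaving out `read write`) and `full_audit:failure = connect`, and either revert `log level = 3` or document why a production config needs it (`# log level 3: temporarily raised for …; reset to 1 afterwards`). `browseable yes` in the re-added `net conf setparm` block is Samba's default, so a short comment that it is set explicitly on purpose would save a reader from wondering what it overrides.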
From c9037d4d970deb6c4e7eb782ac6cbf86d70fb59c Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 11 Jan 2023 23:03:03 +0100 Subject: [PATCH 47/96] zmb-member: Update samba to backports --- src/zmb-member/install-service.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh index c2fdfcf..2dd69c3 100644 --- a/src/zmb-member/install-service.sh +++ b/src/zmb-member/install-service.sh @@ -12,10 +12,11 @@ source /root/constants-service.conf # add wsdd package repo apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list +echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd mv /etc/krb5.conf /etc/krb5.conf.bak cat > /etc/krb5.conf < Date: Wed, 11 Jan 2023 23:03:14 +0100 Subject: [PATCH 48/96] zmb-ad-join:: Update samba to backports --- src/zmb-ad-join/install-service.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index 87b03e7..a75bbbe 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh 
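Review bot: The `-t $(lsb_release -cs)-backports` install here, and the parallel hunks for zmb-ad-join and zmb-ad below, add the backports suite without the `/etc/apt/preferences.d` pins that zmb-standalone received in the preceding commits, so as far as I can tell only the packages named on this line come from backports and any samba-related package installed later by hand can resolve against stable and mix Samba versions. Adding the same `Package: samba*` / `Package: winbind*` stanzas with `Pin-Priority: 900`, or a comment stating why these profiles deliberately go without them, keeps the three profiles consistent. The tail of this hunk (`cat > /etc/krb5.conf <`) is truncated in this rendering, so the krb5 heredoc itself was not reviewed.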
@@ -53,11 +53,14 @@ restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 tinker panic 0
 EOF
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp cifs-utils samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 cat << EOF > /etc/nginx/sites-available/default
From 5d314c05f96ce154719a07d83525bd14232663b3 Mon Sep 17 00:00:00 2001
From: thorstenspille
Date: Wed, 11 Jan 2023 23:03:30 +0100
Subject: [PATCH 49/96] zmb-ad: Update samba to backports
---
 src/zmb-ad/install-service.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh
index dd87596..2ba387f 100644
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@@ -59,11 +59,14 @@ restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 tinker panic 0
 EOF
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 cat << EOF > /etc/nginx/sites-available/default
From b0400cb347351df3879a3a008f00e045b9f99459 Mon Sep 17 00:00:00 2001
From: thorstenspille
Date: Wed, 11 Jan 2023 23:23:56 +0100
Subject: [PATCH 50/96] zammad finetuning
---
 src/zammad/constants-service.conf | 3 ++
 src/zammad/install-service.sh | 53 +++++++++++++++++++++++++++++--
 2 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/src/zammad/constants-service.conf b/src/zammad/constants-service.conf
index 1e8fb5e..59f06b1 100644
--- a/src/zammad/constants-service.conf
+++ b/src/zammad/constants-service.conf
@@ -18,3 +18,6 @@ LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" + +# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) +LXC_MEM="4096" \ No newline at end of file diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh index b6ea274..d71d113 100644 --- a/src/zammad/install-service.sh +++ b/src/zammad/install-service.sh @@ -15,7 +15,34 @@ wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/za echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert zammad +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad + + +cat << EOF >>/etc/hosts +0.0.0.0 image.zammad.com +0.0.0.0 images.zammad.com +0.0.0.0 geo.zammad.com +0.0.0.0 www.zammad.com +0.0.0.0 www.zammad.org +0.0.0.0 www.zammad.net +0.0.0.0 www.zammad.de +0.0.0.0 zammad.com +0.0.0.0 zammad.org +0.0.0.0 zammad.net +0.0.0.0 zammad.de +# +127.0.0.1 elasticsearch +0.0.0.0 geoip.elastic.co +EOF + +# Java set startup environment +mkdir -p /etc/elasticsearch/jvm.options.d +cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options +# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size +# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g +-Xms1g +-Xmx1g +EOF # configurwe nginx rm -f /etc/nginx/sites-enabled/default 
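Review bot: The `cat << EOF >>/etc/hosts` block is appended unconditionally and says nothing about why a dozen vendor hostnames are pointed at 0.0.0.0, so an operator who finds those entries later cannot tell a deliberate hardening step from tampering. Give it a why-comment, e.g. `# Sinkhole Zammad/Elastic hosted services (image, geo lookups) — presumably to keep the helpdesk from calling out to the vendor; confirm before removing`, and guard it with `grep -q 'image.zammad.com' /etc/hosts ||` so a re-run does not duplicate the entries. The JVM comment `# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g` no longer matches the `LXC_MEM="4096"` set in this same commit; either size the heap to 2g or state that 1g is intentional. The `# configurwe nginx` typo just below is context, not part of this change.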
@@ -66,7 +93,16 @@ server { ssl_stapling_verify on; resolver 1.1.1.1 1.0.0.1; - +# +# https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache +# + add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; + add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *"; + add_header Referrer-Policy "strict-origin"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"; add_header Strict-Transport-Security "max-age=31536000" always; location = /robots.txt { @@ -118,6 +154,17 @@ server { } EOF +ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/ + openssl dhparam -out /etc/nginx/dhparam.pem 4096 -systemctl restart nginx \ No newline at end of file +systemctl enable elasticsearch.service +systemctl restart nginx elasticsearch.service + +# Elasticsearch conntact to Zammad +/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment +zammad run rails r "Setting.set('es_url', 'http://localhost:9200')" +zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')" +zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy" +systemctl restart elasticsearch.service +zammad run rake searchindex:rebuild \ No newline at end of file From 21db9f37c5cf2f3f73b3cb3ddab65259d6086cbf Mon Sep 17 00:00:00 2001 
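Review bot: The new `add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';` is emitted alongside the existing `add_header Strict-Transport-Security "max-age=31536000" always;` that survives as context a few lines further down, so responses now carry two conflicting HSTS headers, and the new one, lacking `always`, is not sent on error responses. `preload` with `includeSubDomains` is also a domain-wide commitment — every host under the served domain becomes HTTPS-only for browsers that have seen it — which a generic installer fronting a self-signed certificate should not make on the operator's behalf; replace both lines with `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and leave `preload` as a documented opt-in. `X-XSS-Protection "1; mode=block"` is a legacy header that current guidance sets to `0` or omits. The CSP with `script-src *` and no `'unsafe-inline'` may block inline scripts the Zammad UI relies on; that cannot be verified from the hunk, so it should be exercised in a browser before this ships.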
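Review bot: `zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"` calls `.destroy` on `nil` whenever the demo user is absent (a re-run, or a Zammad build without sample data), which raises and, if this script runs under `set -e` like the other installers in the series, aborts after nginx and Elasticsearch are already enabled; the safe-navigation form `User.find_by(email: 'nicole.braun@zammad.org')&.destroy` avoids that. The `-b` on `elasticsearch-plugin install` auto-accepts the plugin's permission prompts, which deserves a one-line comment (`# -b: batch mode, accept the plugin's security permissions non-interactively`) so nobody removes it as a typo. The heading `# Elasticsearch conntact to Zammad` should read `connect`.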
From: Kevin Papst
Date: Thu, 12 Jan 2023 12:44:42 +0100
Subject: [PATCH 51/96] improved kimai image:
- reduce upload size for security reasons
- added opcache and curl extensions
- improve php settings
- simplify .env file and fix db connection type
- use admin@domain for emails
- dynamic php version
---
 src/kimai/install-service.sh | 65 ++++++++++--------------------------
 1 file changed, 18 insertions(+), 47 deletions(-)
diff --git a/src/kimai/install-service.sh b/src/kimai/install-service.sh
index 593af6d..8c55cfc 100644
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@@ -19,12 +19,13 @@ echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip php8.1-opcache php8.1-curl
 mkdir /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
+PHP_VERSION=${PHP_VERSION:0:3}
 cat << EOF > /etc/nginx/sites-available/default
 server {
@@ -37,7 +38,7 @@ server {
 server {
- client_max_body_size 100M;
+ client_max_body_size 2M;
 fastcgi_buffers 64 4K;
 client_body_timeout 120s;
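Review bot: `PHP_VERSION=${PHP_VERSION:0:3}` slices a fixed three characters from the `php -v` output, so any future two-digit component (e.g. `10.0`) would yield a wrong prefix and every `/run/php/php${PHP_VERSION}-fpm.sock` and `/etc/php/${PHP_VERSION}/...` path built from it in the later hunks would point nowhere; `PHP_VERSION=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')` is exact and also replaces the `head | cut` pipe. The commit message promises a dynamic PHP version, but the `apt install` line in this hunk still hard-codes `php8.1 php8.1-intl … php8.1-curl`; the constants file appears to carry `KIMAI_PHP_VERSION="8.1"`, so building the package list from that constant would make the version genuinely configurable. The same derivation feeds the `@@ -61,7 +62,7` and `@@ -107,9 +108,14` hunks below, so one fix covers all three.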
@@ -61,7 +62,7 @@ server {
 location ~ \.php$ {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock;
+ fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
 fastcgi_index index.php;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
@@ -107,9 +108,14 @@ CREATE DATABASE IF NOT EXISTS kimai;
 GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
 FLUSH PRIVILEGES;"
-sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/8.1/fpm/php.ini
-sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/8.1/fpm/php.ini
-sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/8.1/fpm/php.ini
+sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
 php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
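Review bot: Each `sed -i "s/…/…/g" /etc/php/${PHP_VERSION}/fpm/php.ini` in the second hunk exits 0 even when its pattern is absent (a packaged php.ini whose default line reads differently is simply left untouched), so a drifted ini is silently mis-tuned; a post-check such as `grep -q '^opcache.enable=1' /etc/php/${PHP_VERSION}/fpm/php.ini || echo "opcache not enabled" >&2` for the settings that matter would surface that. Two of the new values change security-relevant behaviour and should carry a why-comment: `session.gc_maxlifetime = 604800` keeps a session, and therefore a stolen session cookie, valid for seven days instead of 24 minutes, and `opcache.validate_timestamps=0` means a later `composer install` or kimai update is ignored until php-fpm restarts. Suggested lines: `# 7-day sessions: convenience for a single-tenant time tracker; shorten on shared hosts` and `# validate_timestamps=0: restart php${PHP_VERSION}-fpm after every kimai update`.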
@@ -135,47 +141,12 @@ export COMPOSER_ALLOW_SUPERUSER=1 # Copy and update kimai environment variables cat << EOF >> .env -#================================================================================ -# Configure your database connection and set the correct server version. -# -# You have to replace the following values with your defaults: -# - the version "5.7" -# - the database username "user" -# - the database password "password" -# - the database schema name "database" -# - you might have to adapt port "3306" and server IP "127.0.0.1" as well -# -# For MySQL that would be "serverVersion=5.7" as in: -# DATABASE_URL=mysql://user:password@127.0.0.1:3306/database?charset=utf8&serverVersion=5.7 -# -# For MariaDB it would be "serverVersion=mariadb-10.5.8": -# DATABASE_URL=mysql://user:password@127.0.0.1:3306/database?charset=utf8&serverVersion=mariadb-10.5.8 -# -DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=5.7 - -#================================================================================ -# The full documentation can be found at https://www.kimai.org/documentation/emails.html -# -# Email will be sent with this address as sender: -MAILER_FROM=kimai@example.com -# Email connection (disabled by default) - see documentation for the format +# For more infos about the variables, see .env.dist +DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.8 +MAILER_FROM=admin@$LXC_DOMAIN MAILER_URL=null://null - -#================================================================================ -# Running behind reverse proxies? 
Try these: -# TRUSTED_PROXIES=127.0.0.1,127.0.0.2 -# TRUSTED_HOSTS=localhost,example.com - -#================================================================================ -# do not change, unless you are developing for Kimai APP_ENV=prod - -#================================================================================ -# should be changed to a unique character sequence, used for hashing cookies APP_SECRET=$(random_password) - -#================================================================================ -# unlikely, that you need to change this one CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$ EOF @@ -188,7 +159,7 @@ bin/console kimai:install -n bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD systemctl daemon-reload -systemctl enable --now php8.1-fpm nginx -systemctl restart php8.1-fpm nginx +systemctl enable --now php${PHP_VERSION}-fpm nginx +systemctl restart php${PHP_VERSION}-fpm nginx -echo -e "Your kimai installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\n\nPassword:\t${LXC_PWD}\n\n" \ No newline at end of file +echo -e "Your kimai installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\n\nPassword:\t${LXC_PWD}\n\n" From 0036769cc93ae8bfdc226730aa726e3d7a3d9dca Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 12 Jan 2023 13:43:09 +0100 Subject: [PATCH 52/96] Change kimai branch to main --- src/kimai/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/kimai/constants-service.conf b/src/kimai/constants-service.conf index c378d16..b0bef6e 100644 --- a/src/kimai/constants-service.conf +++ b/src/kimai/constants-service.conf 
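Review bot: This hunk writes `serverVersion=mariadb-10.5.8`, but it is cut against the same base (index 593af6d) as PATCH 44/96, which had already moved that value to `mariadb-10.5.18`, and PATCH 53/96 below shows `10.5.8` in the file, so PATCH 44's change is lost; the `@@ -188,7 +159,7` hunk on this line likewise reinstates the `echo -e` wording and the trailing-newline fix that PATCH 44 made. Pick one serverVersion, ideally the one matching the `mariadb-server` package the install hunk above pulls in, and carry it through both commits. `APP_SECRET=$(random_password)` presumably comes from the sourced /root/functions.sh; a comment naming that helper (`# random_password from /root/functions.sh`) would save the reader a search.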
@@ -20,7 +20,7 @@ LXC_UNPRIVILEGED="1"
 LXC_NESTING="1"
 # Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
-KIMAI_VERSION="release-2.0-beta"
+KIMAI_VERSION="main"
 # Defines the php version to install
 KIMAI_PHP_VERSION="8.1"
From 84e595d3bbc1021d20cbab63b1ec96d460c1cc22 Mon Sep 17 00:00:00 2001
From: thorstenspille
Date: Thu, 12 Jan 2023 13:43:09 +0100
Subject: [PATCH 53/96] kimai: Overwrite .env, instead of append
---
 src/kimai/install-service.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/kimai/install-service.sh b/src/kimai/install-service.sh
index a9236ab..91ff0ea 100644
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@@ -140,7 +140,7 @@ export COMPOSER_ALLOW_SUPERUSER=1
 /usr/local/bin/composer install --optimize-autoloader -n
 # Copy and update kimai environment variables
-cat << EOF >> .env
+cat << EOF > .env
 # For more infos about the variables, see .env.dist
 DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.8
 MAILER_FROM=admin@$LXC_DOMAIN
From b6208be38d43301df9fe82a028b821f54c4094e0 Mon Sep 17 00:00:00 2001
From: Kevin Papst
Date: Thu, 12 Jan 2023 14:57:33 +0100
Subject: [PATCH 54/96] added kimai to readme
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2b5a841..3106eb9 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,8 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 - `debian-priv` => Debian privileged container with basic toolset
 - `debian-unpriv` => Debian unprivileged container with basic toolset
 - `gitea`=> Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
-- `kopano-core` => Kopano Core Grouoware [kopano.io](https://kopano.io/)
+- `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/)
+- `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/)
 - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
 - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
 - `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
From 75e073c0bc8c049bd44e99bdf66070ef30bb6797 Mon Sep 17 00:00:00 2001
From: thorstenspille
Date: Fri, 13 Jan 2023 19:40:37 +0100
Subject: [PATCH 55/96] Add unifi controller
---
 src/unifi/constants-service.conf | 20 ++++++++++++++++++++
 src/unifi/install-service.sh | 22 ++++++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 src/unifi/constants-service.conf
 create mode 100644 src/unifi/install-service.sh
diff --git a/src/unifi/constants-service.conf b/src/unifi/constants-service.conf
new file mode 100644
index 0000000..4f5ef36
--- /dev/null
+++ b/src/unifi/constants-service.conf
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
\ No newline at end of file
diff --git a/src/unifi/install-service.sh b/src/unifi/install-service.sh
new file mode 100644
index 0000000..4185f76
--- /dev/null
+++ b/src/unifi/install-service.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
+wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
+
+echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
+echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq sudo unifi
\ No newline at end of file
From 055f75cec74286b2ff8171a4abfe18e8d7ae2b31 Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Sat, 14 Jan 2023 01:43:15 +0100
Subject: [PATCH 56/96] Update README.md
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3106eb9..9b6dd05 100644
--- a/README.md
+++ b/README.md
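Review bot: `deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main` installs MongoDB 3.6 from the Debian 9 (stretch) channel into a `debian-11-standard` container; both that MongoDB series and that Debian release are past end-of-life, so the database under the controller will receive no security fixes, and the line should at least carry a comment (`# MongoDB 3.6 from the stretch channel: presumably the newest series this UniFi release supports — EOL, no security updates`) so the trade-off is visible. Both `wget -O /etc/apt/trusted.gpg.d/...` lines make the MongoDB and Ubiquiti keys trusted for every repository; writing them to `/etc/apt/keyrings/` and adding `[signed-by=…]` to the two `deb` lines limits each key to its own source. The script ends right after `apt install -y -qq sudo unifi` with no completion message or service check, unlike the other installers in this series, which at least tell the operator where to continue.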
@@ -7,7 +7,8 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna ### Requirements Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. ### Included services: -- `checkmk` => Check_MK 2.0 Monitoring Server +- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/) +- `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/) - `debian-priv` => Debian privileged container with basic toolset - `debian-unpriv` => Debian unprivileged container with basic toolset - `gitea`=> Lightweight and fast self-hosted git service [gitea.io](https://gitea.io) @@ -19,6 +20,7 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com) - `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de) - `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server) +- `unifi` => Unifi Controller [ui.com](https://ui.com) - `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org) - `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com) - `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/) From 455fcb280adff88b0bf87cf1a8070096922116d8 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 15 Jan 2023 22:29:33 +0100 Subject: [PATCH 57/96] Update constants-service.conf --- src/checkmk/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/checkmk/constants-service.conf b/src/checkmk/constants-service.conf index fadd3a9..3ebbaa3 100644 --- a/src/checkmk/constants-service.conf +++ b/src/checkmk/constants-service.conf @@ -20,6 +20,6 @@ LXC_UNPRIVILEGED="1" LXC_NESTING="1" # checkmk version -CMK_VERSION=2.0.0p23 +CMK_VERSION=2.1.0p19 # build number of the debian package (needs to start with underscore) CMK_BUILD=_0 
From 975480dd7e6ba4226baf53fa3b7eed23e4a7bf66 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 15 Jan 2023 22:31:43 +0100 Subject: [PATCH 58/96] open3a: Update version 3.7 --- src/open3a/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh index 0a84d51..f45cebd 100644 --- a/src/open3a/install-service.sh +++ b/src/open3a/install-service.sh @@ -57,7 +57,7 @@ CREATE DATABASE IF NOT EXISTS open3a; GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';" cd $webroot -wget https://www.open3a.de/download/open3A%203.6.zip -O $webroot/open3a.zip +wget https://www.open3a.de/download/open3A%203.7.zip -O $webroot/open3a.zip unzip open3a.zip rm open3a.zip chmod 666 system/DBData/Installation.pfdb.php From afb496daf19ad7cbddc219d9692f5dee805e9377 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Mon, 16 Jan 2023 09:35:01 +0100 Subject: [PATCH 59/96] Change mailpiler version to 1.3.12 --- src/mailpiler/constants-service.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mailpiler/constants-service.conf b/src/mailpiler/constants-service.conf index 91bfc92..c943bf2 100644 --- a/src/mailpiler/constants-service.conf +++ b/src/mailpiler/constants-service.conf @@ -20,8 +20,8 @@ LXC_UNPRIVILEGED="1" LXC_NESTING="1" # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest') -PILER_VERSION="latest" +PILER_VERSION="1.3.12" # Defines the version of sphinx to install PILER_SPHINX_VERSION="3.3.1" # Defines the php version to install -PILER_PHP_VERSION="7.4" \ No newline at end of file +PILER_PHP_VERSION="7.4" From 1d4de5ede7b48b29935e1dad8c5aa44799ef98dd Mon Sep 17 00:00:00 2001 
From: thorstenspille Date: Sat, 21 Jan 2023 02:30:09 +0100 Subject: [PATCH 60/96] Add vaultwarden container --- conf/zamba.conf.example | 9 ++ src/vaultwarden/constants-service.conf | 29 +++++ src/vaultwarden/install-service.sh | 162 +++++++++++++++++++++++++ 3 files changed, 200 insertions(+) create mode 100644 src/vaultwarden/constants-service.conf create mode 100644 src/vaultwarden/install-service.sh diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index cab7d4c..127f9a4 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example @@ -170,3 +170,12 @@ frontenddomain=${LXC_HOSTNAME}.${LXC_DOMAIN} meshdomain=mesh.${LXC_DOMAIN} adminemail=rmm@${LXC_DOMAIN} +############### vaultwarden Section ############### +VW_SMTP_HOST=mail.bashclub.org +VW_SMTP_FROM="vaultwarden@bashclub.org" +VW_SMTP_FROM_NAME="Vaultwarden Password Manager" +VW_SMTP_PORT=587 +VW_SMTP_SSL=true +VW_SMTP_EXPLICIT_TLS=false +VW_SMTP_USERNAME=vaultwarden@bashclub.org +VW_SMTP_PASSWORD='' \ No newline at end of file diff --git a/src/vaultwarden/constants-service.conf b/src/vaultwarden/constants-service.conf new file mode 100644 index 0000000..fe2b115 --- /dev/null +++ b/src/vaultwarden/constants-service.conf 
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the name from the SQL database
+VAULTWARDEN_DB_NAME="vaultwarden"
+
+# Defines the name from the SQL user
+VAULTWARDEN_DB_USR="vaultwarden"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+VAULTWARDEN_DB_PWD="$(random_password)"
\ No newline at end of file
diff --git a/src/vaultwarden/install-service.sh b/src/vaultwarden/install-service.sh
new file mode 100644
index 0000000..0ffa636
--- /dev/null
+++ b/src/vaultwarden/install-service.sh
@@ -0,0 +1,162 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +admin_token=$(openssl rand -base64 48) + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert + +systemctl enable --now postgresql + +wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract +chmod +x docker-image-extract +./docker-image-extract vaultwarden/server:alpine +mkdir /opt/vaultwarden +mkdir -p /var/lib/vaultwarden/data +useradd vaultwarden +chown -R vaultwarden:vaultwarden /var/lib/vaultwarden +mv output/vaultwarden /opt/vaultwarden +mv output/web-vault /var/lib/vaultwarden/ +rm -Rf output +rm -Rf docker-image-extract + +su - postgres < /var/lib/vaultwarden/.env +DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden +DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN} +ORG_CREATION_USERS=admin@$LXC_DOMAIN +# Use `openssl rand -base64 48` to generate +ADMIN_TOKEN=$admin_token +# Uncomment this once vaults restored +SIGNUPS_ALLOWED=false +INVITATIONS_ALLOWED=false +SMTP_HOST=$VW_SMTP_HOST +SMTP_FROM=$VW_SMTP_FROM +SMTP_FROM_NAME="$VW_SMTP_FROM_NAME" +SMTP_PORT=$VW_SMTP_PORT # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us> +SMTP_SSL=$VW_SMTP_SSL # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_> +SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. 
It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o> +SMTP_USERNAME=$VW_SMTP_USERNAME +SMTP_PASSWORD=$VW_SMTP_PASSWORD +SMTP_TIMEOUT=15 +EOF + +cat << EOF > /etc/systemd/system/vaultwarden.service +[Unit] +Description=Bitwarden Server (Rust Edition) +Documentation=https://github.com/dani-garcia/vaultwarden +After=network.target + +[Service] +User=vaultwarden +Group=vaultwarden +EnvironmentFile=/var/lib/vaultwarden/.env +ExecStart=/opt/vaultwarden/vaultwarden +LimitNOFILE=1048576 +LimitNPROC=64 +PrivateTmp=true +PrivateDevices=true +ProtectHome=true +ProtectSystem=strict +WorkingDirectory=/var/lib/vaultwarden +ReadWriteDirectories=/var/lib/vaultwarden +AmbientCapabilities=CAP_NET_BIND_SERVICE + +[Install] +WantedBy=multi-user.target +EOF + +cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook +DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";}; +EOF + +cat << EOF > /var/lib/vaultwarden/update.sh +PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" +wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract +chmod +x docker-image-extract +./docker-image-extract vaultwarden/server:alpine +mv output/vaultwarden /opt/vaultwarden +systemctl stop vaultwarden.service +cp -rlf output/web-vault /var/lib/vaultwarden/ +rm -Rf output +rm -Rf docker-image-extract +systemctl start vaultwarden.service +EOF + +chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook +chmod +x /var/lib/vaultwarden/update.sh + +cat << EOF > /etc/nginx/conf.d/default.conf +server { + listen 80; + listen [::]:80; + server_name _; + + server_tokens off; + + access_log /var/log/nginx/vaultwarden.access.log; + error_log /var/log/nginx/vaultwarden.error.log; + + location /.well-known/ { + root /var/www/html; + } + + return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ${LXC_HOSTNAME}.${LXC_DOMAIN}; + + server_tokens off; + 
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 1.1.1.1 1.0.0.1; + + add_header Strict-Transport-Security "max-age=31536000" always; + + access_log /var/log/nginx/vaultwarden.access.log; + error_log /var/log/nginx/vaultwarden.error.log; + + client_max_body_size 50M; + + location / { + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_pass http://127.0.0.1:8000; + proxy_read_timeout 90; + } +} + +EOF +openssl dhparam -out /etc/nginx/dhparam.pem 4096 + +systemctl daemon-reload +systemctl enable --now vaultwarden +systemctl restart nginx \ No newline at end of file From 7347aaf6d54387bf61cff219d65c7b3b0603cff3 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 21 Jan 2023 02:47:26 +0100 Subject: [PATCH 61/96] Add sudo to standard toolchain --- src/constants.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/constants.conf b/src/constants.conf index ecde0f0..be08b75 100644 --- a/src/constants.conf +++ b/src/constants.conf @@ -8,4 +8,4 @@ # This file contains the project constants on container level # Define your (administrative) tools, you always want to have installed into your LXC container -LXC_TOOLSET_BASE="lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget" \ No newline at end of file +LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget" \ No newline at end of file From ffb88737d1f985e010c46b52a82c15ae374d8ef6 Mon Sep 17 00:00:00 2001 
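Review bot: The apt hook `DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};` makes root execute a script that lives in a directory this hunk has already handed to the service account with `chown -R vaultwarden:vaultwarden /var/lib/vaultwarden`, so a compromised vaultwarden process can swap `update.sh` for its own file and have it run as root on the next dpkg invocation. Keep the updater outside the service's writable tree, e.g. write it to `/usr/local/sbin/vaultwarden-update.sh`, point the hook at that path, and leave it root-owned with mode 0755. The `.env` written later holds the database password, `ADMIN_TOKEN` and `SMTP_PASSWORD`, but it is created by root after the recursive chown with whatever umask the installer runs under (typically 0644, i.e. world-readable); add `chmod 600 /var/lib/vaultwarden/.env`, which is safe because systemd reads `EnvironmentFile=` as root before dropping to `User=vaultwarden`. Both the install and `update.sh` also download and execute `docker-image-extract` from the `main` branch without pinning or a checksum, so pinning to a commit and comparing against a known digest (placeholder `<EXPECTED_SHA256>`) would stop an upstream change from silently running as root here. The database-setup heredoc between `su - postgres` and the `.env` heredoc appears garbled in this rendering, so I could not review it.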
From: thorstenspille Date: Sat, 21 Jan 2023 02:49:05 +0100 Subject: [PATCH 62/96] Move sudo to default toolchain --- src/bookstack/install-service.sh | 2 +- src/nextcloud/install-service.sh | 2 +- src/unifi/install-service.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh index 7c26232..f16d2aa 100644 --- a/src/bookstack/install-service.sh +++ b/src/bookstack/install-service.sh @@ -16,7 +16,7 @@ webroot=/var/www/bookstack/public apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server wget -O /opt/wkhtmltox_0.12.6-1.buster_amd64.deb https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.buster_amd64.deb DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /opt/wkhtmltox_0.12.6-1.buster_amd64.deb diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index e719ce6..75e72ac 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh 
@@ -22,7 +22,7 @@ echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends sudo tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \ +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \ postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline} timedatectl set-timezone $LXC_TIMEZONE diff --git a/src/unifi/install-service.sh b/src/unifi/install-service.sh index 4185f76..b09541f 100644 --- a/src/unifi/install-service.sh +++ b/src/unifi/install-service.sh @@ -19,4 +19,4 @@ echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/s apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq sudo unifi \ No newline at end of file +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unifi \ No newline at end of file From cc294118ae18128e305501f997689b930820ab3d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 21 Jan 2023 02:51:51 +0100 Subject: [PATCH 63/96] Make gitea unprivileged --- src/gitea/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf index 77513ba..af82f81 100644 --- a/src/gitea/constants-service.conf +++ b/src/gitea/constants-service.conf 
@@ -14,7 +14,7 @@ LXC_TEMPLATE_VERSION="debian-11-standard" LXC_MP="1" # Create unprivileged container -LXC_UNPRIVILEGED="0" +LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" From ae27f3697b10db6b2a4fd1763d2b0c759fd3e4ba Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 24 Jan 2023 23:04:00 +0100 Subject: [PATCH 64/96] Add automated tagging --- conf/zamba.conf.example | 6 ++++++ install.sh | 6 +++++- src/bookstack/constants-service.conf | 5 ++++- src/checkmk/constants-service.conf | 3 +++ src/debian-priv/constants-service.conf | 5 ++++- src/debian-unpriv/constants-service.conf | 5 ++++- src/gitea/constants-service.conf | 5 ++++- src/kimai/constants-service.conf | 3 +++ src/kopano-core/constants-service.conf | 2 ++ src/mailpiler/constants-service.conf | 3 +++ src/matrix/constants-service.conf | 3 +++ src/nextcloud/constants-service.conf | 3 +++ src/onlyoffice/constants-service.conf | 5 ++++- src/open3a/constants-service.conf | 5 ++++- src/proxmox-pbs/constants-service.conf | 5 ++++- src/unifi/constants-service.conf | 5 ++++- src/urbackup/constants-service.conf | 5 ++++- src/vaultwarden/constants-service.conf | 5 ++++- src/vaultwarden/install-service.sh | 1 - src/zabbix/constants-service.conf | 5 ++++- src/zammad/constants-service.conf | 5 ++++- src/zmb-ad-join/constants-service.conf | 3 +++ src/zmb-ad/constants-service.conf | 5 ++++- src/zmb-member/constants-service.conf | 5 ++++- src/zmb-standalone/constants-service.conf | 5 ++++- 25 files changed, 91 insertions(+), 17 deletions(-) diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index 127f9a4..9ddc3df 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example 
@@ -84,6 +84,12 @@ LXC_VIM_BG_DARK=1 # Default random password length LXC_RANDOMPWD=32 +# Automatically add meta tags to lxc container +LXC_AUTOTAG=1 + +# Add meta tags to linux container +LXC_TAGS="linux,debian,${service}" + ############### Zamba-Server-Section ############### # Defines the REALM for the Active Directory (AD DC, AD member) diff --git a/install.sh b/install.sh index 02a05b3..8e5b4c9 100755 --- a/install.sh +++ b/install.sh @@ -102,6 +102,10 @@ source "$config" source "$PWD/src/$service/constants-service.conf" +if [ $LXC_AUTOTAG -gt 0 ]; then + TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}" +fi + # CHeck is the newest template available, else download it. DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2) DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2) @@ -131,7 +135,7 @@ fi echo "Will now create LXC Container $LXC_NBR!"; # Create the container -pct create $LXC_NBR --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; +pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; sleep 2; # Check vlan configuration diff --git a/src/bookstack/constants-service.conf b/src/bookstack/constants-service.conf index 4f5ef36..1f9a027 100644 --- a/src/bookstack/constants-service.conf +++ b/src/bookstack/constants-service.conf @@ -17,4 +17,7 @@ LXC_MP="0" LXC_UNPRIVILEGED="1" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/checkmk/constants-service.conf b/src/checkmk/constants-service.conf index 3ebbaa3..c0042df 100644 --- a/src/checkmk/constants-service.conf +++ b/src/checkmk/constants-service.conf 
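Review bot: `TAGS` is only assigned inside the `if [ $LXC_AUTOTAG -gt 0 ]` branch, so when autotagging is disabled `$TAGS` on the `pct create` line is unset — an empty expansion if install.sh runs without `set -u`, a fatal unbound-variable error if it does — and the same `[ ]` test itself errors out when an older `zamba.conf` lacks `LXC_AUTOTAG`. Initialise before the branch and default the flag: `TAGS=""` and `if [ "${LXC_AUTOTAG:-0}" -gt 0 ]; then`. Since `$TAGS` relies on word-splitting to become two arguments, an array (`TAGS=()`, `TAGS=(--tags "${LXC_TAGS},${SERVICE_TAGS}")`, `"${TAGS[@]}"`) would survive quoting the `pct create` line. Services that set `SERVICE_TAGS=""` (debian-unpriv in this series) also produce a trailing comma in the tag list, which is worth checking against what `pct` accepts.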
@@ -23,3 +23,6 @@ LXC_NESTING="1" CMK_VERSION=2.1.0p19 # build number of the debian package (needs to start with underscore) CMK_BUILD=_0 + +# service dependent meta tags +SERVICE_TAGS="apache2" \ No newline at end of file diff --git a/src/debian-priv/constants-service.conf b/src/debian-priv/constants-service.conf index 1f764d7..550f81c 100644 --- a/src/debian-priv/constants-service.conf +++ b/src/debian-priv/constants-service.conf @@ -17,4 +17,7 @@ LXC_MP="0" LXC_UNPRIVILEGED="0" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# service dependent meta tags +SERVICE_TAGS="privileged" \ No newline at end of file diff --git a/src/debian-unpriv/constants-service.conf b/src/debian-unpriv/constants-service.conf index 4f5ef36..a05e518 100644 --- a/src/debian-unpriv/constants-service.conf +++ b/src/debian-unpriv/constants-service.conf @@ -17,4 +17,7 @@ LXC_MP="0" LXC_UNPRIVILEGED="1" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# service dependent meta tags +SERVICE_TAGS="" \ No newline at end of file diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf index af82f81..eb2ff1e 100644 --- a/src/gitea/constants-service.conf +++ b/src/gitea/constants-service.conf @@ -32,4 +32,7 @@ GITEA_DB_NAME="gitea" GITEA_DB_USR="gitea" # Build a strong password for the SQL user - could be overwritten with something fixed -GITEA_DB_PWD="$(random_password)" \ No newline at end of file +GITEA_DB_PWD="$(random_password)" + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql" \ No newline at end of file diff --git a/src/kimai/constants-service.conf b/src/kimai/constants-service.conf index b0bef6e..2753b7a 100644 --- a/src/kimai/constants-service.conf +++ b/src/kimai/constants-service.conf 
@@ -24,3 +24,6 @@ KIMAI_VERSION="main" # Defines the php version to install KIMAI_PHP_VERSION="8.1" + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/kopano-core/constants-service.conf b/src/kopano-core/constants-service.conf index 739d6d1..c393914 100644 --- a/src/kopano-core/constants-service.conf +++ b/src/kopano-core/constants-service.conf @@ -39,3 +39,5 @@ MARIA_DB_USER="kopano" MARIA_ROOT_PWD=$(random_password) MARIA_USER_PWD=$(random_password) +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/mailpiler/constants-service.conf b/src/mailpiler/constants-service.conf index c943bf2..3a295e7 100644 --- a/src/mailpiler/constants-service.conf +++ b/src/mailpiler/constants-service.conf @@ -25,3 +25,6 @@ PILER_VERSION="1.3.12" PILER_SPHINX_VERSION="3.3.1" # Defines the php version to install PILER_PHP_VERSION="7.4" + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx" \ No newline at end of file diff --git a/src/matrix/constants-service.conf b/src/matrix/constants-service.conf index 292d2ce..d544d5c 100644 --- a/src/matrix/constants-service.conf +++ b/src/matrix/constants-service.conf @@ -21,3 +21,6 @@ LXC_NESTING="1" # Define the version of Element Web MATRIX_ELEMENT_VERSION="v1.9.9" + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql" \ No newline at end of file diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index c805262..81dca34 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf @@ -39,3 +39,6 @@ NEXTCLOUD_DB_USR="nextcloud" # Build a strong password for the SQL user - could be overwritten with something fixed NEXTCLOUD_DB_PWD="$(random_password)" + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,postgresql" \ No newline at end of file 
diff --git a/src/onlyoffice/constants-service.conf b/src/onlyoffice/constants-service.conf index bbaeda4..416c1b2 100644 --- a/src/onlyoffice/constants-service.conf +++ b/src/onlyoffice/constants-service.conf @@ -23,4 +23,7 @@ ONLYOFFICE_DB_HOST=localhost ONLYOFFICE_DB_NAME=onlyoffice -ONLYOFFICE_DB_USER=onlyoffice \ No newline at end of file +ONLYOFFICE_DB_USER=onlyoffice + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql,rabbitmq" \ No newline at end of file diff --git a/src/open3a/constants-service.conf b/src/open3a/constants-service.conf index 4f5ef36..1f9a027 100644 --- a/src/open3a/constants-service.conf +++ b/src/open3a/constants-service.conf @@ -17,4 +17,7 @@ LXC_MP="0" LXC_UNPRIVILEGED="1" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/proxmox-pbs/constants-service.conf b/src/proxmox-pbs/constants-service.conf index b0609cd..4151e54 100644 --- a/src/proxmox-pbs/constants-service.conf +++ b/src/proxmox-pbs/constants-service.conf @@ -20,4 +20,7 @@ LXC_UNPRIVILEGED="1" LXC_NESTING="1" # Backup ubdir where Urbackup will store backups -PBS_DATA="backup" \ No newline at end of file +PBS_DATA="backup" + +# service dependent meta tags +SERVICE_TAGS="backup" \ No newline at end of file diff --git a/src/unifi/constants-service.conf b/src/unifi/constants-service.conf index 4f5ef36..e38defb 100644 --- a/src/unifi/constants-service.conf +++ b/src/unifi/constants-service.conf @@ -17,4 +17,7 @@ LXC_MP="0" LXC_UNPRIVILEGED="1" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# service dependent meta tags +SERVICE_TAGS="mongodb-server,java" \ No newline at end of file diff --git a/src/urbackup/constants-service.conf b/src/urbackup/constants-service.conf index c63658b..bb9e804 100644 --- a/src/urbackup/constants-service.conf +++ b/src/urbackup/constants-service.conf 
@@ -23,4 +23,7 @@ LXC_NESTING="1" URBACKUP_DATA="urbackup" # OS codename for opensuse / urbackup repo -REPO_CODENAME="Debian_11" \ No newline at end of file +REPO_CODENAME="Debian_11" + +# service dependent meta tags +SERVICE_TAGS="nginx" \ No newline at end of file diff --git a/src/vaultwarden/constants-service.conf b/src/vaultwarden/constants-service.conf index fe2b115..ee433eb 100644 --- a/src/vaultwarden/constants-service.conf +++ b/src/vaultwarden/constants-service.conf @@ -26,4 +26,7 @@ VAULTWARDEN_DB_NAME="vaultwarden" VAULTWARDEN_DB_USR="vaultwarden" # Build a strong password for the SQL user - could be overwritten with something fixed -VAULTWARDEN_DB_PWD="$(random_password)" \ No newline at end of file +VAULTWARDEN_DB_PWD="$(random_password)" + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql" \ No newline at end of file diff --git a/src/vaultwarden/install-service.sh b/src/vaultwarden/install-service.sh index 0ffa636..bee4f3c 100644 --- a/src/vaultwarden/install-service.sh +++ b/src/vaultwarden/install-service.sh @@ -41,7 +41,6 @@ ORG_CREATION_USERS=admin@$LXC_DOMAIN ADMIN_TOKEN=$admin_token # Uncomment this once vaults restored SIGNUPS_ALLOWED=false -INVITATIONS_ALLOWED=false SMTP_HOST=$VW_SMTP_HOST SMTP_FROM=$VW_SMTP_FROM SMTP_FROM_NAME="$VW_SMTP_FROM_NAME" diff --git a/src/zabbix/constants-service.conf b/src/zabbix/constants-service.conf index 5dbe68c..e88cac4 100644 --- a/src/zabbix/constants-service.conf +++ b/src/zabbix/constants-service.conf @@ -33,4 +33,7 @@ ZABBIX_DB_NAME="zabbix" ZABBIX_DB_USR="zabbix" # Build a strong password for the SQL user - could be overwritten with something fixed -ZABBIX_DB_PWD="$(random_password)" \ No newline at end of file +ZABBIX_DB_PWD="$(random_password)" + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,postgresql" \ No newline at end of file diff --git a/src/zammad/constants-service.conf b/src/zammad/constants-service.conf index 59f06b1..d4e5885 100644 
--- a/src/zammad/constants-service.conf +++ b/src/zammad/constants-service.conf @@ -20,4 +20,7 @@ LXC_UNPRIVILEGED="1" LXC_NESTING="1" # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) -LXC_MEM="4096" \ No newline at end of file +LXC_MEM="4096" + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql,elasticsearch" \ No newline at end of file diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf index de68731..244db4c 100644 --- a/src/zmb-ad-join/constants-service.conf +++ b/src/zmb-ad-join/constants-service.conf @@ -20,3 +20,6 @@ LXC_UNPRIVILEGED="0" LXC_NESTING="1" OPTIONAL_FEATURES=(wsdd splitdns) + +# service dependent meta tags +SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary" \ No newline at end of file diff --git a/src/zmb-ad/constants-service.conf b/src/zmb-ad/constants-service.conf index 415ffd0..ec5cea6 100644 --- a/src/zmb-ad/constants-service.conf +++ b/src/zmb-ad/constants-service.conf @@ -29,4 +29,7 @@ LXC_NESTING="1" # Example: # OPTIONAL_FEATURES=(wsdd) # OPTIONAL_FEATURES=(wsdd splitdns) -OPTIONAL_FEATURES=() \ No newline at end of file +OPTIONAL_FEATURES=(wsdd splitdns) + +# service dependent meta tags +SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary" \ No newline at end of file diff --git a/src/zmb-member/constants-service.conf b/src/zmb-member/constants-service.conf index e650fc8..12d46e5 100644 --- a/src/zmb-member/constants-service.conf +++ b/src/zmb-member/constants-service.conf @@ -17,4 +17,7 @@ LXC_MP="1" LXC_UNPRIVILEGED="0" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# service dependent meta tags +SERVICE_TAGS="samba,member,fileserver" \ No newline at end of file diff --git a/src/zmb-standalone/constants-service.conf b/src/zmb-standalone/constants-service.conf index e650fc8..b71b870 100644 --- a/src/zmb-standalone/constants-service.conf +++ b/src/zmb-standalone/constants-service.conf 
@@ -17,4 +17,7 @@ LXC_MP="1" LXC_UNPRIVILEGED="0" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# service dependent meta tags +SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit" \ No newline at end of file From 8f59fa937be48af45b19ddfc31e2e05e7d7a9576 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 30 Jan 2023 19:41:32 +0100 Subject: [PATCH 65/96] Install cifs-utils + rsync, add optional features --- src/zmb-ad-join/constants-service.conf | 10 ++++++++++ src/zmb-ad-join/install-service.sh | 3 +-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf index 244db4c..a63fb39 100644 --- a/src/zmb-ad-join/constants-service.conf +++ b/src/zmb-ad-join/constants-service.conf @@ -19,6 +19,16 @@ LXC_UNPRIVILEGED="0" # enable nesting feature LXC_NESTING="1" +# add optional features to samba ad dc + +# CURRENTLY SUPPORTED: +# wsdd = add windows service discovery +# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup +# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ + +# Example: +# OPTIONAL_FEATURES=(wsdd) +# OPTIONAL_FEATURES=(wsdd splitdns) OPTIONAL_FEATURES=(wsdd splitdns) # service dependent meta tags diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index a75bbbe..67b0798 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh 
@@ -60,8 +60,7 @@ apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade # install required packages DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils - +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then cat << EOF > /etc/nginx/sites-available/default server { From 443d70888695f3f7b28ea388b26c56b32ac81031 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 9 Feb 2023 20:31:04 +0100 Subject: [PATCH 66/96] Add ecodms container --- src/ecodms/constants-service.conf | 26 ++++++++++++++++++++++++++ src/ecodms/install-service.sh | 21 +++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 src/ecodms/constants-service.conf create mode 100644 src/ecodms/install-service.sh diff --git a/src/ecodms/constants-service.conf b/src/ecodms/constants-service.conf new file mode 100644 index 0000000..1dac056 --- /dev/null +++ b/src/ecodms/constants-service.conf 
@@ -0,0 +1,26 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# set ecodms release version +ECODMS_RELEASE=ecodms_220864 + +# service dependent meta tags +SERVICE_TAGS="java,postgresql" \ No newline at end of file diff --git a/src/ecodms/install-service.sh b/src/ecodms/install-service.sh new file mode 100644 index 0000000..9eaf184 --- /dev/null +++ b/src/ecodms/install-service.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections +echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections + +echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list +wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg + +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver \ No newline at end of file From cff05a3a5f4fc4ce121df7d0ced694adb509e674 Mon Sep 17 00:00:00 2001 From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com> Date: Fri, 10 Feb 2023 15:32:38 +0100 Subject: [PATCH 67/96] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
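Review bot: The repository key in the new `install-service.sh` is fetched over plain `http://` and written to `/etc/apt/trusted.gpg.d/ecodms.gpg`, so an on-path party can substitute both the key and the `http://` repository it then validates, and the key is trusted for every apt source on the container rather than only this one. Fetch it over TLS (the README hunk later in this series links `https://www.ecodms.de`, so the host appears to serve HTTPS; confirm for the download paths) and scope it with `signed-by`: `wget -qO- https://www.ecodms.de/gpg/ecodms.key | gpg --dearmor -o /usr/share/keyrings/ecodms.gpg` and `echo "deb [signed-by=/usr/share/keyrings/ecodms.gpg] https://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list`. The `tee` also dumps the binary keyring to stdout, and `echo -e` is unnecessary for a line without escape sequences. The `ecodmsserver/license string true` preseed accepts the vendor license non-interactively; a comment such as `# pre-accept the ecoDMS license so the install runs unattended` would record that intent.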
diff --git a/README.md b/README.md index 9b6dd05..648a711 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,8 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/) - `debian-priv` => Debian privileged container with basic toolset - `debian-unpriv` => Debian unprivileged container with basic toolset -- `gitea`=> Lightweight and fast self-hosted git service [gitea.io](https://gitea.io) +- `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de) +- `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io) - `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/) - `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/) - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/) @@ -22,6 +23,7 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server) - `unifi` => Unifi Controller [ui.com](https://ui.com) - `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org) +- `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden) - `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com) - `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/) - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported From 36130b6e875283bf0eb1274f1454ab2692f7023a Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Fri, 10 Feb 2023 16:34:09 +0100 Subject: [PATCH 68/96] nextcloud: change php version to 8.1 --- src/nextcloud/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index 81dca34..ac205a1 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf @@ -23,7 +23,7 @@ LXC_NESTING="1" NEXTCLOUD_VERSION="latest" # Defines the php version to install -NEXTCLOUD_PHP_VERSION="8.0" +NEXTCLOUD_PHP_VERSION="8.1" # Defines the IP from the SQL server NEXTCLOUD_DB_IP="127.0.0.1" From f70f36550c003870f9b4a113031c6ac4d9227930 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Fri, 10 Feb 2023 16:35:33 +0100 Subject: [PATCH 69/96] matrix: remove jitsi, move to new service --- src/matrix/install-service.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh index bec0ae3..712ba83 100644 --- a/src/matrix/install-service.sh +++ b/src/matrix/install-service.sh @@ -146,9 +146,3 @@ sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\ systemctl restart matrix-synapse register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p '$MATRIX_ADMIN_PASSWORD' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008 - -#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg' -#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null - -#apt update -#apt install -y jitsi-meet \ No newline at end of file From 19da1483105838f82bcf0f3a4d7225b57bdeb592 Mon Sep 17 00:00:00 2001 
From: thorstenspille Date: Fri, 10 Feb 2023 18:07:46 +0100 Subject: [PATCH 70/96] Add LXC_MEM_MIN to constatns-service.conf --- src/bookstack/constants-service.conf | 3 +++ src/checkmk/constants-service.conf | 3 +++ src/debian-priv/constants-service.conf | 3 +++ src/debian-unpriv/constants-service.conf | 3 +++ src/ecodms/constants-service.conf | 3 +++ src/gitea/constants-service.conf | 3 +++ src/kimai/constants-service.conf | 3 +++ src/kopano-core/constants-service.conf | 3 +++ src/mailpiler/constants-service.conf | 3 +++ src/matrix/constants-service.conf | 3 +++ src/nextcloud/constants-service.conf | 3 +++ src/onlyoffice/constants-service.conf | 3 +++ src/open3a/constants-service.conf | 3 +++ src/proxmox-pbs/constants-service.conf | 3 +++ src/tactical-rmm/constants-service.conf | 4 ++-- src/unifi/constants-service.conf | 3 +++ src/urbackup/constants-service.conf | 3 +++ src/vaultwarden/constants-service.conf | 3 +++ src/zabbix/constants-service.conf | 3 +++ src/zammad/constants-service.conf | 4 ++-- src/zmb-ad-join/constants-service.conf | 3 +++ src/zmb-ad/constants-service.conf | 3 +++ src/zmb-member/constants-service.conf | 3 +++ src/zmb-standalone/constants-service.conf | 3 +++ 24 files changed, 70 insertions(+), 4 deletions(-) diff --git a/src/bookstack/constants-service.conf b/src/bookstack/constants-service.conf index 1f9a027..6e865bd 100644 --- a/src/bookstack/constants-service.conf +++ b/src/bookstack/constants-service.conf @@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/checkmk/constants-service.conf b/src/checkmk/constants-service.conf index c0042df..73978a6 100644 --- a/src/checkmk/constants-service.conf +++ b/src/checkmk/constants-service.conf 
@@ -24,5 +24,8 @@ CMK_VERSION=2.1.0p19 # build number of the debian package (needs to start with underscore) CMK_BUILD=_0 +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=2048 + # service dependent meta tags SERVICE_TAGS="apache2" \ No newline at end of file diff --git a/src/debian-priv/constants-service.conf b/src/debian-priv/constants-service.conf index 550f81c..6c4691a 100644 --- a/src/debian-priv/constants-service.conf +++ b/src/debian-priv/constants-service.conf @@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="0" # enable nesting feature LXC_NESTING="1" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=512 + # service dependent meta tags SERVICE_TAGS="privileged" \ No newline at end of file diff --git a/src/debian-unpriv/constants-service.conf b/src/debian-unpriv/constants-service.conf index a05e518..7e5a29b 100644 --- a/src/debian-unpriv/constants-service.conf +++ b/src/debian-unpriv/constants-service.conf @@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=512 + # service dependent meta tags SERVICE_TAGS="" \ No newline at end of file diff --git a/src/ecodms/constants-service.conf b/src/ecodms/constants-service.conf index 1dac056..06b8fa2 100644 --- a/src/ecodms/constants-service.conf +++ b/src/ecodms/constants-service.conf @@ -22,5 +22,8 @@ LXC_NESTING="1" # set ecodms release version ECODMS_RELEASE=ecodms_220864 +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=6144 + # service dependent meta tags SERVICE_TAGS="java,postgresql" \ No newline at end of file diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf index eb2ff1e..4019690 100644 --- a/src/gitea/constants-service.conf +++ b/src/gitea/constants-service.conf 
@@ -34,5 +34,8 @@ GITEA_DB_USR="gitea" # Build a strong password for the SQL user - could be overwritten with something fixed GITEA_DB_PWD="$(random_password)" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="nginx,postgresql" \ No newline at end of file diff --git a/src/kimai/constants-service.conf b/src/kimai/constants-service.conf index 2753b7a..12d6e1d 100644 --- a/src/kimai/constants-service.conf +++ b/src/kimai/constants-service.conf @@ -25,5 +25,8 @@ KIMAI_VERSION="main" # Defines the php version to install KIMAI_PHP_VERSION="8.1" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/kopano-core/constants-service.conf b/src/kopano-core/constants-service.conf index c393914..684eb6b 100644 --- a/src/kopano-core/constants-service.conf +++ b/src/kopano-core/constants-service.conf @@ -39,5 +39,8 @@ MARIA_DB_USER="kopano" MARIA_ROOT_PWD=$(random_password) MARIA_USER_PWD=$(random_password) +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=4096 + # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/mailpiler/constants-service.conf b/src/mailpiler/constants-service.conf index 3a295e7..4523fd3 100644 --- a/src/mailpiler/constants-service.conf +++ b/src/mailpiler/constants-service.conf @@ -26,5 +26,8 @@ PILER_SPHINX_VERSION="3.3.1" # Defines the php version to install PILER_PHP_VERSION="7.4" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx" \ No newline at end of file diff --git a/src/matrix/constants-service.conf b/src/matrix/constants-service.conf index d544d5c..a318186 100644 --- a/src/matrix/constants-service.conf 
+++ b/src/matrix/constants-service.conf @@ -22,5 +22,8 @@ LXC_NESTING="1" # Define the version of Element Web MATRIX_ELEMENT_VERSION="v1.9.9" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="nginx,postgresql" \ No newline at end of file diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index ac205a1..51f9a33 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf @@ -40,5 +40,8 @@ NEXTCLOUD_DB_USR="nextcloud" # Build a strong password for the SQL user - could be overwritten with something fixed NEXTCLOUD_DB_PWD="$(random_password)" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=4096 + # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,postgresql" \ No newline at end of file diff --git a/src/onlyoffice/constants-service.conf b/src/onlyoffice/constants-service.conf index 416c1b2..d135850 100644 --- a/src/onlyoffice/constants-service.conf +++ b/src/onlyoffice/constants-service.conf @@ -25,5 +25,8 @@ ONLYOFFICE_DB_NAME=onlyoffice ONLYOFFICE_DB_USER=onlyoffice +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="nginx,postgresql,rabbitmq" \ No newline at end of file diff --git a/src/open3a/constants-service.conf b/src/open3a/constants-service.conf index 1f9a027..6e865bd 100644 --- a/src/open3a/constants-service.conf +++ b/src/open3a/constants-service.conf @@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/proxmox-pbs/constants-service.conf b/src/proxmox-pbs/constants-service.conf index 4151e54..e720f35 100644 --- a/src/proxmox-pbs/constants-service.conf 
+++ b/src/proxmox-pbs/constants-service.conf @@ -22,5 +22,8 @@ LXC_NESTING="1" # Backup ubdir where Urbackup will store backups PBS_DATA="backup" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="backup" \ No newline at end of file diff --git a/src/tactical-rmm/constants-service.conf b/src/tactical-rmm/constants-service.conf index 34e35d9..ad74a02 100644 --- a/src/tactical-rmm/constants-service.conf +++ b/src/tactical-rmm/constants-service.conf @@ -25,8 +25,8 @@ RMM_DB_IP="127.0.0.1" # Defines the PORT from the SQL server RMM_DB_PORT="5432" -# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) -LXC_MEM="4096" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=4096 # Defines the name from the SQL database RMM_DB_NAME="rmm" diff --git a/src/unifi/constants-service.conf b/src/unifi/constants-service.conf index e38defb..ccb3471 100644 --- a/src/unifi/constants-service.conf +++ b/src/unifi/constants-service.conf @@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=2048 + # service dependent meta tags SERVICE_TAGS="mongodb-server,java" \ No newline at end of file diff --git a/src/urbackup/constants-service.conf b/src/urbackup/constants-service.conf index bb9e804..d1511bb 100644 --- a/src/urbackup/constants-service.conf +++ b/src/urbackup/constants-service.conf @@ -25,5 +25,8 @@ URBACKUP_DATA="urbackup" # OS codename for opensuse / urbackup repo REPO_CODENAME="Debian_11" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="nginx" \ No newline at end of file diff --git a/src/vaultwarden/constants-service.conf b/src/vaultwarden/constants-service.conf index ee433eb..65d4f55 100644 --- a/src/vaultwarden/constants-service.conf 
+++ b/src/vaultwarden/constants-service.conf @@ -28,5 +28,8 @@ VAULTWARDEN_DB_USR="vaultwarden" # Build a strong password for the SQL user - could be overwritten with something fixed VAULTWARDEN_DB_PWD="$(random_password)" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="nginx,postgresql" \ No newline at end of file diff --git a/src/zabbix/constants-service.conf b/src/zabbix/constants-service.conf index e88cac4..d4ac610 100644 --- a/src/zabbix/constants-service.conf +++ b/src/zabbix/constants-service.conf @@ -35,5 +35,8 @@ ZABBIX_DB_USR="zabbix" # Build a strong password for the SQL user - could be overwritten with something fixed ZABBIX_DB_PWD="$(random_password)" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=2048 + # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,postgresql" \ No newline at end of file diff --git a/src/zammad/constants-service.conf b/src/zammad/constants-service.conf index d4e5885..823fde3 100644 --- a/src/zammad/constants-service.conf +++ b/src/zammad/constants-service.conf @@ -19,8 +19,8 @@ LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" -# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) -LXC_MEM="4096" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=4096 # service dependent meta tags SERVICE_TAGS="nginx,postgresql,elasticsearch" \ No newline at end of file diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf index a63fb39..712060f 100644 --- a/src/zmb-ad-join/constants-service.conf +++ b/src/zmb-ad-join/constants-service.conf 
@@ -31,5 +31,8 @@ LXC_NESTING="1" # OPTIONAL_FEATURES=(wsdd splitdns) OPTIONAL_FEATURES=(wsdd splitdns) +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary" \ No newline at end of file diff --git a/src/zmb-ad/constants-service.conf b/src/zmb-ad/constants-service.conf index ec5cea6..79de74b 100644 --- a/src/zmb-ad/constants-service.conf +++ b/src/zmb-ad/constants-service.conf @@ -31,5 +31,8 @@ LXC_NESTING="1" # OPTIONAL_FEATURES=(wsdd splitdns) OPTIONAL_FEATURES=(wsdd splitdns) +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary" \ No newline at end of file diff --git a/src/zmb-member/constants-service.conf b/src/zmb-member/constants-service.conf index 12d46e5..47f6a82 100644 --- a/src/zmb-member/constants-service.conf +++ b/src/zmb-member/constants-service.conf @@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="0" # enable nesting feature LXC_NESTING="1" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="samba,member,fileserver" \ No newline at end of file diff --git a/src/zmb-standalone/constants-service.conf b/src/zmb-standalone/constants-service.conf index b71b870..1b9daf8 100644 --- a/src/zmb-standalone/constants-service.conf +++ b/src/zmb-standalone/constants-service.conf @@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="0" # enable nesting feature LXC_NESTING="1" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # service dependent meta tags SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit" \ No newline at end of file From 395e0b71fa535df3faed99d95a963e8572e31c5f Mon Sep 17 00:00:00 2001 
From: thorstenspille Date: Fri, 10 Feb 2023 18:10:52 +0100 Subject: [PATCH 71/96] Fix LXC_MEM in documentation --- conf/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/conf/README.md b/conf/README.md index 00268c7..962b381 100644 --- a/conf/README.md +++ b/conf/README.md @@ -40,13 +40,14 @@ LXC_SHAREFS_MOUNTPOINT="tank" ``` ### LXC_MEM Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) +If a service needs more minimum memory, LXC_MEM will be overwritten. ```bash -LXC_MEM="1024" +LXC_MEM=1024 ``` ### LXC_SWAP Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024) ```bash -LXC_SWAP="1024" +LXC_SWAP=1024 ``` ### LXC_HOSTNAME Defines the hostname of your LXC container (Default: Name of installed Service) From 9b2d29257a1001719853362a2c7d6a79495d95d4 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Fri, 10 Feb 2023 18:13:45 +0100 Subject: [PATCH 72/96] Fix tmpl download, min memory support --- install.sh | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/install.sh b/install.sh index 8e5b4c9..6d18ebd 100755 --- a/install.sh +++ b/install.sh 
@@ -102,22 +102,18 @@ source "$config" source "$PWD/src/$service/constants-service.conf" +if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then + LXC_MEM=$LXC_MEM_MIN +fi + if [ $LXC_AUTOTAG -gt 0 ]; then TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}" fi -# CHeck is the newest template available, else download it. -DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2) -DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2) +# Check is the newest template available, else download it. +pveam update TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11) - -if [[ $DEB_LOC == $DEB_REP ]]; -then - echo "Newest Version of $LXC_TEMPLATE_VERSION $DEB_REP exists."; -else - echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP."; - pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME -fi +pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME if [ $ctid -gt 99 ]; then LXC_CHK=$ctid From 96ad186289e5ad43498496e2a2f9f2b4d473ba77 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Fri, 10 Feb 2023 18:14:02 +0100 Subject: [PATCH 73/96] =?UTF-8?q?remove=20G=C3=A4nsef=C3=BC=C3=9Fe?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- conf/zamba.conf.example | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index 9ddc3df..5d5cba0 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example @@ -28,10 +28,10 @@ LXC_SHAREFS_STORAGE="local-zfs" LXC_SHAREFS_MOUNTPOINT="tank" # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) -LXC_MEM="1024" +LXC_MEM=1024 # Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024) -LXC_SWAP="1024" +LXC_SWAP=1024 # Defines the hostname of your LXC container LXC_HOSTNAME="${service}" 
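Review bot: The new `if [ $LXC_MEM -lt $LXC_MEM_MIN ]` emits a `[: unary operator expected` error and silently skips the override whenever either variable is unset or empty — `LXC_MEM_MIN` only exists in the service files touched by the companion commit, so an older or custom `constants-service.conf` never gets its memory raised. Default both sides, `if [ "${LXC_MEM:-1024}" -lt "${LXC_MEM_MIN:-0}" ]; then LXC_MEM=$LXC_MEM_MIN; fi` (1024 is the documented default for `LXC_MEM`). The template logic below now runs `pveam download` unconditionally on every invocation, and when the `grep … | cut -d' ' -f11` pipeline yields an empty `TMPL_NAME` (no match, or a change in `pveam available` column layout) `pveam download $LXC_TEMPLATE_STORAGE` is called with a missing argument; guard with `[ -n "$TMPL_NAME" ] || { echo "no template matching $LXC_TEMPLATE_VERSION" >&2; exit 1; }` and consider consulting `pveam list` before re-downloading.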
@@ -136,7 +136,7 @@ NEXTCLOUD_FQDN="nextcloud.zmb.rocks" NEXTCLOUD_ADMIN_USR="zmb-admin" # Build a strong password for this user. Username and password will shown at the end of the installation. -NEXTCLOUD_ADMIN_PWD="$(random_password)" +# NEXTCLOUD_ADMIN_PWD='very_secure_password' # Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT NEXTCLOUD_DATA="nc_data" From 0922ef6cb3dc26dd2448ea58e51b46a2cdace7bc Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Fri, 10 Feb 2023 18:14:37 +0100 Subject: [PATCH 74/96] Autogenerate Nextcloud admin password --- src/nextcloud/install-service.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 75e72ac..6ea4dfc 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh @@ -6,6 +6,9 @@ # (C) 2021 Script rework and documentation by Thorsten Spille source /root/functions.sh + +NEXTCLOUD_ADMIN_PWD=$(random_password) + source /root/zamba.conf source /root/constants-service.conf From f75624c1b3433fc379c11c0e1ecef3ee1329b23f Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 11 Feb 2023 12:12:40 +0100 Subject: [PATCH 75/96] nextcloud: fix trusted_proxies --- src/nextcloud/install-service.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 6ea4dfc..4f7ab71 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh @@ -402,7 +402,9 @@ array ( 'updater.release.channel' => 'stable', 'trusted_proxies' => array ( -'$NEXTCLOUD_REVPROX' +'$NEXTCLOUD_REVPROX', +'127.0.0.1', +'::1', ), ); EOF From 5759aead8d52f95fff91577010ef9b0cc75a29c7 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 11 Feb 2023 12:22:19 +0100 Subject: [PATCH 76/96] checkmk: Set version to current 2.1.0p21 --- src/checkmk/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
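Review bot: Adding `'127.0.0.1',` and `'::1',` to `trusted_proxies` in the nextcloud `config.php` heredoc makes Nextcloud accept `X-Forwarded-For` from any process that reaches the web listener via loopback, so the client address used for brute-force throttling and logging can be supplied by whatever connects locally. That is appropriate only if a reverse proxy inside this container forwards to the local listener and the listener is not reachable otherwise; if the only proxy is the external `$NEXTCLOUD_REVPROX` host, the two loopback entries should be dropped. A comment above the array stating the assumption, e.g. `# loopback is trusted because the local nginx forwards client requests`, would let the next maintainer verify it. The heredoc this hunk edits starts outside the hunk.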
diff --git a/src/checkmk/constants-service.conf b/src/checkmk/constants-service.conf index 73978a6..0ba9409 100644 --- a/src/checkmk/constants-service.conf +++ b/src/checkmk/constants-service.conf @@ -20,7 +20,7 @@ LXC_UNPRIVILEGED="1" LXC_NESTING="1" # checkmk version -CMK_VERSION=2.1.0p19 +CMK_VERSION=2.1.0p21 # build number of the debian package (needs to start with underscore) CMK_BUILD=_0 From af8370a1abbf515bdc079e7eece63d65a84e7aa1 Mon Sep 17 00:00:00 2001 From: DerFossibaer Date: Sat, 11 Feb 2023 12:44:54 +0100 Subject: [PATCH 77/96] Update auf Debian 11 --- src/kopano-core/constants-service.conf | 6 ++-- src/kopano-core/install-service.sh | 46 ++++++++++++++------------ 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/src/kopano-core/constants-service.conf b/src/kopano-core/constants-service.conf index 684eb6b..d2e5808 100644 --- a/src/kopano-core/constants-service.conf +++ b/src/kopano-core/constants-service.conf @@ -8,10 +8,10 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-10-standard" +LXC_TEMPLATE_VERSION="debian-11-standard" # Create sharefs mountpoint -LXC_MP="1" +LXC_MP="0" # Create unprivileged container LXC_UNPRIVILEGED="1" @@ -23,7 +23,7 @@ LXC_NESTING="1" KOPANO_VERSION="latest" # Defines the php version to install -KOPANO_PHP_VERSION="7.3" +KOPANO_PHP_VERSION="7.4" # Defines Maria DB Version MARIA_DB_VERS="10.5" diff --git a/src/kopano-core/install-service.sh b/src/kopano-core/install-service.sh index ef5fbe5..b3644f4 100644 --- a/src/kopano-core/install-service.sh +++ b/src/kopano-core/install-service.sh 
@@ -11,8 +11,8 @@ source /root/constants-service.conf HOSTNAME=$(hostname -f) -wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - -echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list +#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - +#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add - echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list @@ -22,8 +22,10 @@ echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_relea apt update +#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \ +#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip} DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \ -php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip} +php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip} #timedatectl set-timezone Europe/Berlin #mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www @@ -35,7 +37,7 @@ mysqladmin -u root password "[$MARIA_ROOT_PWD]" mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''" mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')" -mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'" +#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'" mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES" #### Create user and DB for Kopano #### 
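Review bot: Commenting out the `DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'` statement in the third hunk removes the hardening step instead of fixing what broke it; if the cause is that this MariaDB version ships no `test` database and the `DROP` errors out, use `DROP DATABASE IF EXISTS test; DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'` and keep the line active. In the second hunk the package list switches to unversioned `php-{…}` while `KOPANO_PHP_VERSION` is still defined in this service's `constants-service.conf` and the later hunks hard-code `7.4` paths, so the PHP version is now pinned in three inconsistent places; either use `php$KOPANO_PHP_VERSION-{…}` or retire the constant. The `#wget … apt-key add -`, `#echo … php.list` and `#DEBIAN_FRONTEND…` lines are dead code kept as comments and should simply be deleted. The surrounding `mysql -uroot -p$MARIA_ROOT_PWD` context passes the root password on the command line, where it is visible in the process list; a `--defaults-extra-file` or `MYSQL_PWD` would avoid that, though this is pre-existing.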
@@ -50,19 +52,19 @@ db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log cat > /etc/apt/sources.list.d/kopano.list << EOF # Kopano Core -deb https://download.kopano.io/supported/core:/final/Debian_10/ ./ +deb https://download.kopano.io/supported/core:/final/Debian_11/ ./ # Kopano WebApp -deb https://download.kopano.io/supported/webapp:/final/Debian_10/ ./ +deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./ # Kopano MobileDeviceManagement -deb https://download.kopano.io/supported/mdm:/final/Debian_10/ ./ +deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./ # Kopano Files -deb https://download.kopano.io/supported/files:/final/Debian_10/ ./ +deb https://download.kopano.io/supported/files:/final/Debian_11/ ./ # Z-Push -deb https://download.kopano.io/zhub/z-push:/final/Debian_10/ ./ +deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./ EOF 
@@ -74,11 +76,11 @@ password $KOPANO_REPKEY EOF -curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_10/Release.key | apt-key add - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_10/Release.key | apt-key add - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_10/Release.key | apt-key add - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_10/Release.key | apt-key add - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_10/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add - apt update && apt full-upgrade -y @@ -91,7 +93,7 @@ cat > /etc/kopano/ldap.cfg << EOF !include /usr/share/kopano/ldap.active-directory.cfg -ldap_uri = ldap://10.10.81.12:389 +ldap_uri = ldap://192.168.100.100:389 ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks ldap_bind_passwd = Start123! ldap_search_base = dc=zmb,dc=rocks @@ -112,8 +114,8 @@ mysql_user = $MARIA_DB_USER mysql_password = $MARIA_USER_PWD mysql_database = $MARIA_DB_NAME -user_plugin = ldap -user_plugin_config = /etc/kopano/ldap.cfg +#user_plugin = ldap +#user_plugin_config = /etc/kopano/ldap.cfg EOF 
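Review bot: The rewritten `curl https://serial:$KOPANO_REPKEY@download.kopano.io/…/Release.key | apt-key add -` lines place the subscription key in the URL on the command line, where it appears in `ps`, in shell history and in any `bash -x` trace; the `password $KOPANO_REPKEY` heredoc context just above suggests the credential is already written to a file, so `curl -n`/`--netrc-file` pointing at that file, or `curl -K -` with the `user = serial:…` line on stdin, would keep it off argv. `apt-key add -` is deprecated on Debian 11; dearmor each key into `/usr/share/keyrings/` and reference it with `[signed-by=…]` in the `kopano.list` written earlier in the script. In the `ldap.cfg` hunk the new `ldap_uri = ldap://192.168.100.100:389` replaces one environment-specific address with another, over unencrypted LDAP and next to a literal `ldap_bind_passwd`; since the following hunk comments out `user_plugin = ldap`, this block is now dead configuration and should either move to variables in `constants-service.conf`/`zamba.conf` (using `ldaps://`) or be removed. The heredocs edited here begin outside the hunks.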
@@ -121,7 +123,7 @@ EOF sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php -cat > /etc/php/7.3/fpm/pool.d/webapp.conf << EOF +cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF [webapp] listen = 127.0.0.1:9002 @@ -153,9 +155,9 @@ openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096 cat > /etc/nginx/sites-available/webapp.conf << EOF upstream php-handler { - server 127.0.0.1:9002; + #server 127.0.0.1:9002; #server unix:/var/run/php5-fpm.sock; - #server unix:/var/run/php/php7.3-fpm.sock; + server unix:/var/run/php/php7.4-fpm.sock; } server{ @@ -270,5 +272,5 @@ EOF ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/ -systemctl restart nginx - +phpenmod kopano +systemctl restart php7.4-fpm nginx From 140f80afb1000d0eb67d7c85d293f1489f4c1bca Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 11 Feb 2023 14:45:43 +0100 Subject: [PATCH 78/96] install.sh: reboot container at end --- install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install.sh b/install.sh index 6d18ebd..55aae66 100755 --- a/install.sh +++ b/install.sh @@ -173,9 +173,9 @@ pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh" echo "Install '$service'!" pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh" +pct shutdown $LXC_NBR if [[ $service == "zmb-ad" ]]; then - pct stop $LXC_NBR ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format pct set $LXC_NBR -nameserver ${LXC_IP%/*} - pct start $LXC_NBR fi +pct start $LXC_NBR \ No newline at end of file From 965c936109d8c01776c583c00dd00ad8d1ff5c26 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 11 Feb 2023 14:46:56 +0100 Subject: [PATCH 79/96] functions: ignore stderr when generating password --- src/functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/functions.sh b/src/functions.sh index 0a89013..5798afd 100644 --- a/src/functions.sh +++ b/src/functions.sh 
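Review bot: The three hunks hard-code the PHP version in `/etc/php/7.4/fpm/pool.d/webapp.conf`, `server unix:/var/run/php/php7.4-fpm.sock;` and `systemctl restart php7.4-fpm nginx` although `KOPANO_PHP_VERSION="7.4"` is defined in this service's `constants-service.conf` and sourced at the top of the script; use `/etc/php/$KOPANO_PHP_VERSION/fpm/pool.d/webapp.conf`, `unix:/var/run/php/php$KOPANO_PHP_VERSION-fpm.sock` and `php$KOPANO_PHP_VERSION-fpm` so the next bump is a one-line change. Nginx now connects to the default pool's socket while the `[webapp]` pool written just above still has `listen = 127.0.0.1:9002`, so that custom pool appears to go unused; either point its `listen` at a dedicated socket and reference that in the upstream, or drop the pool (the pool heredoc continues outside the hunk). The `#server 127.0.0.1:9002;` and `#server unix:/var/run/php5-fpm.sock;` entries are dead configuration in the generated nginx file and can be removed.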
@@ -5,5 +5,5 @@ LXC_RANDOMPWD=32 random_password() { set +o pipefail - C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c${LXC_RANDOMPWD} + C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD} } \ No newline at end of file From 522a02352d520e6f97b4e1692a5eec9e9390529c Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 11 Feb 2023 14:47:28 +0100 Subject: [PATCH 80/96] bookstack: fix finished message --- src/bookstack/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh index f16d2aa..f18802e 100644 --- a/src/bookstack/install-service.sh +++ b/src/bookstack/install-service.sh @@ -181,4 +181,4 @@ systemctl daemon-reload systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server systemctl restart php7.4-fpm nginx bookstack-queue redis-server -echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n" \ No newline at end of file +echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n" \ No newline at end of file From 498702b394573187461461a67b91f43225ffac32 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 11 Feb 2023 14:47:59 +0100 Subject: [PATCH 81/96] gitea: add updater called by apt-hook --- src/gitea/install-service.sh | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh index 5532922..c49eba5 100644 --- a/src/gitea/install-service.sh +++ b/src/gitea/install-service.sh 
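Review bot: `C_CTYPE=C` on the new line is a typo for `LC_CTYPE=C` (the kopano constants file earlier in this series spells it correctly), so the locale override never takes effect and the added `2>/dev/null` silences the symptom instead of fixing it. Muting stderr on the password generator is the wrong direction for a credential source: a failing `tr` or `/dev/urandom` read now yields a short or empty password with no diagnostic. I would fix the variable name, drop the redirect, and guard the length instead, e.g. `pw=$(LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c "$LXC_RANDOMPWD")` followed by `[ "${#pw}" -eq "$LXC_RANDOMPWD" ] && printf '%s' "$pw"`. `set +o pipefail` is needed because `head` closes the pipe early, but it persists in the caller's shell if the function is ever invoked directly rather than via `$(random_password)`.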
@@ -17,7 +17,7 @@ echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert unzip zip +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip systemctl enable --now postgresql @@ -36,6 +36,32 @@ mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/ chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/ chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/ +cat << EOF > /usr/local/bin/update-gitea +PATH="/bin:/usr/bin:/usr/local/bin" +echo "Checking github for new gitea version" +current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4) +installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3)) +echo "Installed gitea version is \$installed_version" +if [ \$installed_version != \$current_version ]; then + echo "New gitea version \$current_version available. Stopping gitea.service" + systemctl stop gitea.service + echo "Downloading gitea version \$current_version..." + curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i - + chmod +x /usr/local/bin/gitea + echo "Starting gitea.service..." + systemctl start gitea.service + echo "gitea update finished!" +else + echo "gitea version is up-to-date!" +fi +EOF +chmod +x /usr/local/bin/update-gitea + +cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook +DPkg::Post-Invoke {"/usr/local/bin/update-gitea";}; +EOF +chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook + cat << EOF > /etc/systemd/system/gitea.service [Unit] Description=Gitea From befc08fd4c330750c522d87f2daa1d6ce8e3166f Mon Sep 17 00:00:00 2001 
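Review bot: The `update-gitea` script written in the second hunk stops `gitea.service` and then overwrites `/usr/local/bin/gitea` in place with an unverified download: if the GitHub API call is rate-limited or the fetch fails, `wget -O` has already truncated the binary and the service stays down, and whatever the CDN returns is installed and executed as root on the next apt run through the `DPkg::Post-Invoke` hook. Gitea publishes a `.sha256` (and `.asc`) next to each `linux-amd64` asset, so download into a temp dir, verify, and only then stop the service and `mv` the file into place, leaving the live binary untouched by a failed or tampered download. Every `$` in the heredoc is escaped, so it can be written with `cat << 'EOF'` and the backslashes dropped; the script also lacks a shebang and `set -e`, and `grep '\linux-amd64$'` carries a stray backslash that newer GNU grep warns about. The `chmod +x` on the apt.conf.d snippet has no effect.
```shell
cat << 'EOF' > /usr/local/bin/update-gitea
#!/bin/sh
set -eu
PATH="/bin:/usr/bin:/usr/local/bin"
# … unchanged: version lookup and comparison …
  tmpdir=$(mktemp -d)
  trap 'rm -rf -- "$tmpdir"' EXIT
  url=$(curl -sf https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux-amd64$')
  wget -q -O "$tmpdir/gitea" "$url"
  wget -q -O "$tmpdir/gitea.sha256" "$url.sha256"
  # the .sha256 asset names the upstream file, so re-key it to the temp name
  (cd "$tmpdir" && printf '%s  gitea\n' "$(cut -d ' ' -f1 gitea.sha256)" | sha256sum -c -)
  chmod 755 "$tmpdir/gitea"
  echo "New gitea version $current_version verified. Stopping gitea.service"
  systemctl stop gitea.service
  mv -f "$tmpdir/gitea" /usr/local/bin/gitea
  systemctl start gitea.service
# … unchanged: else branch and EOF terminator …
```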
From: thorstenspille Date: Sat, 11 Feb 2023 16:21:20 +0100 Subject: [PATCH 82/96] bookstack: fix ip output in finished message --- src/bookstack/install-service.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh index f18802e..1ac181a 100644 --- a/src/bookstack/install-service.sh +++ b/src/bookstack/install-service.sh @@ -181,4 +181,6 @@ systemctl daemon-reload systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server systemctl restart php7.4-fpm nginx bookstack-queue redis-server -echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n" \ No newline at end of file +LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) + +echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n" \ No newline at end of file From 022871e9d7d4ae0fb0e4ce267c34dbd720b46379 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 11 Feb 2023 16:21:29 +0100 Subject: [PATCH 83/96] kimai: fix ip output in finished message --- src/kimai/install-service.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/kimai/install-service.sh b/src/kimai/install-service.sh index 91ff0ea..c07e4ed 100644 --- a/src/kimai/install-service.sh +++ b/src/kimai/install-service.sh @@ -162,4 +162,6 @@ systemctl daemon-reload systemctl enable --now php${PHP_VERSION}-fpm nginx systemctl restart php${PHP_VERSION}-fpm nginx +LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) + echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n" From b44d99c64b3cf416779302de9a44cd5238ee3865 Mon Sep 17 00:00:00 2001 
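Review bot: `LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)` in the bookstack hunk — repeated in the kimai hunk here and the open3a hunk later in the series — overwrites the `LXC_IP` the script presumably sourced from zamba.conf, hard-codes `eth0`, and depends on `ip`'s column layout, so a second IPv4 address on the interface produces a multi-line value that is pasted straight into the URL. `ip -o -4 addr show dev eth0 | awk '{print $4; exit}'` yields a single `addr/prefix` token regardless of indentation, and the `${LXC_IP%/*}` idiom install.sh already uses replaces the `$(echo ${LXC_IP} | cut -d'/' -f1)` subshell. If the sourced value is deliberately overridden because the container's address differs from the host's view, a one-line comment saying so would spare the next reader the question. The kimai banner additionally prints `${LXC_PWD}` to stdout, which lands in whatever captures the `pct exec` output; leaving the password out of the completion message avoids that copy.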
From: thorstenspille Date: Sat, 11 Feb 2023 16:21:46 +0100 Subject: [PATCH 84/96] matrix: add tag element-web --- src/matrix/constants-service.conf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/matrix/constants-service.conf b/src/matrix/constants-service.conf index a318186..9bfdb2d 100644 --- a/src/matrix/constants-service.conf +++ b/src/matrix/constants-service.conf @@ -19,11 +19,8 @@ LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" -# Define the version of Element Web -MATRIX_ELEMENT_VERSION="v1.9.9" - # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 # service dependent meta tags -SERVICE_TAGS="nginx,postgresql" \ No newline at end of file +SERVICE_TAGS="nginx,postgresql,element-web" \ No newline at end of file From 0ecabeac626be3fd449488f2c80591886838c9b8 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 11 Feb 2023 16:22:29 +0100 Subject: [PATCH 85/96] matrix: rework, install latest element-web --- src/matrix/install-service.sh | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh index 712ba83..fa15c4c 100644 --- a/src/matrix/install-service.sh +++ b/src/matrix/install-service.sh @@ -14,6 +14,8 @@ MRX_PKE=$(random_password) ELE_DBNAME="synapse_db" ELE_DBUSER="synapse_user" ELE_DBPASS=$(random_password) +ELE_PATH=/var/www/element-web +WEBROOT=/var/www DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2 @@ -67,7 +69,7 @@ server { ssl_certificate_key /etc/nginx/ssl/matrix.key; # If you don't wanna serve a site, comment this out - root /var/www/$MATRIX_FQDN; + root $ELE_PATH; index index.html index.htm; location / { 
@@ -102,7 +104,7 @@ server { ssl_certificate_key /etc/nginx/ssl/matrix.key; # If you don't wanna serve a site, comment this out - root /var/www/$MATRIX_ELEMENT_FQDN/element; + root $ELE_PATH; index index.html index.htm; } 
@@ -113,21 +115,23 @@ ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$ systemctl restart nginx -mkdir /var/www/$MATRIX_ELEMENT_FQDN -cd /var/www/$MATRIX_ELEMENT_FQDN -wget https://packages.riot.im/element-release-key.asc +cd /var/www + +wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc gpg --import element-release-key.asc -wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz -wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc +MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/vector-im/element-web/releases/latest | grep tag_name | cut -d'"' -f4) + +wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz +wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz -ln -s element-$MATRIX_ELEMENT_VERSION element -chown www-data:www-data -R element -cp ./element/config.sample.json ./element/config.json -sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json -sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json +mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH +chown www-data:www-data -R $ELE_PATH +cp $ELE_PATH/config.sample.json $ELE_PATH/config.json +sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json +sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json su postgres < Date: Sun, 12 Feb 2023 11:06:15 +0100 Subject: [PATCH 86/96] open3a: fix ip in finisherd 
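Review bot: `gpg --import element-release-key.asc` followed by `gpg --verify` only proves the tarball matches whatever key `packages.riot.im` served moments earlier over the same network path; nothing pins the signer, so the check is trust-on-first-use on every run. Record the expected fingerprint in constants-service.conf and compare it after import, e.g. `gpg --with-colons --fingerprint | grep -q "^fpr:::::::::${ELEMENT_KEY_FPR}:" || exit 1` (placeholder variable name; the value must come from an out-of-band trusted source). The new `MATRIX_ELEMENT_VERSION=$(curl -s …)` has no `-f`, so a GitHub API error leaves it empty and the two `wget -O element-.tar.gz …` lines fetch a non-existent path; `curl -fsS` plus `[ -n "$MATRIX_ELEMENT_VERSION" ] || exit 1` fails loudly instead. `WEBROOT=/var/www` was introduced in the `@@ -14` hunk but this hunk still uses the literal and unchecked `cd /var/www`. The tail of this hunk (`su postgres <`) appears cut off in this view.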
message --- src/open3a/install-service.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh index f45cebd..dba2277 100644 --- a/src/open3a/install-service.sh +++ b/src/open3a/install-service.sh @@ -79,4 +79,6 @@ EOF systemctl enable --now php7.4-fpm systemctl restart php7.4-fpm nginx +LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) + echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a" From 1c74139ebd7d26c71c08ec7a028b3d8e40157ba8 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 11:06:35 +0100 Subject: [PATCH 87/96] pbs: disable failing zfs services --- src/proxmox-pbs/install-service.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/proxmox-pbs/install-service.sh b/src/proxmox-pbs/install-service.sh index 5e77729..6bcfa59 100644 --- a/src/proxmox-pbs/install-service.sh +++ b/src/proxmox-pbs/install-service.sh @@ -21,3 +21,5 @@ apt update && apt upgrade -y DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA + +systemctl disable --now zfs-mount.service zfs-share.service From 02862eb56527506f5c122e458cdff69ade9c4bb7 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 15:09:17 +0100 Subject: [PATCH 88/96] zmb-ad-join: set dns server after install --- install.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install.sh b/install.sh index 55aae66..1a0dfb1 100755 --- a/install.sh +++ b/install.sh 
@@ -177,5 +177,7 @@ pct shutdown $LXC_NBR if [[ $service == "zmb-ad" ]]; then ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format pct set $LXC_NBR -nameserver ${LXC_IP%/*} +elif [[ $service == "zmb-ad-join" ]]; then + pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS" fi pct start $LXC_NBR \ No newline at end of file From 3b2eb57d58f097c3b6af1b0e0e87b98d25037d25 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 15:09:49 +0100 Subject: [PATCH 89/96] lxc-base: add en_US.UTF-8 as default locale --- src/lxc-base.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lxc-base.sh b/src/lxc-base.sh index b76340f..d26954f 100644 --- a/src/lxc-base.sh +++ b/src/lxc-base.sh @@ -16,6 +16,7 @@ source /root/constants-service.conf echo "Updating locales" # update locales sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen +sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen cat << EOF > /etc/default/locale LANG="$LXC_LOCALE" LANGUAGE=$LXC_LOCALE From ccc7bd30b402edf3cd287caf501321e565debfb5 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 15:11:28 +0100 Subject: [PATCH 90/96] zabbix: fin install bug, add web config --- src/zabbix/install-service.sh | 63 ++++++++++++++++++++++++++++++++--- 1 file changed, 59 insertions(+), 4 deletions(-) diff --git a/src/zabbix/install-service.sh b/src/zabbix/install-service.sh index 81d6a12..db4a2e7 100644 --- a/src/zabbix/install-service.sh +++ b/src/zabbix/install-service.sh 
@@ -18,7 +18,7 @@ echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-sql-scripts zabbix-agent sudo ssl-cert +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent ssl-cert unlink /etc/nginx/sites-enabled/default @@ -122,8 +122,6 @@ server { } EOF -ln -sf /etc/zabbix/nginx.conf /etc/nginx/sites-enabled/zabbix.conf - cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf [zabbix] user = www-data @@ -151,6 +149,63 @@ php_value[max_input_time] = 300 php_value[max_input_vars] = 10000 EOF +cat << EOF > /etc/zabbix/web/zabbix.conf.php + 'http://localhost:9200', +// 'text' => 'http://localhost:9200' +//]; +// Value types stored in Elasticsearch. +//\$HISTORY['types'] = ['uint', 'text']; + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +//\$SSO['SP_KEY'] = 'conf/certs/sp.key'; +//\$SSO['SP_CERT'] = 'conf/certs/sp.crt'; +//\$SSO['IDP_CERT'] = 'conf/certs/idp.crt'; +//\$SSO['SETTINGS'] = []; +EOF + timedatectl set-timezone ${LXC_TIMEZONE} systemctl enable --now postgresql @@ -163,7 +218,7 @@ EOF sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php -zcat /usr/share/doc/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME} +zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME} echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf 
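Review bot: The first hunk drops `sudo` from the apt install line, but the last hunk still runs `zcat … | sudo -u zabbix psql ${ZABBIX_DB_NAME}`, so on a template without sudo preinstalled the schema import fails with "command not found" (and aborts the installer if it runs under `set -e`). `runuser -u zabbix -- psql "${ZABBIX_DB_NAME}"` (util-linux, always present) or `su -s /bin/sh zabbix -c …` removes the dependency; otherwise keep `sudo` in the package list. The `zabbix.conf.php` heredoc in the third hunk is written with the default umask; its start is garbled in this view, but this file normally carries the frontend's database password, so a `chmod 640` owned by root with the web server group would keep it off other local users.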
From 1788a4cf63b1a442c046539ffacd63b40a79b6a5 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 15:28:59 +0100 Subject: [PATCH 91/96] Add jitsi-meet container --- src/jitsi/constants-service.conf | 26 ++++++++++++++++++++++++++ src/jitsi/install-service.sh | 17 +++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 src/jitsi/constants-service.conf create mode 100644 src/jitsi/install-service.sh diff --git a/src/jitsi/constants-service.conf b/src/jitsi/constants-service.conf new file mode 100644 index 0000000..58e0e40 --- /dev/null +++ b/src/jitsi/constants-service.conf @@ -0,0 +1,26 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=4096 + +# service dependent meta tags +SERVICE_TAGS="" \ No newline at end of file diff --git a/src/jitsi/install-service.sh b/src/jitsi/install-service.sh new file mode 100644 index 0000000..36365bb --- /dev/null +++ b/src/jitsi/install-service.sh 
@@ -0,0 +1,17 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +curl https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | tee /usr/share/keyrings/jitsi-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | tee /etc/apt/sources.list.d/jitsi-stable.list +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq jitsi-meet \ No newline at end of file From d6d854577f9790f48166b957cb2c61098e5b6f92 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 15:29:18 +0100 Subject: [PATCH 92/96] zabbix: Fix memory --- src/zabbix/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/zabbix/constants-service.conf b/src/zabbix/constants-service.conf index d4ac610..8e267ce 100644 --- a/src/zabbix/constants-service.conf +++ b/src/zabbix/constants-service.conf @@ -36,7 +36,7 @@ ZABBIX_DB_USR="zabbix" ZABBIX_DB_PWD="$(random_password)" # Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=2048 +LXC_MEM_MIN=4096 # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,postgresql" \ No newline at end of file From 57b8159f3813875362610a1fd5f10686f552918e Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 15:49:27 +0100 Subject: [PATCH 93/96] rename jitsi to jitsi-meet --- src/{jitsi => jitsi-meet}/constants-service.conf | 0 src/{jitsi => jitsi-meet}/install-service.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename src/{jitsi => jitsi-meet}/constants-service.conf (100%) rename src/{jitsi => jitsi-meet}/install-service.sh (100%) 
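Review bot: `curl https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | tee /usr/share/keyrings/jitsi-keyring.gpg` runs curl without `--fail`, so an HTTP error body is dearmored into the keyring (pipefail only helps if curl itself reports a failure, which it does not for a non-2xx without `-f`), and `tee` dumps the binary keyring to stdout. `curl -fsSL … | gpg --dearmor -o /usr/share/keyrings/jitsi-keyring.gpg` is the usual shape. The non-interactive `apt install jitsi-meet` does not preseed the package's debconf questions, so under `DEBIAN_PRIORITY=critical` the hostname and certificate choice fall to package defaults rather than `$LXC_HOSTNAME`; if those prompts exist for the target version, a `debconf-set-selections` step before install would make the result deterministic.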
diff --git a/src/jitsi/constants-service.conf b/src/jitsi-meet/constants-service.conf similarity index 100% rename from src/jitsi/constants-service.conf rename to src/jitsi-meet/constants-service.conf diff --git a/src/jitsi/install-service.sh b/src/jitsi-meet/install-service.sh similarity index 100% rename from src/jitsi/install-service.sh rename to src/jitsi-meet/install-service.sh From 07b229a0849fea26627052a9f6e926412ab39982 Mon Sep 17 00:00:00 2001 From: DerFossibaer Date: Sun, 12 Feb 2023 15:56:02 +0100 Subject: [PATCH 94/96] Add new service TP-Link Omada Controller --- src/omada/constants-service.conf | 26 ++++++++++++++++++++++++++ src/omada/install-service.sh | 29 +++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 src/omada/constants-service.conf create mode 100644 src/omada/install-service.sh diff --git a/src/omada/constants-service.conf b/src/omada/constants-service.conf new file mode 100644 index 0000000..ccb3471 --- /dev/null +++ b/src/omada/constants-service.conf @@ -0,0 +1,26 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=2048 + +# service dependent meta tags +SERVICE_TAGS="mongodb-server,java" \ No newline at end of file diff --git a/src/omada/install-service.sh b/src/omada/install-service.sh new file mode 100644 index 0000000..11efb2e --- /dev/null +++ b/src/omada/install-service.sh 
@@ -0,0 +1,29 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add - +add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ + +wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://www.mongodb.org/static/pgp/server-4.4.asc + +echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq adoptopenjdk-8-hotspot jsvc mongodb-org + +DL=$(wget -O - -q https://www.tp-link.com/de/support/download/omada-software-controller/ 2>/dev/null | grep Download-Detail-Software_Omada-Software-Controller | grep "Linux_x64.deb" | head -1 | cut -d'"' -f6) + +wget -O /tmp/omada.deb -q $DL + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /tmp/omada.deb \ No newline at end of file From 0cf8d9b6eb2da550c6f295124bfeca3d6373b0b7 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 15:59:43 +0100 Subject: [PATCH 95/96] Readme: add omada --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 648a711..7d2ee2a 100644 --- a/README.md +++ b/README.md 
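Review bot: The `DL=$(wget -O - … tp-link.com … | grep … | cut -d'"' -f6)` / `wget -O /tmp/omada.deb -q $DL` pair scrapes a vendor web page for a download link and installs whatever `.deb` comes back as root, with no version pin and no checksum or signature check; a changed page layout silently yields an empty or wrong `$DL`, and a tampered download path yields code execution in the container. Pin the artifact instead: record the URL and its SHA-256 in constants-service.conf (taken once from the vendor page by a human), verify with `sha256sum -c`, and use `mktemp` rather than the fixed `/tmp/omada.deb`. The AdoptOpenJDK key is added with the deprecated `apt-key add -` and the MongoDB key into `/etc/apt/trusted.gpg.d/`, both of which trust the key for every source; `[signed-by=…]` in the sources entries, as the jitsi script in this series does, scopes them. Note also that the MongoDB line pulls the `buster` suite on a `debian-11-standard` template and that `add-apt-repository` needs software-properties-common, which this script does not install.
```shell
# OMADA_DEB_URL / OMADA_DEB_SHA256 are constructed names for values kept in constants-service.conf
: "${OMADA_DEB_URL:?}" "${OMADA_DEB_SHA256:?}"
tmpdeb=$(mktemp --suffix=.deb)
wget -q -O "$tmpdeb" "$OMADA_DEB_URL"
printf '%s  %s\n' "$OMADA_DEB_SHA256" "$tmpdeb" | sha256sum -c -
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq "$tmpdeb"
rm -f -- "$tmpdeb"
```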
@@ -18,6 +18,7 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/) - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web) - `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration +- `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/) - `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com) - `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de) - `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server) From 7ed8bb4bc90875bbc0e753b1d035aff9fcb9569d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 12 Feb 2023 16:05:32 +0100 Subject: [PATCH 96/96] Remove incomplete services, fix zmb.conf --- conf/zamba.conf.example | 22 +- src/jitsi-meet/constants-service.conf | 26 - src/jitsi-meet/install-service.sh | 17 - src/tactical-rmm/constants-service.conf | 50 -- src/tactical-rmm/install-service.sh | 712 ------------------------ 5 files changed, 15 insertions(+), 812 deletions(-) delete mode 100644 src/jitsi-meet/constants-service.conf delete mode 100644 src/jitsi-meet/install-service.sh delete mode 100644 src/tactical-rmm/constants-service.conf delete mode 100644 src/tactical-rmm/install-service.sh diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index 5d5cba0..bcb1b98 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example 
@@ -169,19 +169,27 @@ KOPANO_MAILGW="192.168.100.254" # https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10 KOPANO_REPKEY="1234567890abcdefghijklmno" -############### Tactical-RMM Section ############### - -rmmdomain=api.${LXC_DOMAIN} -frontenddomain=${LXC_HOSTNAME}.${LXC_DOMAIN} -meshdomain=mesh.${LXC_DOMAIN} -adminemail=rmm@${LXC_DOMAIN} - ############### vaultwarden Section ############### +# Hostname of your mailserver VW_SMTP_HOST=mail.bashclub.org + +# email address to send from VW_SMTP_FROM="vaultwarden@bashclub.org" + +# display name to send from VW_SMTP_FROM_NAME="Vaultwarden Password Manager" + +# port of your mailserver VW_SMTP_PORT=587 + +# use ssl? VW_SMTP_SSL=true + +# use starttls? VW_SMTP_EXPLICIT_TLS=false + +# username of your mailbox VW_SMTP_USERNAME=vaultwarden@bashclub.org + +# password of your mailbox VW_SMTP_PASSWORD='' \ No newline at end of file diff --git a/src/jitsi-meet/constants-service.conf b/src/jitsi-meet/constants-service.conf deleted file mode 100644 index 58e0e40..0000000 --- a/src/jitsi-meet/constants-service.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -# This file contains the project constants on service level - -# Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-11-standard" - -# Create sharefs mountpoint -LXC_MP="0" - -# Create unprivileged container -LXC_UNPRIVILEGED="1" - -# enable nesting feature -LXC_NESTING="1" - -# Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=4096 - -# service dependent meta tags -SERVICE_TAGS="" \ No newline at end of file diff --git a/src/jitsi-meet/install-service.sh b/src/jitsi-meet/install-service.sh deleted file mode 100644 index 36365bb..0000000 --- a/src/jitsi-meet/install-service.sh +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -source /root/functions.sh -source /root/zamba.conf -source /root/constants-service.conf - -curl https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | tee /usr/share/keyrings/jitsi-keyring.gpg -echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | tee /etc/apt/sources.list.d/jitsi-stable.list -apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq jitsi-meet \ No newline at end of file diff --git a/src/tactical-rmm/constants-service.conf b/src/tactical-rmm/constants-service.conf deleted file mode 100644 index ad74a02..0000000 --- a/src/tactical-rmm/constants-service.conf +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -# This file contains the project constants on service level - -# Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-11-standard" - -# Create sharefs mountpoint -LXC_MP="1" - -# Create unprivileged container -LXC_UNPRIVILEGED="0" - -# enable nesting feature -LXC_NESTING="1" - -# Defines the IP from the SQL server -RMM_DB_IP="127.0.0.1" - -# Defines the PORT from the SQL server -RMM_DB_PORT="5432" - -# Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=4096 - -# Defines the name from the SQL database -RMM_DB_NAME="rmm" - -# Defines the name from the SQL user -pgusername="rmm" - -# Build a strong password for the SQL user - could be overwritten with something fixed -RMMUSER=tactical -pgpw="$(random_password)" -DJANGO_SEKRET="$(random_password)" -ADMINURL="$(random_password)" -MESHPASSWD="$(random_password)" -meshusername="$(random_password)" - -# vars from tactical-rmm install script -SCRIPTS_DIR="/opt/trmm-community-scripts" - -TMP_FILE=$(mktemp -p "" "rmminstall_XXXXXXXXXX") -osname=debian -djangousername=admin \ No newline at end of file diff --git a/src/tactical-rmm/install-service.sh b/src/tactical-rmm/install-service.sh deleted file mode 100644 index 4ff614e..0000000 --- a/src/tactical-rmm/install-service.sh +++ /dev/null 
@@ -1,712 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -source /root/functions.sh -source /root/zamba.conf -source /root/constants-service.conf - -codename=$(lsb_release -cs) - -useradd -m -G sudo -s /bin/bash ${RMMUSER} - -echo "deb https://repo.mongodb.org/apt/$osname buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list -echo "deb https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > /etc/apt/sources.list.d/postgres.list -echo "deb https://deb.nodesource.com/node_16.x $codename main" > /etc/apt/sources.list.d/nodejs.list -echo "deb https://dl.yarnpkg.com/debian stable main" > tee /etc/apt/sources.list.d/yarn.list - -apt-key adv --fetch https://pgp.mongodb.com/server-4.4.pub -apt-key adv --fetch https://deb.nodesource.com/gpgkey/nodesource.gpg.key -apt-key adv --fetch https://dl.yarnpkg.com/debian/yarnkey.gpg -apt-key adv --fetch https://www.postgresql.org/media/keys/ACCC4CF8.asc - - -apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq sudo ssl-cert nginx mongodb-org gcc g++ make build-essential zlib1g-dev libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev ca-certificates redis git postgresql-14 rpl -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nodejs - -echo "${RMMUSER} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${RMMUSER} - -npm install --no-fund --location=global npm - -openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/${frontenddomain}.key -out /etc/ssl/certs/${frontenddomain}.pem -subj "/CN=$frontenddomain" -addext "subjectAltName=DNS:*.${frontenddomain}" -chown root:ssl-cert /etc/ssl/private/${frontenddomain}.key -chmod 640 /etc/ssl/private/${frontenddomain}.key -usermod -aG ssl-cert ${RMMUSER} - 
-update-ca-certificates - -systemctl enable mongod.service postgresql.service - -# configure hosts file -echo "127.0.1.1 ${rmmdomain} ${frontenddomain} ${meshdomain}" | tee --append /etc/hosts > /dev/null - -# set global nginx vars -sed -i 's/worker_connections.*/worker_connections 2048;/g' /etc/nginx/nginx.conf -sed -i 's/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 64;/g' /etc/nginx/nginx.conf - -# compile python3 -su - ${RMMUSER} << EOF -cd ~ -wget https://www.python.org/ftp/python/${PYTHON_VER}/Python-${PYTHON_VER}.tgz -tar -xf Python-${PYTHON_VER}.tgz -cd Python-${PYTHON_VER} -./configure --enable-optimizations -make -j $(nproc) -sudo make altinstall -cd ~ -sudo rm -rf Python-${PYTHON_VER} Python-${PYTHON_VER}.tgz -EOF - - -systemctl restart mongod postgresql -systemctl stop nginx - -# configure postgresql -cd /var/lib/postgresql -sudo -u postgres psql -c "CREATE DATABASE tacticalrmm;" -sudo -u postgres psql -c "CREATE USER ${pgusername} WITH PASSWORD '${pgpw}';" -sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET client_encoding TO 'utf8';" -sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET default_transaction_isolation TO 'read committed';" -sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET timezone TO 'UTC';" -sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE tacticalrmm TO ${pgusername};" - -# clone tacticalrmm -mkdir /rmm -chown ${RMMUSER}:${RMMUSER} /rmm -mkdir -p /var/log/celery -chown ${RMMUSER}:${RMMUSER} /var/log/celery -mkdir -p ${SCRIPTS_DIR} -chown ${RMMUSER}:${RMMUSER} ${SCRIPTS_DIR} -su - ${RMMUSER} << EOF -cd /rmm -git clone -b master https://github.com/amidaware/tacticalrmm.git /rmm -git config user.email "admin@example.com" -git config user.name "Bob" -cd ${SCRIPTS_DIR} -git clone -b main https://github.com/amidaware/community-scripts.git ${SCRIPTS_DIR}/ -git config user.email "admin@example.com" -git config user.name "Bob" -EOF - -# configure NATS server -NATS_SERVER_VER=$(grep "^NATS_SERVER_VER" 
/rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}') -nats_tmp=$(mktemp -d -t nats-server-XXXXXXXXXXXXX) -wget https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER_VER}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -O ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -tar -xzf ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -C ${nats_tmp} -mv ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64/nats-server /usr/local/bin/ -chmod +x /usr/local/bin/nats-server -chown ${RMMUSER}:${RMMUSER} /usr/local/bin/nats-server -rm -rf ${nats_tmp} - -# fix cert in nats-rmm.conf -rpl "/etc/letsencrypt/live/${frontenddomain}/fullchain.pem" "/etc/ssl/certs/${frontenddomain}.pem" /rmm/api/tacticalrmm/nats-rmm.conf -rpl "/etc/letsencrypt/live/${frontenddomain}/privkey.pem" "/etc/ssl/private/${frontenddomain}.key" /rmm/api/tacticalrmm/nats-rmm.conf - -# install meshcentral -MESH_VER=$(grep "^MESH_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}') - -mkdir -p /meshcentral/meshcentral-data -chown ${RMMUSER}:${RMMUSER} -R /meshcentral - -su - ${RMMUSER} << EOF -cd /meshcentral -npm install meshcentral@${MESH_VER} -EOF - -chown ${RMMUSER}:${RMMUSER} -R /meshcentral - -meshcfg="$(cat << EOF -{ - "settings": { - "Cert": "${meshdomain}", - "MongoDb": "mongodb://127.0.0.1:27017", - "MongoDbName": "meshcentral", - "WANonly": true, - "Minify": 1, - "Port": 4430, - "AliasPort": 443, - "RedirPort": 800, - "AllowLoginToken": true, - "AllowFraming": true, - "_AgentPing": 60, - "AgentPong": 300, - "AllowHighQualityDesktop": true, - "TlsOffload": "127.0.0.1", - "agentCoreDump": false, - "Compression": true, - "WsCompression": true, - "AgentWsCompression": true, - "MaxInvalidLogin": { "time": 5, "count": 5, "coolofftime": 30 } - }, - "domains": { - "": { - "Title": "Tactical RMM", - "Title2": "Tactical RMM", - "NewAccounts": false, - "CertUrl": "https://${meshdomain}:443/", - "GeoLocation": true, - 
"CookieIpCheck": false, - "mstsc": true, - "force2factor": false - } - } -} -EOF -)" -sudo -u ${RMMUSER} echo "${meshcfg}" > /meshcentral/meshcentral-data/config.json - -localvars="$(cat << EOF -SECRET_KEY = "${DJANGO_SEKRET}" - -DEBUG = False - -ALLOWED_HOSTS = ['${rmmdomain}'] - -ADMIN_URL = "${ADMINURL}/" - -CORS_ORIGIN_WHITELIST = [ - "https://${frontenddomain}" -] - -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql', - 'NAME': 'tacticalrmm', - 'USER': '${pgusername}', - 'PASSWORD': '${pgpw}', - 'HOST': 'localhost', - 'PORT': '5432', - } -} - -MESH_USERNAME = "${meshusername}" -MESH_SITE = "https://${meshdomain}" -REDIS_HOST = "localhost" -ADMIN_ENABLED = True -EOF -)" -sudo -u ${RMMUSER} echo "${localvars}" > /rmm/api/tacticalrmm/tacticalrmm/local_settings.py - -cp /rmm/natsapi/bin/nats-api /usr/local/bin -chown ${RMMUSER}:${RMMUSER} /usr/local/bin/nats-api -chmod +x /usr/local/bin/nats-api - -SETUPTOOLS_VER=$(grep "^SETUPTOOLS_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}') -WHEEL_VER=$(grep "^WHEEL_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}') - -su - ${RMMUSER} << EOF -cd /rmm/api/ -/usr/local/bin/python3.10 -m venv env -source /rmm/api/env/bin/activate -cd /rmm/api/tacticalrmm -pip install --no-cache-dir --upgrade pip -pip install --no-cache-dir setuptools==${SETUPTOOLS_VER} wheel==${WHEEL_VER} -pip install --no-cache-dir -r /rmm/api/tacticalrmm/requirements.txt -python manage.py migrate -python manage.py collectstatic --no-input -python manage.py create_natsapi_conf -python manage.py load_chocos -python manage.py load_community_scripts -python manage.py create_installer_user -deactivate -EOF - -# install backend -echo 'Optimizing for number of processors' -uwsgiprocs=4 -if [[ "$(nproc)" == "1" ]]; then - uwsgiprocs=2 -else - uwsgiprocs=$(nproc) -fi - -uwsgini="$(cat << EOF -[uwsgi] -chdir = /rmm/api/tacticalrmm -module = tacticalrmm.wsgi -home = /rmm/api/env -master = 
true -processes = ${uwsgiprocs} -threads = ${uwsgiprocs} -enable-threads = true -socket = /rmm/api/tacticalrmm/tacticalrmm.sock -harakiri = 300 -chmod-socket = 660 -buffer-size = 65535 -vacuum = true -die-on-term = true -max-requests = 500 -disable-logging = true -EOF -)" -sudo -u ${RMMUSER} echo "${uwsgini}" > /rmm/api/tacticalrmm/app.ini - -# create systemd services - -rmmservice="$(cat << EOF -[Unit] -Description=tacticalrmm uwsgi daemon -After=network.target postgresql.service - -[Service] -User=${RMMUSER} -Group=www-data -WorkingDirectory=/rmm/api/tacticalrmm -Environment="PATH=/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -ExecStart=/rmm/api/env/bin/uwsgi --ini app.ini -Restart=always -RestartSec=10s - -[Install] -WantedBy=multi-user.target -EOF -)" -echo "${rmmservice}" | sudo tee /etc/systemd/system/rmm.service > /dev/null - -daphneservice="$(cat << EOF -[Unit] -Description=django channels daemon -After=network.target - -[Service] -User=${RMMUSER} -Group=www-data -WorkingDirectory=/rmm/api/tacticalrmm -Environment="PATH=/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -ExecStart=/rmm/api/env/bin/daphne -u /rmm/daphne.sock tacticalrmm.asgi:application -Restart=always -RestartSec=3s - -[Install] -WantedBy=multi-user.target -EOF -)" -echo "${daphneservice}" | sudo tee /etc/systemd/system/daphne.service > /dev/null - -natsservice="$(cat << EOF -[Unit] -Description=NATS Server -After=network.target - -[Service] -PrivateTmp=true -Type=simple -ExecStart=/usr/local/bin/nats-server -c /rmm/api/tacticalrmm/nats-rmm.conf -ExecReload=/usr/bin/kill -s HUP \$MAINPID -ExecStop=/usr/bin/kill -s SIGINT \$MAINPID -User=${RMMUSER} -Group=www-data -Restart=always -RestartSec=5s -LimitNOFILE=1000000 - -[Install] -WantedBy=multi-user.target -EOF -)" -echo "${natsservice}" | sudo tee /etc/systemd/system/nats.service > /dev/null - -natsapi="$(cat << EOF -[Unit] -Description=TacticalRMM Nats Api v1 -After=nats.service - 
-[Service] -Type=simple -ExecStart=/usr/local/bin/nats-api -User=${RMMUSER} -Group=${RMMUSER} -Restart=always -RestartSec=5s - -[Install] -WantedBy=multi-user.target -EOF -)" -echo "${natsapi}" | sudo tee /etc/systemd/system/nats-api.service > /dev/null - -celeryservice="$(cat << EOF -[Unit] -Description=Celery Service V2 -After=network.target redis-server.service postgresql.service - -[Service] -Type=forking -User=${RMMUSER} -Group=${RMMUSER} -EnvironmentFile=/etc/conf.d/celery.conf -WorkingDirectory=/rmm/api/tacticalrmm -ExecStart=/bin/sh -c '\${CELERY_BIN} -A \$CELERY_APP multi start \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel="\${CELERYD_LOG_LEVEL}" \$CELERYD_OPTS' -ExecStop=/bin/sh -c '\${CELERY_BIN} multi stopwait \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --loglevel="\${CELERYD_LOG_LEVEL}"' -ExecReload=/bin/sh -c '\${CELERY_BIN} -A \$CELERY_APP multi restart \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel="\${CELERYD_LOG_LEVEL}" \$CELERYD_OPTS' -Restart=always -RestartSec=10s - -[Install] -WantedBy=multi-user.target -EOF -)" -echo "${celeryservice}" | sudo tee /etc/systemd/system/celery.service > /dev/null - -celerybeatservice="$(cat << EOF -[Unit] -Description=Celery Beat Service V2 -After=network.target redis-server.service postgresql.service - -[Service] -Type=simple -User=${RMMUSER} -Group=${RMMUSER} -EnvironmentFile=/etc/conf.d/celery.conf -WorkingDirectory=/rmm/api/tacticalrmm -ExecStart=/bin/sh -c '\${CELERY_BIN} -A \${CELERY_APP} beat --pidfile=\${CELERYBEAT_PID_FILE} --logfile=\${CELERYBEAT_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL}' -Restart=always -RestartSec=10s - -[Install] -WantedBy=multi-user.target -EOF -)" -echo "${celerybeatservice}" | sudo tee /etc/systemd/system/celerybeat.service > /dev/null - -meshservice="$(cat << EOF -[Unit] -Description=MeshCentral Server -After=network.target mongod.service nginx.service -[Service] -Type=simple 
-LimitNOFILE=1000000 -ExecStart=/usr/bin/node node_modules/meshcentral -Environment=NODE_ENV=production -WorkingDirectory=/meshcentral -User=${RMMUSER} -Group=${RMMUSER} -Restart=always -RestartSec=10s - -[Install] -WantedBy=multi-user.target -EOF -)" -echo "${meshservice}" | sudo tee /etc/systemd/system/meshcentral.service > /dev/null - - -# create nginx config - -nginxrmm="$(cat << EOF -server_tokens off; - -upstream tacticalrmm { - server unix:////rmm/api/tacticalrmm/tacticalrmm.sock; -} - -map \$http_user_agent \$ignore_ua { - "~python-requests.*" 0; - "~go-resty.*" 0; - default 1; -} - -server { - listen 80; - listen [::]:80; - server_name ${rmmdomain}; - return 301 https://\$server_name\$request_uri; -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - server_name ${rmmdomain}; - client_max_body_size 300M; - access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=\$ignore_ua; - error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log; - ssl_certificate /etc/ssl/certs/${frontenddomain}.pem; - ssl_certificate_key /etc/ssl/private/${frontenddomain}.key; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_ecdh_curve secp384r1; - ssl_stapling on; - ssl_stapling_verify on; - add_header X-Content-Type-Options nosniff; - - location /static/ { - root /rmm/api/tacticalrmm; - } - - location /private/ { - internal; - add_header "Access-Control-Allow-Origin" "https://${frontenddomain}"; - alias /rmm/api/tacticalrmm/tacticalrmm/private/; - } - - location ~ ^/(natsapi) { - allow 127.0.0.1; - deny all; - uwsgi_pass tacticalrmm; - include /etc/nginx/uwsgi_params; - uwsgi_read_timeout 500s; - uwsgi_ignore_client_abort on; - } - - location ~ ^/ws/ { - proxy_pass http://unix:/rmm/daphne.sock; - - proxy_http_version 1.1; - proxy_set_header Upgrade \$http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_redirect off; - proxy_set_header Host \$host; - proxy_set_header 
X-Real-IP \$remote_addr; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host \$server_name; - } - - location / { - uwsgi_pass tacticalrmm; - include /etc/nginx/uwsgi_params; - uwsgi_read_timeout 9999s; - uwsgi_ignore_client_abort on; - } -} -EOF -)" -echo "${nginxrmm}" | sudo tee /etc/nginx/sites-available/rmm.conf > /dev/null - - -nginxmesh="$(cat << EOF -server { - listen 80; - listen [::]:80; - server_name ${meshdomain}; - return 301 https://\$server_name\$request_uri; -} - -server { - - listen 443 ssl; - listen [::]:443 ssl; - proxy_send_timeout 330s; - proxy_read_timeout 330s; - server_name ${meshdomain}; - ssl_certificate /etc/ssl/certs/${frontenddomain}.pem; - ssl_certificate_key /etc/ssl/private/${frontenddomain}.key; - - ssl_session_cache shared:WEBSSL:10m; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_ecdh_curve secp384r1; - ssl_stapling on; - ssl_stapling_verify on; - add_header X-Content-Type-Options nosniff; - - location / { - proxy_pass http://127.0.0.1:4430/; - proxy_http_version 1.1; - - proxy_set_header Host \$host; - proxy_set_header Upgrade \$http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header X-Forwarded-Host \$host:\$server_port; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto \$scheme; - } -} -EOF -)" -echo "${nginxmesh}" | sudo tee /etc/nginx/sites-available/meshcentral.conf > /dev/null - -ln -s /etc/nginx/sites-available/rmm.conf /etc/nginx/sites-enabled/rmm.conf -ln -s /etc/nginx/sites-available/meshcentral.conf /etc/nginx/sites-enabled/meshcentral.conf - -# configure celery -mkdir /etc/conf.d - -celeryconf="$(cat << EOF -CELERYD_NODES="w1" - -CELERY_BIN="/rmm/api/env/bin/celery" - -CELERY_APP="tacticalrmm" - -CELERYD_MULTI="multi" - -CELERYD_OPTS="--time-limit=86400 --autoscale=20,2" - -CELERYD_PID_FILE="/rmm/api/tacticalrmm/%n.pid" 
-CELERYD_LOG_FILE="/var/log/celery/%n%I.log" -CELERYD_LOG_LEVEL="ERROR" - -CELERYBEAT_PID_FILE="/rmm/api/tacticalrmm/beat.pid" -CELERYBEAT_LOG_FILE="/var/log/celery/beat.log" -EOF -)" -echo "${celeryconf}" | sudo tee /etc/conf.d/celery.conf > /dev/null - -chown ${RMMUSER}:${RMMUSER} -R /etc/conf.d/ - -systemctl daemon-reload - -# install frontend - -su - ${RMMUSER} << EOF - -if [ -d ~/.npm ]; then - chown -R $RMMUSER:$RMMUSER ~/.npm -fi - -if [ -d ~/.config ]; then - chown -R $RMMUSER:$RMMUSER ~/.config -fi - -echo -e "PROD_URL = \"https://${rmmdomain}\"\nDEV_URL = \"https://${rmmdomain}\"" > /rmm/web/.env - -cd /rmm/web -npm install -npm audit fix -npm run build -EOF - -mkdir -p /var/www/rmm -cp -pvr /rmm/web/dist /var/www/rmm/ -chown www-data:www-data -R /var/www/rmm/dist - -nginxfrontend="$(cat << EOF -server { - server_name ${frontenddomain}; - charset utf-8; - location / { - root /var/www/rmm/dist; - try_files \$uri \$uri/ /index.html; - add_header Cache-Control "no-store, no-cache, must-revalidate"; - add_header Pragma "no-cache"; - } - error_log /var/log/nginx/frontend-error.log; - access_log /var/log/nginx/frontend-access.log; - - listen 443 ssl; - listen [::]:443 ssl; - ssl_certificate /etc/ssl/certs/${frontenddomain}.pem; - ssl_certificate_key /etc/ssl/private/${frontenddomain}.key; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_ecdh_curve secp384r1; - ssl_stapling on; - ssl_stapling_verify on; - add_header X-Content-Type-Options nosniff; -} - -server { - if (\$host = ${frontenddomain}) { - return 301 https://\$host\$request_uri; - } - - listen 80; - listen [::]:80; - server_name ${frontenddomain}; - return 404; -} -EOF -)" -echo "${nginxfrontend}" | tee /etc/nginx/sites-available/frontend.conf > /dev/null - -ln -s /etc/nginx/sites-available/frontend.conf /etc/nginx/sites-enabled/frontend.conf - - -for i in rmm.service daphne.service celery.service celerybeat.service nginx -do - systemctl 
enable ${i} - systemctl stop ${i} - systemctl start ${i} -done -sleep 5 -systemctl enable meshcentral - -systemctl restart meshcentral - -CHECK_MESH_READY=1 -while ! [[ $CHECK_MESH_READY ]]; do - CHECK_MESH_READY=$(sudo journalctl -u meshcentral.service -b --no-pager | grep "MeshCentral HTTP server running on port") - echo -ne "Mesh Central not ready yet...\n" - sleep 3 -done - -node /meshcentral/node_modules/meshcentral --logintokenkey - -MESHTOKENKEY=$(node /meshcentral/node_modules/meshcentral --logintokenkey) -sudo -u ${USER} echo "MESH_TOKEN_KEY = \"$MESHTOKENKEY\"" >> /rmm/api/tacticalrmm/tacticalrmm/local_settings.py - -systemctl stop meshcentral -sleep 1 -cd /meshcentral - -sudo -u ${RMMUSER} node node_modules/meshcentral --createaccount ${meshusername} --pass ${MESHPASSWD} --email ${adminemail} -sleep 1 -sudo -u ${RMMUSER} node node_modules/meshcentral --adminaccount ${meshusername} - -systemctl start meshcentral -sleep 5 - - -sudo -u ${RMMUSER} node node_modules/meshcentral/meshctrl.js --url wss://${meshdomain}:443 --loginuser ${meshusername} --loginpass ${MESHPASSWD} AddDeviceGroup --name TacticalRMM -sleep 1 - -systemctl enable nats.service -su - ${RMMUSER} < /usr/local/bin/register-rmm-admin -cd /rmm/api -source /rmm/api/env/bin/activate -cd /rmm/api/tacticalrmm -printf >&2 "Please create your login for the RMM website and django admin\n" -printf >&2 "\n" -echo -ne "Username: " -read djangousername -python manage.py createsuperuser --username \${djangousername} --email ${adminemail} -#RANDBASE=\$(python manage.py generate_totp) -#python manage.py generate_barcode \${RANDBASE} \${djangousername} ${frontenddomain} -deactivate -EOF -chmod +x /usr/local/bin/register-rmm-admin - -printf >&2 "Installation complete!\n\n" -printf >&2 "Access your rmm at: https://${frontenddomain}\n\n" -printf >&2 "Django admin url (disabled by default): https://${rmmdomain}/${ADMINURL}/\n\n" -printf >&2 "MeshCentral username: ${meshusername}\n" -printf >&2 "MeshCentral 
password: ${MESHPASSWD}\n\n" - -printf >&2 "Please run 'pct exec {container id} -- su - root -c register-rmm-admin' to create an administrative rmm user.\n\n" \ No newline at end of file