Rigo/zamba-lxc-toolbox
1
0
Fork 0
forked from bashclub/zamba-lxc-toolbox
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #43 from bashclub/2022-01-14

Browse Source 
Release 1.0
This commit is contained in:
DerFossiBaer 2022-01-16 01:26:06 +01:00 committed by GitHub
commit f3a0ab1d66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
40 changed files with 1618 additions and 314 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -1,2 +1,5 @@
*__pycache__*
.vscode/*
.vscode/*
conf/*
!conf/README.md
!conf/zamba.conf.example

17
CHANGELOG.md
View File

@ -1,17 +0,0 @@
**** Zamba LXC Toolbox main branch ****
- added dhcp support
- fixed hardcoded samba sharename in `zmb-standalone` script
- added support for container id's larger than 999
**** Zamba LXC Toolbox v0.1 ****
- `locales` are now configured noninteractive #21
- timezone is now configured with `pct set` command in `install.sh` #22
- changed command sequence in `install.sh` - select container first, then start the installation
- improved / updated documentation
- replaced `just-lxc` container by `debian-priv` and `debian-unpriv` container
- (un)privileged now defined as constant based on created service #6
- improved log messages in `install.sh`
- `mailpiler`: website is now also `default_host`, removed nginx default site, dns entry is still required
- changed `mailpiler` version to 1.3.11
- changed `element-web` version to 1.7.25
- `LXC_AUTHORIZED_KEY` variable now defines an `authorized_keys` file, by default the configuration of you proxmox host will be inherited (`~/.ssh/authorized_keys`)

34
README.md
View File

@ -7,13 +7,19 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna
### Requirements
Proxmox VE Server with at least one configured ZFS Pool.
### Included services:
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
- `checkmk` => Check_MK 2.0 Monitoring Server
- `debian-priv` => Debian privileged container with basic toolset
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
- `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `debian-priv` => Debian privileged container with basic toolset
- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
- `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
- `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
- `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
- `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
## Usage
Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
```bash
@ -26,14 +32,24 @@ git clone https://github.com/bashclub/zamba-lxc-toolbox
cd zamba-lxc-toolbox
```
### Configuration
To fit your requirements, please edit the file `zamba.conf` with your favourite text editor (e.g. `vim` or `nano`).
The required adjustments are in the LXC container section and in the section for the service you want to launch.
For further information about the config variables, have a look at [zamba.conf.md](zamba.conf.md)
Copy `zamba.conf.example` located in `conf` directory to a new file (default: `zamba.conf`) and adjust your desired settings.
For further information about configuration variables, have a look at [conf/README.md](conf/README.md)
```bash
cp conf/zamba.conf.example conf/zamba.conf
```
### Installation
After configuring, you are able to launch the script interactively:
After configuring, you are able to launch the script interactively (only works with `conf/zamba.conf`):
```bash
bash install.sh
```
### Advanced Usage
You can set optional parameters (config file, service, container id):
#### Example:
```bash
bash install.sh -i 280 -c conf/my-zmb-service.conf -s zmb-member
```
You can also view possible parameters with `install.sh -h`
After container creation, you will be prompted to select the service to install and depending on the service there may be some more questions during installation.
Once the script has finished, the container is installed and running and you can continue with the service specific configuration.

108
zamba.conf.md → conf/README.md
View File

@ -1,4 +1,5 @@
# `zamba.conf` options reference
# USE THIS FOLDER TO STORE YOUR OWN ZMB CONFIGS
# Configuration options reference
This is the reference of all config options you can set in `zamba.conf`
<br>
@ -48,7 +49,7 @@ Defines the amount of swap space in MB your LXC container is allowed to use (def
LXC_SWAP="1024"
```
### LXC_HOSTNAME
Defines the hostname of your LXC container
Defines the hostname of your LXC container (Default: Name of installed Service)
```bash
LXC_SWAP="zamba"
```
@ -92,7 +93,7 @@ LXC_VLAN="80"
### LXC_PWD
Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour.
```bash
LXC_PWD="S3cr3tp@ssw0rd"
LXC_PWD="Start!123"
```
### LXC_AUTHORIZED_KEY
Defines an authorized_keys file to push into the LXC container.
@ -103,7 +104,7 @@ LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
### LXC_TOOLSET
Define your (administrative) tools, you always want to have installed into your LXC container
```bash
LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
```
### LXC_TIMEZONE
Define the local timezone of your LXC container (default: Euroe/Berlin)
@ -116,6 +117,13 @@ Define system language on LXC container (locales)
LXC_LOCALE="de_DE.utf8"
```
This parameter is not used yet, but will be integrated in future releases.
### LXC_VIM_BG_DARK
Set dark background for vim syntax highlighting (0 or 1)
```bash
LXC_VIM_BG_DARK=1
```
<br>
## Zamba Server Section
@ -132,11 +140,6 @@ Defines the domain name in your Active Directory or Workgroup (AD DC, AD member,
```bash
ZMB_DOMAIN="ZMB"
```
### ZMB_DNS_BACKEND
Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
```bash
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
```
### ZMB_ADMIN_USER
Defines the name of your domain administrator account (AD DC, AD member, standalone)
```bash
@ -145,7 +148,7 @@ ZMB_ADMIN_USER="Administrator"
### ZMB_ADMIN_PASS
Defines the domain administrator's password (AD DC, AD member).
```bash
ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
ZMB_ADMIN_PASS='Start!123'
```
Please use 'single quotation marks' to avoid unexpected behaviour.
`zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
@ -168,22 +171,7 @@ PILER_FQDN="piler.zmb.rocks"
### PILER_SMARTHOST
Defines the smarthost for piler mail archive
```bash
PILER_SMARTHOST="10.10.80.20"
```
### PILER_VERSION
Defines the version number of piler mail archive to install
```bash
PILER_VERSION="1.3.10"
```
### PILER_SPHINX_VERSION
Defines the version of sphinx to install
```bash
PILER_SPHINX_VERSION="3.3.1"
```
### PILER_PHP_VERSION
Defines the php version to install
```bash
PILER_PHP_VERSION="7.4"
PILER_SMARTHOST="your.mailserver.tld"
```
<br>
@ -202,13 +190,67 @@ Define the FQDN for the Element Web virtual host
```bash
MATRIX_ELEMENT_FQDN="element.zmb.rocks"
```
### MATRIX_ELEMENT_VERSION
Define the version of Element Web
### MATRIX_ADMIN_USER
Define the administrative user of matrix service
```bash
MATRIX_ELEMENT_VERSION="v1.7.24"
MATRIX_ADMIN_USER="admin"
```
### MATRIX_JITSI_FQDN
Define the FQDN for the Jitsi Meet virtual host
### MATRIX_ADMIN_PASSWORD
Define the admin password
```bash
MATRIX_JITSI_FQDN="meet.zmb.rocks"
```
MATRIX_ADMIN_PASSWORD="Start!123"
```
## Nextcloud-Section
### NEXTCLOUD_FQDN
Define the FQDN of your Nextcloud server
```bash
NEXTCLOUD_FQDN="nc1.zmb.rocks"
```
### NEXTCLOUD_ADMIN_USR
The initial admin-user which will be configured
```bash
NEXTCLOUD_ADMIN_USR="zmb-admin"
```
### NEXTCLOUD_ADMIN_PWD
Build a strong password for this user. Username and password will shown at the end of the instalation.
```bash
NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
```
### NEXTCLOUD_DATA
Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
```bash
NEXTCLOUD_DATA="nc_data"
```
### NEXTCLOUD_REVPROX
Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
```bash
NEXTCLOUD_REVPROX="192.168.100.254"
```
## Check_MK-Section
### CMK_INSTANCE
Define the name of your checkmk instance
```bash
CMK_INSTANCE=zmbrocks
```
### CMK_ADMIN_PW
Define the password of user 'cmkadmin'
```bash
CMK_ADMIN_PW='Start!123'
```
### CMK_EDITION
checkmk edition (raw or free)
- raw = completely free
- free = limited version of the enterprise edition (25 hosts, 1 instance)
```bash
CMK_EDITION=raw
```

65
zamba.conf → conf/zamba.conf.example
View File

@ -34,7 +34,7 @@ LXC_MEM="1024"
LXC_SWAP="1024"
# Defines the hostname of your LXC container
LXC_HOSTNAME="zamba"
LXC_HOSTNAME="${service}"
# Defines the domain name / search domain of your LXC container
LXC_DOMAIN="zmb.rocks"
@ -60,38 +60,39 @@ LXC_BRIDGE="vmbr0"
LXC_VLAN=
# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
LXC_PWD='S3cr3tp@ssw0rd'
LXC_PWD='Start!123'
# Defines an authorized_keys file to push into the LXC container.
# By default the authorized_keys will be inherited from your proxmox host.
LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys
# Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
# Define the local timezone of your LXC container (default: Euroe/Berlin)
LXC_TIMEZONE="Europe/Berlin"
# Define system language on LXC container (locales)
LXC_LOCALE=de_DE.UTF-8
# With this paramater you can generate additional locales, the default language will be inherited from proxmox host.
# en_US.UTF-8 english
# de_DE.UTF-8 german (default)
LXC_LOCALE="de_DE.UTF-8"
# Set dark background for vim syntax highlighting (0 or 1)
LXC_VIM_BG_DARK=1
############### Zamba-Server-Section ###############
# Defines the REALM for the Active Directory (AD DC, AD member)
# IMPORTANT NOTE: ZMB_REALM is case sensitive and the value needs to be written completely in capital letters, otherwise Kerberos will fail
ZMB_REALM="ZMB.ROCKS"
# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
# IMPORTANT NOTE: ZMB_DOMAIN is case sensitive and the value needs to be written completely in capital letters
ZMB_DOMAIN="ZMB"
# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
# Defines the name of your domain administrator account (AD DC, AD member, standalone)
ZMB_ADMIN_USER="administrator"
# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
ZMB_ADMIN_PASS='Start!123'
# Defines the name of your Zamba share
ZMB_SHARE="share"
@ -102,12 +103,6 @@ ZMB_SHARE="share"
PILER_FQDN="piler.zmb.rocks"
# Defines the smarthost for piler mail archive
PILER_SMARTHOST="your.mailserver.tld"
# Defines the version number of piler mail archive to install
PILER_VERSION="1.3.11"
# Defines the version of sphinx to install
PILER_SPHINX_VERSION="3.3.1"
# Defines the php version to install
PILER_PHP_VERSION="7.4"
############### Matrix-Section ###############
@ -117,8 +112,38 @@ MATRIX_FQDN="matrix.zmb.rocks"
# Define the FQDN for the Element Web virtual host
MATRIX_ELEMENT_FQDN="element.zmb.rocks"
# Define the version of Element Web
MATRIX_ELEMENT_VERSION="v1.7.25"
# Define the administrative user of matrix service
MATRIX_ADMIN_USER="admin"
# Define the FQDN for the Jitsi Meet virtual host
MATRIX_JITSI_FQDN="meet.zmb.rocks"
# Define the admin password
MATRIX_ADMIN_PASSWORD="Start!123"
############### Nextcloud-Section ###############
# Define the FQDN of your Nextcloud server
NEXTCLOUD_FQDN="nc1.zmb.rocks"
# The initial admin-user which will be configured
NEXTCLOUD_ADMIN_USR="zmb-admin"
# Build a strong password for this user. Username and password will shown at the end of the instalation.
NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
NEXTCLOUD_DATA="nc_data"
# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
NEXTCLOUD_REVPROX="192.168.100.254"
############### Check_MK-Section ###############
# Define the name of your checkmk instance
CMK_INSTANCE=zmbrocks
# Define the password of user 'cmkadmin'
CMK_ADMIN_PW='Start!123'
# checkmk edition (raw or free)
# raw = completely free
# free = limited version of the enterprise edition (25 hosts, 1 instance)
CMK_EDITION=raw

20
debian-priv.sh
View File

@ -1,20 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc

18
debian-unpriv.sh
View File

@ -1,18 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
dpkg-reconfigure locales
source /root/zamba.conf
# Set Timezone
ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc

175
install.sh Normal file → Executable file
View File

@ -15,78 +15,102 @@
# Please adjust th settings in 'zamba.conf' to your needs before running the script
############### ZAMBA INSTALL SCRIPT ###############
prog="$(basename "$0")"
usage() {
cat >&2 <<-EOF
usage: $prog [-h] [-i CTID] [-s SERVICE] [-c CFGFILE]
installs a preconfigured lxc container on your proxmox server
-i CTID provide a container id instead of auto detection
-s SERVICE provide the service name and skip the selection dialog
-c CFGFILE use a different config file than 'zamba.conf'
-h displays this help text
---------------------------------------------------------------------------
(C) 2021 zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
---------------------------------------------------------------------------
EOF
exit $1
}
ctid=0
service=ask
config=$PWD/conf/zamba.conf
verbose=0
while getopts "hi:s:c:" opt; do
case $opt in
h) usage 0 ;;
i) ctid=$OPTARG ;;
s) service=$OPTARG ;;
c) config=$OPTARG ;;
*) usage 1 ;;
esac
done
shift $((OPTIND-1))
# Load configuration file
source $PWD/zamba.conf
echo "Loading config file '$config'..."
source $config
LXC_MP="0"
LXC_UNPRIVILEGED="1"
LXC_NESTING="0"
OPTS=$(ls -d $PWD/src/*/ | grep -v __ | xargs basename -a)
select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
case $opt in
debian-unpriv)
echo "Debian-only LXC container unprivileged mode selected"
break
;;
debian-priv)
echo "Debian-only LXC container privileged mode selected"
LXC_UNPRIVILEGED="0"
break
;;
zmb-standalone)
echo "Configuring LXC container '$opt'!"
LXC_MP="1"
LXC_UNPRIVILEGED="0"
break
;;
zmb-member)
echo "Configuring LXC container '$opt'!"
LXC_MP="1"
LXC_UNPRIVILEGED="0"
break
;;
zmb-ad)
echo "Selected Zamba AD DC"
LXC_NESTING="1"
LXC_UNPRIVILEGED="0"
break
;;
mailpiler)
echo "Configuring LXC container for '$opt'!"
LXC_NESTING="1"
break
;;
matrix)
echo "Install Matrix chat server and element web service"
break
;;
quit)
echo "Script aborted by user interaction."
valid=0
if [[ "$service" == "ask" ]]; then
select svc in $OPTS quit; do
if [[ "$svc" != "quit" ]]; then
for line in $(echo $OPTS); do
if [[ "$svc" == "$line" ]]; then
service=$svc
echo "Installation of $service selected."
valid=1
break
fi
done
else
echo "Selected 'quit' exiting without action..."
exit 0
;;
*)
echo "Invalid option! Exiting..."
exit 1
;;
esac
done
fi
if [[ "$valid" == "1" ]]; then
break
fi
done
else
for line in $(echo $OPTS); do
if [[ "$service" == "$line" ]]; then
echo "Installation of $service selected."
valid=1
break
fi
done
fi
if [[ "$valid" != "1" ]]; then
echo "Invalid option, exiting..."
usage 1
fi
source $PWD/src/$service/constants-service.conf
# CHeck is the newest template available, else download it.
DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep debian-10-standard | cut -d'_' -f2)
DEB_REP=$(pveam available --section system | grep debian-10-standard | cut -d'_' -f2)
DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | cut -d'_' -f2)
DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | cut -d'_' -f2)
if [[ $DEB_LOC == $DEB_REP ]];
then
echo "Newest Version of Debian 10 Standard $DEP_REP exists.";
echo "Newest Version of $LXC_TEMPLATE_VERSION $DEP_REP exists.";
else
echo "Will now download newest Debian 10 Standard $DEP_REP.";
pveam download $LXC_TEMPLATE_STORAGE debian-10-standard_$DEB_REP\_amd64.tar.gz
echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP.";
pveam download $LXC_TEMPLATE_STORAGE "$LXC_TEMPLATE_VERSION"_$DEB_REP\_amd64.tar.gz
fi
# Get next free LXC-number
LXC_LST=$( lxc-ls -1 | tail -1 )
LXC_CHK=$((LXC_LST+1));
if [ $ctid -gt 99 ]; then
LXC_CHK=$ctid
else
# Get next free LXC-number
LXC_LST=$( lxc-ls -1 | tail -1 )
LXC_CHK=$((LXC_LST+1));
fi
if [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
LXC_NBR=$(pvesh get /cluster/nextid);
@ -96,15 +120,11 @@ fi
echo "Will now create LXC Container $LXC_NBR!";
# Create the container
pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/debian-10-standard_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/"$LXC_TEMPLATE_VERSION"_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
sleep 2;
# Check vlan configuration
if [[ $LXC_VLAN != "" ]];then
VLAN=",tag=$LXC_VLAN"
else
VLAN=""
fi
if [[ $LXC_VLAN != "" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
# Reconfigure conatiner
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
if [ $LXC_DHCP == true ]; then
@ -124,23 +144,22 @@ PS3="Select the Server-Function: "
pct start $LXC_NBR;
sleep 5;
# Set the root password and key
echo "Setting root password"
echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
echo "Creating /root/.ssh"
lxc-attach -n$LXC_NBR mkdir /root/.ssh;
echo "Copying authorized_keys"
pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
echo "Copying sources.list"
pct push $LXC_NBR ./sources.list /etc/apt/sources.list
echo "Copying zamba.conf"
pct push $LXC_NBR ./zamba.conf /root/zamba.conf
echo "Copying install script"
pct push $LXC_NBR ./$opt.sh /root/$opt.sh
echo "Install '$opt'!"
lxc-attach -n$LXC_NBR bash /root/$opt.sh
pct push $LXC_NBR $config /root/zamba.conf
pct push $LXC_NBR $PWD/src/constants.conf /root/constants.conf
pct push $LXC_NBR $PWD/src/lxc-base.sh /root/lxc-base.sh
pct push $LXC_NBR $PWD/src/$service/install-service.sh /root/install-service.sh
pct push $LXC_NBR $PWD/src/$service/constants-service.conf /root/constants-service.conf
if [[ $opt == "zmb-ad" ]]; then
echo "Installing basic container setup..."
lxc-attach -n$LXC_NBR bash /root/lxc-base.sh
echo "Install '$service'!"
lxc-attach -n$LXC_NBR bash /root/install-service.sh
if [[ $service == "zmb-ad" ]]; then
pct stop $LXC_NBR
pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
pct start $LXC_NBR
fi
fi

136
new-config.py Executable file
View File

@ -0,0 +1,136 @@
#!/usr/bin/python3
import os
from src import config_base, menu
# Check installation of zfs-auto-snapshot, if not installed, just notify user
config_base.check_zfs_autosnapshot()
cfg = {}
# set template storage
t_storages = config_base.get_pve_storages(content=config_base.PveStorageContent.vztmpl)
if len(t_storages.keys()) > 1:
t_stors={}
for st in t_storages.keys():
t_stors[st] = f"driver: {t_storages[st]['driver']}\tfree space: {int(t_storages[st]['available'])/1024/1024:.2f} GB"
cfg['LXC_TEMPLATE_STORAGE'] = menu.radiolist("Select container template storage", "Please choose the storage, where your container templates are stored.", t_stors)
elif len(t_storages.keys()) == 1:
cfg['LXC_TEMPLATE_STORAGE'] = next(iter(t_storages))
else:
print("Could not find any storage enabled for container templates. Please ensure your storages are configured properly.")
os._exit(1)
# get zmb service
cfg['ZMB_SERVICE'] = menu.radiolist("Select service","Please choose the service to install:", config_base.get_zmb_services())
# get static ct features
ct_features = config_base.get_ct_features(cfg["ZMB_SERVICE"])
cfg['LXC_UNPRIVILEGED'] = ct_features['unprivileged']
# get ct id
cfg['LXC_NBR'] = menu.question("Container ID", f"Please select an ID for the {cfg['ZMB_SERVICE']} container.", menu.qType.Integer, config_base.get_ct_id(), config_base.validate_ct_id)
# configure rootfs
r_storages = config_base.get_pve_storages(driver=config_base.PveStorageType.zfspool,content=config_base.PveStorageContent.rootdir)
if len(r_storages.keys()) > 1:
r_stors = {}
for st in r_storages.keys():
r_stors[st] = f"driver: {r_storages[st]['driver']}\tfree space: {int(r_storages[st]['available'])/1024/1024:.2f} GB"
cfg['LXC_ROOTFS_STORAGE'] = menu.radiolist("Select rootfs storage", "Please choose the storage for your container's rootfs",r_stors)
elif len(r_storages.keys()) == 1:
cfg['LXC_ROOTFS_STORAGE'] = next(iter(r_storages))
else:
print("Could not find any storage enabled for container filesystems. Please ensure your storages are configured properly.")
os._exit(1)
cfg['LXC_ROOTFS_SIZE'] = menu.question("Set rootfs size","Please type in the desired rootfs size (GB)", menu.qType.Integer,32)
# create additional mountpoints
if 'size' in ct_features['sharefs'].keys():
f_storages = config_base.get_pve_storages(driver=config_base.PveStorageType.zfspool,content=config_base.PveStorageContent.rootdir)
if len(f_storages.keys()) > 1:
f_stors = {}
for st in f_storages.keys():
f_stors[st] = f"driver: {f_storages[st]['driver']}\tfree space: {int(f_storages[st]['available'])/1024/1024:.2f} GB"
cfg['LXC_SHAREFS_STORAGE'] = menu.radiolist("Select sharefs storage", "Please choose the storage of your shared filesystem", f_stors)
elif len(r_storages.keys()) == 1:
cfg['LXC_SHAREFS_STORAGE'] = next(iter(f_storages))
else:
print("Could not find any storage enabled for container filesystems. Please ensure your storages are configured properly.")
os._exit(1)
cfg['LXC_SHAREFS_SIZE'] = menu.question("Select sharefs size","Please type in the desired size (GB) of your shared filesystem", menu.qType.Integer,ct_features['sharefs']['size'])
cfg['LXC_SHAREFS_MOUNTPOINT'] = menu.question("Select sharefs mountpoint","Please type in the folder where to mount your shared filesystem inside the container.", menu.qType.String,ct_features['sharefs']['mountpoint'])
# configure ram and swap
cfg['LXC_MEM'] = menu.question("Set container RAM", "Please type in the desired amount of RAM for the container (MB)",menu.qType.Integer,ct_features["mem"])
cfg['LXC_SWAP'] = menu.question("Set container Swap", "Please type in the desired amount of Swap for the container (MB)",menu.qType.Integer,ct_features["swap"])
cfg['LXC_HOSTNAME'] = menu.question("Set container Hostname", "Please type in the desired hostname of the container",menu.qType.String,ct_features['hostname'])
cfg['LXC_DOMAIN'] = menu.question("Set container search domain", "Please type in the search domain of your network.", menu.qType.String,ct_features['domain'])
cfg['LXC_TIMEZONE'] = 'host' # TODO
cfg['LXC_LOCALE'] = "de_DE.utf8" # TODO
# get pve bridge
bridges = config_base.get_pve_bridges()
if len(bridges) > 1:
cfg['LXC_BRIDGE'] = menu.radiolist("Select PVE Network Bridge", f"Please select the network bridge to connect the {cfg['ZMB_SERVICE']} container",bridges)
elif len(bridges) == 1:
cfg['LXC_BRIDGE'] = bridges[0]
else:
print("Could not find any bridge device to connect container. Please ensure your networksettings are configured properly.")
os._exit(1)
cfg['LXC_VLAN'] = menu.question("Set vlan tag", "You you want to tag your container's network to a vlan? (0 = untagged, 1 - 4094 = tagged vlan id)",menu.qType.Integer,0, config_base.validate_vlan)
# configure network interface
if cfg['ZMB_SERVICE'] != 'zmb-ad':
enable_dhcp = menu.question("Set network mode", "Do you want to configure the network interface in dhcp mode?",menu.qType.Boolean,default=True)
else:
enable_dhcp = False
if enable_dhcp == True:
cfg["LXC_NET_MODE"] = 'dhcp'
else:
cfg["LXC_NET_MODE"] = 'static'
cfg["LXC_IP"] = menu.question("Set interface IP Addess", "Pleace type in the containers IP address (CIDR Format).",menu.qType.String,default='10.10.10.10/8')
cfg["LXC_GW"] = menu.question("Set interface default gateway", "Pleace type in the containers default gateway.",menu.qType.String,default='10.10.10.1')
cfg['LXC_DNS'] = menu.question("Set containers dns server", "Pleace type in the containers dns server. ZMB AD will use this as dns forwarder",menu.qType.String,default='10.10.10.1')
cfg['LXC_PWD'] = menu.question("Set root password", "Please type in the containers root password", menu.qType.String,default='')
cfg['LXC_AUTHORIZED_KEY'] = menu.question ("Set authorized_keys file to import", "Please select authorized_keys file to import.", menu.qType.String, default='~/.ssh/authorized_keys')
os.system('clear')
print (f"#### Zamba LXC Toolbox ####\n")
print (f"GLOBAL CONFIGURATION:")
print (f"\tct template storage:\t{cfg['LXC_TEMPLATE_STORAGE']}")
print (f"\nCONTAINER CONFIGURATION:")
print (f"\tzmb service:\t\t{cfg['ZMB_SERVICE']}")
print (f"\tcontainer id:\t\t{cfg['LXC_NBR']}")
print (f"\tunprivileged:\t\t{cfg['LXC_UNPRIVILEGED']}")
for feature in ct_features['features'].keys():
if feature == 'nesting':
cfg['LXC_NESTING'] = ct_features['features'][feature]
print (f"\t{feature}:\t\t{cfg['LXC_NESTING']}")
print (f"\tcontainer memory:\t{cfg['LXC_MEM']} MB")
print (f"\tcontainer swap:\t\t{cfg['LXC_SWAP']} MB")
print (f"\tcontainer hostname:\t{cfg['LXC_HOSTNAME']}")
print (f"\tct search domain:\t{cfg['LXC_DOMAIN']}")
print (f"\tcontainer timezone\t{cfg['LXC_TIMEZONE']}")
print (f"\tcontainer language\t{cfg['LXC_LOCALE']}")
print (f"\nSTORAGE CONFIGURATION:")
print (f"\trootfs storage:\t\t{cfg['LXC_ROOTFS_STORAGE']}")
print (f"\trootfs size:\t\t{cfg['LXC_ROOTFS_SIZE']} GB")
if 'size' in ct_features['sharefs'].keys():
print (f"\tsharefs storage:\t{cfg['LXC_SHAREFS_STORAGE']}")
print (f"\tsharefs size:\t\t{cfg['LXC_SHAREFS_SIZE']} GB")
print (f"\tsharefs mountpoint:\t{cfg['LXC_SHAREFS_MOUNTPOINT']}")
print (f"\nNETWORK CONFIGURATION:")
print (f"\tpve bridge:\t\t{cfg['LXC_BRIDGE']}")
if cfg['LXC_VLAN'] > 0:
print (f"\tcontainer vlan:\t\t{cfg['LXC_VLAN']}")
else:
print (f"\tcontainer vlan:\t\tuntagged")
print (f"\tnetwork mode:\t\t{cfg['LXC_NET_MODE']}")
if enable_dhcp == False:
print (f"\tip address (CIDR):\t{cfg['LXC_IP']}")
print (f"\tdefault gateway:\t{cfg['LXC_GW']}")
print (f"\tdns server / forwarder:\t{cfg['LXC_GW']}")
print (f"\nCONTAINER CREDENTIALS:")
print (f"\troot password:\t\t{cfg['LXC_PWD']}")
print (f"\tauthorized ssh keys:\t{cfg['LXC_AUTHORIZED_KEY']}")

1
proxmox.conf Normal file
View File

@ -0,0 +1 @@
HOST_LOCALE=de_DE.UTF-8

25
src/checkmk/constants-service.conf Normal file
View File

@ -0,0 +1,25 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# checkmk version
CMK_VERSION=2.0.0p18
# build number of the debian package (needs to start with underscore)
CMK_BUILD=_0

37
src/checkmk/install-service.sh Normal file
View File

@ -0,0 +1,37 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
source /root/constants-service.conf
cd /tmp
wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
cat << EOF > /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
</VirtualHost>
EOF
a2enmod ssl
a2enmod rewrite
a2ensite default-ssl
systemctl restart apache2.service
omd start $CMK_INSTANCE
# install matrix notification plugin
wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py

11
src/constants.conf Normal file
View File

@ -0,0 +1,11 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on container level
# Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common"

20
src/debian-priv/constants-service.conf Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"

8
src/debian-priv/install-service.sh Normal file
View File

@ -0,0 +1,8 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
echo "'debian-priv' is ready to use!"

20
src/debian-unpriv/constants-service.conf Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"

8
src/debian-unpriv/install-service.sh Normal file
View File

@ -0,0 +1,8 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
echo "'debian-unpriv' is ready to use!"

66
src/lxc-base.sh Normal file
View File

@ -0,0 +1,66 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# load configuration
echo "Loading configuration..."
source /root/zamba.conf
source /root/constants.conf
source /root/constants-service.conf
echo "Updating locales"
# update locales
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
# Generate sources
if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://ftp.de.debian.org/debian bullseye main contrib
deb http://ftp.de.debian.org/debian bullseye-updates main contrib
# security updates
deb http://security.debian.org bullseye-security main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://ftp.de.debian.org/debian buster main contrib
deb http://ftp.de.debian.org/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib
EOF
else echo "LXC Debian Version false. Please check configuration files!" ; exit
fi
# update package lists
echo "Updating package database..."
apt --allow-releaseinfo-change update
# install latest packages
echo "Installing latest updates"
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install toolset
echo "Installing preconfigured toolset..."
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET_BASE $LXC_TOOLSET
echo "Enabling vim syntax highlighting..."
sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
if [ $LXC_VIM_BG_DARK -gt 0 ]; then
sed -i "s|\"set background=dark|set background=dark|g" /etc/vim/vimrc
fi
echo "Basic container setup finished, continuing with service installation..."

27
src/mailpiler/constants-service.conf Normal file
View File

@ -0,0 +1,27 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
PILER_VERSION="latest"
# Defines the version of sphinx to install
PILER_SPHINX_VERSION="3.3.1"
# Defines the php version to install
PILER_PHP_VERSION="7.4"

51
mailpiler.sh → src/mailpiler/install-service.sh
View File

@ -6,13 +6,7 @@
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
@ -23,22 +17,26 @@ echo $HOSTNAME
if
[ "$HOSTNAME" != "$PILER_FQDN" ]
then
echo "Hostname doesn't match PILER_FQDNain! Check install.sh, /etc/hosts, /etc/hostname." && exit
echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit
else
echo "Hostname matches PILER_FQDNAIN, so starting installation."
echo "Hostname matches $PILER_FQDN, so starting installation."
fi
apt update && apt full-upgrade -y
apt install -y $LXC_TOOLSET build-essential libwrap0-dev libpst-dev tnef libytnef0-dev unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 software-properties-common libpoppler-dev openssl libssl-dev memcached telnet nginx mariadb-server default-libmysqlclient-dev python-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23
# install php
wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
apt update && apt install -y php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
add-apt-repository "deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian $(lsb_release -cs) main"
apt purge -y postfix
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \
unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \
mariadb-server default-libmysqlclient-dev python3-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \
php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix
cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
innodb_buffer_pool_size=256M
@ -61,7 +59,13 @@ useradd -g piler -m -s /bin/bash -d /var/piler piler
usermod -L piler
chmod 755 /var/piler
wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
if [[ "$PILER_VERSION" == "latest" ]]; then
URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
PILER_VERSION=$(echo $URL | cut -d'-' -f2 | cut -d'.' -f1-3)
wget -O piler-$PILER_VERSION.tar.gz $URL
else
wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
fi
tar -xvzf piler-$PILER_VERSION.tar.gz
cd piler-$PILER_VERSION/
./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
@ -94,7 +98,7 @@ cd /etc/nginx/sites-available
cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
sed -i "s|PILER_HOST|$PILER_FQDN default_host|g" /etc/nginx/sites-available/piler-nginx.conf
sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
sed -i "/server_name.*/a \\
@ -114,12 +118,14 @@ sed -i "/server_name.*/a \\
sed -i "/^server {.*/i\
server {\n\
listen 80;\n\
server_name $PILER_FQDN default_host;\n\
server_name _;\n\
server_tokens off;\n\
# HTTP to HTTPS redirect.\n\
return 301 https://\$host\$request_uri;\n\
return 301 https://$PILER_FQDN;\n\
}" /etc/nginx/sites-available/piler-nginx.conf
unlink /etc/nginx/sites-enabled/default
cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
cat >> /usr/local/etc/piler/config-site.php <<EOF
@ -137,7 +143,7 @@ cat >> /usr/local/etc/piler/config-site.php <<EOF
\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
// general settings.
\$config['TIMEZONE'] = '$LXC_TIMEZONE';
\$config['TIMEZONE'] = 'Europe/Berlin';
// authentication
// Enable authentication against an imap server
@ -179,9 +185,4 @@ cat >> /usr/local/etc/piler/config-site.php <<EOF
\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
EOF
rm /etc/nginx/sites-enabled/default
nginx -t && systemctl restart nginx
apt autoremove -y
apt clean -y

23
src/matrix/constants-service.conf Normal file
View File

@ -0,0 +1,23 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Define the version of Element Web
MATRIX_ELEMENT_VERSION="v1.9.8"

28
matrix.sh → src/matrix/install-service.sh
View File

@ -6,13 +6,7 @@
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
source /root/constants-service.conf
MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
@ -20,13 +14,12 @@ ELE_DBNAME="synapse_db"
ELE_DBUSER="synapse_user"
ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
apt update && apt full-upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
apt install -y $LXC_TOOLSET apt-transport-https gpg software-properties-common nginx postgresql python3-psycopg2
wget wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
apt update && apt install -y matrix-synapse-py3
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
systemctl enable matrix-synapse
ss -tulpen
@ -94,7 +87,7 @@ cat > /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN <<EOF
server {
listen 80;
listen [::]:80;
server_name $MATRIX_ELEMENT_FQDN;
server_name _;
return 301 https://$MATRIX_ELEMENT_FQDN;
}
@ -114,6 +107,7 @@ server {
EOF
unlink /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$MATRIX_ELEMENT_FQDN
systemctl restart nginx
@ -143,19 +137,17 @@ EOF
cd /
sed -i "s|#registration_shared_secret: <PRIVATE STRING>|registration_shared_secret: \"$MRX_PKE\"|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|#public_baseurl: https://example.com/|public_baseurl: https://$MATRIX_FQDN/|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|server_name:|server_name: $MATRIX_FQDN|g" /etc/matrix-synapse/conf.d/server_name.yaml
sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n user: $ELE_DBUSER\n password: $ELE_DBPASS\n host: 127.0.0.1\n cp_min: 5\n cp_max: 10|" /etc/matrix-synapse/homeserver.yaml
systemctl restart matrix-synapse
register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p '$MATRIX_ADMIN_PASSWORD' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
#apt update
#apt install -y jitsi-meet
#apt install -y jitsi-meet

41
src/nextcloud/constants-service.conf Normal file
View File

@ -0,0 +1,41 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
NEXTCLOUD_VERSION="latest"
# Defines the php version to install
NEXTCLOUD_PHP_VERSION="8.0"
# Defines the IP from the SQL server
NEXTCLOUD_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
NEXTCLOUD_DB_PORT="5432"
# Defines the name from the SQL database
NEXTCLOUD_DB_NAME="nextcloud_db"
# Defines the name from the SQL user
NEXTCLOUD_DB_USR="nextcloud"
# Build a strong password for the SQL user - could be overwritten with something fixed
NEXTCLOUD_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"

443
src/nextcloud/install-service.sh Normal file
View File

@ -0,0 +1,443 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils nfs-common cifs-utils redis-server imagemagick \
postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
timedatectl set-timezone Europe/Berlin
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### Create database for nextcloud ####
su - postgres <<EOF
psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
EOF
#### Adjust php settings ####
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/;date.timezone.*/date.timezone = Europe\/\Berlin/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;date.timezone.*/date.timezone = Europe\/\Berlin/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
#### Adjust nginx settings ####
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/nginx.conf <<EOF
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on; use epoll;
}
http {
server_names_hash_bucket_size 64;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
set_real_ip_from 127.0.0.1;
#optional, Sie können das eigene Subnetz ergänzen, bspw.:
# set_real_ip_from $LXC_IP;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 127.0.0.53 valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
}
EOF
[ -f /etc/nginx/conf.d/default.conf ] && mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
touch /etc/nginx/conf.d/default.conf
cat > /etc/nginx/conf.d/http.conf << EOF
upstream php-handler {
server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name $NEXTCLOUD_FQDN;
root /var/www;
location / {
return 301 https://\$host\$request_uri;
}
}
EOF
cat > /etc/nginx/conf.d/nextcloud.conf << EOF
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $NEXTCLOUD_FQDN;
ssl_certificate /etc/ssl/certs/nextcloud.crt;
ssl_certificate_key /etc/ssl/private/nextcloud.key;
ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve X448:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 5120M;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
root /var/www/nextcloud;
index index.php index.html /index.php\$request_uri;
expires 1m;
location = / {
if ( \$http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/\$is_args\$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location ^~ /.well-known { return 301 /index.php/\$uri; }
try_files \$uri \$uri/ =404;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:\$|/) {
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
set \$path_info \$fastcgi_path_info;
try_files \$fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_param PATH_INFO \$path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)\$ {
try_files \$uri /index.php\$request_uri;
expires 6M;
access_log off;
}
location ~ \.woff2?\$ {
try_files \$uri /index.php\$request_uri;
expires 7d;
access_log off;
}
location / {
try_files \$uri \$uri/ /index.php\$request_uri;
}
location /push/ {
proxy_pass http://localhost:7867/;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
}
EOF
systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
#### Adjust redis settings ####
cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
usermod -aG redis www-data
#### Adjust sysctl.conf settings ####
cp /etc/sysctl.conf /etc/sysctl.conf.bak
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
systemctl restart redis
#### HIER MÜSSTE EIN REBOOT REIN ####
#### Install nextcloud ####
cd /usr/local/src
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
cat > /root/permissions.sh << EOF
#!/bin/bash
find /var/www/ -type f -print0 | xargs -0 chmod 0640
find /var/www/ -type d -print0 | xargs -0 chmod 0750
chown -R www-data:www-data /var/www
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
chmod 0644 /var/www/nextcloud/.htaccess
chmod 0644 /var/www/nextcloud/.user.ini
exit 0
EOF
chmod +x /root/permissions.sh
/root/permissions.sh
#### install fail2ban ####
cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
EOF
cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 3600
findtime = 36000
logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log
EOF
systemctl restart fail2ban
#### Create configuration script for nextcloud, which will be executet as user www-data
cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
#!/bin/bash
php /var/www/nextcloud/occ maintenance:install --database pgsql \
--database-host $NEXTCLOUD_DB_IP \
--database-port $NEXTCLOUD_DB_PORT \
--database-name $NEXTCLOUD_DB_NAME \
--database-user $NEXTCLOUD_DB_USR \
--database-pass $NEXTCLOUD_DB_PWD \
--admin-user $NEXTCLOUD_ADMIN_USR \
--admin-pass $NEXTCLOUD_ADMIN_PWD \
--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
sed -i '/);/d' /var/www/nextcloud/config/config.php
cat >> /var/www/nextcloud/config/config.php << EOF
'activity_expire_days' => 14,
'auth.bruteforce.protection.enabled' => true,
'blacklisted_files' =>
array (
0 => '.htaccess',
1 => 'Thumbs.db',
2 => 'thumbs.db',
),
'cron_log' => true,
'default_phone_region' => 'DE',
'enable_previews' => true,
'enabledPreviewProviders' =>
array (
0 => 'OC\Preview\PNG',
1 => 'OC\Preview\JPEG',
2 => 'OC\Preview\GIF',
3 => 'OC\Preview\BMP',
4 => 'OC\Preview\XBitmap',
5 => 'OC\Preview\Movie',
6 => 'OC\Preview\PDF',
7 => 'OC\Preview\MP3',
8 => 'OC\Preview\TXT',
9 => 'OC\Preview\MarkDown',
),
'filesystem_check_changes' => 0,
'filelocking.enabled' => 'true',
'htaccess.RewriteBase' => '/',
'integrity.check.disabled' => false,
'knowledgebaseenabled' => false,
'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
'loglevel' => 2,
'logtimezone' => 'Europe/Berlin',
'log_rotate_size' => 104857600,
'maintenance' => false,
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'overwriteprotocol' => 'https',
'preview_max_x' => 1024,
'preview_max_y' => 768,
'preview_max_scale_factor' => 1,
'redis' =>
array (
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.0,
),
'quota_include_external_storage' => false,
'share_folder' => '/Freigaben',
'skeletondirectory' => '',
'theme' => '',
'trashbin_retention_obligation' => 'auto, 7',
'updater.release.channel' => 'stable',
'trusted_proxies' =>
array (
'$NEXTCLOUD_REVPROX'
),
);
EOF
sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
php /var/www/nextcloud/occ app:disable survey_client
php /var/www/nextcloud/occ app:disable firstrunwizard
php /var/www/nextcloud/occ app:enable admin_audit
php /var/www/nextcloud/occ app:enable notify_push
php /var/www/nextcloud/occ app:enable files_pdfviewer
php /var/www/nextcloud/occ background:cron
DFOE
/root/permissions.sh
su -s /bin/bash www-data <<EOF
bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
EOF
#### Create file for high performance backend
cat > /etc/systemd/system/notify_push.service << EOF
[Unit]
Description = Push daemon for Nextcloud clients
[Service]
Environment=PORT=7867
Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
Environment=ALLOW_SELF_SIGNED=true
ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
User=www-data
[Install]
WantedBy = multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now notify_push
echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################"
shutdown -r now

26
src/onlyoffice/constants-service.conf Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
ONLYOFFICE_DB_HOST=localhost
ONLYOFFICE_DB_NAME=onlyoffice
ONLYOFFICE_DB_USER=onlyoffice

43
src/onlyoffice/install-service.sh Normal file
View File

@ -0,0 +1,43 @@
source /root/zamba.conf
source /root/constants-service.conf
ONLYOFFICE_DB_PASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
su postgres <<EOF
psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
psql -c "CREATE DATABASE $ONLYOFFICE_DB_NAME ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $ONLYOFFICE_DB_USER;"
echo "Postgres User '$ONLYOFFICE_DB_USER' and database '$ONLYOFFICE_DB_NAME' created."
EOF
echo onlyoffice-documentserver onlyoffice/ds-port select 80 | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-host string $ONLYOFFICE_DB_HOST | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver
cat << EOF > /root/onlyoffice.credentials
ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
ONLYOFFICE_DB_NAME=$ONLYOFFICE_DB_NAME
ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
EOF
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
rm /etc/nginx/conf.d/ds.conf
cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/nginx/conf.d/ds-ssl.conf
sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/nginx/conf.d/ds-ssl.conf
systemctl restart nginx

20
src/open3a/constants-service.conf Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"

72
src/open3a/install-service.sh Normal file
View File

@ -0,0 +1,72 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
source /root/constants-service.conf
webroot=/var/www/html
MYSQL_PASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot;
index index.php;
ssl on;
ssl_certificate /etc/nginx/ssl/open3a.crt;
ssl_certificate_key /etc/nginx/ssl/open3a.key;
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
}
EOF
mysql -uroot -e "CREATE USER 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
GRANT USAGE ON * . * TO 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS open3a;
GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
cd $webroot
wget https://www.open3a.de/download/open3A%203.5.zip -O $webroot/open3a.zip
unzip open3a.zip
rm open3a.zip
chmod 666 system/DBData/Installation.pfdb.php
chmod -R 777 specifics/
chmod -R 777 system/Backup
chown -R www-data:www-data $webroot
echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
chmod +x /etc/cron.daily/open3a-backup
systemctl enable --now php7.4-fpm
systemctl restart php7.4-fpm nginx
echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$LXC_IP\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"

23
src/proxmox-pbs/constants-service.conf Normal file
View File

@ -0,0 +1,23 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Backup ubdir where Urbackup will store backups
PBS_DATA="backup"

22
src/proxmox-pbs/install-service.sh Normal file
View File

@ -0,0 +1,22 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
source /root/constants-service.conf
cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list
# PBS pbs-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
EOF
wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
apt update && apt upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA

6
src/sources.list Normal file
View File

@ -0,0 +1,6 @@
deb http://ftp.de.debian.org/debian buster main contrib
deb http://ftp.de.debian.org/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib

26
src/urbackup/constants-service.conf Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-10-standard"
# Create sharefs mountpoint
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Backup ubdir where Urbackup will store backups
URBACKUP_DATA="urbackup"
# OS codename for opensuse / urbackup repo
REPO_CODENAME="Debian_10"

63
src/urbackup/install-service.sh Normal file
View File

@ -0,0 +1,63 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
source /root/constants-service.conf
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
mkdir /etc/urbackup
echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
ln -s /usr/share/urbackup/www /var/www/urbackup
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root /var/www/urbackup;
index index.htm;
ssl on;
ssl_certificate /etc/nginx/ssl/urbackup.crt;
ssl_certificate_key /etc/nginx/ssl/urbackup.key;
location /x {
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:55413;
}
}
EOF
sed -i "s/DAEMON_TMPDIR=\"\/tmp\"/DAEMON_TMPDIR=\"\/$LXC_SHAREFS_MOUNTPOINT\/tmp\"/g" /etc/default/urbackupsrv
sed -i "s/HTTP_SERVER=\"true\"/HTTP_SERVER=\"false\"/g" /etc/default/urbackupsrv
chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/tmp
chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
systemctl restart urbackupsrv nginx

32
src/zmb-ad/constants-service.conf Normal file
View File

@ -0,0 +1,32 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=()

55
zmb-ad.sh → src/zmb-ad/install-service.sh
View File

@ -6,17 +6,27 @@
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
source /root/constants-service.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
BINDNINE=bind9
fi
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
## configure ntp
cat << EOF > /etc/ntp.conf
@ -52,9 +62,19 @@ EOF
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
@ -65,7 +85,7 @@ RESOLVCONF=no
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
@ -101,9 +121,10 @@ EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
# stop + disable samba services and remove default config
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl disable --now smbd nmbd winbind systemd-resolved
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
@ -113,7 +134,7 @@ samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAI
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc $BINDNINE
systemctl restart samba-ad-dc $BINDNINE
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
exit 0
exit 0

20
src/zmb-member/constants-service.conf Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"

22
zmb-member.sh → src/zmb-member/install-service.sh
View File

@ -6,17 +6,15 @@
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
source /root/constants-service.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
# add wsdd package repo
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
@ -70,12 +68,11 @@ cat > /etc/samba/smb.conf <<EOF
printing = bsd
disable spoolss = Yes
allow trusted domains = No
dns proxy = No
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: delimiter = -20
[$ZMB_SHARE]
@ -86,8 +83,6 @@ cat > /etc/samba/smb.conf <<EOF
directory mask = 0770
inherit acls = Yes
EOF
systemctl restart smbd
@ -109,5 +104,4 @@ chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
systemctl restart smbd nmbd winbind
systemctl restart smbd nmbd winbind wsdd

20
src/zmb-standalone/constants-service.conf Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"

51
src/zmb-standalone/install-service.sh Normal file
View File

@ -0,0 +1,51 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
source /root/constants-service.conf
# add wsdd package repo
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t $(lsb_release -cs)-backports cockpit
mkdir /usr/share/cockpit/smb
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
smbpasswd -x $USER
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
cat << EOF >> /etc/samba/smb.conf
[$ZMB_SHARE]
comment = Main Share
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
read only = No
vfs objects = shadow_copy2
create mask = 0660
directory mask = 0770
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: delimiter = -20
EOF
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
systemctl restart smbd nmbd wsdd

44
zmb-standalone.sh
View File

@ -1,44 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba samba-dsdb-modules samba-vfs-modules
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
smbpasswd -x $USER
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
cat << EOF >> /etc/samba/smb.conf
[$ZMB_SHARE]
comment = Main Share
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
read only = No
vfs objects = shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
shadow: delimiter = -20
EOF
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
systemctl restart smbd nmbd