bug: 20 Character (pwd)

Defines the amount of RAM for elasticsearch (Java option)

.gitignore

@@ -1,2 +1,5 @@
 *__pycache__*
 .vscode/*
+conf/*
+!conf/README.md
+!conf/zamba.conf.example

CHANGELOG.md

@@ -1,12 +0,0 @@
-**** Zamba LXC Toolbox v0.1 ****
-- `locales` are now configured noninteractive #21
-- timezone is now configured with `pct set` command in `install.sh` #22
-- changed command sequence in `install.sh` - select container first, then start the installation
-- improved / updated documentation
-- replaced `just-lxc` container by `debian-priv` and `debian-unpriv` container
-- (un)privileged now defined as constant based on created service #6
-- improved log messages in `install.sh`
-- `mailpiler`: website is now also `default_host`, removed nginx default site, dns entry is still required
-- changed `mailpiler` version to 1.3.11
-- changed `element-web` version to 1.7.25
-- `LXC_AUTHORIZED_KEY` variable now defines an `authorized_keys` file, by default the configuration of you proxmox host will be inherited (`~/.ssh/authorized_keys`)

README.md

@@ -5,15 +5,26 @@ Zamba LXC Toolbox is a collection of scripts to easily install Debian LXC contai
 The main feature is `Zamba`, the fusion of ZFS and Samba in three different flavours (standalone, active directory dc or active directory member), preconfigured to access ZFS snapshots by "Windows Previous Versions" to easily recover encrypted by ransomware files, accidently deleted files or just to revert changes.
 The package also provides LXC container installers for `mailpiler`, `matrix-synapse` + `element-web` and more services will follow in future releases.
 ### Requirements
-Proxmox VE Server with at least one configured ZFS Pool.
+Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 ### Included services:
-- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
-- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
-- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
+- `checkmk` => Check_MK 2.0 Monitoring Server
+- `debian-priv` => Debian privileged container with basic toolset
+- `debian-unpriv` => Debian unprivileged container with basic toolset
+- `gitea`=> Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
+- `kopano-core` => Kopano Core Grouoware [kopano.io](https://kopano.io/)
 - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
 - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
-- `debian-unpriv` => Debian unprivileged container with basic toolset
-- `debian-unpriv` => Debian privileged container with basic toolset
+- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
+- `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
+- `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
+- `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
+- `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
+- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
+- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
+- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
+- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
+- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
+- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
 ## Usage
 Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
 ```bash
@@ -26,14 +37,24 @@ git clone https://github.com/bashclub/zamba-lxc-toolbox
 cd zamba-lxc-toolbox
 ```
 ### Configuration
-To fit your requirements, please edit the file `zamba.conf` with your favourite text editor (e.g. `vim` or `nano`).
-The required adjustments are in the LXC container section and in the section for the service you want to launch.
-For further information about the config variables, have a look at [zamba.conf.md](zamba.conf.md)
+Copy `zamba.conf.example` located in `conf` directory to a new file (default: `zamba.conf`) and adjust your desired settings.
+For further information about configuration variables, have a look at [conf/README.md](conf/README.md)
+```bash
+cp conf/zamba.conf.example conf/zamba.conf
+```
 ### Installation
-After configuring, you are able to launch the script interactively:
+After configuring, you are able to launch the script interactively (only works with `conf/zamba.conf`):
 ```bash
 bash install.sh
 ```
+### Advanced Usage
+You can set optional parameters (config file, service, container id):
+#### Example:
+```bash
+bash install.sh -i 280 -c conf/my-zmb-service.conf -s zmb-member
+```
+You can also view possible parameters with `install.sh -h`
+
 After container creation, you will be prompted to select the service to install and depending on the service there may be some more questions during installation.
 
 Once the script has finished, the container is installed and running and you can continue with the service specific configuration.

conf/README.md

@@ -1,4 +1,5 @@
-# `zamba.conf` options reference
+# USE THIS FOLDER TO STORE YOUR OWN ZMB CONFIGS
+# Configuration options reference
 This is the reference of all config options you can set in `zamba.conf`
 <br>
 
@@ -48,15 +49,20 @@ Defines the amount of swap space in MB your LXC container is allowed to use (def
 LXC_SWAP="1024"
 ```
 ### LXC_HOSTNAME
-Defines the hostname of your LXC container
+Defines the hostname of your LXC container (Default: Name of installed Service)
 ```bash
-LXC_SWAP="zamba"
+LXC_HOSTNAME="zamba"
 ```
 ### LXC_DOMAIN
 Defines the domain name / search domain of your LXC container
 ```bash
 LXC_DOMAIN="zmb.rocks"
 ```
+### LXC_DHCP
+Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
+```bash
+LXC_DHCP=false
+```
 ### LXC_IP
 Defines the local IP address and subnet of your LXC container in CIDR format
 ```bash
@@ -87,7 +93,7 @@ LXC_VLAN="80"
 ### LXC_PWD
 Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour.
 ```bash
-LXC_PWD="S3cr3tp@ssw0rd"
+LXC_PWD="Start!123"
 ```
 ### LXC_AUTHORIZED_KEY
 Defines an authorized_keys file to push into the LXC container.
@@ -98,7 +104,7 @@ LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
 ### LXC_TOOLSET
 Define your (administrative) tools, you always want to have installed into your LXC container
 ```bash
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
 ```
 ### LXC_TIMEZONE
 Define the local timezone of your LXC container (default: Euroe/Berlin)
@@ -111,6 +117,13 @@ Define system language on LXC container (locales)
 LXC_LOCALE="de_DE.utf8"
 ```
 This parameter is not used yet, but will be integrated in future releases.
+
+### LXC_VIM_BG_DARK
+Set dark background for vim syntax highlighting (0 or 1)
+```bash
+LXC_VIM_BG_DARK=1
+```
+
 <br>
 
 ## Zamba Server Section
@@ -127,11 +140,6 @@ Defines the domain name in your Active Directory or Workgroup (AD DC, AD member,
 ```bash
 ZMB_DOMAIN="ZMB"
 ```
-### ZMB_DNS_BACKEND
-Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-```bash
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-```
 ### ZMB_ADMIN_USER
 Defines the name of your domain administrator account (AD DC, AD member, standalone)
 ```bash
@@ -140,7 +148,7 @@ ZMB_ADMIN_USER="Administrator"
 ### ZMB_ADMIN_PASS
 Defines the domain administrator's password (AD DC, AD member).
 ```bash
-ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
+ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour.
 `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
@@ -163,22 +171,7 @@ PILER_FQDN="piler.zmb.rocks"
 ### PILER_SMARTHOST
 Defines the smarthost for piler mail archive
 ```bash
-PILER_SMARTHOST="10.10.80.20"
-```
-### PILER_VERSION
-Defines the version number of piler mail archive to install
-```bash
-PILER_VERSION="1.3.10"
-```
-### PILER_SPHINX_VERSION
-Defines the version of sphinx to install
-```bash
-PILER_SPHINX_VERSION="3.3.1"
-```
-### PILER_PHP_VERSION
-Defines the php version to install
-```bash
-PILER_PHP_VERSION="7.4"
+PILER_SMARTHOST="your.mailserver.tld"
 ```
 <br>
 
@@ -197,13 +190,67 @@ Define the FQDN for the Element Web virtual host
 ```bash
 MATRIX_ELEMENT_FQDN="element.zmb.rocks"
 ```
-### MATRIX_ELEMENT_VERSION
-Define the version of Element Web
+
+### MATRIX_ADMIN_USER
+Define the administrative user of matrix service
 ```bash
-MATRIX_ELEMENT_VERSION="v1.7.24"
+MATRIX_ADMIN_USER="admin"
 ```
-### MATRIX_JITSI_FQDN
-Define the FQDN for the Jitsi Meet virtual host
+
+### MATRIX_ADMIN_PASSWORD
+Define the admin password
 ```bash
-MATRIX_JITSI_FQDN="meet.zmb.rocks"
+MATRIX_ADMIN_PASSWORD="Start!123"
+```
+
+## Nextcloud-Section
+
+### NEXTCLOUD_FQDN
+Define the FQDN of your Nextcloud server
+```bash
+NEXTCLOUD_FQDN="nc1.zmb.rocks"
+```
+
+### NEXTCLOUD_ADMIN_USR
+The initial admin-user which will be configured
+```bash
+NEXTCLOUD_ADMIN_USR="zmb-admin"
+```
+
+### NEXTCLOUD_ADMIN_PWD
+Build a strong password for this user. Username and password will shown at the end of the instalation. 
+```bash
+NEXTCLOUD_ADMIN_PWD="$(random_password)"
+```
+### NEXTCLOUD_DATA
+Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
+```bash
+NEXTCLOUD_DATA="nc_data"
+```
+### NEXTCLOUD_REVPROX
+Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+```bash
+NEXTCLOUD_REVPROX="192.168.100.254"
+```
+
+## Check_MK-Section
+
+### CMK_INSTANCE
+Define the name of your checkmk instance
+```bash
+CMK_INSTANCE=zmbrocks
+```
+
+### CMK_ADMIN_PW
+Define the password of user 'cmkadmin'
+```bash
+CMK_ADMIN_PW='Start!123'
+```
+
+### CMK_EDITION
+checkmk edition (raw or free)
+- raw = completely free
+- free = limited version of the enterprise edition (25 hosts, 1 instance)
+```bash
+CMK_EDITION=raw
 ```

conf/zamba.conf.example

@@ -34,11 +34,14 @@ LXC_MEM="1024"
 LXC_SWAP="1024"
 
 # Defines the hostname of your LXC container
-LXC_HOSTNAME="zamba"
+LXC_HOSTNAME="${service}"
 
 # Defines the domain name / search domain of your LXC container
 LXC_DOMAIN="zmb.rocks"
 
+# Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
+LXC_DHCP=false
+
 # Defines the local IP address and subnet of your LXC container in CIDR format
 LXC_IP="192.168.100.200/24"
 
@@ -54,23 +57,29 @@ LXC_DNS="192.168.100.254"
 LXC_BRIDGE="vmbr0"
 
 # Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
-LXC_VLAN=
+LXC_VLAN=NONE
 
 # Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
-LXC_PWD='S3cr3tp@ssw0rd'
+LXC_PWD='Start!123'
 
 # Defines an authorized_keys file to push into the LXC container.
 # By default the authorized_keys will be inherited from your proxmox host.
 LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys
 
 # Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
 
 # Define the local timezone of your LXC container (default: Euroe/Berlin)
 LXC_TIMEZONE="Europe/Berlin"
 
 # Define system language on LXC container (locales)
-LXC_LOCALE=de_DE.UTF-8
+# With this paramater you can generate additional locales, the default language will be inherited from proxmox host.
+# en_US.UTF-8  english
+# de_DE.UTF-8  german (default)
+LXC_LOCALE="de_DE.UTF-8"
+
+# Set dark background for vim syntax highlighting (0 or 1)
+LXC_VIM_BG_DARK=1
 
 ############### Zamba-Server-Section ###############
 
@@ -79,14 +88,11 @@ ZMB_REALM="ZMB.ROCKS"
 # Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
 ZMB_DOMAIN="ZMB"
 
-# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-
 # Defines the name of your domain administrator account (AD DC, AD member, standalone)
 ZMB_ADMIN_USER="administrator"
 # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
 # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
-ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
+ZMB_ADMIN_PASS='Start!123'
 
 # Defines the name of your Zamba share
 ZMB_SHARE="share"
@@ -94,15 +100,9 @@ ZMB_SHARE="share"
 ############### Mailpiler-Section ###############
 
 # Defines the (public) FQDN of your piler mail archive
-PILER_FQDN="piler.zmb.rocks"
+PILER_FQDN="mailpiler.zmb.rocks"
 # Defines the smarthost for piler mail archive
-PILER_SMARTHOST="your.mailserver.tld"
-# Defines the version number of piler mail archive to install
-PILER_VERSION="1.3.11"
-# Defines the version of sphinx to install
-PILER_SPHINX_VERSION="3.3.1"
-# Defines the php version to install
-PILER_PHP_VERSION="7.4"
+PILER_SMARTHOST="mail.zmb.rocks"
 
 ############### Matrix-Section ###############
 
@@ -112,8 +112,50 @@ MATRIX_FQDN="matrix.zmb.rocks"
 # Define the FQDN for the Element Web virtual host
 MATRIX_ELEMENT_FQDN="element.zmb.rocks"
 
-# Define the version of Element Web
-MATRIX_ELEMENT_VERSION="v1.7.25"
+# Define the administrative user of matrix service
+MATRIX_ADMIN_USER="admin"
 
-# Define the FQDN for the Jitsi Meet virtual host
-MATRIX_JITSI_FQDN="meet.zmb.rocks"
+# Define the admin password
+MATRIX_ADMIN_PASSWORD="Start!123"
+
+############### Nextcloud-Section ###############
+
+# Define the FQDN of your Nextcloud server
+NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
+
+# The initial admin-user which will be configured
+NEXTCLOUD_ADMIN_USR="zmb-admin"
+
+# Build a strong password for this user. Username and password will shown at the end of the installation. 
+NEXTCLOUD_ADMIN_PWD="$(random_password)"
+
+# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
+NEXTCLOUD_DATA="nc_data"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+NEXTCLOUD_REVPROX="192.168.100.254"
+
+############### Check_MK-Section ###############
+
+# Define the name of your checkmk instance
+CMK_INSTANCE=zmbrocks
+
+# Define the password of user 'cmkadmin'
+CMK_ADMIN_PW='Start!123'
+
+# checkmk edition (raw or free)
+# raw = completely free
+# free = limited version of the enterprise edition (25 hosts, 1 instance)
+CMK_EDITION=raw
+
+############### Kopano-Section ###############
+
+# Define the FQDN of your Nextcloud server
+KOPANO_FQDN="kopano.zmb.rocks"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+KOPANO_MAILGW="192.168.100.254"
+
+# Kopano test- or subscription-key offerd from 
+# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
+KOPANO_REPKEY="1234567890abcdefghijklmno"

debian-priv.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
-sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc

debian-unpriv.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-dpkg-reconfigure locales
-
-source /root/zamba.conf
-
-# Set Timezone
-ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
-sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc

install.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -euo pipefail
 
 # This script will create and fire up a standard debian buster lxc container on your Proxmox VE.
 # On a Proxmox cluster, the script will create the container on the local node, where it's executed.
@@ -15,78 +16,109 @@
 # Please adjust th settings in 'zamba.conf' to your needs before running the script
 
 ############### ZAMBA INSTALL SCRIPT ###############
+prog="$(basename $0)"
+
+usage() {
+	cat >&2 <<-EOF
+	usage: $prog [-h] [-i CTID] [-s SERVICE] [-c CFGFILE]
+	  installs a preconfigured lxc container on your proxmox server
+    -i CTID      provide a container id instead of auto detection
+    -s SERVICE   provide the service name and skip the selection dialog
+    -c CFGFILE   use a different config file than 'zamba.conf'
+    -h           displays this help text
+  ---------------------------------------------------------------------------
+    (C) 2021     zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
+  ---------------------------------------------------------------------------
+
+	EOF
+	exit $1
+}
+
+ctid=0
+service=ask
+config=$PWD/conf/zamba.conf
+
+while getopts "hi:s:c:" opt; do
+  case $opt in
+    h) usage 0 ;;
+    i) ctid=$OPTARG ;;
+    s) service=$OPTARG ;;
+    c) config=$OPTARG ;;
+    *) usage 1 ;;
+  esac
+done
+shift $((OPTIND-1))
+
+OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n)
+
+valid=0
+if [[ "$service" == "ask" ]]; then
+  select svc in $OPTS quit; do
+    if [[ "$svc" != "quit" ]]; then
+       for line in $OPTS; do
+        if [[ "$svc" == "$line" ]]; then
+          service=$svc
+          echo "Installation of $service selected."
+          valid=1
+          break
+        fi
+      done
+    else
+      echo "Selected 'quit' exiting without action..."
+      exit 0
+    fi
+    if [[ "$valid" == "1" ]]; then
+      break
+    fi
+  done
+else
+  for line in $OPTS; do
+    if [[ "$service" == "$line" ]]; then
+      echo "Installation of $service selected."
+      valid=1
+      break
+    fi
+  done
+fi
+
+if [[ "$valid" != "1" ]]; then
+  echo "Invalid option, exiting..."
+  usage 1
+fi
 
 # Load configuration file
-source $PWD/zamba.conf
+echo "Loading config file '$config'..."
+if [ ! -e "$config" ]; then
+  echo "Configuration files does not exist"
+  exit 1
+fi
 
-LXC_MP="0"
-LXC_UNPRIVILEGED="1"
-LXC_NESTING="0"
+source "src/functions.sh"
 
-select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
-  case $opt in
-    debian-unpriv)
-      echo "Debian-only LXC container unprivileged mode selected"
-      break
-      ;;
-    debian-priv)
-      echo "Debian-only LXC container privileged mode selected"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-standalone)
-      echo "Configuring LXC container '$opt'!"
-      LXC_MP="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-member)
-      echo "Configuring LXC container '$opt'!"
-      LXC_MP="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-ad)
-      echo "Selected Zamba AD DC"
-      LXC_NESTING="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    mailpiler)
-      echo "Configuring LXC container for '$opt'!"
-      LXC_NESTING="1"
-      break
-      ;;
-    matrix)
-      echo "Install Matrix chat server and element web service"
-      break
-      ;;
-    quit)
-      echo "Script aborted by user interaction."
-      exit 0
-      ;;
-    *)
-      echo "Invalid option! Exiting..."
-      exit 1
-      ;;
-    esac
-done
+source "$config"
+
+source "$PWD/src/$service/constants-service.conf"
 
 # CHeck is the newest template available, else download it.
-DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep debian-10-standard | cut -d'_' -f2)
-DEB_REP=$(pveam available --section system | grep debian-10-standard | cut -d'_' -f2)
+DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
+DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
+TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
 
 if [[ $DEB_LOC == $DEB_REP ]];
 then
-  echo "Newest Version of Debian 10 Standard $DEP_REP exists.";
+  echo "Newest Version of $LXC_TEMPLATE_VERSION $DEB_REP exists.";
 else
-  echo "Will now download newest Debian 10 Standard $DEP_REP.";
-  pveam download $LXC_TEMPLATE_STORAGE debian-10-standard_$DEB_REP\_amd64.tar.gz
+  echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP.";
+  pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
 fi
 
-# Get next free LXC-number
-LXC_LST=$( lxc-ls | egrep -o '.{1,5}$' )
-LXC_CHK=$((LXC_LST+1));
+if [ $ctid -gt 99 ]; then
+  LXC_CHK=$ctid
+else
+  # Get next free LXC-number
+  LXC_LST=$( lxc-ls -1 | tail -1 )
+  LXC_CHK=$((LXC_LST+1));
+fi
 
 if  [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
   LXC_NBR=$(pvesh get /cluster/nextid);
@@ -96,17 +128,18 @@ fi
 echo "Will now create LXC Container $LXC_NBR!";
 
 # Create the container
-pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/debian-10-standard_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+pct create $LXC_NBR --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
 sleep 2;
 
 # Check vlan configuration
-if [[ $LXC_VLAN != "" ]];then
-  VLAN=",tag=$LXC_VLAN"
-else
- VLAN=""
-fi
+if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME \-nameserver $LXC_DNS -searchdomain $LXC_DOMAIN -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
+if [ $LXC_DHCP == true ]; then
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
+else
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
+fi
 sleep 2
 
 if [ $LXC_MP -gt 0 ]; then
@@ -118,24 +151,24 @@ PS3="Select the Server-Function: "
 
 pct start $LXC_NBR;
 sleep 5;
-# Set the root password and key
-echo "Setting root password"
-echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
-echo "Creating /root/.ssh"
-lxc-attach -n$LXC_NBR mkdir /root/.ssh;
-echo "Copying authorized_keys"
+# Set the root ssh key
+pct exec $LXC_NBR -- mkdir /root/.ssh
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
-echo "Copying sources.list"
-pct push $LXC_NBR ./sources.list /etc/apt/sources.list
-echo "Copying zamba.conf"
-pct push $LXC_NBR ./zamba.conf /root/zamba.conf
-echo "Copying install script"
-pct push $LXC_NBR ./$opt.sh /root/$opt.sh
-echo "Install '$opt'!"
-lxc-attach -n$LXC_NBR bash /root/$opt.sh
+pct push $LXC_NBR "$config" /root/zamba.conf
+pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
+pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
+pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
+pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
+pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
 
-if [[ $opt == "zmb-ad" ]]; then
+echo "Installing basic container setup..."
+lxc-attach -n$LXC_NBR bash /root/lxc-base.sh
+echo "Install '$service'!"
+lxc-attach -n$LXC_NBR bash /root/install-service.sh
+
+if [[ $service == "zmb-ad" ]]; then
   pct stop $LXC_NBR
-  pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
   pct start $LXC_NBR
 fi

sources.list

@@ -1,6 +0,0 @@
-deb http://ftp.de.debian.org/debian buster main contrib
-
-deb http://ftp.de.debian.org/debian buster-updates main contrib
-
-# security updates
-deb http://security.debian.org buster/updates main contrib

src/checkmk/constants-service.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# checkmk version
+CMK_VERSION=2.0.0p23
+# build number of the debian package (needs to start with underscore)
+CMK_BUILD=_0

src/checkmk/install-service.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+cd /tmp
+wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+
+omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
+
+cat << EOF > /etc/apache2/sites-available/000-default.conf
+<VirtualHost *:80>
+	RewriteEngine On
+	RewriteCond %{HTTPS} !=on
+	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
+</VirtualHost>
+EOF
+
+a2enmod ssl
+a2enmod rewrite
+a2ensite default-ssl
+
+systemctl restart apache2.service
+
+omd start $CMK_INSTANCE
+
+# install matrix notification plugin
+
+wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
+chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
+chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py

src/constants.conf

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on container level
+
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common"

src/debian-priv/constants-service.conf

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"

src/debian-priv/install-service.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-priv' is ready to use!"

src/debian-unpriv/constants-service.conf

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"

src/debian-unpriv/install-service.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-unpriv' is ready to use!"

src/functions.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+#
+# This script has basic functions like a random password generator
+
+random_password() {
+    set +o pipefail
+    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32
+}
+
+random_password_open3a() {
+    set +o pipefail
+    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c20
+}

src/gitea/constants-service.conf

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the IP from the SQL server
+GITEA_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+GITEA_DB_PORT="5432"
+
+# Defines the name from the SQL database
+GITEA_DB_NAME="gitea"
+
+# Defines the name from the SQL user
+GITEA_DB_USR="gitea"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+GITEA_DB_PWD="$(random_password)"

src/gitea/install-service.sh

@@ -0,0 +1,160 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert unzip zip
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
+psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
+echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
+EOF
+
+adduser  --system  --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
+
+curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
+chmod +x /usr/local/bin/gitea
+mkdir -p /etc/gitea
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
+chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
+chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
+
+cat << EOF > /etc/systemd/system/gitea.service
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/gitea/app.ini
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
+
+[database]
+DB_TYPE=postgres
+HOST=localhost
+NAME=${GITEA_DB_NAME}
+USER=${GITEA_DB_USR}
+PASSWD=${GITEA_DB_PWD}
+SSL_MODE=disable
+
+[server]
+APP_DATA_PATH    = /${LXC_SHAREFS_MOUNTPOINT}/gitea
+DOMAIN           = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+SSH_DOMAIN       = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+HTTP_HOST        = localhost
+HTTP_PORT        = 3000
+ROOT_URL         = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+SSH_LISTEN_PORT  = 22
+EOF
+
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 770 /etc/gitea/app.ini
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log /var/log/nginx/gitea.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log  /var/log/nginx/gitea.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+
+EOF
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl daemon-reload
+systemctl enable --now gitea
+systemctl restart nginx

src/kopano-core/constants-service.conf

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-10-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+KOPANO_VERSION="latest"
+
+# Defines the php version to install
+KOPANO_PHP_VERSION="7.3"
+
+# Defines Maria DB Version
+MARIA_DB_VERS="10.5"
+
+# Defines the name from the SQL database
+MARIA_DB_NAME="kopano"
+
+# Defines the name from the SQL user
+MARIA_DB_USER="kopano"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+
+MARIA_ROOT_PWD=$(random_password)
+MARIA_USER_PWD=$(random_password)
+

src/kopano-core/install-service.sh

@@ -0,0 +1,274 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+HOSTNAME=$(hostname -f)
+
+wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
+echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
+php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
+
+#timedatectl set-timezone Europe/Berlin
+#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+
+#### Secure Maria Instance ####
+
+mysqladmin -u root password "[$MARIA_ROOT_PWD]"
+
+mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
+mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
+
+#### Create user and DB for Kopano ####
+
+mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
+
+echo "root-password: $MARIA_ROOT_PWD,\
+db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
+
+cat > /etc/apt/sources.list.d/kopano.list << EOF
+
+# Kopano Core
+deb https://download.kopano.io/supported/core:/final/Debian_10/ ./
+
+# Kopano WebApp
+deb https://download.kopano.io/supported/webapp:/final/Debian_10/ ./
+
+# Kopano MobileDeviceManagement
+deb https://download.kopano.io/supported/mdm:/final/Debian_10/ ./
+
+# Kopano Files
+deb https://download.kopano.io/supported/files:/final/Debian_10/ ./
+
+# Z-Push
+deb https://download.kopano.io/zhub/z-push:/final/Debian_10/ ./
+
+EOF
+
+cat > /etc/apt/auth.conf.d/kopano.conf << EOF
+
+machine download.kopano.io
+login serial
+password $KOPANO_REPKEY
+
+EOF
+
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_10/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_10/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_10/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_10/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_10/Release.key | apt-key add -
+
+apt update && apt full-upgrade -y
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
+z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files 
+
+#### Adjust kopano settings ####
+
+cat > /etc/kopano/ldap.cfg << EOF
+
+!include /usr/share/kopano/ldap.active-directory.cfg
+
+ldap_uri = ldap://10.10.81.12:389
+ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
+ldap_bind_passwd = Start123!
+ldap_search_base = dc=zmb,dc=rocks
+
+#ldap_user_search_filter = (kopanoAccount=1)
+
+EOF
+
+cat > /etc/kopano/server.cfg << EOF
+
+server_listen = *:236
+local_admin_users = root kopano
+
+#database_engine = mysql
+#mysql_host = localhost
+#mysql_port = 3306
+mysql_user = $MARIA_DB_USER
+mysql_password = $MARIA_USER_PWD
+mysql_database = $MARIA_DB_NAME
+
+user_plugin = ldap
+user_plugin_config = /etc/kopano/ldap.cfg
+
+EOF
+
+#### Adjust php settings ####
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+cat > /etc/php/7.3/fpm/pool.d/webapp.conf << EOF
+
+[webapp]
+listen = 127.0.0.1:9002
+user = www-data
+group = www-data
+listen.allowed_clients = 127.0.0.1
+pm = dynamic
+pm.max_children = 150
+pm.start_servers = 35
+pm.min_spare_servers = 20
+pm.max_spare_servers = 50
+pm.max_requests = 200
+listen.backlog = -1
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+EOF
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+#### Adjust nginx settings ####
+
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
+openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+
+#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+cat > /etc/nginx/sites-available/webapp.conf << EOF
+upstream php-handler {
+    server 127.0.0.1:9002;
+    #server unix:/var/run/php5-fpm.sock;
+    #server unix:/var/run/php/php7.3-fpm.sock;
+}
+ 
+server{
+    listen 80;
+    charset utf-8;
+    listen [::]:80;
+    server_name _;
+ 
+    location / {
+        rewrite   ^(.*)   https://\$server_name\$1 permanent;
+    }  
+ }
+ 
+server {
+    charset utf-8;
+    listen 443;
+    listen [::]:443 ssl;
+    server_name _;
+    ssl on;
+    client_max_body_size 1024m;
+    ssl_certificate /etc/ssl/certs/kopano.crt;
+    ssl_certificate_key /etc/ssl/private/kopano.key;
+    ssl_session_cache shared:SSL:1m;
+    ssl_session_timeout 5m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+    ssl_prefer_server_ciphers on;
+    #
+    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    #
+ 
+    # add headers
+    server_tokens off;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+  
+    location /webapp {
+        alias /usr/share/kopano-webapp/;
+        index index.php;
+     
+    location ~ /webapp/presence/ {
+                rewrite ^/webapp/presence(/.*)$ \$1 break;
+                proxy_pass http://localhost:1234;
+                proxy_set_header Upgrade \$http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_http_version 1.1;
+                }
+ 
+    }
+ 
+    location ~* ^/webapp/(.+\.php)$ {
+        alias /usr/share/kopano-webapp/;
+ 
+        # deny access to .htaccess files
+        location ~ /\.ht {
+                    deny all;
+        }
+  
+        fastcgi_param PHP_VALUE "
+            register_globals=off
+            magic_quotes_gpc=off
+            magic_quotes_runtime=off
+            post_max_size=31M
+            upload_max_filesize=30M
+        ";
+        fastcgi_param PHP_VALUE "post_max_size=31M
+                 upload_max_filesize=30M
+                 max_execution_time=3660
+        ";
+ 
+        include fastcgi_params;
+        fastcgi_index index.php;
+        #fastcgi_param HTTPS on;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$1;
+        fastcgi_pass php-handler;
+        access_log /var/log/nginx/kopano-webapp-access.log;
+        error_log /var/log/nginx/kopano-webapp-error.log;
+ 
+        # CSS and Javascript
+        location ~* \.(?:css|js)$ {
+            expires 1y;
+            access_log off;
+            add_header Cache-Control "public";
+        }
+ 
+        # All (static) resources set to 2 months expiration time.
+        location ~* \.(?:jpg|gif|png)\$ {
+            expires 2M;
+            access_log off;
+            add_header Cache-Control "public";
+        }
+ 
+        # enable gzip compression
+        gzip on;
+        gzip_min_length  1100;
+        gzip_buffers  4 32k;
+        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
+        gzip_vary on;
+        }
+ 
+}
+ 
+map \$http_upgrade \$connection_upgrade {
+        default upgrade;
+        '' close;
+}
+EOF
+
+
+
+ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
+
+systemctl restart nginx
+

src/lxc-base.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# load configuration
+echo "Loading configuration..."
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants.conf
+source /root/constants-service.conf
+
+echo "Updating locales"
+# update locales
+sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
+cat << EOF > /etc/default/locale
+LANG="$LXC_LOCALE"
+LANGUAGE=$LXC_LOCALE
+EOF
+locale-gen $LXC_LOCALE 
+
+# Generate sources
+if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb https://debian.inf.tu-dresden.de/debian bullseye main contrib
+
+deb https://debian.inf.tu-dresden.de/debian bullseye-updates main contrib
+
+# security updates
+deb https://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib
+EOF
+
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb https://debian.inf.tu-dresden.de/debian buster main contrib
+
+deb https://debian.inf.tu-dresden.de/debian buster-updates main contrib
+
+# security updates
+deb https://debian.inf.tu-dresden.de/debian-security buster/updates main contrib
+EOF
+else echo "LXC Debian Version false. Please check configuration files!" ; exit
+fi
+
+# update package lists
+echo "Updating package database..."
+apt --allow-releaseinfo-change update
+
+# install latest packages
+echo "Installing latest updates"
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+
+# install toolset
+echo "Installing preconfigured toolset..."
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET_BASE $LXC_TOOLSET
+
+echo "Enabling vim syntax highlighting..."
+sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
+if [ $LXC_VIM_BG_DARK -gt 0 ]; then
+    sed -i "s|\"set background=dark|set background=dark|g" /etc/vim/vimrc
+fi
+
+echo "Basic container setup finished, continuing with service installation..."

src/mailpiler/constants-service.conf

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+PILER_VERSION="latest"
+# Defines the version of sphinx to install
+PILER_SPHINX_VERSION="3.3.1"
+# Defines the php version to install
+PILER_PHP_VERSION="7.4"

src/mailpiler/install-service.sh

@@ -5,14 +5,9 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+source /root/constants-service.conf
 
 HOSTNAME=$(hostname -f)
 
@@ -23,22 +18,26 @@ echo $HOSTNAME
 if 
     [ "$HOSTNAME" != "$PILER_FQDN" ]
 then
-        echo "Hostname doesn't match PILER_FQDNain! Check install.sh, /etc/hosts, /etc/hostname." && exit
+        echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit
 else
-        echo "Hostname matches PILER_FQDNAIN, so starting installation."
+        echo "Hostname matches $PILER_FQDN, so starting installation."
 fi
 
-apt update && apt full-upgrade -y
-
-apt install -y $LXC_TOOLSET build-essential libwrap0-dev libpst-dev tnef libytnef0-dev unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 software-properties-common libpoppler-dev openssl libssl-dev memcached telnet nginx mariadb-server default-libmysqlclient-dev python-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23
-
 # install php
 wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
 echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
 
-apt update && apt install -y php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
+apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
+add-apt-repository "deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian $(lsb_release -cs) main"
 
-apt purge -y postfix
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \
+unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \
+mariadb-server default-libmysqlclient-dev python3-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \
+php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix
 
 cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
 innodb_buffer_pool_size=256M
@@ -61,7 +60,13 @@ useradd -g piler -m -s /bin/bash -d /var/piler piler
 usermod -L piler
 chmod 755 /var/piler
 
-wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
+if [[ "$PILER_VERSION" == "latest" ]]; then
+        URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
+        PILER_VERSION=$(echo $URL | cut -d'-' -f2 | cut -d'.' -f1-3)
+        wget -O piler-$PILER_VERSION.tar.gz $URL
+else
+        wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
+fi
 tar -xvzf piler-$PILER_VERSION.tar.gz
 cd piler-$PILER_VERSION/
 ./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
@@ -94,7 +99,7 @@ cd /etc/nginx/sites-available
 cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
 ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
 
-sed -i "s|PILER_HOST|$PILER_FQDN default_host|g" /etc/nginx/sites-available/piler-nginx.conf
+sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
 sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
 
 sed -i "/server_name.*/a \\
@@ -114,12 +119,14 @@ sed -i "/server_name.*/a \\
 sed -i "/^server {.*/i\
 server {\n\
         listen 80;\n\
-        server_name $PILER_FQDN default_host;\n\
+        server_name _;\n\
         server_tokens off;\n\
         # HTTP to HTTPS redirect.\n\
-        return 301 https://\$host\$request_uri;\n\
+        return 301 https://$PILER_FQDN;\n\
 }" /etc/nginx/sites-available/piler-nginx.conf
 
+unlink /etc/nginx/sites-enabled/default
+
 cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
 sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
 cat >> /usr/local/etc/piler/config-site.php <<EOF
@@ -179,9 +186,4 @@ cat >> /usr/local/etc/piler/config-site.php <<EOF
 \$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
 EOF
 
-rm /etc/nginx/sites-enabled/default
-
 nginx -t && systemctl restart nginx
-
-apt autoremove -y
-apt clean -y

src/matrix/constants-service.conf

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Define the version of Element Web
+MATRIX_ELEMENT_VERSION="v1.9.9"

src/matrix/install-service.sh

@@ -5,28 +5,22 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf
 
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+MRX_PKE=$(random_password)
 
 ELE_DBNAME="synapse_db"
 ELE_DBUSER="synapse_user"
-ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ELE_DBPASS=$(random_password)
 
-apt update && apt full-upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
 
-apt install -y $LXC_TOOLSET apt-transport-https gpg software-properties-common nginx postgresql python3-psycopg2
-
-wget wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
-apt update && apt install -y matrix-synapse-py3
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
 systemctl enable matrix-synapse
 
 ss -tulpen
@@ -94,7 +88,7 @@ cat > /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN <<EOF
 server {
     listen 80;
     listen [::]:80;
-    server_name $MATRIX_ELEMENT_FQDN;
+    server_name _;
     return 301 https://$MATRIX_ELEMENT_FQDN;
 }
 
@@ -114,6 +108,7 @@ server {
 
 EOF
 
+unlink /etc/nginx/sites-enabled/default
 ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$MATRIX_ELEMENT_FQDN
 
 systemctl restart nginx
@@ -143,19 +138,17 @@ EOF
 cd /
 sed -i "s|#registration_shared_secret: <PRIVATE STRING>|registration_shared_secret: \"$MRX_PKE\"|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|#public_baseurl: https://example.com/|public_baseurl: https://$MATRIX_FQDN/|" /etc/matrix-synapse/homeserver.yaml
+sed -i "s|server_name:|server_name: $MATRIX_FQDN|g" /etc/matrix-synapse/conf.d/server_name.yaml
 sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n    user: $ELE_DBUSER\n    password: $ELE_DBPASS\n    host: 127.0.0.1\n    cp_min: 5\n    cp_max: 10|" /etc/matrix-synapse/homeserver.yaml
 
 systemctl restart matrix-synapse
 
-register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p '$MATRIX_ADMIN_PASSWORD' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
 
 #curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
 #echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
 
 #apt update
 #apt install -y jitsi-meet
-
-
-

src/nextcloud/constants-service.conf

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+NEXTCLOUD_VERSION="latest"
+
+# Defines the php version to install
+NEXTCLOUD_PHP_VERSION="8.0"
+
+# Defines the IP from the SQL server
+NEXTCLOUD_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+NEXTCLOUD_DB_PORT="5432"
+
+# Defines the name from the SQL database
+NEXTCLOUD_DB_NAME="nextcloud_db"
+
+# Defines the name from the SQL user
+NEXTCLOUD_DB_USR="nextcloud"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+NEXTCLOUD_DB_PWD="$(random_password)"

src/nextcloud/install-service.sh

@@ -0,0 +1,444 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+HOSTNAME=$(hostname -f)
+
+wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends sudo tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
+postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
+
+timedatectl set-timezone $LXC_TIMEZONE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+
+#### Create database for nextcloud ####
+
+su - postgres <<EOF
+psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
+psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
+echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
+EOF
+
+#### Adjust php settings ####
+
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
+cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
+sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
+sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
+
+#### Adjust nginx settings ####
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
+openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+
+mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+
+cat > /etc/nginx/nginx.conf <<EOF
+user www-data;
+worker_processes auto;
+pid /var/run/nginx.pid;
+events {
+worker_connections 1024;
+multi_accept on; use epoll;
+}
+http {
+server_names_hash_bucket_size 64;
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log warn;
+set_real_ip_from 127.0.0.1;
+#optional, Sie können das eigene Subnetz ergänzen, bspw.:
+# set_real_ip_from $LXC_IP;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+sendfile on;
+send_timeout 3600;
+tcp_nopush on;
+tcp_nodelay on;
+open_file_cache max=500 inactive=10m;
+open_file_cache_errors on;
+keepalive_timeout 65;
+reset_timedout_connection on;
+server_tokens off;
+resolver 127.0.0.53 valid=30s;
+resolver_timeout 5s;
+include /etc/nginx/conf.d/*.conf;
+}
+EOF
+
+[ -f /etc/nginx/conf.d/default.conf ] && mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
+touch /etc/nginx/conf.d/default.conf
+
+cat > /etc/nginx/conf.d/http.conf << EOF
+upstream php-handler {
+server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
+}
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name $NEXTCLOUD_FQDN;
+root /var/www;
+location / {
+return 301 https://\$host\$request_uri;
+}
+}
+EOF
+
+cat > /etc/nginx/conf.d/nextcloud.conf << EOF
+server {
+listen 443      ssl http2;
+listen [::]:443 ssl http2;
+server_name $NEXTCLOUD_FQDN;
+ssl_certificate /etc/ssl/certs/nextcloud.crt;
+ssl_certificate_key /etc/ssl/private/nextcloud.key;
+ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
+#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
+#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
+#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
+#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
+#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
+ssl_ecdh_curve X448:secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_stapling on;
+ssl_stapling_verify on;
+client_max_body_size 5120M;
+fastcgi_buffers 64 4K;
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
+add_header Permissions-Policy                   "interest-cohort=()";
+add_header Referrer-Policy                      "no-referrer"   always;
+add_header X-Content-Type-Options               "nosniff"       always;
+add_header X-Download-Options                   "noopen"        always;
+add_header X-Frame-Options                      "SAMEORIGIN"    always;
+add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+add_header X-Robots-Tag                         "none"          always;
+add_header X-XSS-Protection                     "1; mode=block" always;
+fastcgi_hide_header X-Powered-By;
+fastcgi_read_timeout 3600;
+fastcgi_send_timeout 3600;
+fastcgi_connect_timeout 3600;
+root /var/www/nextcloud;
+index index.php index.html /index.php\$request_uri;
+expires 1m;
+location = / {
+if ( \$http_user_agent ~ ^DavClnt ) {
+return 302 /remote.php/webdav/\$is_args\$args;
+}
+}
+location = /robots.txt {
+allow all;
+log_not_found off;
+access_log off;
+}
+location ^~ /apps/rainloop/app/data {
+deny all;
+}
+location ^~ /.well-known {
+location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+location ^~ /.well-known            { return 301 /index.php/\$uri; }
+try_files \$uri \$uri/ =404;
+}
+location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/)  { return 404; }
+location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+location ~ \.php(?:\$|/) {
+rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
+set \$path_info \$fastcgi_path_info;
+try_files \$fastcgi_script_name =404;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+fastcgi_param PATH_INFO \$path_info;
+fastcgi_param HTTPS on;
+fastcgi_param modHeadersAvailable true;
+fastcgi_param front_controller_active true;
+fastcgi_pass php-handler;
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+}
+location ~ \.(?:css|js|svg|gif)\$ {
+try_files \$uri /index.php\$request_uri;
+expires 6M;
+access_log off;
+}
+location ~ \.woff2?\$ {
+try_files \$uri /index.php\$request_uri;
+expires 7d;
+access_log off;
+}
+location / {
+try_files \$uri \$uri/ /index.php\$request_uri;
+}
+location /push/ {
+proxy_pass http://localhost:7867/;
+proxy_http_version 1.1;
+proxy_set_header Upgrade \$http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header Host \$host;
+proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+}
+}
+EOF
+
+systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
+
+#### Adjust redis settings ####
+
+cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
+sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
+sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
+sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
+sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
+usermod -aG redis www-data
+
+#### Adjust sysctl.conf settings ####
+
+cp /etc/sysctl.conf /etc/sysctl.conf.bak
+echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
+systemctl restart redis
+
+#### HIER MÜSSTE EIN REBOOT REIN ####
+
+
+#### Install nextcloud ####
+
+cd /usr/local/src
+
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
+
+md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
+
+tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
+
+cat > /root/permissions.sh << EOF
+#!/bin/bash
+find /var/www/ -type f -print0 | xargs -0 chmod 0640
+find /var/www/ -type d -print0 | xargs -0 chmod 0750
+chown -R www-data:www-data /var/www 
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
+chmod 0644 /var/www/nextcloud/.htaccess
+chmod 0644 /var/www/nextcloud/.user.ini
+exit 0
+EOF
+
+chmod +x /root/permissions.sh
+/root/permissions.sh
+
+#### install fail2ban ####
+
+cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+EOF
+
+cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 5
+bantime = 3600
+findtime = 36000
+logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log 
+EOF
+
+systemctl restart fail2ban
+
+#### Create configuration script for nextcloud, which will be executet as user www-data
+
+cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
+
+#!/bin/bash 
+
+php /var/www/nextcloud/occ maintenance:install --database pgsql \
+--database-host $NEXTCLOUD_DB_IP \
+--database-port $NEXTCLOUD_DB_PORT \
+--database-name $NEXTCLOUD_DB_NAME \
+--database-user $NEXTCLOUD_DB_USR \
+--database-pass $NEXTCLOUD_DB_PWD \
+--admin-user $NEXTCLOUD_ADMIN_USR \
+--admin-pass $NEXTCLOUD_ADMIN_PWD \
+--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
+
+php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
+php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
+
+cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i '/);/d' /var/www/nextcloud/config/config.php
+
+cat >> /var/www/nextcloud/config/config.php << EOF
+'activity_expire_days' => 14,
+'auth.bruteforce.protection.enabled' => true,
+'blacklisted_files' => 
+array (
+0 => '.htaccess',
+1 => 'Thumbs.db',
+2 => 'thumbs.db',
+),
+'cron_log' => true,
+'default_phone_region' => 'DE',
+'enable_previews' => true,
+'enabledPreviewProviders' => 
+array (
+0 => 'OC\Preview\PNG',
+1 => 'OC\Preview\JPEG',
+2 => 'OC\Preview\GIF',
+3 => 'OC\Preview\BMP',
+4 => 'OC\Preview\XBitmap',
+5 => 'OC\Preview\Movie',
+6 => 'OC\Preview\PDF',
+7 => 'OC\Preview\MP3',
+8 => 'OC\Preview\TXT',
+9 => 'OC\Preview\MarkDown',
+),
+'filesystem_check_changes' => 0,
+'filelocking.enabled' => 'true',
+'htaccess.RewriteBase' => '/',
+'integrity.check.disabled' => false,
+'knowledgebaseenabled' => false,
+'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
+'loglevel' => 2,
+'logtimezone' => '$LXC_TIMEZONE',
+'log_rotate_size' => 104857600,
+'maintenance' => false,
+'memcache.local' => '\OC\Memcache\APCu',
+'memcache.locking' => '\OC\Memcache\Redis',
+'overwriteprotocol' => 'https',
+'preview_max_x' => 1024,
+'preview_max_y' => 768,
+'preview_max_scale_factor' => 1,
+'redis' => 
+array (
+'host' => '/var/run/redis/redis-server.sock',
+'port' => 0,
+'timeout' => 0.0,
+),
+'quota_include_external_storage' => false,
+'share_folder' => '/Freigaben',
+'skeletondirectory' => '',
+'theme' => '',
+'trashbin_retention_obligation' => 'auto, 7',
+'updater.release.channel' => 'stable',
+'trusted_proxies' => 
+array (
+'$NEXTCLOUD_REVPROX'
+),
+);
+EOF
+
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
+php /var/www/nextcloud/occ app:disable survey_client
+php /var/www/nextcloud/occ app:disable firstrunwizard
+php /var/www/nextcloud/occ app:enable admin_audit
+php /var/www/nextcloud/occ app:enable notify_push
+php /var/www/nextcloud/occ app:enable files_pdfviewer
+php /var/www/nextcloud/occ background:cron
+DFOE
+
+/root/permissions.sh
+
+su -s /bin/bash www-data <<EOF
+bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
+EOF
+
+#### Create file for high performance backend
+
+cat > /etc/systemd/system/notify_push.service << EOF
+[Unit]
+Description = Push daemon for Nextcloud clients
+[Service]
+Environment=PORT=7867
+Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
+Environment=ALLOW_SELF_SIGNED=true
+ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
+User=www-data
+[Install]
+WantedBy = multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now notify_push
+
+echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+
+echo -e "\n######################################################################\n\n    Please note this user and password for the nextcloud login:\n        '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n                Enjoy your Nextcloud intallation.\n\n######################################################################"
+
+shutdown -r now

src/onlyoffice/constants-service.conf

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+ONLYOFFICE_DB_HOST=localhost
+
+ONLYOFFICE_DB_NAME=onlyoffice
+
+ONLYOFFICE_DB_USER=onlyoffice

src/onlyoffice/install-service.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ONLYOFFICE_DB_PASS=$(random_password)
+
+apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
+echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
+
+apt update 
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
+
+su postgres <<EOF
+psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
+psql -c "CREATE DATABASE $ONLYOFFICE_DB_NAME ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $ONLYOFFICE_DB_USER;"
+echo "Postgres User '$ONLYOFFICE_DB_USER' and database '$ONLYOFFICE_DB_NAME' created."
+EOF
+
+echo onlyoffice-documentserver onlyoffice/ds-port select 80 | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-host string $ONLYOFFICE_DB_HOST | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver
+
+cat << EOF > /root/onlyoffice.credentials
+ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
+ONLYOFFICE_DB_NAME=$ONLYOFFICE_DB_NAME
+ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
+ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
+EOF
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+rm /etc/nginx/conf.d/ds.conf
+cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+
+sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/nginx/conf.d/ds-ssl.conf
+sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/nginx/conf.d/ds-ssl.conf
+systemctl restart nginx

src/open3a/constants-service.conf

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"

src/open3a/install-service.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+LXC_IP=$(hostname -I)
+webroot=/var/www/html
+
+MYSQL_PASSWORD="$(random_password_open3a)"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/open3a.crt;
+    ssl_certificate_key /etc/nginx/ssl/open3a.key;
+
+    location ~ .php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+    }
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
+GRANT USAGE ON * . * TO 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS open3a;
+GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
+
+cd $webroot
+wget https://www.open3a.de/download/open3A%203.5.zip -O $webroot/open3a.zip
+unzip open3a.zip
+rm open3a.zip
+chmod 666 system/DBData/Installation.pfdb.php
+chmod -R 777 specifics/
+chmod -R 777 system/Backup
+chown -R www-data:www-data $webroot
+
+echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
+chmod +x /etc/cron.daily/open3a-backup
+
+systemctl enable --now php7.4-fpm
+systemctl restart php7.4-fpm nginx
+
+cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
+<?php echo "This is a database-file."; /*
+host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
+varchar(40)&%%%&varchar(20)&%%%&varchar(20)&%%%&varchar(30)&%%%&varchar(40)                                                                                         
+localhost                               &%%%&open3a              &%%%&$MYSQL_PASSWORD&%%%&open3a                        &%%%&*                                       %%&&&
+*/ ?>
+EOF
+
+echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"

src/proxmox-pbs/constants-service.conf

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Backup ubdir where Urbackup will store backups
+PBS_DATA="backup"

src/proxmox-pbs/install-service.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list 
+# PBS pbs-no-subscription repository provided by proxmox.com,
+# NOT recommended for production use
+deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
+EOF
+
+wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
+
+apt update && apt upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
+
+proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA

src/urbackup/constants-service.conf

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Backup ubdir where Urbackup will store backups
+URBACKUP_DATA="urbackup"
+
+# OS codename for opensuse / urbackup repo
+REPO_CODENAME="Debian_11"

src/urbackup/install-service.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+mkdir /etc/urbackup
+echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
+
+echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
+curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+ln -s /usr/share/urbackup/www /var/www/urbackup
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root /var/www/urbackup;
+
+    index index.htm;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/urbackup.crt;
+    ssl_certificate_key /etc/nginx/ssl/urbackup.key;
+
+    location /x {
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass 127.0.0.1:55413;
+    }
+}
+
+EOF
+
+sed -i "s/DAEMON_TMPDIR=\"\/tmp\"/DAEMON_TMPDIR=\"\/$LXC_SHAREFS_MOUNTPOINT\/tmp\"/g" /etc/default/urbackupsrv
+sed -i "s/HTTP_SERVER=\"true\"/HTTP_SERVER=\"false\"/g" /etc/default/urbackupsrv
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/tmp
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+
+systemctl restart urbackupsrv nginx

src/zabbix/constants-service.conf

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"

src/zabbix/install-service.sh

@@ -0,0 +1,174 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
+echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-sql-scripts zabbix-agent sudo ssl-cert
+
+unlink /etc/nginx/sites-enabled/default
+
+cat << EOF > /etc/zabbix/nginx.conf
+server {
+        listen          80 default_server;
+        listen          [::]:80 default_server;
+        server_name _;
+
+        server_tokens off;
+
+        access_log /var/log/nginx/gitea.access.log;
+        error_log /var/log/nginx/gitea.error.log;
+
+        location /.well-known/ {
+        }
+
+        return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+        }
+
+server {
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+
+        server_tokens off;
+        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+        ssl_protocols TLSv1.3 TLSv1.2;
+        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+        ssl_dhparam /etc/nginx/dhparam.pem;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 180m;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 1.1.1.1 1.0.0.1;
+
+        add_header Strict-Transport-Security "max-age=31536000" always;
+
+        root    /usr/share/zabbix;
+
+        index   index.php;
+
+        location = /favicon.ico {
+                log_not_found   off;
+        }
+
+        location / {
+                try_files       \$uri \$uri/ =404;
+        }
+
+        location /assets {
+                access_log      off;
+                expires         10d;
+        }
+
+        location ~ /\.ht {
+                deny            all;
+        }
+
+        location ~ /(api\/|conf[^\.]|include|locale) {
+                deny            all;
+                return          404;
+        }
+
+        location /vendor {
+                deny            all;
+                return          404;
+        }
+
+        location ~ [^/]\.php(/|$) {
+                fastcgi_pass    unix:/var/run/php/zabbix.sock;
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_index   index.php;
+
+                fastcgi_param   DOCUMENT_ROOT   /usr/share/zabbix;
+                fastcgi_param   SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name;
+                fastcgi_param   PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name;
+
+                include fastcgi_params;
+                fastcgi_param   QUERY_STRING    \$query_string;
+                fastcgi_param   REQUEST_METHOD  \$request_method;
+                fastcgi_param   CONTENT_TYPE    \$content_type;
+                fastcgi_param   CONTENT_LENGTH  \$content_length;
+
+                fastcgi_intercept_errors        on;
+                fastcgi_ignore_client_abort     off;
+                fastcgi_connect_timeout         60;
+                fastcgi_send_timeout            180;
+                fastcgi_read_timeout            180;
+                fastcgi_buffer_size             128k;
+                fastcgi_buffers                 4 256k;
+                fastcgi_busy_buffers_size       256k;
+                fastcgi_temp_file_write_size    256k;
+        }
+}
+EOF
+
+ln -sf /etc/zabbix/nginx.conf /etc/nginx/sites-enabled/zabbix.conf
+
+cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf
+[zabbix]
+user = www-data
+group = www-data
+
+listen = /var/run/php/zabbix.sock
+listen.owner = www-data
+listen.allowed_clients = 127.0.0.1
+
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+pm.max_requests = 200
+
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/lib/php/sessions/
+
+php_value[max_execution_time] = 300
+php_value[memory_limit] = 128M
+php_value[post_max_size] = 16M
+php_value[upload_max_filesize] = 2M
+php_value[max_input_time] = 300
+php_value[max_input_vars] = 10000
+EOF
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ZABBIX WITH PASSWORD '${ZABBIX_DB_PWD}';"
+psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
+echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
+EOF
+
+sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
+
+zcat /usr/share/doc/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql zabbix 
+
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
+
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm 
+
+systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm 

src/zammad/constants-service.conf

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
+LXC_MEM="2048"

src/zammad/install-service.sh

@@ -0,0 +1,181 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+LXC_IP=$(hostname -I)
+
+apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key
+apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch
+
+cat << EOF >>/etc/hosts
+0.0.0.0 image.zammad.com
+0.0.0.0 images.zammad.com
+0.0.0.0 geo.zammad.com
+0.0.0.0 www.zammad.com
+0.0.0.0 www.zammad.org
+0.0.0.0 www.zammad.net
+0.0.0.0 www.zammad.de
+0.0.0.0 zammad.com
+0.0.0.0 zammad.org
+0.0.0.0 zammad.net
+0.0.0.0 zammad.de
+#
+127.0.0.1 elasticsearch
+0.0.0.0 geoip.elastic.co
+EOF
+
+# Java set startup environment 
+mkdir -p /etc/elasticsearch/jvm.options.d
+cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
+# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
+# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
+-Xms1g
+-Xmx1g
+EOF
+
+wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo
+echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql
+
+# configurwe nginx
+rm -f /etc/nginx/sites-enabled/default
+
+cat << EOF > /etc/nginx/sites-available/zammad.conf
+upstream zammad-railsserver {
+  server 127.0.0.1:3000;
+}
+
+upstream zammad-websocket {
+  server 127.0.0.1:6042;
+}
+
+server {
+    listen 80;
+#EDIT no IPv6 ;-)   listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/zammad.access.log;
+    error_log /var/log/nginx/zammad.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://\$host\$request_uri;
+}
+server {
+    listen 443 ssl http2;
+#EDIT no IPv6 ;-)    listen [::]:443 ssl http2;
+
+    server_name _;
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+#
+#  https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
+#
+    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
+    add_header Referrer-Policy "strict-origin";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
+    
+    location = /robots.txt  {
+    access_log off; log_not_found off;
+    }
+    
+    location = /favicon.ico {
+    access_log off; log_not_found off;
+    }
+
+    root /opt/zammad/public;
+
+    access_log /var/log/nginx/zammad.access.log;
+    error_log  /var/log/nginx/zammad.error.log;
+
+    client_max_body_size 50M;
+
+    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
+    expires max;
+    }
+
+    location /ws {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade \$http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header CLIENT_IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto	\$scheme;
+    proxy_read_timeout 86400;
+    proxy_pass http://zammad-websocket;
+    }
+
+    location / {
+    proxy_set_header Host \$http_host;
+    proxy_set_header CLIENT_IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto	\$scheme;
+
+    # change this line in an SSO setup
+    proxy_set_header X-Forwarded-User "";
+
+    proxy_read_timeout 180;
+    proxy_pass http://zammad-railsserver;
+
+    gzip on;
+    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+    gzip_proxied any;
+    }
+}
+EOF
+
+#EDIT ADD
+echo -e "\n\n\n   >>> Warte 5 sek. und installier Zammad ...\n\n\n"
+sleep 5
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install zammad
+
+# SymLink nginx Zammad enable
+ln -s /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
+
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+
+systemctl restart nginx
+systemctl enable elasticsearch.service
+systemctl start elasticsearch.service
+
+# Elasticsearch conntact to Zammad
+/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
+zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
+zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
+zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
+
+systemctl restart elasticsearch.service
+zammad run rake searchindex:rebuild
+
+echo -e "Your Zammad installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\n"

src/zmb-ad-join/constants-service.conf

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+OPTIONAL_FEATURES=(wsdd splitdns)

src/zmb-ad-join/install-service.sh

@@ -0,0 +1,138 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+      ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+      apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+      echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+  elif [[ "$f" == "splitdns" ]]; then
+      ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+      ZMB_DNS_BACKEND="BIND9_DLZ"
+      ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+      echo "Unsupported optional feature $f"
+  fi
+done
+
+## configure ntp
+cat << EOF > /etc/ntp.conf
+# Local clock. Note that is not the "localhost" address!
+server 127.127.1.0
+fudge  127.127.1.0 stratum 10
+# Where to retrieve the time from
+server 0.de.pool.ntp.org     iburst prefer
+server 1.de.pool.ntp.org     iburst prefer
+server 2.de.pool.ntp.org     iburst prefer
+driftfile       /var/lib/ntp/ntp.drift
+logfile         /var/log/ntp
+ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
+# Access control
+# Default restriction: Allow clients only to query the time
+restrict default kod nomodify notrap nopeer mssntp
+# No restrictions for "localhost"
+restrict 127.0.0.1
+# Enable the time sources to only provide time to this host
+restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+tinker panic 0
+EOF
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp cifs-utils samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+	  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+  cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+  forwarders {
+    $LXC_DNS;
+  };
+  allow-query {  any;};
+  dnssec-validation no;
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved
+rm -f /etc/samba/smb.conf
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
+
+cat > /etc/cron.d/sysvol-sync << EOF
+*/5 * * * * root /usr/bin/rsync -XAavz --delete-after root@$LXC_DNS:/var/lib/samba/sysvol/ /var/lib/samba/sysvol
+EOF
+
+ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES

src/zmb-ad/constants-service.conf

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=()

src/zmb-ad/install-service.sh

@@ -5,18 +5,29 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf
 
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 
-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
-  BINDNINE=bind9
-fi
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+    apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+    echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+  elif [[ "$f" == "splitdns" ]]; then
+    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+    ZMB_DNS_BACKEND="BIND9_DLZ"
+    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+    echo "Unsupported optional feature $f"
+  fi
+done
 
 ## configure ntp
 cat << EOF > /etc/ntp.conf
@@ -52,9 +63,19 @@ EOF
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 
-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
   # configure bind dns service
   cat << EOF > /etc/default/bind9
 #
@@ -65,7 +86,7 @@ RESOLVCONF=no
 OPTIONS="-4 -u bind"
 EOF
 
-cat << EOF > /etc/bind/named.conf.local
+  cat << EOF > /etc/bind/named.conf.local
 //
 // Do any local configuration here
 //
@@ -101,9 +122,10 @@ EOF
   mkdir -p /var/lib/samba/bind-dns/dns
 fi
 
+
+
 # stop + disable samba services and remove default config
-systemctl stop smbd nmbd winbind
-systemctl disable smbd nmbd winbind
+systemctl disable --now smbd nmbd winbind systemd-resolved
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf
 
@@ -113,7 +135,7 @@ samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAI
 cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
 
 systemctl unmask samba-ad-dc
-systemctl enable samba-ad-dc $BINDNINE
-systemctl restart samba-ad-dc $BINDNINE
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
 
 exit 0

src/zmb-member/constants-service.conf

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"

src/zmb-member/install-service.sh

@@ -5,18 +5,17 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf
 
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+# add wsdd package repo
+apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
 
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules 
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
@@ -70,12 +69,11 @@ cat > /etc/samba/smb.conf <<EOF
 	printing = bsd
 	disable spoolss = Yes
 
-	allow trusted domains = No
 	dns proxy = No
 	shadow: snapdir = .zfs/snapshot
 	shadow: sort = desc
 	shadow: format = -%Y-%m-%d-%H%M
-	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20
 
 [$ZMB_SHARE]
@@ -86,8 +84,6 @@ cat > /etc/samba/smb.conf <<EOF
 	directory mask = 0770
 	inherit acls = Yes
 
-
-
 EOF
 
 systemctl restart smbd
@@ -104,10 +100,9 @@ wbinfo -g
 mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
 # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
-setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-
-systemctl restart smbd nmbd winbind
+setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
+systemctl restart smbd nmbd winbind wsdd

src/zmb-standalone/constants-service.conf

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"

src/zmb-standalone/install-service.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# add wsdd package repo
+apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t $(lsb_release -cs)-backports cockpit
+
+mkdir /usr/share/cockpit/smb
+wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html
+wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json
+wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js
+
+USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
+useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
+echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
+smbpasswd -x $USER
+(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
+
+cat << EOF >> /etc/samba/smb.conf
+[$ZMB_SHARE]
+    comment = Main Share
+    path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    read only = No
+    vfs objects = shadow_copy2
+	create mask = 0660
+	directory mask = 0770
+    shadow: snapdir = .zfs/snapshot
+    shadow: sort = desc
+    shadow: format = -%Y-%m-%d-%H%M
+    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+    shadow: delimiter = -20
+EOF
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+systemctl restart smbd nmbd wsdd

zmb-standalone.sh

@@ -1,44 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba samba-dsdb-modules samba-vfs-modules 
-
-USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
-useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
-echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
-smbpasswd -x $USER
-(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
-
-cat << EOF >> /etc/samba/smb.conf
-[share]
-    comment = Main Share
-    path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-    read only = No
-    vfs objects = shadow_copy2
-    shadow: snapdir = .zfs/snapshot
-    shadow: sort = desc
-    shadow: format = -%Y-%m-%d-%H%M
-    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
-    shadow: delimiter = -20
-EOF
-
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-
-systemctl restart smbd nmbd