Merge pull request #78 from diddip21/dev

Update kimai
removed lxc mountpoint from kimai
2023-05-23 21:38:10 +02:00 · 2023-02-13 17:36:19 +01:00 · 2023-02-13 17:03:11 +01:00 · 2023-02-12 22:43:33 +01:00 · 2023-02-12 22:32:55 +01:00 · 2023-02-12 15:59:43 +01:00
65 changed files with 4580 additions and 340 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,5 @@
 *__pycache__*
-.vscode/*
+.vscode/*
+conf/*
+!conf/README.md
+!conf/zamba.conf.example
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,12 +0,0 @@
-**** Zamba LXC Toolbox v0.1 ****
- `locales` are now configured noninteractive #21
- timezone is now configured with `pct set` command in `install.sh` #22
- changed command sequence in `install.sh` - select container first, then start the installation
- improved / updated documentation
- replaced `just-lxc` container by `debian-priv` and `debian-unpriv` container
- (un)privileged now defined as constant based on created service #6
- improved log messages in `install.sh`
- `mailpiler`: website is now also `default_host`, removed nginx default site, dns entry is still required
- changed `mailpiler` version to 1.3.11
- changed `element-web` version to 1.7.25
- `LXC_AUTHORIZED_KEY` variable now defines an `authorized_keys` file, by default the configuration of you proxmox host will be inherited (`~/.ssh/authorized_keys`)
--- a/README.md
+++ b/README.md
@ -5,15 +5,32 @@ Zamba LXC Toolbox is a collection of scripts to easily install Debian LXC contai
 The main feature is `Zamba`, the fusion of ZFS and Samba in three different flavours (standalone, active directory dc or active directory member), preconfigured to access ZFS snapshots by "Windows Previous Versions" to easily recover encrypted by ransomware files, accidently deleted files or just to revert changes.
 The package also provides LXC container installers for `mailpiler`, `matrix-synapse` + `element-web` and more services will follow in future releases.
 ### Requirements
-Proxmox VE Server with at least one configured ZFS Pool.
+Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 ### Included services:
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
+- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/)
+- `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/)
+- `debian-priv` => Debian privileged container with basic toolset
+- `debian-unpriv` => Debian unprivileged container with basic toolset
+- `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de)
+- `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
+- `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/)
+- `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/)
 - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
 - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `debian-unpriv` => Debian privileged container with basic toolset
+- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
+- `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/)
+- `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
+- `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
+- `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
+- `unifi` => Unifi Controller [ui.com](https://ui.com)
+- `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
+- `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
+- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
+- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
+- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
+- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
+- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
+- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
 ## Usage
 Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
 ```bash
@ -26,14 +43,24 @@ git clone https://github.com/bashclub/zamba-lxc-toolbox
 cd zamba-lxc-toolbox
 ```
 ### Configuration
-To fit your requirements, please edit the file `zamba.conf` with your favourite text editor (e.g. `vim` or `nano`).
-The required adjustments are in the LXC container section and in the section for the service you want to launch.
-For further information about the config variables, have a look at [zamba.conf.md](zamba.conf.md)
+Copy `zamba.conf.example` located in `conf` directory to a new file (default: `zamba.conf`) and adjust your desired settings.
+For further information about configuration variables, have a look at [conf/README.md](conf/README.md)
+```bash
+cp conf/zamba.conf.example conf/zamba.conf
+```
 ### Installation
-After configuring, you are able to launch the script interactively:
+After configuring, you are able to launch the script interactively (only works with `conf/zamba.conf`):
 ```bash
 bash install.sh
 ```
+### Advanced Usage
+You can set optional parameters (config file, service, container id):
+#### Example:
+```bash
+bash install.sh -i 280 -c conf/my-zmb-service.conf -s zmb-member
+```
+You can also view possible parameters with `install.sh -h`
+
 After container creation, you will be prompted to select the service to install and depending on the service there may be some more questions during installation.

 Once the script has finished, the container is installed and running and you can continue with the service specific configuration.
--- a/conf/README.md
+++ b/conf/README.md
@ -1,4 +1,5 @@
-# `zamba.conf` options reference
+# USE THIS FOLDER TO STORE YOUR OWN ZMB CONFIGS
+# Configuration options reference
 This is the reference of all config options you can set in `zamba.conf`
 <br>

@ -39,24 +40,30 @@ LXC_SHAREFS_MOUNTPOINT="tank"
 ```
 ### LXC_MEM
 Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
+If a service needs more minimum memory, LXC_MEM will be overwritten.
 ```bash
-LXC_MEM="1024"
+LXC_MEM=1024
 ```
 ### LXC_SWAP
 Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
 ```bash
-LXC_SWAP="1024"
+LXC_SWAP=1024
 ```
 ### LXC_HOSTNAME
-Defines the hostname of your LXC container
+Defines the hostname of your LXC container (Default: Name of installed Service)
 ```bash
-LXC_SWAP="zamba"
+LXC_HOSTNAME="zamba"
 ```
 ### LXC_DOMAIN
 Defines the domain name / search domain of your LXC container
 ```bash
 LXC_DOMAIN="zmb.rocks"
 ```
+### LXC_DHCP
+Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
+```bash
+LXC_DHCP=false
+```
 ### LXC_IP
 Defines the local IP address and subnet of your LXC container in CIDR format
 ```bash
@ -87,7 +94,7 @@ LXC_VLAN="80"
 ### LXC_PWD
 Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour.
 ```bash
-LXC_PWD="S3cr3tp@ssw0rd"
+LXC_PWD="Start!123"
 ```
 ### LXC_AUTHORIZED_KEY
 Defines an authorized_keys file to push into the LXC container.
@ -98,7 +105,7 @@ LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
 ### LXC_TOOLSET
 Define your (administrative) tools, you always want to have installed into your LXC container
 ```bash
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
 ```
 ### LXC_TIMEZONE
 Define the local timezone of your LXC container (default: Euroe/Berlin)
@ -111,6 +118,13 @@ Define system language on LXC container (locales)
 LXC_LOCALE="de_DE.utf8"
 ```
 This parameter is not used yet, but will be integrated in future releases.
+
+### LXC_VIM_BG_DARK
+Set dark background for vim syntax highlighting (0 or 1)
+```bash
+LXC_VIM_BG_DARK=1
+```
+
 <br>

 ## Zamba Server Section
@ -127,11 +141,6 @@ Defines the domain name in your Active Directory or Workgroup (AD DC, AD member,
 ```bash
 ZMB_DOMAIN="ZMB"
 ```
-### ZMB_DNS_BACKEND
-Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-```bash
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-```
 ### ZMB_ADMIN_USER
 Defines the name of your domain administrator account (AD DC, AD member, standalone)
 ```bash
@ -140,7 +149,7 @@ ZMB_ADMIN_USER="Administrator"
 ### ZMB_ADMIN_PASS
 Defines the domain administrator's password (AD DC, AD member).
 ```bash
-ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
+ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour.
 `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
@ -163,22 +172,7 @@ PILER_FQDN="piler.zmb.rocks"
 ### PILER_SMARTHOST
 Defines the smarthost for piler mail archive
 ```bash
-PILER_SMARTHOST="10.10.80.20"
-```
-### PILER_VERSION
-Defines the version number of piler mail archive to install
-```bash
-PILER_VERSION="1.3.10"
-```
-### PILER_SPHINX_VERSION
-Defines the version of sphinx to install
-```bash
-PILER_SPHINX_VERSION="3.3.1"
-```
-### PILER_PHP_VERSION
-Defines the php version to install
-```bash
-PILER_PHP_VERSION="7.4"
+PILER_SMARTHOST="your.mailserver.tld"
 ```
 <br>

@ -197,13 +191,67 @@ Define the FQDN for the Element Web virtual host
 ```bash
 MATRIX_ELEMENT_FQDN="element.zmb.rocks"
 ```
-### MATRIX_ELEMENT_VERSION
-Define the version of Element Web
+
+### MATRIX_ADMIN_USER
+Define the administrative user of matrix service
 ```bash
-MATRIX_ELEMENT_VERSION="v1.7.24"
+MATRIX_ADMIN_USER="admin"
 ```
-### MATRIX_JITSI_FQDN
-Define the FQDN for the Jitsi Meet virtual host
+
+### MATRIX_ADMIN_PASSWORD
+Define the admin password
 ```bash
-MATRIX_JITSI_FQDN="meet.zmb.rocks"
-```
+MATRIX_ADMIN_PASSWORD="Start!123"
+```
+
+## Nextcloud-Section
+
+### NEXTCLOUD_FQDN
+Define the FQDN of your Nextcloud server
+```bash
+NEXTCLOUD_FQDN="nc1.zmb.rocks"
+```
+
+### NEXTCLOUD_ADMIN_USR
+The initial admin-user which will be configured
+```bash
+NEXTCLOUD_ADMIN_USR="zmb-admin"
+```
+
+### NEXTCLOUD_ADMIN_PWD
+Build a strong password for this user. Username and password will shown at the end of the instalation. 
+```bash
+NEXTCLOUD_ADMIN_PWD="$(random_password)"
+```
+### NEXTCLOUD_DATA
+Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
+```bash
+NEXTCLOUD_DATA="nc_data"
+```
+### NEXTCLOUD_REVPROX
+Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+```bash
+NEXTCLOUD_REVPROX="192.168.100.254"
+```
+
+## Check_MK-Section
+
+### CMK_INSTANCE
+Define the name of your checkmk instance
+```bash
+CMK_INSTANCE=zmbrocks
+```
+
+### CMK_ADMIN_PW
+Define the password of user 'cmkadmin'
+```bash
+CMK_ADMIN_PW='Start!123'
+```
+
+### CMK_EDITION
+checkmk edition (raw or free)
+- raw = completely free
+- free = limited version of the enterprise edition (25 hosts, 1 instance)
+```bash
+CMK_EDITION=raw
+```
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@ -28,17 +28,20 @@ LXC_SHAREFS_STORAGE="local-zfs"
 LXC_SHAREFS_MOUNTPOINT="tank"

 # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
-LXC_MEM="1024"
+LXC_MEM=1024

 # Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
-LXC_SWAP="1024"
+LXC_SWAP=1024

 # Defines the hostname of your LXC container
-LXC_HOSTNAME="zamba"
+LXC_HOSTNAME="${service}"

 # Defines the domain name / search domain of your LXC container
 LXC_DOMAIN="zmb.rocks"

+# Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
+LXC_DHCP=false
+
 # Defines the local IP address and subnet of your LXC container in CIDR format
 LXC_IP="192.168.100.200/24"

@ -54,23 +57,38 @@ LXC_DNS="192.168.100.254"
 LXC_BRIDGE="vmbr0"

 # Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
-LXC_VLAN=
+LXC_VLAN=NONE

 # Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
-LXC_PWD='S3cr3tp@ssw0rd'
+LXC_PWD='Start!123'

 # Defines an authorized_keys file to push into the LXC container.
 # By default the authorized_keys will be inherited from your proxmox host.
 LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys

 # Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"

 # Define the local timezone of your LXC container (default: Euroe/Berlin)
 LXC_TIMEZONE="Europe/Berlin"

 # Define system language on LXC container (locales)
-LXC_LOCALE=de_DE.UTF-8
+# With this paramater you can generate additional locales, the default language will be inherited from proxmox host.
+# en_US.UTF-8  english
+# de_DE.UTF-8  german (default)
+LXC_LOCALE="de_DE.UTF-8"
+
+# Set dark background for vim syntax highlighting (0 or 1)
+LXC_VIM_BG_DARK=1
+
+# Default random password length
+LXC_RANDOMPWD=32
+
+# Automatically add meta tags to lxc container
+LXC_AUTOTAG=1
+
+# Add meta tags to linux container
+LXC_TAGS="linux,debian,${service}"

 ############### Zamba-Server-Section ###############

@ -79,14 +97,11 @@ ZMB_REALM="ZMB.ROCKS"
 # Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
 ZMB_DOMAIN="ZMB"

-# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-
 # Defines the name of your domain administrator account (AD DC, AD member, standalone)
 ZMB_ADMIN_USER="administrator"
 # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
 # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
-ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
+ZMB_ADMIN_PASS='Start!123'

 # Defines the name of your Zamba share
 ZMB_SHARE="share"
@ -94,15 +109,9 @@ ZMB_SHARE="share"
 ############### Mailpiler-Section ###############

 # Defines the (public) FQDN of your piler mail archive
-PILER_FQDN="piler.zmb.rocks"
+PILER_FQDN="mailpiler.zmb.rocks"
 # Defines the smarthost for piler mail archive
-PILER_SMARTHOST="your.mailserver.tld"
-# Defines the version number of piler mail archive to install
-PILER_VERSION="1.3.11"
-# Defines the version of sphinx to install
-PILER_SPHINX_VERSION="3.3.1"
-# Defines the php version to install
-PILER_PHP_VERSION="7.4"
+PILER_SMARTHOST="mail.zmb.rocks"

 ############### Matrix-Section ###############

@ -112,8 +121,67 @@ MATRIX_FQDN="matrix.zmb.rocks"
 # Define the FQDN for the Element Web virtual host
 MATRIX_ELEMENT_FQDN="element.zmb.rocks"

-# Define the version of Element Web
-MATRIX_ELEMENT_VERSION="v1.7.25"
+# Define the administrative user of matrix service
+MATRIX_ADMIN_USER="admin"

-# Define the FQDN for the Jitsi Meet virtual host
-MATRIX_JITSI_FQDN="meet.zmb.rocks"
+# Define the admin password
+MATRIX_ADMIN_PASSWORD="Start!123"
+
+############### Nextcloud-Section ###############
+
+# Define the FQDN of your Nextcloud server
+NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
+
+# The initial admin-user which will be configured
+NEXTCLOUD_ADMIN_USR="zmb-admin"
+
+# Build a strong password for this user. Username and password will shown at the end of the installation. 
+# NEXTCLOUD_ADMIN_PWD='very_secure_password'
+
+# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
+NEXTCLOUD_DATA="nc_data"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+NEXTCLOUD_REVPROX="192.168.100.254"
+
+############### Check_MK-Section ###############
+
+# Define the name of your checkmk instance
+CMK_INSTANCE=zmbrocks
+
+# Define the password of user 'cmkadmin'
+CMK_ADMIN_PW='Start!123'
+
+# checkmk edition (raw or free)
+# raw = completely free
+# free = limited version of the enterprise edition (25 hosts, 1 instance)
+CMK_EDITION=raw
+
+############### Kopano-Section ###############
+
+# Define the FQDN of your Nextcloud server
+KOPANO_FQDN="kopano.zmb.rocks"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+KOPANO_MAILGW="192.168.100.254"
+
+# Kopano test- or subscription-key offerd from 
+# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
+KOPANO_REPKEY="1234567890abcdefghijklmno"
+
+############### Tactical-RMM Section ###############
+
+rmmdomain=api.${LXC_DOMAIN}
+frontenddomain=${LXC_HOSTNAME}.${LXC_DOMAIN}
+meshdomain=mesh.${LXC_DOMAIN}
+adminemail=rmm@${LXC_DOMAIN}
+
+############### vaultwarden Section ###############
+VW_SMTP_HOST=mail.bashclub.org
+VW_SMTP_FROM="vaultwarden@bashclub.org"
+VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
+VW_SMTP_PORT=587
+VW_SMTP_SSL=true
+VW_SMTP_EXPLICIT_TLS=false
+VW_SMTP_USERNAME=vaultwarden@bashclub.org
+VW_SMTP_PASSWORD='<yourEmailPassword>'
--- a/debian-priv.sh
+++ b/debian-priv.sh
@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
-sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
--- a/install.sh
+++ b/install.sh
@ -1,4 +1,5 @@
 #!/bin/bash
+set -euo pipefail

 # This script will create and fire up a standard debian buster lxc container on your Proxmox VE.
 # On a Proxmox cluster, the script will create the container on the local node, where it's executed.
@ -15,78 +16,112 @@
 # Please adjust th settings in 'zamba.conf' to your needs before running the script

 ############### ZAMBA INSTALL SCRIPT ###############
+prog="$(basename $0)"

-# Load configuration file
-source $PWD/zamba.conf
+usage() {
+	cat >&2 <<-EOF
+	usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
+	  installs a preconfigured lxc container on your proxmox server
+    -i CTID      provide a container id instead of auto detection
+    -s SERVICE   provide the service name and skip the selection dialog
+    -c CFGFILE   use a different config file than 'zamba.conf'
+    -d           Debug mode inside LXC container
+    -h           displays this help text
+  ---------------------------------------------------------------------------
+    (C) 2021     zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
+  ---------------------------------------------------------------------------

-LXC_MP="0"
-LXC_UNPRIVILEGED="1"
-LXC_NESTING="0"
+	EOF
+	exit $1
+}

-select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
+ctid=0
+service=ask
+config=$PWD/conf/zamba.conf
+debug=0
+
+while getopts "hi:s:c:d" opt; do
  case $opt in
-    debian-unpriv)
-      echo "Debian-only LXC container unprivileged mode selected"
-      break
-      ;;
-    debian-priv)
-      echo "Debian-only LXC container privileged mode selected"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-standalone)
-      echo "Configuring LXC container '$opt'!"
-      LXC_MP="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-member)
-      echo "Configuring LXC container '$opt'!"
-      LXC_MP="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-ad)
-      echo "Selected Zamba AD DC"
-      LXC_NESTING="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    mailpiler)
-      echo "Configuring LXC container for '$opt'!"
-      LXC_NESTING="1"
-      break
-      ;;
-    matrix)
-      echo "Install Matrix chat server and element web service"
-      break
-      ;;
-    quit)
-      echo "Script aborted by user interaction."
-      exit 0
-      ;;
-    *)
-      echo "Invalid option! Exiting..."
-      exit 1
-      ;;
-    esac
+    h) usage 0 ;;
+    i) ctid=$OPTARG ;;
+    s) service=$OPTARG ;;
+    c) config=$OPTARG ;;
+    d) debug=1 ;;
+    *) usage 1 ;;
+  esac
 done
+shift $((OPTIND-1))

-# CHeck is the newest template available, else download it.
-DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep debian-10-standard | cut -d'_' -f2)
-DEB_REP=$(pveam available --section system | grep debian-10-standard | cut -d'_' -f2)
+OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n)

-if [[ $DEB_LOC == $DEB_REP ]];
-then
-  echo "Newest Version of Debian 10 Standard $DEP_REP exists.";
+valid=0
+if [[ "$service" == "ask" ]]; then
+  select svc in $OPTS quit; do
+    if [[ "$svc" != "quit" ]]; then
+       for line in $OPTS; do
+        if [[ "$svc" == "$line" ]]; then
+          service=$svc
+          echo "Installation of $service selected."
+          valid=1
+          break
+        fi
+      done
+    else
+      echo "Selected 'quit' exiting without action..."
+      exit 0
+    fi
+    if [[ "$valid" == "1" ]]; then
+      break
+    fi
+  done
 else
-  echo "Will now download newest Debian 10 Standard $DEP_REP.";
-  pveam download $LXC_TEMPLATE_STORAGE debian-10-standard_$DEB_REP\_amd64.tar.gz
+  for line in $OPTS; do
+    if [[ "$service" == "$line" ]]; then
+      echo "Installation of $service selected."
+      valid=1
+      break
+    fi
+  done
 fi

-# Get next free LXC-number
-LXC_LST=$( lxc-ls | egrep -o '.{1,5}$' )
-LXC_CHK=$((LXC_LST+1));
+if [[ "$valid" != "1" ]]; then
+  echo "Invalid option, exiting..."
+  usage 1
+fi
+
+# Load configuration file
+echo "Loading config file '$config'..."
+if [ ! -e "$config" ]; then
+  echo "Configuration files does not exist"
+  exit 1
+fi
+
+source "src/functions.sh"
+
+source "$config"
+
+source "$PWD/src/$service/constants-service.conf"
+
+if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
+  LXC_MEM=$LXC_MEM_MIN
+fi
+
+if [ $LXC_AUTOTAG -gt 0 ]; then
+  TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}"
+fi
+
+# Check is the newest template available, else download it.
+pveam update
+TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
+pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
+
+if [ $ctid -gt 99 ]; then
+  LXC_CHK=$ctid
+else
+  # Get next free LXC-number
+  LXC_LST=$( lxc-ls -1 | tail -1 )
+  LXC_CHK=$((LXC_LST+1));
+fi

 if  [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
  LXC_NBR=$(pvesh get /cluster/nextid);
@ -96,17 +131,18 @@ fi
 echo "Will now create LXC Container $LXC_NBR!";

 # Create the container
-pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/debian-10-standard_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
 sleep 2;

 # Check vlan configuration
-if [[ $LXC_VLAN != "" ]];then
-  VLAN=",tag=$LXC_VLAN"
-else
- VLAN=""
-fi
+if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME \-nameserver $LXC_DNS -searchdomain $LXC_DOMAIN -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
+if [ $LXC_DHCP == true ]; then
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
+else
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
+fi
 sleep 2

 if [ $LXC_MP -gt 0 ]; then
@ -118,24 +154,30 @@ PS3="Select the Server-Function: "

 pct start $LXC_NBR;
 sleep 5;
-# Set the root password and key
-echo "Setting root password"
-echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
-echo "Creating /root/.ssh"
-lxc-attach -n$LXC_NBR mkdir /root/.ssh;
-echo "Copying authorized_keys"
+# Set the root ssh key
+pct exec $LXC_NBR -- mkdir /root/.ssh
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
-echo "Copying sources.list"
-pct push $LXC_NBR ./sources.list /etc/apt/sources.list
-echo "Copying zamba.conf"
-pct push $LXC_NBR ./zamba.conf /root/zamba.conf
-echo "Copying install script"
-pct push $LXC_NBR ./$opt.sh /root/$opt.sh
-echo "Install '$opt'!"
-lxc-attach -n$LXC_NBR bash /root/$opt.sh
+pct push $LXC_NBR "$config" /root/zamba.conf
+pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
+pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
+pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
+pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
+pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
+pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
+pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf

-if [[ $opt == "zmb-ad" ]]; then
-  pct stop $LXC_NBR
-  pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
-  pct start $LXC_NBR
+if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
+
+echo "Installing basic container setup..."
+pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh"
+echo "Install '$service'!"
+pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh"
+
+pct shutdown $LXC_NBR
+if [[ $service == "zmb-ad" ]]; then
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
+elif [[ $service == "zmb-ad-join" ]]; then
+  pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi
+pct start $LXC_NBR
--- a/sources.list
+++ b/sources.list
@ -1,6 +0,0 @@
-deb http://ftp.de.debian.org/debian buster main contrib
-
-deb http://ftp.de.debian.org/debian buster-updates main contrib
-
-# security updates
-deb http://security.debian.org buster/updates main contrib
--- a/src/bookstack/constants-service.conf
+++ b/src/bookstack/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/bookstack/install-service.sh
+++ b/src/bookstack/install-service.sh
@ -0,0 +1,186 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+BOOKSTACK_DB_PWD=$(random_password)
+webroot=/var/www/bookstack/public
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
+wget -O /opt/wkhtmltox_0.12.6-1.buster_amd64.deb https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.buster_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /opt/wkhtmltox_0.12.6-1.buster_amd64.deb
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+
+    client_max_body_size 100M;
+    fastcgi_buffers 64 4K;
+    client_body_timeout 120s;
+
+    listen 443 http2 ssl default_server;
+    listen [::]:443 http2 ssl default_server;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl_certificate /etc/nginx/ssl/open3a.crt;
+    ssl_certificate_key /etc/nginx/ssl/open3a.key;
+
+    access_log  /var/log/nginx/bookstack.access.log;
+    error_log   /var/log/nginx/bookstack.error.log;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+        fastcgi_intercept_errors off;
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    fastcgi_hide_header X-Powered-By;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+
+    add_header Permissions-Policy                   "interest-cohort=()";
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
+CREATE DATABASE IF NOT EXISTS bookstack;
+GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
+FLUSH PRIVILEGES;"
+
+sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+    >&2 echo 'ERROR: Invalid composer installer checksum'
+    rm composer-setup.php
+    exit 1
+fi
+php composer-setup.php --quiet
+rm composer-setup.php
+# Move composer to global installation
+mv composer.phar /usr/local/bin/composer
+
+cd /var/www
+git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack
+cd bookstack
+
+# Install BookStack composer dependencies
+export COMPOSER_ALLOW_SUPERUSER=1
+php /usr/local/bin/composer install --no-dev --no-plugins
+
+
+# Copy and update BookStack environment variables
+cp .env.example .env
+sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env
+sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env
+sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env
+sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env
+
+cat << EOF >> .env
+QUEUE_CONNECTION=database
+STORAGE_TYPE=local_secure
+APP_LANG=de_informal
+FILE_UPLOAD_SIZE_LIMIT=100
+SESSION_SECURE_COOKIE=true
+CACHE_DRIVER=redis
+SESSION_DRIVER=redis
+REDIS_SERVERS=127.0.0.1:6379:0
+WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf
+ALLOW_UNTRUSTED_SERVER_FETCHING=true
+EOF
+
+# Generate the application key
+php artisan key:generate --no-interaction --force
+# Migrate the databases
+php artisan migrate --no-interaction --force
+
+php artisan bookstack:db-utf8mb4 > dbupgrade.sql
+mysql -u root < dbupgrade.sql
+
+chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage
+
+cat << EOF > /etc/systemd/system/bookstack-queue.service
+[Unit]
+Description=BookStack Queue Worker
+
+[Service]
+User=www-data
+Group=www-data
+Restart=always
+ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server
+systemctl restart php7.4-fpm nginx bookstack-queue redis-server
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n"
--- a/src/checkmk/constants-service.conf
+++ b/src/checkmk/constants-service.conf
@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# checkmk version
+CMK_VERSION=2.1.0p21
+# build number of the debian package (needs to start with underscore)
+CMK_BUILD=_0
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="apache2"
--- a/src/checkmk/install-service.sh
+++ b/src/checkmk/install-service.sh
@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+cd /tmp
+wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+
+omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
+
+cat << EOF > /etc/apache2/sites-available/000-default.conf
+<VirtualHost *:80>
+	RewriteEngine On
+	RewriteCond %{HTTPS} !=on
+	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
+</VirtualHost>
+EOF
+
+a2enmod ssl
+a2enmod rewrite
+a2ensite default-ssl
+
+systemctl restart apache2.service
+
+omd start $CMK_INSTANCE
+
+# install matrix notification plugin
+
+wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
+chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
+chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
--- a/src/constants.conf
+++ b/src/constants.conf
@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on container level
+
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert"
--- a/src/debian-priv/constants-service.conf
+++ b/src/debian-priv/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=512
+
+# service dependent meta tags
+SERVICE_TAGS="privileged"
--- a/src/debian-priv/install-service.sh
+++ b/src/debian-priv/install-service.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-priv' is ready to use!"
--- a/src/debian-unpriv/constants-service.conf
+++ b/src/debian-unpriv/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=512
+
+# service dependent meta tags
+SERVICE_TAGS=""
--- a/src/debian-unpriv/install-service.sh
+++ b/src/debian-unpriv/install-service.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-unpriv' is ready to use!"
--- a/src/ecodms/constants-service.conf
+++ b/src/ecodms/constants-service.conf
@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# set ecodms release version
+ECODMS_RELEASE=ecodms_220864
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=6144
+
+# service dependent meta tags
+SERVICE_TAGS="java,postgresql"
--- a/src/ecodms/install-service.sh
+++ b/src/ecodms/install-service.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
+echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
+
+echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
+wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver
--- a/src/functions.sh
+++ b/src/functions.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# This script has basic functions like a random password generator
+LXC_RANDOMPWD=32
+
+random_password() {
+    set +o pipefail
+    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
+}
--- a/src/gitea/constants-service.conf
+++ b/src/gitea/constants-service.conf
@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the IP from the SQL server
+GITEA_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+GITEA_DB_PORT="5432"
+
+# Defines the name from the SQL database
+GITEA_DB_NAME="gitea"
+
+# Defines the name from the SQL user
+GITEA_DB_USR="gitea"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+GITEA_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql"
--- a/src/gitea/install-service.sh
+++ b/src/gitea/install-service.sh
@ -0,0 +1,184 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
+psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
+echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
+EOF
+
+adduser  --system  --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
+
+curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
+chmod +x /usr/local/bin/gitea
+mkdir -p /etc/gitea
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
+chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
+chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
+
+cat << EOF > /usr/local/bin/update-gitea
+PATH="/bin:/usr/bin:/usr/local/bin"
+echo "Checking github for new gitea version"
+current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4)
+installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3))
+echo "Installed gitea version is \$installed_version"
+if [ \$installed_version != \$current_version ]; then
+  echo "New gitea version \$current_version available. Stopping gitea.service"
+  systemctl stop gitea.service
+  echo "Downloading gitea version \$current_version..."
+  curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i -
+  chmod +x /usr/local/bin/gitea
+  echo "Starting gitea.service..."
+  systemctl start gitea.service
+  echo "gitea update finished!"
+else
+  echo "gitea version is up-to-date!"
+fi
+EOF
+chmod +x /usr/local/bin/update-gitea
+
+cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook
+DPkg::Post-Invoke {"/usr/local/bin/update-gitea";};
+EOF
+chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook
+
+cat << EOF > /etc/systemd/system/gitea.service
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/gitea/app.ini
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
+
+[database]
+DB_TYPE=postgres
+HOST=localhost
+NAME=${GITEA_DB_NAME}
+USER=${GITEA_DB_USR}
+PASSWD=${GITEA_DB_PWD}
+SSL_MODE=disable
+
+[server]
+APP_DATA_PATH    = /${LXC_SHAREFS_MOUNTPOINT}/gitea
+DOMAIN           = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+SSH_DOMAIN       = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+HTTP_HOST        = localhost
+HTTP_PORT        = 3000
+ROOT_URL         = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+SSH_LISTEN_PORT  = 22
+EOF
+
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 770 /etc/gitea/app.ini
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log /var/log/nginx/gitea.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log  /var/log/nginx/gitea.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+
+EOF
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl daemon-reload
+systemctl enable --now gitea
+systemctl restart nginx
--- a/src/jitsi-meet/constants-service.conf
+++ b/src/jitsi-meet/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS=""
--- a/src/jitsi-meet/install-service.sh
+++ b/src/jitsi-meet/install-service.sh
@ -1,18 +1,17 @@
 #!/bin/bash

+set -euo pipefail
+
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

-dpkg-reconfigure locales
-
+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf

-# Set Timezone
-ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
-
+curl https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | tee /usr/share/keyrings/jitsi-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | tee /etc/apt/sources.list.d/jitsi-stable.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
-sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq jitsi-meet
--- a/src/kimai/constants-service.conf
+++ b/src/kimai/constants-service.conf
@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+KIMAI_VERSION="main"
+
+# Defines the php version to install
+KIMAI_PHP_VERSION="8.1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@ -0,0 +1,167 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+KIMAI_DB_PWD=$(random_password)
+webroot=/var/www/kimai/public
+
+wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip php8.1-opcache php8.1-curl
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
+PHP_VERSION=${PHP_VERSION:0:3}
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+
+    client_max_body_size 2M;
+    fastcgi_buffers 64 4K;
+    client_body_timeout 120s;
+
+    listen 443 http2 ssl default_server;
+    listen [::]:443 http2 ssl default_server;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl_certificate /etc/nginx/ssl/kimai.crt;
+    ssl_certificate_key /etc/nginx/ssl/kimai.key;
+
+    access_log  /var/log/nginx/kimai.access.log;
+    error_log   /var/log/nginx/kimai.error.log;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+        fastcgi_intercept_errors off;
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    fastcgi_hide_header X-Powered-By;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+
+    add_header Permissions-Policy                   "interest-cohort=()";
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
+CREATE DATABASE IF NOT EXISTS kimai;
+GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
+FLUSH PRIVILEGES;"
+
+sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+    >&2 echo 'ERROR: Invalid composer installer checksum'
+    rm composer-setup.php
+    exit 1
+fi
+php composer-setup.php --quiet
+rm composer-setup.php
+# Move composer to global installation
+mv composer.phar /usr/local/bin/composer
+
+cd /var/www
+git clone https://github.com/kimai/kimai.git --branch $KIMAI_VERSION --depth 1
+cd kimai
+
+# Install kimai composer dependencies
+export COMPOSER_ALLOW_SUPERUSER=1
+/usr/local/bin/composer install --optimize-autoloader -n
+
+# Copy and update kimai environment variables
+cat << EOF > .env
+# For more infos about the variables, see .env.dist
+DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.8
+MAILER_FROM=admin@$LXC_DOMAIN
+MAILER_URL=null://null
+APP_ENV=prod
+APP_SECRET=$(random_password)
+CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
+EOF
+
+bin/console kimai:install -n
+
+bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
+
+chown -R www-data:www-data .
+chmod -R g+r .
+chmod -R g+rw var/
+
+systemctl daemon-reload
+systemctl enable --now php${PHP_VERSION}-fpm nginx
+systemctl restart php${PHP_VERSION}-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"
--- a/src/kopano-core/constants-service.conf
+++ b/src/kopano-core/constants-service.conf
@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+KOPANO_VERSION="latest"
+
+# Defines the php version to install
+KOPANO_PHP_VERSION="7.4"
+
+# Defines Maria DB Version
+MARIA_DB_VERS="10.5"
+
+# Defines the name from the SQL database
+MARIA_DB_NAME="kopano"
+
+# Defines the name from the SQL user
+MARIA_DB_USER="kopano"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+
+MARIA_ROOT_PWD=$(random_password)
+MARIA_USER_PWD=$(random_password)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/kopano-core/install-service.sh
+++ b/src/kopano-core/install-service.sh
@ -0,0 +1,276 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+HOSTNAME=$(hostname -f)
+
+#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
+echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
+
+apt update
+
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
+#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
+php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
+
+#timedatectl set-timezone Europe/Berlin
+#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+
+#### Secure Maria Instance ####
+
+mysqladmin -u root password "[$MARIA_ROOT_PWD]"
+
+mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
+mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
+
+#### Create user and DB for Kopano ####
+
+mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
+
+echo "root-password: $MARIA_ROOT_PWD,\
+db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
+
+cat > /etc/apt/sources.list.d/kopano.list << EOF
+
+# Kopano Core
+deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
+
+# Kopano WebApp
+deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
+
+# Kopano MobileDeviceManagement
+deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
+
+# Kopano Files
+deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
+
+# Z-Push
+deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
+
+EOF
+
+cat > /etc/apt/auth.conf.d/kopano.conf << EOF
+
+machine download.kopano.io
+login serial
+password $KOPANO_REPKEY
+
+EOF
+
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
+
+apt update && apt full-upgrade -y
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
+z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files 
+
+#### Adjust kopano settings ####
+
+cat > /etc/kopano/ldap.cfg << EOF
+
+!include /usr/share/kopano/ldap.active-directory.cfg
+
+ldap_uri = ldap://192.168.100.100:389
+ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
+ldap_bind_passwd = Start123!
+ldap_search_base = dc=zmb,dc=rocks
+
+#ldap_user_search_filter = (kopanoAccount=1)
+
+EOF
+
+cat > /etc/kopano/server.cfg << EOF
+
+server_listen = *:236
+local_admin_users = root kopano
+
+#database_engine = mysql
+#mysql_host = localhost
+#mysql_port = 3306
+mysql_user = $MARIA_DB_USER
+mysql_password = $MARIA_USER_PWD
+mysql_database = $MARIA_DB_NAME
+
+#user_plugin = ldap
+#user_plugin_config = /etc/kopano/ldap.cfg
+
+EOF
+
+#### Adjust php settings ####
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
+
+[webapp]
+listen = 127.0.0.1:9002
+user = www-data
+group = www-data
+listen.allowed_clients = 127.0.0.1
+pm = dynamic
+pm.max_children = 150
+pm.start_servers = 35
+pm.min_spare_servers = 20
+pm.max_spare_servers = 50
+pm.max_requests = 200
+listen.backlog = -1
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+EOF
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+#### Adjust nginx settings ####
+
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
+openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+
+#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+cat > /etc/nginx/sites-available/webapp.conf << EOF
+upstream php-handler {
+    #server 127.0.0.1:9002;
+    #server unix:/var/run/php5-fpm.sock;
+    server unix:/var/run/php/php7.4-fpm.sock;
+}
+ 
+server{
+    listen 80;
+    charset utf-8;
+    listen [::]:80;
+    server_name _;
+ 
+    location / {
+        rewrite   ^(.*)   https://\$server_name\$1 permanent;
+    }  
+ }
+ 
+server {
+    charset utf-8;
+    listen 443;
+    listen [::]:443 ssl;
+    server_name _;
+    ssl on;
+    client_max_body_size 1024m;
+    ssl_certificate /etc/ssl/certs/kopano.crt;
+    ssl_certificate_key /etc/ssl/private/kopano.key;
+    ssl_session_cache shared:SSL:1m;
+    ssl_session_timeout 5m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+    ssl_prefer_server_ciphers on;
+    #
+    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    #
+ 
+    # add headers
+    server_tokens off;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+  
+    location /webapp {
+        alias /usr/share/kopano-webapp/;
+        index index.php;
+     
+    location ~ /webapp/presence/ {
+                rewrite ^/webapp/presence(/.*)$ \$1 break;
+                proxy_pass http://localhost:1234;
+                proxy_set_header Upgrade \$http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_http_version 1.1;
+                }
+ 
+    }
+ 
+    location ~* ^/webapp/(.+\.php)$ {
+        alias /usr/share/kopano-webapp/;
+ 
+        # deny access to .htaccess files
+        location ~ /\.ht {
+                    deny all;
+        }
+  
+        fastcgi_param PHP_VALUE "
+            register_globals=off
+            magic_quotes_gpc=off
+            magic_quotes_runtime=off
+            post_max_size=31M
+            upload_max_filesize=30M
+        ";
+        fastcgi_param PHP_VALUE "post_max_size=31M
+                 upload_max_filesize=30M
+                 max_execution_time=3660
+        ";
+ 
+        include fastcgi_params;
+        fastcgi_index index.php;
+        #fastcgi_param HTTPS on;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$1;
+        fastcgi_pass php-handler;
+        access_log /var/log/nginx/kopano-webapp-access.log;
+        error_log /var/log/nginx/kopano-webapp-error.log;
+ 
+        # CSS and Javascript
+        location ~* \.(?:css|js)$ {
+            expires 1y;
+            access_log off;
+            add_header Cache-Control "public";
+        }
+ 
+        # All (static) resources set to 2 months expiration time.
+        location ~* \.(?:jpg|gif|png)\$ {
+            expires 2M;
+            access_log off;
+            add_header Cache-Control "public";
+        }
+ 
+        # enable gzip compression
+        gzip on;
+        gzip_min_length  1100;
+        gzip_buffers  4 32k;
+        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
+        gzip_vary on;
+        }
+ 
+}
+ 
+map \$http_upgrade \$connection_upgrade {
+        default upgrade;
+        '' close;
+}
+EOF
+
+
+
+ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
+
+phpenmod kopano
+systemctl restart php7.4-fpm nginx
--- a/src/lxc-base.sh
+++ b/src/lxc-base.sh
@ -0,0 +1,69 @@
+#!/bin/bash
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# load configuration
+echo "Loading configuration..."
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants.conf
+source /root/constants-service.conf
+
+echo "Updating locales"
+# update locales
+sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
+sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen
+cat << EOF > /etc/default/locale
+LANG="$LXC_LOCALE"
+LANGUAGE=$LXC_LOCALE
+EOF
+locale-gen $LXC_LOCALE 
+
+# Generate sources
+if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb http://debian.inf.tu-dresden.de/debian bullseye main contrib
+
+deb http://debian.inf.tu-dresden.de/debian bullseye-updates main contrib
+
+# security updates
+deb http://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib
+EOF
+
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb http://debian.inf.tu-dresden.de/debian buster main contrib
+
+deb http://debian.inf.tu-dresden.de/debian buster-updates main contrib
+
+# security updates
+deb http://debian.inf.tu-dresden.de/debian-security buster/updates main contrib
+EOF
+else echo "LXC Debian Version false. Please check configuration files!" ; exit
+fi
+
+# update package lists
+echo "Updating package database..."
+apt --allow-releaseinfo-change update
+
+# install latest packages
+echo "Installing latest updates"
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+
+# install toolset
+echo "Installing preconfigured toolset..."
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET_BASE $LXC_TOOLSET
+
+echo "Enabling vim syntax highlighting..."
+sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
+if [ $LXC_VIM_BG_DARK -gt 0 ]; then
+    sed -i "s|\"set background=dark|set background=dark|g" /etc/vim/vimrc
+fi
+
+echo "Basic container setup finished, continuing with service installation..."
--- a/src/mailpiler/constants-service.conf
+++ b/src/mailpiler/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+PILER_VERSION="1.3.12"
+# Defines the version of sphinx to install
+PILER_SPHINX_VERSION="3.3.1"
+# Defines the php version to install
+PILER_PHP_VERSION="7.4"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx"
--- a/src/mailpiler/install-service.sh
+++ b/src/mailpiler/install-service.sh
@ -5,14 +5,9 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

+source /root/functions.sh
 source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+source /root/constants-service.conf

 HOSTNAME=$(hostname -f)

@ -23,22 +18,26 @@ echo $HOSTNAME
 if 
    [ "$HOSTNAME" != "$PILER_FQDN" ]
 then
-        echo "Hostname doesn't match PILER_FQDNain! Check install.sh, /etc/hosts, /etc/hostname." && exit
+        echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit
 else
-        echo "Hostname matches PILER_FQDNAIN, so starting installation."
+        echo "Hostname matches $PILER_FQDN, so starting installation."
 fi

-apt update && apt full-upgrade -y
-
-apt install -y $LXC_TOOLSET build-essential libwrap0-dev libpst-dev tnef libytnef0-dev unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 software-properties-common libpoppler-dev openssl libssl-dev memcached telnet nginx mariadb-server default-libmysqlclient-dev python-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23
-
 # install php
 wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
 echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list

-apt update && apt install -y php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
+apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
+add-apt-repository "deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian $(lsb_release -cs) main"

-apt purge -y postfix
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \
+unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \
+mariadb-server default-libmysqlclient-dev python3-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \
+php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix

 cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
 innodb_buffer_pool_size=256M
@ -61,7 +60,13 @@ useradd -g piler -m -s /bin/bash -d /var/piler piler
 usermod -L piler
 chmod 755 /var/piler

-wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
+if [[ "$PILER_VERSION" == "latest" ]]; then
+        URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
+        PILER_VERSION=$(echo $URL | cut -d'-' -f2 | cut -d'.' -f1-3)
+        wget -O piler-$PILER_VERSION.tar.gz $URL
+else
+        wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
+fi
 tar -xvzf piler-$PILER_VERSION.tar.gz
 cd piler-$PILER_VERSION/
 ./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
@ -94,7 +99,7 @@ cd /etc/nginx/sites-available
 cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
 ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf

-sed -i "s|PILER_HOST|$PILER_FQDN default_host|g" /etc/nginx/sites-available/piler-nginx.conf
+sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
 sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf

 sed -i "/server_name.*/a \\
@ -114,12 +119,14 @@ sed -i "/server_name.*/a \\
 sed -i "/^server {.*/i\
 server {\n\
        listen 80;\n\
-        server_name $PILER_FQDN default_host;\n\
+        server_name _;\n\
        server_tokens off;\n\
        # HTTP to HTTPS redirect.\n\
-        return 301 https://\$host\$request_uri;\n\
+        return 301 https://$PILER_FQDN;\n\
 }" /etc/nginx/sites-available/piler-nginx.conf

+unlink /etc/nginx/sites-enabled/default
+
 cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
 sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
 cat >> /usr/local/etc/piler/config-site.php <<EOF
@ -179,9 +186,4 @@ cat >> /usr/local/etc/piler/config-site.php <<EOF
 \$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
 EOF

-rm /etc/nginx/sites-enabled/default
-
 nginx -t && systemctl restart nginx
-
-apt autoremove -y
-apt clean -y
--- a/src/matrix/constants-service.conf
+++ b/src/matrix/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,element-web"
--- a/src/matrix/install-service.sh
+++ b/src/matrix/install-service.sh
@ -5,28 +5,24 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf

-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+MRX_PKE=$(random_password)

 ELE_DBNAME="synapse_db"
 ELE_DBUSER="synapse_user"
-ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ELE_DBPASS=$(random_password)
+ELE_PATH=/var/www/element-web
+WEBROOT=/var/www

-apt update && apt full-upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2

-apt install -y $LXC_TOOLSET apt-transport-https gpg software-properties-common nginx postgresql python3-psycopg2
-
-wget wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
-apt update && apt install -y matrix-synapse-py3
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
 systemctl enable matrix-synapse

 ss -tulpen
@ -73,7 +69,7 @@ server {
    ssl_certificate_key /etc/nginx/ssl/matrix.key;

    # If you don't wanna serve a site, comment this out
-    root /var/www/$MATRIX_FQDN;
+    root $ELE_PATH;
    index index.html index.htm;

    location / {
@ -94,7 +90,7 @@ cat > /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN <<EOF
 server {
    listen 80;
    listen [::]:80;
-    server_name $MATRIX_ELEMENT_FQDN;
+    server_name _;
    return 301 https://$MATRIX_ELEMENT_FQDN;
 }

@ -108,31 +104,34 @@ server {
    ssl_certificate_key /etc/nginx/ssl/matrix.key;

    # If you don't wanna serve a site, comment this out
-    root /var/www/$MATRIX_ELEMENT_FQDN/element;
+    root $ELE_PATH;
    index index.html index.htm;
 } 

 EOF

+unlink /etc/nginx/sites-enabled/default
 ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$MATRIX_ELEMENT_FQDN

 systemctl restart nginx

-mkdir /var/www/$MATRIX_ELEMENT_FQDN
-cd /var/www/$MATRIX_ELEMENT_FQDN
-wget https://packages.riot.im/element-release-key.asc
+cd /var/www
+
+wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
 gpg --import element-release-key.asc

-wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
-wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
+MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/vector-im/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
+
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc

 tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
-ln -s element-$MATRIX_ELEMENT_VERSION element
-chown www-data:www-data -R element
-cp ./element/config.sample.json ./element/config.json
-sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json
-sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json
+mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH
+chown www-data:www-data -R $ELE_PATH
+cp $ELE_PATH/config.sample.json $ELE_PATH/config.json
+sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json
+sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json

 su postgres <<EOF
 psql -c "CREATE USER $ELE_DBUSER WITH PASSWORD '$ELE_DBPASS';"
@ -143,19 +142,18 @@ EOF
 cd /
 sed -i "s|#registration_shared_secret: <PRIVATE STRING>|registration_shared_secret: \"$MRX_PKE\"|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|#public_baseurl: https://example.com/|public_baseurl: https://$MATRIX_FQDN/|" /etc/matrix-synapse/homeserver.yaml
+sed -i "s|server_name:|server_name: $MATRIX_FQDN|g" /etc/matrix-synapse/conf.d/server_name.yaml
 sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n    user: $ELE_DBUSER\n    password: $ELE_DBPASS\n    host: 127.0.0.1\n    cp_min: 5\n    cp_max: 10|" /etc/matrix-synapse/homeserver.yaml

+reg_secret=$(random_password)
+echo -e "registration_shared_secret: \"$reg_secret\"" > /etc/matrix-synapse/conf.d/registration.yaml
+
 systemctl restart matrix-synapse

-register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
-
-#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
-#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
-
-#apt update
-#apt install -y jitsi-meet
-
+rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc

+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008

+echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+NEXTCLOUD_VERSION="latest"
+
+# Defines the php version to install
+NEXTCLOUD_PHP_VERSION="8.1"
+
+# Defines the IP from the SQL server
+NEXTCLOUD_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+NEXTCLOUD_DB_PORT="5432"
+
+# Defines the name from the SQL database
+NEXTCLOUD_DB_NAME="nextcloud_db"
+
+# Defines the name from the SQL user
+NEXTCLOUD_DB_USR="nextcloud"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+NEXTCLOUD_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@ -0,0 +1,449 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+
+NEXTCLOUD_ADMIN_PWD=$(random_password)
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+HOSTNAME=$(hostname -f)
+
+wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
+postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
+
+timedatectl set-timezone $LXC_TIMEZONE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+
+#### Create database for nextcloud ####
+
+su - postgres <<EOF
+psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
+psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
+echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
+EOF
+
+#### Adjust php settings ####
+
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
+cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
+sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
+sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
+
+#### Adjust nginx settings ####
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
+openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+
+mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+
+cat > /etc/nginx/nginx.conf <<EOF
+user www-data;
+worker_processes auto;
+pid /var/run/nginx.pid;
+events {
+worker_connections 1024;
+multi_accept on; use epoll;
+}
+http {
+server_names_hash_bucket_size 64;
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log warn;
+set_real_ip_from 127.0.0.1;
+#optional, Sie können das eigene Subnetz ergänzen, bspw.:
+# set_real_ip_from $LXC_IP;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+sendfile on;
+send_timeout 3600;
+tcp_nopush on;
+tcp_nodelay on;
+open_file_cache max=500 inactive=10m;
+open_file_cache_errors on;
+keepalive_timeout 65;
+reset_timedout_connection on;
+server_tokens off;
+resolver 127.0.0.53 valid=30s;
+resolver_timeout 5s;
+include /etc/nginx/conf.d/*.conf;
+}
+EOF
+
+[ -f /etc/nginx/conf.d/default.conf ] && mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
+touch /etc/nginx/conf.d/default.conf
+
+cat > /etc/nginx/conf.d/http.conf << EOF
+upstream php-handler {
+server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
+}
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name $NEXTCLOUD_FQDN;
+root /var/www;
+location / {
+return 301 https://\$host\$request_uri;
+}
+}
+EOF
+
+cat > /etc/nginx/conf.d/nextcloud.conf << EOF
+server {
+listen 443      ssl http2;
+listen [::]:443 ssl http2;
+server_name $NEXTCLOUD_FQDN;
+ssl_certificate /etc/ssl/certs/nextcloud.crt;
+ssl_certificate_key /etc/ssl/private/nextcloud.key;
+ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
+#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
+#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
+#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
+#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
+#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
+ssl_ecdh_curve X448:secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_stapling on;
+ssl_stapling_verify on;
+client_max_body_size 5120M;
+fastcgi_buffers 64 4K;
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
+add_header Permissions-Policy                   "interest-cohort=()";
+add_header Referrer-Policy                      "no-referrer"   always;
+add_header X-Content-Type-Options               "nosniff"       always;
+add_header X-Download-Options                   "noopen"        always;
+add_header X-Frame-Options                      "SAMEORIGIN"    always;
+add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+add_header X-Robots-Tag                         "none"          always;
+add_header X-XSS-Protection                     "1; mode=block" always;
+fastcgi_hide_header X-Powered-By;
+fastcgi_read_timeout 3600;
+fastcgi_send_timeout 3600;
+fastcgi_connect_timeout 3600;
+root /var/www/nextcloud;
+index index.php index.html /index.php\$request_uri;
+expires 1m;
+location = / {
+if ( \$http_user_agent ~ ^DavClnt ) {
+return 302 /remote.php/webdav/\$is_args\$args;
+}
+}
+location = /robots.txt {
+allow all;
+log_not_found off;
+access_log off;
+}
+location ^~ /apps/rainloop/app/data {
+deny all;
+}
+location ^~ /.well-known {
+location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+location ^~ /.well-known            { return 301 /index.php/\$uri; }
+try_files \$uri \$uri/ =404;
+}
+location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/)  { return 404; }
+location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+location ~ \.php(?:\$|/) {
+rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
+set \$path_info \$fastcgi_path_info;
+try_files \$fastcgi_script_name =404;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+fastcgi_param PATH_INFO \$path_info;
+fastcgi_param HTTPS on;
+fastcgi_param modHeadersAvailable true;
+fastcgi_param front_controller_active true;
+fastcgi_pass php-handler;
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+}
+location ~ \.(?:css|js|svg|gif)\$ {
+try_files \$uri /index.php\$request_uri;
+expires 6M;
+access_log off;
+}
+location ~ \.woff2?\$ {
+try_files \$uri /index.php\$request_uri;
+expires 7d;
+access_log off;
+}
+location / {
+try_files \$uri \$uri/ /index.php\$request_uri;
+}
+location /push/ {
+proxy_pass http://localhost:7867/;
+proxy_http_version 1.1;
+proxy_set_header Upgrade \$http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header Host \$host;
+proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+}
+}
+EOF
+
+systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
+
+#### Adjust redis settings ####
+
+cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
+sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
+sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
+sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
+sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
+usermod -aG redis www-data
+
+#### Adjust sysctl.conf settings ####
+
+cp /etc/sysctl.conf /etc/sysctl.conf.bak
+echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
+systemctl restart redis
+
+#### HIER MÜSSTE EIN REBOOT REIN ####
+
+
+#### Install nextcloud ####
+
+cd /usr/local/src
+
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
+
+md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
+
+tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
+
+cat > /root/permissions.sh << EOF
+#!/bin/bash
+find /var/www/ -type f -print0 | xargs -0 chmod 0640
+find /var/www/ -type d -print0 | xargs -0 chmod 0750
+chown -R www-data:www-data /var/www 
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
+chmod 0644 /var/www/nextcloud/.htaccess
+chmod 0644 /var/www/nextcloud/.user.ini
+exit 0
+EOF
+
+chmod +x /root/permissions.sh
+/root/permissions.sh
+
+#### install fail2ban ####
+
+cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+EOF
+
+cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 5
+bantime = 3600
+findtime = 36000
+logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log 
+EOF
+
+systemctl restart fail2ban
+
+#### Create configuration script for nextcloud, which will be executet as user www-data
+
+cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
+
+#!/bin/bash 
+
+php /var/www/nextcloud/occ maintenance:install --database pgsql \
+--database-host $NEXTCLOUD_DB_IP \
+--database-port $NEXTCLOUD_DB_PORT \
+--database-name $NEXTCLOUD_DB_NAME \
+--database-user $NEXTCLOUD_DB_USR \
+--database-pass $NEXTCLOUD_DB_PWD \
+--admin-user $NEXTCLOUD_ADMIN_USR \
+--admin-pass $NEXTCLOUD_ADMIN_PWD \
+--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
+
+php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
+php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
+
+cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i '/);/d' /var/www/nextcloud/config/config.php
+
+cat >> /var/www/nextcloud/config/config.php << EOF
+'activity_expire_days' => 14,
+'auth.bruteforce.protection.enabled' => true,
+'blacklisted_files' => 
+array (
+0 => '.htaccess',
+1 => 'Thumbs.db',
+2 => 'thumbs.db',
+),
+'cron_log' => true,
+'default_phone_region' => 'DE',
+'enable_previews' => true,
+'enabledPreviewProviders' => 
+array (
+0 => 'OC\Preview\PNG',
+1 => 'OC\Preview\JPEG',
+2 => 'OC\Preview\GIF',
+3 => 'OC\Preview\BMP',
+4 => 'OC\Preview\XBitmap',
+5 => 'OC\Preview\Movie',
+6 => 'OC\Preview\PDF',
+7 => 'OC\Preview\MP3',
+8 => 'OC\Preview\TXT',
+9 => 'OC\Preview\MarkDown',
+),
+'filesystem_check_changes' => 0,
+'filelocking.enabled' => 'true',
+'htaccess.RewriteBase' => '/',
+'integrity.check.disabled' => false,
+'knowledgebaseenabled' => false,
+'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
+'loglevel' => 2,
+'logtimezone' => '$LXC_TIMEZONE',
+'log_rotate_size' => 104857600,
+'maintenance' => false,
+'memcache.local' => '\OC\Memcache\APCu',
+'memcache.locking' => '\OC\Memcache\Redis',
+'overwriteprotocol' => 'https',
+'preview_max_x' => 1024,
+'preview_max_y' => 768,
+'preview_max_scale_factor' => 1,
+'redis' => 
+array (
+'host' => '/var/run/redis/redis-server.sock',
+'port' => 0,
+'timeout' => 0.0,
+),
+'quota_include_external_storage' => false,
+'share_folder' => '/Freigaben',
+'skeletondirectory' => '',
+'theme' => '',
+'trashbin_retention_obligation' => 'auto, 7',
+'updater.release.channel' => 'stable',
+'trusted_proxies' => 
+array (
+'$NEXTCLOUD_REVPROX',
+'127.0.0.1',
+'::1',
+),
+);
+EOF
+
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
+php /var/www/nextcloud/occ app:disable survey_client
+php /var/www/nextcloud/occ app:disable firstrunwizard
+php /var/www/nextcloud/occ app:enable admin_audit
+php /var/www/nextcloud/occ app:enable notify_push
+php /var/www/nextcloud/occ app:enable files_pdfviewer
+php /var/www/nextcloud/occ background:cron
+DFOE
+
+/root/permissions.sh
+
+su -s /bin/bash www-data <<EOF
+bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
+EOF
+
+#### Create file for high performance backend
+
+cat > /etc/systemd/system/notify_push.service << EOF
+[Unit]
+Description = Push daemon for Nextcloud clients
+[Service]
+Environment=PORT=7867
+Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
+Environment=ALLOW_SELF_SIGNED=true
+ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
+User=www-data
+[Install]
+WantedBy = multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now notify_push
+
+echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+
+echo -e "\n######################################################################\n\n    Please note this user and password for the nextcloud login:\n        '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n                Enjoy your Nextcloud intallation.\n\n######################################################################"
+
+shutdown -r now
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="mongodb-server,java"
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
+add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
+
+wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://www.mongodb.org/static/pgp/server-4.4.asc
+
+echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq adoptopenjdk-8-hotspot jsvc mongodb-org
+
+DL=$(wget -O - -q  https://www.tp-link.com/de/support/download/omada-software-controller/ 2>/dev/null | grep Download-Detail-Software_Omada-Software-Controller | grep "Linux_x64.deb" | head -1 | cut -d'"' -f6)
+
+wget -O /tmp/omada.deb -q $DL
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /tmp/omada.deb
--- a/src/onlyoffice/constants-service.conf
+++ b/src/onlyoffice/constants-service.conf
@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+ONLYOFFICE_DB_HOST=localhost
+
+ONLYOFFICE_DB_NAME=onlyoffice
+
+ONLYOFFICE_DB_USER=onlyoffice
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,rabbitmq"
--- a/src/onlyoffice/fix-update.sh
+++ b/src/onlyoffice/fix-update.sh
@ -0,0 +1,25 @@
+#!/bin/bash
+
+cat > /usr/local/bin/ods-apt-pre-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds-ssl.conf
+systemctl stop nginx.service
+DFOE
+chmod +x /usr/local/bin/ods-apt-pre-hook
+
+cat > /usr/local/bin/ods-apt-post-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds.conf
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+systemctl restart nginx
+DFOE
+chmod +x /usr/local/bin/ods-apt-post-hook
+
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
+DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
+DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
+EOF
--- a/src/onlyoffice/install-service.sh
+++ b/src/onlyoffice/install-service.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ONLYOFFICE_DB_PASS=$(random_password)
+
+apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
+echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
+
+apt update 
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
+
+su postgres <<EOF
+psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
+psql -c "CREATE DATABASE $ONLYOFFICE_DB_NAME ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $ONLYOFFICE_DB_USER;"
+echo "Postgres User '$ONLYOFFICE_DB_USER' and database '$ONLYOFFICE_DB_NAME' created."
+EOF
+
+echo onlyoffice-documentserver onlyoffice/ds-port select 80 | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-host string $ONLYOFFICE_DB_HOST | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver
+
+cat << EOF > /root/onlyoffice.credentials
+ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
+ONLYOFFICE_DB_NAME=$ONLYOFFICE_DB_NAME
+ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
+ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
+EOF
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+rm /etc/nginx/conf.d/ds.conf
+cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+
+sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+
+cat > /usr/local/bin/ods-apt-pre-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds-ssl.conf
+systemctl stop nginx.service
+DFOE
+chmod +x /usr/local/bin/ods-apt-pre-hook
+
+cat > /usr/local/bin/ods-apt-post-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds.conf
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+systemctl restart nginx
+DFOE
+chmod +x /usr/local/bin/ods-apt-post-hook
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
+DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
+DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
+EOF
+
+systemctl restart nginx
--- a/src/open3a/constants-service.conf
+++ b/src/open3a/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/open3a/install-service.sh
+++ b/src/open3a/install-service.sh
@ -0,0 +1,84 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+webroot=/var/www/html
+
+LXC_RANDOMPWD=20
+MYSQL_PASSWORD="$(random_password)"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/open3a.crt;
+    ssl_certificate_key /etc/nginx/ssl/open3a.key;
+
+    location ~ .php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+    }
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
+GRANT USAGE ON * . * TO 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS open3a;
+GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
+
+cd $webroot
+wget https://www.open3a.de/download/open3A%203.7.zip -O $webroot/open3a.zip
+unzip open3a.zip
+rm open3a.zip
+chmod 666 system/DBData/Installation.pfdb.php
+chmod -R 777 specifics/
+chmod -R 777 system/Backup
+chown -R www-data:www-data $webroot
+
+echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
+chmod +x /etc/cron.daily/open3a-backup
+
+cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
+<?php echo "This is a database-file."; /*
+host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
+varchar(40)&%%%&varchar(20)&%%%&varchar(20)&%%%&varchar(30)&%%%&varchar(40)                                                                                         
+localhost                               &%%%&open3a              &%%%&$MYSQL_PASSWORD&%%%&open3a                        &%%%&*                                       %%&&&
+*/ ?>
+EOF
+
+systemctl enable --now php7.4-fpm
+systemctl restart php7.4-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"
--- a/src/proxmox-pbs/constants-service.conf
+++ b/src/proxmox-pbs/constants-service.conf
@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Backup ubdir where Urbackup will store backups
+PBS_DATA="backup"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="backup"
--- a/src/proxmox-pbs/install-service.sh
+++ b/src/proxmox-pbs/install-service.sh
@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list 
+# PBS pbs-no-subscription repository provided by proxmox.com,
+# NOT recommended for production use
+deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
+EOF
+
+wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
+
+apt update && apt upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
+
+proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
+
+systemctl disable --now zfs-mount.service zfs-share.service
--- a/src/tactical-rmm/constants-service.conf
+++ b/src/tactical-rmm/constants-service.conf
@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the IP from the SQL server
+RMM_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+RMM_DB_PORT="5432"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# Defines the name from the SQL database
+RMM_DB_NAME="rmm"
+
+# Defines the name from the SQL user
+pgusername="rmm"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+RMMUSER=tactical
+pgpw="$(random_password)"
+DJANGO_SEKRET="$(random_password)"
+ADMINURL="$(random_password)"
+MESHPASSWD="$(random_password)"
+meshusername="$(random_password)"
+
+# vars from tactical-rmm install script
+SCRIPTS_DIR="/opt/trmm-community-scripts"
+
+TMP_FILE=$(mktemp -p "" "rmminstall_XXXXXXXXXX")
+osname=debian
+djangousername=admin
--- a/src/tactical-rmm/install-service.sh
+++ b/src/tactical-rmm/install-service.sh
@ -0,0 +1,712 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+codename=$(lsb_release -cs)
+
+useradd -m -G sudo -s /bin/bash ${RMMUSER}
+
+echo "deb https://repo.mongodb.org/apt/$osname buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
+echo "deb https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > /etc/apt/sources.list.d/postgres.list
+echo "deb https://deb.nodesource.com/node_16.x $codename main" > /etc/apt/sources.list.d/nodejs.list
+echo "deb https://dl.yarnpkg.com/debian stable main" > tee /etc/apt/sources.list.d/yarn.list
+
+apt-key adv --fetch https://pgp.mongodb.com/server-4.4.pub
+apt-key adv --fetch https://deb.nodesource.com/gpgkey/nodesource.gpg.key
+apt-key adv --fetch https://dl.yarnpkg.com/debian/yarnkey.gpg
+apt-key adv --fetch https://www.postgresql.org/media/keys/ACCC4CF8.asc
+
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq sudo ssl-cert nginx mongodb-org gcc g++ make build-essential zlib1g-dev libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev ca-certificates redis git postgresql-14 rpl
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nodejs
+
+echo "${RMMUSER} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${RMMUSER}
+
+npm install --no-fund --location=global npm
+
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/${frontenddomain}.key -out /etc/ssl/certs/${frontenddomain}.pem -subj "/CN=$frontenddomain" -addext "subjectAltName=DNS:*.${frontenddomain}"
+chown root:ssl-cert /etc/ssl/private/${frontenddomain}.key
+chmod 640 /etc/ssl/private/${frontenddomain}.key
+usermod -aG ssl-cert ${RMMUSER}
+
+update-ca-certificates
+
+systemctl enable mongod.service postgresql.service
+
+# configure hosts file
+echo "127.0.1.1 ${rmmdomain} ${frontenddomain} ${meshdomain}" | tee --append /etc/hosts > /dev/null
+
+# set global nginx vars
+sed -i 's/worker_connections.*/worker_connections 2048;/g' /etc/nginx/nginx.conf
+sed -i 's/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 64;/g' /etc/nginx/nginx.conf
+
+# compile python3
+su - ${RMMUSER} << EOF
+cd ~
+wget https://www.python.org/ftp/python/${PYTHON_VER}/Python-${PYTHON_VER}.tgz
+tar -xf Python-${PYTHON_VER}.tgz
+cd Python-${PYTHON_VER}
+./configure --enable-optimizations
+make -j $(nproc)
+sudo make altinstall
+cd ~
+sudo rm -rf Python-${PYTHON_VER} Python-${PYTHON_VER}.tgz
+EOF
+
+
+systemctl restart mongod postgresql
+systemctl stop nginx
+
+# configure postgresql
+cd /var/lib/postgresql
+sudo -u postgres psql -c "CREATE DATABASE tacticalrmm;"
+sudo -u postgres psql -c "CREATE USER ${pgusername} WITH PASSWORD '${pgpw}';"
+sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET client_encoding TO 'utf8';"
+sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET default_transaction_isolation TO 'read committed';"
+sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET timezone TO 'UTC';"
+sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE tacticalrmm TO ${pgusername};"
+
+# clone tacticalrmm
+mkdir /rmm
+chown ${RMMUSER}:${RMMUSER} /rmm
+mkdir -p /var/log/celery
+chown ${RMMUSER}:${RMMUSER} /var/log/celery
+mkdir -p ${SCRIPTS_DIR}
+chown ${RMMUSER}:${RMMUSER} ${SCRIPTS_DIR}
+su - ${RMMUSER} << EOF
+cd /rmm
+git clone -b master https://github.com/amidaware/tacticalrmm.git /rmm
+git config user.email "admin@example.com"
+git config user.name "Bob"
+cd ${SCRIPTS_DIR} 
+git clone -b main https://github.com/amidaware/community-scripts.git ${SCRIPTS_DIR}/
+git config user.email "admin@example.com"
+git config user.name "Bob"
+EOF
+
+# configure NATS server
+NATS_SERVER_VER=$(grep "^NATS_SERVER_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}')
+nats_tmp=$(mktemp -d -t nats-server-XXXXXXXXXXXXX)
+wget https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER_VER}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -O ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz
+tar -xzf ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -C ${nats_tmp}
+mv ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64/nats-server /usr/local/bin/
+chmod +x /usr/local/bin/nats-server
+chown ${RMMUSER}:${RMMUSER} /usr/local/bin/nats-server
+rm -rf ${nats_tmp}
+
+# fix cert in nats-rmm.conf
+rpl "/etc/letsencrypt/live/${frontenddomain}/fullchain.pem" "/etc/ssl/certs/${frontenddomain}.pem" /rmm/api/tacticalrmm/nats-rmm.conf
+rpl "/etc/letsencrypt/live/${frontenddomain}/privkey.pem" "/etc/ssl/private/${frontenddomain}.key" /rmm/api/tacticalrmm/nats-rmm.conf
+
+# install meshcentral
+MESH_VER=$(grep "^MESH_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}')
+
+mkdir -p /meshcentral/meshcentral-data
+chown ${RMMUSER}:${RMMUSER} -R /meshcentral
+
+su  - ${RMMUSER} << EOF
+cd /meshcentral
+npm install meshcentral@${MESH_VER}
+EOF
+
+chown ${RMMUSER}:${RMMUSER} -R /meshcentral
+
+meshcfg="$(cat << EOF
+{
+  "settings": {
+    "Cert": "${meshdomain}",
+    "MongoDb": "mongodb://127.0.0.1:27017",
+    "MongoDbName": "meshcentral",
+    "WANonly": true,
+    "Minify": 1,
+    "Port": 4430,
+    "AliasPort": 443,
+    "RedirPort": 800,
+    "AllowLoginToken": true,
+    "AllowFraming": true,
+    "_AgentPing": 60,
+    "AgentPong": 300,
+    "AllowHighQualityDesktop": true,
+    "TlsOffload": "127.0.0.1",
+    "agentCoreDump": false,
+    "Compression": true,
+    "WsCompression": true,
+    "AgentWsCompression": true,
+    "MaxInvalidLogin": { "time": 5, "count": 5, "coolofftime": 30 }
+  },
+  "domains": {
+    "": {
+      "Title": "Tactical RMM",
+      "Title2": "Tactical RMM",
+      "NewAccounts": false,
+      "CertUrl": "https://${meshdomain}:443/",
+      "GeoLocation": true,
+      "CookieIpCheck": false,
+      "mstsc": true,
+      "force2factor": false
+    }
+  }
+}
+EOF
+)"
+sudo -u ${RMMUSER} echo "${meshcfg}" > /meshcentral/meshcentral-data/config.json
+
+localvars="$(cat << EOF
+SECRET_KEY = "${DJANGO_SEKRET}"
+
+DEBUG = False
+
+ALLOWED_HOSTS = ['${rmmdomain}']
+
+ADMIN_URL = "${ADMINURL}/"
+
+CORS_ORIGIN_WHITELIST = [
+    "https://${frontenddomain}"
+]
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql',
+        'NAME': 'tacticalrmm',
+        'USER': '${pgusername}',
+        'PASSWORD': '${pgpw}',
+        'HOST': 'localhost',
+        'PORT': '5432',
+    }
+}
+
+MESH_USERNAME = "${meshusername}"
+MESH_SITE = "https://${meshdomain}"
+REDIS_HOST    = "localhost"
+ADMIN_ENABLED = True
+EOF
+)"
+sudo -u ${RMMUSER} echo "${localvars}" > /rmm/api/tacticalrmm/tacticalrmm/local_settings.py
+
+cp /rmm/natsapi/bin/nats-api /usr/local/bin
+chown ${RMMUSER}:${RMMUSER} /usr/local/bin/nats-api
+chmod +x /usr/local/bin/nats-api
+
+SETUPTOOLS_VER=$(grep "^SETUPTOOLS_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}')
+WHEEL_VER=$(grep "^WHEEL_VER" /rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}')
+
+su - ${RMMUSER} << EOF
+cd /rmm/api/
+/usr/local/bin/python3.10 -m venv env
+source /rmm/api/env/bin/activate
+cd /rmm/api/tacticalrmm
+pip install --no-cache-dir --upgrade pip
+pip install --no-cache-dir setuptools==${SETUPTOOLS_VER} wheel==${WHEEL_VER}
+pip install --no-cache-dir -r /rmm/api/tacticalrmm/requirements.txt
+python manage.py migrate
+python manage.py collectstatic --no-input
+python manage.py create_natsapi_conf
+python manage.py load_chocos
+python manage.py load_community_scripts
+python manage.py create_installer_user
+deactivate
+EOF
+
+# install backend
+echo 'Optimizing for number of processors'
+uwsgiprocs=4
+if [[ "$(nproc)" == "1" ]]; then
+  uwsgiprocs=2
+else
+  uwsgiprocs=$(nproc)
+fi
+
+uwsgini="$(cat << EOF
+[uwsgi]
+chdir = /rmm/api/tacticalrmm
+module = tacticalrmm.wsgi
+home = /rmm/api/env
+master = true
+processes = ${uwsgiprocs}
+threads = ${uwsgiprocs}
+enable-threads = true
+socket = /rmm/api/tacticalrmm/tacticalrmm.sock
+harakiri = 300
+chmod-socket = 660
+buffer-size = 65535
+vacuum = true
+die-on-term = true
+max-requests = 500
+disable-logging = true
+EOF
+)"
+sudo -u ${RMMUSER} echo "${uwsgini}" > /rmm/api/tacticalrmm/app.ini
+
+# create systemd services
+
+rmmservice="$(cat << EOF
+[Unit]
+Description=tacticalrmm uwsgi daemon
+After=network.target postgresql.service
+
+[Service]
+User=${RMMUSER}
+Group=www-data
+WorkingDirectory=/rmm/api/tacticalrmm
+Environment="PATH=/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ExecStart=/rmm/api/env/bin/uwsgi --ini app.ini
+Restart=always
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+)"
+echo "${rmmservice}" | sudo tee /etc/systemd/system/rmm.service > /dev/null
+
+daphneservice="$(cat << EOF
+[Unit]
+Description=django channels daemon
+After=network.target
+
+[Service]
+User=${RMMUSER}
+Group=www-data
+WorkingDirectory=/rmm/api/tacticalrmm
+Environment="PATH=/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ExecStart=/rmm/api/env/bin/daphne -u /rmm/daphne.sock tacticalrmm.asgi:application
+Restart=always
+RestartSec=3s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+)"
+echo "${daphneservice}" | sudo tee /etc/systemd/system/daphne.service > /dev/null
+
+natsservice="$(cat << EOF
+[Unit]
+Description=NATS Server
+After=network.target
+
+[Service]
+PrivateTmp=true
+Type=simple
+ExecStart=/usr/local/bin/nats-server -c /rmm/api/tacticalrmm/nats-rmm.conf
+ExecReload=/usr/bin/kill -s HUP \$MAINPID
+ExecStop=/usr/bin/kill -s SIGINT \$MAINPID
+User=${RMMUSER}
+Group=www-data
+Restart=always
+RestartSec=5s
+LimitNOFILE=1000000
+
+[Install]
+WantedBy=multi-user.target
+EOF
+)"
+echo "${natsservice}" | sudo tee /etc/systemd/system/nats.service > /dev/null
+
+natsapi="$(cat << EOF
+[Unit]
+Description=TacticalRMM Nats Api v1
+After=nats.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/nats-api
+User=${RMMUSER}
+Group=${RMMUSER}
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+)"
+echo "${natsapi}" | sudo tee /etc/systemd/system/nats-api.service > /dev/null
+
+celeryservice="$(cat << EOF
+[Unit]
+Description=Celery Service V2
+After=network.target redis-server.service postgresql.service
+
+[Service]
+Type=forking
+User=${RMMUSER}
+Group=${RMMUSER}
+EnvironmentFile=/etc/conf.d/celery.conf
+WorkingDirectory=/rmm/api/tacticalrmm
+ExecStart=/bin/sh -c '\${CELERY_BIN} -A \$CELERY_APP multi start \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel="\${CELERYD_LOG_LEVEL}" \$CELERYD_OPTS'
+ExecStop=/bin/sh -c '\${CELERY_BIN} multi stopwait \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --loglevel="\${CELERYD_LOG_LEVEL}"'
+ExecReload=/bin/sh -c '\${CELERY_BIN} -A \$CELERY_APP multi restart \$CELERYD_NODES --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel="\${CELERYD_LOG_LEVEL}" \$CELERYD_OPTS'
+Restart=always
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+)"
+echo "${celeryservice}" | sudo tee /etc/systemd/system/celery.service > /dev/null
+
+celerybeatservice="$(cat << EOF
+[Unit]
+Description=Celery Beat Service V2
+After=network.target redis-server.service postgresql.service
+
+[Service]
+Type=simple
+User=${RMMUSER}
+Group=${RMMUSER}
+EnvironmentFile=/etc/conf.d/celery.conf
+WorkingDirectory=/rmm/api/tacticalrmm
+ExecStart=/bin/sh -c '\${CELERY_BIN} -A \${CELERY_APP} beat --pidfile=\${CELERYBEAT_PID_FILE} --logfile=\${CELERYBEAT_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL}'
+Restart=always
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+)"
+echo "${celerybeatservice}" | sudo tee /etc/systemd/system/celerybeat.service > /dev/null
+
+meshservice="$(cat << EOF
+[Unit]
+Description=MeshCentral Server
+After=network.target mongod.service nginx.service
+[Service]
+Type=simple
+LimitNOFILE=1000000
+ExecStart=/usr/bin/node node_modules/meshcentral
+Environment=NODE_ENV=production
+WorkingDirectory=/meshcentral
+User=${RMMUSER}
+Group=${RMMUSER}
+Restart=always
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+)"
+echo "${meshservice}" | sudo tee /etc/systemd/system/meshcentral.service > /dev/null
+
+
+# create nginx config
+
+nginxrmm="$(cat << EOF
+server_tokens off;
+
+upstream tacticalrmm {
+    server unix:////rmm/api/tacticalrmm/tacticalrmm.sock;
+}
+
+map \$http_user_agent \$ignore_ua {
+    "~python-requests.*" 0;
+    "~go-resty.*" 0;
+    default 1;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${rmmdomain};
+    return 301 https://\$server_name\$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name ${rmmdomain};
+    client_max_body_size 300M;
+    access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=\$ignore_ua;
+    error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
+    ssl_certificate /etc/ssl/certs/${frontenddomain}.pem;
+    ssl_certificate_key /etc/ssl/private/${frontenddomain}.key;
+    
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    ssl_ecdh_curve secp384r1;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    add_header X-Content-Type-Options nosniff;
+    
+    location /static/ {
+        root /rmm/api/tacticalrmm;
+    }
+
+    location /private/ {
+        internal;
+        add_header "Access-Control-Allow-Origin" "https://${frontenddomain}";
+        alias /rmm/api/tacticalrmm/tacticalrmm/private/;
+    }
+
+    location ~ ^/(natsapi) {
+        allow 127.0.0.1;
+        deny all;
+        uwsgi_pass tacticalrmm;
+        include     /etc/nginx/uwsgi_params;
+        uwsgi_read_timeout 500s;
+        uwsgi_ignore_client_abort on;
+    }
+
+    location ~ ^/ws/ {
+        proxy_pass http://unix:/rmm/daphne.sock;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_redirect     off;
+        proxy_set_header   Host \$host;
+        proxy_set_header   X-Real-IP \$remote_addr;
+        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host \$server_name;
+    }
+
+    location / {
+        uwsgi_pass  tacticalrmm;
+        include     /etc/nginx/uwsgi_params;
+        uwsgi_read_timeout 9999s;
+        uwsgi_ignore_client_abort on;
+    }
+}
+EOF
+)"
+echo "${nginxrmm}" | sudo tee /etc/nginx/sites-available/rmm.conf > /dev/null
+
+
+nginxmesh="$(cat << EOF
+server {
+  listen 80;
+  listen [::]:80;
+  server_name ${meshdomain};
+  return 301 https://\$server_name\$request_uri;
+}
+
+server {
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    proxy_send_timeout 330s;
+    proxy_read_timeout 330s;
+    server_name ${meshdomain};
+    ssl_certificate /etc/ssl/certs/${frontenddomain}.pem;
+    ssl_certificate_key /etc/ssl/private/${frontenddomain}.key;
+
+    ssl_session_cache shared:WEBSSL:10m;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    ssl_ecdh_curve secp384r1;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    add_header X-Content-Type-Options nosniff;
+
+    location / {
+        proxy_pass http://127.0.0.1:4430/;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host \$host;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-Host \$host:\$server_port;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+}
+EOF
+)"
+echo "${nginxmesh}" | sudo tee /etc/nginx/sites-available/meshcentral.conf > /dev/null
+
+ln -s /etc/nginx/sites-available/rmm.conf /etc/nginx/sites-enabled/rmm.conf
+ln -s /etc/nginx/sites-available/meshcentral.conf /etc/nginx/sites-enabled/meshcentral.conf
+
+# configure celery
+mkdir /etc/conf.d
+
+celeryconf="$(cat << EOF
+CELERYD_NODES="w1"
+
+CELERY_BIN="/rmm/api/env/bin/celery"
+
+CELERY_APP="tacticalrmm"
+
+CELERYD_MULTI="multi"
+
+CELERYD_OPTS="--time-limit=86400 --autoscale=20,2"
+
+CELERYD_PID_FILE="/rmm/api/tacticalrmm/%n.pid"
+CELERYD_LOG_FILE="/var/log/celery/%n%I.log"
+CELERYD_LOG_LEVEL="ERROR"
+
+CELERYBEAT_PID_FILE="/rmm/api/tacticalrmm/beat.pid"
+CELERYBEAT_LOG_FILE="/var/log/celery/beat.log"
+EOF
+)"
+echo "${celeryconf}" | sudo tee /etc/conf.d/celery.conf > /dev/null
+
+chown ${RMMUSER}:${RMMUSER} -R /etc/conf.d/
+
+systemctl daemon-reload
+
+# install frontend
+
+su - ${RMMUSER} << EOF
+
+if [ -d ~/.npm ]; then
+  chown -R $RMMUSER:$RMMUSER ~/.npm
+fi
+
+if [ -d ~/.config ]; then
+  chown -R $RMMUSER:$RMMUSER ~/.config
+fi
+
+echo -e "PROD_URL = \"https://${rmmdomain}\"\nDEV_URL = \"https://${rmmdomain}\"" > /rmm/web/.env
+
+cd /rmm/web
+npm install
+npm audit fix
+npm run build
+EOF
+
+mkdir -p /var/www/rmm
+cp -pvr /rmm/web/dist /var/www/rmm/
+chown www-data:www-data -R /var/www/rmm/dist
+
+nginxfrontend="$(cat << EOF
+server {
+    server_name ${frontenddomain};
+    charset utf-8;
+    location / {
+        root /var/www/rmm/dist;
+        try_files \$uri \$uri/ /index.html;
+        add_header Cache-Control "no-store, no-cache, must-revalidate";
+        add_header Pragma "no-cache";
+    }
+    error_log  /var/log/nginx/frontend-error.log;
+    access_log /var/log/nginx/frontend-access.log;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    ssl_certificate /etc/ssl/certs/${frontenddomain}.pem;
+    ssl_certificate_key /etc/ssl/private/${frontenddomain}.key;
+    
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    ssl_ecdh_curve secp384r1;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    add_header X-Content-Type-Options nosniff;
+}
+
+server {
+    if (\$host = ${frontenddomain}) {
+        return 301 https://\$host\$request_uri;
+    }
+
+    listen 80;
+    listen [::]:80;
+    server_name ${frontenddomain};
+    return 404;
+}
+EOF
+)"
+echo "${nginxfrontend}" | tee /etc/nginx/sites-available/frontend.conf > /dev/null
+
+ln -s /etc/nginx/sites-available/frontend.conf /etc/nginx/sites-enabled/frontend.conf
+
+
+for i in rmm.service daphne.service celery.service celerybeat.service nginx
+do
+  systemctl enable ${i}
+  systemctl stop ${i}
+  systemctl start ${i}
+done
+sleep 5
+systemctl enable meshcentral
+
+systemctl restart meshcentral
+
+CHECK_MESH_READY=1
+while ! [[ $CHECK_MESH_READY ]]; do
+  CHECK_MESH_READY=$(sudo journalctl -u meshcentral.service -b --no-pager | grep "MeshCentral HTTP server running on port")
+  echo -ne "Mesh Central not ready yet...\n"
+  sleep 3
+done
+
+node /meshcentral/node_modules/meshcentral --logintokenkey
+
+MESHTOKENKEY=$(node /meshcentral/node_modules/meshcentral --logintokenkey)
+sudo -u ${USER} echo "MESH_TOKEN_KEY = \"$MESHTOKENKEY\"" >> /rmm/api/tacticalrmm/tacticalrmm/local_settings.py
+
+systemctl stop meshcentral
+sleep 1
+cd /meshcentral
+
+sudo -u ${RMMUSER} node node_modules/meshcentral --createaccount ${meshusername} --pass ${MESHPASSWD} --email ${adminemail}
+sleep 1
+sudo -u ${RMMUSER} node node_modules/meshcentral --adminaccount ${meshusername}
+
+systemctl start meshcentral
+sleep 5
+
+
+sudo -u ${RMMUSER} node node_modules/meshcentral/meshctrl.js --url wss://${meshdomain}:443 --loginuser ${meshusername} --loginpass ${MESHPASSWD} AddDeviceGroup --name TacticalRMM
+sleep 1
+
+systemctl enable nats.service
+su - ${RMMUSER} <<EOF
+cd /rmm/api/tacticalrmm
+source /rmm/api/env/bin/activate
+python manage.py initial_db_setup
+python manage.py reload_nats
+deactivate
+EOF
+
+systemctl start nats.service
+
+sleep 1
+systemctl enable nats-api.service
+systemctl start nats-api.service
+
+## disable django admin
+sudo -u ${RMMUSER} sed -i 's/ADMIN_ENABLED = True/ADMIN_ENABLED = False/g' /rmm/api/tacticalrmm/tacticalrmm/local_settings.py
+
+echo 'Restarting services'
+for i in rmm.service daphne.service celery.service celerybeat.service
+do
+  systemctl stop ${i}
+  systemctl start ${i}
+done
+
+cat << EOF > /usr/local/bin/register-rmm-admin
+cd /rmm/api
+source /rmm/api/env/bin/activate
+cd /rmm/api/tacticalrmm
+printf >&2 "Please create your login for the RMM website and django admin\n"
+printf >&2 "\n"
+echo -ne "Username: "
+read djangousername
+python manage.py createsuperuser --username \${djangousername} --email ${adminemail}
+#RANDBASE=\$(python manage.py generate_totp)
+#python manage.py generate_barcode \${RANDBASE} \${djangousername} ${frontenddomain}
+deactivate
+EOF
+chmod +x /usr/local/bin/register-rmm-admin
+
+printf >&2 "Installation complete!\n\n"
+printf >&2 "Access your rmm at: https://${frontenddomain}\n\n"
+printf >&2 "Django admin url (disabled by default): https://${rmmdomain}/${ADMINURL}/\n\n"
+printf >&2 "MeshCentral username: ${meshusername}\n"
+printf >&2 "MeshCentral password: ${MESHPASSWD}\n\n"
+
+printf >&2 "Please run 'pct exec {container id} -- su - root -c register-rmm-admin' to create an administrative rmm user.\n\n"
--- a/src/unifi/constants-service.conf
+++ b/src/unifi/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="mongodb-server,java"
--- a/src/unifi/install-service.sh
+++ b/src/unifi/install-service.sh
@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
+wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
+
+echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
+echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unifi
--- a/src/urbackup/constants-service.conf
+++ b/src/urbackup/constants-service.conf
@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Backup ubdir where Urbackup will store backups
+URBACKUP_DATA="urbackup"
+
+# OS codename for opensuse / urbackup repo
+REPO_CODENAME="Debian_11"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx"
--- a/src/urbackup/install-service.sh
+++ b/src/urbackup/install-service.sh
@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+mkdir /etc/urbackup
+echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
+
+echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
+curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+ln -s /usr/share/urbackup/www /var/www/urbackup
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root /var/www/urbackup;
+
+    index index.htm;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/urbackup.crt;
+    ssl_certificate_key /etc/nginx/ssl/urbackup.key;
+
+    location /x {
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass 127.0.0.1:55413;
+    }
+}
+
+EOF
+
+sed -i "s/DAEMON_TMPDIR=\"\/tmp\"/DAEMON_TMPDIR=\"\/$LXC_SHAREFS_MOUNTPOINT\/tmp\"/g" /etc/default/urbackupsrv
+sed -i "s/HTTP_SERVER=\"true\"/HTTP_SERVER=\"false\"/g" /etc/default/urbackupsrv
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/tmp
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+
+systemctl restart urbackupsrv nginx
--- a/src/vaultwarden/constants-service.conf
+++ b/src/vaultwarden/constants-service.conf
@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the name from the SQL database
+VAULTWARDEN_DB_NAME="vaultwarden"
+
+# Defines the name from the SQL user
+VAULTWARDEN_DB_USR="vaultwarden"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+VAULTWARDEN_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql"
--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@ -0,0 +1,161 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+admin_token=$(openssl rand -base64 48)
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
+
+systemctl enable --now postgresql
+
+wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+chmod +x docker-image-extract
+./docker-image-extract vaultwarden/server:alpine
+mkdir /opt/vaultwarden
+mkdir -p /var/lib/vaultwarden/data
+useradd vaultwarden
+chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
+mv output/vaultwarden /opt/vaultwarden
+mv output/web-vault /var/lib/vaultwarden/
+rm -Rf output
+rm -Rf docker-image-extract
+
+su - postgres <<EOF
+psql -c "CREATE USER ${VAULTWARDEN_DB_USR} WITH PASSWORD '${VAULTWARDEN_DB_PWD}';"
+psql -c "CREATE DATABASE ${VAULTWARDEN_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${VAULTWARDEN_DB_USR};"
+echo "Postgres User ${VAULTWARDEN_DB_USR} and database ${VAULTWARDEN_DB_NAME} created."
+EOF
+
+cat << EOF > /var/lib/vaultwarden/.env
+DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden
+DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN}
+ORG_CREATION_USERS=admin@$LXC_DOMAIN
+# Use `openssl rand -base64 48` to generate
+ADMIN_TOKEN=$admin_token
+# Uncomment this once vaults restored
+SIGNUPS_ALLOWED=false
+SMTP_HOST=$VW_SMTP_HOST
+SMTP_FROM=$VW_SMTP_FROM
+SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
+SMTP_PORT=$VW_SMTP_PORT          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
+SMTP_SSL=$VW_SMTP_SSL          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
+SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
+SMTP_USERNAME=$VW_SMTP_USERNAME
+SMTP_PASSWORD=$VW_SMTP_PASSWORD
+SMTP_TIMEOUT=15
+EOF
+
+cat << EOF > /etc/systemd/system/vaultwarden.service
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target
+
+[Service]
+User=vaultwarden
+Group=vaultwarden
+EnvironmentFile=/var/lib/vaultwarden/.env
+ExecStart=/opt/vaultwarden/vaultwarden
+LimitNOFILE=1048576
+LimitNPROC=64
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+WorkingDirectory=/var/lib/vaultwarden
+ReadWriteDirectories=/var/lib/vaultwarden
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
+DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};
+EOF
+
+cat << EOF > /var/lib/vaultwarden/update.sh
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+chmod +x docker-image-extract
+./docker-image-extract vaultwarden/server:alpine
+mv output/vaultwarden /opt/vaultwarden
+systemctl stop vaultwarden.service
+cp -rlf output/web-vault /var/lib/vaultwarden/
+rm -Rf output
+rm -Rf docker-image-extract
+systemctl start vaultwarden.service
+EOF
+
+chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
+chmod +x /var/lib/vaultwarden/update.sh
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/vaultwarden.access.log;
+    error_log /var/log/nginx/vaultwarden.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/vaultwarden.access.log;
+    error_log  /var/log/nginx/vaultwarden.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:8000;
+        proxy_read_timeout 90;
+    }
+}
+
+EOF
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl daemon-reload
+systemctl enable --now vaultwarden
+systemctl restart nginx
--- a/src/zabbix/constants-service.conf
+++ b/src/zabbix/constants-service.conf
@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/zabbix/install-service.sh
+++ b/src/zabbix/install-service.sh
@ -0,0 +1,229 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
+echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent ssl-cert
+
+unlink /etc/nginx/sites-enabled/default
+
+cat << EOF > /etc/zabbix/nginx.conf
+server {
+        listen          80 default_server;
+        listen          [::]:80 default_server;
+        server_name _;
+
+        server_tokens off;
+
+        access_log /var/log/nginx/zabbix.access.log;
+        error_log /var/log/nginx/zabbix.error.log;
+
+        location /.well-known/ {
+        }
+
+        return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+        }
+
+server {
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+
+        server_tokens off;
+        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+        ssl_protocols TLSv1.3 TLSv1.2;
+        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+        ssl_dhparam /etc/nginx/dhparam.pem;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 180m;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 1.1.1.1 1.0.0.1;
+
+        add_header Strict-Transport-Security "max-age=31536000" always;
+
+        root    /usr/share/zabbix;
+
+        index   index.php;
+
+        location = /favicon.ico {
+                log_not_found   off;
+        }
+
+        location / {
+                try_files       \$uri \$uri/ =404;
+        }
+
+        location /assets {
+                access_log      off;
+                expires         10d;
+        }
+
+        location ~ /\.ht {
+                deny            all;
+        }
+
+        location ~ /(api\/|conf[^\.]|include|locale) {
+                deny            all;
+                return          404;
+        }
+
+        location /vendor {
+                deny            all;
+                return          404;
+        }
+
+        location ~ [^/]\.php(/|$) {
+                fastcgi_pass    unix:/var/run/php/zabbix.sock;
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_index   index.php;
+
+                fastcgi_param   DOCUMENT_ROOT   /usr/share/zabbix;
+                fastcgi_param   SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name;
+                fastcgi_param   PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name;
+
+                include fastcgi_params;
+                fastcgi_param   QUERY_STRING    \$query_string;
+                fastcgi_param   REQUEST_METHOD  \$request_method;
+                fastcgi_param   CONTENT_TYPE    \$content_type;
+                fastcgi_param   CONTENT_LENGTH  \$content_length;
+
+                fastcgi_intercept_errors        on;
+                fastcgi_ignore_client_abort     off;
+                fastcgi_connect_timeout         60;
+                fastcgi_send_timeout            180;
+                fastcgi_read_timeout            180;
+                fastcgi_buffer_size             128k;
+                fastcgi_buffers                 4 256k;
+                fastcgi_busy_buffers_size       256k;
+                fastcgi_temp_file_write_size    256k;
+        }
+}
+EOF
+
+cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf
+[zabbix]
+user = www-data
+group = www-data
+
+listen = /var/run/php/zabbix.sock
+listen.owner = www-data
+listen.allowed_clients = 127.0.0.1
+
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+pm.max_requests = 200
+
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/lib/php/sessions/
+
+php_value[max_execution_time] = 300
+php_value[memory_limit] = 128M
+php_value[post_max_size] = 16M
+php_value[upload_max_filesize] = 2M
+php_value[max_input_time] = 300
+php_value[max_input_vars] = 10000
+EOF
+
+cat << EOF > /etc/zabbix/web/zabbix.conf.php 
+<?php
+// Zabbix GUI configuration file.
+
+\$DB['TYPE']				= 'POSTGRESQL';
+\$DB['SERVER']			= 'localhost';
+\$DB['PORT']				= '0';
+\$DB['DATABASE']			= '${ZABBIX_DB_NAME}';
+\$DB['USER']				= '${ZABBIX_DB_USR}';
+\$DB['PASSWORD']			= '${ZABBIX_DB_PWD}';
+
+// Schema name. Used for PostgreSQL.
+\$DB['SCHEMA']			= '';
+
+// Used for TLS connection.
+\$DB['ENCRYPTION']		= true;
+\$DB['KEY_FILE']			= '';
+\$DB['CERT_FILE']		= '';
+\$DB['CA_FILE']			= '';
+\$DB['VERIFY_HOST']		= false;
+\$DB['CIPHER_LIST']		= '';
+
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+\$DB['VAULT_URL']		= '';
+\$DB['VAULT_DB_PATH']	= '';
+\$DB['VAULT_TOKEN']		= '';
+
+// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
+// This option is enabled by default for new Zabbix installations.
+// For upgraded installations, please read database upgrade notes before enabling this option.
+\$DB['DOUBLE_IEEE754']	= true;
+
+// Uncomment and set to desired values to override Zabbix hostname/IP and port.
+// \$ZBX_SERVER			= '';
+// \$ZBX_SERVER_PORT		= '';
+
+\$ZBX_SERVER_NAME		= '${LXC_HOSTNAME}';
+
+\$IMAGE_FORMAT_DEFAULT	= IMAGE_FORMAT_PNG;
+
+// Uncomment this block only if you are using Elasticsearch.
+// Elasticsearch url (can be string if same url is used for all types).
+//\$HISTORY['url'] = [
+//	'uint' => 'http://localhost:9200',
+//	'text' => 'http://localhost:9200'
+//];
+// Value types stored in Elasticsearch.
+//\$HISTORY['types'] = ['uint', 'text'];
+
+// Used for SAML authentication.
+// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
+//\$SSO['SP_KEY']			= 'conf/certs/sp.key';
+//\$SSO['SP_CERT']			= 'conf/certs/sp.crt';
+//\$SSO['IDP_CERT']		= 'conf/certs/idp.crt';
+//\$SSO['SETTINGS']		= [];
+EOF
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
+psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
+echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
+EOF
+
+sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
+
+zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
+
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm 
+
+systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm 
--- a/src/zammad/constants-service.conf
+++ b/src/zammad/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,elasticsearch"
--- a/src/zammad/install-service.sh
+++ b/src/zammad/install-service.sh
@ -0,0 +1,170 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key
+apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch
+wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo
+echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
+
+
+cat << EOF >>/etc/hosts
+0.0.0.0 image.zammad.com
+0.0.0.0 images.zammad.com
+0.0.0.0 geo.zammad.com
+0.0.0.0 www.zammad.com
+0.0.0.0 www.zammad.org
+0.0.0.0 www.zammad.net
+0.0.0.0 www.zammad.de
+0.0.0.0 zammad.com
+0.0.0.0 zammad.org
+0.0.0.0 zammad.net
+0.0.0.0 zammad.de
+#
+127.0.0.1 elasticsearch
+0.0.0.0 geoip.elastic.co
+EOF
+
+# Java set startup environment 
+mkdir -p /etc/elasticsearch/jvm.options.d
+cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
+# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
+# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
+-Xms1g
+-Xmx1g
+EOF
+
+# configurwe nginx
+rm -f /etc/nginx/sites-enabled/default
+
+cat << EOF > /etc/nginx/sites-available/zammad.conf
+upstream zammad-railsserver {
+  server 127.0.0.1:3000;
+}
+
+upstream zammad-websocket {
+  server 127.0.0.1:6042;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/zammad.access.log;
+    error_log /var/log/nginx/zammad.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://\$host\$request_uri;
+}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name _;
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+#
+#  https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
+#
+    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
+    add_header Referrer-Policy "strict-origin";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    location = /robots.txt  {
+    access_log off; log_not_found off;
+    }
+
+    location = /favicon.ico {
+    access_log off; log_not_found off;
+    }
+
+    root /opt/zammad/public;
+
+    access_log /var/log/nginx/zammad.access.log;
+    error_log  /var/log/nginx/zammad.error.log;
+
+    client_max_body_size 50M;
+
+    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
+    expires max;
+    }
+
+    location /ws {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade \$http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header CLIENT_IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto	\$scheme;
+    proxy_read_timeout 86400;
+    proxy_pass http://zammad-websocket;
+    }
+
+    location / {
+    proxy_set_header Host \$http_host;
+    proxy_set_header CLIENT_IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto	\$scheme;
+
+    # change this line in an SSO setup
+    proxy_set_header X-Forwarded-User "";
+
+    proxy_read_timeout 180;
+    proxy_pass http://zammad-railsserver;
+
+    gzip on;
+    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+    gzip_proxied any;
+    }
+}
+EOF
+
+ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
+
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl enable elasticsearch.service
+systemctl restart nginx elasticsearch.service
+
+# Elasticsearch conntact to Zammad
+/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
+zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
+zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
+zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
+systemctl restart elasticsearch.service
+zammad run rake searchindex:rebuild
--- a/src/zmb-ad-join/constants-service.conf
+++ b/src/zmb-ad-join/constants-service.conf
@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd splitdns)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
--- a/src/zmb-ad-join/install-service.sh
+++ b/src/zmb-ad-join/install-service.sh
@ -0,0 +1,154 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+      ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+      apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+      echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+  elif [[ "$f" == "splitdns" ]]; then
+      ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+      ZMB_DNS_BACKEND="BIND9_DLZ"
+      ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+      echo "Unsupported optional feature $f"
+  fi
+done
+
+## configure ntp
+cat << EOF > /etc/ntp.conf
+# Local clock. Note that is not the "localhost" address!
+server 127.127.1.0
+fudge  127.127.1.0 stratum 10
+# Where to retrieve the time from
+server 0.de.pool.ntp.org     iburst prefer
+server 1.de.pool.ntp.org     iburst prefer
+server 2.de.pool.ntp.org     iburst prefer
+driftfile       /var/lib/ntp/ntp.drift
+logfile         /var/log/ntp
+ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
+# Access control
+# Default restriction: Allow clients only to query the time
+restrict default kod nomodify notrap nopeer mssntp
+# No restrictions for "localhost"
+restrict 127.0.0.1
+# Enable the time sources to only provide time to this host
+restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+tinker panic 0
+EOF
+
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+	  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+  cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+  forwarders {
+    $LXC_DNS;
+  };
+  allow-query {  any;};
+  dnssec-validation no;
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved
+rm -f /etc/samba/smb.conf
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
+
+mkdir -p /mnt/sysvol
+
+cat << EOF > /root/.smbcredentials
+username=$ZMB_ADMIN_USER
+password=$ZMB_ADMIN_PASS
+domain=$ZMB_DOMAIN
+EOF
+
+echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab
+
+mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
+
+cat > /etc/cron.d/sysvol-sync << EOF
+*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
+EOF
+
+/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
+
+ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
--- a/src/zmb-ad/constants-service.conf
+++ b/src/zmb-ad/constants-service.conf
@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd splitdns)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary"
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@ -5,18 +5,29 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf

-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"

-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
-  BINDNINE=bind9
-fi
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+    apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+    echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+  elif [[ "$f" == "splitdns" ]]; then
+    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+    ZMB_DNS_BACKEND="BIND9_DLZ"
+    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+    echo "Unsupported optional feature $f"
+  fi
+done

 ## configure ntp
 cat << EOF > /etc/ntp.conf
@ -48,13 +59,26 @@ restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 tinker panic 0
 EOF

+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils

-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
  # configure bind dns service
  cat << EOF > /etc/default/bind9
 #
@ -65,7 +89,7 @@ RESOLVCONF=no
 OPTIONS="-4 -u bind"
 EOF

-cat << EOF > /etc/bind/named.conf.local
+  cat << EOF > /etc/bind/named.conf.local
 //
 // Do any local configuration here
 //
@ -101,9 +125,10 @@ EOF
  mkdir -p /var/lib/samba/bind-dns/dns
 fi

+
+
 # stop + disable samba services and remove default config
-systemctl stop smbd nmbd winbind
-systemctl disable smbd nmbd winbind
+systemctl disable --now smbd nmbd winbind systemd-resolved
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf

@ -113,7 +138,7 @@ samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAI
 cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

 systemctl unmask samba-ad-dc
-systemctl enable samba-ad-dc $BINDNINE
-systemctl restart samba-ad-dc $BINDNINE
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES

-exit 0
+exit 0
--- a/src/zmb-member/constants-service.conf
+++ b/src/zmb-member/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,member,fileserver"
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@ -5,18 +5,18 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf

-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+# add wsdd package repo
+apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list

 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules 
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd

 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
@ -70,12 +70,11 @@ cat > /etc/samba/smb.conf <<EOF
 	printing = bsd
 	disable spoolss = Yes

-	allow trusted domains = No
 	dns proxy = No
 	shadow: snapdir = .zfs/snapshot
 	shadow: sort = desc
 	shadow: format = -%Y-%m-%d-%H%M
-	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20

 [$ZMB_SHARE]
@ -86,8 +85,6 @@ cat > /etc/samba/smb.conf <<EOF
 	directory mask = 0770
 	inherit acls = Yes

-
-
 EOF

 systemctl restart smbd
@ -104,10 +101,9 @@ wbinfo -g
 mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

 # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

-setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-
-systemctl restart smbd nmbd winbind
+setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

+systemctl restart smbd nmbd winbind wsdd
--- a/src/zmb-standalone/constants-service.conf
+++ b/src/zmb-standalone/constants-service.conf
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit"
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# add wsdd package repo
+apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
+echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
+echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
+cat << EOF > /etc/apt/preferences.d/samba
+Package: samba*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
+cat << EOF > /etc/apt/preferences.d/winbind
+Package: winbind*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
+cat << EOF > /etc/apt/preferences.d/cockpit
+Package: cockpit*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
+
+USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
+useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
+echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
+smbpasswd -x $USER
+(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
+
+usermod -aG sudo $USER
+
+cat << EOF | sudo tee -i /etc/samba/smb.conf
+[global]
+    include = registry
+EOF
+
+cat << EOF | sudo tee -i /etc/samba/import.template
+[global]
+    workgroup = WORKGROUP
+    log file = /var/log/samba/log.%m
+    max log size = 1000
+    logging = file
+    panic action = /usr/share/samba/panic-action %d
+    log level = 3
+    server role = standalone server
+    obey pam restrictions = yes
+    unix password sync = yes
+    passwd program = /usr/bin/passwd %u
+    passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+    pam password change = yes
+    map to guest = bad user
+    vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
+    map acl inherit = yes
+    acl_xattr:ignore system acls = yes
+    shadow: snapdir = .zfs/snapshot
+    shadow: sort = desc
+    shadow: format = -%Y-%m-%d-%H%M
+    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
+    shadow: delimiter = -20
+    fruit:encoding = native
+    fruit:metadata = stream
+    fruit:zero_file_id = yes
+    fruit:nfs_aces = no
+EOF
+
+net conf import /etc/samba/import.template
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+net conf setparm $ZMB_SHARE readonly no
+net conf setparm $ZMB_SHARE browseable yes
+net conf setparm $ZMB_SHARE createmask 0660
+net conf setparm $ZMB_SHARE directorymask 0770
+
+systemctl restart smbd nmbd wsdd
--- a/zmb-standalone.sh
+++ b/zmb-standalone.sh
@ -1,44 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba samba-dsdb-modules samba-vfs-modules 
-
-USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
-useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
-echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
-smbpasswd -x $USER
-(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
-
-cat << EOF >> /etc/samba/smb.conf
-[share]
-    comment = Main Share
-    path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-    read only = No
-    vfs objects = shadow_copy2
-    shadow: snapdir = .zfs/snapshot
-    shadow: sort = desc
-    shadow: format = -%Y-%m-%d-%H%M
-    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
-    shadow: delimiter = -20
-EOF
-
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-
-systemctl restart smbd nmbd
Author	SHA1	Message	Date
Thorsten Spille	ff0df2cbff	Merge pull request #78 from diddip21/dev Update kimai	2023-05-23 21:38:10 +02:00
Patrick G	5c555ab5cd	removed lxc mountpoint from kimai works without additional mountpoint	2023-02-13 17:36:19 +01:00
Patrick G	446bea1b89	Update install-service.sh fix permissions error on install kimai	2023-02-13 17:03:11 +01:00
thorstenspille	b56bb14264	Fix user creation	2023-02-12 22:43:33 +01:00
Thorsten Spille	be9c8c79ea	Update constants.conf	2023-02-12 22:32:55 +01:00
thorstenspille	0cf8d9b6eb	Readme: add omada	2023-02-12 15:59:43 +01:00
DerFossibaer	07b229a084	Add new service TP-Link Omada Controller	2023-02-12 15:56:02 +01:00
thorstenspille	57b8159f38	rename jitsi to jitsi-meet	2023-02-12 15:49:27 +01:00
thorstenspille	d6d854577f	zabbix: Fix memory	2023-02-12 15:29:18 +01:00
thorstenspille	1788a4cf63	Add jitsi-meet container	2023-02-12 15:28:59 +01:00
thorstenspille	ccc7bd30b4	zabbix: fin install bug, add web config	2023-02-12 15:11:28 +01:00
thorstenspille	3b2eb57d58	lxc-base: add en_US.UTF-8 as default locale	2023-02-12 15:09:49 +01:00
thorstenspille	02862eb565	zmb-ad-join: set dns server after install	2023-02-12 15:09:17 +01:00
thorstenspille	1c74139ebd	pbs: disable failing zfs services	2023-02-12 11:06:35 +01:00
thorstenspille	49be094d51	open3a: fix ip in finisherd message	2023-02-12 11:06:15 +01:00
thorstenspille	0ecabeac62	matrix: rework, install latest element-web	2023-02-11 16:22:29 +01:00
thorstenspille	b44d99c64b	matrix: add tag element-web	2023-02-11 16:21:46 +01:00
thorstenspille	022871e9d7	kimai: fix ip output in finished message	2023-02-11 16:21:29 +01:00
thorstenspille	befc08fd4c	bookstack: fix ip output in finished message	2023-02-11 16:21:20 +01:00
thorstenspille	498702b394	gitea: add updater called by apt-hook	2023-02-11 14:47:59 +01:00
thorstenspille	522a02352d	bookstack: fix finished message	2023-02-11 14:47:28 +01:00
thorstenspille	965c936109	functions: ignore stderr when generating password	2023-02-11 14:46:56 +01:00
thorstenspille	140f80afb1	install.sh: reboot container at end	2023-02-11 14:45:43 +01:00
thorstenspille	f2ea8da0aa	Merge branch 'dev' of github.com:bashclub/zamba-lxc-toolbox into dev	2023-02-11 13:10:12 +01:00
DerFossibaer	af8370a1ab	Update auf Debian 11	2023-02-11 12:44:54 +01:00
thorstenspille	5759aead8d	checkmk: Set version to current 2.1.0p21	2023-02-11 12:22:19 +01:00
thorstenspille	f75624c1b3	nextcloud: fix trusted_proxies	2023-02-11 12:12:40 +01:00
thorstenspille	0922ef6cb3	Autogenerate Nextcloud admin password	2023-02-10 18:14:37 +01:00
thorstenspille	96ad186289	remove Gänsefüße	2023-02-10 18:14:02 +01:00
thorstenspille	9b2d29257a	Fix tmpl download, min memory support	2023-02-10 18:13:45 +01:00
thorstenspille	395e0b71fa	Fix LXC_MEM in documentation	2023-02-10 18:10:52 +01:00
thorstenspille	19da148310	Add LXC_MEM_MIN to constatns-service.conf	2023-02-10 18:07:46 +01:00
thorstenspille	f70f36550c	matrix: remove jitsi, move to new service	2023-02-10 16:35:33 +01:00
thorstenspille	e9b80979f9	Merge branch 'dev' of github.com:bashclub/zamba-lxc-toolbox into dev	2023-02-10 16:34:32 +01:00
thorstenspille	36130b6e87	nextcloud: change php version to 8.1	2023-02-10 16:34:09 +01:00
DerFossiBaer	cff05a3a5f	Update README.md	2023-02-10 15:32:38 +01:00
thorstenspille	443d708886	Add ecodms container	2023-02-09 20:31:04 +01:00
thorstenspille	8f59fa937b	Install cifs-utils + rsync, add optional features	2023-01-30 19:41:32 +01:00
thorstenspille	ae27f3697b	Add automated tagging	2023-01-24 23:04:00 +01:00
thorstenspille	cc294118ae	Make gitea unprivileged	2023-01-21 02:51:51 +01:00
thorstenspille	ffb88737d1	Move sudo to default toolchain	2023-01-21 02:49:05 +01:00
thorstenspille	7347aaf6d5	Add sudo to standard toolchain	2023-01-21 02:47:26 +01:00
thorstenspille	1d4de5ede7	Add vaultwarden container	2023-01-21 02:30:09 +01:00
Thorsten Spille	afb496daf1	Change mailpiler version to 1.3.12	2023-01-16 09:35:01 +01:00
Thorsten Spille	975480dd7e	open3a: Update version 3.7	2023-01-15 22:31:43 +01:00
Thorsten Spille	455fcb280a	Update constants-service.conf	2023-01-15 22:29:33 +01:00
Thorsten Spille	055f75cec7	Update README.md	2023-01-14 01:43:15 +01:00
thorstenspille	d9de476dbc	Merge branch 'dev' of https://github.com/bashclub/zamba-lxc-toolbox into dev	2023-01-13 19:40:48 +01:00
thorstenspille	75e073c0bc	Add unifi controller	2023-01-13 19:40:37 +01:00
Thorsten Spille	8182c3b95b	Merge pull request #75 from kevinpapst/kimai-readme added kimai to readme	2023-01-12 15:48:06 +01:00
Kevin Papst	b6208be38d	added kimai to readme	2023-01-12 14:57:33 +01:00
thorstenspille	84e595d3bb	kimai: Overwrite .env, instead of append	2023-01-12 14:22:50 +01:00
thorstenspille	0036769cc9	Change kimai branch to main	2023-01-12 13:43:09 +01:00
Thorsten Spille	d6cd7e0d3f	Merge pull request #74 from kevinpapst/kimai Improved Kimai image	2023-01-12 13:06:47 +01:00
Kevin Papst	6986e124f6	Merge remote-tracking branch 'upstream/dev' into kimai # Conflicts: # src/kimai/install-service.sh	2023-01-12 12:47:41 +01:00
Kevin Papst	21db9f37c5	improved kimai image: - reduce upload size for security reasons - added opcache and curl extensions - improve php settings - simplify .env file and fix db connection type - use admin@domain for emails - dynamic php version	2023-01-12 12:44:42 +01:00
thorstenspille	b0400cb347	zammad finetuning	2023-01-11 23:23:56 +01:00
thorstenspille	5d314c05f9	zmb-ad: Update samba to backports	2023-01-11 23:03:30 +01:00
thorstenspille	65050ad33e	zmb-ad-join:: Update samba to backports	2023-01-11 23:03:14 +01:00
thorstenspille	c9037d4d97	zmb-member: Update samba to backports	2023-01-11 23:03:03 +01:00
thorstenspille	666e2b320c	Fix zmb-standalone	2023-01-11 19:58:24 +01:00
thorstenspille	04f55cd566	Add winbind apt pinnung	2023-01-10 22:00:24 +01:00
thorstenspille	439f2ba64b	kimai: Change server version in db config	2023-01-10 21:49:15 +01:00
thorstenspille	4e9af3e391	Redesign of zmb-standalone	2023-01-10 21:43:26 +01:00
thorstenspille	9e74bca205	Add kimai2 container	2023-01-10 00:57:04 +01:00
thorstenspille	21de64cd57	More RAM for trmm	2023-01-09 22:53:09 +01:00
thorstenspille	aea5fad54d	Set sources.list to http	2023-01-09 22:52:45 +01:00
thorstenspille	187a2c79c5	zmb-ad-join: sync sysvol via smb	2023-01-09 22:51:59 +01:00
thorstenspille	fd7d5d7ac9	Fix db password, configure database	2022-07-05 21:01:28 +02:00
thorstenspille	261770dec5	Change password generation to dynamic length	2022-07-05 20:58:03 +02:00
thorstenspille	03ae4f61d5	Add default length for random password	2022-07-05 20:55:57 +02:00
thorstenspille	cd664ba745	Add servicename and ctis to zmb.conf inside ct	2022-07-05 20:55:29 +02:00
thorstenspille	e9200a33ec	Add some bookstack tweaks	2022-06-10 23:47:54 +02:00
thorstenspille	0d227a12f6	Add bookstack conteiner	2022-06-10 22:51:47 +02:00
thorstenspille	4a112950c0	Fix onlyoffice update problem	2022-06-09 22:32:02 +02:00
thorstenspille	442e7a3dd5	Change finished message	2022-06-09 18:54:03 +02:00
thorstenspille	476692b072	No automatic 2FA on admin user creation	2022-06-09 18:26:28 +02:00
thorstenspille	ccfdef4462	zabbix: Fix logfle name & db credentials	2022-06-09 18:14:59 +02:00
thorstenspille	e01a6f67bc	Add tactical rmm container	2022-06-09 18:13:56 +02:00
thorstenspille	f52d8adfa8	Changed open3a version to 3.6	2022-06-09 18:13:34 +02:00
thorstenspille	6a4335c5ec	Remove setting timezone in gitea installer	2022-06-09 18:13:17 +02:00
thorstenspille	2b4a533c95	Add dirmngr to TOOLSET_BASE	2022-06-09 18:12:40 +02:00
thorstenspille	c28bbc32d9	Add Tactical RMM parameters	2022-06-09 18:11:45 +02:00
thorstenspille	9b9354f09c	Add debug param, switch to pct exec	2022-06-09 18:11:24 +02:00
thorstenspille	a36177b8d3	Update README.md	2022-05-23 23:20:49 +02:00
thorstenspille	42d5c05079	Activate all supported languages in zabbix	2022-05-23 23:16:18 +02:00
thorstenspille	a24c78edc2	Add zabbix container	2022-05-23 22:21:07 +02:00
thorstenspille	19feb9b6d5	remove sources.list	2022-05-23 22:20:49 +02:00
thorstenspille	ec8b7cb2f0	Changed apt repo to tu-dresden	2022-05-23 22:20:34 +02:00
thorstenspille	5b01d9b1c7	Integrated shellcheck changes by @fbartels	2022-05-21 23:40:31 +02:00
thorstenspille	bc2640c6dd	Fixed zamba.conf.example	2022-05-21 23:36:18 +02:00
thorstenspille	062c3c9543	Fxed README.md	2022-05-21 23:36:02 +02:00
thorstenspille	51b9573bf0	remove sources.list	2022-05-21 23:35:10 +02:00
thorstenspille	836bae67b3	Updated urbackup to debian11	2022-05-21 19:31:36 +02:00
thorstenspille	60c43dc2bf	Added shellcheck, cheanged debian-security repo	2022-05-21 17:12:33 +02:00
thorstenspille	ad25553747	Added new services to README.md	2022-05-21 15:47:44 +02:00
thorstenspille	68751c63aa	Added gitea container	2022-05-21 15:47:15 +02:00
Thorsten Spille	87dce28123	Merge pull request #67 from bashclub/main Fixed setting of share acls (user = lower case)	2022-05-18 20:33:43 +02:00
Thorsten Spille	2c80504525	Fixed setting of share acls (user = lower case)	2022-05-18 20:32:53 +02:00
Thorsten Spille	cdc9c7bb3a	Update README.md Added kopano and zammad	2022-05-06 00:34:28 +02:00
thorstenspille	86aba998df	Added zammad container #31	2022-05-06 00:27:19 +02:00
Thorsten Spille	4d3e5bc661	Merge pull request #65 from bashclub/main Apply Bugfixes do dev branch	2022-05-05 22:30:36 +02:00
Thorsten Spille	d935b38c86	Update constants-service.conf	2022-04-20 16:16:28 +02:00
Thorsten Spille	0715a4ff97	Update README.md	2022-04-07 16:43:00 +02:00
Thorsten Spille	e81f6c8aff	Update README.md	2022-04-07 16:42:26 +02:00
Thorsten Spille	ff0566817f	Update install.sh	2022-03-29 12:28:47 +02:00
Thorsten Spille	c24520f06c	Fix changed template download with Debian 11.3	2022-03-29 11:41:01 +02:00
Thorsten Spille	2e34f15437	Update install-service.sh	2022-03-15 13:35:57 +01:00
Thorsten Spille	26d2d0e2de	Create install-service.sh	2022-03-15 13:18:57 +01:00
Thorsten Spille	b995bf5283	Create constants-service.conf	2022-03-15 13:18:30 +01:00
DerFossibaer	c1e483c1df	Kopano-core_0.11	2022-02-12 12:50:27 +01:00
DerFossibaer	638621d16e	kopano-core_0.1	2022-02-11 22:34:27 +01:00
DerFossibaer	ffda6e2bb8	kopano-core_0.1	2022-02-11 22:32:38 +01:00
Thorsten Spille	e78ee9e082	Update constants-service.conf	2022-01-31 14:20:55 +01:00
Thorsten Spille	34373ac297	Update zamba.conf.example fixed default values in zamba.conf.example	2022-01-22 17:15:21 +01:00
Thorsten Spille	f742c209f1	Update install-service.sh	2022-01-22 16:20:39 +01:00
Thorsten Spille	712a9c58b7	Update install-service.sh #50	2022-01-21 22:49:07 +01:00
Thorsten Spille	fb47f1e842	Update install-service.sh #50	2022-01-21 22:44:30 +01:00
Thorsten Spille	d34ae27eaf	Update install-service.sh #50	2022-01-21 22:43:11 +01:00
Thorsten Spille	6b7e216494	Update install-service.sh	2022-01-21 22:34:25 +01:00
Thorsten Spille	aea812c9e6	Update install-service.sh removed installation of nfs-common, added --no-install-recommends parameter	2022-01-18 22:18:51 +01:00
Thorsten Spille	21a6af8817	Fixed interactive mode of install.sh	2022-01-17 19:46:06 +01:00
Thorsten Spille	d3297cf36e	Update README.md	2022-01-16 20:24:55 +01:00
Thorsten Spille	f819bbd6cb	Delete proxmox.conf	2022-01-16 15:33:35 +01:00
Thorsten Spille	03d2802c0e	Update install-service.sh Fixed #33	2022-01-16 12:22:31 +01:00
DerFossiBaer	83e81339d0	Delete new-config.py	2022-01-16 01:31:38 +01:00
DerFossiBaer	f3a0ab1d66	Merge pull request #43 from bashclub/2022-01-14 Release 1.0	2022-01-16 01:26:06 +01:00
DerFossibaer	7d7063a242	nextcloud: added high performance backend	2022-01-16 01:24:19 +01:00
Thorsten Spille	7ed7021ee4	Update README.md	2022-01-15 22:05:31 +01:00
thorstenspille	27741f41c2	Release 1.0	2022-01-15 22:01:54 +01:00
thorstenspille	96b2279a3d	zmb-ad: fixed bind9 config	2022-01-15 21:04:03 +01:00
thorstenspille	17deebe9d5	Merge branch '2022-01-14' of https://github.com/bashclub/zamba-lxc-toolbox into 2022-01-14	2022-01-15 20:37:38 +01:00
thorstenspille	c52cb745f9	zmb-standalone: dynamic codname for backports	2022-01-15 20:37:34 +01:00
thorstenspille	ed6e882645	zmb-member: added wsd, debian 11	2022-01-15 20:33:38 +01:00
DerFossibaer	e7f3192a8b	fix ssl	2022-01-15 19:38:49 +01:00
thorstenspille	82836dc94f	Merge branch '2022-01-14' of https://github.com/bashclub/zamba-lxc-toolbox into 2022-01-14	2022-01-15 18:45:46 +01:00
thorstenspille	4f0b47949f	ad: add wsdd, migrate debian 11, configure nginx	2022-01-15 18:45:29 +01:00
DerFossibaer	b790959e95	Merge branch '2022-01-14' of https://github.com/bashclub/zamba-lxc-toolbox into 2022-01-14	2022-01-15 17:02:24 +01:00
DerFossibaer	7d344c78a5	onlyoffice	2022-01-15 17:01:47 +01:00
thorstenspille	24c9b03abe	urbackup: added https proxy, still debian buster	2022-01-15 16:34:45 +01:00
thorstenspille	d2af773363	proxmox-pbs: migration to debian bullseye	2022-01-15 14:20:28 +01:00
thorstenspille	d2ed7cb0e4	open3a: migration to debian bullseye	2022-01-15 14:10:47 +01:00
thorstenspille	e368bbde08	nextcloud: migration to debian bullseye	2022-01-15 13:13:36 +01:00
thorstenspille	9eebc19922	matrix: migrated to debian bullseye	2022-01-15 12:29:43 +01:00
thorstenspille	5a4e678bdf	mailpiler: migration to debian bullseye	2022-01-15 11:04:14 +01:00
thorstenspille	f92635dc58	checkmk: migration to debian bullseye	2022-01-15 11:01:14 +01:00
thorstenspille	5cbe5220fe	checkmk: added features.json and info	2022-01-15 11:00:33 +01:00
thorstenspille	d9a6301013	checkmk set version 2.0.0p18	2022-01-15 10:59:54 +01:00
root	14fbbd6b33	qMerge branch '2022-01-14' of https://github.com/bashclub/zamba-lxc-toolbox into 2022-01-14	2022-01-14 23:34:09 +01:00
DerFossibaer	4380612175	Nesting all to on	2022-01-14 23:26:57 +01:00
DerFossibaer	bda8bb9e86	coder weekend	2022-01-14 22:44:06 +01:00
thorstenspille	f6cafff82e	Added onlyoffice prototype	2021-10-06 20:17:27 +02:00
thorstenspille	f67620a59e	Merge branch 'devel' of https://github.com/bashclub/zamba-lxc-toolbox into devel	2021-10-06 20:16:43 +02:00
Thorsten Spille	3a1ee6a2bf	Merge pull request #36 from diddip21/devel hostname prefix \| summary to pct description	2021-08-13 15:14:25 +02:00
Thorsten Spille	4b651877c0	Merge pull request #38 from bashclub/revert-37-patch-3 Revert "Update install-service.sh"	2021-08-13 15:13:48 +02:00
Thorsten Spille	57e3b458a9	Revert "Update install-service.sh"	2021-08-13 15:13:38 +02:00
Thorsten Spille	965acb6632	Merge pull request #37 from hpannenb/patch-3 Update install-service.sh	2021-08-13 15:09:02 +02:00
Holger Pannenbäcker	0cac5584ef	Update install-service.sh Fixed a typo.	2021-08-13 11:01:18 +02:00
Patrick Greiner	510bdbb1a6	set LXC_HOSTNAME to service name set lxc_locale german	2021-08-07 18:24:56 +02:00
Patrick G	6583b0daad	Update zamba.conf.example	2021-08-06 22:25:41 +02:00
Patrick G	5ad07c9a06	Update README.md	2021-08-06 22:23:12 +02:00
Patrick Greiner	0888e25e9b	merged conf/README.md with zamba.conf.md	2021-08-06 22:06:13 +02:00
Patrick Greiner	f983e33f69	Merge branch 'devel' of https://github.com/diddip21/zamba-lxc-toolbox into devel	2021-08-06 22:01:22 +02:00
Patrick Greiner	98b1bb77d3	added Config check for Timezone and Storages modified Hostname with Service PREFIX "${service}.zmbrocks" fix "pct set -timezone" # timezone switch added in Version 6.3 https://github.com/bashclub/zamba-lxc-toolbox/issues/29 added Set "/root/summary" file from LXC-container as pct description modified updated Matrix Element Version	2021-08-06 22:00:09 +02:00
Thorsten Spille	32036dfb2f	Update zamba.conf.example fixed checkmk instance name	2021-07-29 17:11:45 +02:00
Thorsten Spille	14fc948e57	Update README.md Added checkmk and open3a to list	2021-07-29 15:15:45 +02:00
Thorsten Spille	01460566ed	Update constants-service.conf Changed checkmk version to 2.0.0p8	2021-07-27 12:18:42 +02:00
Thorsten Spille	c52525caf7	Changed matrix notification plugin installation	2021-07-27 11:30:04 +02:00
thorstenspille	dda16d1400	Set defaul language to de_DE.utf-8	2021-07-12 21:24:59 +02:00
thorstenspille	82552e7b3f	changed vlan tag config to one line	2021-07-12 21:13:25 +02:00
thorstenspille	c3429ebbab	Piler version fix	2021-07-12 21:06:16 +02:00
thorstenspille	bfcbce84ee	fixed mailpiler script (latest version)	2021-07-12 20:59:38 +02:00
thorstenspille	44d093d982	Added cockpit + samba manager to zmb-standalone	2021-07-11 23:26:27 +02:00
thorstenspille	f5da57b487	Added matrix notification	2021-05-21 00:01:09 +02:00
thorstenspille	531c87e15e	Fixed rewrite rule	2021-05-20 21:49:26 +02:00
thorstenspille	5656e79578	Added tls configuration + http reewrite to checkmk	2021-05-20 21:45:53 +02:00
thorstenspille	6a4ccb5011	Added checkmk prototype (TLS config left)	2021-05-19 00:10:35 +02:00
thorstenspille	c07a0f8333	Fixed permissions on webroot, added sudo	2021-05-13 21:34:49 +02:00
thorstenspille	fdb7ed6fd0	Fixed permissions on backup folder	2021-05-13 21:32:37 +02:00
thorstenspille	2f4a5a0de5	Added php-gd to open3a installation	2021-05-13 20:17:46 +02:00
thorstenspille	b239b064e2	Added open3a prototype	2021-05-13 14:16:49 +02:00
DerFossiBaer	94a72bff1e	Update install-service.sh Added'trusted_proxies' => array ( '$NEXTCLOUD_REVPROX' ), To enable source IP detection over reverse proxy	2021-05-05 10:39:58 +02:00
DerFossiBaer	8e6c7b5e6a	Update zamba.conf.example Added Nextcloud_RevProx Parameter will used to config a trusted proxy in config.php	2021-05-05 10:35:46 +02:00
DerFossiBaer	3971df5e7c	Update install.sh	2021-05-03 09:02:16 +02:00
DerFossiBaer	6c643e2df6	Update README.md Line 20 - unpriv => priv	2021-05-03 08:47:48 +02:00
DerFossiBaer	da0de14579	Update install-service.sh	2021-05-02 19:43:55 +02:00
DerFossiBaer	90e7134bac	Update install-service.sh Adjust cronjob line 407	2021-05-02 19:33:54 +02:00
thorstenspille	55d50e3ba6	Added command to load constants-service.conf	2021-05-02 19:21:09 +02:00
thorstenspille	2b9dda705c	Added loading constants-service.conf	2021-05-02 17:10:53 +02:00
DerFossiBaer	50fa92b618	Update README.md	2021-05-02 15:10:22 +02:00
DerFossiBaer	833a00e5c7	Update README.md Added nextcloud	2021-05-02 15:10:05 +02:00
DerFossiBaer	cba621ed19	Update README.md Added nextcloud	2021-05-02 01:16:45 +02:00
DerFossiBaer	7bf34a91ab	Update zamba.conf.example Added nextcloud part	2021-05-02 01:10:18 +02:00
DerFossiBaer	168aa38cfd	Create constants-service.conf	2021-05-02 01:06:58 +02:00
DerFossiBaer	735719d600	Create install-service.sh	2021-05-02 01:04:34 +02:00
Thorsten Spille	128231016e	Merge pull request #26 from hpannenb/patch-2 Update README.md	2021-04-29 21:19:14 +02:00
Holger Pannenbäcker	e09a7ab83d	Update README.md Removed typo.	2021-04-29 16:38:15 +02:00
thorstenspille	2d701d4df2	Replaced while loops with more safe for loops	2021-04-27 20:30:28 +02:00
thorstenspille	73e68efc7a	Moved zamba.conf.example to conf folder	2021-04-27 11:17:02 +02:00
thorstenspille	fcaff32462	Updated Changelog	2021-04-27 09:22:49 +02:00
thorstenspille	ce5bcb00f5	Updated zamba.conf.example	2021-04-27 09:22:05 +02:00
thorstenspille	f6913342ed	Added element version to canstants-service.conf	2021-04-27 09:21:46 +02:00
thorstenspille	e8a7539001	moved zamba.conf to archive	2021-04-27 09:21:10 +02:00
thorstenspille	53a95d34e2	Added wsdd to zmb-standalone #25	2021-04-25 19:26:49 +02:00
thorstenspille	43c05b2dea	Added conf folder to .gitignore	2021-04-25 18:20:26 +02:00
thorstenspille	5a42aadb41	Added variable for vim syntax highlighting	2021-04-25 18:19:00 +02:00
thorstenspille	0b51da7ab9	Fixed call of lxc-base.sh	2021-04-25 18:18:30 +02:00
thorstenspille	54648ffec2	Added parameters to install.sh	2021-04-25 18:02:35 +02:00
thorstenspille	d5a56268df	Added conf folder with README	2021-04-25 18:02:04 +02:00
Thorsten Spille	6e313580e1	Update zamba.conf	2021-04-25 14:22:41 +02:00
Thorsten Spille	c56a9a3815	Update README.md	2021-04-24 17:45:06 +02:00
thorstenspille	2d6e9040eb	Complete rework UNTESTED UNFINISHED	2021-04-24 00:00:27 +02:00
thorstenspille	47ab65316c	Merge branch 'devel' of https://github.com/bashclub/zamba-lxc-toolbox into devel	2021-04-23 19:40:03 +02:00
thorstenspille	7eec15df1c	Move Service constants to extra file	2021-04-23 19:39:58 +02:00
Thorsten Spille	a20cf474b4	Merge pull request #24 from bashclub/main Add Fixes from main to devel	2021-04-23 19:24:10 +02:00
Thorsten Spille	3d4b24ca51	Update CHANGELOG.md	2021-04-23 12:08:25 +02:00
Thorsten Spille	3376652bbe	Fixed conatainer id detection Supporting container ids larger than 999.	2021-04-23 12:05:07 +02:00
Thorsten Spille	a543e0a076	Replaced hardcoded sharename by $ZMB_SHARE	2021-04-22 23:16:22 +02:00
Thorsten Spille	5b05d94d64	Update CHANGELOG.md	2021-04-22 21:26:33 +02:00
Thorsten Spille	ae3f6b6509	Merge pull request #23 from diddip21/main added dhcp support	2021-04-22 21:20:33 +02:00
Patrick	584bffc85b	Update install.sh Fix VLAN on dhcp	2021-04-22 21:18:11 +02:00
Patrick Greiner	4a737723a3	added dhcp support	2021-04-22 19:37:46 +02:00