Merge pull request #112 from bashclub/dev

release-1.2

README.md

@@ -29,8 +29,8 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 - `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
 - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
 - `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
-- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
+- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support
-- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
+- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support
 ## Usage
 Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
 ```bash

conf/zamba.conf.example

@@ -25,7 +25,11 @@ LXC_SHAREFS_SIZE="100"
 # Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
 LXC_SHAREFS_STORAGE="local-zfs"
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="tank"
+# Moved to constants-service.conf, be careful if you override this value
+# LXC_SHAREFS_MOUNTPOINT="tank"
+
+# cpu core count (default: 0 = unlimited)
+LXC_THREADS=0
 
 # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
 LXC_MEM=1024
@@ -84,6 +88,9 @@ LXC_VIM_BG_DARK=1
 # Default random password length
 LXC_RANDOMPWD=32
 
+# Move lxc to specific ressource pool
+LXC_RESSOURCE_POOL=""
+
 # Automatically add meta tags to lxc container
 LXC_AUTOTAG=1
 
@@ -108,10 +115,7 @@ ZMB_SHARE="share"
 
 ############### Mailpiler-Section ###############
 
-# Defines the (public) FQDN of your piler mail archive
+PILER_BRANCH=release
-PILER_FQDN="mailpiler.zmb.rocks"
-# Defines the smarthost for piler mail archive
-PILER_SMARTHOST="mail.zmb.rocks"
 
 ############### Matrix-Section ###############
 
@@ -170,6 +174,10 @@ KOPANO_MAILGW="192.168.100.254"
 KOPANO_REPKEY="1234567890abcdefghijklmno"
 
 ############### vaultwarden Section ###############
+
+# Enable/disable signups (true/false)
+VW_SIGNUPS_ALLOWED=false
+
 # Hostname of your mailserver
 VW_SMTP_HOST=mail.bashclub.org
 
@@ -193,3 +201,25 @@ VW_SMTP_USERNAME=vaultwarden@bashclub.org
 
 # password of your mailbox
 VW_SMTP_PASSWORD='<yourEmailPassword>'
+
+############### ansible-semaphore Section ###############
+
+SEMAPHORE_ADMIN=admin
+SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
+SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
+SEMAPHORE_ADMIN_PASSWORD='Start123'
+
+############### docker Section ###############
+
+# Install Portainer (=full), Protainer Agent (=agent) or none
+PORTAINER=none
+
+############### zabbix Section ###############
+
+# (Zabbix Proxy) Name:Port of the zabbix server
+ZBX_ADDR=zabbix.zmb.rocks:10051
+
+############### freescout Section ################
+FS_FIRSTNAME=Max
+FS_LASTNAME=Mustermann
+FS_EMAIL=mail@zmb.rocks

install.sh

@@ -130,24 +130,41 @@ else
 fi
 echo "Will now create LXC Container $LXC_NBR!";
 
+if [ $LXC_THREADS -gt 0 ]; then
+  LXC_CORES=--cores\ $LXC_THREADS
+fi
+
+
+if [[ $LXC_RESSOURCE_POOL != "" ]]; then
+  LXC_POOL=--pool\ $LXC_RESSOURCE_POOL
+fi
+
+
 # Create the container
-pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+set +u
+pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+set -u
 sleep 2;
 
 # Check vlan configuration
 if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
 if [ $LXC_DHCP == true ]; then
  pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
 else
  pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
 fi
+
 sleep 2
 
 if [ $LXC_MP -gt 0 ]; then
-  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
+  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
+  pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
+  dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
+  zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
 fi
+
 sleep 2;
 
 PS3="Select the Server-Function: "
@@ -155,7 +172,7 @@ PS3="Select the Server-Function: "
 pct start $LXC_NBR;
 sleep 5;
 # Set the root ssh key
-pct exec $LXC_NBR -- mkdir /root/.ssh
+pct exec $LXC_NBR -- mkdir -p /root/.ssh
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
 pct push $LXC_NBR "$config" /root/zamba.conf
 pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
@@ -181,3 +198,7 @@ elif [[ $service == "zmb-ad-join" ]]; then
   pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi
 pct start $LXC_NBR
+if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
+  sleep 5
+  pct exec $LXC_NBR /usr/local/bin/smb-backup 7
+fi

src/ansible-semaphore/constants-service.conf

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# Defines the name from the SQL database
+SEMAPHORE_DB_NAME="semaphore"
+
+# Defines the name from the SQL user
+SEMAPHORE_DB_USR="semaphore"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+SEMAPHORE_DB_PWD="$(random_password)"
+
+# service dependent meta tags
+SERVICE_TAGS="postgresql,nginx"

src/ansible-semaphore/install-service.sh

@@ -0,0 +1,222 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip ansible ansible-lint
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER semaphore WITH PASSWORD '${SEMAPHORE_DB_PWD}';"
+psql -c "CREATE DATABASE ${SEMAPHORE_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${SEMAPHORE_DB_USR};"
+echo "Postgres User ${SEMAPHORE_DB_USR} and database ${SEMAPHORE_DB_NAME} created."
+EOF
+
+curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
+
+cat << EOF > /usr/local/bin/update-semaphore
+PATH="/bin:/usr/bin:/usr/local/bin"
+echo "Checking github for new semaphore version"
+current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
+installed_version=\$(semaphore version)
+echo "Installed semaphore version is \$installed_version"
+if [ \$installed_version != \$current_version ]; then
+  echo "New semaphore version \$current_version available. Stopping semaphore.service"
+  systemctl stop semaphore.service
+  echo "Downloading semaphore version \$current_version..."
+  curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
+  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
+  echo "Starting semaphore.service..."
+  systemctl start semaphore.service
+  echo "semaphore update finished!"
+else
+  echo "semaphore version is up-to-date!"
+fi
+EOF
+chmod +x /usr/local/bin/update-semaphore
+
+useradd -m -r -s /bin/bash semaphore
+sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
+
+cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
+DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
+EOF
+chmod +x /etc/apt/apt.conf.d/80-semaphore-apt-hook
+
+cat << EOF > /etc/systemd/system/semaphore.service
+[Unit]
+Description=Semaphore Ansible
+Documentation=https://github.com/semaphoreui/semaphore
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+ExecReload=/bin/kill -HUP \$MAINPID
+ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
+SyslogIdentifier=semaphore
+Restart=always
+User=semaphore
+Group=semaphore
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+mkdir -p /etc/semaphore
+
+cat << EOF > /etc/semaphore/config.json
+{
+ 	"mysql": {
+ 		"host": "",
+ 		"user": "",
+ 		"pass": "",
+ 		"name": "",
+ 		"options": null
+ 	},
+ 	"bolt": {
+ 		"host": "",
+ 		"user": "",
+ 		"pass": "",
+ 		"name": "",
+ 		"options": null
+ 	},
+ 	"postgres": {
+ 		"host": "127.0.0.1:5432",
+ 		"user": "${SEMAPHORE_DB_USR}",
+ 		"pass": "${SEMAPHORE_DB_PWD}",
+ 		"name": "${SEMAPHORE_DB_NAME}",
+ 		"options": {
+ 			"sslmode": "disable"
+ 		}
+ 	},
+ 	"dialect": "postgres",
+ 	"port": "",
+ 	"interface": "",
+ 	"tmp_path": "/tmp/semaphore",
+ 	"cookie_hash": "$(head -c32 /dev/urandom | base64)",
+ 	"cookie_encryption": "$(head -c32 /dev/urandom | base64)",
+ 	"access_key_encryption": "$(head -c32 /dev/urandom | base64)",
+ 	"email_sender": "",
+ 	"email_host": "",
+ 	"email_port": "",
+ 	"email_username": "",
+ 	"email_password": "",
+ 	"web_host": "",
+ 	"ldap_binddn": "",
+ 	"ldap_bindpassword": "",
+ 	"ldap_server": "",
+ 	"ldap_searchdn": "",
+ 	"ldap_searchfilter": "",
+ 	"ldap_mappings": {
+ 		"dn": "",
+ 		"mail": "",
+ 		"uid": "",
+ 		"cn": ""
+ 	},
+ 	"telegram_chat": "",
+ 	"telegram_token": "",
+ 	"slack_url": "",
+ 	"max_parallel_tasks": 0,
+ 	"email_alert": false,
+ 	"email_secure": false,
+ 	"telegram_alert": false,
+ 	"slack_alert": false,
+ 	"ldap_enable": false,
+ 	"ldap_needtls": false,
+ 	"ssh_config_path": "~/.ssh/",
+ 	"demo_mode": false,
+ 	"git_client": ""
+ }
+EOF
+
+if [ -f /etc/nginx/sites-enabled/default ]; then
+  unlink /etc/nginx/sites-enabled/default
+fi
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/semaphore.access.log;
+    error_log /var/log/nginx/semaphore.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/semaphore.access.log;
+    error_log  /var/log/nginx/semaphore.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+EOF
+
+echo "source <(semaphore completion bash)" >> /root/.bashrc
+semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json
+
+
+generate_dhparam
+
+systemctl daemon-reload
+systemctl enable --now semaphore.service
+systemctl restart nginx.service
+
+
+echo -e "\n######################################################################\n\n    Please note this user and password for the semaphore login:\n        '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n                Enjoy your semaphore intallation.\n\n######################################################################"

src/apt/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="srv"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,15 +23,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
-# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+# enable keyctl feature
-PILER_VERSION="1.3.12"
+LXC_KEYCTL="0"
-# Defines the version of sphinx to install
-PILER_SPHINX_VERSION="3.3.1"
-# Defines the php version to install
-PILER_PHP_VERSION="7.4"
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 
 # service dependent meta tags
-SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx"
+SERVICE_TAGS="aptly,nginx"

src/apt/install-service.sh

@@ -0,0 +1,273 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+source /etc/os-release
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
+
+# Create gpg key for apt repo signing
+gpg --batch --gen-key <<EOF
+Key-Type: 1
+Key-Length: 4096
+Subkey-Type: 1
+Subkey-Length: 4096
+Name-Real: ${AM_COMPANY_NAME}
+Name-Email: ${AM_COMPANY_EMAIL}
+Expire-Date: 0
+%no-protection
+EOF
+
+if [ -f /etc/nginx/sites-enabled/default ]; then
+  unlink /etc/nginx/sites-enabled/default
+fi
+
+cat << EOF > /etc/aptly.conf
+{
+  "rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
+  "downloadConcurrency": 4,
+  "downloadSpeedLimit": 0,
+  "architectures": [
+        "amd64",
+        "armhf"
+  ],
+  "dependencyFollowSuggests": false,
+  "dependencyFollowRecommends": false,
+  "dependencyFollowAllVariants": false,
+  "dependencyFollowSource": false,
+  "dependencyVerboseResolve": true,
+  "gpgDisableSign": false,
+  "gpgDisableVerify": false,
+  "gpgProvider": "gpg",
+  "downloadSourcePackages": false,
+  "skipLegacyPool": true,
+  "ppaDistributorID": "$AM_COMPANY_NAME",
+  "ppaCodename": ""
+}
+EOF
+
+cat << EOF > /usr/local/bin/update-apt-mirrors
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+for m in $(aptly mirror list -raw); do
+  aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
+done
+EOF
+
+chmod +x /usr/local/bin/update-apt-mirrors
+
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        # Force HTTPS connection. This rules is domain agnostic
+        if (\$scheme != "https") {
+                rewrite ^ https://\$host\$uri permanent;
+        }
+
+        # SSL configuration
+        #
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+        ssl_protocols TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_dhparam /etc/nginx/dhparam.pem;
+        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+        ssl_session_timeout  10m;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_tickets off; # Requires nginx >= 1.5.9
+        ssl_stapling on; # Requires nginx >= 1.3.7
+        ssl_stapling_verify on; # Requires nginx => 1.3.7
+        resolver 15.137.208.11 15.137.209.11 valid=300s;
+        resolver_timeout 5s;
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+
+        root /var/www/html;
+        index index.html index.htm;
+
+        server_name _;
+
+        location /gpg {
+                autoindex on;
+        }
+
+        location /graph {
+                autoindex on;
+        }
+
+        location / {
+                # First attempt to serve request as file, then
+                # as directory, then fall back to displaying a 404.
+                #try_files \$uri \$uri/ =404;
+                proxy_set_header Host \$host;
+                proxy_set_header X-Real-IP \$remote_addr;
+                proxy_pass http://localhost:8080;
+
+        }
+
+        location /api {
+                proxy_pass http://localhost:8000/api;
+        }
+
+        location /api/graph {
+                return 403;
+        }
+}
+EOF
+
+cat << EOF > /etc/systemd/system/aptly.service
+[Unit]
+Description=Aptly Repository service
+
+[Service]
+User=root
+ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
+KillSignal=SIGTERM
+KillMode=process
+TimeoutStopSec=15s
+
+[Install]
+WantedBy=multi-user.target
+
+EOF
+
+cat << EOF > /etc/systemd/system/aptly-api.service
+[Unit]
+Description=Aptly REST API service
+
+[Service]
+User=root
+ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
+KillSignal=SIGTERM
+KillMode=process
+TimeoutStopSec=15s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /root/mirror-examples
+# import proxmox keyring
+wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
+
+# proxmox 8 no subscription mirror (about 11.5 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
+
+# import debian keyring
+cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
+
+# debian 12 main mirror (about 87 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
+
+# debian 12 contrib mirror (about 600 MB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
+
+# debian 12 non-free mirror (about7,2 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
+
+# debian 12 non-free-firmware mirror (38 Packages)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
+
+# debian 12 update main mirror (about 2,5 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
+
+# debian 12 update contrib mirror (currently empty)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
+
+# debian 12 updates non-free mirror (about 900 MB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
+
+# debian 12 updates non-free-firmware mirror (about 70 MB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
+
+# debian 12 security main mirror (about 5,5 GB)
+aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
+
+# debian 12 security contrib mirror (2 packages)
+aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
+
+# debian 12 security non-free mirror (currently empty)
+aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
+
+# debian 12 security non-free-firmware mirror (1 package)
+aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
+
+# debian 12 backports main mirror (about 14,5 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
+
+# debian 12 backports contrib mirror (about 100 MB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
+
+# debian 12 backports non-free mirror (2 packages)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
+
+# debian 12 backports non-free-firmware mirror (currently empty)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
+EOF
+
+cat << EOF > /usr/local/bin/update-apt-mirrors 
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+for m in \$(aptly mirror list -raw); do
+  aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
+done
+EOF
+
+echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
+
+chmod +x /usr/local/bin/update-apt-mirrors 
+
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
+
+chown -R www-data:www-data /var/www
+
+# Create required webserver folders
+sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
+
+# Export gpg key
+sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
+
+generate_dhparam
+
+systemctl daemon-reload
+systemctl enable --now aptly aptly-api
+systemctl restart nginx
+
+echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."

src/authentik/constants-service.conf

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="docker"

src/authentik/install-service.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+mkdir -p /opt/authentik
+wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
+cd /opt/authentik
+cat << EOF > .env
+PG_PASS=$(pwgen -s 40 1)
+AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+AUTHENTIK_AVATARS=initials
+COMPOSE_PORT_HTTP=80
+COMPOSE_PORT_HTTPS=443
+AUTHENTIK_EMAIL__HOST=
+AUTHENTIK_EMAIL__PORT=
+AUTHENTIK_EMAIL__USERNAME=
+AUTHENTIK_EMAIL__PASSWORD=
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=
+EOF
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your authentik intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
+esac

src/bookstack/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/bookstack/install-service.sh

@@ -16,11 +16,11 @@ webroot=/var/www/bookstack/public
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
-wget -O /opt/wkhtmltox_0.12.6-1.buster_amd64.deb https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.buster_amd64.deb
+curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /opt/wkhtmltox_0.12.6-1.buster_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
 
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 
 PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
@@ -106,9 +106,9 @@ CREATE DATABASE IF NOT EXISTS bookstack;
 GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
 FLUSH PRIVILEGES;"
 
-sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
-sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
-sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
 
 EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
 php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
@@ -178,8 +178,8 @@ WantedBy=multi-user.target
 EOF
 
 systemctl daemon-reload
-systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server
+systemctl enable --now bookstack-queue php${PHP_VERSION:0:3}-fpm nginx redis-server
-systemctl restart php7.4-fpm nginx bookstack-queue redis-server
+systemctl restart php${PHP_VERSION:0:3}-fpm nginx bookstack-queue redis-server
 
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
 

src/checkmk/constants-service.conf

@@ -8,10 +8,15 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="opt"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,8 +24,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # checkmk version
-CMK_VERSION=2.1.0p21
+CMK_VERSION=2.3.0p6
 # build number of the debian package (needs to start with underscore)
 CMK_BUILD=_0
 

src/checkmk/install-service.sh

@@ -23,6 +23,46 @@ cat << EOF > /etc/apache2/sites-available/000-default.conf
 </VirtualHost>
 EOF
 
+cat << EOF > /etc/apache2/sites-available/default-ssl.conf
+<VirtualHost *:443>
+	RewriteEngine On
+	RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
+	RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
+
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www/html
+
+	ErrorLog \${APACHE_LOG_DIR}/error.log
+	CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+	SSLEngine on
+
+	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
+
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+	#SSLCACertificatePath /etc/ssl/certs/
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+</VirtualHost>
+EOF
+
 a2enmod ssl
 a2enmod rewrite
 a2ensite default-ssl

src/constants.conf

@@ -8,4 +8,4 @@
 # This file contains the project constants on container level
 
 # Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert"
+LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux"

src/debian-priv/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512
 

src/debian-unpriv/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512
 

src/docker/constants-service.conf

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS=""

src/docker/install-service.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac

src/ecodms/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,8 +23,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # set ecodms release version
-ECODMS_RELEASE=ecodms_220864
+ECODMS_RELEASE=ecodms_230164
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=6144

src/freescout/constants-service.conf

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"

src/freescout/install-service.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+webroot=/var/www/html
+
+LXC_RANDOMPWD=20
+MYSQL_PASSWORD="$(random_password)"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git
+
+
+echo ‘cgi.fix_pathinfo=0’ >> /etc/php/8.2/fpm/php.ini
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot/freescout/public;
+
+    index index.php index.html index.htm;
+
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+    client_max_body_size 20M;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ .php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+    	include fastcgi_params;
+    }
+    
+    location ^~ /storage/app/attachment/ {
+        internal;
+        alias /var/www/html/storage/app/attachment/;
+    }
+    
+    location ~* ^/storage/attachment/ {
+        expires 1M;
+        access_log off;
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+    
+    location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
+        expires 2d;
+        access_log off;
+        add_header Cache-Control "public, must-revalidate";
+    }
+    
+    # The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
+    location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
+        add_header Content-disposition "attachment; filename=\$2";
+        default_type application/octet-stream;
+    }	
+    
+    location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\\\\]+\..*)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+    }
+    
+    location ~ /\. {
+        deny  all;
+    }
+}
+
+EOF
+
+rm /var/www/html/*nginx*.html
+mkdir -p /etc/nginx/ssl
+ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+
+mysql -uroot -e "CREATE USER 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
+GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS freescout;
+GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
+
+curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
+cd $webroot
+tar -vxf freescout.tar.gz
+dir=$(ls -d freescout-helpdesk-freescout*)
+mv -v $dir freescout
+chown -R www-data:www-data /var/www/html
+find /var/www/html -type f -exec chmod 664 {} \;    
+find /var/www/html -type d -exec chmod 775 {} \;
+cd $webroot/freescout
+APP_KEY=$(sudo -u www-data php artisan key:generate --show)
+sudo -u www-data sed -e "s|APP_URL=.*|APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}|" -e "s|DB_DATABASE=|DB_DATABASE=freescout|" -e "s|DB_USERNAME=|DB_USERNAME=freescout|" -e "s|DB_PASSWORD=|DB_PASSWORD=${MYSQL_PASSWORD}|" -e "s|APP_KEY=|APP_KEY=${APP_KEY}|" .env.example > .env
+sudo -u www-data php artisan freescout:clear-cache
+sudo -u www-data php artisan storage:link
+sudo -u www-data php artisan migrate -n --force
+FS_PASSWORD=$(random_password)
+sudo -u www-data php artisan freescout:create-user -n --role=admin --firstName=$FS_FIRSTNAME --lastName=$FS_LASTNAME --email=$FS_EMAIL --password=$FS_PASSWORD
+
+cat << EOF > /etc/cron.d/freescout 
+* * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
+EOF
+
+systemctl enable --now php8.2-fpm
+systemctl restart php8.2-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your freescout installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttps://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\t$FS_EMAIL\nPassword:\t$FS_PASSWORD\n"

src/functions.sh

@@ -5,5 +5,27 @@ LXC_RANDOMPWD=32
 
 random_password() {
     set +o pipefail
-    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
+    LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
+}
+
+generate_dhparam() {
+    openssl dhparam -out /etc/nginx/dhparam.pem 2048
+    cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
+mv /etc/nginx/dhparam.gen /etc/nginx/dhparam.pem
+systemctl restart nginx
+EOF
+    chmod +x /etc/cron.monthly/generate-dhparams
+}
+
+apt_repo() {
+    apt_name=$1
+    apt_key_url=$2
+    apt_key_path=/usr/share/keyrings/${apt_name}.gpg
+    apt_repo_url=$3
+
+    wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
+    echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
+
 }

src/gitea/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the IP from the SQL server
 GITEA_DB_IP="127.0.0.1"
 

src/gitea/install-service.sh

@@ -9,11 +9,11 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
-echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
 
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
-echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 
 apt update
 
@@ -120,6 +120,10 @@ chown -R root:git /etc/gitea
 chmod 770 /etc/gitea
 chmod 770 /etc/gitea/app.ini
 
+if [ -f /etc/nginx/sites-enabled/default ]; then
+  unlink /etc/nginx/sites-enabled/default
+fi
+
 cat << EOF > /etc/nginx/conf.d/default.conf
 server {
     listen 80;
@@ -177,7 +181,7 @@ server {
 }
 
 EOF
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+generate_dhparam
 
 systemctl daemon-reload
 systemctl enable --now gitea

src/kimai/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,11 +23,14 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
-KIMAI_VERSION="main"
+#KIMAI_VERSION="main"
 
 # Defines the php version to install
-KIMAI_PHP_VERSION="8.1"
+KIMAI_PHP_VERSION="8.2"
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

src/kimai/install-service.sh

@@ -14,14 +14,14 @@ source /root/constants-service.conf
 KIMAI_DB_PWD=$(random_password)
 webroot=/var/www/kimai/public
 
-wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
-echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip php8.1-opcache php8.1-curl
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
 
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 
 PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
@@ -132,7 +132,12 @@ rm composer-setup.php
 mv composer.phar /usr/local/bin/composer
 
 cd /var/www
-git clone https://github.com/kimai/kimai.git --branch $KIMAI_VERSION --depth 1
+dl=$(curl -s https://api.github.com/repos/kimai/kimai/releases/latest | grep tarball_url | cut -d'"' -f4)
+version=$(echo $dl | rev | cut -d'/' -f1 | rev)
+wget -O kimai-${version}.tar.gz ${dl}
+tar xfz kimai-${version}.tar.gz
+rm kimai-${version}.tar.gz
+mv kimai-* kimai
 cd kimai
 
 # Install kimai composer dependencies
@@ -142,7 +147,7 @@ export COMPOSER_ALLOW_SUPERUSER=1
 # Copy and update kimai environment variables
 cat << EOF > .env
 # For more infos about the variables, see .env.dist
-DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.8
+DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.11.3
 MAILER_FROM=admin@$LXC_DOMAIN
 MAILER_URL=null://null
 APP_ENV=prod
@@ -150,14 +155,14 @@ APP_SECRET=$(random_password)
 CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
 EOF
 
-chown -R www-data:www-data .
-chmod -R g+r .
-chmod -R g+rw var/
-
 bin/console kimai:install -n
 
 bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
 
+chown -R www-data:www-data .
+chmod -R g+r .
+chmod -R g+rw var/
+
 systemctl daemon-reload
 systemctl enable --now php${PHP_VERSION}-fpm nginx
 systemctl restart php${PHP_VERSION}-fpm nginx

src/kopano-core/constants-service.conf

@@ -11,7 +11,11 @@
 LXC_TEMPLATE_VERSION="debian-11-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 KOPANO_VERSION="latest"
 

src/kopano-core/install-service.sh

@@ -149,7 +149,7 @@ sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kop
 #### Adjust nginx settings ####
 
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
-openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+generate_dhparam
 
 #mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 
@@ -187,7 +187,7 @@ server {
     ssl_prefer_server_ciphers on;
     #
     # ssl_dhparam require you to create a dhparam.pem, this takes a long time
-    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    ssl_dhparam /etc/nginx/dhparam.pem;
     #
  
     # add headers

src/lxc-base.sh

@@ -24,27 +24,39 @@ EOF
 locale-gen $LXC_LOCALE 
 
 # Generate sources
-if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
+if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
 
 cat << EOF > /etc/apt/sources.list
-deb http://debian.inf.tu-dresden.de/debian bullseye main contrib
+deb http://deb.debian.org/debian/ buster main contrib
 
-deb http://debian.inf.tu-dresden.de/debian bullseye-updates main contrib
+deb http://deb.debian.org/debian/ buster-updates main contrib
 
 # security updates
-deb http://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib
+deb http://security.debian.org/debian-security buster/updates main contrib
 EOF
 
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
 
 cat << EOF > /etc/apt/sources.list
-deb http://debian.inf.tu-dresden.de/debian buster main contrib
+deb http://deb.debian.org/debian/ bullseye main contrib
 
-deb http://debian.inf.tu-dresden.de/debian buster-updates main contrib
+deb http://deb.debian.org/debian/ bullseye-updates main contrib
 
 # security updates
-deb http://debian.inf.tu-dresden.de/debian-security buster/updates main contrib
+deb http://security.debian.org/debian-security bullseye-security main contrib
 EOF
+
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb http://deb.debian.org/debian/ bookworm main contrib
+
+deb http://deb.debian.org/debian/ bookworm-updates main contrib
+
+# security updates
+deb http://security.debian.org/debian-security bookworm-security main contrib
+EOF
+
 else echo "LXC Debian Version false. Please check configuration files!" ; exit
 fi
 

src/mailcow/constants-service.conf

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=8192
+
+# service dependent meta tags
+SERVICE_TAGS="docker"

src/mailcow/install-service.sh

@@ -0,0 +1,438 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+cd /opt
+git clone https://github.com/mailcow/mailcow-dockerized
+cd mailcow-dockerized
+
+cat << EOF > mailcow.conf
+# ------------------------------
+# mailcow web ui configuration
+# ------------------------------
+# example.org is _not_ a valid hostname, use a fqdn here.
+# Default admin user is "admin"
+# Default password is "moohoo"
+
+MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
+
+# Password hash algorithm
+# Only certain password hash algorithm are supported. For a fully list of supported schemes,
+# see https://docs.mailcow.email/models/model-passwd/
+MAILCOW_PASS_SCHEME=BLF-CRYPT
+
+# ------------------------------
+# SQL database configuration
+# ------------------------------
+
+DBNAME=mailcow
+DBUSER=mailcow
+
+# Please use long, random alphanumeric strings (A-Za-z0-9)
+
+DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+
+# ------------------------------
+# HTTP/S Bindings
+# ------------------------------
+
+# You should use HTTPS, but in case of SSL offloaded reverse proxies:
+# Might be important: This will also change the binding within the container.
+# If you use a proxy within Docker, point it to the ports you set below.
+# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
+# IMPORTANT: Do not use port 8081, 9081 or 65510!
+# Example: HTTP_BIND=1.2.3.4
+# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
+# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
+
+HTTP_PORT=80
+HTTP_BIND=
+
+HTTPS_PORT=443
+HTTPS_BIND=
+
+# ------------------------------
+# Other bindings
+# ------------------------------
+# You should leave that alone
+# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
+
+SMTP_PORT=25
+SMTPS_PORT=465
+SUBMISSION_PORT=587
+IMAP_PORT=143
+IMAPS_PORT=993
+POP_PORT=110
+POPS_PORT=995
+SIEVE_PORT=4190
+DOVEADM_PORT=127.0.0.1:19991
+SQL_PORT=127.0.0.1:13306
+SOLR_PORT=127.0.0.1:18983
+REDIS_PORT=127.0.0.1:7654
+
+# Your timezone
+# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
+# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
+
+TZ=${LXC_TIMEZONE}
+
+# Fixed project name
+# Please use lowercase letters only
+
+COMPOSE_PROJECT_NAME=mailcowdockerized
+
+# Used Docker Compose version
+# Switch here between native (compose plugin) and standalone
+# For more informations take a look at the mailcow docs regarding the configuration options.
+# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
+# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
+
+DOCKER_COMPOSE_VERSION=native
+
+# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
+# When enabled, ACL can be created, that apply to "All authenticated users"
+# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
+# Otherwise a user might share data with too many other users.
+ACL_ANYONE=disallow
+
+# Garbage collector cleanup
+# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
+# How long should objects remain in the garbage until they are being deleted? (value in minutes)
+# Check interval is hourly
+
+MAILDIR_GC_TIME=7200
+
+# Additional SAN for the certificate
+#
+# You can use wildcard records to create specific names for every domain you add to mailcow.
+# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
+#ADDITIONAL_SAN=imap.*,smtp.*
+# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
+# plus every domain you add in the future.
+#
+# You can also just add static names...
+#ADDITIONAL_SAN=srv1.example.net
+# ...or combine wildcard and static names:
+#ADDITIONAL_SAN=imap.*,srv1.example.com
+#
+
+ADDITIONAL_SAN=
+
+# Additional server names for mailcow UI
+#
+# Specify alternative addresses for the mailcow UI to respond to
+# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
+# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
+# You can understand this as server_name directive in Nginx.
+# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
+
+ADDITIONAL_SERVER_NAMES=
+
+# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
+
+SKIP_LETS_ENCRYPT=y
+
+# Create seperate certificates for all domains - y/n
+# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
+# see https://doc.dovecot.org/admin_manual/ssl/sni_support
+ENABLE_SSL_SNI=n
+
+# Skip IPv4 check in ACME container - y/n
+
+SKIP_IP_CHECK=n
+
+# Skip HTTP verification in ACME container - y/n
+
+SKIP_HTTP_VERIFICATION=n
+
+# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
+
+SKIP_CLAMD=n
+
+# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
+
+SKIP_SOGO=n
+
+# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
+
+SKIP_SOLR=n
+
+# Solr heap size in MB, there is no recommendation, please see Solr docs.
+# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
+
+SOLR_HEAP=1024
+
+# Allow admins to log into SOGo as email user (without any password)
+
+ALLOW_ADMIN_EMAIL_LOGIN=n
+
+# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
+
+USE_WATCHDOG=y
+
+# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
+# CAUTION:
+# 1. You should use external recipients
+# 2. Mails are sent unsigned (no DKIM)
+# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
+# Multiple rcpts allowed, NO quotation marks, NO spaces
+
+#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
+#WATCHDOG_NOTIFY_EMAIL=
+
+# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
+# You can use this to send notifications to services like Discord, Slack and others.
+#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# JSON body included in the webhook POST request. Needs to be in single quotes.
+# Following variables are available: SUBJECT, BODY
+#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
+
+# Notify about banned IP (includes whois lookup)
+WATCHDOG_NOTIFY_BAN=n
+
+# Send a notification when the watchdog is started.
+WATCHDOG_NOTIFY_START=y
+
+# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
+#WATCHDOG_SUBJECT=
+
+# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
+# https://www.servercow.de/mailcow?lang=en
+# https://www.servercow.de/mailcow?lang=de
+# No data is collected. Opt-in and anonymous.
+# Will only work with unmodified mailcow setups.
+WATCHDOG_EXTERNAL_CHECKS=n
+
+# Enable watchdog verbose logging
+WATCHDOG_VERBOSE=n
+
+# Max log lines per service to keep in Redis logs
+
+LOG_LINES=9999
+
+# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
+# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
+
+IPV4_NETWORK=172.22.1
+
+# Internal IPv6 subnet in fc00::/7
+# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
+
+IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
+
+# Use this IPv4 for outgoing connections (SNAT)
+
+#SNAT_TO_SOURCE=
+
+# Use this IPv6 for outgoing connections (SNAT)
+
+#SNAT6_TO_SOURCE=
+
+# Create or override an API key for the web UI
+# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
+# An API key defined as API_KEY has read-write access
+# An API key defined as API_KEY_READ_ONLY has read-only access
+# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
+# You can define API_KEY and/or API_KEY_READ_ONLY
+
+#API_KEY=
+#API_KEY_READ_ONLY=
+#API_ALLOW_FROM=172.22.1.1,127.0.0.1
+
+# mail_home is ~/Maildir
+MAILDIR_SUB=Maildir
+
+# SOGo session timeout in minutes
+SOGO_EXPIRE_SESSION=480
+
+# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
+# Empty by default to auto-generate master user and password on start.
+# User expands to DOVECOT_MASTER_USER@mailcow.local
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_USER=
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_PASS=
+
+# Let's Encrypt registration contact information
+# Optional: Leave empty for none
+# This value is only used on first order!
+# Setting it at a later point will require the following steps:
+# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
+ACME_CONTACT=
+
+# WebAuthn device manufacturer verification
+# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_ONLY_TRUSTED_VENDORS=n
+
+# Spamhaus Data Query Service Key
+# Optional: Leave empty for none
+# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist. 
+# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
+# Otherwise it will work normally.
+SPAMHAUS_DQS_KEY=
+
+EOF
+
+cat << EOF > data/conf/nginx/redirect.conf
+server {
+  root /web;
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  include /etc/nginx/conf.d/server_name.active;
+  if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
+  location ^~ /.well-known/acme-challenge/ {
+    allow all;
+    default_type "text/plain";
+  }
+  location / {
+    return 301 https://\$host\$uri\$is_args\$args;
+  }
+}
+EOF
+
+cat << EOF > /etc/cron.daily/mailcowbackup
+#!/bin/sh
+
+# Backup mailcow data
+# https://docs.mailcow.email/backup_restore/b_n_r-backup/
+
+set -e
+
+OUT="\$(mktemp)"
+export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
+SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
+PARAMETERS="backup all"
+OPTIONS="--delete-days 7"
+mkdir -p \$MAILCOW_BACKUP_LOCATION
+
+# run command
+set +e
+"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
+RESULT=\$?
+
+if [ \$RESULT -ne 0 ]
+    then
+            echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
+            echo "RESULT=\$RESULT"
+            echo "STDOUT / STDERR:"
+            cat "\$OUT"
+fi
+EOF
+
+chmod +x /etc/cron.daily/mailcowbackup
+
+cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
+#!/bin/bash
+if ! which check_mk_agent ; then
+  cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
+  status=\$?
+  if [ \$status -eq 3 ]; then
+    state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
+  elif [ \$status -eq 0 ]; then
+    state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
+  else
+    state="3 \"mailcow_update\" - Unknown output from update script ..."
+  fi
+  echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
+  mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
+fi
+exit
+EOF
+chmod +x /etc/cron.daily/checkmk-mailcow-update-check
+
+chmod 600 mailcow.conf
+
+mkdir -p data/assets/ssl
+
+openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
+
+openssl dhparam -out data/assets/ssl/dhparams.pem 2048
+cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
+mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
+systemctl restart nginx
+EOF
+chmod +x /etc/cron.monthly/generate-dhparams
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac

src/mailpiler/install-service.sh

@@ -1,189 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/functions.sh
-source /root/zamba.conf
-source /root/constants-service.conf
-
-HOSTNAME=$(hostname -f)
-
-echo "Ensure your Hostname is set to your Piler FQDN!"
-
-echo $HOSTNAME
-
-if 
-    [ "$HOSTNAME" != "$PILER_FQDN" ]
-then
-        echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit
-else
-        echo "Hostname matches $PILER_FQDN, so starting installation."
-fi
-
-# install php
-wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
-echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
-
-apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
-add-apt-repository "deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian $(lsb_release -cs) main"
-
-apt update
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \
-unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \
-mariadb-server default-libmysqlclient-dev python3-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \
-php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix
-
-cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
-innodb_buffer_pool_size=256M
-innodb_flush_log_at_trx_commit=1
-innodb_log_buffer_size=64M
-innodb_log_file_size=16M
-query_cache_size=0
-query_cache_type=0
-query_cache_limit=2M
-EOF
-
-systemctl restart mariadb
-
-cd /tmp
-wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
-tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
-
-groupadd piler
-useradd -g piler -m -s /bin/bash -d /var/piler piler
-usermod -L piler
-chmod 755 /var/piler
-
-if [[ "$PILER_VERSION" == "latest" ]]; then
-        URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
-        PILER_VERSION=$(echo $URL | cut -d'-' -f2 | cut -d'.' -f1-3)
-        wget -O piler-$PILER_VERSION.tar.gz $URL
-else
-        wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
-fi
-tar -xvzf piler-$PILER_VERSION.tar.gz
-cd piler-$PILER_VERSION/
-./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
-make
-make install
-ldconfig
-
-cp util/postinstall.sh util/postinstall.sh.bak
-sed -i "s/   PILER_SMARTHOST=.*/   PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
-sed -i 's/   WWWGROUP=.*/   WWWGROUP="www-data"/' util/postinstall.sh
-
-make postinstall
-
-cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
-sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
-sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
-
-su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
-
-/etc/init.d/rc.piler start
-/etc/init.d/rc.searchd start
-
-update-rc.d rc.piler defaults
-update-rc.d rc.searchd defaults
-
-mkdir -p /etc/nginx/ssl
-openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
-
-cd /etc/nginx/sites-available
-cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
-ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
-
-sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
-sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
-
-sed -i "/server_name.*/a \\
-        listen 443 ssl http2;\n\n\
-        ssl_certificate /etc/nginx/ssl/piler.crt;\n\
-        ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
-        ssl_session_timeout 1d;\n\
-        ssl_session_cache shared:SSL:15m;\n\
-        ssl_session_tickets off;\n\n\
-        # modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
-        ssl_protocols TLSv1.2 TLSv1.3;\n\
-        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
-        ssl_prefer_server_ciphers off;\n\n\
-        add_header X-Frame-Options SAMEORIGIN;\n\
-        add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
-
-sed -i "/^server {.*/i\
-server {\n\
-        listen 80;\n\
-        server_name _;\n\
-        server_tokens off;\n\
-        # HTTP to HTTPS redirect.\n\
-        return 301 https://$PILER_FQDN;\n\
-}" /etc/nginx/sites-available/piler-nginx.conf
-
-unlink /etc/nginx/sites-enabled/default
-
-cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
-sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
-cat >> /usr/local/etc/piler/config-site.php <<EOF
-
-// CUSTOM
-\$config['PROVIDED_BY'] = '$PILER_FQDN';
-\$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
-\$config['COMPATIBILITY'] = '';
-
-// fancy features.
-\$config['ENABLE_INSTANT_SEARCH'] = 1;
-\$config['ENABLE_TABLE_RESIZE'] = 1;
-
-\$config['ENABLE_DELETE'] = 1;
-\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
-
-// general settings.
-\$config['TIMEZONE'] = '$LXC_TIMEZONE';
-
-// authentication
-// Enable authentication against an imap server
-//\$config['ENABLE_IMAP_AUTH'] = 1;
-//\$config['RESTORE_OVER_IMAP'] = 1;
-//\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
-//\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
-//\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['IMAP_PORT'] =  993;
-//\$config['IMAP_SSL'] = true;
-
-// authentication against an ldap directory (disabled by default)
-//\$config['ENABLE_LDAP_AUTH'] = 1;
-//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['LDAP_PORT'] = 389;
-//\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
-//\$config['LDAP_MAIL_ATTR'] = 'mail';
-//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
-//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
-//\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
-
-// authentication against an Uninvention based ldap directory 
-//\$config['ENABLE_LDAP_AUTH'] = 1;
-//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['LDAP_PORT'] = 7389;
-//\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
-//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
-//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
-//\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
-//\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
-//\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
-//\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
-
-// special settings.
-\$config['MEMCACHED_ENABLED'] = 1;
-\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
-EOF
-
-nginx -t && systemctl restart nginx

src/matrix/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/matrix/install-service.sh

@@ -27,7 +27,7 @@ systemctl enable matrix-synapse
 
 ss -tulpen
 
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
 
 cat > /etc/nginx/sites-available/$MATRIX_FQDN <<EOF
@@ -120,10 +120,10 @@ cd /var/www
 wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
 gpg --import element-release-key.asc
 
-MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/vector-im/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
+MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/element-hq/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
 
-wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
-wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 
 tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz

src/nextcloud/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,11 +23,14 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 NEXTCLOUD_VERSION="latest"
 
 # Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.1"
+NEXTCLOUD_PHP_VERSION="8.2"
 
 # Defines the IP from the SQL server
 NEXTCLOUD_DB_IP="127.0.0.1"

src/nextcloud/install-service.sh

@@ -14,19 +14,19 @@ source /root/constants-service.conf
 
 HOSTNAME=$(hostname -f)
 
-wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
 echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 
-wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
 echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
 
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
 echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 
 apt update
 
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
-postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
+postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
 
 timedatectl set-timezone $LXC_TIMEZONE
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
@@ -76,7 +76,7 @@ sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXT
 sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
@@ -90,7 +90,7 @@ sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/
 
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
-openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+generate_dhparam
 
 mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 
@@ -113,6 +113,9 @@ set_real_ip_from 127.0.0.1;
 real_ip_header X-Forwarded-For;
 real_ip_recursive on;
 include /etc/nginx/mime.types;
+types {
+        text/javascript mjs;
+    }
 default_type application/octet-stream;
 sendfile on;
 send_timeout 3600;
@@ -136,6 +139,10 @@ cat > /etc/nginx/conf.d/http.conf << EOF
 upstream php-handler {
 server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
 }
+map \$arg_v \$asset_immutable {
+    "" "";
+    default "immutable";
+}
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
@@ -160,7 +167,7 @@ ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
 #ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
 #ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
 #ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
-ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_dhparam /etc/nginx/dhparam.pem;
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
@@ -171,13 +178,15 @@ ssl_prefer_server_ciphers on;
 ssl_stapling on;
 ssl_stapling_verify on;
 client_max_body_size 5120M;
+client_body_timeout 300s;
+client_body_buffer_size 512k;
 fastcgi_buffers 64 4K;
 gzip on;
 gzip_vary on;
 gzip_comp_level 4;
 gzip_min_length 256;
 gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
 add_header Permissions-Policy                   "interest-cohort=()";
 add_header Referrer-Policy                      "no-referrer"   always;
@@ -230,10 +239,13 @@ fastcgi_pass php-handler;
 fastcgi_intercept_errors on;
 fastcgi_request_buffering off;
 }
-location ~ \.(?:css|js|svg|gif)\$ {
+location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
 try_files \$uri /index.php\$request_uri;
 expires 6M;
 access_log off;
+    location ~ \.wasm$ {
+            default_type application/wasm;
+        }
 }
 location ~ \.woff2?\$ {
 try_files \$uri /index.php\$request_uri;

src/omada/constants-service.conf

@@ -11,7 +11,11 @@
 LXC_TEMPLATE_VERSION="debian-11-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 

src/omada/install-service.sh

@@ -10,20 +10,14 @@ set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-
+wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
-wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
-add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
+wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
-
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
-wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://www.mongodb.org/static/pgp/server-4.4.asc
+echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
-
+echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
-echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq adoptopenjdk-8-hotspot jsvc mongodb-org
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
-
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
-DL=$(wget -O - -q  https://www.tp-link.com/de/support/download/omada-software-controller/ 2>/dev/null | grep Download-Detail-Software_Omada-Software-Controller | grep "Linux_x64.deb" | head -1 | cut -d'"' -f6)
-
-wget -O /tmp/omada.deb -q $DL
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /tmp/omada.deb

src/onlyoffice/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 ONLYOFFICE_DB_HOST=localhost
 
 ONLYOFFICE_DB_NAME=onlyoffice

src/onlyoffice/install-service.sh

@@ -11,7 +11,7 @@ source /root/constants-service.conf
 
 ONLYOFFICE_DB_PASS=$(random_password)
 
-apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
+curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null
 echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
 
 cat > /etc/apt/preferences.d/onlyoffice << EOF
@@ -45,7 +45,7 @@ ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
 ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
 EOF
 
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 
 rm /etc/nginx/conf.d/ds.conf

src/open3a/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/open3a/install-service.sh

@@ -16,9 +16,9 @@ MYSQL_PASSWORD="$(random_password)"
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
 
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 
 cat << EOF > /etc/nginx/sites-available/default
@@ -45,7 +45,7 @@ server {
 
     location ~ .php$ {
         include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
     }
 }
 
@@ -57,7 +57,7 @@ CREATE DATABASE IF NOT EXISTS open3a;
 GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
 
 cd $webroot
-wget https://www.open3a.de/download/open3A%203.7.zip -O $webroot/open3a.zip
+wget https://www.open3a.de/download/open3A%204.0.zip -O $webroot/open3a.zip
 unzip open3a.zip
 rm open3a.zip
 chmod 666 system/DBData/Installation.pfdb.php
@@ -76,8 +76,8 @@ localhost                               &%%%&open3a              &%%%&$MYSQL_PAS
 */ ?>
 EOF
 
-systemctl enable --now php7.4-fpm
+systemctl enable --now php8.2-fpm
-systemctl restart php7.4-fpm nginx
+systemctl restart php8.2-fpm nginx
 
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
 

src/piler/constants-service.conf

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/piler"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb,manticore"

src/piler/install-service.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+source zamba.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
+
+echo -e "Installation of piler finished."
+echo -e "\nFor administration please visit the following Website:"
+echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/"
+echo -e "\nLogin with following credentials:"
+echo -e "\tUser: admin@local"
+echo -e "\tPass: pilerrocks"
+echo -e "\n\nPlease have a look the the GOBD notes (in German):"
+echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/gobd"

src/proxmox-pbs/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Backup ubdir where Urbackup will store backups
 PBS_DATA="backup"
 

src/proxmox-pbs/install-service.sh

@@ -15,7 +15,7 @@ cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list
 deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
 EOF
 
-wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
+wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
 
 apt update && apt upgrade -y
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server

src/rei3/constants-service.conf

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+REI3_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+REI3_DB_PORT="5432"
+
+# Defines the name from the SQL database
+REI3_DB_NAME="app"
+
+# Defines the name from the SQL user
+REI3_DB_USR="rei3"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+REI3_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="postgresql"

src/rei3/install-service.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+mkdir /opt/rei3
+wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg
+echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${REI3_DB_USR} WITH PASSWORD '${REI3_DB_PWD}';"
+psql -c "CREATE DATABASE ${REI3_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${REI3_DB_USR};"
+psql -c "GRANT ALL PRIVILEGES ON DATABASE ${REI3_DB_NAME} TO ${REI3_DB_USR};"
+echo "Postgres User ${REI3_DB_USR} and database ${REI3_DB_NAME} created."
+EOF
+
+cp /opt/rei3/config_template.json /opt/rei3/config.json
+chmod u+x /opt/rei3/r3
+
+sed -i 's/"user": "app",/"user": "'${REI3_DB_USR}'",/g' /opt/rei3/config.json 
+sed -i 's/"pass": "app",/"pass": "'${REI3_DB_PWD}'",/g' /opt/rei3/config.json 
+
+/opt/rei3/r3 -install
+#/opt/rei/r3 -newadmin
+systemctl start rei3

src/unifi/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 

src/unifi/install-service.sh

@@ -11,12 +11,12 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
+wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
-wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
+wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
 
-echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
+echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
-echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
+echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unifi
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi

src/urbackup/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,11 +23,14 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Backup ubdir where Urbackup will store backups
 URBACKUP_DATA="urbackup"
 
 # OS codename for opensuse / urbackup repo
-REPO_CODENAME="Debian_11"
+REPO_CODENAME="Debian_12"
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

src/urbackup/install-service.sh

@@ -11,7 +11,7 @@ source /root/constants-service.conf
 
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
-mkdir /etc/urbackup
+mkdir -p /etc/urbackup
 echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
 
 echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
@@ -20,7 +20,7 @@ curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
 
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 
 ln -s /usr/share/urbackup/www /var/www/urbackup

src/vaultwarden/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the name from the SQL database
 VAULTWARDEN_DB_NAME="vaultwarden"
 

src/vaultwarden/install-service.sh

@@ -18,7 +18,7 @@ systemctl enable --now postgresql
 wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
 chmod +x docker-image-extract
 ./docker-image-extract vaultwarden/server:alpine
-mkdir /opt/vaultwarden
+mkdir -p /opt/vaultwarden
 mkdir -p /var/lib/vaultwarden/data
 useradd vaultwarden
 chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
@@ -40,7 +40,7 @@ ORG_CREATION_USERS=admin@$LXC_DOMAIN
 # Use `openssl rand -base64 48` to generate
 ADMIN_TOKEN=$admin_token
 # Uncomment this once vaults restored
-SIGNUPS_ALLOWED=false
+SIGNUPS_ALLOWED=$VW_SIGNUPS_ALLOWED
 SMTP_HOST=$VW_SMTP_HOST
 SMTP_FROM=$VW_SMTP_FROM
 SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
@@ -64,7 +64,6 @@ Group=vaultwarden
 EnvironmentFile=/var/lib/vaultwarden/.env
 ExecStart=/opt/vaultwarden/vaultwarden
 LimitNOFILE=1048576
-LimitNPROC=64
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
@@ -154,7 +153,10 @@ server {
 }
 
 EOF
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+generate_dhparam
+
+unlink /etc/nginx/sites-enabled/default
 
 systemctl daemon-reload
 systemctl enable --now vaultwarden

src/zabbix-proxy/constants-service.conf

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="data"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix_proxy"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"
+
+ZABBIX_VERSION=7.0 #zabbix 7 beta
+POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"

src/zabbix-proxy/install-service.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
+apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
+psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
+echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
+EOF
+
+cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
+
+srv=$(grep -E "^Server" /etc/zabbix/zabbix_proxy.conf)
+sed -i "s/$srv/Server=${ZBX_ADDR}/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# ListenPort=/ListenPort=/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/Hostname=Zabbix proxy/Hostname=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
+
+mkdir -p /var/lib/zabbix
+chown -R zabbix:zabbix /var/lib/zabbix/
+chmod 700 /var/lib/zabbix/
+
+
+psk=$(openssl rand -hex 32)
+echo "$psk" > /var/lib/zabbix/proxy.psk
+chown zabbix:zabbix /var/lib/zabbix/proxy.psk
+chmod 600 /var/lib/zabbix/proxy.psk
+
+sed -i "s/# TLSConnect=unencrypted/TLSConnect=psk/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
+
+systemctl enable zabbix-proxy zabbix-agent2
+
+systemctl restart zabbix-proxy zabbix-agent2 
+
+echo -e "Installation of zabbix-proxy finished."
+echo -e "\nPlease register the Proxy on yout zabbix server with following data:"
+echo -e "Proxy name:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
+echo -e "Proxy mode: Active"
+echo -e "Proxy address:\t$(ip a s dev eth0 | grep -m1 inet | cut -d ' ' -f6 | cut -d'/' -f1)"
+echo -e "Encryption:\tPSK"
+echo -e "PSK identity:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
+echo -e "PSK:\t\t${psk}"

src/zabbix/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="data"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 
 # Defines the IP from the SQL server
 ZABBIX_DB_IP="127.0.0.1"
@@ -35,6 +42,11 @@ ZABBIX_DB_USR="zabbix"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 ZABBIX_DB_PWD="$(random_password)"
 
+ZABBIX_VERSION=7.0 #zabbix 7 beta
+POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
+PHP_VERSION=8.2 # debian 12 default
+TS_VERSION=2.14.2 # currently latest by zabbix supported version of timescaledb (2024-05-13)
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 

src/zabbix/install-service.sh

@@ -5,20 +5,20 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
-echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
+apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
-
+apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main"
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
-echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 
 apt update
 
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent ssl-cert
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
 
 unlink /etc/nginx/sites-enabled/default
 
@@ -122,7 +122,7 @@ server {
 }
 EOF
 
-cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf
+cat << EOF > /etc/php/$PHP_VERSION/fpm/pool.d/zabbix-php-fpm.conf
 [zabbix]
 user = www-data
 group = www-data
@@ -220,10 +220,17 @@ sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
 
 zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
 
+timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
+
+systemctl restart postgresql
+
+echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
+cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
 echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
 
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+generate_dhparam
 
-systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm 
+systemctl enable nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 
 
-systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm 
+systemctl restart nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 > /dev/null 2>&1

src/zammad/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 

src/zammad/install-service.sh

@@ -9,32 +9,16 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key
+curl -fsSL https://dl.packager.io/srv/zammad/zammad/key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/pkgr-zammad.gpg > /dev/null
-apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch
+curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor | tee /etc/apt/trusted.gpg.d/elasticsearch.gpg> /dev/null
-wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main"| tee -a /etc/apt/sources.list.d/elastic-7.x.list > /dev/null
-echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/pkgr-zammad.gpg] https://dl.packager.io/srv/deb/zammad/zammad/stable/debian 12 main"| tee /etc/apt/sources.list.d/zammad.list > /dev/null
+
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
 
 
-cat << EOF >>/etc/hosts
-0.0.0.0 image.zammad.com
-0.0.0.0 images.zammad.com
-0.0.0.0 geo.zammad.com
-0.0.0.0 www.zammad.com
-0.0.0.0 www.zammad.org
-0.0.0.0 www.zammad.net
-0.0.0.0 www.zammad.de
-0.0.0.0 zammad.com
-0.0.0.0 zammad.org
-0.0.0.0 zammad.net
-0.0.0.0 zammad.de
-#
-127.0.0.1 elasticsearch
-0.0.0.0 geoip.elastic.co
-EOF
-
 # Java set startup environment 
 mkdir -p /etc/elasticsearch/jvm.options.d
 cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
@@ -44,127 +28,36 @@ cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
 -Xmx1g
 EOF
 
-# configurwe nginx
+# configure nginx
-rm -f /etc/nginx/sites-enabled/default
+generate_dhparam
 
-cat << EOF > /etc/nginx/sites-available/zammad.conf
+unlink /etc/nginx/sites-enabled/default
-upstream zammad-railsserver {
+unlink /etc/nginx/sites-enabled/zammad.conf
-  server 127.0.0.1:3000;
-}
 
-upstream zammad-websocket {
+mkdir -p /etc/nginx/ssl
-  server 127.0.0.1:6042;
+ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
-}
+ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
 
-server {
+sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
-    listen 80;
+ -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
-    listen [::]:80;
+ -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
-    server_name _;
+ -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
+ /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
 
-    server_tokens off;
+ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
 
-    access_log /var/log/nginx/zammad.access.log;
-    error_log /var/log/nginx/zammad.error.log;
 
-    location /.well-known/ {
+# configure elasticsearch
-        root /var/www/html;
+/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
-    }
-
-    return 301 https://\$host\$request_uri;
-}
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    server_name _;
-    
-    server_tokens off;
-    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-
-    ssl_protocols TLSv1.3 TLSv1.2;
-    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
-    ssl_dhparam /etc/nginx/dhparam.pem;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 180m;
-
-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    resolver 1.1.1.1 1.0.0.1;
-#
-#  https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
-#
-    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
-    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
-    add_header Referrer-Policy "strict-origin";
-    add_header X-Frame-Options DENY;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection "1; mode=block";
-    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
-    add_header Strict-Transport-Security "max-age=31536000" always;
-
-    location = /robots.txt  {
-    access_log off; log_not_found off;
-    }
-
-    location = /favicon.ico {
-    access_log off; log_not_found off;
-    }
-
-    root /opt/zammad/public;
-
-    access_log /var/log/nginx/zammad.access.log;
-    error_log  /var/log/nginx/zammad.error.log;
-
-    client_max_body_size 50M;
-
-    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
-    expires max;
-    }
-
-    location /ws {
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade \$http_upgrade;
-    proxy_set_header Connection "Upgrade";
-    proxy_set_header CLIENT_IP \$remote_addr;
-    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto	\$scheme;
-    proxy_read_timeout 86400;
-    proxy_pass http://zammad-websocket;
-    }
-
-    location / {
-    proxy_set_header Host \$http_host;
-    proxy_set_header CLIENT_IP \$remote_addr;
-    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto	\$scheme;
-
-    # change this line in an SSO setup
-    proxy_set_header X-Forwarded-User "";
-
-    proxy_read_timeout 180;
-    proxy_pass http://zammad-railsserver;
-
-    gzip on;
-    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
-    gzip_proxied any;
-    }
-}
-EOF
-
-ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
-
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
 
 systemctl enable elasticsearch.service
 systemctl restart nginx elasticsearch.service
 
 # Elasticsearch conntact to Zammad
-/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
+zammad run rails r "Setting.set('es_url', 'http://127.0.0.1:9200')"
-zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
 zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
 zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
 systemctl restart elasticsearch.service
-zammad run rake searchindex:rebuild
+zammad run rake zammad:searchindex:rebuild[$(nproc)]

src/zmb-ad-join/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # add optional features to samba ad dc
 
 # CURRENTLY SUPPORTED:
@@ -29,7 +36,7 @@ LXC_NESTING="1"
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

src/zmb-ad-join/install-service.sh

@@ -15,8 +15,6 @@ for f in ${OPTIONAL_FEATURES[@]}; do
   if [[ "$f" == "wsdd" ]]; then
       ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
       ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
-      apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
-      echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
   elif [[ "$f" == "splitdns" ]]; then
       ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
       ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
@@ -29,38 +27,41 @@ for f in ${OPTIONAL_FEATURES[@]}; do
   fi
 done
 
-## configure ntp
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-# No restrictions for "localhost"
-restrict 127.0.0.1
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-tinker panic 0
-EOF
-
-echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 	  cat << EOF > /etc/nginx/sites-available/default
 server {
@@ -123,11 +124,15 @@ cat > /etc/krb5.conf <<EOF
 EOF
 
 # stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 
 echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
-samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
+samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
+
+
+rm /etc/krb5.conf
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 
 mkdir -p /mnt/sysvol
 
@@ -142,13 +147,75 @@ echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0"
 mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
 
 cat > /etc/cron.d/sysvol-sync << EOF
-*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
+*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol; if ! /usr/bin/samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then /usr/bin/samba-tool ntacl sysvolreset ; fi
 EOF
 
 /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
 
+if ! samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then
+  samba-tool ntacl sysvolreset
+fi
+
 ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
 
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=$1
+if \$1 ; then
+  keep=\$1
+fi
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF

src/zmb-ad/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # add optional features to samba ad dc
 
 # CURRENTLY SUPPORTED:
@@ -29,7 +36,7 @@ LXC_NESTING="1"
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

src/zmb-ad/install-service.sh

@@ -15,8 +15,6 @@ for f in ${OPTIONAL_FEATURES[@]}; do
   if [[ "$f" == "wsdd" ]]; then
     ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
     ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
-    apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
-    echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
   elif [[ "$f" == "splitdns" ]]; then
     ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
     ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
@@ -29,44 +27,40 @@ for f in ${OPTIONAL_FEATURES[@]}; do
   fi
 done
 
-## configure ntp
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-
-# No restrictions for "localhost"
-restrict 127.0.0.1
-
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-
-tinker panic 0
-EOF
-
-echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
 
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
   cat << EOF > /etc/nginx/sites-available/default
@@ -125,20 +119,76 @@ EOF
   mkdir -p /var/lib/samba/bind-dns/dns
 fi
 
-
-
 # stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf
 
 # provision zamba domain
 samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
 
-cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+# disable password expiry for administrator
+samba-tool user setexpiry Administrator --noexpiry
 
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
 
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF
+
 exit 0

src/zmb-cups/constants-service.conf

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,member,cups,printserver"

src/zmb-cups/install-service.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+apt update
+
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+klist
+
+mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
+cat > /etc/samba/smb.conf <<EOF
+[global]
+	workgroup = $ZMB_DOMAIN
+	security = ADS
+	realm = $ZMB_REALM
+	server string = %h server
+
+	vfs objects = acl_xattr shadow_copy2
+	map acl inherit = Yes
+	store dos attributes = Yes
+	idmap config *:backend = tdb
+	idmap config *:range = 3000000-4000000
+	idmap config *:schema_mode = rfc2307
+
+	winbind refresh tickets = Yes
+	winbind use default domain = Yes
+	winbind separator = /
+	winbind nested groups = yes
+	winbind nss info = rfc2307
+
+	pam password change = Yes
+	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+	passwd program = /usr/bin/passwd %u
+
+	template homedir = /home/%U
+	template shell = /bin/bash
+	bind interfaces only = Yes
+	interfaces = lo eth0
+	log file = /var/log/samba/log.%m
+	logging = syslog
+	max log size = 1000
+	panic action = /usr/share/samba/panic-action %d
+
+	dns proxy = No
+	shadow: snapdir = .zfs/snapshot
+	shadow: sort = desc
+	shadow: format = -%Y-%m-%d-%H%M
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+	shadow: delimiter = -20
+	
+	printing = CUPS
+	rpcd_spoolss:idle_seconds=300
+	rpcd_spoolss:num_workers = 10
+	spoolss: architecture = Windows x64
+
+[printers]
+	path = /${LXC_SHAREFS_MOUNTPOINT}/spool
+	printable = yes
+
+[print$]
+	path = /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+	read only = no
+
+EOF
+
+systemctl restart smbd
+
+echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
+sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
+sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
+echo -e "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
+
+systemctl restart winbind nmbd
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
+cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
+chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
+systemctl disable --now cups-browsed.service
+
+cupsctl --remote-admin
+
+systemctl restart cups smbd nmbd winbind wsdd

src/zmb-member/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/zmb-member/install-service.sh

@@ -9,14 +9,12 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-# add wsdd package repo
+# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
-apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
-echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
-echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
@@ -98,7 +96,7 @@ systemctl restart winbind nmbd
 wbinfo -u
 wbinfo -g
 
-mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
 # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
 chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

src/zmb-standalone/constants-service.conf

@@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/zmb-standalone/install-service.sh

@@ -9,34 +9,16 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-# add wsdd package repo
-apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
 apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
 echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
-echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
-echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 
-cat << EOF > /etc/apt/preferences.d/samba
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
-Package: samba*
-Pin: release a=$(lsb_release -cs)-backports
-Pin-Priority: 900
-EOF
-
-cat << EOF > /etc/apt/preferences.d/winbind
-Package: winbind*
-Pin: release a=$(lsb_release -cs)-backports
-Pin-Priority: 900
-EOF
-
-cat << EOF > /etc/apt/preferences.d/cockpit
-Package: cockpit*
-Pin: release a=$(lsb_release -cs)-backports
-Pin-Priority: 900
-EOF
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
 
 USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')