Complete rework UNTESTED UNFINISHED

archive/debian-unpriv.sh

@@ -5,12 +5,19 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
-dpkg-reconfigure locales
-
 source /root/zamba.conf
+source /root/proxmox.conf
 
-# Set Timezone
+sed -i "s/^#.$HOST_LOCALE/$HOST_LOCALE/" /etc/locale.gen
-ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
+locale-gen $HOST_LOCALE
+
+sed -i "s/^#.$LXC_LOCALE/$LXC_LOCALE/" /etc/locale.gen
+locale-gen $LXC_LOCALE
+echo LANG=$LXC_LOCALE > /etc/default/locale
+echo LANGUAGE=$LXC_LOCALE >> /etc/default/locale
+export LANG=$LXC_LOCALE
+export LANGUAGE=$LXC_LOCALE
+export LC_CTYPE=C
 
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade

install.sh

@@ -16,50 +16,37 @@
 
 ############### ZAMBA INSTALL SCRIPT ###############
 
+if [[ "$2" == *".conf" ]]; then
+  CONF=$2
+else
+  CONF=zamba.conf
+fi
+
 # Load configuration file
-source $PWD/zamba.conf
+source $PWD/$CONF
 
+OPTS=$(ls -d $PWD/src/*/ | grep -v __ | xargs basename -a)
 
-select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
+if [ -z ${1+x} ]; then
-  case $opt in
+  if [[ $opt in $OPTS ]]; then
-    debian-unpriv)
+    echo "Configuring '$opt' container..."
-      echo "Debian-only LXC container unprivileged mode selected"
+  else
-      break
+    echo "Invalid option: '$opt', exiting..."
-      ;;
+    exit 1
-    debian-priv)
+  fi
-      echo "Debian-only LXC container privileged mode selected"
+else
-      break
+  select opt in $OPTS quit; do
-      ;;
+    if [[ $opt in $OPTS ]]; then
-    zmb-standalone)
+      echo "Configuring '$opt' container..."
-      echo "Configuring LXC container '$opt'!"
+    elif [[ "$opt" == "quit" ]]; then
-      break
+      echo "'quit' selected, exiting..."
-      ;;
-    zmb-member)
-      echo "Configuring LXC container '$opt'!"
-      break
-      ;;
-    zmb-ad)
-      echo "Selected Zamba AD DC"
-      break
-      ;;
-    mailpiler)
-      echo "Configuring LXC container for '$opt'!"
-      break
-      ;;
-    matrix)
-      echo "Install Matrix chat server and element web service"
-      break
-      ;;
-    quit)
-      echo "Script aborted by user interaction."
       exit 0
-      ;;
+    else
-    *)
+      echo "Invalid option, exiting..."
-      echo "Invalid option! Exiting..."
       exit 1
-      ;;
+    fi
-    esac
+  done
-done
+fi
 
 source $PWD/src/$opt/constants-service.conf
 
@@ -119,7 +106,7 @@ echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
 lxc-attach -n$LXC_NBR mkdir -p /root/.ssh;
 pct push $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
 pct push $LXC_NBR $PWD/src/sources.list /etc/apt/sources.list
-pct push $LXC_NBR $PWD/zamba.conf /root/zamba.conf
+pct push $LXC_NBR $PWD/$CONF /root/zamba.conf
 pct push $LXC_NBR $PWD/src/constants.conf /root/constants.conf
 pct push $LXC_NBR $PWD/src/lxc-base.sh /root/lxc-base.sh
 pct push $LXC_NBR $PWD/src/$opt/install-service.sh /root/install-service.sh

new-config.py

@@ -0,0 +1,136 @@
+#!/usr/bin/python3
+import os
+from src import config_base, menu
+
+# Check installation of zfs-auto-snapshot, if not installed, just notify user
+config_base.check_zfs_autosnapshot()
+    
+cfg = {}
+# set template storage
+t_storages = config_base.get_pve_storages(content=config_base.PveStorageContent.vztmpl)
+if len(t_storages.keys()) > 1:
+    t_stors={}
+    for st in t_storages.keys():
+        t_stors[st] = f"driver: {t_storages[st]['driver']}\tfree space: {int(t_storages[st]['available'])/1024/1024:.2f} GB"
+    cfg['LXC_TEMPLATE_STORAGE'] = menu.radiolist("Select container template storage", "Please choose the storage, where your container templates are stored.", t_stors)
+elif len(t_storages.keys()) == 1:
+    cfg['LXC_TEMPLATE_STORAGE'] = next(iter(t_storages))
+else:
+    print("Could not find any storage enabled for container templates. Please ensure your storages are configured properly.")
+    os._exit(1)
+
+# get zmb service
+cfg['ZMB_SERVICE'] = menu.radiolist("Select service","Please choose the service to install:", config_base.get_zmb_services())
+
+# get static ct features
+ct_features = config_base.get_ct_features(cfg["ZMB_SERVICE"])
+cfg['LXC_UNPRIVILEGED'] = ct_features['unprivileged']
+# get ct id
+cfg['LXC_NBR'] = menu.question("Container ID", f"Please select an ID for the {cfg['ZMB_SERVICE']} container.", menu.qType.Integer, config_base.get_ct_id(), config_base.validate_ct_id)
+
+# configure rootfs
+r_storages = config_base.get_pve_storages(driver=config_base.PveStorageType.zfspool,content=config_base.PveStorageContent.rootdir)
+if len(r_storages.keys()) > 1:
+    r_stors = {}
+    for st in r_storages.keys():
+        r_stors[st] = f"driver: {r_storages[st]['driver']}\tfree space: {int(r_storages[st]['available'])/1024/1024:.2f} GB"
+    cfg['LXC_ROOTFS_STORAGE'] = menu.radiolist("Select rootfs storage", "Please choose the storage for your container's rootfs",r_stors)
+elif len(r_storages.keys()) == 1:
+    cfg['LXC_ROOTFS_STORAGE'] = next(iter(r_storages))
+else:
+    print("Could not find any storage enabled for container filesystems. Please ensure your storages are configured properly.")
+    os._exit(1)
+
+cfg['LXC_ROOTFS_SIZE'] = menu.question("Set rootfs size","Please type in the desired rootfs size (GB)", menu.qType.Integer,32)
+
+# create additional mountpoints
+if 'size' in ct_features['sharefs'].keys():
+    f_storages = config_base.get_pve_storages(driver=config_base.PveStorageType.zfspool,content=config_base.PveStorageContent.rootdir)
+    if len(f_storages.keys()) > 1:
+        f_stors = {}
+        for st in f_storages.keys():
+            f_stors[st] = f"driver: {f_storages[st]['driver']}\tfree space: {int(f_storages[st]['available'])/1024/1024:.2f} GB"
+        cfg['LXC_SHAREFS_STORAGE'] = menu.radiolist("Select sharefs storage", "Please choose the storage of your shared filesystem", f_stors)
+    elif len(r_storages.keys()) == 1:
+        cfg['LXC_SHAREFS_STORAGE'] = next(iter(f_storages))
+    else:
+        print("Could not find any storage enabled for container filesystems. Please ensure your storages are configured properly.")
+        os._exit(1)
+    cfg['LXC_SHAREFS_SIZE'] = menu.question("Select sharefs size","Please type in the desired size (GB) of your shared filesystem", menu.qType.Integer,ct_features['sharefs']['size'])
+    cfg['LXC_SHAREFS_MOUNTPOINT'] = menu.question("Select sharefs mountpoint","Please type in the folder where to mount your shared filesystem inside the container.", menu.qType.String,ct_features['sharefs']['mountpoint'])
+
+# configure ram and swap
+cfg['LXC_MEM'] = menu.question("Set container RAM", "Please type in the desired amount of RAM for the container (MB)",menu.qType.Integer,ct_features["mem"])
+cfg['LXC_SWAP'] = menu.question("Set container Swap", "Please type in the desired amount of Swap for the container (MB)",menu.qType.Integer,ct_features["swap"])
+cfg['LXC_HOSTNAME'] = menu.question("Set container Hostname", "Please type in the desired hostname of the container",menu.qType.String,ct_features['hostname'])
+cfg['LXC_DOMAIN'] = menu.question("Set container search domain", "Please type in the search domain of your network.", menu.qType.String,ct_features['domain'])
+cfg['LXC_TIMEZONE'] = 'host' # TODO
+cfg['LXC_LOCALE'] = "de_DE.utf8" # TODO
+
+# get pve bridge
+bridges = config_base.get_pve_bridges()
+if len(bridges) > 1:
+    cfg['LXC_BRIDGE'] = menu.radiolist("Select PVE Network Bridge", f"Please select the network bridge to connect the {cfg['ZMB_SERVICE']} container",bridges)
+elif len(bridges) == 1:
+    cfg['LXC_BRIDGE'] = bridges[0]
+else:
+    print("Could not find any bridge device to connect container. Please ensure your networksettings are configured properly.")
+    os._exit(1)
+
+cfg['LXC_VLAN'] = menu.question("Set vlan tag", "You you want to tag your container's network to a vlan? (0 = untagged, 1 - 4094 = tagged vlan id)",menu.qType.Integer,0, config_base.validate_vlan)
+
+# configure network interface
+if  cfg['ZMB_SERVICE'] != 'zmb-ad':
+    enable_dhcp = menu.question("Set network mode", "Do you want to configure the network interface in dhcp mode?",menu.qType.Boolean,default=True)
+else:
+    enable_dhcp = False
+if enable_dhcp == True:
+    cfg["LXC_NET_MODE"] = 'dhcp'
+else:
+    cfg["LXC_NET_MODE"] = 'static'
+    cfg["LXC_IP"] = menu.question("Set interface IP Addess", "Pleace type in the containers IP address (CIDR Format).",menu.qType.String,default='10.10.10.10/8')
+    cfg["LXC_GW"] = menu.question("Set interface default gateway", "Pleace type in the containers default gateway.",menu.qType.String,default='10.10.10.1')
+cfg['LXC_DNS']  = menu.question("Set containers dns server", "Pleace type in the containers dns server. ZMB AD will use this as dns forwarder",menu.qType.String,default='10.10.10.1')
+
+cfg['LXC_PWD'] = menu.question("Set root password", "Please type in the containers root password", menu.qType.String,default='')
+cfg['LXC_AUTHORIZED_KEY'] = menu.question ("Set authorized_keys file to import", "Please select authorized_keys file to import.", menu.qType.String, default='~/.ssh/authorized_keys')
+
+os.system('clear')
+print (f"#### Zamba LXC Toolbox ####\n")
+print (f"GLOBAL CONFIGURATION:")
+print (f"\tct template storage:\t{cfg['LXC_TEMPLATE_STORAGE']}")
+print (f"\nCONTAINER CONFIGURATION:")
+print (f"\tzmb service:\t\t{cfg['ZMB_SERVICE']}")
+print (f"\tcontainer id:\t\t{cfg['LXC_NBR']}")
+print (f"\tunprivileged:\t\t{cfg['LXC_UNPRIVILEGED']}")
+for feature in ct_features['features'].keys():
+    if feature == 'nesting':
+        cfg['LXC_NESTING'] = ct_features['features'][feature]
+        print (f"\t{feature}:\t\t{cfg['LXC_NESTING']}")
+print (f"\tcontainer memory:\t{cfg['LXC_MEM']} MB")
+print (f"\tcontainer swap:\t\t{cfg['LXC_SWAP']} MB")
+print (f"\tcontainer hostname:\t{cfg['LXC_HOSTNAME']}")
+print (f"\tct search domain:\t{cfg['LXC_DOMAIN']}")
+print (f"\tcontainer timezone\t{cfg['LXC_TIMEZONE']}")
+print (f"\tcontainer language\t{cfg['LXC_LOCALE']}")
+print (f"\nSTORAGE CONFIGURATION:")
+print (f"\trootfs storage:\t\t{cfg['LXC_ROOTFS_STORAGE']}")
+print (f"\trootfs size:\t\t{cfg['LXC_ROOTFS_SIZE']} GB")
+if 'size' in ct_features['sharefs'].keys():
+    print (f"\tsharefs storage:\t{cfg['LXC_SHAREFS_STORAGE']}")
+    print (f"\tsharefs size:\t\t{cfg['LXC_SHAREFS_SIZE']} GB")
+    print (f"\tsharefs mountpoint:\t{cfg['LXC_SHAREFS_MOUNTPOINT']}")
+print (f"\nNETWORK CONFIGURATION:")
+print (f"\tpve bridge:\t\t{cfg['LXC_BRIDGE']}")
+if cfg['LXC_VLAN'] > 0:
+    print (f"\tcontainer vlan:\t\t{cfg['LXC_VLAN']}")
+else:
+    print (f"\tcontainer vlan:\t\tuntagged")
+print (f"\tnetwork mode:\t\t{cfg['LXC_NET_MODE']}")
+if enable_dhcp == False:
+    print (f"\tip address (CIDR):\t{cfg['LXC_IP']}")
+    print (f"\tdefault gateway:\t{cfg['LXC_GW']}")
+    print (f"\tdns server / forwarder:\t{cfg['LXC_GW']}")
+print (f"\nCONTAINER CREDENTIALS:")
+print (f"\troot password:\t\t{cfg['LXC_PWD']}")
+print (f"\tauthorized ssh keys:\t{cfg['LXC_AUTHORIZED_KEY']}")

proxmox.conf

@@ -0,0 +1 @@
+HOST_LOCALE=de_DE.UTF-8

src/config_base.py

@@ -0,0 +1,121 @@
+#!/usr/bin/python3
+from pathlib import Path
+import os
+import ipaddress
+import socket
+import json
+import subprocess
+from enum import Enum
+
+def check_zfs_autosnapshot():
+    proc = subprocess.Popen(["dpkg","-l","zfs-auto-snapshot"],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
+    proc.communicate()
+    if proc.returncode > 0:
+        print ("'zfs-auto-snapshot' is NOT installed on your system. This ist required for 'previous versions' feature in Zamba containers.\nYou can install it with the following command:\n\tapt install zfs-auto-snapshot\n")
+        input ("Press Enter to continue...")
+
+# get_pve_bridges queries and returns availabe Proxmox bridges
+def get_pve_bridges():
+    pve_bridges=[]
+    ifaces=os.listdir(os.path.join("/","sys","class","net"))
+    for iface in ifaces:
+        if "vmbr" in iface:
+            pve_bridges.append(iface)
+    return pve_bridges
+
+# get_pve_storages queries and returns available Proxmox bridges
+def get_pve_storages(driver=None,content=None):
+    pve_storages={}
+    cmd = ["pvesm","status","--enabled","1"]
+    if content != None:
+        cmd.extend(["--content",content.name])
+    result = subprocess.Popen(cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE).communicate()
+    stdout = result[0].decode("utf-8").split('\n')
+    for line in filter(lambda x: len(x)>0, stdout):
+        if not "Status" in line:
+            item = [x for x in line.split(' ') if x.strip()]
+            storage = {}
+            storage["driver"] = item[1]
+            storage["status"] = item[2]
+            storage["total"] = item[3]
+            storage["used"] = item[4]
+            storage["available"] = item[5]
+            storage["percent_used"] = item[6]
+
+            if driver == None:
+                pve_storages[item[0]] = storage
+            else:
+                if driver.name == storage["driver"]:
+                    pve_storages[item[0]] = storage
+
+    return pve_storages
+
+# get_zmb_services queries and returns available Zamba services
+def get_zmb_services():
+    zmb_services={}
+    for item in Path.iterdir(Path.joinpath(Path.cwd(),"src")):
+        if Path.is_dir(item) and "__" not in item.name:
+            with open(os.path.join(item._str, "info"),"r") as info:
+                description = info.read()
+                zmb_services[item.name] = description
+    return zmb_services
+
+# get_ct_id queries and returns the next available container id
+def get_ct_id(base="ct"):
+    with open("/etc/pve/.vmlist","r") as v:
+        vmlist_json = json.loads(v.read())
+    ct_id = 100
+    for cid in vmlist_json["ids"].keys():
+        if int(cid) > ct_id and base == "ct" and vmlist_json["ids"][cid]["type"] == "lxc":
+            ct_id = int(cid)
+        elif int(cid) > ct_id and base == "all":
+            ct_id = int(cid)
+    while True:
+        ct_id = ct_id + 1
+        if ct_id not in vmlist_json["ids"].keys():
+            break
+    return ct_id
+
+# validate_ct_id queries if ct_id is available and returns as boolean
+def validate_ct_id(ct_id:int):
+    with open("/etc/pve/.vmlist","r") as v:
+        vmlist_json = json.loads(v.read())
+    ct_id = str(ct_id)
+    if int(ct_id) >= 100 and int(ct_id) <= 999999999 and ct_id not in vmlist_json["ids"].keys():
+        return True
+    else:
+        return False
+
+def validate_vlan(tag:int):
+    if int(tag) >= 1 and int(tag) <= 4094:
+        return True
+    else:
+        return False
+
+def get_ct_features(zmb_service):
+    with open(Path.joinpath(Path.cwd(),"src",zmb_service,"features.json")) as ff:
+        return json.loads(ff.read())
+
+
+class PveStorageContent(Enum):
+    images = 0
+    rootdir = 1
+    vztmpl = 2
+    backup = 3
+    iso = 4
+    snippets = 5
+
+class PveStorageType(Enum):
+    zfspool = 0
+    dir = 1
+    nfs = 2
+    cifs = 3
+    pbs = 4
+    glusterfs = 5
+    cephfs = 6
+    lvm = 7
+    lvmthin = 8
+    iscsi = 9
+    iscsidirect = 10
+    rbd = 11
+    zfs = 12

src/constants.conf

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on container level
+
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common"

src/debian-priv/constants-service.conf

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="0"

src/debian-priv/features.json

@@ -0,0 +1,9 @@
+{
+    "unprivileged": 0,
+    "features": {},
+    "sharefs": {},
+    "mem": 1024,
+    "swap": 1024,
+    "hostname": "debian",
+    "domain": "zmb.rocks"
+}

src/debian-priv/info

@@ -0,0 +1 @@
+Debian privileged container with basic tools

src/debian-priv/install-service.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-priv' is ready to use!"

src/debian-unpriv/constants-service.conf

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="0"

src/debian-unpriv/features.json

@@ -0,0 +1,11 @@
+{
+    "unprivileged": 1,
+    "features": {
+        "nesting": 1
+    },
+    "sharefs": {},
+    "mem": 1024,
+    "swap": 1024,
+    "hostname": "debian",
+    "domain": "zmb.rocks"
+}

src/debian-unpriv/info

@@ -0,0 +1 @@
+Debian unprivileged container with basic tools

src/debian-unpriv/install-service.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-unpriv' is ready to use!"

src/lxc-base.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# load configuration
+echo "Loading configuration..."
+source /root/zamba.conf
+source /root/constants.conf
+
+echo "Updating locales"
+# update locales
+sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
+cat << EOF > /etc/default/locale
+LANG="$LXC_LOCALE"
+LANGUAGE=$LXC_LOCALE
+EOF
+locale-gen $LXC_LOCALE
+
+# update package lists
+echo "Updating package database..."
+apt update
+
+# install latest packages
+echo "Installing latest updates"
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+
+# install toolset
+echo "Installing preconfigured toolset..."
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET_BASE $LXC_TOOLSET
+
+echo "Enabling vim syntax highlighting..."
+sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
+if [ $LXC_VIM_BG_DARK -gt 0 ]; then
+    sed -i "s|\"set background=dark|set background=dark|g" /etc/vim/vimrc
+fi
+
+echo "Basic container setup finished, continuing with service installation..."

src/mailpiler/constants-service.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+PILER_VERSION="latest"
+# Defines the version of sphinx to install
+PILER_SPHINX_VERSION="3.3.1"
+# Defines the php version to install
+PILER_PHP_VERSION="7.4"

src/mailpiler/features.json

@@ -0,0 +1,11 @@
+{
+    "unprivileged": 1,
+    "features": {
+        "nesting": 1
+    },
+    "sharefs": {},
+    "mem": 1024,
+    "swap": 1024,
+    "hostname": "piler",
+    "domain": "zmb.rocks"
+}

src/mailpiler/info

@@ -0,0 +1 @@
+Mailpiler email archive

src/mailpiler/install-service.sh

@@ -0,0 +1,176 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/zamba.conf
+
+HOSTNAME=$(hostname -f)
+
+echo "Ensure your Hostname is set to your Piler FQDN!"
+
+echo $HOSTNAME
+
+if 
+    [ "$HOSTNAME" != "$PILER_FQDN" ]
+then
+        echo "Hostname doesn't match PILER_FQDNain! Check install.sh, /etc/hosts, /etc/hostname." && exit
+else
+        echo "Hostname matches PILER_FQDNAIN, so starting installation."
+fi
+
+# install php
+wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
+echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
+
+DEBIAN_FRONTEND=nonintercative DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx mariadb-server default-libmysqlclient-dev python-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
+
+DEBIAN_FRONTEND=nonintercative DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix
+
+cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
+innodb_buffer_pool_size=256M
+innodb_flush_log_at_trx_commit=1
+innodb_log_buffer_size=64M
+innodb_log_file_size=16M
+query_cache_size=0
+query_cache_type=0
+query_cache_limit=2M
+EOF
+
+systemctl restart mariadb
+
+cd /tmp
+wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
+tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
+
+groupadd piler
+useradd -g piler -m -s /bin/bash -d /var/piler piler
+usermod -L piler
+chmod 755 /var/piler
+
+if [[ "$PILER_VERSION" == "latest" ]]; then
+        URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
+        wget -O piler-$PILER_VERSION.tar.gz $URL
+else
+        wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
+fi
+tar -xvzf piler-$PILER_VERSION.tar.gz
+cd piler-$PILER_VERSION/
+./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
+make
+make install
+ldconfig
+
+cp util/postinstall.sh util/postinstall.sh.bak
+sed -i "s/   PILER_SMARTHOST=.*/   PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
+sed -i 's/   WWWGROUP=.*/   WWWGROUP="www-data"/' util/postinstall.sh
+
+make postinstall
+
+cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
+sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
+sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
+
+su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
+
+/etc/init.d/rc.piler start
+/etc/init.d/rc.searchd start
+
+update-rc.d rc.piler defaults
+update-rc.d rc.searchd defaults
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
+
+cd /etc/nginx/sites-available
+cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
+ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
+
+sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
+sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
+
+sed -i "/server_name.*/a \\
+        listen 443 ssl http2;\n\n\
+        ssl_certificate /etc/nginx/ssl/piler.crt;\n\
+        ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
+        ssl_session_timeout 1d;\n\
+        ssl_session_cache shared:SSL:15m;\n\
+        ssl_session_tickets off;\n\n\
+        # modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
+        ssl_protocols TLSv1.2 TLSv1.3;\n\
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
+        ssl_prefer_server_ciphers off;\n\n\
+        add_header X-Frame-Options SAMEORIGIN;\n\
+        add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
+
+sed -i "/^server {.*/i\
+server {\n\
+        listen 80;\n\
+        server_name $PILER_FQDN;\n\
+        server_tokens off;\n\
+        # HTTP to HTTPS redirect.\n\
+        return 301 https://$PILER_FQDN;\n\
+}" /etc/nginx/sites-available/piler-nginx.conf
+
+cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
+sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
+cat >> /usr/local/etc/piler/config-site.php <<EOF
+
+// CUSTOM
+\$config['PROVIDED_BY'] = '$PILER_FQDN';
+\$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
+\$config['COMPATIBILITY'] = '';
+
+// fancy features.
+\$config['ENABLE_INSTANT_SEARCH'] = 1;
+\$config['ENABLE_TABLE_RESIZE'] = 1;
+
+\$config['ENABLE_DELETE'] = 1;
+\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
+
+// general settings.
+\$config['TIMEZONE'] = 'Europe/Berlin';
+
+// authentication
+// Enable authentication against an imap server
+//\$config['ENABLE_IMAP_AUTH'] = 1;
+//\$config['RESTORE_OVER_IMAP'] = 1;
+//\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
+//\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
+//\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
+//\$config['IMAP_PORT'] =  993;
+//\$config['IMAP_SSL'] = true;
+
+// authentication against an ldap directory (disabled by default)
+//\$config['ENABLE_LDAP_AUTH'] = 1;
+//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
+//\$config['LDAP_PORT'] = 389;
+//\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
+//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
+//\$config['LDAP_MAIL_ATTR'] = 'mail';
+//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
+//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
+//\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
+
+// authentication against an Uninvention based ldap directory 
+//\$config['ENABLE_LDAP_AUTH'] = 1;
+//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
+//\$config['LDAP_PORT'] = 7389;
+//\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
+//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
+//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
+//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
+//\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
+//\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
+//\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
+//\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
+//\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
+
+// special settings.
+\$config['MEMCACHED_ENABLED'] = 1;
+\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
+EOF
+
+nginx -t && systemctl restart nginx

src/matrix/constants-service.conf

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="0"

src/matrix/features.json

@@ -0,0 +1,9 @@
+{
+    "unprivileged": 1,
+    "features": {},
+    "sharefs": {},
+    "mem": 1024,
+    "swap": 1024,
+    "hostname": "matrix",
+    "domain": "zmb.rocks"
+}

src/matrix/info

@@ -0,0 +1 @@
+Matrix Synapse server with Element Web

src/matrix/install-service.sh

@@ -0,0 +1,153 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/zamba.conf
+
+MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+
+ELE_DBNAME="synapse_db"
+ELE_DBUSER="synapse_user"
+ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+
+DEBIAN_FRONTEND=nonintercative DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
+
+wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
+apt update
+DEBIAN_FRONTEND=nonintercative DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
+systemctl enable matrix-synapse
+
+ss -tulpen
+
+mkdir /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
+
+cat > /etc/nginx/sites-available/$MATRIX_FQDN <<EOF
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $MATRIX_FQDN;
+
+    return 301 https://$MATRIX_FQDN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $MATRIX_FQDN;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/matrix.crt;
+    ssl_certificate_key /etc/nginx/ssl/matrix.key;
+
+    location / {
+      proxy_pass http://127.0.0.1:8008;
+      proxy_set_header X-Forwarded-For \$remote_addr;
+    }
+}
+
+server {
+    listen 8448 ssl;
+    listen [::]:8448 ssl;
+    server_name $MATRIX_FQDN;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/matrix.crt;
+    ssl_certificate_key /etc/nginx/ssl/matrix.key;
+
+    # If you don't wanna serve a site, comment this out
+    root /var/www/$MATRIX_FQDN;
+    index index.html index.htm;
+
+    location / {
+        proxy_pass http://127.0.0.1:8008;
+        proxy_set_header X-Forwarded-For \$remote_addr;
+    }
+}
+
+EOF
+ln -s /etc/nginx/sites-available/$MATRIX_FQDN /etc/nginx/sites-enabled/$MATRIX_FQDN
+
+cat > /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN <<EOF
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $MATRIX_ELEMENT_FQDN;
+    return 301 https://$MATRIX_ELEMENT_FQDN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $MATRIX_ELEMENT_FQDN;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/matrix.crt;
+    ssl_certificate_key /etc/nginx/ssl/matrix.key;
+
+    # If you don't wanna serve a site, comment this out
+    root /var/www/$MATRIX_ELEMENT_FQDN/element;
+    index index.html index.htm;
+} 
+
+EOF
+
+ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$MATRIX_ELEMENT_FQDN
+
+systemctl restart nginx
+
+mkdir /var/www/$MATRIX_ELEMENT_FQDN
+cd /var/www/$MATRIX_ELEMENT_FQDN
+wget https://packages.riot.im/element-release-key.asc
+gpg --import element-release-key.asc
+
+wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
+wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
+gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
+
+tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
+ln -s element-$MATRIX_ELEMENT_VERSION element
+chown www-data:www-data -R element
+cp ./element/config.sample.json ./element/config.json
+sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json
+sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json
+
+su postgres <<EOF
+psql -c "CREATE USER $ELE_DBUSER WITH PASSWORD '$ELE_DBPASS';"
+psql -c "CREATE DATABASE $ELE_DBNAME ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $ELE_DBUSER;"
+echo "Postgres User '$ELE_DBUSER' and database '$ELE_DBNAME' created."
+EOF
+
+cd /
+sed -i "s|#registration_shared_secret: <PRIVATE STRING>|registration_shared_secret: \"$MRX_PKE\"|" /etc/matrix-synapse/homeserver.yaml
+sed -i "s|#public_baseurl: https://example.com/|public_baseurl: https://$MATRIX_FQDN/|" /etc/matrix-synapse/homeserver.yaml
+sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-synapse/homeserver.yaml
+sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
+sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n    user: $ELE_DBUSER\n    password: $ELE_DBPASS\n    host: 127.0.0.1\n    cp_min: 5\n    cp_max: 10|" /etc/matrix-synapse/homeserver.yaml
+
+systemctl restart matrix-synapse
+
+register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
+
+#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
+#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
+
+#apt update
+#apt install -y jitsi-meet
+
+
+

src/menu.py

@@ -0,0 +1,73 @@
+#!/usr/bin/python3
+from enum import Enum
+from . import config_base
+
+def radiolist(title:str,question:str,choices):
+    invalid_input=True
+    while(invalid_input):
+        print(f"#### {title} ####\n")
+        print(question)
+        index = {}
+        counter = 1
+        if isinstance(choices,dict):
+            for choice in choices.keys():
+                if len(choice) <= 12:
+                    sep="\t\t"
+                else:
+                    sep="\t"
+                print(f"{counter})  {choice}{sep}{choices[choice]}")
+                index[str(counter)] = choice
+                counter = counter + 1
+        elif isinstance(choices,list):
+            for choice in choices:
+                print(f"{counter})  {choice}")
+                index[str(counter)] = choice
+                counter = counter + 1
+        else:
+            print (f"object 'choices': {type(choices)} objects are unsupported.")
+        selected = input("Type in number:  ")
+        if selected in index.keys():
+            print("\n")
+            return index[selected]
+    
+def question(title:str,q:str,returntype, default, validation=None):
+    print(f"#### {title} ####\n")
+    if str(returntype.name) == "Boolean":
+        if default == True:
+            suggest = "Y/n"
+        else:
+            suggest = "y/N"
+        a = input(f"{q} [{suggest}]\n")
+        if "y" in str(a).lower():
+            return True
+        elif "n" in str(a).lower():
+            return False
+        else:
+            return default
+    elif str(returntype.name) == "Integer":
+        invalid_input = True
+        while(invalid_input):
+            a = input(f"{q} [{default}]\n")
+            if str(a) == "" or f"{str(default)}" == str(a):
+                return default
+            else:
+                try:
+                    valid = validation(int(a))
+                    if valid:
+                        return int(a)
+                except:
+                    pass
+    else:
+        a = input(f"{q} [{default}]\n")
+        if a == '':
+            return default
+        else:
+            return a
+
+
+class qType(Enum):
+    Boolean = 0
+    Integer = 1
+    String = 2
+    IPAdress = 3
+    CIDR = 4

src/sources.list

@@ -0,0 +1,6 @@
+deb http://ftp.de.debian.org/debian buster main contrib
+
+deb http://ftp.de.debian.org/debian buster-updates main contrib
+
+# security updates
+deb http://security.debian.org buster/updates main contrib

src/zmb-ad/constants-service.conf

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"

src/zmb-ad/features.json

@@ -0,0 +1,11 @@
+{
+    "unprivileged": 0,
+    "features": {
+        "nesting": 1
+    },
+    "sharefs": {},
+    "mem": 1024,
+    "swap": 1024,
+    "hostname": "ad",
+    "domain": "zmb.rocks"
+}

src/zmb-ad/info

@@ -0,0 +1 @@
+Zamba Active Directory Domain Controller

src/zmb-ad/install-service.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/zamba.conf
+
+if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
+  BINDNINE=bind9
+fi
+
+## configure ntp
+cat << EOF > /etc/ntp.conf
+# Local clock. Note that is not the "localhost" address!
+server 127.127.1.0
+fudge  127.127.1.0 stratum 10
+
+# Where to retrieve the time from
+server 0.de.pool.ntp.org     iburst prefer
+server 1.de.pool.ntp.org     iburst prefer
+server 2.de.pool.ntp.org     iburst prefer
+
+driftfile       /var/lib/ntp/ntp.drift
+logfile         /var/log/ntp
+ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
+
+# Access control
+# Default restriction: Allow clients only to query the time
+restrict default kod nomodify notrap nopeer mssntp
+
+# No restrictions for "localhost"
+restrict 127.0.0.1
+
+# Enable the time sources to only provide time to this host
+restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+
+tinker panic 0
+EOF
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
+
+if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+
+  forwarders {
+    $LXC_DNS;
+  };
+
+  allow-query {  any;};
+  dnssec-validation no;
+
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+# stop + disable samba services and remove default config
+systemctl stop smbd nmbd winbind
+systemctl disable smbd nmbd winbind
+rm -f /etc/samba/smb.conf
+rm -f /etc/krb5.conf
+
+# provision zamba domain
+samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
+
+cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc $BINDNINE
+systemctl restart samba-ad-dc $BINDNINE
+
+exit 0

src/zmb-member/constants-service.conf

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="0"

src/zmb-member/features.json

@@ -0,0 +1,12 @@
+{
+    "unprivileged": 0,
+    "features": {},
+    "sharefs": {
+        "size": "100",
+        "mountpoint": "/tank"
+    },
+    "mem": 1024,
+    "swap": 1024,
+    "hostname": "zamba",
+    "domain": "zmb.rocks"
+}

src/zmb-member/info

@@ -0,0 +1 @@
+Zamba AD Member Server

src/zmb-member/install-service.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/zamba.conf
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules 
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+    ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+klist
+
+mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
+cat > /etc/samba/smb.conf <<EOF
+[global]
+	workgroup = $ZMB_DOMAIN
+	security = ADS
+	realm = $ZMB_REALM
+	server string = %h server
+
+	vfs objects = acl_xattr shadow_copy2
+    map acl inherit = Yes
+    store dos attributes = Yes
+	idmap config *:backend = tdb
+	idmap config *:range = 3000000-4000000
+	idmap config *:schema_mode = rfc2307
+
+	winbind refresh tickets = Yes
+	winbind use default domain = Yes
+	winbind separator = /
+	winbind nested groups = yes
+	winbind nss info = rfc2307
+
+	pam password change = Yes
+	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+	passwd program = /usr/bin/passwd %u
+
+	template homedir = /home/%U
+	template shell = /bin/bash
+	bind interfaces only = Yes
+	interfaces = lo eth0
+	log file = /var/log/samba/log.%m
+	logging = syslog
+	max log size = 1000
+	panic action = /usr/share/samba/panic-action %d
+
+	load printers = No
+	printcap name = /dev/null
+	printing = bsd
+	disable spoolss = Yes
+
+	allow trusted domains = No
+	dns proxy = No
+	shadow: snapdir = .zfs/snapshot
+	shadow: sort = desc
+	shadow: format = -%Y-%m-%d-%H%M
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+	shadow: delimiter = -20
+
+[$ZMB_SHARE]
+	comment = Main Share
+	path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+	read only = No
+	create mask = 0660
+	directory mask = 0770
+	inherit acls = Yes
+
+
+
+EOF
+
+systemctl restart smbd
+
+echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
+sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
+sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
+echo -e "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
+
+systemctl restart winbind nmbd
+wbinfo -u
+wbinfo -g
+
+mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
+chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+systemctl restart smbd nmbd winbind
+

src/zmb-standalone/constants-service.conf

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="0"

src/zmb-standalone/features.json

@@ -0,0 +1,12 @@
+{
+    "unprivileged": 0,
+    "features": { },
+    "sharefs": {
+        "size": "100",
+        "mountpoint": "/tank"
+    },
+    "mem": 1024,
+    "swap": 1024,
+    "hostname": "zamba",
+    "domain": "zmb.rocks"
+}

src/zmb-standalone/info

@@ -0,0 +1 @@
+Zamba Standalone Server

src/zmb-standalone/install-service.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/zamba.conf
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules 
+
+USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
+useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
+echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
+smbpasswd -x $USER
+(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
+
+cat << EOF >> /etc/samba/smb.conf
+[share]
+    comment = Main Share
+    path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    read only = No
+    vfs objects = shadow_copy2
+    shadow: snapdir = .zfs/snapshot
+    shadow: sort = desc
+    shadow: format = -%Y-%m-%d-%H%M
+    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+    shadow: delimiter = -20
+EOF
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+systemctl restart smbd nmbd 

zamba.conf.example

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# This ist the Zamba main configuration file.
+# Please adjust the settings to your needs before running the installer.
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+
+############### Linux Container Section ###############
+
+# Defines the Proxmox storage where your LXC container template are stored (default: local)
+LXC_TEMPLATE_STORAGE="local"
+
+# Defines the size in GB of the LXC container's root filesystem (default: 32)
+# Depending on your environment, you should consider increasing the size for use of `mailpiler` or `matrix`.
+LXC_ROOTFS_SIZE="32"
+# Defines the Proxmox storage where your LXC container's root filesystem will be generated (default: local-zfs)
+LXC_ROOTFS_STORAGE="local-zfs"
+
+# Defines the size in GB your LXC container's filesystem shared by Zamba (AD member & standalone) (default: 100)
+LXC_SHAREFS_SIZE="100"
+# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
+LXC_SHAREFS_STORAGE="local-zfs"
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+
+# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
+LXC_MEM="1024"
+
+# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
+LXC_SWAP="1024"
+
+# Defines the hostname of your LXC container
+LXC_HOSTNAME="zamba"
+
+# Defines the domain name / search domain of your LXC container
+LXC_DOMAIN="zmb.rocks"
+
+# Defines the local IP address and subnet of your LXC container in CIDR format
+LXC_IP="192.168.100.200/24"
+
+# Defines the default gateway IP address of your LXC container
+LXC_GW="192.168.100.254"
+
+# Defines the DNS server ip address of your LXC container
+# `zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS
+# For other services this should be your active directory domain controller (if present, else a DNS server of your choice)
+LXC_DNS="192.168.100.254"
+
+# Defines the network bridge to bind the network adapter of your LXC container
+LXC_BRIDGE="vmbr0"
+
+# Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
+LXC_VLAN=
+
+# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
+LXC_PWD='S3cr3tp@ssw0rd'
+
+# Defines an authorized_keys file to push into the LXC container.
+# By default the authorized_keys will be inherited from your proxmox host.
+LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
+
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
+
+# Define the local timezone of your LXC container (default: Euroe/Berlin)
+LXC_TIMEZONE="Europe/Berlin"
+
+# Define system language on LXC container (locales)
+# This parameter is not used yet, but will be integrated in future releases.
+LXC_LOCALE=de_DE.UTF-8
+
+# Set dark background for vim syntax highlighting (0 or 1)
+LXC_VIM_BG_DARK=1
+
+############### Zamba-Server-Section ###############
+
+# Defines the REALM for the Active Directory (AD DC, AD member)
+ZMB_REALM="ZMB.ROCKS"
+# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
+ZMB_DOMAIN="ZMB"
+
+# Defines the name of your domain administrator account (AD DC, AD member, standalone)
+ZMB_ADMIN_USER="administrator"
+# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
+# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
+ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
+
+# Defines the name of your Zamba share
+ZMB_SHARE="share"
+
+############### Mailpiler-Section ###############
+
+# Defines the (public) FQDN of your piler mail archive
+PILER_FQDN="piler.zmb.rocks"
+# Defines the smarthost for piler mail archive
+PILER_SMARTHOST="your.mailserver.tld"
+
+
+############### Matrix-Section ###############
+
+# Define the FQDN of your Matrix server
+MATRIX_FQDN="matrix.zmb.rocks"
+
+# Define the FQDN for the Element Web virtual host
+MATRIX_ELEMENT_FQDN="element.zmb.rocks"
+
+# Define the version of Element Web
+MATRIX_ELEMENT_VERSION="v1.7.24"