mirror of
https://github.com/bashclub/zamba-lxc-toolbox.git
synced 2024-11-08 03:31:58 +01:00
ad: add wsdd, migrate debian 11, configure nginx
This commit is contained in:
parent
24c9b03abe
commit
4f0b47949f
@ -10,9 +10,6 @@
|
|||||||
# Debian Version, which will be installed
|
# Debian Version, which will be installed
|
||||||
LXC_TEMPLATE_VERSION="debian-11-standard"
|
LXC_TEMPLATE_VERSION="debian-11-standard"
|
||||||
|
|
||||||
# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
|
|
||||||
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
|
|
||||||
|
|
||||||
# Create sharefs mountpoint
|
# Create sharefs mountpoint
|
||||||
LXC_MP="0"
|
LXC_MP="0"
|
||||||
|
|
||||||
@ -21,3 +18,15 @@ LXC_UNPRIVILEGED="0"
|
|||||||
|
|
||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# add optional features to samba ad dc
|
||||||
|
|
||||||
|
# CURRENTLY SUPPORTED:
|
||||||
|
# wsdd = add windows service discovery
|
||||||
|
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
|
||||||
|
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
|
||||||
|
|
||||||
|
# Example:
|
||||||
|
# OPTIONAL_FEATURES=(wsdd)
|
||||||
|
# OPTIONAL_FEATURES=(wsdd splitdns)
|
||||||
|
OPTIONAL_FEATURES=()
|
@ -8,47 +8,21 @@
|
|||||||
source /root/zamba.conf
|
source /root/zamba.conf
|
||||||
source /root/constants-service.conf
|
source /root/constants-service.conf
|
||||||
|
|
||||||
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
|
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
|
||||||
BINDNINE=bind9
|
|
||||||
fi
|
|
||||||
|
|
||||||
## configure ntp
|
for f in ${OPTIONAL_FEATURES[@]}; do
|
||||||
cat << EOF > /etc/ntp.conf
|
if [[ "$f" == "wsdd" ]]; then
|
||||||
# Local clock. Note that is not the "localhost" address!
|
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
|
||||||
server 127.127.1.0
|
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
|
||||||
fudge 127.127.1.0 stratum 10
|
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
|
||||||
|
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
|
||||||
# Where to retrieve the time from
|
elif [[ "$f" == "splitdns" ]]; then
|
||||||
server 0.de.pool.ntp.org iburst prefer
|
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
|
||||||
server 1.de.pool.ntp.org iburst prefer
|
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
|
||||||
server 2.de.pool.ntp.org iburst prefer
|
elif [[ "$f" == "bind9dlz" ]]; then
|
||||||
|
ZMB_DNS_BACKEND="BIND9_DLZ"
|
||||||
driftfile /var/lib/ntp/ntp.drift
|
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
|
||||||
logfile /var/log/ntp
|
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
|
||||||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
|
|
||||||
|
|
||||||
# Access control
|
|
||||||
# Default restriction: Allow clients only to query the time
|
|
||||||
restrict default kod nomodify notrap nopeer mssntp
|
|
||||||
|
|
||||||
# No restrictions for "localhost"
|
|
||||||
restrict 127.0.0.1
|
|
||||||
|
|
||||||
# Enable the time sources to only provide time to this host
|
|
||||||
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
|
|
||||||
tinker panic 0
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# update packages
|
|
||||||
apt update
|
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
|
||||||
# install required packages
|
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
|
|
||||||
|
|
||||||
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
|
|
||||||
# configure bind dns service
|
# configure bind dns service
|
||||||
cat << EOF > /etc/default/bind9
|
cat << EOF > /etc/default/bind9
|
||||||
#
|
#
|
||||||
@ -93,11 +67,59 @@ options {
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
mkdir -p /var/lib/samba/bind-dns/dns
|
mkdir -p /var/lib/samba/bind-dns/dns
|
||||||
|
else
|
||||||
|
echo "Unsupported optional feature $f"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
## configure ntp
|
||||||
|
cat << EOF > /etc/ntp.conf
|
||||||
|
# Local clock. Note that is not the "localhost" address!
|
||||||
|
server 127.127.1.0
|
||||||
|
fudge 127.127.1.0 stratum 10
|
||||||
|
|
||||||
|
# Where to retrieve the time from
|
||||||
|
server 0.de.pool.ntp.org iburst prefer
|
||||||
|
server 1.de.pool.ntp.org iburst prefer
|
||||||
|
server 2.de.pool.ntp.org iburst prefer
|
||||||
|
|
||||||
|
driftfile /var/lib/ntp/ntp.drift
|
||||||
|
logfile /var/log/ntp
|
||||||
|
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
|
||||||
|
|
||||||
|
# Access control
|
||||||
|
# Default restriction: Allow clients only to query the time
|
||||||
|
restrict default kod nomodify notrap nopeer mssntp
|
||||||
|
|
||||||
|
# No restrictions for "localhost"
|
||||||
|
restrict 127.0.0.1
|
||||||
|
|
||||||
|
# Enable the time sources to only provide time to this host
|
||||||
|
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||||
|
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||||
|
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||||
|
|
||||||
|
tinker panic 0
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# update packages
|
||||||
|
apt update
|
||||||
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
||||||
|
# install required packages
|
||||||
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
|
||||||
|
|
||||||
|
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
|
||||||
|
cat << EOF > /etc/nginx/sites-available/default
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name $LXC_DOMAIN default_server;
|
||||||
|
return 301 http://www.$LXC_DOMAIN\$request_uri;
|
||||||
|
}
|
||||||
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# stop + disable samba services and remove default config
|
# stop + disable samba services and remove default config
|
||||||
systemctl stop smbd nmbd winbind
|
systemctl disable --now smbd nmbd winbind systemd-resolved
|
||||||
systemctl disable smbd nmbd winbind
|
|
||||||
rm -f /etc/samba/smb.conf
|
rm -f /etc/samba/smb.conf
|
||||||
rm -f /etc/krb5.conf
|
rm -f /etc/krb5.conf
|
||||||
|
|
||||||
@ -107,7 +129,7 @@ samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAI
|
|||||||
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
|
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
|
||||||
|
|
||||||
systemctl unmask samba-ad-dc
|
systemctl unmask samba-ad-dc
|
||||||
systemctl enable samba-ad-dc $BINDNINE
|
systemctl enable samba-ad-dc $ADDITIONAL_SERVICES
|
||||||
systemctl restart samba-ad-dc $BINDNINE
|
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
|
||||||
|
|
||||||
exit 0
|
exit 0
|
Loading…
Reference in New Issue
Block a user