From 582444e57ba90717b356345e4050410fa59efdbf Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 17 Apr 2021 15:33:59 +0200 Subject: [PATCH] Improved doc, removed just-lxc, added (un)priv ct --- README.md | 7 +-- just_lxc.sh => debian-priv.sh | 0 debian-unpriv.sh | 18 ++++++++ install.sh | 12 ++--- zamba.conf | 84 ++++++++++++++++++++--------------- zamba.conf.md | 40 +++++++---------- 6 files changed, 93 insertions(+), 68 deletions(-) rename just_lxc.sh => debian-priv.sh (100%) create mode 100644 debian-unpriv.sh diff --git a/README.md b/README.md index a99f683..3ed2b97 100644 --- a/README.md +++ b/README.md @@ -7,12 +7,13 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna ### Requirements Proxmox VE Server with at least one configured ZFS Pool. ### Included services: -- `just-lxc` => Debian LXC Container only -- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported -- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support - `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions) +- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported +- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions) - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/) - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web) +- `debian-unpriv` => Debian unprivileged container with basic toolset +- `debian-unpriv` => Debian privileged container with basic toolset ## Usage Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`. ```bash 
diff --git a/just_lxc.sh b/debian-priv.sh similarity index 100% rename from just_lxc.sh rename to debian-priv.sh diff --git a/debian-unpriv.sh b/debian-unpriv.sh new file mode 100644 index 0000000..881a310 --- /dev/null +++ b/debian-unpriv.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +dpkg-reconfigure locales + +source /root/zamba.conf + +# Set Timezone +ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime + +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET +sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc diff --git a/install.sh b/install.sh index dcf7026..fabcdee 100644 --- a/install.sh +++ b/install.sh @@ -17,19 +17,19 @@ ############### ZAMBA INSTALL SCRIPT ############### # Load configuration file -source ./zamba.conf +source $PWD/zamba.conf LXC_MP="0" LXC_UNPRIVILEGED="1" LXC_NESTING="0" -select opt in just_lxc zmb-standalone zmb-member zmb-ad mailpiler matrix quit; do +select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do case $opt in - deb-unpriv) + debian-unpriv) echo "Debian-only LXC container unprivileged mode selected" break ;; - deb-priv) + debian-priv) echo "Debian-only LXC container privileged mode selected" LXC_UNPRIVILEGED="0" break 
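Review bot: Nothing in the new debian-unpriv.sh removes or restricts `/root/zamba.conf` after the `source` line, yet that file is pushed into the container by install.sh with `LXC_PWD` and `ZMB_ADMIN_PASS` in clear text, so both passwords stay readable in the container's root home after installation; finish the script with `rm -f /root/zamba.conf`, or `chmod 600 /root/zamba.conf` if a later step still needs it. `dpkg-reconfigure locales` on the first command line runs with the default interactive frontend, which presumably blocks when the script is started non-interactively from install.sh — prefix it with `DEBIAN_FRONTEND=noninteractive` as the apt calls below already do. `ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime` should quote the expansion, `ln -sf "/usr/share/zoneinfo/$LXC_TIMEZONE" /etc/localtime`, while `$LXC_TOOLSET` is correctly left unquoted since it is a word list. Without `set -e` near the top, a failed `apt update` does not stop the script and the dist-upgrade and toolset install run against a stale package index.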
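Review bot: `source $PWD/zamba.conf` leaves the expansion unquoted, so a working directory containing whitespace breaks the `source`, and because `$PWD/zamba.conf` resolves to the same file as the previous `./zamba.conf` the change otherwise gains nothing; write `source "$PWD/zamba.conf"`. The renamed `debian-unpriv)` and `debian-priv)` arms now match the entries in the new `select` list, which the old `deb-unpriv`/`deb-priv` labels never did, but the README hunk in this commit lists `debian-unpriv` twice — the second bullet should read `debian-priv` to match. The remaining arms of the `select` loop (`zmb-standalone` through `quit`) lie outside the hunk.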
@@ -120,8 +120,8 @@ pct start $LXC_NBR; sleep 5; # Set the root password and key echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd; -lxc-attach -n$LXC_NBR mkdir /root/.ssh; -echo -e "$LXC_AUTHORIZED_KEY" | lxc-attach -n$LXC_NBR tee /root/.ssh/authorized_keys; +lxc-attach -n$LXC_NBR mkdir -p /root/.ssh; +pct push $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys pct push $LXC_NBR ./sources.list /etc/apt/sources.list pct push $LXC_NBR ./zamba.conf /root/zamba.conf pct push $LXC_NBR ./$opt.sh /root/$opt.sh diff --git a/zamba.conf b/zamba.conf index 3e3db00..a089c57 100644 --- a/zamba.conf +++ b/zamba.conf 
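Review bot: `pct push $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys` is missing the container id that the three `pct push $LXC_NBR …` lines right after it pass first, so the call fails and the container ends up with no authorized key at all; it should read `pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys`. With the new zamba.conf default of `/root/.ssh/authorized_keys`, this copies every key that is authorized for root on the Proxmox host into the container's root account — that broadening of access deserves a comment on the line, and a guard such as `[[ -f "$LXC_AUTHORIZED_KEY" ]]` before the push so a host without that file does not abort here. The pushed file's mode should be set explicitly (`pct push … --perms 600`) and the directory created with `mkdir -p -m 700 /root/.ssh`, rather than relying on whatever mode pct push applies by default.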
@@ -11,96 +11,110 @@ ############### Linux Container Section ############### -# The storage, where your container tmeplates are located (in most cases: local) +# Defines the Proxmox storage where your LXC container template are stored (default: local) LXC_TEMPLATE_STORAGE="local" -# Define the size and storage location of the container's root filesystem +# Defines the size in GB of the LXC container's root filesystem (default: 32) +# Depending on your environment, you should consider increasing the size for use of `mailpiler` or `matrix`. LXC_ROOTFS_SIZE="32" +# Defines the Proxmox storage where your LXC container's root filesystem will be generated (default: local-zfs) LXC_ROOTFS_STORAGE="local-zfs" -# Define the size, storage location and mountpoint of the container's shared filesystem (required for 'zmb_standalone' and 'zmb_member') +# Defines the size in GB your LXC container's filesystem shared by Zamba (AD member & standalone) (default: 100) LXC_SHAREFS_SIZE="100" +# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs) LXC_SHAREFS_STORAGE="local-zfs" +# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) LXC_SHAREFS_MOUNTPOINT="tank" -# Size of the RAM assigned to the container +# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) LXC_MEM="1024" -# Size of the SWAP assigned to the container +# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024) LXC_SWAP="1024" -# The hostname (eg. 
zamba1 or mailpiler1) +# Defines the hostname of your LXC container LXC_HOSTNAME="zamba" -# The domain suffix (the domain name / search domain of th container, results to the FQDN 'LXC_HOTNAME.LXC_DOMAIN') +# Defines the domain name / search domain of your LXC container LXC_DOMAIN="zmb.rocks" -# IP-address and subnet -LXC_IP="10.10.80.20/24" +# Defines the local IP address and subnet of your LXC container in CIDR format +LXC_IP="192.168.100.200/24" -# Gateway -LXC_GW="10.10.80.10" +# Defines the default gateway IP address of your LXC container +LXC_GW="192.168.100.254" -# DNS-server (should be your AD DC) -LXC_DNS="10.10.80.10" +# Defines the DNS server ip address of your LXC container +# `zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS +# For other services this should be your active directory domain controller (if present, else a DNS server of your choice) +LXC_DNS="192.168.100.254" -# Networkbridge for this container +# Defines the network bridge to bind the network adapter of your LXC container LXC_BRIDGE="vmbr0" -# Optional VLAN number for this container -LXC_VLAN="" +# Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty. +LXC_VLAN= -# root password - take care to delete from this file. Please use 'single quatation marks' to avoid unexpected behaviour. +# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour. LXC_PWD='S3cr3tp@ssw0rd' -# SSH-Key to add to authorized_keys -LXC_AUTHORIZED_KEY="ssh-rsa xxxxxxxx" +# Defines an authorized_keys file to push into the LXC container. +# By default the authorized_keys will be inherited from your proxmox host. 
+LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys" -# Define some optional packages to install (your favourite tools on linux systems) -LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git" +# Define your (administrative) tools, you always want to have installed into your LXC container +LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https" -# Define system timezone on LXC container +# Define the local timezone of your LXC container (default: Euroe/Berlin) LXC_TIMEZONE="Europe/Berlin" # Define system language on LXC container (locales) +# This parameter is not used yet, but will be integrated in future releases. LXC_LOCALE="de_DE.utf8" ############### Zamba-Server-Section ############### -# Domain Entries to samba/smb.conf. Will be also uses for samba domain-provisioning when zmb-pdc will choosen. +# Defines the REALM for the Active Directory (AD DC, AD member) ZMB_REALM="ZMB.ROCKS" +# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone) ZMB_DOMAIN="ZMB" -# Select the Zamba AD DNS backend, supported are SAMBA_INTERNAL or BIND9_DLZ +# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage ZMB_DNS_BACKEND="SAMBA_INTERNAL" -# The Domain-Admin and password for zamba installation -ZMB_ADMIN_USER="Administrator" -# The Domain admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour. -ZMB_ADMIN_PASS='MYPASSWORD' +# Defines the name of your domain administrator account (AD DC, AD member, standalone) +ZMB_ADMIN_USER="administrator" +# The admin password for zamba installation. 
Please use 'single quatation marks' to avoid unexpected behaviour +# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail +ZMB_ADMIN_PASS='1c@nd0@nyth1n9' -# Name of the Zamba Share +# Defines the name of your Zamba share ZMB_SHARE="share" ############### Mailpiler-Section ############### -# The FQDN vor the Hostname. This must be exactly the same like the LXC_HOSTNAME / LXC_DOMAIN at section above. +# Defines the (public) FQDN of your piler mail archive PILER_FQDN="piler.zmb.rocks" -PILER_SMARTHOST="10.10.80.20" +# Defines the smarthost for piler mail archive +PILER_SMARTHOST="your.mailserver.tld" +# Defines the version number of piler mail archive to install PILER_VERSION="1.3.10" +# Defines the version of sphinx to install PILER_SPHINX_VERSION="3.3.1" +# Defines the php version to install PILER_PHP_VERSION="7.4" ############### Matrix-Section ############### -# The FQDN vor the Hostname. This should be the same like the LXC_HOSTNAME / LXC_DOMAIN at section above. +# Define the FQDN of your Matrix server MATRIX_FQDN="matrix.zmb.rocks" -# Virtual host to run the Element Web messenger +# Define the FQDN for the Element Web virtual host MATRIX_ELEMENT_FQDN="element.zmb.rocks" -# Element Web version +# Define the version of Element Web MATRIX_ELEMENT_VERSION="v1.7.24" -# Virtuel host to run the Jitsi Meet +# Define the FQDN for the Jitsi Meet virtual host MATRIX_JITSI_FQDN="meet.zmb.rocks" diff --git a/zamba.conf.md b/zamba.conf.md index c3b471a..1dfdd40 100644 --- a/zamba.conf.md +++ b/zamba.conf.md 
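Review bot: The rewritten `LXC_PWD` comment drops the old reminder to delete the password from this file, although the file still carries `LXC_PWD` and `ZMB_ADMIN_PASS` in clear text and install.sh pushes it into every container as `/root/zamba.conf`; the comments on both variables should say where the file ends up and that the values must be removed after installation. The shipped `LXC_PWD='S3cr3tp@ssw0rd'` and `ZMB_ADMIN_PASS='1c@nd0@nyth1n9'` now read like working defaults rather than placeholders — a comment such as `# Example value only, replace before running install.sh` (or an install-time refusal of the shipped values) prevents a domain being provisioned with a password that is public in this repository. The new `LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"` default grants every key authorized on the Proxmox host root access to the container; "inherited from your proxmox host" should state that consequence explicitly. Minor: `Euroe/Berlin` in the `LXC_TIMEZONE` comment and `quatation` in the password comments are typos.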
@@ -37,13 +37,6 @@ Defines the mountpoint of the filesystem shared by Zamba inside your LXC contain ```bash LXC_SHAREFS_MOUNTPOINT="tank" ``` -### LXC_UNPRIVILEGED -Defines if the LXC container will be created in `unpprivileged` or `privileged` mode (default: 1) -```bash -LXC_UNPRIVILEGED="1" -``` -Privileged also means the container runs as `root` user. Set this option only, if it's required for the service. -`Zamba AD DC`, `Zamba AD member`, `Zamba standalone` and `mailpiler` are required to run in privileged mode. ### LXC_MEM Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) ```bash @@ -60,7 +53,7 @@ Defines the hostname of your LXC container LXC_SWAP="zamba" ``` ### LXC_DOMAIN -Defines the domain name /search domain of your LXC container +Defines the domain name / search domain of your LXC container ```bash LXC_DOMAIN="zmb.rocks" ``` @@ -75,12 +68,14 @@ Defines the default gateway IP address of your LXC container LXC_GW="10.10.80.254" ``` ### LXC_DNS -Defines the DNS server ip addres of your LXC container +Defines the DNS server ip address of your LXC container ```bash LXC_DNS="10.10.80.254" ``` +`zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS +For other services this should be your active directory domain controller (if present, else a DNS server of your choice) ### LXC_BRIDGE -Defines the network bridge to bind the network adapter of your LXC container to +Defines the network bridge to bind the network adapter of your LXC container ```bash LXC_BRIDGE="vmbr0" ``` 
@@ -90,19 +85,20 @@ Defines the vlan id of the LXC container's network interface, if the network ada LXC_VLAN="80" ``` ### LXC_PWD -Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour. +Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour. ```bash LXC_PWD="S3cr3tp@ssw0rd" ``` ### LXC_AUTHORIZED_KEY -If you have a SSH key to add to the LXC container's `root` account authorized_keys, you can paste it here. +Defines an authorized_keys file to push into the LXC container. +By default the authorized_keys will be inherited from your proxmox host. ```bash -LXC_AUTHORIZED_KEY="ssh-rsa xxxxxxxx" +LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys" ``` ### LXC_TOOLSET -Define your (administrative) tools, you always want to have instlled into yout LXC container +Define your (administrative) tools, you always want to have installed into your LXC container ```bash -LXC_TOOLSET="net-tools dnsutils mc sysstat lsb-release curl git" +LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https" ``` ### LXC_TIMEZONE Define the local timezone of your LXC container (default: Euroe/Berlin) @@ -110,7 +106,7 @@ Define the local timezone of your LXC container (default: Euroe/Berlin) LXC_TIMEZONE="Europe/Berlin" ``` ### LXC_LOCALE -Define system language on LXC container +Define system language on LXC container (locales) ```bash LXC_LOCALE="de_DE.utf8" ``` 
@@ -137,21 +133,17 @@ Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND ZMB_DNS_BACKEND="SAMBA_INTERNAL" ``` ### ZMB_ADMIN_USER -Defines the name of your domain administrator account (AD DC, AD member) +Defines the name of your domain administrator account (AD DC, AD member, standalone) ```bash ZMB_ADMIN_USER="Administrator" ``` ### ZMB_ADMIN_PASS -Defines the domain administrator's password (AD DC, AD member). Please use 'single quatation marks' to avoid unexpected behaviour. +Defines the domain administrator's password (AD DC, AD member). ```bash ZMB_ADMIN_PASS='1c@nd0@nyth1n9' ``` -### ZMB_DOMAIN_ADMINS_GROUP -Defines the domain admins group of your active directory. -```bash -ZMB_DOMAIN_ADMINS_GROUP="domain admins" -``` -On Windows Servers this group depends on the configured OS language. +Please use 'single quotation marks' to avoid unexpected behaviour. +`zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail. ### ZMB_SHARE Defines the name of your Zamba share ```bash