Merge remote-tracking branch 'upstream/dev' into kimai

# Conflicts:
#	src/kimai/install-service.sh

src/kimai/install-service.sh

@@ -162,4 +162,4 @@ systemctl daemon-reload
 systemctl enable --now php${PHP_VERSION}-fpm nginx
 systemctl restart php${PHP_VERSION}-fpm nginx
 
-echo -e "Your kimai installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\n\nPassword:\t${LXC_PWD}\n\n"
+echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"

src/zammad/constants-service.conf

@@ -18,3 +18,6 @@ LXC_UNPRIVILEGED="1"
 
 # enable nesting feature
 LXC_NESTING="1"
+
+# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
+LXC_MEM="4096"

src/zammad/install-service.sh

@@ -15,7 +15,34 @@ wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/za
 echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert zammad
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
+
+
+cat << EOF >>/etc/hosts
+0.0.0.0 image.zammad.com
+0.0.0.0 images.zammad.com
+0.0.0.0 geo.zammad.com
+0.0.0.0 www.zammad.com
+0.0.0.0 www.zammad.org
+0.0.0.0 www.zammad.net
+0.0.0.0 www.zammad.de
+0.0.0.0 zammad.com
+0.0.0.0 zammad.org
+0.0.0.0 zammad.net
+0.0.0.0 zammad.de
+#
+127.0.0.1 elasticsearch
+0.0.0.0 geoip.elastic.co
+EOF
+
+# Java set startup environment 
+mkdir -p /etc/elasticsearch/jvm.options.d
+cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
+# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
+# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
+-Xms1g
+-Xmx1g
+EOF
 
 # configurwe nginx
 rm -f /etc/nginx/sites-enabled/default
@@ -66,7 +93,16 @@ server {
     ssl_stapling_verify on;
 
     resolver 1.1.1.1 1.0.0.1;
-
+#
+#  https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
+#
+    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
+    add_header Referrer-Policy "strict-origin";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
     add_header Strict-Transport-Security "max-age=31536000" always;
 
     location = /robots.txt  {
@@ -118,6 +154,17 @@ server {
 }
 EOF
 
+ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
+
 openssl dhparam -out /etc/nginx/dhparam.pem 4096
 
-systemctl restart nginx
+systemctl enable elasticsearch.service
+systemctl restart nginx elasticsearch.service
+
+# Elasticsearch conntact to Zammad
+/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
+zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
+zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
+zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
+systemctl restart elasticsearch.service
+zammad run rake searchindex:rebuild

src/zmb-ad-join/install-service.sh

@@ -53,11 +53,14 @@ restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 tinker panic 0
 EOF
 
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp cifs-utils samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 	  cat << EOF > /etc/nginx/sites-available/default

src/zmb-ad/install-service.sh

@@ -59,11 +59,14 @@ restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 tinker panic 0
 EOF
 
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
   cat << EOF > /etc/nginx/sites-available/default

src/zmb-member/install-service.sh

@@ -12,10 +12,11 @@ source /root/constants-service.conf
 # add wsdd package repo
 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
 echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF

src/zmb-standalone/install-service.sh

@@ -11,18 +11,33 @@ source /root/constants-service.conf
 
 # add wsdd package repo
 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
+echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
 echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 
+cat << EOF > /etc/apt/preferences.d/samba
+Package: samba*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
+cat << EOF > /etc/apt/preferences.d/winbind
+Package: winbind*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
+cat << EOF > /etc/apt/preferences.d/cockpit
+Package: cockpit*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t $(lsb_release -cs)-backports cockpit
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
-
-mkdir /usr/share/cockpit/smb
-wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html
-wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json
-wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js
 
 USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
 useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
@@ -30,23 +45,52 @@ echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
 smbpasswd -x $USER
 (echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
 
-cat << EOF >> /etc/samba/smb.conf
+usermod -aG sudo $USER
-[$ZMB_SHARE]
+
-    comment = Main Share
+cat << EOF | sudo tee -i /etc/samba/smb.conf
-    path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+[global]
-    read only = No
+    include = registry
-    vfs objects = shadow_copy2
+EOF
-	create mask = 0660
+
-	directory mask = 0770
+cat << EOF | sudo tee -i /etc/samba/import.template
+[global]
+    workgroup = WORKGROUP
+    log file = /var/log/samba/log.%m
+    max log size = 1000
+    logging = file
+    panic action = /usr/share/samba/panic-action %d
+    log level = 3
+    server role = standalone server
+    obey pam restrictions = yes
+    unix password sync = yes
+    passwd program = /usr/bin/passwd %u
+    passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+    pam password change = yes
+    map to guest = bad user
+    vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
+    map acl inherit = yes
+    acl_xattr:ignore system acls = yes
     shadow: snapdir = .zfs/snapshot
     shadow: sort = desc
     shadow: format = -%Y-%m-%d-%H%M
-    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
     shadow: delimiter = -20
+    fruit:encoding = native
+    fruit:metadata = stream
+    fruit:zero_file_id = yes
+    fruit:nfs_aces = no
 EOF
 
+net conf import /etc/samba/import.template
+
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
+net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+net conf setparm $ZMB_SHARE readonly no
+net conf setparm $ZMB_SHARE browseable yes
+net conf setparm $ZMB_SHARE createmask 0660
+net conf setparm $ZMB_SHARE directorymask 0770
+
 systemctl restart smbd nmbd wsdd