Merge branch 'dev' of https://github.com/bashclub/zamba-lxc-toolbox into dev

2024-11-07 19:31:58 +01:00 · 2024-05-01 17:23:24 +02:00 · 2024-05-01 17:23:24 +02:00 · 70b8561798
commit 70b8561798
parent 907093512b 3a70f5f7b1
45 changed files with 916 additions and 287 deletions
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@ -114,10 +114,7 @@ ZMB_SHARE="share"

 ############### Mailpiler-Section ###############

-# Defines the (public) FQDN of your piler mail archive
-PILER_FQDN="mailpiler.zmb.rocks"
-# Defines the smarthost for piler mail archive
-PILER_SMARTHOST="mail.zmb.rocks"
+PILER_BRANCH=release

 ############### Matrix-Section ###############

@ -209,4 +206,9 @@ VW_SMTP_PASSWORD='<yourEmailPassword>'
 SEMAPHORE_ADMIN=admin
 SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
 SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
-SEMAPHORE_ADMIN_PASSWORD='Start123'
+SEMAPHORE_ADMIN_PASSWORD='Start123'
+
+############### docker Section ###############
+
+# Install Portainer (=full), Protainer Agent (=agent) or none
+PORTAINER=none
--- a/install.sh
+++ b/install.sh
@ -149,7 +149,7 @@ sleep 2;
 # Check vlan configuration
 if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
 if [ $LXC_DHCP == true ]; then
 pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
 else
--- a/src/ansible-semaphore/constants-service.conf
+++ b/src/ansible-semaphore/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

--- a/src/authentik/constants-service.conf
+++ b/src/authentik/constants-service.conf
@ -8,7 +8,7 @@
 # This file contains the project constants on service level

 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"

 # Create sharefs mountpoint
 LXC_MP="0"
@ -19,15 +19,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

-# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
-PILER_VERSION="1.3.12"
-# Defines the version of sphinx to install
-PILER_SPHINX_VERSION="3.3.1"
-# Defines the php version to install
-PILER_PHP_VERSION="7.4"
+# enable keyctl feature
+LXC_KEYCTL="1"

 # Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=1024
+LXC_MEM_MIN=2048

 # service dependent meta tags
-SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx"
+SERVICE_TAGS="docker"
--- a/src/authentik/install-service.sh
+++ b/src/authentik/install-service.sh
@ -0,0 +1,107 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+mkdir -p /opt/authentik
+wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
+cd /opt/authentik
+cat << EOF > .env
+PG_PASS=$(pwgen -s 40 1)
+AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+AUTHENTIK_AVATARS=initials
+COMPOSE_PORT_HTTP=80
+COMPOSE_PORT_HTTPS=443
+AUTHENTIK_EMAIL__HOST=
+AUTHENTIK_EMAIL__PORT=
+AUTHENTIK_EMAIL__USERNAME=
+AUTHENTIK_EMAIL__PASSWORD=
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=
+EOF
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your authentik intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
+esac
--- a/src/bookstack/constants-service.conf
+++ b/src/bookstack/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

--- a/src/checkmk/constants-service.conf
+++ b/src/checkmk/constants-service.conf
@ -19,8 +19,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # checkmk version
-CMK_VERSION=2.2.0p7
+CMK_VERSION=2.2.0p14
 # build number of the debian package (needs to start with underscore)
 CMK_BUILD=_0

@ -28,4 +31,4 @@ CMK_BUILD=_0
 LXC_MEM_MIN=2048

 # service dependent meta tags
-SERVICE_TAGS="apache2"
+SERVICE_TAGS="apache2"
--- a/src/debian-priv/constants-service.conf
+++ b/src/debian-priv/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512

--- a/src/debian-unpriv/constants-service.conf
+++ b/src/debian-unpriv/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512

--- a/src/docker/constants-service.conf
+++ b/src/docker/constants-service.conf
@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS=""
--- a/src/docker/install-service.sh
+++ b/src/docker/install-service.sh
@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac
--- a/src/ecodms/constants-service.conf
+++ b/src/ecodms/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # set ecodms release version
 ECODMS_RELEASE=ecodms_230164

--- a/src/gitea/constants-service.conf
+++ b/src/gitea/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the IP from the SQL server
 GITEA_DB_IP="127.0.0.1"

--- a/src/kimai/constants-service.conf
+++ b/src/kimai/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 #KIMAI_VERSION="main"

--- a/src/kopano-core/constants-service.conf
+++ b/src/kopano-core/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 KOPANO_VERSION="latest"

--- a/src/lxc-base.sh
+++ b/src/lxc-base.sh
@ -27,9 +27,9 @@ locale-gen $LXC_LOCALE
 if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then

 cat << EOF > /etc/apt/sources.list
-deb http://ftp.halifax.rwth-aachen.de/debian/ buster main contrib
+deb http://deb.debian.org/debian/ buster main contrib

-deb http://ftp.halifax.rwth-aachen.de/debian/ buster-updates main contrib
+deb http://deb.debian.org/debian/ buster-updates main contrib

 # security updates
 deb http://security.debian.org/debian-security buster/updates main contrib
@ -38,9 +38,9 @@ EOF
 elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then

 cat << EOF > /etc/apt/sources.list
-deb http://ftp.halifax.rwth-aachen.de/debian/ bullseye main contrib
+deb http://deb.debian.org/debian/ bullseye main contrib

-deb http://ftp.halifax.rwth-aachen.de/debian/ bullseye-updates main contrib
+deb http://deb.debian.org/debian/ bullseye-updates main contrib

 # security updates
 deb http://security.debian.org/debian-security bullseye-security main contrib
@ -49,9 +49,9 @@ EOF
 elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then

 cat << EOF > /etc/apt/sources.list
-deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm main contrib
+deb http://deb.debian.org/debian/ bookworm main contrib

-deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-updates main contrib
+deb http://deb.debian.org/debian/ bookworm-updates main contrib

 # security updates
 deb http://security.debian.org/debian-security bookworm-security main contrib
--- a/src/mailcow/constants-service.conf
+++ b/src/mailcow/constants-service.conf
@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=8192
+
+# service dependent meta tags
+SERVICE_TAGS="docker"
--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@ -0,0 +1,438 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+cd /opt
+git clone https://github.com/mailcow/mailcow-dockerized
+cd mailcow-dockerized
+
+cat << EOF > mailcow.conf
+# ------------------------------
+# mailcow web ui configuration
+# ------------------------------
+# example.org is _not_ a valid hostname, use a fqdn here.
+# Default admin user is "admin"
+# Default password is "moohoo"
+
+MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
+
+# Password hash algorithm
+# Only certain password hash algorithm are supported. For a fully list of supported schemes,
+# see https://docs.mailcow.email/models/model-passwd/
+MAILCOW_PASS_SCHEME=BLF-CRYPT
+
+# ------------------------------
+# SQL database configuration
+# ------------------------------
+
+DBNAME=mailcow
+DBUSER=mailcow
+
+# Please use long, random alphanumeric strings (A-Za-z0-9)
+
+DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+
+# ------------------------------
+# HTTP/S Bindings
+# ------------------------------
+
+# You should use HTTPS, but in case of SSL offloaded reverse proxies:
+# Might be important: This will also change the binding within the container.
+# If you use a proxy within Docker, point it to the ports you set below.
+# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
+# IMPORTANT: Do not use port 8081, 9081 or 65510!
+# Example: HTTP_BIND=1.2.3.4
+# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
+# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
+
+HTTP_PORT=80
+HTTP_BIND=
+
+HTTPS_PORT=443
+HTTPS_BIND=
+
+# ------------------------------
+# Other bindings
+# ------------------------------
+# You should leave that alone
+# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
+
+SMTP_PORT=25
+SMTPS_PORT=465
+SUBMISSION_PORT=587
+IMAP_PORT=143
+IMAPS_PORT=993
+POP_PORT=110
+POPS_PORT=995
+SIEVE_PORT=4190
+DOVEADM_PORT=127.0.0.1:19991
+SQL_PORT=127.0.0.1:13306
+SOLR_PORT=127.0.0.1:18983
+REDIS_PORT=127.0.0.1:7654
+
+# Your timezone
+# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
+# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
+
+TZ=${LXC_TIMEZONE}
+
+# Fixed project name
+# Please use lowercase letters only
+
+COMPOSE_PROJECT_NAME=mailcowdockerized
+
+# Used Docker Compose version
+# Switch here between native (compose plugin) and standalone
+# For more informations take a look at the mailcow docs regarding the configuration options.
+# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
+# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
+
+DOCKER_COMPOSE_VERSION=native
+
+# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
+# When enabled, ACL can be created, that apply to "All authenticated users"
+# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
+# Otherwise a user might share data with too many other users.
+ACL_ANYONE=disallow
+
+# Garbage collector cleanup
+# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
+# How long should objects remain in the garbage until they are being deleted? (value in minutes)
+# Check interval is hourly
+
+MAILDIR_GC_TIME=7200
+
+# Additional SAN for the certificate
+#
+# You can use wildcard records to create specific names for every domain you add to mailcow.
+# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
+#ADDITIONAL_SAN=imap.*,smtp.*
+# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
+# plus every domain you add in the future.
+#
+# You can also just add static names...
+#ADDITIONAL_SAN=srv1.example.net
+# ...or combine wildcard and static names:
+#ADDITIONAL_SAN=imap.*,srv1.example.com
+#
+
+ADDITIONAL_SAN=
+
+# Additional server names for mailcow UI
+#
+# Specify alternative addresses for the mailcow UI to respond to
+# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
+# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
+# You can understand this as server_name directive in Nginx.
+# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
+
+ADDITIONAL_SERVER_NAMES=
+
+# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
+
+SKIP_LETS_ENCRYPT=y
+
+# Create seperate certificates for all domains - y/n
+# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
+# see https://doc.dovecot.org/admin_manual/ssl/sni_support
+ENABLE_SSL_SNI=n
+
+# Skip IPv4 check in ACME container - y/n
+
+SKIP_IP_CHECK=n
+
+# Skip HTTP verification in ACME container - y/n
+
+SKIP_HTTP_VERIFICATION=n
+
+# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
+
+SKIP_CLAMD=n
+
+# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
+
+SKIP_SOGO=n
+
+# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
+
+SKIP_SOLR=n
+
+# Solr heap size in MB, there is no recommendation, please see Solr docs.
+# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
+
+SOLR_HEAP=1024
+
+# Allow admins to log into SOGo as email user (without any password)
+
+ALLOW_ADMIN_EMAIL_LOGIN=n
+
+# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
+
+USE_WATCHDOG=y
+
+# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
+# CAUTION:
+# 1. You should use external recipients
+# 2. Mails are sent unsigned (no DKIM)
+# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
+# Multiple rcpts allowed, NO quotation marks, NO spaces
+
+#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
+#WATCHDOG_NOTIFY_EMAIL=
+
+# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
+# You can use this to send notifications to services like Discord, Slack and others.
+#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# JSON body included in the webhook POST request. Needs to be in single quotes.
+# Following variables are available: SUBJECT, BODY
+#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
+
+# Notify about banned IP (includes whois lookup)
+WATCHDOG_NOTIFY_BAN=n
+
+# Send a notification when the watchdog is started.
+WATCHDOG_NOTIFY_START=y
+
+# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
+#WATCHDOG_SUBJECT=
+
+# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
+# https://www.servercow.de/mailcow?lang=en
+# https://www.servercow.de/mailcow?lang=de
+# No data is collected. Opt-in and anonymous.
+# Will only work with unmodified mailcow setups.
+WATCHDOG_EXTERNAL_CHECKS=n
+
+# Enable watchdog verbose logging
+WATCHDOG_VERBOSE=n
+
+# Max log lines per service to keep in Redis logs
+
+LOG_LINES=9999
+
+# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
+# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
+
+IPV4_NETWORK=172.22.1
+
+# Internal IPv6 subnet in fc00::/7
+# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
+
+IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
+
+# Use this IPv4 for outgoing connections (SNAT)
+
+#SNAT_TO_SOURCE=
+
+# Use this IPv6 for outgoing connections (SNAT)
+
+#SNAT6_TO_SOURCE=
+
+# Create or override an API key for the web UI
+# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
+# An API key defined as API_KEY has read-write access
+# An API key defined as API_KEY_READ_ONLY has read-only access
+# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
+# You can define API_KEY and/or API_KEY_READ_ONLY
+
+#API_KEY=
+#API_KEY_READ_ONLY=
+#API_ALLOW_FROM=172.22.1.1,127.0.0.1
+
+# mail_home is ~/Maildir
+MAILDIR_SUB=Maildir
+
+# SOGo session timeout in minutes
+SOGO_EXPIRE_SESSION=480
+
+# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
+# Empty by default to auto-generate master user and password on start.
+# User expands to DOVECOT_MASTER_USER@mailcow.local
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_USER=
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_PASS=
+
+# Let's Encrypt registration contact information
+# Optional: Leave empty for none
+# This value is only used on first order!
+# Setting it at a later point will require the following steps:
+# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
+ACME_CONTACT=
+
+# WebAuthn device manufacturer verification
+# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_ONLY_TRUSTED_VENDORS=n
+
+# Spamhaus Data Query Service Key
+# Optional: Leave empty for none
+# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist. 
+# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
+# Otherwise it will work normally.
+SPAMHAUS_DQS_KEY=
+
+EOF
+
+cat << EOF > data/conf/nginx/redirect.conf
+server {
+  root /web;
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  include /etc/nginx/conf.d/server_name.active;
+  if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
+  location ^~ /.well-known/acme-challenge/ {
+    allow all;
+    default_type "text/plain";
+  }
+  location / {
+    return 301 https://\$host\$uri\$is_args\$args;
+  }
+}
+EOF
+
+cat << EOF > /etc/cron.daily/mailcowbackup
+#!/bin/sh
+
+# Backup mailcow data
+# https://docs.mailcow.email/backup_restore/b_n_r-backup/
+
+set -e
+
+OUT="\$(mktemp)"
+export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
+SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
+PARAMETERS="backup all"
+OPTIONS="--delete-days 7"
+mkdir -p \$MAILCOW_BACKUP_LOCATION
+
+# run command
+set +e
+"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
+RESULT=\$?
+
+if [ \$RESULT -ne 0 ]
+    then
+            echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
+            echo "RESULT=\$RESULT"
+            echo "STDOUT / STDERR:"
+            cat "\$OUT"
+fi
+EOF
+
+chmod +x /etc/cron.daily/mailcowbackup
+
+cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
+#!/bin/bash
+if ! which check_mk_agent ; then
+  cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
+  status=\$?
+  if [ \$status -eq 3 ]; then
+    state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
+  elif [ \$status -eq 0 ]; then
+    state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
+  else
+    state="3 \"mailcow_update\" - Unknown output from update script ..."
+  fi
+  echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
+  mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
+fi
+exit
+EOF
+chmod +x /etc/cron.daily/checkmk-mailcow-update-check
+
+chmod 600 mailcow.conf
+
+mkdir -p data/assets/ssl
+
+openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
+
+openssl dhparam -out data/assets/ssl/dhparams.pem 2048
+cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
+mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
+systemctl restart nginx
+EOF
+chmod +x /etc/cron.monthly/generate-dhparams
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac
--- a/src/mailpiler/install-service.sh
+++ b/src/mailpiler/install-service.sh
@ -1,189 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/functions.sh
-source /root/zamba.conf
-source /root/constants-service.conf
-
-HOSTNAME=$(hostname -f)
-
-echo "Ensure your Hostname is set to your Piler FQDN!"
-
-echo $HOSTNAME
-
-if 
-    [ "$HOSTNAME" != "$PILER_FQDN" ]
-then
-        echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit
-else
-        echo "Hostname matches $PILER_FQDN, so starting installation."
-fi
-
-# install php
-wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
-echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
-
-apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
-add-apt-repository "deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian $(lsb_release -cs) main"
-
-apt update
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \
-unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \
-mariadb-server default-libmysqlclient-dev python3-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \
-php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix
-
-cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
-innodb_buffer_pool_size=256M
-innodb_flush_log_at_trx_commit=1
-innodb_log_buffer_size=64M
-innodb_log_file_size=16M
-query_cache_size=0
-query_cache_type=0
-query_cache_limit=2M
-EOF
-
-systemctl restart mariadb
-
-cd /tmp
-wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
-tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
-
-groupadd piler
-useradd -g piler -m -s /bin/bash -d /var/piler piler
-usermod -L piler
-chmod 755 /var/piler
-
-if [[ "$PILER_VERSION" == "latest" ]]; then
-        URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
-        PILER_VERSION=$(echo $URL | cut -d'-' -f2 | cut -d'.' -f1-3)
-        wget -O piler-$PILER_VERSION.tar.gz $URL
-else
-        wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
-fi
-tar -xvzf piler-$PILER_VERSION.tar.gz
-cd piler-$PILER_VERSION/
-./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
-make
-make install
-ldconfig
-
-cp util/postinstall.sh util/postinstall.sh.bak
-sed -i "s/   PILER_SMARTHOST=.*/   PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
-sed -i 's/   WWWGROUP=.*/   WWWGROUP="www-data"/' util/postinstall.sh
-
-make postinstall
-
-cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
-sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
-sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
-
-su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
-
-/etc/init.d/rc.piler start
-/etc/init.d/rc.searchd start
-
-update-rc.d rc.piler defaults
-update-rc.d rc.searchd defaults
-
-mkdir -p /etc/nginx/ssl
-openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
-
-cd /etc/nginx/sites-available
-cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
-ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
-
-sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
-sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
-
-sed -i "/server_name.*/a \\
-        listen 443 ssl http2;\n\n\
-        ssl_certificate /etc/nginx/ssl/piler.crt;\n\
-        ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
-        ssl_session_timeout 1d;\n\
-        ssl_session_cache shared:SSL:15m;\n\
-        ssl_session_tickets off;\n\n\
-        # modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
-        ssl_protocols TLSv1.2 TLSv1.3;\n\
-        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
-        ssl_prefer_server_ciphers off;\n\n\
-        add_header X-Frame-Options SAMEORIGIN;\n\
-        add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
-
-sed -i "/^server {.*/i\
-server {\n\
-        listen 80;\n\
-        server_name _;\n\
-        server_tokens off;\n\
-        # HTTP to HTTPS redirect.\n\
-        return 301 https://$PILER_FQDN;\n\
-}" /etc/nginx/sites-available/piler-nginx.conf
-
-unlink /etc/nginx/sites-enabled/default
-
-cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
-sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
-cat >> /usr/local/etc/piler/config-site.php <<EOF
-
-// CUSTOM
-\$config['PROVIDED_BY'] = '$PILER_FQDN';
-\$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
-\$config['COMPATIBILITY'] = '';
-
-// fancy features.
-\$config['ENABLE_INSTANT_SEARCH'] = 1;
-\$config['ENABLE_TABLE_RESIZE'] = 1;
-
-\$config['ENABLE_DELETE'] = 1;
-\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
-
-// general settings.
-\$config['TIMEZONE'] = '$LXC_TIMEZONE';
-
-// authentication
-// Enable authentication against an imap server
-//\$config['ENABLE_IMAP_AUTH'] = 1;
-//\$config['RESTORE_OVER_IMAP'] = 1;
-//\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
-//\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
-//\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['IMAP_PORT'] =  993;
-//\$config['IMAP_SSL'] = true;
-
-// authentication against an ldap directory (disabled by default)
-//\$config['ENABLE_LDAP_AUTH'] = 1;
-//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['LDAP_PORT'] = 389;
-//\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
-//\$config['LDAP_MAIL_ATTR'] = 'mail';
-//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
-//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
-//\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
-
-// authentication against an Uninvention based ldap directory 
-//\$config['ENABLE_LDAP_AUTH'] = 1;
-//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['LDAP_PORT'] = 7389;
-//\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
-//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
-//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
-//\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
-//\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
-//\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
-//\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
-
-// special settings.
-\$config['MEMCACHED_ENABLED'] = 1;
-\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
-EOF
-
-nginx -t && systemctl restart nginx
--- a/src/matrix/constants-service.conf
+++ b/src/matrix/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@ -8,7 +8,7 @@
 # This file contains the project constants on service level

 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"

 # Create sharefs mountpoint
 LXC_MP="1"
@ -19,11 +19,14 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 NEXTCLOUD_VERSION="latest"

 # Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.1"
+NEXTCLOUD_PHP_VERSION="8.2"

 # Defines the IP from the SQL server
 NEXTCLOUD_DB_IP="127.0.0.1"
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@ -14,19 +14,19 @@ source /root/constants-service.conf

 HOSTNAME=$(hostname -f)

-wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
 echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list

-wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
 echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list

-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
 echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list

 apt update

 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
-postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
+postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}

 timedatectl set-timezone $LXC_TIMEZONE
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
@ -76,7 +76,7 @@ sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXT
 sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
@ -113,6 +113,9 @@ set_real_ip_from 127.0.0.1;
 real_ip_header X-Forwarded-For;
 real_ip_recursive on;
 include /etc/nginx/mime.types;
+types {
+        text/javascript mjs;
+    }
 default_type application/octet-stream;
 sendfile on;
 send_timeout 3600;
@ -136,6 +139,10 @@ cat > /etc/nginx/conf.d/http.conf << EOF
 upstream php-handler {
 server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
 }
+map \$arg_v \$asset_immutable {
+    "" "";
+    default "immutable";
+}
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
@ -171,13 +178,15 @@ ssl_prefer_server_ciphers on;
 ssl_stapling on;
 ssl_stapling_verify on;
 client_max_body_size 5120M;
+client_body_timeout 300s;
+client_body_buffer_size 512k;
 fastcgi_buffers 64 4K;
 gzip on;
 gzip_vary on;
 gzip_comp_level 4;
 gzip_min_length 256;
 gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
 add_header Permissions-Policy                   "interest-cohort=()";
 add_header Referrer-Policy                      "no-referrer"   always;
@ -230,10 +239,13 @@ fastcgi_pass php-handler;
 fastcgi_intercept_errors on;
 fastcgi_request_buffering off;
 }
-location ~ \.(?:css|js|svg|gif)\$ {
+location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
 try_files \$uri /index.php\$request_uri;
 expires 6M;
 access_log off;
+    location ~ \.wasm$ {
+            default_type application/wasm;
+        }
 }
 location ~ \.woff2?\$ {
 try_files \$uri /index.php\$request_uri;
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048

--- a/src/onlyoffice/constants-service.conf
+++ b/src/onlyoffice/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 ONLYOFFICE_DB_HOST=localhost

 ONLYOFFICE_DB_NAME=onlyoffice
--- a/src/open3a/constants-service.conf
+++ b/src/open3a/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

--- a/src/piler/constants-service.conf
+++ b/src/piler/constants-service.conf
@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb,manticore"
--- a/src/piler/install-service.sh
+++ b/src/piler/install-service.sh
@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+source zamba.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
+
+echo -e "Installation of piler finished."
+echo -e "\nFor administration please visit the following Website:"
+echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/"
+echo -e "\nLogin with following credentials:"
+echo -e "\tUser: admin@local"
+echo -e "\tPass: pilerrocks"
+echo -e "\n\nPlease have a look the the GOBD notes (in German):"
+echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/gobd"
--- a/src/proxmox-pbs/constants-service.conf
+++ b/src/proxmox-pbs/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Backup ubdir where Urbackup will store backups
 PBS_DATA="backup"

--- a/src/rei3/constants-service.conf
+++ b/src/rei3/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+

 # Defines the IP from the SQL server
 REI3_DB_IP="127.0.0.1"
--- a/src/unifi/constants-service.conf
+++ b/src/unifi/constants-service.conf
@ -9,6 +9,8 @@

 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
+# !!!! Leave at debian 11, currently unifi depends on mongodb-server <= 4.4 and libssl1.1
+# libssl1.1 is unsupported on debian bookworm

 # Create sharefs mountpoint
 LXC_MP="0"
@ -19,6 +21,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048

--- a/src/unifi/install-service.sh
+++ b/src/unifi/install-service.sh
@ -11,10 +11,10 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf

-wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
+wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://pgp.mongodb.com/server-4.4.asc
 wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg

-echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
+echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
 echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 

 apt update
--- a/src/urbackup/constants-service.conf
+++ b/src/urbackup/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Backup ubdir where Urbackup will store backups
 URBACKUP_DATA="urbackup"

--- a/src/vaultwarden/constants-service.conf
+++ b/src/vaultwarden/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the name from the SQL database
 VAULTWARDEN_DB_NAME="vaultwarden"

--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@ -64,7 +64,6 @@ Group=vaultwarden
 EnvironmentFile=/var/lib/vaultwarden/.env
 ExecStart=/opt/vaultwarden/vaultwarden
 LimitNOFILE=1048576
-LimitNPROC=64
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
@ -161,4 +160,4 @@ unlink /etc/nginx/sites-enabled/default

 systemctl daemon-reload
 systemctl enable --now vaultwarden
-systemctl restart nginx
+systemctl restart nginx
--- a/src/zabbix/constants-service.conf
+++ b/src/zabbix/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+

 # Defines the IP from the SQL server
 ZABBIX_DB_IP="127.0.0.1"
--- a/src/zammad/constants-service.conf
+++ b/src/zammad/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096

--- a/src/zmb-ad-join/constants-service.conf
+++ b/src/zmb-ad-join/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # add optional features to samba ad dc

 # CURRENTLY SUPPORTED:
--- a/src/zmb-ad-join/install-service.sh
+++ b/src/zmb-ad-join/install-service.sh
@ -27,38 +27,40 @@ for f in ${OPTIONAL_FEATURES[@]}; do
  fi
 done

-## configure ntp
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-# No restrictions for "localhost"
-restrict 127.0.0.1
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-tinker panic 0
-EOF
-
-echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list

 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 	  cat << EOF > /etc/nginx/sites-available/default
 server {
--- a/src/zmb-ad/constants-service.conf
+++ b/src/zmb-ad/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # add optional features to samba ad dc

 # CURRENTLY SUPPORTED:
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@ -27,45 +27,40 @@ for f in ${OPTIONAL_FEATURES[@]}; do
  fi
 done

-## configure ntp
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-
-# No restrictions for "localhost"
-restrict 127.0.0.1
-
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-
-tinker panic 0
-EOF
-
-echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list

 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils

+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
  cat << EOF > /etc/nginx/sites-available/default
 server {
--- a/src/zmb-cups/constants-service.conf
+++ b/src/zmb-cups/constants-service.conf
@ -19,8 +19,11 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

 # service dependent meta tags
-SERVICE_TAGS="samba,member,fileserver"
+SERVICE_TAGS="samba,member,cups,printserver"
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@ -9,7 +9,7 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf

-echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list

 apt update

@ -106,4 +106,4 @@ systemctl disable --now cups-browsed.service

 cupsctl --remote-admin

-systemctl restart cups smbd nmbd winbind wsdd
+systemctl restart cups smbd nmbd winbind wsdd
--- a/src/zmb-member/constants-service.conf
+++ b/src/zmb-member/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

--- a/src/zmb-standalone/constants-service.conf
+++ b/src/zmb-standalone/constants-service.conf
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"

+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@ -12,7 +12,7 @@ source /root/constants-service.conf
 apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
 echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list

-echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list

 apt update