mirror of
https://github.com/bashclub/zamba-lxc-toolbox.git
synced 2024-12-25 11:40:12 +01:00
Merge branch 'dev' of https://github.com/bashclub/zamba-lxc-toolbox into dev
This commit is contained in:
commit
70b8561798
@ -114,10 +114,7 @@ ZMB_SHARE="share"
|
|||||||
|
|
||||||
############### Mailpiler-Section ###############
|
############### Mailpiler-Section ###############
|
||||||
|
|
||||||
# Defines the (public) FQDN of your piler mail archive
|
PILER_BRANCH=release
|
||||||
PILER_FQDN="mailpiler.zmb.rocks"
|
|
||||||
# Defines the smarthost for piler mail archive
|
|
||||||
PILER_SMARTHOST="mail.zmb.rocks"
|
|
||||||
|
|
||||||
############### Matrix-Section ###############
|
############### Matrix-Section ###############
|
||||||
|
|
||||||
@ -210,3 +207,8 @@ SEMAPHORE_ADMIN=admin
|
|||||||
SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
|
SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
|
||||||
SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
|
SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
|
||||||
SEMAPHORE_ADMIN_PASSWORD='Start123'
|
SEMAPHORE_ADMIN_PASSWORD='Start123'
|
||||||
|
|
||||||
|
############### docker Section ###############
|
||||||
|
|
||||||
|
# Install Portainer (=full), Protainer Agent (=agent) or none
|
||||||
|
PORTAINER=none
|
@ -149,7 +149,7 @@ sleep 2;
|
|||||||
# Check vlan configuration
|
# Check vlan configuration
|
||||||
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
|
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
|
||||||
# Reconfigure conatiner
|
# Reconfigure conatiner
|
||||||
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
|
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
|
||||||
if [ $LXC_DHCP == true ]; then
|
if [ $LXC_DHCP == true ]; then
|
||||||
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
|
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
|
||||||
else
|
else
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=1024
|
LXC_MEM_MIN=1024
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
# This file contains the project constants on service level
|
# This file contains the project constants on service level
|
||||||
|
|
||||||
# Debian Version, which will be installed
|
# Debian Version, which will be installed
|
||||||
LXC_TEMPLATE_VERSION="debian-11-standard"
|
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||||
|
|
||||||
# Create sharefs mountpoint
|
# Create sharefs mountpoint
|
||||||
LXC_MP="0"
|
LXC_MP="0"
|
||||||
@ -19,15 +19,11 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
# enable keyctl feature
|
||||||
PILER_VERSION="1.3.12"
|
LXC_KEYCTL="1"
|
||||||
# Defines the version of sphinx to install
|
|
||||||
PILER_SPHINX_VERSION="3.3.1"
|
|
||||||
# Defines the php version to install
|
|
||||||
PILER_PHP_VERSION="7.4"
|
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=1024
|
LXC_MEM_MIN=2048
|
||||||
|
|
||||||
# service dependent meta tags
|
# service dependent meta tags
|
||||||
SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx"
|
SERVICE_TAGS="docker"
|
107
src/authentik/install-service.sh
Normal file
107
src/authentik/install-service.sh
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Authors:
|
||||||
|
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||||
|
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||||
|
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||||
|
|
||||||
|
source /root/functions.sh
|
||||||
|
source /root/zamba.conf
|
||||||
|
source /root/constants-service.conf
|
||||||
|
|
||||||
|
# Add Docker's official GPG key:
|
||||||
|
install -m 0755 -d /etc/apt/keyrings
|
||||||
|
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||||
|
chmod a+r /etc/apt/keyrings/docker.gpg
|
||||||
|
|
||||||
|
# Add the repository to Apt sources:
|
||||||
|
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||||
|
apt-get update
|
||||||
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
|
||||||
|
|
||||||
|
SECRET=$(random_password)
|
||||||
|
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
|
||||||
|
|
||||||
|
install_portainer_full() {
|
||||||
|
mkdir -p /opt/portainer/data
|
||||||
|
cd /opt/portainer
|
||||||
|
cat << EOF > /opt/portainer/docker-compose.yml
|
||||||
|
version: "3.4"
|
||||||
|
|
||||||
|
services:
|
||||||
|
portainer:
|
||||||
|
restart: always
|
||||||
|
image: portainer/portainer:latest
|
||||||
|
volumes:
|
||||||
|
- ./data:/data
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
ports:
|
||||||
|
- "8000:8000"
|
||||||
|
- "9443:9443"
|
||||||
|
command: --admin-password-file=/data/admin_password
|
||||||
|
EOF
|
||||||
|
echo -n "$SECRET" > ./data/admin_password
|
||||||
|
|
||||||
|
docker compose pull
|
||||||
|
docker compose up -d
|
||||||
|
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
install_portainer_agent() {
|
||||||
|
mkdir -p /opt/portainer-agent/data
|
||||||
|
cd /opt/portainer-agent
|
||||||
|
cat << EOF > /opt/portainer-agent/docker-compose.yml
|
||||||
|
version: "3.4"
|
||||||
|
|
||||||
|
services:
|
||||||
|
portainer:
|
||||||
|
restart: always
|
||||||
|
image: portainer/agent:latest
|
||||||
|
volumes:
|
||||||
|
- /var/lib/docker/volumes:/var/lib/docker/volumes
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
ports:
|
||||||
|
- "9001:9001"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
docker compose pull
|
||||||
|
docker compose up -d
|
||||||
|
|
||||||
|
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
mkdir -p /opt/authentik
|
||||||
|
wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
|
||||||
|
cd /opt/authentik
|
||||||
|
cat << EOF > .env
|
||||||
|
PG_PASS=$(pwgen -s 40 1)
|
||||||
|
AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
|
||||||
|
AUTHENTIK_DISABLE_UPDATE_CHECK=false
|
||||||
|
AUTHENTIK_ERROR_REPORTING__ENABLED=false
|
||||||
|
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
|
||||||
|
AUTHENTIK_AVATARS=initials
|
||||||
|
COMPOSE_PORT_HTTP=80
|
||||||
|
COMPOSE_PORT_HTTPS=443
|
||||||
|
AUTHENTIK_EMAIL__HOST=
|
||||||
|
AUTHENTIK_EMAIL__PORT=
|
||||||
|
AUTHENTIK_EMAIL__USERNAME=
|
||||||
|
AUTHENTIK_EMAIL__PASSWORD=
|
||||||
|
# Use StartTLS
|
||||||
|
AUTHENTIK_EMAIL__USE_TLS=false
|
||||||
|
# Use SSL
|
||||||
|
AUTHENTIK_EMAIL__USE_SSL=false
|
||||||
|
AUTHENTIK_EMAIL__TIMEOUT=10
|
||||||
|
# Email address authentik will send from, should have a correct @domain
|
||||||
|
AUTHENTIK_EMAIL__FROM=
|
||||||
|
EOF
|
||||||
|
|
||||||
|
docker compose pull
|
||||||
|
docker compose up -d
|
||||||
|
|
||||||
|
case $PORTAINER in
|
||||||
|
full) install_portainer_full ;;
|
||||||
|
agent) install_portainer_agent ;;
|
||||||
|
*) echo -e "\n######################################################################\n\n Enjoy your authentik intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
|
||||||
|
esac
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=1024
|
LXC_MEM_MIN=1024
|
||||||
|
|
||||||
|
@ -19,8 +19,11 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# checkmk version
|
# checkmk version
|
||||||
CMK_VERSION=2.2.0p7
|
CMK_VERSION=2.2.0p14
|
||||||
# build number of the debian package (needs to start with underscore)
|
# build number of the debian package (needs to start with underscore)
|
||||||
CMK_BUILD=_0
|
CMK_BUILD=_0
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=512
|
LXC_MEM_MIN=512
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=512
|
LXC_MEM_MIN=512
|
||||||
|
|
||||||
|
29
src/docker/constants-service.conf
Normal file
29
src/docker/constants-service.conf
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Authors:
|
||||||
|
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||||
|
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||||
|
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||||
|
|
||||||
|
# This file contains the project constants on service level
|
||||||
|
|
||||||
|
# Debian Version, which will be installed
|
||||||
|
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||||
|
|
||||||
|
# Create sharefs mountpoint
|
||||||
|
LXC_MP="0"
|
||||||
|
|
||||||
|
# Create unprivileged container
|
||||||
|
LXC_UNPRIVILEGED="1"
|
||||||
|
|
||||||
|
# enable nesting feature
|
||||||
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="1"
|
||||||
|
|
||||||
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
|
LXC_MEM_MIN=2048
|
||||||
|
|
||||||
|
# service dependent meta tags
|
||||||
|
SERVICE_TAGS=""
|
79
src/docker/install-service.sh
Normal file
79
src/docker/install-service.sh
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Authors:
|
||||||
|
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||||
|
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||||
|
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||||
|
|
||||||
|
source /root/functions.sh
|
||||||
|
source /root/zamba.conf
|
||||||
|
source /root/constants-service.conf
|
||||||
|
|
||||||
|
# Add Docker's official GPG key:
|
||||||
|
install -m 0755 -d /etc/apt/keyrings
|
||||||
|
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||||
|
chmod a+r /etc/apt/keyrings/docker.gpg
|
||||||
|
|
||||||
|
# Add the repository to Apt sources:
|
||||||
|
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||||
|
apt-get update
|
||||||
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||||
|
|
||||||
|
SECRET=$(random_password)
|
||||||
|
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
|
||||||
|
|
||||||
|
install_portainer_full() {
|
||||||
|
mkdir -p /opt/portainer/data
|
||||||
|
cd /opt/portainer
|
||||||
|
cat << EOF > /opt/portainer/docker-compose.yml
|
||||||
|
version: "3.4"
|
||||||
|
|
||||||
|
services:
|
||||||
|
portainer:
|
||||||
|
restart: always
|
||||||
|
image: portainer/portainer:latest
|
||||||
|
volumes:
|
||||||
|
- ./data:/data
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
ports:
|
||||||
|
- "8000:8000"
|
||||||
|
- "9443:9443"
|
||||||
|
command: --admin-password-file=/data/admin_password
|
||||||
|
EOF
|
||||||
|
echo -n "$SECRET" > ./data/admin_password
|
||||||
|
|
||||||
|
docker compose pull
|
||||||
|
docker compose up -d
|
||||||
|
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
install_portainer_agent() {
|
||||||
|
mkdir -p /opt/portainer-agent/data
|
||||||
|
cd /opt/portainer-agent
|
||||||
|
cat << EOF > /opt/portainer-agent/docker-compose.yml
|
||||||
|
version: "3.4"
|
||||||
|
|
||||||
|
services:
|
||||||
|
portainer:
|
||||||
|
restart: always
|
||||||
|
image: portainer/agent:latest
|
||||||
|
volumes:
|
||||||
|
- /var/lib/docker/volumes:/var/lib/docker/volumes
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
ports:
|
||||||
|
- "9001:9001"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
docker compose pull
|
||||||
|
docker compose up -d
|
||||||
|
|
||||||
|
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
case $PORTAINER in
|
||||||
|
full) install_portainer_full ;;
|
||||||
|
agent) install_portainer_agent ;;
|
||||||
|
*) echo -e "\n######################################################################\n\n Enjoy your Docker intallation.\n\n######################################################################" ;;
|
||||||
|
esac
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# set ecodms release version
|
# set ecodms release version
|
||||||
ECODMS_RELEASE=ecodms_230164
|
ECODMS_RELEASE=ecodms_230164
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Defines the IP from the SQL server
|
# Defines the IP from the SQL server
|
||||||
GITEA_DB_IP="127.0.0.1"
|
GITEA_DB_IP="127.0.0.1"
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
||||||
#KIMAI_VERSION="main"
|
#KIMAI_VERSION="main"
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
||||||
KOPANO_VERSION="latest"
|
KOPANO_VERSION="latest"
|
||||||
|
|
||||||
|
@ -27,9 +27,9 @@ locale-gen $LXC_LOCALE
|
|||||||
if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
|
if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
|
||||||
|
|
||||||
cat << EOF > /etc/apt/sources.list
|
cat << EOF > /etc/apt/sources.list
|
||||||
deb http://ftp.halifax.rwth-aachen.de/debian/ buster main contrib
|
deb http://deb.debian.org/debian/ buster main contrib
|
||||||
|
|
||||||
deb http://ftp.halifax.rwth-aachen.de/debian/ buster-updates main contrib
|
deb http://deb.debian.org/debian/ buster-updates main contrib
|
||||||
|
|
||||||
# security updates
|
# security updates
|
||||||
deb http://security.debian.org/debian-security buster/updates main contrib
|
deb http://security.debian.org/debian-security buster/updates main contrib
|
||||||
@ -38,9 +38,9 @@ EOF
|
|||||||
elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
|
elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
|
||||||
|
|
||||||
cat << EOF > /etc/apt/sources.list
|
cat << EOF > /etc/apt/sources.list
|
||||||
deb http://ftp.halifax.rwth-aachen.de/debian/ bullseye main contrib
|
deb http://deb.debian.org/debian/ bullseye main contrib
|
||||||
|
|
||||||
deb http://ftp.halifax.rwth-aachen.de/debian/ bullseye-updates main contrib
|
deb http://deb.debian.org/debian/ bullseye-updates main contrib
|
||||||
|
|
||||||
# security updates
|
# security updates
|
||||||
deb http://security.debian.org/debian-security bullseye-security main contrib
|
deb http://security.debian.org/debian-security bullseye-security main contrib
|
||||||
@ -49,9 +49,9 @@ EOF
|
|||||||
elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
|
elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
|
||||||
|
|
||||||
cat << EOF > /etc/apt/sources.list
|
cat << EOF > /etc/apt/sources.list
|
||||||
deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm main contrib
|
deb http://deb.debian.org/debian/ bookworm main contrib
|
||||||
|
|
||||||
deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-updates main contrib
|
deb http://deb.debian.org/debian/ bookworm-updates main contrib
|
||||||
|
|
||||||
# security updates
|
# security updates
|
||||||
deb http://security.debian.org/debian-security bookworm-security main contrib
|
deb http://security.debian.org/debian-security bookworm-security main contrib
|
||||||
|
29
src/mailcow/constants-service.conf
Normal file
29
src/mailcow/constants-service.conf
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Authors:
|
||||||
|
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||||
|
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||||
|
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||||
|
|
||||||
|
# This file contains the project constants on service level
|
||||||
|
|
||||||
|
# Debian Version, which will be installed
|
||||||
|
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||||
|
|
||||||
|
# Create sharefs mountpoint
|
||||||
|
LXC_MP="1"
|
||||||
|
|
||||||
|
# Create unprivileged container
|
||||||
|
LXC_UNPRIVILEGED="1"
|
||||||
|
|
||||||
|
# enable nesting feature
|
||||||
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="1"
|
||||||
|
|
||||||
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
|
LXC_MEM_MIN=8192
|
||||||
|
|
||||||
|
# service dependent meta tags
|
||||||
|
SERVICE_TAGS="docker"
|
438
src/mailcow/install-service.sh
Normal file
438
src/mailcow/install-service.sh
Normal file
@ -0,0 +1,438 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Authors:
|
||||||
|
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||||
|
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||||
|
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||||
|
|
||||||
|
source /root/functions.sh
|
||||||
|
source /root/zamba.conf
|
||||||
|
source /root/constants-service.conf
|
||||||
|
|
||||||
|
# Add Docker's official GPG key:
|
||||||
|
install -m 0755 -d /etc/apt/keyrings
|
||||||
|
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||||
|
chmod a+r /etc/apt/keyrings/docker.gpg
|
||||||
|
|
||||||
|
# Add the repository to Apt sources:
|
||||||
|
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||||
|
apt-get update
|
||||||
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||||
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
|
||||||
|
|
||||||
|
SECRET=$(random_password)
|
||||||
|
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
|
||||||
|
|
||||||
|
install_portainer_full() {
|
||||||
|
mkdir -p /opt/portainer/data
|
||||||
|
cd /opt/portainer
|
||||||
|
cat << EOF > /opt/portainer/docker-compose.yml
|
||||||
|
version: "3.4"
|
||||||
|
|
||||||
|
services:
|
||||||
|
portainer:
|
||||||
|
restart: always
|
||||||
|
image: portainer/portainer:latest
|
||||||
|
volumes:
|
||||||
|
- ./data:/data
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
ports:
|
||||||
|
- "8000:8000"
|
||||||
|
- "9443:9443"
|
||||||
|
command: --admin-password-file=/data/admin_password
|
||||||
|
EOF
|
||||||
|
echo -n "$SECRET" > ./data/admin_password
|
||||||
|
|
||||||
|
docker compose pull
|
||||||
|
docker compose up -d
|
||||||
|
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
install_portainer_agent() {
|
||||||
|
mkdir -p /opt/portainer-agent/data
|
||||||
|
cd /opt/portainer-agent
|
||||||
|
cat << EOF > /opt/portainer-agent/docker-compose.yml
|
||||||
|
version: "3.4"
|
||||||
|
|
||||||
|
services:
|
||||||
|
portainer:
|
||||||
|
restart: always
|
||||||
|
image: portainer/agent:latest
|
||||||
|
volumes:
|
||||||
|
- /var/lib/docker/volumes:/var/lib/docker/volumes
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
ports:
|
||||||
|
- "9001:9001"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
docker compose pull
|
||||||
|
docker compose up -d
|
||||||
|
|
||||||
|
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
cd /opt
|
||||||
|
git clone https://github.com/mailcow/mailcow-dockerized
|
||||||
|
cd mailcow-dockerized
|
||||||
|
|
||||||
|
cat << EOF > mailcow.conf
|
||||||
|
# ------------------------------
|
||||||
|
# mailcow web ui configuration
|
||||||
|
# ------------------------------
|
||||||
|
# example.org is _not_ a valid hostname, use a fqdn here.
|
||||||
|
# Default admin user is "admin"
|
||||||
|
# Default password is "moohoo"
|
||||||
|
|
||||||
|
MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
|
||||||
|
|
||||||
|
# Password hash algorithm
|
||||||
|
# Only certain password hash algorithm are supported. For a fully list of supported schemes,
|
||||||
|
# see https://docs.mailcow.email/models/model-passwd/
|
||||||
|
MAILCOW_PASS_SCHEME=BLF-CRYPT
|
||||||
|
|
||||||
|
# ------------------------------
|
||||||
|
# SQL database configuration
|
||||||
|
# ------------------------------
|
||||||
|
|
||||||
|
DBNAME=mailcow
|
||||||
|
DBUSER=mailcow
|
||||||
|
|
||||||
|
# Please use long, random alphanumeric strings (A-Za-z0-9)
|
||||||
|
|
||||||
|
DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
|
||||||
|
DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
|
||||||
|
|
||||||
|
# ------------------------------
|
||||||
|
# HTTP/S Bindings
|
||||||
|
# ------------------------------
|
||||||
|
|
||||||
|
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
|
||||||
|
# Might be important: This will also change the binding within the container.
|
||||||
|
# If you use a proxy within Docker, point it to the ports you set below.
|
||||||
|
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
|
||||||
|
# IMPORTANT: Do not use port 8081, 9081 or 65510!
|
||||||
|
# Example: HTTP_BIND=1.2.3.4
|
||||||
|
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
|
||||||
|
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
|
||||||
|
|
||||||
|
HTTP_PORT=80
|
||||||
|
HTTP_BIND=
|
||||||
|
|
||||||
|
HTTPS_PORT=443
|
||||||
|
HTTPS_BIND=
|
||||||
|
|
||||||
|
# ------------------------------
|
||||||
|
# Other bindings
|
||||||
|
# ------------------------------
|
||||||
|
# You should leave that alone
|
||||||
|
# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
|
||||||
|
|
||||||
|
SMTP_PORT=25
|
||||||
|
SMTPS_PORT=465
|
||||||
|
SUBMISSION_PORT=587
|
||||||
|
IMAP_PORT=143
|
||||||
|
IMAPS_PORT=993
|
||||||
|
POP_PORT=110
|
||||||
|
POPS_PORT=995
|
||||||
|
SIEVE_PORT=4190
|
||||||
|
DOVEADM_PORT=127.0.0.1:19991
|
||||||
|
SQL_PORT=127.0.0.1:13306
|
||||||
|
SOLR_PORT=127.0.0.1:18983
|
||||||
|
REDIS_PORT=127.0.0.1:7654
|
||||||
|
|
||||||
|
# Your timezone
|
||||||
|
# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
|
||||||
|
# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
|
||||||
|
|
||||||
|
TZ=${LXC_TIMEZONE}
|
||||||
|
|
||||||
|
# Fixed project name
|
||||||
|
# Please use lowercase letters only
|
||||||
|
|
||||||
|
COMPOSE_PROJECT_NAME=mailcowdockerized
|
||||||
|
|
||||||
|
# Used Docker Compose version
|
||||||
|
# Switch here between native (compose plugin) and standalone
|
||||||
|
# For more informations take a look at the mailcow docs regarding the configuration options.
|
||||||
|
# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
|
||||||
|
# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
|
||||||
|
|
||||||
|
DOCKER_COMPOSE_VERSION=native
|
||||||
|
|
||||||
|
# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
|
||||||
|
# When enabled, ACL can be created, that apply to "All authenticated users"
|
||||||
|
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
|
||||||
|
# Otherwise a user might share data with too many other users.
|
||||||
|
ACL_ANYONE=disallow
|
||||||
|
|
||||||
|
# Garbage collector cleanup
|
||||||
|
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
|
||||||
|
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
|
||||||
|
# Check interval is hourly
|
||||||
|
|
||||||
|
MAILDIR_GC_TIME=7200
|
||||||
|
|
||||||
|
# Additional SAN for the certificate
|
||||||
|
#
|
||||||
|
# You can use wildcard records to create specific names for every domain you add to mailcow.
|
||||||
|
# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
|
||||||
|
#ADDITIONAL_SAN=imap.*,smtp.*
|
||||||
|
# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
|
||||||
|
# plus every domain you add in the future.
|
||||||
|
#
|
||||||
|
# You can also just add static names...
|
||||||
|
#ADDITIONAL_SAN=srv1.example.net
|
||||||
|
# ...or combine wildcard and static names:
|
||||||
|
#ADDITIONAL_SAN=imap.*,srv1.example.com
|
||||||
|
#
|
||||||
|
|
||||||
|
ADDITIONAL_SAN=
|
||||||
|
|
||||||
|
# Additional server names for mailcow UI
|
||||||
|
#
|
||||||
|
# Specify alternative addresses for the mailcow UI to respond to
|
||||||
|
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
|
||||||
|
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
|
||||||
|
# You can understand this as server_name directive in Nginx.
|
||||||
|
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
|
||||||
|
|
||||||
|
ADDITIONAL_SERVER_NAMES=
|
||||||
|
|
||||||
|
# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
|
||||||
|
|
||||||
|
SKIP_LETS_ENCRYPT=y
|
||||||
|
|
||||||
|
# Create seperate certificates for all domains - y/n
|
||||||
|
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
|
||||||
|
# see https://doc.dovecot.org/admin_manual/ssl/sni_support
|
||||||
|
ENABLE_SSL_SNI=n
|
||||||
|
|
||||||
|
# Skip IPv4 check in ACME container - y/n
|
||||||
|
|
||||||
|
SKIP_IP_CHECK=n
|
||||||
|
|
||||||
|
# Skip HTTP verification in ACME container - y/n
|
||||||
|
|
||||||
|
SKIP_HTTP_VERIFICATION=n
|
||||||
|
|
||||||
|
# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
|
||||||
|
|
||||||
|
SKIP_CLAMD=n
|
||||||
|
|
||||||
|
# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
|
||||||
|
|
||||||
|
SKIP_SOGO=n
|
||||||
|
|
||||||
|
# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
|
||||||
|
|
||||||
|
SKIP_SOLR=n
|
||||||
|
|
||||||
|
# Solr heap size in MB, there is no recommendation, please see Solr docs.
|
||||||
|
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
|
||||||
|
|
||||||
|
SOLR_HEAP=1024
|
||||||
|
|
||||||
|
# Allow admins to log into SOGo as email user (without any password)
|
||||||
|
|
||||||
|
ALLOW_ADMIN_EMAIL_LOGIN=n
|
||||||
|
|
||||||
|
# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
|
||||||
|
|
||||||
|
USE_WATCHDOG=y
|
||||||
|
|
||||||
|
# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
|
||||||
|
# CAUTION:
|
||||||
|
# 1. You should use external recipients
|
||||||
|
# 2. Mails are sent unsigned (no DKIM)
|
||||||
|
# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
|
||||||
|
# Multiple rcpts allowed, NO quotation marks, NO spaces
|
||||||
|
|
||||||
|
#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
|
||||||
|
#WATCHDOG_NOTIFY_EMAIL=
|
||||||
|
|
||||||
|
# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
|
||||||
|
# You can use this to send notifications to services like Discord, Slack and others.
|
||||||
|
#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||||
|
# JSON body included in the webhook POST request. Needs to be in single quotes.
|
||||||
|
# Following variables are available: SUBJECT, BODY
|
||||||
|
#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
|
||||||
|
|
||||||
|
# Notify about banned IP (includes whois lookup)
|
||||||
|
WATCHDOG_NOTIFY_BAN=n
|
||||||
|
|
||||||
|
# Send a notification when the watchdog is started.
|
||||||
|
WATCHDOG_NOTIFY_START=y
|
||||||
|
|
||||||
|
# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
|
||||||
|
#WATCHDOG_SUBJECT=
|
||||||
|
|
||||||
|
# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
|
||||||
|
# https://www.servercow.de/mailcow?lang=en
|
||||||
|
# https://www.servercow.de/mailcow?lang=de
|
||||||
|
# No data is collected. Opt-in and anonymous.
|
||||||
|
# Will only work with unmodified mailcow setups.
|
||||||
|
WATCHDOG_EXTERNAL_CHECKS=n
|
||||||
|
|
||||||
|
# Enable watchdog verbose logging
|
||||||
|
WATCHDOG_VERBOSE=n
|
||||||
|
|
||||||
|
# Max log lines per service to keep in Redis logs
|
||||||
|
|
||||||
|
LOG_LINES=9999
|
||||||
|
|
||||||
|
# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
|
||||||
|
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
|
||||||
|
|
||||||
|
IPV4_NETWORK=172.22.1
|
||||||
|
|
||||||
|
# Internal IPv6 subnet in fc00::/7
|
||||||
|
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
|
||||||
|
|
||||||
|
IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
|
||||||
|
|
||||||
|
# Use this IPv4 for outgoing connections (SNAT)
|
||||||
|
|
||||||
|
#SNAT_TO_SOURCE=
|
||||||
|
|
||||||
|
# Use this IPv6 for outgoing connections (SNAT)
|
||||||
|
|
||||||
|
#SNAT6_TO_SOURCE=
|
||||||
|
|
||||||
|
# Create or override an API key for the web UI
|
||||||
|
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
|
||||||
|
# An API key defined as API_KEY has read-write access
|
||||||
|
# An API key defined as API_KEY_READ_ONLY has read-only access
|
||||||
|
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
|
||||||
|
# You can define API_KEY and/or API_KEY_READ_ONLY
|
||||||
|
|
||||||
|
#API_KEY=
|
||||||
|
#API_KEY_READ_ONLY=
|
||||||
|
#API_ALLOW_FROM=172.22.1.1,127.0.0.1
|
||||||
|
|
||||||
|
# mail_home is ~/Maildir
|
||||||
|
MAILDIR_SUB=Maildir
|
||||||
|
|
||||||
|
# SOGo session timeout in minutes
|
||||||
|
SOGO_EXPIRE_SESSION=480
|
||||||
|
|
||||||
|
# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
|
||||||
|
# Empty by default to auto-generate master user and password on start.
|
||||||
|
# User expands to DOVECOT_MASTER_USER@mailcow.local
|
||||||
|
# LEAVE EMPTY IF UNSURE
|
||||||
|
DOVECOT_MASTER_USER=
|
||||||
|
# LEAVE EMPTY IF UNSURE
|
||||||
|
DOVECOT_MASTER_PASS=
|
||||||
|
|
||||||
|
# Let's Encrypt registration contact information
|
||||||
|
# Optional: Leave empty for none
|
||||||
|
# This value is only used on first order!
|
||||||
|
# Setting it at a later point will require the following steps:
|
||||||
|
# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
|
||||||
|
ACME_CONTACT=
|
||||||
|
|
||||||
|
# WebAuthn device manufacturer verification
|
||||||
|
# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
|
||||||
|
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
|
||||||
|
WEBAUTHN_ONLY_TRUSTED_VENDORS=n
|
||||||
|
|
||||||
|
# Spamhaus Data Query Service Key
|
||||||
|
# Optional: Leave empty for none
|
||||||
|
# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.
|
||||||
|
# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
|
||||||
|
# Otherwise it will work normally.
|
||||||
|
SPAMHAUS_DQS_KEY=
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat << EOF > data/conf/nginx/redirect.conf
|
||||||
|
server {
|
||||||
|
root /web;
|
||||||
|
listen 80 default_server;
|
||||||
|
listen [::]:80 default_server;
|
||||||
|
include /etc/nginx/conf.d/server_name.active;
|
||||||
|
if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
|
||||||
|
location ^~ /.well-known/acme-challenge/ {
|
||||||
|
allow all;
|
||||||
|
default_type "text/plain";
|
||||||
|
}
|
||||||
|
location / {
|
||||||
|
return 301 https://\$host\$uri\$is_args\$args;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat << EOF > /etc/cron.daily/mailcowbackup
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Backup mailcow data
|
||||||
|
# https://docs.mailcow.email/backup_restore/b_n_r-backup/
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
OUT="\$(mktemp)"
|
||||||
|
export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
|
||||||
|
SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
|
||||||
|
PARAMETERS="backup all"
|
||||||
|
OPTIONS="--delete-days 7"
|
||||||
|
mkdir -p \$MAILCOW_BACKUP_LOCATION
|
||||||
|
|
||||||
|
# run command
|
||||||
|
set +e
|
||||||
|
"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
|
||||||
|
RESULT=\$?
|
||||||
|
|
||||||
|
if [ \$RESULT -ne 0 ]
|
||||||
|
then
|
||||||
|
echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
|
||||||
|
echo "RESULT=\$RESULT"
|
||||||
|
echo "STDOUT / STDERR:"
|
||||||
|
cat "\$OUT"
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
|
||||||
|
chmod +x /etc/cron.daily/mailcowbackup
|
||||||
|
|
||||||
|
cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
|
||||||
|
#!/bin/bash
|
||||||
|
if ! which check_mk_agent ; then
|
||||||
|
cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
|
||||||
|
status=\$?
|
||||||
|
if [ \$status -eq 3 ]; then
|
||||||
|
state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
|
||||||
|
elif [ \$status -eq 0 ]; then
|
||||||
|
state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
|
||||||
|
else
|
||||||
|
state="3 \"mailcow_update\" - Unknown output from update script ..."
|
||||||
|
fi
|
||||||
|
echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
|
||||||
|
mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
|
||||||
|
fi
|
||||||
|
exit
|
||||||
|
EOF
|
||||||
|
chmod +x /etc/cron.daily/checkmk-mailcow-update-check
|
||||||
|
|
||||||
|
chmod 600 mailcow.conf
|
||||||
|
|
||||||
|
mkdir -p data/assets/ssl
|
||||||
|
|
||||||
|
openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
|
||||||
|
|
||||||
|
openssl dhparam -out data/assets/ssl/dhparams.pem 2048
|
||||||
|
cat << EOF > /etc/cron.monthly/generate-dhparams
|
||||||
|
#!/bin/bash
|
||||||
|
openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
|
||||||
|
mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
|
||||||
|
systemctl restart nginx
|
||||||
|
EOF
|
||||||
|
chmod +x /etc/cron.monthly/generate-dhparams
|
||||||
|
|
||||||
|
docker compose pull
|
||||||
|
docker compose up -d
|
||||||
|
|
||||||
|
case $PORTAINER in
|
||||||
|
full) install_portainer_full ;;
|
||||||
|
agent) install_portainer_agent ;;
|
||||||
|
*) echo -e "\n######################################################################\n\n Enjoy your Docker intallation.\n\n######################################################################" ;;
|
||||||
|
esac
|
@ -1,189 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Authors:
|
|
||||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
|
||||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
|
||||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
|
||||||
|
|
||||||
source /root/functions.sh
|
|
||||||
source /root/zamba.conf
|
|
||||||
source /root/constants-service.conf
|
|
||||||
|
|
||||||
HOSTNAME=$(hostname -f)
|
|
||||||
|
|
||||||
echo "Ensure your Hostname is set to your Piler FQDN!"
|
|
||||||
|
|
||||||
echo $HOSTNAME
|
|
||||||
|
|
||||||
if
|
|
||||||
[ "$HOSTNAME" != "$PILER_FQDN" ]
|
|
||||||
then
|
|
||||||
echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit
|
|
||||||
else
|
|
||||||
echo "Hostname matches $PILER_FQDN, so starting installation."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# install php
|
|
||||||
wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
|
|
||||||
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
|
|
||||||
|
|
||||||
apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
|
|
||||||
add-apt-repository "deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian $(lsb_release -cs) main"
|
|
||||||
|
|
||||||
apt update
|
|
||||||
|
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \
|
|
||||||
unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \
|
|
||||||
mariadb-server default-libmysqlclient-dev python3-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \
|
|
||||||
php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
|
|
||||||
|
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix
|
|
||||||
|
|
||||||
cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
|
|
||||||
innodb_buffer_pool_size=256M
|
|
||||||
innodb_flush_log_at_trx_commit=1
|
|
||||||
innodb_log_buffer_size=64M
|
|
||||||
innodb_log_file_size=16M
|
|
||||||
query_cache_size=0
|
|
||||||
query_cache_type=0
|
|
||||||
query_cache_limit=2M
|
|
||||||
EOF
|
|
||||||
|
|
||||||
systemctl restart mariadb
|
|
||||||
|
|
||||||
cd /tmp
|
|
||||||
wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
|
|
||||||
tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
|
|
||||||
|
|
||||||
groupadd piler
|
|
||||||
useradd -g piler -m -s /bin/bash -d /var/piler piler
|
|
||||||
usermod -L piler
|
|
||||||
chmod 755 /var/piler
|
|
||||||
|
|
||||||
if [[ "$PILER_VERSION" == "latest" ]]; then
|
|
||||||
URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
|
|
||||||
PILER_VERSION=$(echo $URL | cut -d'-' -f2 | cut -d'.' -f1-3)
|
|
||||||
wget -O piler-$PILER_VERSION.tar.gz $URL
|
|
||||||
else
|
|
||||||
wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
|
|
||||||
fi
|
|
||||||
tar -xvzf piler-$PILER_VERSION.tar.gz
|
|
||||||
cd piler-$PILER_VERSION/
|
|
||||||
./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
|
|
||||||
make
|
|
||||||
make install
|
|
||||||
ldconfig
|
|
||||||
|
|
||||||
cp util/postinstall.sh util/postinstall.sh.bak
|
|
||||||
sed -i "s/ PILER_SMARTHOST=.*/ PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
|
|
||||||
sed -i 's/ WWWGROUP=.*/ WWWGROUP="www-data"/' util/postinstall.sh
|
|
||||||
|
|
||||||
make postinstall
|
|
||||||
|
|
||||||
cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
|
|
||||||
sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
|
|
||||||
sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
|
|
||||||
|
|
||||||
su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
|
|
||||||
|
|
||||||
/etc/init.d/rc.piler start
|
|
||||||
/etc/init.d/rc.searchd start
|
|
||||||
|
|
||||||
update-rc.d rc.piler defaults
|
|
||||||
update-rc.d rc.searchd defaults
|
|
||||||
|
|
||||||
mkdir -p /etc/nginx/ssl
|
|
||||||
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
|
|
||||||
|
|
||||||
cd /etc/nginx/sites-available
|
|
||||||
cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
|
|
||||||
ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
|
|
||||||
|
|
||||||
sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
|
|
||||||
sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
|
|
||||||
|
|
||||||
sed -i "/server_name.*/a \\
|
|
||||||
listen 443 ssl http2;\n\n\
|
|
||||||
ssl_certificate /etc/nginx/ssl/piler.crt;\n\
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
|
|
||||||
ssl_session_timeout 1d;\n\
|
|
||||||
ssl_session_cache shared:SSL:15m;\n\
|
|
||||||
ssl_session_tickets off;\n\n\
|
|
||||||
# modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;\n\
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
|
|
||||||
ssl_prefer_server_ciphers off;\n\n\
|
|
||||||
add_header X-Frame-Options SAMEORIGIN;\n\
|
|
||||||
add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
|
|
||||||
|
|
||||||
sed -i "/^server {.*/i\
|
|
||||||
server {\n\
|
|
||||||
listen 80;\n\
|
|
||||||
server_name _;\n\
|
|
||||||
server_tokens off;\n\
|
|
||||||
# HTTP to HTTPS redirect.\n\
|
|
||||||
return 301 https://$PILER_FQDN;\n\
|
|
||||||
}" /etc/nginx/sites-available/piler-nginx.conf
|
|
||||||
|
|
||||||
unlink /etc/nginx/sites-enabled/default
|
|
||||||
|
|
||||||
cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
|
|
||||||
sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
|
|
||||||
cat >> /usr/local/etc/piler/config-site.php <<EOF
|
|
||||||
|
|
||||||
// CUSTOM
|
|
||||||
\$config['PROVIDED_BY'] = '$PILER_FQDN';
|
|
||||||
\$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
|
|
||||||
\$config['COMPATIBILITY'] = '';
|
|
||||||
|
|
||||||
// fancy features.
|
|
||||||
\$config['ENABLE_INSTANT_SEARCH'] = 1;
|
|
||||||
\$config['ENABLE_TABLE_RESIZE'] = 1;
|
|
||||||
|
|
||||||
\$config['ENABLE_DELETE'] = 1;
|
|
||||||
\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
|
|
||||||
|
|
||||||
// general settings.
|
|
||||||
\$config['TIMEZONE'] = '$LXC_TIMEZONE';
|
|
||||||
|
|
||||||
// authentication
|
|
||||||
// Enable authentication against an imap server
|
|
||||||
//\$config['ENABLE_IMAP_AUTH'] = 1;
|
|
||||||
//\$config['RESTORE_OVER_IMAP'] = 1;
|
|
||||||
//\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
|
|
||||||
//\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
|
|
||||||
//\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
|
|
||||||
//\$config['IMAP_PORT'] = 993;
|
|
||||||
//\$config['IMAP_SSL'] = true;
|
|
||||||
|
|
||||||
// authentication against an ldap directory (disabled by default)
|
|
||||||
//\$config['ENABLE_LDAP_AUTH'] = 1;
|
|
||||||
//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
|
|
||||||
//\$config['LDAP_PORT'] = 389;
|
|
||||||
//\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
|
|
||||||
//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
|
|
||||||
//\$config['LDAP_MAIL_ATTR'] = 'mail';
|
|
||||||
//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
|
|
||||||
//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
|
|
||||||
//\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
|
|
||||||
|
|
||||||
// authentication against an Uninvention based ldap directory
|
|
||||||
//\$config['ENABLE_LDAP_AUTH'] = 1;
|
|
||||||
//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
|
|
||||||
//\$config['LDAP_PORT'] = 7389;
|
|
||||||
//\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
|
|
||||||
//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
|
|
||||||
//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
|
|
||||||
//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
|
|
||||||
//\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
|
|
||||||
//\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
|
|
||||||
//\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
|
|
||||||
//\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
|
|
||||||
//\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
|
|
||||||
|
|
||||||
// special settings.
|
|
||||||
\$config['MEMCACHED_ENABLED'] = 1;
|
|
||||||
\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
|
|
||||||
EOF
|
|
||||||
|
|
||||||
nginx -t && systemctl restart nginx
|
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=1024
|
LXC_MEM_MIN=1024
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
# This file contains the project constants on service level
|
# This file contains the project constants on service level
|
||||||
|
|
||||||
# Debian Version, which will be installed
|
# Debian Version, which will be installed
|
||||||
LXC_TEMPLATE_VERSION="debian-11-standard"
|
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||||
|
|
||||||
# Create sharefs mountpoint
|
# Create sharefs mountpoint
|
||||||
LXC_MP="1"
|
LXC_MP="1"
|
||||||
@ -19,11 +19,14 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
||||||
NEXTCLOUD_VERSION="latest"
|
NEXTCLOUD_VERSION="latest"
|
||||||
|
|
||||||
# Defines the php version to install
|
# Defines the php version to install
|
||||||
NEXTCLOUD_PHP_VERSION="8.1"
|
NEXTCLOUD_PHP_VERSION="8.2"
|
||||||
|
|
||||||
# Defines the IP from the SQL server
|
# Defines the IP from the SQL server
|
||||||
NEXTCLOUD_DB_IP="127.0.0.1"
|
NEXTCLOUD_DB_IP="127.0.0.1"
|
||||||
|
@ -14,19 +14,19 @@ source /root/constants-service.conf
|
|||||||
|
|
||||||
HOSTNAME=$(hostname -f)
|
HOSTNAME=$(hostname -f)
|
||||||
|
|
||||||
wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
|
wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
|
||||||
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
|
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
|
||||||
|
|
||||||
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
|
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
|
||||||
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
|
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
|
||||||
|
|
||||||
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
|
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
|
||||||
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
|
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
|
||||||
|
|
||||||
apt update
|
apt update
|
||||||
|
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
|
||||||
postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
|
postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
|
||||||
|
|
||||||
timedatectl set-timezone $LXC_TIMEZONE
|
timedatectl set-timezone $LXC_TIMEZONE
|
||||||
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
|
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
|
||||||
@ -76,7 +76,7 @@ sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXT
|
|||||||
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
||||||
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
||||||
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
||||||
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
||||||
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
||||||
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
||||||
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
|
||||||
@ -113,6 +113,9 @@ set_real_ip_from 127.0.0.1;
|
|||||||
real_ip_header X-Forwarded-For;
|
real_ip_header X-Forwarded-For;
|
||||||
real_ip_recursive on;
|
real_ip_recursive on;
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
|
types {
|
||||||
|
text/javascript mjs;
|
||||||
|
}
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
sendfile on;
|
sendfile on;
|
||||||
send_timeout 3600;
|
send_timeout 3600;
|
||||||
@ -136,6 +139,10 @@ cat > /etc/nginx/conf.d/http.conf << EOF
|
|||||||
upstream php-handler {
|
upstream php-handler {
|
||||||
server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
|
server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
|
||||||
}
|
}
|
||||||
|
map \$arg_v \$asset_immutable {
|
||||||
|
"" "";
|
||||||
|
default "immutable";
|
||||||
|
}
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
@ -171,13 +178,15 @@ ssl_prefer_server_ciphers on;
|
|||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
client_max_body_size 5120M;
|
client_max_body_size 5120M;
|
||||||
|
client_body_timeout 300s;
|
||||||
|
client_body_buffer_size 512k;
|
||||||
fastcgi_buffers 64 4K;
|
fastcgi_buffers 64 4K;
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_vary on;
|
gzip_vary on;
|
||||||
gzip_comp_level 4;
|
gzip_comp_level 4;
|
||||||
gzip_min_length 256;
|
gzip_min_length 256;
|
||||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||||
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
||||||
add_header Permissions-Policy "interest-cohort=()";
|
add_header Permissions-Policy "interest-cohort=()";
|
||||||
add_header Referrer-Policy "no-referrer" always;
|
add_header Referrer-Policy "no-referrer" always;
|
||||||
@ -230,10 +239,13 @@ fastcgi_pass php-handler;
|
|||||||
fastcgi_intercept_errors on;
|
fastcgi_intercept_errors on;
|
||||||
fastcgi_request_buffering off;
|
fastcgi_request_buffering off;
|
||||||
}
|
}
|
||||||
location ~ \.(?:css|js|svg|gif)\$ {
|
location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
|
||||||
try_files \$uri /index.php\$request_uri;
|
try_files \$uri /index.php\$request_uri;
|
||||||
expires 6M;
|
expires 6M;
|
||||||
access_log off;
|
access_log off;
|
||||||
|
location ~ \.wasm$ {
|
||||||
|
default_type application/wasm;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
location ~ \.woff2?\$ {
|
location ~ \.woff2?\$ {
|
||||||
try_files \$uri /index.php\$request_uri;
|
try_files \$uri /index.php\$request_uri;
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=2048
|
LXC_MEM_MIN=2048
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
ONLYOFFICE_DB_HOST=localhost
|
ONLYOFFICE_DB_HOST=localhost
|
||||||
|
|
||||||
ONLYOFFICE_DB_NAME=onlyoffice
|
ONLYOFFICE_DB_NAME=onlyoffice
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=1024
|
LXC_MEM_MIN=1024
|
||||||
|
|
||||||
|
27
src/piler/constants-service.conf
Normal file
27
src/piler/constants-service.conf
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Authors:
|
||||||
|
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
|
||||||
|
|
||||||
|
# This file contains the project constants on service level
|
||||||
|
|
||||||
|
# Debian Version, which will be installed
|
||||||
|
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||||
|
|
||||||
|
# Create sharefs mountpoint
|
||||||
|
LXC_MP="0"
|
||||||
|
|
||||||
|
# Create unprivileged container
|
||||||
|
LXC_UNPRIVILEGED="1"
|
||||||
|
|
||||||
|
# enable nesting feature
|
||||||
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
|
LXC_MEM_MIN=1024
|
||||||
|
|
||||||
|
# service dependent meta tags
|
||||||
|
SERVICE_TAGS="php-fpm,nginx,mariadb,manticore"
|
23
src/piler/install-service.sh
Normal file
23
src/piler/install-service.sh
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Author:
|
||||||
|
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
|
||||||
|
|
||||||
|
source zamba.conf
|
||||||
|
|
||||||
|
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
|
||||||
|
|
||||||
|
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
|
||||||
|
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
|
||||||
|
apt update
|
||||||
|
|
||||||
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
|
||||||
|
|
||||||
|
echo -e "Installation of piler finished."
|
||||||
|
echo -e "\nFor administration please visit the following Website:"
|
||||||
|
echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/"
|
||||||
|
echo -e "\nLogin with following credentials:"
|
||||||
|
echo -e "\tUser: admin@local"
|
||||||
|
echo -e "\tPass: pilerrocks"
|
||||||
|
echo -e "\n\nPlease have a look the the GOBD notes (in German):"
|
||||||
|
echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/gobd"
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Backup ubdir where Urbackup will store backups
|
# Backup ubdir where Urbackup will store backups
|
||||||
PBS_DATA="backup"
|
PBS_DATA="backup"
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
|
|
||||||
# Defines the IP from the SQL server
|
# Defines the IP from the SQL server
|
||||||
REI3_DB_IP="127.0.0.1"
|
REI3_DB_IP="127.0.0.1"
|
||||||
|
@ -9,6 +9,8 @@
|
|||||||
|
|
||||||
# Debian Version, which will be installed
|
# Debian Version, which will be installed
|
||||||
LXC_TEMPLATE_VERSION="debian-11-standard"
|
LXC_TEMPLATE_VERSION="debian-11-standard"
|
||||||
|
# !!!! Leave at debian 11, currently unifi depends on mongodb-server <= 4.4 and libssl1.1
|
||||||
|
# libssl1.1 is unsupported on debian bookworm
|
||||||
|
|
||||||
# Create sharefs mountpoint
|
# Create sharefs mountpoint
|
||||||
LXC_MP="0"
|
LXC_MP="0"
|
||||||
@ -19,6 +21,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=2048
|
LXC_MEM_MIN=2048
|
||||||
|
|
||||||
|
@ -11,10 +11,10 @@ source /root/functions.sh
|
|||||||
source /root/zamba.conf
|
source /root/zamba.conf
|
||||||
source /root/constants-service.conf
|
source /root/constants-service.conf
|
||||||
|
|
||||||
wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
|
wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://pgp.mongodb.com/server-4.4.asc
|
||||||
wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
|
wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
|
||||||
|
|
||||||
echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
|
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
|
||||||
echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
|
echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
|
||||||
|
|
||||||
apt update
|
apt update
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Backup ubdir where Urbackup will store backups
|
# Backup ubdir where Urbackup will store backups
|
||||||
URBACKUP_DATA="urbackup"
|
URBACKUP_DATA="urbackup"
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Defines the name from the SQL database
|
# Defines the name from the SQL database
|
||||||
VAULTWARDEN_DB_NAME="vaultwarden"
|
VAULTWARDEN_DB_NAME="vaultwarden"
|
||||||
|
|
||||||
|
@ -64,7 +64,6 @@ Group=vaultwarden
|
|||||||
EnvironmentFile=/var/lib/vaultwarden/.env
|
EnvironmentFile=/var/lib/vaultwarden/.env
|
||||||
ExecStart=/opt/vaultwarden/vaultwarden
|
ExecStart=/opt/vaultwarden/vaultwarden
|
||||||
LimitNOFILE=1048576
|
LimitNOFILE=1048576
|
||||||
LimitNPROC=64
|
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
PrivateDevices=true
|
PrivateDevices=true
|
||||||
ProtectHome=true
|
ProtectHome=true
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
|
|
||||||
# Defines the IP from the SQL server
|
# Defines the IP from the SQL server
|
||||||
ZABBIX_DB_IP="127.0.0.1"
|
ZABBIX_DB_IP="127.0.0.1"
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=4096
|
LXC_MEM_MIN=4096
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# add optional features to samba ad dc
|
# add optional features to samba ad dc
|
||||||
|
|
||||||
# CURRENTLY SUPPORTED:
|
# CURRENTLY SUPPORTED:
|
||||||
|
@ -27,38 +27,40 @@ for f in ${OPTIONAL_FEATURES[@]}; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
## configure ntp
|
echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||||
cat << EOF > /etc/ntp.conf
|
|
||||||
# Local clock. Note that is not the "localhost" address!
|
|
||||||
server 127.127.1.0
|
|
||||||
fudge 127.127.1.0 stratum 10
|
|
||||||
# Where to retrieve the time from
|
|
||||||
server 0.de.pool.ntp.org iburst prefer
|
|
||||||
server 1.de.pool.ntp.org iburst prefer
|
|
||||||
server 2.de.pool.ntp.org iburst prefer
|
|
||||||
driftfile /var/lib/ntp/ntp.drift
|
|
||||||
logfile /var/log/ntp
|
|
||||||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
|
|
||||||
# Access control
|
|
||||||
# Default restriction: Allow clients only to query the time
|
|
||||||
restrict default kod nomodify notrap nopeer mssntp
|
|
||||||
# No restrictions for "localhost"
|
|
||||||
restrict 127.0.0.1
|
|
||||||
# Enable the time sources to only provide time to this host
|
|
||||||
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
tinker panic 0
|
|
||||||
EOF
|
|
||||||
|
|
||||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
|
||||||
|
|
||||||
# update packages
|
# update packages
|
||||||
apt update
|
apt update
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
||||||
# install required packages
|
# install required packages
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
|
||||||
|
|
||||||
|
mkdir -p /etc/chrony/conf.d
|
||||||
|
mkdir -p /etc/systemd/system/chrony.service.d
|
||||||
|
|
||||||
|
cat << EOF > /etc/default/chrony
|
||||||
|
# This is a configuration file for /etc/init.d/chrony and
|
||||||
|
# /lib/systemd/system/chrony.service; it allows you to pass various options to
|
||||||
|
# the chrony daemon without editing the init script or service file.
|
||||||
|
|
||||||
|
# Options to pass to chrony.
|
||||||
|
DAEMON_OPTS="-x -F 1"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
|
||||||
|
[Unit]
|
||||||
|
ConditionCapability=
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat << EOF > /etc/chrony/conf.d/samba.conf
|
||||||
|
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
|
||||||
|
server de.pool.ntp.org iburst
|
||||||
|
server europe.pool.ntp.org iburst
|
||||||
|
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
|
||||||
|
ntpsigndsocket /var/lib/samba/ntp_signd
|
||||||
|
EOF
|
||||||
|
|
||||||
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
|
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
|
||||||
cat << EOF > /etc/nginx/sites-available/default
|
cat << EOF > /etc/nginx/sites-available/default
|
||||||
server {
|
server {
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# add optional features to samba ad dc
|
# add optional features to samba ad dc
|
||||||
|
|
||||||
# CURRENTLY SUPPORTED:
|
# CURRENTLY SUPPORTED:
|
||||||
|
@ -27,45 +27,40 @@ for f in ${OPTIONAL_FEATURES[@]}; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
## configure ntp
|
echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||||
cat << EOF > /etc/ntp.conf
|
|
||||||
# Local clock. Note that is not the "localhost" address!
|
|
||||||
server 127.127.1.0
|
|
||||||
fudge 127.127.1.0 stratum 10
|
|
||||||
|
|
||||||
# Where to retrieve the time from
|
|
||||||
server 0.de.pool.ntp.org iburst prefer
|
|
||||||
server 1.de.pool.ntp.org iburst prefer
|
|
||||||
server 2.de.pool.ntp.org iburst prefer
|
|
||||||
|
|
||||||
driftfile /var/lib/ntp/ntp.drift
|
|
||||||
logfile /var/log/ntp
|
|
||||||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
|
|
||||||
|
|
||||||
# Access control
|
|
||||||
# Default restriction: Allow clients only to query the time
|
|
||||||
restrict default kod nomodify notrap nopeer mssntp
|
|
||||||
|
|
||||||
# No restrictions for "localhost"
|
|
||||||
restrict 127.0.0.1
|
|
||||||
|
|
||||||
# Enable the time sources to only provide time to this host
|
|
||||||
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
|
||||||
|
|
||||||
tinker panic 0
|
|
||||||
EOF
|
|
||||||
|
|
||||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
|
||||||
|
|
||||||
# update packages
|
# update packages
|
||||||
apt update
|
apt update
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
||||||
# install required packages
|
# install required packages
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
|
||||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
|
||||||
|
|
||||||
|
mkdir -p /etc/chrony/conf.d
|
||||||
|
mkdir -p /etc/systemd/system/chrony.service.d
|
||||||
|
|
||||||
|
cat << EOF > /etc/default/chrony
|
||||||
|
# This is a configuration file for /etc/init.d/chrony and
|
||||||
|
# /lib/systemd/system/chrony.service; it allows you to pass various options to
|
||||||
|
# the chrony daemon without editing the init script or service file.
|
||||||
|
|
||||||
|
# Options to pass to chrony.
|
||||||
|
DAEMON_OPTS="-x -F 1"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
|
||||||
|
[Unit]
|
||||||
|
ConditionCapability=
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat << EOF > /etc/chrony/conf.d/samba.conf
|
||||||
|
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
|
||||||
|
server de.pool.ntp.org iburst
|
||||||
|
server europe.pool.ntp.org iburst
|
||||||
|
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
|
||||||
|
ntpsigndsocket /var/lib/samba/ntp_signd
|
||||||
|
EOF
|
||||||
|
|
||||||
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
|
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
|
||||||
cat << EOF > /etc/nginx/sites-available/default
|
cat << EOF > /etc/nginx/sites-available/default
|
||||||
server {
|
server {
|
||||||
|
@ -19,8 +19,11 @@ LXC_UNPRIVILEGED="0"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=1024
|
LXC_MEM_MIN=1024
|
||||||
|
|
||||||
# service dependent meta tags
|
# service dependent meta tags
|
||||||
SERVICE_TAGS="samba,member,fileserver"
|
SERVICE_TAGS="samba,member,cups,printserver"
|
@ -9,7 +9,7 @@ source /root/functions.sh
|
|||||||
source /root/zamba.conf
|
source /root/zamba.conf
|
||||||
source /root/constants-service.conf
|
source /root/constants-service.conf
|
||||||
|
|
||||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||||
|
|
||||||
apt update
|
apt update
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=1024
|
LXC_MEM_MIN=1024
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
|||||||
# enable nesting feature
|
# enable nesting feature
|
||||||
LXC_NESTING="1"
|
LXC_NESTING="1"
|
||||||
|
|
||||||
|
# enable keyctl feature
|
||||||
|
LXC_KEYCTL="0"
|
||||||
|
|
||||||
# Sets the minimum amount of RAM the service needs for operation
|
# Sets the minimum amount of RAM the service needs for operation
|
||||||
LXC_MEM_MIN=1024
|
LXC_MEM_MIN=1024
|
||||||
|
|
||||||
|
@ -12,7 +12,7 @@ source /root/constants-service.conf
|
|||||||
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
|
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
|
||||||
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
|
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
|
||||||
|
|
||||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||||
|
|
||||||
apt update
|
apt update
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user