Merge pull request #20 from bashclub/devel

Reworked install.sh, implemented #6, updated doc, created .gitignore
Preparing first release

.gitignore

@@ -0,0 +1,2 @@
+*__pycache__*
+.vscode/*

CHANGELOG.md

@@ -0,0 +1,12 @@
+**** Zamba LXC Toolbox v0.1 ****
+- `locales` are now configured noninteractive #21
+- timezone is now configured with `pct set` command in `install.sh` #22
+- changed command sequence in `install.sh` - select container first, then start the installation
+- improved / updated documentation
+- replaced `just-lxc` container by `debian-priv` and `debian-unpriv` container
+- (un)privileged now defined as constant based on created service #6
+- improved log messages in `install.sh`
+- `mailpiler`: website is now also `default_host`, removed nginx default site, dns entry is still required
+- changed `mailpiler` version to 1.3.11
+- changed `element-web` version to 1.7.25
+- `LXC_AUTHORIZED_KEY` variable now defines an `authorized_keys` file, by default the configuration of you proxmox host will be inherited (`~/.ssh/authorized_keys`)

README.md

@@ -7,12 +7,13 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna
 ### Requirements
 Proxmox VE Server with at least one configured ZFS Pool.
 ### Included services:
-- `just-lxc` => Debian LXC Container only
-- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
-- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support
 - `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
+- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
+- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
 - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
 - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
+- `debian-unpriv` => Debian unprivileged container with basic toolset
+- `debian-unpriv` => Debian privileged container with basic toolset
 ## Usage
 Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
 ```bash

debian-unpriv.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+dpkg-reconfigure locales
+
+source /root/zamba.conf
+
+# Set Timezone
+ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
+sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc

install.sh

@@ -17,7 +17,60 @@
 ############### ZAMBA INSTALL SCRIPT ###############
 
 # Load configuration file
-source ./zamba.conf
+source $PWD/zamba.conf
+
+LXC_MP="0"
+LXC_UNPRIVILEGED="1"
+LXC_NESTING="0"
+
+select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
+  case $opt in
+    debian-unpriv)
+      echo "Debian-only LXC container unprivileged mode selected"
+      break
+      ;;
+    debian-priv)
+      echo "Debian-only LXC container privileged mode selected"
+      LXC_UNPRIVILEGED="0"
+      break
+      ;;
+    zmb-standalone)
+      echo "Configuring LXC container '$opt'!"
+      LXC_MP="1"
+      LXC_UNPRIVILEGED="0"
+      break
+      ;;
+    zmb-member)
+      echo "Configuring LXC container '$opt'!"
+      LXC_MP="1"
+      LXC_UNPRIVILEGED="0"
+      break
+      ;;
+    zmb-ad)
+      echo "Selected Zamba AD DC"
+      LXC_NESTING="1"
+      LXC_UNPRIVILEGED="0"
+      break
+      ;;
+    mailpiler)
+      echo "Configuring LXC container for '$opt'!"
+      LXC_NESTING="1"
+      break
+      ;;
+    matrix)
+      echo "Install Matrix chat server and element web service"
+      break
+      ;;
+    quit)
+      echo "Script aborted by user interaction."
+      exit 0
+      ;;
+    *)
+      echo "Invalid option! Exiting..."
+      exit 1
+      ;;
+    esac
+done
 
 # CHeck is the newest template available, else download it.
 DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep debian-10-standard | cut -d'_' -f2)
@@ -53,66 +106,30 @@ else
  VLAN=""
 fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME \-nameserver $LXC_DNS -searchdomain $LXC_DOMAIN -onboot 1 -timezone $LXC_TIMEZONE -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME \-nameserver $LXC_DNS -searchdomain $LXC_DOMAIN -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN;
+sleep 2
+
+if [ $LXC_MP -gt 0 ]; then
+  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
+fi
 sleep 2;
 
 PS3="Select the Server-Function: "
 
-select opt in just_lxc zmb-standalone zmb-member zmb-ad mailpiler matrix quit; do
-  case $opt in
-    just_lxc)
-      echo "Debian-only LXC container selected"
-      break
-      ;;
-    zmb-standalone)
-      echo "Configuring LXC container '$opt'!"
-      pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
-      sleep 2;
-      break
-      ;;
-    zmb-member)
-      echo "Configuring LXC container '$opt'!"
-      pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
-      sleep 2;
-      break
-      ;;
-    zmb-ad)
-      echo "Selected Zamba AD DC"
-      # Enable nesting for ntp service
-      pct set $LXC_NBR -features nesting=1
-      sleep 2
-      break
-      ;;
-    mailpiler)
-      echo "Configuring LXC container for '$opt'!"
-      pct set $LXC_NBR -features nesting=1
-      sleep 2;
-      break
-      ;;
-    matrix)
-      echo "Install Matrix chat server and element web service"
-      break
-      ;;
-    quit)
-      echo "Script aborted by user interaction."
-      exit 0
-      ;;
-    *)
-      echo "Invalid option! Exiting..."
-      exit 1
-      ;;
-    esac
-done
-
-
 pct start $LXC_NBR;
 sleep 5;
 # Set the root password and key
+echo "Setting root password"
 echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
+echo "Creating /root/.ssh"
 lxc-attach -n$LXC_NBR mkdir /root/.ssh;
-echo -e "$LXC_AUTHORIZED_KEY" | lxc-attach -n$LXC_NBR tee /root/.ssh/authorized_keys;
+echo "Copying authorized_keys"
+pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
+echo "Copying sources.list"
 pct push $LXC_NBR ./sources.list /etc/apt/sources.list
+echo "Copying zamba.conf"
 pct push $LXC_NBR ./zamba.conf /root/zamba.conf
+echo "Copying install script"
 pct push $LXC_NBR ./$opt.sh /root/$opt.sh
 echo "Install '$opt'!"
 lxc-attach -n$LXC_NBR bash /root/$opt.sh

mailpiler.sh

@@ -94,7 +94,7 @@ cd /etc/nginx/sites-available
 cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
 ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
 
-sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
+sed -i "s|PILER_HOST|$PILER_FQDN default_host|g" /etc/nginx/sites-available/piler-nginx.conf
 sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
 
 sed -i "/server_name.*/a \\
@@ -114,10 +114,10 @@ sed -i "/server_name.*/a \\
 sed -i "/^server {.*/i\
 server {\n\
         listen 80;\n\
-        server_name $PILER_FQDN;\n\
+        server_name $PILER_FQDN default_host;\n\
         server_tokens off;\n\
         # HTTP to HTTPS redirect.\n\
-        return 301 https://$PILER_FQDN;\n\
+        return 301 https://\$host\$request_uri;\n\
 }" /etc/nginx/sites-available/piler-nginx.conf
 
 cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
@@ -137,7 +137,7 @@ cat >> /usr/local/etc/piler/config-site.php <<EOF
 \$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
 
 // general settings.
-\$config['TIMEZONE'] = 'Europe/Berlin';
+\$config['TIMEZONE'] = '$LXC_TIMEZONE';
 
 // authentication
 // Enable authentication against an imap server
@@ -179,9 +179,9 @@ cat >> /usr/local/etc/piler/config-site.php <<EOF
 \$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
 EOF
 
+rm /etc/nginx/sites-enabled/default
+
 nginx -t && systemctl restart nginx
 
 apt autoremove -y
 apt clean -y
-
-

zamba.conf

@@ -11,59 +11,62 @@
 
 ############### Linux Container Section ###############
 
-# The storage, where your container tmeplates are located (in most cases: local)
+# Defines the Proxmox storage where your LXC container template are stored (default: local)
 LXC_TEMPLATE_STORAGE="local"
 
-# Define the size and storage location of the container's root filesystem
+# Defines the size in GB of the LXC container's root filesystem (default: 32)
+# Depending on your environment, you should consider increasing the size for use of `mailpiler` or `matrix`.
 LXC_ROOTFS_SIZE="32"
+# Defines the Proxmox storage where your LXC container's root filesystem will be generated (default: local-zfs)
 LXC_ROOTFS_STORAGE="local-zfs"
 
-# Define the size, storage location and mountpoint of the container's shared filesystem (required for 'zmb_standalone' and 'zmb_member') 
+# Defines the size in GB your LXC container's filesystem shared by Zamba (AD member & standalone) (default: 100)
 LXC_SHAREFS_SIZE="100"
+# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
 LXC_SHAREFS_STORAGE="local-zfs"
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 
-# Define whether the container will be created in unprivileged (1) or privileged (0) mode
-# For 'zmb_standalone', 'zmb_pdc', 'zmb_member' and 'mailpiler' the container needs to be created with 'unprivileged=0'
-LXC_UNPRIVILEGED="0"
-
-# Size of the RAM assigned to the container
+# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
 LXC_MEM="1024"
 
-# Size of the SWAP assigned to the container
+# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
 LXC_SWAP="1024"
 
-# The hostname (eg. zamba1 or mailpiler1)
+# Defines the hostname of your LXC container
 LXC_HOSTNAME="zamba"
 
-# The domain suffix (the domain name / search domain of th container, results to the FQDN 'LXC_HOTNAME.LXC_DOMAIN')
+# Defines the domain name / search domain of your LXC container
 LXC_DOMAIN="zmb.rocks"
 
-# IP-address and subnet
-LXC_IP="10.10.80.20/24"
+# Defines the local IP address and subnet of your LXC container in CIDR format
+LXC_IP="192.168.100.200/24"
 
-# Gateway
-LXC_GW="10.10.80.10"
+# Defines the default gateway IP address of your LXC container
+LXC_GW="192.168.100.254"
 
-# DNS-server (should be your AD DC)
-LXC_DNS="10.10.80.10"
+# Defines the DNS server ip address of your LXC container
+# `zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS
+# For other services this should be your active directory domain controller (if present, else a DNS server of your choice)
+LXC_DNS="192.168.100.254"
 
-# Networkbridge for this container
+# Defines the network bridge to bind the network adapter of your LXC container
 LXC_BRIDGE="vmbr0"
 
-# Optional VLAN number for this container
-LXC_VLAN=""
+# Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
+LXC_VLAN=
 
-# root password - take care to delete from this file. Please use 'single quatation marks' to avoid unexpected behaviour.
+# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
 LXC_PWD='S3cr3tp@ssw0rd'
 
-# SSH-Key to add to authorized_keys
-LXC_AUTHORIZED_KEY="ssh-rsa xxxxxxxx"
+# Defines an authorized_keys file to push into the LXC container.
+# By default the authorized_keys will be inherited from your proxmox host.
+LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys
 
-# Define some optional packages to install (your favourite tools on linux systems)
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git"
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
 
-# Define system timezone on LXC container
+# Define the local timezone of your LXC container (default: Euroe/Berlin)
 LXC_TIMEZONE="Europe/Berlin"
 
 # Define system language on LXC container (locales)
@@ -71,40 +74,46 @@ LXC_LOCALE=de_DE.UTF-8
 
 ############### Zamba-Server-Section ###############
 
-# Domain Entries to samba/smb.conf. Will be also uses for samba domain-provisioning when zmb-pdc will choosen.
+# Defines the REALM for the Active Directory (AD DC, AD member)
 ZMB_REALM="ZMB.ROCKS"
+# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
 ZMB_DOMAIN="ZMB"
 
-# Select the Zamba AD DNS backend, supported are SAMBA_INTERNAL or BIND9_DLZ
+# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
 ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 
-# The Domain-Admin and password for zamba installation
-ZMB_ADMIN_USER="Administrator"
-# The Domain admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour.
-ZMB_ADMIN_PASS='MYPASSWORD'
+# Defines the name of your domain administrator account (AD DC, AD member, standalone)
+ZMB_ADMIN_USER="administrator"
+# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
+# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
+ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
 
-# Name of the Zamba Share
+# Defines the name of your Zamba share
 ZMB_SHARE="share"
 
 ############### Mailpiler-Section ###############
 
-# The FQDN vor the Hostname. This must be exactly the same like the LXC_HOSTNAME / LXC_DOMAIN at section above.
+# Defines the (public) FQDN of your piler mail archive
 PILER_FQDN="piler.zmb.rocks"
-PILER_SMARTHOST="10.10.80.20"
-PILER_VERSION="1.3.10"
+# Defines the smarthost for piler mail archive
+PILER_SMARTHOST="your.mailserver.tld"
+# Defines the version number of piler mail archive to install
+PILER_VERSION="1.3.11"
+# Defines the version of sphinx to install
 PILER_SPHINX_VERSION="3.3.1"
+# Defines the php version to install
 PILER_PHP_VERSION="7.4"
 
 ############### Matrix-Section ###############
 
-# The FQDN vor the Hostname. This should be the same like the LXC_HOSTNAME / LXC_DOMAIN at section above.
+# Define the FQDN of your Matrix server
 MATRIX_FQDN="matrix.zmb.rocks"
 
-# Virtual host to run the Element Web messenger
+# Define the FQDN for the Element Web virtual host
 MATRIX_ELEMENT_FQDN="element.zmb.rocks"
 
-# Element Web version
-MATRIX_ELEMENT_VERSION="v1.7.24"
+# Define the version of Element Web
+MATRIX_ELEMENT_VERSION="v1.7.25"
 
-# Virtuel host to run the Jitsi Meet
+# Define the FQDN for the Jitsi Meet virtual host
 MATRIX_JITSI_FQDN="meet.zmb.rocks"

zamba.conf.md

@@ -37,13 +37,6 @@ Defines the mountpoint of the filesystem shared by Zamba inside your LXC contain
 ```bash
 LXC_SHAREFS_MOUNTPOINT="tank"
 ```
-### LXC_UNPRIVILEGED
-Defines if the LXC container will be created in `unpprivileged` or `privileged` mode (default: 1)
-```bash
-LXC_UNPRIVILEGED="1"
-```
-Privileged also means the container runs as `root` user. Set this option only, if it's required for the service.
-`Zamba AD DC`, `Zamba AD member`, `Zamba standalone` and `mailpiler` are required to run in privileged mode.
 ### LXC_MEM
 Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
 ```bash
@@ -60,7 +53,7 @@ Defines the hostname of your LXC container
 LXC_SWAP="zamba"
 ```
 ### LXC_DOMAIN
-Defines the domain name /search domain of your LXC container
+Defines the domain name / search domain of your LXC container
 ```bash
 LXC_DOMAIN="zmb.rocks"
 ```
@@ -75,12 +68,14 @@ Defines the default gateway IP address of your LXC container
 LXC_GW="10.10.80.254"
 ```
 ### LXC_DNS
-Defines the DNS server ip addres of your LXC container
+Defines the DNS server ip address of your LXC container
 ```bash
 LXC_DNS="10.10.80.254"
 ```
+`zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS
+For other services this should be your active directory domain controller (if present, else a DNS server of your choice)
 ### LXC_BRIDGE
-Defines the network bridge to bind the network adapter of your LXC container to
+Defines the network bridge to bind the network adapter of your LXC container
 ```bash
 LXC_BRIDGE="vmbr0"
 ```
@@ -90,19 +85,20 @@ Defines the vlan id of the LXC container's network interface, if the network ada
 LXC_VLAN="80"
 ```
 ### LXC_PWD
-Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
+Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour.
 ```bash
 LXC_PWD="S3cr3tp@ssw0rd"
 ```
 ### LXC_AUTHORIZED_KEY
-If you have a SSH key to add to the LXC container's `root` account authorized_keys, you can paste it here.
+Defines an authorized_keys file to push into the LXC container.
+By default the authorized_keys will be inherited from your proxmox host.
 ```bash
-LXC_AUTHORIZED_KEY="ssh-rsa xxxxxxxx"
+LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
 ```
 ### LXC_TOOLSET
-Define your (administrative) tools, you always want to have instlled into yout LXC container
+Define your (administrative) tools, you always want to have installed into your LXC container
 ```bash
-LXC_TOOLSET="net-tools dnsutils mc sysstat lsb-release curl git"
+LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
 ```
 ### LXC_TIMEZONE
 Define the local timezone of your LXC container (default: Euroe/Berlin)
@@ -110,7 +106,7 @@ Define the local timezone of your LXC container (default: Euroe/Berlin)
 LXC_TIMEZONE="Europe/Berlin"
 ```
 ### LXC_LOCALE
-Define system language on LXC container
+Define system language on LXC container (locales)
 ```bash
 LXC_LOCALE="de_DE.utf8"
 ```
@@ -137,21 +133,17 @@ Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND
 ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 ```
 ### ZMB_ADMIN_USER
-Defines the name of your domain administrator account (AD DC, AD member)
+Defines the name of your domain administrator account (AD DC, AD member, standalone)
 ```bash
 ZMB_ADMIN_USER="Administrator"
 ```
 ### ZMB_ADMIN_PASS
-Defines the domain administrator's password (AD DC, AD member). Please use 'single quatation marks' to avoid unexpected behaviour.
+Defines the domain administrator's password (AD DC, AD member).
 ```bash
 ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
 ```
-### ZMB_DOMAIN_ADMINS_GROUP
-Defines the domain admins group of your active directory.
-```bash
-ZMB_DOMAIN_ADMINS_GROUP="domain admins"
-```
-On Windows Servers this group depends on the configured OS language.
+Please use 'single quotation marks' to avoid unexpected behaviour.
+`zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
 ### ZMB_SHARE
 Defines the name of your Zamba share
 ```bash