bashclub/zamba-lxc-toolbox
2
0
Fork 1
mirror of https://github.com/bashclub/zamba-lxc-toolbox.git synced 2024-11-07 19:31:58 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #77 from bashclub/release-1.1

Browse Source 
Release 1.1
This commit is contained in:
Thorsten Spille 2023-02-12 16:10:47 +01:00 committed by GitHub
commit a082e03c59
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
56 changed files with 2378 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@ -7,17 +7,28 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna
### Requirements
Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
### Included services:
- `checkmk` => Check_MK 2.0 Monitoring Server
- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/)
- `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/)
- `debian-priv` => Debian privileged container with basic toolset
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de)
- `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
- `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/)
- `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/)
- `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
- `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
- `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/)
- `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
- `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
- `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
- `unifi` => Unifi Controller [ui.com](https://ui.com)
- `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
- `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
## Usage

7
conf/README.md
View File

@ -40,13 +40,14 @@ LXC_SHAREFS_MOUNTPOINT="tank"
```
### LXC_MEM
Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
If a service needs more minimum memory, LXC_MEM will be overwritten.
```bash
LXC_MEM="1024"
LXC_MEM=1024
```
### LXC_SWAP
Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
```bash
LXC_SWAP="1024"
LXC_SWAP=1024
```
### LXC_HOSTNAME
Defines the hostname of your LXC container (Default: Name of installed Service)
@ -220,7 +221,7 @@ NEXTCLOUD_ADMIN_USR="zmb-admin"
### NEXTCLOUD_ADMIN_PWD
Build a strong password for this user. Username and password will shown at the end of the instalation.
```bash
NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
NEXTCLOUD_ADMIN_PWD="$(random_password)"
```
### NEXTCLOUD_DATA
Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT

56
conf/zamba.conf.example
View File

@ -28,10 +28,10 @@ LXC_SHAREFS_STORAGE="local-zfs"
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
LXC_MEM="1024"
LXC_MEM=1024
# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
LXC_SWAP="1024"
LXC_SWAP=1024
# Defines the hostname of your LXC container
LXC_HOSTNAME="${service}"
@ -57,7 +57,7 @@ LXC_DNS="192.168.100.254"
LXC_BRIDGE="vmbr0"
# Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
LXC_VLAN=
LXC_VLAN=NONE
# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
LXC_PWD='Start!123'
@ -81,6 +81,15 @@ LXC_LOCALE="de_DE.UTF-8"
# Set dark background for vim syntax highlighting (0 or 1)
LXC_VIM_BG_DARK=1
# Default random password length
LXC_RANDOMPWD=32
# Automatically add meta tags to lxc container
LXC_AUTOTAG=1
# Add meta tags to linux container
LXC_TAGS="linux,debian,${service}"
############### Zamba-Server-Section ###############
# Defines the REALM for the Active Directory (AD DC, AD member)
@ -126,8 +135,8 @@ NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
# The initial admin-user which will be configured
NEXTCLOUD_ADMIN_USR="zmb-admin"
# Build a strong password for this user. Username and password will shown at the end of the instalation.
NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
# Build a strong password for this user. Username and password will shown at the end of the installation.
# NEXTCLOUD_ADMIN_PWD='very_secure_password'
# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
NEXTCLOUD_DATA="nc_data"
@ -147,3 +156,40 @@ CMK_ADMIN_PW='Start!123'
# raw = completely free
# free = limited version of the enterprise edition (25 hosts, 1 instance)
CMK_EDITION=raw
############### Kopano-Section ###############
# Define the FQDN of your Nextcloud server
KOPANO_FQDN="kopano.zmb.rocks"
# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
KOPANO_MAILGW="192.168.100.254"
# Kopano test- or subscription-key offerd from
# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
KOPANO_REPKEY="1234567890abcdefghijklmno"
############### vaultwarden Section ###############
# Hostname of your mailserver
VW_SMTP_HOST=mail.bashclub.org
# email address to send from
VW_SMTP_FROM="vaultwarden@bashclub.org"
# display name to send from
VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
# port of your mailserver
VW_SMTP_PORT=587
# use ssl?
VW_SMTP_SSL=true
# use starttls?
VW_SMTP_EXPLICIT_TLS=false
# username of your mailbox
VW_SMTP_USERNAME=vaultwarden@bashclub.org
# password of your mailbox
VW_SMTP_PASSWORD='<yourEmailPassword>'

95
install.sh
View File

@ -1,4 +1,5 @@
#!/bin/bash
set -euo pipefail
# This script will create and fire up a standard debian buster lxc container on your Proxmox VE.
# On a Proxmox cluster, the script will create the container on the local node, where it's executed.
@ -15,15 +16,16 @@
# Please adjust th settings in 'zamba.conf' to your needs before running the script
############### ZAMBA INSTALL SCRIPT ###############
prog="$(basename "$0")"
prog="$(basename $0)"
usage() {
cat >&2 <<-EOF
usage: $prog [-h] [-i CTID] [-s SERVICE] [-c CFGFILE]
usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
installs a preconfigured lxc container on your proxmox server
-i CTID provide a container id instead of auto detection
-s SERVICE provide the service name and skip the selection dialog
-c CFGFILE use a different config file than 'zamba.conf'
-d Debug mode inside LXC container
-h displays this help text
---------------------------------------------------------------------------
(C) 2021 zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
@ -36,26 +38,27 @@ usage() {
ctid=0
service=ask
config=$PWD/conf/zamba.conf
verbose=0
debug=0
while getopts "hi:s:c:" opt; do
while getopts "hi:s:c:d" opt; do
case $opt in
h) usage 0 ;;
i) ctid=$OPTARG ;;
s) service=$OPTARG ;;
c) config=$OPTARG ;;
d) debug=1 ;;
*) usage 1 ;;
esac
done
shift $((OPTIND-1))
OPTS=$(ls -d $PWD/src/*/ | grep -v __ | xargs basename -a)
OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n)
valid=0
if [[ "$service" == "ask" ]]; then
select svc in $OPTS quit; do
if [[ "$svc" != "quit" ]]; then
for line in $(echo $OPTS); do
for line in $OPTS; do
if [[ "$svc" == "$line" ]]; then
service=$svc
echo "Installation of $service selected."
@ -72,7 +75,7 @@ if [[ "$service" == "ask" ]]; then
fi
done
else
for line in $(echo $OPTS); do
for line in $OPTS; do
if [[ "$service" == "$line" ]]; then
echo "Installation of $service selected."
valid=1
@ -88,23 +91,30 @@ fi
# Load configuration file
echo "Loading config file '$config'..."
source $config
source $PWD/src/$service/constants-service.conf
# CHeck is the newest template available, else download it.
DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
if [[ $DEB_LOC == $DEB_REP ]];
then
echo "Newest Version of $LXC_TEMPLATE_VERSION $DEP_REP exists.";
else
echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP.";
pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
if [ ! -e "$config" ]; then
echo "Configuration files does not exist"
exit 1
fi
source "src/functions.sh"
source "$config"
source "$PWD/src/$service/constants-service.conf"
if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
LXC_MEM=$LXC_MEM_MIN
fi
if [ $LXC_AUTOTAG -gt 0 ]; then
TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}"
fi
# Check is the newest template available, else download it.
pveam update
TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
if [ $ctid -gt 99 ]; then
LXC_CHK=$ctid
else
@ -121,17 +131,17 @@ fi
echo "Will now create LXC Container $LXC_NBR!";
# Create the container
pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
sleep 2;
# Check vlan configuration
if [[ $LXC_VLAN != "" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
# Reconfigure conatiner
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
if [ $LXC_DHCP == true ]; then
pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN;
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
else
pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN;
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
fi
sleep 2
@ -144,23 +154,30 @@ PS3="Select the Server-Function: "
pct start $LXC_NBR;
sleep 5;
# Set the root password and key
echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
lxc-attach -n$LXC_NBR mkdir /root/.ssh;
# Set the root ssh key
pct exec $LXC_NBR -- mkdir /root/.ssh
pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
pct push $LXC_NBR $config /root/zamba.conf
pct push $LXC_NBR $PWD/src/constants.conf /root/constants.conf
pct push $LXC_NBR $PWD/src/lxc-base.sh /root/lxc-base.sh
pct push $LXC_NBR $PWD/src/$service/install-service.sh /root/install-service.sh
pct push $LXC_NBR $PWD/src/$service/constants-service.conf /root/constants-service.conf
pct push $LXC_NBR "$config" /root/zamba.conf
pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
echo "Installing basic container setup..."
lxc-attach -n$LXC_NBR bash /root/lxc-base.sh
pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh"
echo "Install '$service'!"
lxc-attach -n$LXC_NBR bash /root/install-service.sh
pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh"
pct shutdown $LXC_NBR
if [[ $service == "zmb-ad" ]]; then
pct stop $LXC_NBR
pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
pct start $LXC_NBR
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
elif [[ $service == "zmb-ad-join" ]]; then
pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
fi
pct start $LXC_NBR

6
sources.list
View File

@ -1,6 +0,0 @@
deb http://ftp.de.debian.org/debian buster main contrib
deb http://ftp.de.debian.org/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib

26
src/bookstack/constants-service.conf Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

186
src/bookstack/install-service.sh Normal file
View File

@ -0,0 +1,186 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
BOOKSTACK_DB_PWD=$(random_password)
webroot=/var/www/bookstack/public
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
wget -O /opt/wkhtmltox_0.12.6-1.buster_amd64.deb https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.buster_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /opt/wkhtmltox_0.12.6-1.buster_amd64.deb
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
client_max_body_size 100M;
fastcgi_buffers 64 4K;
client_body_timeout 120s;
listen 443 http2 ssl default_server;
listen [::]:443 http2 ssl default_server;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot;
index index.php;
ssl_certificate /etc/nginx/ssl/open3a.crt;
ssl_certificate_key /etc/nginx/ssl/open3a.key;
access_log /var/log/nginx/bookstack.access.log;
error_log /var/log/nginx/bookstack.error.log;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location ~ /\.ht {
deny all;
}
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
}
EOF
mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
CREATE DATABASE IF NOT EXISTS bookstack;
GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
FLUSH PRIVILEGES;"
sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/7.4/fpm/php.ini
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/7.4/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
then
>&2 echo 'ERROR: Invalid composer installer checksum'
rm composer-setup.php
exit 1
fi
php composer-setup.php --quiet
rm composer-setup.php
# Move composer to global installation
mv composer.phar /usr/local/bin/composer
cd /var/www
git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack
cd bookstack
# Install BookStack composer dependencies
export COMPOSER_ALLOW_SUPERUSER=1
php /usr/local/bin/composer install --no-dev --no-plugins
# Copy and update BookStack environment variables
cp .env.example .env
sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env
sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env
sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env
sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env
cat << EOF >> .env
QUEUE_CONNECTION=database
STORAGE_TYPE=local_secure
APP_LANG=de_informal
FILE_UPLOAD_SIZE_LIMIT=100
SESSION_SECURE_COOKIE=true
CACHE_DRIVER=redis
SESSION_DRIVER=redis
REDIS_SERVERS=127.0.0.1:6379:0
WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf
ALLOW_UNTRUSTED_SERVER_FETCHING=true
EOF
# Generate the application key
php artisan key:generate --no-interaction --force
# Migrate the databases
php artisan migrate --no-interaction --force
php artisan bookstack:db-utf8mb4 > dbupgrade.sql
mysql -u root < dbupgrade.sql
chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage
cat << EOF > /etc/systemd/system/bookstack-queue.service
[Unit]
Description=BookStack Queue Worker
[Service]
User=www-data
Group=www-data
Restart=always
ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server
systemctl restart php7.4-fpm nginx bookstack-queue redis-server
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n"

8
src/checkmk/constants-service.conf
View File

@ -20,6 +20,12 @@ LXC_UNPRIVILEGED="1"
LXC_NESTING="1"
# checkmk version
CMK_VERSION=2.0.0p33
CMK_VERSION=2.1.0p21
# build number of the debian package (needs to start with underscore)
CMK_BUILD=_0
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="apache2"

1
src/checkmk/install-service.sh
View File

@ -5,6 +5,7 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf

2
src/constants.conf
View File

@ -8,4 +8,4 @@
# This file contains the project constants on container level
# Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common"
LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget"

8
src/debian-priv/constants-service.conf
View File

@ -17,4 +17,10 @@ LXC_MP="0"
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=512
# service dependent meta tags
SERVICE_TAGS="privileged"

8
src/debian-unpriv/constants-service.conf
View File

@ -17,4 +17,10 @@ LXC_MP="0"
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=512
# service dependent meta tags
SERVICE_TAGS=""

29
src/ecodms/constants-service.conf Normal file
View File

@ -0,0 +1,29 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# set ecodms release version
ECODMS_RELEASE=ecodms_220864
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=6144
# service dependent meta tags
SERVICE_TAGS="java,postgresql"

21
src/ecodms/install-service.sh Normal file
View File

@ -0,0 +1,21 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver

9
src/functions.sh Normal file
View File

@ -0,0 +1,9 @@
#!/bin/bash
#
# This script has basic functions like a random password generator
LXC_RANDOMPWD=32
random_password() {
set +o pipefail
C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
}

41
src/gitea/constants-service.conf Normal file
View File

@ -0,0 +1,41 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Defines the IP from the SQL server
GITEA_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
GITEA_DB_PORT="5432"
# Defines the name from the SQL database
GITEA_DB_NAME="gitea"
# Defines the name from the SQL user
GITEA_DB_USR="gitea"
# Build a strong password for the SQL user - could be overwritten with something fixed
GITEA_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql"

184
src/gitea/install-service.sh Normal file
View File

@ -0,0 +1,184 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
EOF
adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
chmod +x /usr/local/bin/gitea
mkdir -p /etc/gitea
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
cat << EOF > /usr/local/bin/update-gitea
PATH="/bin:/usr/bin:/usr/local/bin"
echo "Checking github for new gitea version"
current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4)
installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3))
echo "Installed gitea version is \$installed_version"
if [ \$installed_version != \$current_version ]; then
echo "New gitea version \$current_version available. Stopping gitea.service"
systemctl stop gitea.service
echo "Downloading gitea version \$current_version..."
curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i -
chmod +x /usr/local/bin/gitea
echo "Starting gitea.service..."
systemctl start gitea.service
echo "gitea update finished!"
else
echo "gitea version is up-to-date!"
fi
EOF
chmod +x /usr/local/bin/update-gitea
cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook
DPkg::Post-Invoke {"/usr/local/bin/update-gitea";};
EOF
chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook
cat << EOF > /etc/systemd/system/gitea.service
[Unit]
Description=Gitea
After=syslog.target
After=network.target
After=postgresql.service
[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/gitea/app.ini
RUN_MODE = prod
RUN_USER = git
[repository]
ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
[repository.local]
LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
[database]
DB_TYPE=postgres
HOST=localhost
NAME=${GITEA_DB_NAME}
USER=${GITEA_DB_USR}
PASSWD=${GITEA_DB_PWD}
SSL_MODE=disable
[server]
APP_DATA_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea
DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN}
SSH_DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN}
HTTP_HOST = localhost
HTTP_PORT = 3000
ROOT_URL = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
EOF
chown -R root:git /etc/gitea
chmod 770 /etc/gitea
chmod 770 /etc/gitea/app.ini
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/gitea.access.log;
error_log /var/log/nginx/gitea.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/gitea.access.log;
error_log /var/log/nginx/gitea.error.log;
client_max_body_size 50M;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:3000;
proxy_read_timeout 90;
}
}
EOF
openssl dhparam -out /etc/nginx/dhparam.pem 4096
systemctl daemon-reload
systemctl enable --now gitea
systemctl restart nginx

32
src/kimai/constants-service.conf Normal file
View File

@ -0,0 +1,32 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
KIMAI_VERSION="main"
# Defines the php version to install
KIMAI_PHP_VERSION="8.1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

167
src/kimai/install-service.sh Normal file
View File

@ -0,0 +1,167 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
KIMAI_DB_PWD=$(random_password)
webroot=/var/www/kimai/public
wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip php8.1-opcache php8.1-curl
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
PHP_VERSION=${PHP_VERSION:0:3}
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
client_max_body_size 2M;
fastcgi_buffers 64 4K;
client_body_timeout 120s;
listen 443 http2 ssl default_server;
listen [::]:443 http2 ssl default_server;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot;
index index.php;
ssl_certificate /etc/nginx/ssl/kimai.crt;
ssl_certificate_key /etc/nginx/ssl/kimai.key;
access_log /var/log/nginx/kimai.access.log;
error_log /var/log/nginx/kimai.error.log;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location ~ /\.ht {
deny all;
}
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
}
EOF
mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
CREATE DATABASE IF NOT EXISTS kimai;
GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
FLUSH PRIVILEGES;"
sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
then
>&2 echo 'ERROR: Invalid composer installer checksum'
rm composer-setup.php
exit 1
fi
php composer-setup.php --quiet
rm composer-setup.php
# Move composer to global installation
mv composer.phar /usr/local/bin/composer
cd /var/www
git clone https://github.com/kimai/kimai.git --branch $KIMAI_VERSION --depth 1
cd kimai
# Install kimai composer dependencies
export COMPOSER_ALLOW_SUPERUSER=1
/usr/local/bin/composer install --optimize-autoloader -n
# Copy and update kimai environment variables
cat << EOF > .env
# For more infos about the variables, see .env.dist
DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.8
MAILER_FROM=admin@$LXC_DOMAIN
MAILER_URL=null://null
APP_ENV=prod
APP_SECRET=$(random_password)
CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
EOF
chown -R www-data:www-data .
chmod -R g+r .
chmod -R g+rw var/
bin/console kimai:install -n
bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
systemctl daemon-reload
systemctl enable --now php${PHP_VERSION}-fpm nginx
systemctl restart php${PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"

46
src/kopano-core/constants-service.conf Normal file
View File

@ -0,0 +1,46 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
KOPANO_VERSION="latest"
# Defines the php version to install
KOPANO_PHP_VERSION="7.4"
# Defines Maria DB Version
MARIA_DB_VERS="10.5"
# Defines the name from the SQL database
MARIA_DB_NAME="kopano"
# Defines the name from the SQL user
MARIA_DB_USER="kopano"
# Build a strong password for the SQL user - could be overwritten with something fixed
MARIA_ROOT_PWD=$(random_password)
MARIA_USER_PWD=$(random_password)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

276
src/kopano-core/install-service.sh Normal file
View File

@ -0,0 +1,276 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
#timedatectl set-timezone Europe/Berlin
#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### Secure Maria Instance ####
mysqladmin -u root password "[$MARIA_ROOT_PWD]"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
#### Create user and DB for Kopano ####
mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
echo "root-password: $MARIA_ROOT_PWD,\
db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
cat > /etc/apt/sources.list.d/kopano.list << EOF
# Kopano Core
deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
# Kopano WebApp
deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
# Kopano MobileDeviceManagement
deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
# Kopano Files
deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
# Z-Push
deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
EOF
cat > /etc/apt/auth.conf.d/kopano.conf << EOF
machine download.kopano.io
login serial
password $KOPANO_REPKEY
EOF
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
apt update && apt full-upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files
#### Adjust kopano settings ####
cat > /etc/kopano/ldap.cfg << EOF
!include /usr/share/kopano/ldap.active-directory.cfg
ldap_uri = ldap://192.168.100.100:389
ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
ldap_bind_passwd = Start123!
ldap_search_base = dc=zmb,dc=rocks
#ldap_user_search_filter = (kopanoAccount=1)
EOF
cat > /etc/kopano/server.cfg << EOF
server_listen = *:236
local_admin_users = root kopano
#database_engine = mysql
#mysql_host = localhost
#mysql_port = 3306
mysql_user = $MARIA_DB_USER
mysql_password = $MARIA_USER_PWD
mysql_database = $MARIA_DB_NAME
#user_plugin = ldap
#user_plugin_config = /etc/kopano/ldap.cfg
EOF
#### Adjust php settings ####
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
[webapp]
listen = 127.0.0.1:9002
user = www-data
group = www-data
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 150
pm.start_servers = 35
pm.min_spare_servers = 20
pm.max_spare_servers = 50
pm.max_requests = 200
listen.backlog = -1
request_terminate_timeout = 120s
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes
EOF
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
#### Adjust nginx settings ####
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/sites-available/webapp.conf << EOF
upstream php-handler {
#server 127.0.0.1:9002;
#server unix:/var/run/php5-fpm.sock;
server unix:/var/run/php/php7.4-fpm.sock;
}
server{
listen 80;
charset utf-8;
listen [::]:80;
server_name _;
location / {
rewrite ^(.*) https://\$server_name\$1 permanent;
}
}
server {
charset utf-8;
listen 443;
listen [::]:443 ssl;
server_name _;
ssl on;
client_max_body_size 1024m;
ssl_certificate /etc/ssl/certs/kopano.crt;
ssl_certificate_key /etc/ssl/private/kopano.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
#
# ssl_dhparam require you to create a dhparam.pem, this takes a long time
ssl_dhparam /etc/ssl/certs/dhparam.pem;
#
# add headers
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location /webapp {
alias /usr/share/kopano-webapp/;
index index.php;
location ~ /webapp/presence/ {
rewrite ^/webapp/presence(/.*)$ \$1 break;
proxy_pass http://localhost:1234;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
location ~* ^/webapp/(.+\.php)$ {
alias /usr/share/kopano-webapp/;
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
fastcgi_param PHP_VALUE "
register_globals=off
magic_quotes_gpc=off
magic_quotes_runtime=off
post_max_size=31M
upload_max_filesize=30M
";
fastcgi_param PHP_VALUE "post_max_size=31M
upload_max_filesize=30M
max_execution_time=3660
";
include fastcgi_params;
fastcgi_index index.php;
#fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME \$document_root\$1;
fastcgi_pass php-handler;
access_log /var/log/nginx/kopano-webapp-access.log;
error_log /var/log/nginx/kopano-webapp-error.log;
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
# All (static) resources set to 2 months expiration time.
location ~* \.(?:jpg|gif|png)\$ {
expires 2M;
access_log off;
add_header Cache-Control "public";
}
# enable gzip compression
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css application/json;
gzip_vary on;
}
}
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
EOF
ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
phpenmod kopano
systemctl restart php7.4-fpm nginx

15
src/lxc-base.sh
View File

@ -1,4 +1,5 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
@ -7,6 +8,7 @@
# load configuration
echo "Loading configuration..."
source /root/functions.sh
source /root/zamba.conf
source /root/constants.conf
source /root/constants-service.conf
@ -14,6 +16,7 @@ source /root/constants-service.conf
echo "Updating locales"
# update locales
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
@ -24,23 +27,23 @@ locale-gen $LXC_LOCALE
if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://ftp.de.debian.org/debian bullseye main contrib
deb http://debian.inf.tu-dresden.de/debian bullseye main contrib
deb http://ftp.de.debian.org/debian bullseye-updates main contrib
deb http://debian.inf.tu-dresden.de/debian bullseye-updates main contrib
# security updates
deb http://security.debian.org bullseye-security main contrib
deb http://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://ftp.de.debian.org/debian buster main contrib
deb http://debian.inf.tu-dresden.de/debian buster main contrib
deb http://ftp.de.debian.org/debian buster-updates main contrib
deb http://debian.inf.tu-dresden.de/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib
deb http://debian.inf.tu-dresden.de/debian-security buster/updates main contrib
EOF
else echo "LXC Debian Version false. Please check configuration files!" ; exit
fi

6
src/mailpiler/constants-service.conf
View File

@ -25,3 +25,9 @@ PILER_VERSION="1.3.12"
PILER_SPHINX_VERSION="3.3.1"
# Defines the php version to install
PILER_PHP_VERSION="7.4"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx"

1
src/mailpiler/install-service.sh
View File

@ -5,6 +5,7 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf

7
src/matrix/constants-service.conf
View File

@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Define the version of Element Web
MATRIX_ELEMENT_VERSION="v1.9.9"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,element-web"

41
src/matrix/install-service.sh
View File

@ -5,14 +5,17 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
MRX_PKE=$(random_password)
ELE_DBNAME="synapse_db"
ELE_DBUSER="synapse_user"
ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
ELE_DBPASS=$(random_password)
ELE_PATH=/var/www/element-web
WEBROOT=/var/www
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
@ -66,7 +69,7 @@ server {
ssl_certificate_key /etc/nginx/ssl/matrix.key;
# If you don't wanna serve a site, comment this out
root /var/www/$MATRIX_FQDN;
root $ELE_PATH;
index index.html index.htm;
location / {
@ -101,7 +104,7 @@ server {
ssl_certificate_key /etc/nginx/ssl/matrix.key;
# If you don't wanna serve a site, comment this out
root /var/www/$MATRIX_ELEMENT_FQDN/element;
root $ELE_PATH;
index index.html index.htm;
}
@ -112,21 +115,23 @@ ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$
systemctl restart nginx
mkdir /var/www/$MATRIX_ELEMENT_FQDN
cd /var/www/$MATRIX_ELEMENT_FQDN
wget https://packages.riot.im/element-release-key.asc
cd /var/www
wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
gpg --import element-release-key.asc
wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/vector-im/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
ln -s element-$MATRIX_ELEMENT_VERSION element
chown www-data:www-data -R element
cp ./element/config.sample.json ./element/config.json
sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json
sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json
mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH
chown www-data:www-data -R $ELE_PATH
cp $ELE_PATH/config.sample.json $ELE_PATH/config.json
sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json
sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json
su postgres <<EOF
psql -c "CREATE USER $ELE_DBUSER WITH PASSWORD '$ELE_DBPASS';"
@ -144,10 +149,8 @@ sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\
systemctl restart matrix-synapse
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p '$MATRIX_ADMIN_PASSWORD' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
#apt update
#apt install -y jitsi-meet
echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"

10
src/nextcloud/constants-service.conf
View File

@ -23,7 +23,7 @@ LXC_NESTING="1"
NEXTCLOUD_VERSION="latest"
# Defines the php version to install
NEXTCLOUD_PHP_VERSION="8.0"
NEXTCLOUD_PHP_VERSION="8.1"
# Defines the IP from the SQL server
NEXTCLOUD_DB_IP="127.0.0.1"
@ -38,4 +38,10 @@ NEXTCLOUD_DB_NAME="nextcloud_db"
NEXTCLOUD_DB_USR="nextcloud"
# Build a strong password for the SQL user - could be overwritten with something fixed
NEXTCLOUD_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
NEXTCLOUD_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"

10
src/nextcloud/install-service.sh
View File

@ -5,6 +5,10 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
NEXTCLOUD_ADMIN_PWD=$(random_password)
source /root/zamba.conf
source /root/constants-service.conf
@ -21,7 +25,7 @@ echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends sudo tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
timedatectl set-timezone $LXC_TIMEZONE
@ -398,7 +402,9 @@ array (
'updater.release.channel' => 'stable',
'trusted_proxies' =>
array (
'$NEXTCLOUD_REVPROX'
'$NEXTCLOUD_REVPROX',
'127.0.0.1',
'::1',
),
);
EOF

26
src/omada/constants-service.conf Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="mongodb-server,java"

29
src/omada/install-service.sh Normal file
View File

@ -0,0 +1,29 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://www.mongodb.org/static/pgp/server-4.4.asc
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq adoptopenjdk-8-hotspot jsvc mongodb-org
DL=$(wget -O - -q https://www.tp-link.com/de/support/download/omada-software-controller/ 2>/dev/null | grep Download-Detail-Software_Omada-Software-Controller | grep "Linux_x64.deb" | head -1 | cut -d'"' -f6)
wget -O /tmp/omada.deb -q $DL
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /tmp/omada.deb

8
src/onlyoffice/constants-service.conf
View File

@ -23,4 +23,10 @@ ONLYOFFICE_DB_HOST=localhost
ONLYOFFICE_DB_NAME=onlyoffice
ONLYOFFICE_DB_USER=onlyoffice
ONLYOFFICE_DB_USER=onlyoffice
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,rabbitmq"

25
src/onlyoffice/fix-update.sh Normal file
View File

@ -0,0 +1,25 @@
#!/bin/bash
cat > /usr/local/bin/ods-apt-pre-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds-ssl.conf
systemctl stop nginx.service
DFOE
chmod +x /usr/local/bin/ods-apt-pre-hook
cat > /usr/local/bin/ods-apt-post-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
systemctl restart nginx
DFOE
chmod +x /usr/local/bin/ods-apt-post-hook
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
EOF
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
EOF

39
src/onlyoffice/install-service.sh
View File

@ -1,7 +1,15 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ONLYOFFICE_DB_PASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
ONLYOFFICE_DB_PASS=$(random_password)
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
@ -36,8 +44,33 @@ openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/only
rm /etc/nginx/conf.d/ds.conf
cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/nginx/conf.d/ds-ssl.conf
sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/nginx/conf.d/ds-ssl.conf
cat > /usr/local/bin/ods-apt-pre-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds-ssl.conf
systemctl stop nginx.service
DFOE
chmod +x /usr/local/bin/ods-apt-pre-hook
cat > /usr/local/bin/ods-apt-post-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
systemctl restart nginx
DFOE
chmod +x /usr/local/bin/ods-apt-post-hook
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
EOF
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
EOF
systemctl restart nginx

8
src/open3a/constants-service.conf
View File

@ -17,4 +17,10 @@ LXC_MP="0"
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

16
src/open3a/install-service.sh
View File

@ -5,12 +5,14 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
webroot=/var/www/html
MYSQL_PASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)"
LXC_RANDOMPWD=20
MYSQL_PASSWORD="$(random_password)"
apt update
@ -55,7 +57,7 @@ CREATE DATABASE IF NOT EXISTS open3a;
GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
cd $webroot
wget https://www.open3a.de/download/open3A%203.5.zip -O $webroot/open3a.zip
wget https://www.open3a.de/download/open3A%203.7.zip -O $webroot/open3a.zip
unzip open3a.zip
rm open3a.zip
chmod 666 system/DBData/Installation.pfdb.php
@ -66,7 +68,17 @@ chown -R www-data:www-data $webroot
echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
chmod +x /etc/cron.daily/open3a-backup
cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
<?php echo "This is a database-file."; /*
host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
varchar(40)&%%%&varchar(20)&%%%&varchar(20)&%%%&varchar(30)&%%%&varchar(40)
localhost &%%%&open3a &%%%&$MYSQL_PASSWORD&%%%&open3a &%%%&* %%&&&
*/ ?>
EOF
systemctl enable --now php7.4-fpm
systemctl restart php7.4-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"

8
src/proxmox-pbs/constants-service.conf
View File

@ -20,4 +20,10 @@ LXC_UNPRIVILEGED="1"
LXC_NESTING="1"
# Backup ubdir where Urbackup will store backups
PBS_DATA="backup"
PBS_DATA="backup"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="backup"

3
src/proxmox-pbs/install-service.sh
View File

@ -5,6 +5,7 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@ -20,3 +21,5 @@ apt update && apt upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
systemctl disable --now zfs-mount.service zfs-share.service

6
src/sources.list
View File

@ -1,6 +0,0 @@
deb http://ftp.de.debian.org/debian buster main contrib
deb http://ftp.de.debian.org/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib

26
src/unifi/constants-service.conf Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="mongodb-server,java"

22
src/unifi/install-service.sh Normal file
View File

@ -0,0 +1,22 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unifi

10
src/urbackup/constants-service.conf
View File

@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-10-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="1"
@ -23,4 +23,10 @@ LXC_NESTING="1"
URBACKUP_DATA="urbackup"
# OS codename for opensuse / urbackup repo
REPO_CODENAME="Debian_10"
REPO_CODENAME="Debian_11"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx"

1
src/urbackup/install-service.sh
View File

@ -5,6 +5,7 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf

35
src/vaultwarden/constants-service.conf Normal file
View File

@ -0,0 +1,35 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Defines the name from the SQL database
VAULTWARDEN_DB_NAME="vaultwarden"
# Defines the name from the SQL user
VAULTWARDEN_DB_USR="vaultwarden"
# Build a strong password for the SQL user - could be overwritten with something fixed
VAULTWARDEN_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql"

161
src/vaultwarden/install-service.sh Normal file
View File

@ -0,0 +1,161 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
admin_token=$(openssl rand -base64 48)
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
systemctl enable --now postgresql
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
./docker-image-extract vaultwarden/server:alpine
mkdir /opt/vaultwarden
mkdir -p /var/lib/vaultwarden/data
useradd vaultwarden
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
mv output/vaultwarden /opt/vaultwarden
mv output/web-vault /var/lib/vaultwarden/
rm -Rf output
rm -Rf docker-image-extract
su - postgres <<EOF
psql -c "CREATE USER ${VAULTWARDEN_DB_USR} WITH PASSWORD '${VAULTWARDEN_DB_PWD}';"
psql -c "CREATE DATABASE ${VAULTWARDEN_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${VAULTWARDEN_DB_USR};"
echo "Postgres User ${VAULTWARDEN_DB_USR} and database ${VAULTWARDEN_DB_NAME} created."
EOF
cat << EOF > /var/lib/vaultwarden/.env
DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden
DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN}
ORG_CREATION_USERS=admin@$LXC_DOMAIN
# Use `openssl rand -base64 48` to generate
ADMIN_TOKEN=$admin_token
# Uncomment this once vaults restored
SIGNUPS_ALLOWED=false
SMTP_HOST=$VW_SMTP_HOST
SMTP_FROM=$VW_SMTP_FROM
SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
SMTP_PORT=$VW_SMTP_PORT # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
SMTP_SSL=$VW_SMTP_SSL # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
SMTP_USERNAME=$VW_SMTP_USERNAME
SMTP_PASSWORD=$VW_SMTP_PASSWORD
SMTP_TIMEOUT=15
EOF
cat << EOF > /etc/systemd/system/vaultwarden.service
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=/var/lib/vaultwarden/.env
ExecStart=/opt/vaultwarden/vaultwarden
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};
EOF
cat << EOF > /var/lib/vaultwarden/update.sh
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
./docker-image-extract vaultwarden/server:alpine
mv output/vaultwarden /opt/vaultwarden
systemctl stop vaultwarden.service
cp -rlf output/web-vault /var/lib/vaultwarden/
rm -Rf output
rm -Rf docker-image-extract
systemctl start vaultwarden.service
EOF
chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
chmod +x /var/lib/vaultwarden/update.sh
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/vaultwarden.access.log;
error_log /var/log/nginx/vaultwarden.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/vaultwarden.access.log;
error_log /var/log/nginx/vaultwarden.error.log;
client_max_body_size 50M;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
proxy_read_timeout 90;
}
}
EOF
openssl dhparam -out /etc/nginx/dhparam.pem 4096
systemctl daemon-reload
systemctl enable --now vaultwarden
systemctl restart nginx

42
src/zabbix/constants-service.conf Normal file
View File

@ -0,0 +1,42 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Defines the IP from the SQL server
ZABBIX_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
ZABBIX_DB_PORT="5432"
# Defines the name from the SQL database
ZABBIX_DB_NAME="zabbix"
# Defines the name from the SQL user
ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"

229
src/zabbix/install-service.sh Normal file
View File

@ -0,0 +1,229 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent ssl-cert
unlink /etc/nginx/sites-enabled/default
cat << EOF > /etc/zabbix/nginx.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
server_tokens off;
access_log /var/log/nginx/zabbix.access.log;
error_log /var/log/nginx/zabbix.error.log;
location /.well-known/ {
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
root /usr/share/zabbix;
index index.php;
location = /favicon.ico {
log_not_found off;
}
location / {
try_files \$uri \$uri/ =404;
}
location /assets {
access_log off;
expires 10d;
}
location ~ /\.ht {
deny all;
}
location ~ /(api\/|conf[^\.]|include|locale) {
deny all;
return 404;
}
location /vendor {
deny all;
return 404;
}
location ~ [^/]\.php(/|$) {
fastcgi_pass unix:/var/run/php/zabbix.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
fastcgi_param SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING \$query_string;
fastcgi_param REQUEST_METHOD \$request_method;
fastcgi_param CONTENT_TYPE \$content_type;
fastcgi_param CONTENT_LENGTH \$content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}
EOF
cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf
[zabbix]
user = www-data
group = www-data
listen = /var/run/php/zabbix.sock
listen.owner = www-data
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 200
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/sessions/
php_value[max_execution_time] = 300
php_value[memory_limit] = 128M
php_value[post_max_size] = 16M
php_value[upload_max_filesize] = 2M
php_value[max_input_time] = 300
php_value[max_input_vars] = 10000
EOF
cat << EOF > /etc/zabbix/web/zabbix.conf.php
<?php
// Zabbix GUI configuration file.
\$DB['TYPE'] = 'POSTGRESQL';
\$DB['SERVER'] = 'localhost';
\$DB['PORT'] = '0';
\$DB['DATABASE'] = '${ZABBIX_DB_NAME}';
\$DB['USER'] = '${ZABBIX_DB_USR}';
\$DB['PASSWORD'] = '${ZABBIX_DB_PWD}';
// Schema name. Used for PostgreSQL.
\$DB['SCHEMA'] = '';
// Used for TLS connection.
\$DB['ENCRYPTION'] = true;
\$DB['KEY_FILE'] = '';
\$DB['CERT_FILE'] = '';
\$DB['CA_FILE'] = '';
\$DB['VERIFY_HOST'] = false;
\$DB['CIPHER_LIST'] = '';
// Vault configuration. Used if database credentials are stored in Vault secrets manager.
\$DB['VAULT_URL'] = '';
\$DB['VAULT_DB_PATH'] = '';
\$DB['VAULT_TOKEN'] = '';
// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
// This option is enabled by default for new Zabbix installations.
// For upgraded installations, please read database upgrade notes before enabling this option.
\$DB['DOUBLE_IEEE754'] = true;
// Uncomment and set to desired values to override Zabbix hostname/IP and port.
// \$ZBX_SERVER = '';
// \$ZBX_SERVER_PORT = '';
\$ZBX_SERVER_NAME = '${LXC_HOSTNAME}';
\$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;
// Uncomment this block only if you are using Elasticsearch.
// Elasticsearch url (can be string if same url is used for all types).
//\$HISTORY['url'] = [
// 'uint' => 'http://localhost:9200',
// 'text' => 'http://localhost:9200'
//];
// Value types stored in Elasticsearch.
//\$HISTORY['types'] = ['uint', 'text'];
// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
//\$SSO['SP_KEY'] = 'conf/certs/sp.key';
//\$SSO['SP_CERT'] = 'conf/certs/sp.crt';
//\$SSO['IDP_CERT'] = 'conf/certs/idp.crt';
//\$SSO['SETTINGS'] = [];
EOF
timedatectl set-timezone ${LXC_TIMEZONE}
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
openssl dhparam -out /etc/nginx/dhparam.pem 4096
systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm
systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm

26
src/zammad/constants-service.conf Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,elasticsearch"

170
src/zammad/install-service.sh Normal file
View File

@ -0,0 +1,170 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key
apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch
wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
cat << EOF >>/etc/hosts
0.0.0.0 image.zammad.com
0.0.0.0 images.zammad.com
0.0.0.0 geo.zammad.com
0.0.0.0 www.zammad.com
0.0.0.0 www.zammad.org
0.0.0.0 www.zammad.net
0.0.0.0 www.zammad.de
0.0.0.0 zammad.com
0.0.0.0 zammad.org
0.0.0.0 zammad.net
0.0.0.0 zammad.de
#
127.0.0.1 elasticsearch
0.0.0.0 geoip.elastic.co
EOF
# Java set startup environment
mkdir -p /etc/elasticsearch/jvm.options.d
cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
-Xms1g
-Xmx1g
EOF
# configurwe nginx
rm -f /etc/nginx/sites-enabled/default
cat << EOF > /etc/nginx/sites-available/zammad.conf
upstream zammad-railsserver {
server 127.0.0.1:3000;
}
upstream zammad-websocket {
server 127.0.0.1:6042;
}
server {
listen 80;
listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/zammad.access.log;
error_log /var/log/nginx/zammad.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://\$host\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
#
# https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
#
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
add_header Referrer-Policy "strict-origin";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
add_header Strict-Transport-Security "max-age=31536000" always;
location = /robots.txt {
access_log off; log_not_found off;
}
location = /favicon.ico {
access_log off; log_not_found off;
}
root /opt/zammad/public;
access_log /var/log/nginx/zammad.access.log;
error_log /var/log/nginx/zammad.error.log;
client_max_body_size 50M;
location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
expires max;
}
location /ws {
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header CLIENT_IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_read_timeout 86400;
proxy_pass http://zammad-websocket;
}
location / {
proxy_set_header Host \$http_host;
proxy_set_header CLIENT_IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
# change this line in an SSO setup
proxy_set_header X-Forwarded-User "";
proxy_read_timeout 180;
proxy_pass http://zammad-railsserver;
gzip on;
gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
gzip_proxied any;
}
}
EOF
ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
openssl dhparam -out /etc/nginx/dhparam.pem 4096
systemctl enable elasticsearch.service
systemctl restart nginx elasticsearch.service
# Elasticsearch conntact to Zammad
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
systemctl restart elasticsearch.service
zammad run rake searchindex:rebuild

38
src/zmb-ad-join/constants-service.conf Normal file
View File

@ -0,0 +1,38 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd splitdns)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"

154
src/zmb-ad-join/install-service.sh Normal file
View File

@ -0,0 +1,154 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
## configure ntp
cat << EOF > /etc/ntp.conf
# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Where to retrieve the time from
server 0.de.pool.ntp.org iburst prefer
server 1.de.pool.ntp.org iburst prefer
server 2.de.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
EOF
echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = $ZMB_REALM
ticket_lifetime = 600
dns_lookup_realm = true
dns_lookup_kdc = true
renew_lifetime = 7d
EOF
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved
rm -f /etc/samba/smb.conf
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
mkdir -p /mnt/sysvol
cat << EOF > /root/.smbcredentials
username=$ZMB_ADMIN_USER
password=$ZMB_ADMIN_PASS
domain=$ZMB_DOMAIN
EOF
echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab
mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
cat > /etc/cron.d/sysvol-sync << EOF
*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
EOF
/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES

8
src/zmb-ad/constants-service.conf
View File

@ -29,4 +29,10 @@ LXC_NESTING="1"
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=()
OPTIONAL_FEATURES=(wsdd splitdns)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary"

6
src/zmb-ad/install-service.sh
View File

@ -5,6 +5,7 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@ -58,11 +59,14 @@ restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
EOF
echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default

8
src/zmb-member/constants-service.conf
View File

@ -17,4 +17,10 @@ LXC_MP="1"
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="samba,member,fileserver"

4
src/zmb-member/install-service.sh
View File

@ -5,16 +5,18 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# add wsdd package repo
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF

8
src/zmb-standalone/constants-service.conf
View File

@ -17,4 +17,10 @@ LXC_MP="1"
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
LXC_NESTING="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit"

77
src/zmb-standalone/install-service.sh
View File

@ -5,23 +5,39 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# add wsdd package repo
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
cat << EOF > /etc/apt/preferences.d/samba
Package: samba*
Pin: release a=$(lsb_release -cs)-backports
Pin-Priority: 900
EOF
cat << EOF > /etc/apt/preferences.d/winbind
Package: winbind*
Pin: release a=$(lsb_release -cs)-backports
Pin-Priority: 900
EOF
cat << EOF > /etc/apt/preferences.d/cockpit
Package: cockpit*
Pin: release a=$(lsb_release -cs)-backports
Pin-Priority: 900
EOF
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t $(lsb_release -cs)-backports cockpit
mkdir /usr/share/cockpit/smb
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
@ -29,23 +45,52 @@ echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
smbpasswd -x $USER
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
cat << EOF >> /etc/samba/smb.conf
[$ZMB_SHARE]
comment = Main Share
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
read only = No
vfs objects = shadow_copy2
create mask = 0660
directory mask = 0770
usermod -aG sudo $USER
cat << EOF | sudo tee -i /etc/samba/smb.conf
[global]
include = registry
EOF
cat << EOF | sudo tee -i /etc/samba/import.template
[global]
workgroup = WORKGROUP
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
log level = 3
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
shadow: delimiter = -20
fruit:encoding = native
fruit:metadata = stream
fruit:zero_file_id = yes
fruit:nfs_aces = no
EOF
net conf import /etc/samba/import.template
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf setparm $ZMB_SHARE readonly no
net conf setparm $ZMB_SHARE browseable yes
net conf setparm $ZMB_SHARE createmask 0660
net conf setparm $ZMB_SHARE directorymask 0770
systemctl restart smbd nmbd wsdd