diff --git a/README.md b/README.md index 0805f39..7d2ee2a 100644 --- a/README.md +++ b/README.md 
@@ -7,17 +7,28 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna ### Requirements Proxmox VE Server (>=6.30) with at least one configured ZFS Pool. ### Included services: -- `checkmk` => Check_MK 2.0 Monitoring Server +- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/) +- `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/) - `debian-priv` => Debian privileged container with basic toolset - `debian-unpriv` => Debian unprivileged container with basic toolset +- `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de) +- `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io) +- `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/) +- `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/) - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/) - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web) - `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration +- `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/) - `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com) - `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de) - `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server) +- `unifi` => Unifi Controller [ui.com](https://ui.com) - `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org) +- `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden) +- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com) +- `zammad` => Zammad Helpdesk and Ticketing Software 
[zammad.org](https://zammad.org/) - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported +- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain - `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions) - `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions) ## Usage diff --git a/conf/README.md b/conf/README.md index 36c232f..962b381 100644 --- a/conf/README.md +++ b/conf/README.md @@ -40,13 +40,14 @@ LXC_SHAREFS_MOUNTPOINT="tank" ``` ### LXC_MEM Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) +If a service needs more minimum memory, LXC_MEM will be overwritten. ```bash -LXC_MEM="1024" +LXC_MEM=1024 ``` ### LXC_SWAP Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024) ```bash -LXC_SWAP="1024" +LXC_SWAP=1024 ``` ### LXC_HOSTNAME Defines the hostname of your LXC container (Default: Name of installed Service) @@ -220,7 +221,7 @@ NEXTCLOUD_ADMIN_USR="zmb-admin" ### NEXTCLOUD_ADMIN_PWD Build a strong password for this user. Username and password will shown at the end of the instalation. ```bash -NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" +NEXTCLOUD_ADMIN_PWD="$(random_password)" ``` ### NEXTCLOUD_DATA Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index f6a0150..bcb1b98 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example 
@@ -28,10 +28,10 @@ LXC_SHAREFS_STORAGE="local-zfs" LXC_SHAREFS_MOUNTPOINT="tank" # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024) -LXC_MEM="1024" +LXC_MEM=1024 # Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024) -LXC_SWAP="1024" +LXC_SWAP=1024 # Defines the hostname of your LXC container LXC_HOSTNAME="${service}" @@ -57,7 +57,7 @@ LXC_DNS="192.168.100.254" LXC_BRIDGE="vmbr0" # Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty. -LXC_VLAN= +LXC_VLAN=NONE # Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour. LXC_PWD='Start!123' @@ -81,6 +81,15 @@ LXC_LOCALE="de_DE.UTF-8" # Set dark background for vim syntax highlighting (0 or 1) LXC_VIM_BG_DARK=1 +# Default random password length +LXC_RANDOMPWD=32 + +# Automatically add meta tags to lxc container +LXC_AUTOTAG=1 + +# Add meta tags to linux container +LXC_TAGS="linux,debian,${service}" + ############### Zamba-Server-Section ############### # Defines the REALM for the Active Directory (AD DC, AD member) @@ -126,8 +135,8 @@ NEXTCLOUD_FQDN="nextcloud.zmb.rocks" # The initial admin-user which will be configured NEXTCLOUD_ADMIN_USR="zmb-admin" -# Build a strong password for this user. Username and password will shown at the end of the instalation. -NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" +# Build a strong password for this user. Username and password will shown at the end of the installation. +# NEXTCLOUD_ADMIN_PWD='very_secure_password' # Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT NEXTCLOUD_DATA="nc_data" 
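Review bot: The Nextcloud example now ships only `# NEXTCLOUD_ADMIN_PWD='very_secure_password'`, commented out, so a copied config leaves the variable undefined, while conf/README.md in this same commit still documents `NEXTCLOUD_ADMIN_PWD="$(random_password)"`. With the installer scripts moving to `set -euo pipefail`, an undefined variable aborts the install — or, if the Nextcloud script does not use `-u` (it is not visible here), an empty admin password may be configured. I would ship the README's form as the active default, `NEXTCLOUD_ADMIN_PWD="$(random_password)"`, and keep the fixed-password variant as the commented alternative, so the default is a generated secret rather than nothing.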
@@ -147,3 +156,40 @@ CMK_ADMIN_PW='Start!123' # raw = completely free # free = limited version of the enterprise edition (25 hosts, 1 instance) CMK_EDITION=raw + +############### Kopano-Section ############### + +# Define the FQDN of your Nextcloud server +KOPANO_FQDN="kopano.zmb.rocks" + +# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban +KOPANO_MAILGW="192.168.100.254" + +# Kopano test- or subscription-key offerd from +# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10 +KOPANO_REPKEY="1234567890abcdefghijklmno" + +############### vaultwarden Section ############### +# Hostname of your mailserver +VW_SMTP_HOST=mail.bashclub.org + +# email address to send from +VW_SMTP_FROM="vaultwarden@bashclub.org" + +# display name to send from +VW_SMTP_FROM_NAME="Vaultwarden Password Manager" + +# port of your mailserver +VW_SMTP_PORT=587 + +# use ssl? +VW_SMTP_SSL=true + +# use starttls? +VW_SMTP_EXPLICIT_TLS=false + +# username of your mailbox +VW_SMTP_USERNAME=vaultwarden@bashclub.org + +# password of your mailbox +VW_SMTP_PASSWORD='' \ No newline at end of file diff --git a/install.sh b/install.sh index addf0ef..1a0dfb1 100755 --- a/install.sh +++ b/install.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -euo pipefail # This script will create and fire up a standard debian buster lxc container on your Proxmox VE. # On a Proxmox cluster, the script will create the container on the local node, where it's executed. 
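Review bot: The new vaultwarden section puts `VW_SMTP_PASSWORD=''` next to `CMK_ADMIN_PW`, `KOPANO_REPKEY` and the root `LXC_PWD` in a file that install.sh copies verbatim into every container as /root/zamba.conf, so the section header should warn that this file holds secrets and belongs at mode 0600 on the host. The comments "use ssl?" and "use starttls?" read as if the two options were opposites, but the values (`VW_SMTP_SSL=true`, `VW_SMTP_EXPLICIT_TLS=false`, port 587) match vaultwarden's older naming where `SMTP_SSL` means STARTTLS and `SMTP_EXPLICIT_TLS` means implicit TLS on 465, if I recall it correctly — worth saying outright, e.g. `# STARTTLS on 587; set VW_SMTP_EXPLICIT_TLS=true and port 465 for implicit TLS`. The Kopano comments are copy-pasted from elsewhere: `KOPANO_FQDN` says "your Nextcloud server" and `KOPANO_MAILGW` describes a trusted reverse proxy for fail2ban, neither of which describes a mail gateway address.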
@@ -15,15 +16,16 @@ # Please adjust th settings in 'zamba.conf' to your needs before running the script ############### ZAMBA INSTALL SCRIPT ############### -prog="$(basename "$0")" +prog="$(basename $0)" usage() { cat >&2 <<-EOF - usage: $prog [-h] [-i CTID] [-s SERVICE] [-c CFGFILE] + usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] installs a preconfigured lxc container on your proxmox server -i CTID provide a container id instead of auto detection -s SERVICE provide the service name and skip the selection dialog -c CFGFILE use a different config file than 'zamba.conf' + -d Debug mode inside LXC container -h displays this help text --------------------------------------------------------------------------- (C) 2021 zamba-lxc-toolbox by bashclub (https://github.com/bashclub) @@ -36,26 +38,27 @@ usage() { ctid=0 service=ask config=$PWD/conf/zamba.conf -verbose=0 +debug=0 -while getopts "hi:s:c:" opt; do +while getopts "hi:s:c:d" opt; do case $opt in h) usage 0 ;; i) ctid=$OPTARG ;; s) service=$OPTARG ;; c) config=$OPTARG ;; + d) debug=1 ;; *) usage 1 ;; esac done shift $((OPTIND-1)) -OPTS=$(ls -d $PWD/src/*/ | grep -v __ | xargs basename -a) +OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n) valid=0 if [[ "$service" == "ask" ]]; then select svc in $OPTS quit; do if [[ "$svc" != "quit" ]]; then - for line in $(echo $OPTS); do + for line in $OPTS; do if [[ "$svc" == "$line" ]]; then service=$svc echo "Installation of $service selected." @@ -72,7 +75,7 @@ if [[ "$service" == "ask" ]]; then fi done else - for line in $(echo $OPTS); do + for line in $OPTS; do if [[ "$service" == "$line" ]]; then echo "Installation of $service selected." valid=1 
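Review bot: `prog="$(basename $0)"` drops the quoting the old line had, so a script path containing whitespace breaks the usage text; keep `prog="$(basename "$0")"`. The new `-d` option is described only as "Debug mode inside LXC container", but it runs the installers with `bash -vx`, which echoes every expanded command — including the `mysql -e "... IDENTIFIED BY '$..._DB_PWD'"` lines — to the console; the help text should say `-d Debug mode (traces every command, prints generated passwords to the console)`.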
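Review bot: `OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d ...)` uses a path relative to the current directory while every other reference in the script uses `$PWD/src`, so the service list comes back empty (and under the new `set -e`, `find` failing on a missing `src/` aborts) unless the script is started from the repository root. `find "$PWD/src/" ...` keeps it consistent with the `pct push "$PWD/src/..."` lines further down.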
@@ -88,23 +91,30 @@ fi # Load configuration file echo "Loading config file '$config'..." -source $config - -source $PWD/src/$service/constants-service.conf - -# CHeck is the newest template available, else download it. -DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2) -DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2) -TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11) - -if [[ $DEB_LOC == $DEB_REP ]]; -then - echo "Newest Version of $LXC_TEMPLATE_VERSION $DEP_REP exists."; -else - echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP."; - pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME +if [ ! -e "$config" ]; then + echo "Configuration files does not exist" + exit 1 fi +source "src/functions.sh" + +source "$config" + +source "$PWD/src/$service/constants-service.conf" + +if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then + LXC_MEM=$LXC_MEM_MIN +fi + +if [ $LXC_AUTOTAG -gt 0 ]; then + TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}" +fi + +# Check is the newest template available, else download it. +pveam update +TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11) +pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME + if [ $ctid -gt 99 ]; then LXC_CHK=$ctid else 
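Review bot: `TAGS` is only assigned inside `if [ $LXC_AUTOTAG -gt 0 ]`, but install.sh now runs under `set -u` and the next hunk expands `$TAGS` unconditionally in `pct create`, so any config with `LXC_AUTOTAG=0` (or an older zamba.conf without the new variable at all) aborts with an unbound-variable error instead of creating the container. Initialise it before the check, `TAGS=""`, and default the new variables, `if [ "${LXC_AUTOTAG:-0}" -gt 0 ]`; the same applies to `LXC_VLAN`, which older configs set empty rather than to `NONE`. `pveam download` is now called on every run whether or not the template is already present; if pveam reports an existing file as an error, that case should be tolerated explicitly rather than left to `set -e`.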
@@ -121,17 +131,17 @@ fi echo "Will now create LXC Container $LXC_NBR!"; # Create the container -pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; +pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; sleep 2; # Check vlan configuration -if [[ $LXC_VLAN != "" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi +if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi # Reconfigure conatiner pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING; if [ $LXC_DHCP == true ]; then - pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN; + pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN" else - pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN; + pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN fi sleep 2 
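Review bot: Passing the root password as `--password $LXC_PWD` on the `pct create` command line exposes it to every local user on the Proxmox host through the process list for the duration of the create, and unquoted it also breaks on any password containing whitespace — the previous `echo | passwd` via stdin had neither problem. At minimum quote it, `--password "$LXC_PWD"`, or keep setting the password after start via stdin, e.g. `printf 'root:%s\n' "$LXC_PWD" | pct exec $LXC_NBR -- chpasswd`. Unrelated to this change but visible here: `firewall=1` is still set only on the static-IP branch and not on the DHCP branch, which looks unintentional.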
@@ -144,23 +154,30 @@ PS3="Select the Server-Function: " pct start $LXC_NBR; sleep 5; -# Set the root password and key -echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd; -lxc-attach -n$LXC_NBR mkdir /root/.ssh; +# Set the root ssh key +pct exec $LXC_NBR -- mkdir /root/.ssh pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys -pct push $LXC_NBR $config /root/zamba.conf -pct push $LXC_NBR $PWD/src/constants.conf /root/constants.conf -pct push $LXC_NBR $PWD/src/lxc-base.sh /root/lxc-base.sh -pct push $LXC_NBR $PWD/src/$service/install-service.sh /root/install-service.sh -pct push $LXC_NBR $PWD/src/$service/constants-service.conf /root/constants-service.conf +pct push $LXC_NBR "$config" /root/zamba.conf +pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf +pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf +pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh +pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf +pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh +pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh +pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf + +if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi echo "Installing basic container setup..." -lxc-attach -n$LXC_NBR bash /root/lxc-base.sh +pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh" echo "Install '$service'!" 
-lxc-attach -n$LXC_NBR bash /root/install-service.sh +pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh" +pct shutdown $LXC_NBR if [[ $service == "zmb-ad" ]]; then - pct stop $LXC_NBR - pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1) - pct start $LXC_NBR + ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format + pct set $LXC_NBR -nameserver ${LXC_IP%/*} +elif [[ $service == "zmb-ad-join" ]]; then + pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS" fi +pct start $LXC_NBR \ No newline at end of file diff --git a/sources.list b/sources.list deleted file mode 100644 index aa474ae..0000000 --- a/sources.list +++ /dev/null @@ -1,6 +0,0 @@ -deb http://ftp.de.debian.org/debian buster main contrib - -deb http://ftp.de.debian.org/debian buster-updates main contrib - -# security updates -deb http://security.debian.org buster/updates main contrib \ No newline at end of file diff --git a/src/bookstack/constants-service.conf b/src/bookstack/constants-service.conf new file mode 100644 index 0000000..6e865bd --- /dev/null +++ b/src/bookstack/constants-service.conf @@ -0,0 +1,26 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh new file mode 100644 index 0000000..1ac181a --- /dev/null +++ b/src/bookstack/install-service.sh 
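Review bot: `pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf` prints `LXC_NBR=<id> /root/zamba.conf` to the host's stdout and never writes to the file, because there is no redirection and one would have to run inside the container; use `pct exec $LXC_NBR -- sh -c "echo 'LXC_NBR=$LXC_NBR' >> /root/zamba.conf"`. The file pushed as /root/zamba.conf carries the root password and service secrets (`CMK_ADMIN_PW`, `VW_SMTP_PASSWORD`), so push it with `--perms 0600`, and give the new `/root/.ssh` and `authorized_keys` their conventional modes (`mkdir -m 700`, `--perms 0600`) rather than relying on whatever `mkdir` and `pct push` default to — I have not checked pct's default permissions.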
@@ -0,0 +1,186 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +BOOKSTACK_DB_PWD=$(random_password) +webroot=/var/www/bookstack/public + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server +wget -O /opt/wkhtmltox_0.12.6-1.buster_amd64.deb https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.buster_amd64.deb +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /opt/wkhtmltox_0.12.6-1.buster_amd64.deb + +mkdir /etc/nginx/ssl +openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" + +PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2) + +cat << EOF > /etc/nginx/sites-available/default +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN; +} + +server { + + client_max_body_size 100M; + fastcgi_buffers 64 4K; + client_body_timeout 120s; + + listen 443 http2 ssl default_server; + listen [::]:443 http2 ssl default_server; + server_name $LXC_HOSTNAME.$LXC_DOMAIN; + + root $webroot; + + index index.php; + + ssl_certificate /etc/nginx/ssl/open3a.crt; + ssl_certificate_key /etc/nginx/ssl/open3a.key; + + access_log /var/log/nginx/bookstack.access.log; + error_log /var/log/nginx/bookstack.error.log; + + location / { + try_files \$uri \$uri/ /index.php?\$query_string; + } + + location ~ \.php$ { + 
fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } + + location = /favicon.ico { access_log off; log_not_found off; } + location = /robots.txt { access_log off; log_not_found off; } + + location ~ /\.ht { + deny all; + } + + fastcgi_hide_header X-Powered-By; + fastcgi_read_timeout 3600; + fastcgi_send_timeout 3600; + fastcgi_connect_timeout 3600; + + add_header Permissions-Policy "interest-cohort=()"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + +} + +EOF + +mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD'; +CREATE DATABASE IF NOT EXISTS bookstack; +GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD'; +FLUSH PRIVILEGES;" + +sed -i "s/post_max_size = 8M/post_max_size = 100M/g" 
/etc/php/7.4/fpm/php.ini +sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/7.4/fpm/php.ini +sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini + +EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')" +php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" +ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" +if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ] +then + >&2 echo 'ERROR: Invalid composer installer checksum' + rm composer-setup.php + exit 1 +fi +php composer-setup.php --quiet +rm composer-setup.php +# Move composer to global installation +mv composer.phar /usr/local/bin/composer + +cd /var/www +git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack +cd bookstack + +# Install BookStack composer dependencies +export COMPOSER_ALLOW_SUPERUSER=1 +php /usr/local/bin/composer install --no-dev --no-plugins + + +# Copy and update BookStack environment variables +cp .env.example .env +sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env +sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env +sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env +sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env + +cat << EOF >> .env +QUEUE_CONNECTION=database +STORAGE_TYPE=local_secure +APP_LANG=de_informal +FILE_UPLOAD_SIZE_LIMIT=100 +SESSION_SECURE_COOKIE=true +CACHE_DRIVER=redis +SESSION_DRIVER=redis +REDIS_SERVERS=127.0.0.1:6379:0 +WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf +ALLOW_UNTRUSTED_SERVER_FETCHING=true +EOF + +# Generate the application key +php artisan key:generate --no-interaction --force +# Migrate the databases +php artisan migrate --no-interaction --force + +php artisan bookstack:db-utf8mb4 > dbupgrade.sql +mysql -u root < dbupgrade.sql + +chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 
bootstrap/cache public/uploads storage + +cat << EOF > /etc/systemd/system/bookstack-queue.service +[Unit] +Description=BookStack Queue Worker + +[Service] +User=www-data +Group=www-data +Restart=always +ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600 + +[Install] +WantedBy=multi-user.target +EOF + +systemctl daemon-reload +systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server +systemctl restart php7.4-fpm nginx bookstack-queue redis-server + +LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) + +echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n" \ No newline at end of file diff --git a/src/checkmk/constants-service.conf b/src/checkmk/constants-service.conf index 4659e6f..0ba9409 100644 --- a/src/checkmk/constants-service.conf +++ b/src/checkmk/constants-service.conf @@ -20,6 +20,12 @@ LXC_UNPRIVILEGED="1" LXC_NESTING="1" # checkmk version -CMK_VERSION=2.0.0p33 +CMK_VERSION=2.1.0p21 # build number of the debian package (needs to start with underscore) CMK_BUILD=_0 + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=2048 + +# service dependent meta tags +SERVICE_TAGS="apache2" \ No newline at end of file diff --git a/src/checkmk/install-service.sh b/src/checkmk/install-service.sh index d422a13..6822b58 100644 --- a/src/checkmk/install-service.sh +++ b/src/checkmk/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/constants.conf b/src/constants.conf index bc1838c..be08b75 100644 --- a/src/constants.conf +++ b/src/constants.conf 
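Review bot: The wkhtmltox `.deb` is fetched from GitHub and installed as root with no checksum or signature check, unlike the composer installer a few lines later that the script does verify against `installer.sig`; pin a SHA-256 for the release, e.g. `echo "<sha256>  /opt/wkhtmltox_0.12.6-1.buster_amd64.deb" | sha256sum -c -` before the `apt install`. `ALLOW_UNTRUSTED_SERVER_FETCHING=true` in the generated `.env` disables certificate validation for BookStack's server-side fetches (per BookStack's own .env.example), which is a wide MITM surface for a wiki that embeds remote content — make it opt-in from zamba.conf, defaulting to false. The closing message advertises the stock `admin@admin.com` / `password` login and a plain `http://` URL that the nginx config immediately redirects; state explicitly that these credentials must be changed at first login. Minor: the key pair is written as `open3a.key`/`open3a.crt`, a leftover name from another installer, and `git clone --branch release` tracks a moving branch rather than a pinned tag.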
@@ -8,4 +8,4 @@ # This file contains the project constants on container level # Define your (administrative) tools, you always want to have installed into your LXC container -LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common" \ No newline at end of file +LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget" \ No newline at end of file diff --git a/src/debian-priv/constants-service.conf b/src/debian-priv/constants-service.conf index 1f764d7..6c4691a 100644 --- a/src/debian-priv/constants-service.conf +++ b/src/debian-priv/constants-service.conf @@ -17,4 +17,10 @@ LXC_MP="0" LXC_UNPRIVILEGED="0" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=512 + +# service dependent meta tags +SERVICE_TAGS="privileged" \ No newline at end of file diff --git a/src/debian-unpriv/constants-service.conf b/src/debian-unpriv/constants-service.conf index 4f5ef36..7e5a29b 100644 --- a/src/debian-unpriv/constants-service.conf +++ b/src/debian-unpriv/constants-service.conf @@ -17,4 +17,10 @@ LXC_MP="0" LXC_UNPRIVILEGED="1" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=512 + +# service dependent meta tags +SERVICE_TAGS="" \ No newline at end of file diff --git a/src/ecodms/constants-service.conf b/src/ecodms/constants-service.conf new file mode 100644 index 0000000..06b8fa2 --- /dev/null +++ b/src/ecodms/constants-service.conf 
@@ -0,0 +1,29 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# set ecodms release version +ECODMS_RELEASE=ecodms_220864 + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=6144 + +# service dependent meta tags +SERVICE_TAGS="java,postgresql" \ No newline at end of file diff --git a/src/ecodms/install-service.sh b/src/ecodms/install-service.sh new file mode 100644 index 0000000..9eaf184 --- /dev/null +++ b/src/ecodms/install-service.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections +echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections + +echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list +wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg + +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver \ No newline at end of file diff --git a/src/functions.sh b/src/functions.sh new file mode 100644 index 0000000..5798afd --- /dev/null +++ b/src/functions.sh 
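Review bot: Both the apt repository (`deb http://www.ecodms.de/...`) and the signing key (`wget -qO- http://www.ecodms.de/gpg/ecodms.key`) are fetched over plain HTTP, so an on-path attacker can substitute the key and then serve arbitrary packages that apt installs as root; the key must come over HTTPS, or ship in the repository with a pinned fingerprint, for the signature check to mean anything. Scope the key to this one repository instead of the global trust store: write it to `/usr/share/keyrings/ecodms.gpg` and reference it with `deb [signed-by=/usr/share/keyrings/ecodms.gpg] http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /`. `echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections` silently accepts the vendor licence on the operator's behalf; a comment saying so would be fair.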
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# This script has basic functions like a random password generator
+LXC_RANDOMPWD=32
+
+random_password() {
+ set +o pipefail
+ C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
+}
\ No newline at end of file
diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf
new file mode 100644
index 0000000..4019690
--- /dev/null
+++ b/src/gitea/constants-service.conf
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the IP from the SQL server
+GITEA_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+GITEA_DB_PORT="5432"
+
+# Defines the name from the SQL database
+GITEA_DB_NAME="gitea"
+
+# Defines the name from the SQL user
+GITEA_DB_USR="gitea"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+GITEA_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql"
\ No newline at end of file
diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh
new file mode 100644
index 0000000..c49eba5
--- /dev/null
+++ b/src/gitea/install-service.sh 
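Review bot: `set +o pipefail` inside `random_password` is not scoped to the function, so the first call permanently disables pipefail in the caller — every install-service.sh that starts with `set -euo pipefail` and then evaluates `$(random_password)` loses failure detection for its later `wget ... | apt-key add -` and `php -r ... | ...` pipelines. Run the pipeline in a subshell instead, and fix the typo `C_CTYPE=C`, which sets an unrelated variable (the intent is `LC_CTYPE=C` or `LC_ALL=C`): `random_password() { ( set +o pipefail; LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c"${LXC_RANDOMPWD}" ); }`. The `2>/dev/null` hides exactly the errors (unreadable /dev/urandom, bad locale) that would leave the caller with an empty password, so I would drop it and let the caller see them.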
@@ -0,0 +1,184 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add - +echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list + +wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - +echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip + +systemctl enable --now postgresql + +su - postgres < /usr/local/bin/update-gitea +PATH="/bin:/usr/bin:/usr/local/bin" +echo "Checking github for new gitea version" +current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4) +installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3)) +echo "Installed gitea version is \$installed_version" +if [ \$installed_version != \$current_version ]; then + echo "New gitea version \$current_version available. Stopping gitea.service" + systemctl stop gitea.service + echo "Downloading gitea version \$current_version..." + curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i - + chmod +x /usr/local/bin/gitea + echo "Starting gitea.service..." + systemctl start gitea.service + echo "gitea update finished!" +else + echo "gitea version is up-to-date!" 
+fi +EOF +chmod +x /usr/local/bin/update-gitea + +cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook +DPkg::Post-Invoke {"/usr/local/bin/update-gitea";}; +EOF +chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook + +cat << EOF > /etc/systemd/system/gitea.service +[Unit] +Description=Gitea +After=syslog.target +After=network.target +After=postgresql.service + +[Service] +RestartSec=2s +Type=simple +User=git +Group=git +WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/ +ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini +Restart=always +Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/ + +[Install] +WantedBy=multi-user.target +EOF + +cat << EOF > /etc/gitea/app.ini +RUN_MODE = prod +RUN_USER = git + +[repository] +ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories + +[repository.local] +LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo + +[repository.upload] +TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads + +[database] +DB_TYPE=postgres +HOST=localhost +NAME=${GITEA_DB_NAME} +USER=${GITEA_DB_USR} +PASSWD=${GITEA_DB_PWD} +SSL_MODE=disable + +[server] +APP_DATA_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea +DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN} +SSH_DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN} +HTTP_HOST = localhost +HTTP_PORT = 3000 +ROOT_URL = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/ +DISABLE_SSH = false +SSH_PORT = 22 +SSH_LISTEN_PORT = 22 +EOF + +chown -R root:git /etc/gitea +chmod 770 /etc/gitea +chmod 770 /etc/gitea/app.ini + +cat << EOF > /etc/nginx/conf.d/default.conf +server { + listen 80; + listen [::]:80; + server_name _; + + server_tokens off; + + access_log /var/log/nginx/gitea.access.log; + error_log /var/log/nginx/gitea.error.log; + + location /.well-known/ { + root /var/www/html; + } + + return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ${LXC_HOSTNAME}.${LXC_DOMAIN}; + + server_tokens off; + ssl_certificate 
/etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 1.1.1.1 1.0.0.1; + + add_header Strict-Transport-Security "max-age=31536000" always; + + access_log /var/log/nginx/gitea.access.log; + error_log /var/log/nginx/gitea.error.log; + + client_max_body_size 50M; + + location / { + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_pass http://127.0.0.1:3000; + proxy_read_timeout 90; + } +} + +EOF +openssl dhparam -out /etc/nginx/dhparam.pem 4096 + +systemctl daemon-reload +systemctl enable --now gitea +systemctl restart nginx diff --git a/src/kimai/constants-service.conf b/src/kimai/constants-service.conf new file mode 100644 index 0000000..12d6e1d --- /dev/null +++ b/src/kimai/constants-service.conf 
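Review bot: The `update-gitea` hook written by this hunk runs as root on every dpkg invocation, pulls the latest release binary straight into `/usr/local/bin/gitea` and never verifies it — no checksum, no signature — so a spoofed or tampered download becomes the running service, and because `wget -O` truncates the target before the transfer, a failed download (GitHub API rate limit, network error) leaves an empty binary with the service already stopped. Download to a temporary file, verify it against the release's `.sha256` asset (gitea publishes one per binary, as far as I know), and only then replace the binary; also quote `"$installed_version" != "$current_version"` so an empty API response does not become a `[` syntax error. This is additionally the only new installer without `set -euo pipefail`, so a failed `apt-key add` or `apt install` just continues, and `chmod 770 /etc/gitea/app.ini` leaves a file holding the database password group-writable — `640 root:git` is enough for gitea to read it. Part of this hunk between `su - postgres <` and the `update-gitea` heredoc appears cut off in this rendering, so I have only reviewed what is visible; the replacement below is the generated script's content (escape `$` as `\$` inside the `cat << EOF` heredoc).
```shell
# … unchanged: PATH, version lookup …
if [ "$installed_version" != "$current_version" ]; then
  url=$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux-amd64$')
  tmp=$(mktemp)
  wget -q -O "$tmp" "$url" && wget -q -O "$tmp.sha256" "$url.sha256" || { rm -f "$tmp" "$tmp.sha256"; exit 1; }
  echo "$(cut -d ' ' -f1 "$tmp.sha256")  $tmp" | sha256sum -c - || { rm -f "$tmp" "$tmp.sha256"; exit 1; }
  systemctl stop gitea.service
  install -m 0755 "$tmp" /usr/local/bin/gitea
  rm -f "$tmp" "$tmp.sha256"
  systemctl start gitea.service
  echo "gitea update finished!"
else
  echo "gitea version is up-to-date!"
fi
```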
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+KIMAI_VERSION="main"
+
+# Defines the php version to install
+KIMAI_PHP_VERSION="8.1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
\ No newline at end of file
diff --git a/src/kimai/install-service.sh b/src/kimai/install-service.sh
new file mode 100644
index 0000000..c07e4ed
--- /dev/null
+++ b/src/kimai/install-service.sh
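Review bot: `KIMAI_VERSION="main"` makes the installer build from the unreleased development branch instead of a tagged release, which is neither reproducible nor what the comment above promises ("exact version number (e.g. 1.3.11) or 'latest'"), and that comment still says "kimai mail archive", a leftover from the mailpiler file. The install script in this commit passes the value straight to `git clone --branch`, so `'latest'` would not resolve either; only a real tag works. Pin a release tag here and reword the comment to `# Defines the Kimai git tag to clone (an exact release tag); 'main' tracks unreleased development code`.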
@@ -0,0 +1,167 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +KIMAI_DB_PWD=$(random_password) +webroot=/var/www/kimai/public + +wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - +echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip php8.1-opcache php8.1-curl + +mkdir /etc/nginx/ssl +openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" + +PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2) +PHP_VERSION=${PHP_VERSION:0:3} + +cat << EOF > /etc/nginx/sites-available/default +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN; +} + +server { + + client_max_body_size 2M; + fastcgi_buffers 64 4K; + client_body_timeout 120s; + + listen 443 http2 ssl default_server; + listen [::]:443 http2 ssl default_server; + server_name $LXC_HOSTNAME.$LXC_DOMAIN; + + root $webroot; + + index index.php; + + ssl_certificate /etc/nginx/ssl/kimai.crt; + ssl_certificate_key /etc/nginx/ssl/kimai.key; + + access_log /var/log/nginx/kimai.access.log; + error_log /var/log/nginx/kimai.error.log; + + location / { + try_files \$uri \$uri/ /index.php?\$query_string; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 
unix:/run/php/php${PHP_VERSION}-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } + + location = /favicon.ico { access_log off; log_not_found off; } + location = /robots.txt { access_log off; log_not_found off; } + + location ~ /\.ht { + deny all; + } + + fastcgi_hide_header X-Powered-By; + fastcgi_read_timeout 3600; + fastcgi_send_timeout 3600; + fastcgi_connect_timeout 3600; + + add_header Permissions-Policy "interest-cohort=()"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + +} + +EOF + +mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD'; +CREATE DATABASE IF NOT EXISTS kimai; +GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD'; +FLUSH PRIVILEGES;" + +sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini +sed -i "s/memory_limit = 128M/memory_limit = 512M/g" 
/etc/php/${PHP_VERSION}/fpm/php.ini +sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini +sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini +sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini +sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini +sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini +sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini + +EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')" +php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" +ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" +if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ] +then + >&2 echo 'ERROR: Invalid composer installer checksum' + rm composer-setup.php + exit 1 +fi +php composer-setup.php --quiet +rm composer-setup.php +# Move composer to global installation +mv composer.phar /usr/local/bin/composer + +cd /var/www +git clone https://github.com/kimai/kimai.git --branch $KIMAI_VERSION --depth 1 +cd kimai + +# Install kimai composer dependencies +export COMPOSER_ALLOW_SUPERUSER=1 +/usr/local/bin/composer install --optimize-autoloader -n + +# Copy and update kimai environment variables +cat << EOF > .env +# For more infos about the variables, see .env.dist +DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.8 +MAILER_FROM=admin@$LXC_DOMAIN +MAILER_URL=null://null +APP_ENV=prod +APP_SECRET=$(random_password) +CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$ +EOF + +chown -R www-data:www-data . +chmod -R g+r . 
+chmod -R g+rw var/
+
+bin/console kimai:install -n
+
+bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
+
+systemctl daemon-reload
+systemctl enable --now php${PHP_VERSION}-fpm nginx
+systemctl restart php${PHP_VERSION}-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"
diff --git a/src/kopano-core/constants-service.conf b/src/kopano-core/constants-service.conf
new file mode 100644
index 0000000..d2e5808
--- /dev/null
+++ b/src/kopano-core/constants-service.conf
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+KOPANO_VERSION="latest"
+
+# Defines the php version to install
+KOPANO_PHP_VERSION="7.4"
+
+# Defines Maria DB Version
+MARIA_DB_VERS="10.5"
+
+# Defines the name from the SQL database
+MARIA_DB_NAME="kopano"
+
+# Defines the name from the SQL user
+MARIA_DB_USER="kopano"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+
+MARIA_ROOT_PWD=$(random_password)
+MARIA_USER_PWD=$(random_password)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
\ No newline at end of file
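Review bot: `chown -R www-data:www-data .` followed by `chmod -R g+r .` hands ownership of the whole checkout — every PHP file plus `.env` with the database password and `APP_SECRET` — to the PHP-FPM user, so a compromised web process can rewrite application code, although only `var/` needs to be writable. Keep root as owner with group read for the web server, `chown -R root:www-data .` and `chmod 640 .env`, and apply the `chmod` lines after `bin/console kimai:install -n` so the cache it generates is covered too. The admin password is passed on the `bin/console kimai:user:create` command line and then echoed with the URL, which puts `$LXC_PWD` into the process list and the provisioning log; if the console command cannot read it from the environment, at least drop it from the final message. That message also advertises `http://`, while the port-80 server block above only redirects to HTTPS.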
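Review bot: The comment above `KOPANO_VERSION` still describes the "piler mail archive ... (e.g. 1.3.11)", copied from the mailpiler file, and the value `"latest"` is not referenced by the kopano install script in this commit, which pulls whatever the `final` repositories currently serve. Either wire the variable into the repository paths or drop it, and reword the comment to `# Kopano release channel (currently unused; packages come from the 'final' repositories)`. `MARIA_ROOT_PWD`/`MARIA_USER_PWD` call `random_password` from functions.sh, so this file only works when sourced after it — worth a line such as `# requires /root/functions.sh to be sourced first`.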
diff --git a/src/kopano-core/install-service.sh b/src/kopano-core/install-service.sh
new file mode 100644
index 0000000..b3644f4
--- /dev/null
+++ b/src/kopano-core/install-service.sh
@@ -0,0 +1,276 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +HOSTNAME=$(hostname -f) + +#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - +#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list + +wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add - +echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list + +wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add - +echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list + +apt update + +#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \ +#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip} +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \ +php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip} + +#timedatectl set-timezone Europe/Berlin +#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www +#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www + +#### Secure Maria Instance #### + +mysqladmin -u root password "[$MARIA_ROOT_PWD]" + +mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''" +mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')" +#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR 
Db='test_%'" +mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES" + +#### Create user and DB for Kopano #### + +mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'" +mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'" +mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES" + +echo "root-password: $MARIA_ROOT_PWD,\ +db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log + +cat > /etc/apt/sources.list.d/kopano.list << EOF + +# Kopano Core +deb https://download.kopano.io/supported/core:/final/Debian_11/ ./ + +# Kopano WebApp +deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./ + +# Kopano MobileDeviceManagement +deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./ + +# Kopano Files +deb https://download.kopano.io/supported/files:/final/Debian_11/ ./ + +# Z-Push +deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./ + +EOF + +cat > /etc/apt/auth.conf.d/kopano.conf << EOF + +machine download.kopano.io +login serial +password $KOPANO_REPKEY + +EOF + +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add - +curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add - + +apt update && apt full-upgrade -y + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \ +z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files + +#### 
Adjust kopano settings #### + +cat > /etc/kopano/ldap.cfg << EOF + +!include /usr/share/kopano/ldap.active-directory.cfg + +ldap_uri = ldap://192.168.100.100:389 +ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks +ldap_bind_passwd = Start123! +ldap_search_base = dc=zmb,dc=rocks + +#ldap_user_search_filter = (kopanoAccount=1) + +EOF + +cat > /etc/kopano/server.cfg << EOF + +server_listen = *:236 +local_admin_users = root kopano + +#database_engine = mysql +#mysql_host = localhost +#mysql_port = 3306 +mysql_user = $MARIA_DB_USER +mysql_password = $MARIA_USER_PWD +mysql_database = $MARIA_DB_NAME + +#user_plugin = ldap +#user_plugin_config = /etc/kopano/ldap.cfg + +EOF + +#### Adjust php settings #### + +sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php + +cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF + +[webapp] +listen = 127.0.0.1:9002 +user = www-data +group = www-data +listen.allowed_clients = 127.0.0.1 +pm = dynamic +pm.max_children = 150 +pm.start_servers = 35 +pm.min_spare_servers = 20 +pm.max_spare_servers = 50 +pm.max_requests = 200 +listen.backlog = -1 +request_terminate_timeout = 120s +rlimit_files = 131072 +rlimit_core = unlimited +catch_workers_output = yes + +EOF + +sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php + +#### Adjust nginx settings #### + +openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN" +openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096 + +#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak + +cat > /etc/nginx/sites-available/webapp.conf << EOF +upstream php-handler { + #server 127.0.0.1:9002; + #server unix:/var/run/php5-fpm.sock; + server unix:/var/run/php/php7.4-fpm.sock; +} + +server{ + listen 80; + charset utf-8; + listen [::]:80; + server_name _; + + location / { + rewrite ^(.*) 
https://\$server_name\$1 permanent; + } + } + +server { + charset utf-8; + listen 443; + listen [::]:443 ssl; + server_name _; + ssl on; + client_max_body_size 1024m; + ssl_certificate /etc/ssl/certs/kopano.crt; + ssl_certificate_key /etc/ssl/private/kopano.key; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; + ssl_prefer_server_ciphers on; + # + # ssl_dhparam require you to create a dhparam.pem, this takes a long time + ssl_dhparam /etc/ssl/certs/dhparam.pem; + # + + # add headers + server_tokens off; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + + location /webapp { + alias /usr/share/kopano-webapp/; + index index.php; + + location ~ /webapp/presence/ { + rewrite ^/webapp/presence(/.*)$ \$1 break; + proxy_pass http://localhost:1234; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + } + + } + + location ~* ^/webapp/(.+\.php)$ { + alias /usr/share/kopano-webapp/; + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } + + fastcgi_param PHP_VALUE " + register_globals=off + magic_quotes_gpc=off + magic_quotes_runtime=off + post_max_size=31M + upload_max_filesize=30M + "; + fastcgi_param PHP_VALUE "post_max_size=31M + upload_max_filesize=30M + max_execution_time=3660 + "; + + include fastcgi_params; + fastcgi_index index.php; + #fastcgi_param HTTPS on; + fastcgi_param SCRIPT_FILENAME \$document_root\$1; + fastcgi_pass php-handler; + access_log /var/log/nginx/kopano-webapp-access.log; + error_log /var/log/nginx/kopano-webapp-error.log; + + # CSS and Javascript + 
location ~* \.(?:css|js)$ { + expires 1y; + access_log off; + add_header Cache-Control "public"; + } + + # All (static) resources set to 2 months expiration time. + location ~* \.(?:jpg|gif|png)\$ { + expires 2M; + access_log off; + add_header Cache-Control "public"; + } + + # enable gzip compression + gzip on; + gzip_min_length 1100; + gzip_buffers 4 32k; + gzip_types text/plain application/x-javascript text/xml text/css application/json; + gzip_vary on; + } + +} + +map \$http_upgrade \$connection_upgrade { + default upgrade; + '' close; +} +EOF + + + +ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/ + +phpenmod kopano +systemctl restart php7.4-fpm nginx diff --git a/src/lxc-base.sh b/src/lxc-base.sh index b89d820..d26954f 100644 --- a/src/lxc-base.sh +++ b/src/lxc-base.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -euo pipefail # Authors: # (C) 2021 Idea an concept by Christian Zengel @@ -7,6 +8,7 @@ # load configuration echo "Loading configuration..." +source /root/functions.sh source /root/zamba.conf source /root/constants.conf source /root/constants-service.conf @@ -14,6 +16,7 @@ source /root/constants-service.conf echo "Updating locales" # update locales sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen +sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen cat << EOF > /etc/default/locale LANG="$LXC_LOCALE" LANGUAGE=$LXC_LOCALE 
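Review bot: `/etc/kopano/ldap.cfg` is written with a hard-coded bind DN, a plaintext `ldap://192.168.100.100:389` URI and the literal password `Start123!`; even though `user_plugin = ldap` is commented out in server.cfg, this ships a credential inside an installer, and the file is created with the default umask. Take the URI, bind user and password from zamba.conf variables as the other services do, prefer `ldaps://` or STARTTLS, and `chmod 640 /etc/kopano/ldap.cfg` afterwards. `mysqladmin -u root password "[$MARIA_ROOT_PWD]"` sets the root password with literal square brackets, so the value recorded in /root/maria.log and used by the later `-p$MARIA_ROOT_PWD` calls is not the one that was set (those calls probably only succeed because root passes unix_socket authentication), and this script lacks the `set -euo pipefail` the kimai and omada installers have, so nothing would stop on failure; drop the brackets. The nginx server block still allows `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and combines the deprecated `ssl on;` with a bare `listen 443;` — use `listen 443 ssl;` and `ssl_protocols TLSv1.2 TLSv1.3;` as the gitea config in this commit does. `/etc/apt/auth.conf.d/kopano.conf` holds the subscription serial and should be `chmod 600`.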
@@ -24,23 +27,23 @@ locale-gen $LXC_LOCALE if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then cat << EOF > /etc/apt/sources.list -deb http://ftp.de.debian.org/debian bullseye main contrib +deb http://debian.inf.tu-dresden.de/debian bullseye main contrib -deb http://ftp.de.debian.org/debian bullseye-updates main contrib +deb http://debian.inf.tu-dresden.de/debian bullseye-updates main contrib # security updates -deb http://security.debian.org bullseye-security main contrib +deb http://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib EOF elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then cat << EOF > /etc/apt/sources.list -deb http://ftp.de.debian.org/debian buster main contrib +deb http://debian.inf.tu-dresden.de/debian buster main contrib -deb http://ftp.de.debian.org/debian buster-updates main contrib +deb http://debian.inf.tu-dresden.de/debian buster-updates main contrib # security updates -deb http://security.debian.org buster/updates main contrib +deb http://debian.inf.tu-dresden.de/debian-security buster/updates main contrib EOF else echo "LXC Debian Version false. Please check configuration files!" ; exit fi diff --git a/src/mailpiler/constants-service.conf b/src/mailpiler/constants-service.conf index c943bf2..4523fd3 100644 --- a/src/mailpiler/constants-service.conf +++ b/src/mailpiler/constants-service.conf @@ -25,3 +25,9 @@ PILER_VERSION="1.3.12" PILER_SPHINX_VERSION="3.3.1" # Defines the php version to install PILER_PHP_VERSION="7.4" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx" \ No newline at end of file diff --git a/src/mailpiler/install-service.sh b/src/mailpiler/install-service.sh index 035b852..217bfc6 100644 --- a/src/mailpiler/install-service.sh +++ b/src/mailpiler/install-service.sh 
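Review bot: The `bullseye-security` and `buster/updates` suites are now fetched from `debian.inf.tu-dresden.de/debian-security` instead of `security.debian.org`; generic mirrors can lag behind a security push, which is why Debian's own sources.list guidance keeps the security suite on its own host, so swap the mirror for `main`/`-updates` only and keep `deb http://security.debian.org/debian-security bullseye-security main contrib` (and the buster equivalent). Independently, the `else` branch in this hunk's context ends with a bare `exit`, which returns 0, so an unsupported `LXC_TEMPLATE_VERSION` still looks like success to the caller even with the `set -euo pipefail` this commit adds at the top of the file; make it `exit 1`.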
@@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/matrix/constants-service.conf b/src/matrix/constants-service.conf index 292d2ce..9bfdb2d 100644 --- a/src/matrix/constants-service.conf +++ b/src/matrix/constants-service.conf @@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="1" # enable nesting feature LXC_NESTING="1" -# Define the version of Element Web -MATRIX_ELEMENT_VERSION="v1.9.9" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql,element-web" \ No newline at end of file diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh index 1283d5b..fa15c4c 100644 --- a/src/matrix/install-service.sh +++ b/src/matrix/install-service.sh @@ -5,14 +5,17 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) +MRX_PKE=$(random_password) ELE_DBNAME="synapse_db" ELE_DBUSER="synapse_user" -ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) +ELE_DBPASS=$(random_password) +ELE_PATH=/var/www/element-web +WEBROOT=/var/www DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2 @@ -66,7 +69,7 @@ server { ssl_certificate_key /etc/nginx/ssl/matrix.key; # If you don't wanna serve a site, comment this out - root /var/www/$MATRIX_FQDN; + root $ELE_PATH; index index.html index.htm; location / { 
@@ -101,7 +104,7 @@ server { ssl_certificate_key /etc/nginx/ssl/matrix.key; # If you don't wanna serve a site, comment this out - root /var/www/$MATRIX_ELEMENT_FQDN/element; + root $ELE_PATH; index index.html index.htm; } 
@@ -112,21 +115,23 @@ ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$ systemctl restart nginx -mkdir /var/www/$MATRIX_ELEMENT_FQDN -cd /var/www/$MATRIX_ELEMENT_FQDN -wget https://packages.riot.im/element-release-key.asc +cd /var/www + +wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc gpg --import element-release-key.asc -wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz -wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc +MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/vector-im/element-web/releases/latest | grep tag_name | cut -d'"' -f4) + +wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz +wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz -ln -s element-$MATRIX_ELEMENT_VERSION element -chown www-data:www-data -R element -cp ./element/config.sample.json ./element/config.json -sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json -sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json +mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH +chown www-data:www-data -R $ELE_PATH +cp $ELE_PATH/config.sample.json $ELE_PATH/config.json +sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json +sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json su postgres < /usr/share/keyrings/jitsi-keyring.gpg' -#echo 'deb 
[signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null +register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008 -#apt update -#apt install -y jitsi-meet \ No newline at end of file +echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n" \ No newline at end of file diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index e7ba80a..51f9a33 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf @@ -23,7 +23,7 @@ LXC_NESTING="1" NEXTCLOUD_VERSION="latest" # Defines the php version to install -NEXTCLOUD_PHP_VERSION="8.0" +NEXTCLOUD_PHP_VERSION="8.1" # Defines the IP from the SQL server NEXTCLOUD_DB_IP="127.0.0.1" @@ -38,4 +38,10 @@ NEXTCLOUD_DB_NAME="nextcloud_db" NEXTCLOUD_DB_USR="nextcloud" # Build a strong password for the SQL user - could be overwritten with something fixed -NEXTCLOUD_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" +NEXTCLOUD_DB_PWD="$(random_password)" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=4096 + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,postgresql" \ No newline at end of file diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 0137db9..4f7ab71 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh @@ -5,6 +5,10 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh + +NEXTCLOUD_ADMIN_PWD=$(random_password) + source /root/zamba.conf source /root/constants-service.conf 
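Review bot: `gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc` is run but its exit status is ignored, and no `set -e` is visible in this script, so a tarball with a bad or missing signature is still unpacked and served from `$ELE_PATH`; the check only means something as `gpg --verify … || exit 1`, and the key imported a few lines earlier should be pinned by fingerprint rather than trusted because it arrived over HTTPS. The version now comes from an unauthenticated `curl -s` of the GitHub releases API with no test that `MATRIX_ELEMENT_VERSION` is non-empty, so a transient failure yields `element-.tar.gz` URLs; bail out if it is empty before the wget calls. In `register_new_matrix_user … -p \'$MATRIX_ADMIN_PASSWORD\'` the escaped quotes are passed literally, so the admin account is created with `'<password>'` including the quote characters while the closing message prints the password without them; use `-p "$MATRIX_ADMIN_PASSWORD"`. Part of this hunk around `su postgres <` appears truncated in this rendering, so the database setup lines could not be reviewed.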
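Review bot: `NEXTCLOUD_ADMIN_PWD=$(random_password)` runs after functions.sh but before `/root/zamba.conf` and constants-service.conf are sourced, the opposite order from every other installer in this commit; the open3a script sets `LXC_RANDOMPWD` right before calling `random_password`, which suggests the generator reads its length from the config, so here it would run with that value unset. Move the assignment below the three `source` lines. Nothing in this hunk shows the generated admin password being persisted or printed, so if the rest of the script (outside the hunk) does not use it, the container ends up with an admin password nobody knows.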
@@ -21,7 +25,7 @@ echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends sudo tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \ +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \ postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline} timedatectl set-timezone $LXC_TIMEZONE @@ -398,7 +402,9 @@ array ( 'updater.release.channel' => 'stable', 'trusted_proxies' => array ( -'$NEXTCLOUD_REVPROX' +'$NEXTCLOUD_REVPROX', +'127.0.0.1', +'::1', ), ); EOF diff --git a/src/omada/constants-service.conf b/src/omada/constants-service.conf new file mode 100644 index 0000000..ccb3471 --- /dev/null +++ b/src/omada/constants-service.conf @@ -0,0 +1,26 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=2048 + +# service dependent meta tags +SERVICE_TAGS="mongodb-server,java" \ No newline at end of file 
diff --git a/src/omada/install-service.sh b/src/omada/install-service.sh new file mode 100644 index 0000000..11efb2e --- /dev/null +++ b/src/omada/install-service.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add - +add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ + +wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://www.mongodb.org/static/pgp/server-4.4.asc + +echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq adoptopenjdk-8-hotspot jsvc mongodb-org + +DL=$(wget -O - -q https://www.tp-link.com/de/support/download/omada-software-controller/ 2>/dev/null | grep Download-Detail-Software_Omada-Software-Controller | grep "Linux_x64.deb" | head -1 | cut -d'"' -f6) + +wget -O /tmp/omada.deb -q $DL + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /tmp/omada.deb \ No newline at end of file diff --git a/src/onlyoffice/constants-service.conf b/src/onlyoffice/constants-service.conf index bbaeda4..d135850 100644 --- a/src/onlyoffice/constants-service.conf +++ b/src/onlyoffice/constants-service.conf @@ -23,4 +23,10 @@ ONLYOFFICE_DB_HOST=localhost ONLYOFFICE_DB_NAME=onlyoffice -ONLYOFFICE_DB_USER=onlyoffice \ No newline at end of file +ONLYOFFICE_DB_USER=onlyoffice + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql,rabbitmq" \ No newline at end of file 
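Review bot: The controller package is installed from a URL scraped out of the TP-Link download page (`DL=$(wget -O - … | grep … | cut -d'"' -f6)`) and handed to `apt install /tmp/omada.deb` without any checksum or signature check; apt does not verify local .deb files, so whatever that page happens to serve runs as root in the container, and the build is not reproducible because the version changes with the page. Pin the version and its SHA-256 in constants-service.conf and verify before installing, e.g. `echo "$OMADA_SHA256  /tmp/omada.deb" | sha256sum -c -`. The AdoptOpenJDK and MongoDB keys are added to the global keyring (`apt-key add -` and `/etc/apt/trusted.gpg.d/`), which lets them sign any repository; store them under `/usr/share/keyrings/` and reference them with `[signed-by=/usr/share/keyrings/<name>.gpg]` in the `.list` line. The MongoDB line also pulls the `buster` repository onto a `debian-11-standard` template over plain http, which deserves a comment stating why (presumably no bullseye build of 4.4) so the next maintainer does not "fix" it blindly.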
diff --git a/src/onlyoffice/fix-update.sh b/src/onlyoffice/fix-update.sh new file mode 100644 index 0000000..8d8f553 --- /dev/null +++ b/src/onlyoffice/fix-update.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +cat > /usr/local/bin/ods-apt-pre-hook << DFOE +#!/bin/bash +rm /etc/nginx/conf.d/ds-ssl.conf +systemctl stop nginx.service +DFOE +chmod +x /usr/local/bin/ods-apt-pre-hook + +cat > /usr/local/bin/ods-apt-post-hook << DFOE +#!/bin/bash +rm /etc/nginx/conf.d/ds.conf +ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf +systemctl restart nginx +DFOE +chmod +x /usr/local/bin/ods-apt-post-hook + + +cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook +DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";}; +EOF + +cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook +DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";}; +EOF diff --git a/src/onlyoffice/install-service.sh b/src/onlyoffice/install-service.sh index c623bee..ae1018b 100644 --- a/src/onlyoffice/install-service.sh +++ b/src/onlyoffice/install-service.sh @@ -1,7 +1,15 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -ONLYOFFICE_DB_PASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) +ONLYOFFICE_DB_PASS=$(random_password) apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5 echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list 
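Review bot: Both hooks are registered as `DPkg::Pre-Invoke`/`DPkg::Post-Invoke`, which apt runs for every dpkg transaction, so any unrelated `apt install` or unattended upgrade in this container deletes the ds-ssl.conf symlink and stops nginx for the length of the run, and the post-hook's unconditional `rm /etc/nginx/conf.d/ds.conf` errors on every run where the package was not touched. If the intent is only to undo the document server's postinst restoring the plain-http ds.conf, say so in a header comment (`# apt hooks: onlyoffice-documentserver's postinst re-creates ds.conf; re-apply the ssl config after each dpkg run`) and make the post-hook idempotent with `rm -f`. Limiting the pre-hook to transactions that actually contain the document server package would, as far as I know, require the `DPkg::Tools::Options` package-list protocol, which the comment should at least mention as the known limitation. This file also duplicates the hook block written by install-service.sh in the same commit, so the two copies will drift; have the installer call this script instead.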
@@ -36,8 +44,33 @@ openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/only rm /etc/nginx/conf.d/ds.conf cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf + +sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf +sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf + ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf -sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/nginx/conf.d/ds-ssl.conf -sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/nginx/conf.d/ds-ssl.conf +cat > /usr/local/bin/ods-apt-pre-hook << DFOE +#!/bin/bash +rm /etc/nginx/conf.d/ds-ssl.conf +systemctl stop nginx.service +DFOE +chmod +x /usr/local/bin/ods-apt-pre-hook + +cat > /usr/local/bin/ods-apt-post-hook << DFOE +#!/bin/bash +rm /etc/nginx/conf.d/ds.conf +ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf +systemctl restart nginx +DFOE +chmod +x /usr/local/bin/ods-apt-post-hook + +cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook +DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";}; +EOF + +cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook +DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";}; +EOF + systemctl restart nginx \ No newline at end of file diff --git a/src/open3a/constants-service.conf b/src/open3a/constants-service.conf index 4f5ef36..6e865bd 100644 --- a/src/open3a/constants-service.conf +++ b/src/open3a/constants-service.conf 
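Review bot: The hook block here is a verbatim copy of src/onlyoffice/fix-update.sh from the same commit; the installer should invoke or source that script rather than carry a second copy, otherwise a fix in one will not reach the other. The `sed` calls now patch `/etc/onlyoffice/documentserver/nginx/ds-ssl.conf` itself instead of the symlink in conf.d, which is what makes the post-hook's `ln -sf` sufficient after an upgrade — worth a one-line comment above them, e.g. `# patch the real file, not the symlink, so the apt post-hook can simply re-link it`. Because the hooks fire on every dpkg run, nginx is stopped for the duration of every `apt` operation in this container, not only document-server upgrades, and the post-hook's `rm` without `-f` should be made idempotent.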
@@ -17,4 +17,10 @@ LXC_MP="0" LXC_UNPRIVILEGED="1" # enable nesting feature -LXC_NESTING="1" \ No newline at end of file +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh index 9b22d69..dba2277 100644 --- a/src/open3a/install-service.sh +++ b/src/open3a/install-service.sh @@ -5,12 +5,14 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf webroot=/var/www/html -MYSQL_PASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)" +LXC_RANDOMPWD=20 +MYSQL_PASSWORD="$(random_password)" apt update @@ -55,7 +57,7 @@ CREATE DATABASE IF NOT EXISTS open3a; GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';" cd $webroot -wget https://www.open3a.de/download/open3A%203.5.zip -O $webroot/open3a.zip +wget https://www.open3a.de/download/open3A%203.7.zip -O $webroot/open3a.zip unzip open3a.zip rm open3a.zip chmod 666 system/DBData/Installation.pfdb.php 
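Review bot: The archive fetched by `wget https://www.open3a.de/download/open3A%203.7.zip -O $webroot/open3a.zip` is unpacked straight into the webroot and executed as PHP, yet nothing verifies what was downloaded; this was already true for 3.5, and the version bump is the natural moment to pin it. A line such as `echo "<EXPECTED_SHA256_OF_3_7_ZIP>  $webroot/open3a.zip" | sha256sum -c - || exit 1` between the `wget` and `unzip open3a.zip` would abort the install on a tampered or truncated download instead of deploying it.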
@@ -66,7 +68,17 @@ chown -R www-data:www-data $webroot echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup chmod +x /etc/cron.daily/open3a-backup +cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php + +EOF + systemctl enable --now php7.4-fpm systemctl restart php7.4-fpm nginx +LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) + echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a" diff --git a/src/proxmox-pbs/constants-service.conf b/src/proxmox-pbs/constants-service.conf index b0609cd..e720f35 100644 --- a/src/proxmox-pbs/constants-service.conf +++ b/src/proxmox-pbs/constants-service.conf @@ -20,4 +20,10 @@ LXC_UNPRIVILEGED="1" LXC_NESTING="1" # Backup ubdir where Urbackup will store backups -PBS_DATA="backup" \ No newline at end of file +PBS_DATA="backup" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="backup" \ No newline at end of file diff --git a/src/proxmox-pbs/install-service.sh b/src/proxmox-pbs/install-service.sh index 4c3c121..6bcfa59 100644 --- a/src/proxmox-pbs/install-service.sh +++ b/src/proxmox-pbs/install-service.sh @@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf 
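Review bot: `cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php` rewrites the installer's DB configuration after the earlier `chmod 666 system/DBData/Installation.pfdb.php` (hunk `@@ -55,7 +57,7 @@`), and because `>` truncates in place the file keeps that world-writable mode; if the heredoc carries database credentials, every local account can read and alter them. Follow the write with `chown www-data:www-data /var/www/html/system/DBData/Installation.pfdb.php` and `chmod 640 /var/www/html/system/DBData/Installation.pfdb.php`. The heredoc body appears empty in this rendering, so its content could not be reviewed. `LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)` also assumes the interface is named eth0; `LXC_IP=$(hostname -I | cut -d' ' -f1)` does not depend on the name and still works with the later `cut -d'/' -f1`.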
@@ -20,3 +21,5 @@ apt update && apt upgrade -y DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA + +systemctl disable --now zfs-mount.service zfs-share.service diff --git a/src/sources.list b/src/sources.list deleted file mode 100644 index aa474ae..0000000 --- a/src/sources.list +++ /dev/null @@ -1,6 +0,0 @@ -deb http://ftp.de.debian.org/debian buster main contrib - -deb http://ftp.de.debian.org/debian buster-updates main contrib - -# security updates -deb http://security.debian.org buster/updates main contrib \ No newline at end of file diff --git a/src/unifi/constants-service.conf b/src/unifi/constants-service.conf new file mode 100644 index 0000000..ccb3471 --- /dev/null +++ b/src/unifi/constants-service.conf @@ -0,0 +1,26 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=2048 + +# service dependent meta tags +SERVICE_TAGS="mongodb-server,java" \ No newline at end of file diff --git a/src/unifi/install-service.sh b/src/unifi/install-service.sh new file mode 100644 index 0000000..b09541f --- /dev/null +++ b/src/unifi/install-service.sh 
@@ -0,0 +1,22 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc +wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg + +echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list +echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unifi \ No newline at end of file diff --git a/src/urbackup/constants-service.conf b/src/urbackup/constants-service.conf index 6d9a772..d1511bb 100644 --- a/src/urbackup/constants-service.conf +++ b/src/urbackup/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-10-standard" +LXC_TEMPLATE_VERSION="debian-11-standard" # Create sharefs mountpoint LXC_MP="1" @@ -23,4 +23,10 @@ LXC_NESTING="1" URBACKUP_DATA="urbackup" # OS codename for opensuse / urbackup repo -REPO_CODENAME="Debian_10" \ No newline at end of file +REPO_CODENAME="Debian_11" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="nginx" \ No newline at end of file diff --git a/src/urbackup/install-service.sh b/src/urbackup/install-service.sh index b9ce29a..e35ddcf 100644 --- a/src/urbackup/install-service.sh +++ b/src/urbackup/install-service.sh 
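Review bot: `wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc ...` and `wget -O /etc/apt/trusted.gpg.d/unifi.gpg ...` put both vendor keys in the global trusted keyring, so either key can sign any repository configured on the system, including Debian's own. Store them under `/usr/share/keyrings/` instead and bind each to its repository with `[signed-by=/usr/share/keyrings/mongodb-3.6.asc]` and `[signed-by=/usr/share/keyrings/unifi.gpg]` in the two `deb` lines. The MongoDB line also points a debian-11-standard container (per this service's constants-service.conf) at the `stretch/mongodb-org/3.6` repository, a release series at or past its upstream end of life, so a comment recording why that version is required and that it will not receive security fixes would help. The same global-keyring pattern, via `apt-key`, recurs in the zabbix, zammad and zmb-ad-join install scripts later in this commit.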
@@ -5,6 +5,7 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/vaultwarden/constants-service.conf b/src/vaultwarden/constants-service.conf new file mode 100644 index 0000000..65d4f55 --- /dev/null +++ b/src/vaultwarden/constants-service.conf @@ -0,0 +1,35 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Defines the name from the SQL database +VAULTWARDEN_DB_NAME="vaultwarden" + +# Defines the name from the SQL user +VAULTWARDEN_DB_USR="vaultwarden" + +# Build a strong password for the SQL user - could be overwritten with something fixed +VAULTWARDEN_DB_PWD="$(random_password)" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql" \ No newline at end of file diff --git a/src/vaultwarden/install-service.sh b/src/vaultwarden/install-service.sh new file mode 100644 index 0000000..bee4f3c --- /dev/null +++ b/src/vaultwarden/install-service.sh 
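Review bot: `VAULTWARDEN_DB_PWD="$(random_password)"` generates the credential at the moment the file is sourced, so every process that sources constants-service.conf gets a different value, and any consumer that sources it without `/root/functions.sh` loaded first fails on the missing function. It works in install-service.sh only because functions.sh is sourced immediately before; the comment should say so, e.g. `# Evaluated at source time: requires functions.sh to be loaded first and yields a new value on every source`. The zabbix constants-service.conf added later in this commit uses the same construct for `ZABBIX_DB_PWD`.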
@@ -0,0 +1,161 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +admin_token=$(openssl rand -base64 48) + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert + +systemctl enable --now postgresql + +wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract +chmod +x docker-image-extract +./docker-image-extract vaultwarden/server:alpine +mkdir /opt/vaultwarden +mkdir -p /var/lib/vaultwarden/data +useradd vaultwarden +chown -R vaultwarden:vaultwarden /var/lib/vaultwarden +mv output/vaultwarden /opt/vaultwarden +mv output/web-vault /var/lib/vaultwarden/ +rm -Rf output +rm -Rf docker-image-extract + +su - postgres < /var/lib/vaultwarden/.env +DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden +DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN} +ORG_CREATION_USERS=admin@$LXC_DOMAIN +# Use `openssl rand -base64 48` to generate +ADMIN_TOKEN=$admin_token +# Uncomment this once vaults restored +SIGNUPS_ALLOWED=false +SMTP_HOST=$VW_SMTP_HOST +SMTP_FROM=$VW_SMTP_FROM +SMTP_FROM_NAME="$VW_SMTP_FROM_NAME" +SMTP_PORT=$VW_SMTP_PORT # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us> +SMTP_SSL=$VW_SMTP_SSL # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_> +SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. 
It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o> +SMTP_USERNAME=$VW_SMTP_USERNAME +SMTP_PASSWORD=$VW_SMTP_PASSWORD +SMTP_TIMEOUT=15 +EOF + +cat << EOF > /etc/systemd/system/vaultwarden.service +[Unit] +Description=Bitwarden Server (Rust Edition) +Documentation=https://github.com/dani-garcia/vaultwarden +After=network.target + +[Service] +User=vaultwarden +Group=vaultwarden +EnvironmentFile=/var/lib/vaultwarden/.env +ExecStart=/opt/vaultwarden/vaultwarden +LimitNOFILE=1048576 +LimitNPROC=64 +PrivateTmp=true +PrivateDevices=true +ProtectHome=true +ProtectSystem=strict +WorkingDirectory=/var/lib/vaultwarden +ReadWriteDirectories=/var/lib/vaultwarden +AmbientCapabilities=CAP_NET_BIND_SERVICE + +[Install] +WantedBy=multi-user.target +EOF + +cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook +DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";}; +EOF + +cat << EOF > /var/lib/vaultwarden/update.sh +PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" +wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract +chmod +x docker-image-extract +./docker-image-extract vaultwarden/server:alpine +mv output/vaultwarden /opt/vaultwarden +systemctl stop vaultwarden.service +cp -rlf output/web-vault /var/lib/vaultwarden/ +rm -Rf output +rm -Rf docker-image-extract +systemctl start vaultwarden.service +EOF + +chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook +chmod +x /var/lib/vaultwarden/update.sh + +cat << EOF > /etc/nginx/conf.d/default.conf +server { + listen 80; + listen [::]:80; + server_name _; + + server_tokens off; + + access_log /var/log/nginx/vaultwarden.access.log; + error_log /var/log/nginx/vaultwarden.error.log; + + location /.well-known/ { + root /var/www/html; + } + + return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ${LXC_HOSTNAME}.${LXC_DOMAIN}; + + server_tokens off; + 
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 1.1.1.1 1.0.0.1; + + add_header Strict-Transport-Security "max-age=31536000" always; + + access_log /var/log/nginx/vaultwarden.access.log; + error_log /var/log/nginx/vaultwarden.error.log; + + client_max_body_size 50M; + + location / { + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_pass http://127.0.0.1:8000; + proxy_read_timeout 90; + } +} + +EOF +openssl dhparam -out /etc/nginx/dhparam.pem 4096 + +systemctl daemon-reload +systemctl enable --now vaultwarden +systemctl restart nginx \ No newline at end of file diff --git a/src/zabbix/constants-service.conf b/src/zabbix/constants-service.conf new file mode 100644 index 0000000..8e267ce --- /dev/null +++ b/src/zabbix/constants-service.conf 
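Review bot: `chown -R vaultwarden:vaultwarden /var/lib/vaultwarden` runs before `/var/lib/vaultwarden/update.sh` is written, and `DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};` executes that file as root on every dpkg invocation; since the service user owns the directory and the unit grants it `ReadWriteDirectories=/var/lib/vaultwarden`, a compromised vaultwarden process can replace update.sh and gain root on the next apt run. Write the hook to a root-owned location instead, e.g. `/usr/local/sbin/vaultwarden-update`, and point the apt hook at `DPkg::Post-Invoke {"/usr/local/sbin/vaultwarden-update";};`. update.sh also re-downloads `docker-image-extract` from the unpinned `main` branch and pulls the floating `vaultwarden/server:alpine` tag with no checksum or digest, so an upstream compromise becomes root code execution in the container; pin a commit and an image digest. The `.env` holding `ADMIN_TOKEN` and the database password is written by root with default permissions; add `chmod 600 /var/lib/vaultwarden/.env` and `chown vaultwarden:vaultwarden /var/lib/vaultwarden/.env` after the heredoc. The `.env` heredoc's `cat` line and the preceding `su - postgres` block are garbled in this rendering and could not be reviewed.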
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
\ No newline at end of file
diff --git a/src/zabbix/install-service.sh b/src/zabbix/install-service.sh
new file mode 100644
index 0000000..db4a2e7
--- /dev/null
+++ b/src/zabbix/install-service.sh
@@ -0,0 +1,229 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key +echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list + +wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - +echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent ssl-cert + +unlink /etc/nginx/sites-enabled/default + +cat << EOF > /etc/zabbix/nginx.conf +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + server_tokens off; + + access_log /var/log/nginx/zabbix.access.log; + error_log /var/log/nginx/zabbix.error.log; + + location /.well-known/ { + } + + return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri; + } + +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + + server_name ${LXC_HOSTNAME}.${LXC_DOMAIN}; + + server_tokens off; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + 
ssl_stapling on; + ssl_stapling_verify on; + + resolver 1.1.1.1 1.0.0.1; + + add_header Strict-Transport-Security "max-age=31536000" always; + + root /usr/share/zabbix; + + index index.php; + + location = /favicon.ico { + log_not_found off; + } + + location / { + try_files \$uri \$uri/ =404; + } + + location /assets { + access_log off; + expires 10d; + } + + location ~ /\.ht { + deny all; + } + + location ~ /(api\/|conf[^\.]|include|locale) { + deny all; + return 404; + } + + location /vendor { + deny all; + return 404; + } + + location ~ [^/]\.php(/|$) { + fastcgi_pass unix:/var/run/php/zabbix.sock; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + + fastcgi_param DOCUMENT_ROOT /usr/share/zabbix; + fastcgi_param SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name; + fastcgi_param PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name; + + include fastcgi_params; + fastcgi_param QUERY_STRING \$query_string; + fastcgi_param REQUEST_METHOD \$request_method; + fastcgi_param CONTENT_TYPE \$content_type; + fastcgi_param CONTENT_LENGTH \$content_length; + + fastcgi_intercept_errors on; + fastcgi_ignore_client_abort off; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 180; + fastcgi_read_timeout 180; + fastcgi_buffer_size 128k; + fastcgi_buffers 4 256k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + } +} +EOF + +cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf +[zabbix] +user = www-data +group = www-data + +listen = /var/run/php/zabbix.sock +listen.owner = www-data +listen.allowed_clients = 127.0.0.1 + +pm = dynamic +pm.max_children = 50 +pm.start_servers = 5 +pm.min_spare_servers = 5 +pm.max_spare_servers = 35 +pm.max_requests = 200 + +php_value[session.save_handler] = files +php_value[session.save_path] = /var/lib/php/sessions/ + +php_value[max_execution_time] = 300 +php_value[memory_limit] = 128M +php_value[post_max_size] = 16M +php_value[upload_max_filesize] = 2M +php_value[max_input_time] = 300 
+php_value[max_input_vars] = 10000 +EOF + +cat << EOF > /etc/zabbix/web/zabbix.conf.php + 'http://localhost:9200', +// 'text' => 'http://localhost:9200' +//]; +// Value types stored in Elasticsearch. +//\$HISTORY['types'] = ['uint', 'text']; + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +//\$SSO['SP_KEY'] = 'conf/certs/sp.key'; +//\$SSO['SP_CERT'] = 'conf/certs/sp.crt'; +//\$SSO['IDP_CERT'] = 'conf/certs/idp.crt'; +//\$SSO['SETTINGS'] = []; +EOF + +timedatectl set-timezone ${LXC_TIMEZONE} + +systemctl enable --now postgresql + +su - postgres <> /etc/zabbix/zabbix_server.conf + +openssl dhparam -out /etc/nginx/dhparam.pem 4096 + +systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm + +systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm \ No newline at end of file diff --git a/src/zammad/constants-service.conf b/src/zammad/constants-service.conf new file mode 100644 index 0000000..823fde3 --- /dev/null +++ b/src/zammad/constants-service.conf @@ -0,0 +1,26 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-11-standard" + +# Create sharefs mountpoint +LXC_MP="0" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=4096 + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql,elasticsearch" \ No newline at end of file diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh new file mode 100644 index 0000000..d71d113 --- /dev/null +++ b/src/zammad/install-service.sh 
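Review bot: `cat << EOF > /etc/zabbix/web/zabbix.conf.php` and the `>> /etc/zabbix/zabbix_server.conf` append are written by root with the default umask, and the frontend config is where Zabbix keeps its database credentials, so `ZABBIX_DB_PWD` very likely lands in a world-readable file; add `chown root:www-data /etc/zabbix/web/zabbix.conf.php` and `chmod 640 /etc/zabbix/web/zabbix.conf.php` after the heredoc and check the server config's mode after the append. The heredoc bodies and the `su - postgres` block are garbled in this rendering, so their content could not be reviewed. In the FPM pool, `listen.allowed_clients = 127.0.0.1` has no effect on the unix socket `/var/run/php/zabbix.sock`; drop it or comment that it is inert. `resolver 1.1.1.1 1.0.0.1;` sends OCSP lookups to a public resolver even though the snakeoil certificate makes stapling a no-op; the `$LXC_DNS` value the zmb-ad-join script uses as its DNS forwarder would keep that traffic internal once a real certificate is installed.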
@@ -0,0 +1,170 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key +apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch +wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo +echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad + + +cat << EOF >>/etc/hosts +0.0.0.0 image.zammad.com +0.0.0.0 images.zammad.com +0.0.0.0 geo.zammad.com +0.0.0.0 www.zammad.com +0.0.0.0 www.zammad.org +0.0.0.0 www.zammad.net +0.0.0.0 www.zammad.de +0.0.0.0 zammad.com +0.0.0.0 zammad.org +0.0.0.0 zammad.net +0.0.0.0 zammad.de +# +127.0.0.1 elasticsearch +0.0.0.0 geoip.elastic.co +EOF + +# Java set startup environment +mkdir -p /etc/elasticsearch/jvm.options.d +cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options +# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size +# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g +-Xms1g +-Xmx1g +EOF + +# configurwe nginx +rm -f /etc/nginx/sites-enabled/default + +cat << EOF > /etc/nginx/sites-available/zammad.conf +upstream zammad-railsserver { + server 127.0.0.1:3000; +} + +upstream zammad-websocket { + server 127.0.0.1:6042; +} + +server { + listen 80; + listen [::]:80; + server_name _; + + server_tokens off; + + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; + + location /.well-known/ { 
+ root /var/www/html; + } + + return 301 https://\$host\$request_uri; +} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name _; + + server_tokens off; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 1.1.1.1 1.0.0.1; +# +# https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache +# + add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; + add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *"; + add_header Referrer-Policy "strict-origin"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"; + add_header Strict-Transport-Security "max-age=31536000" always; + + location = /robots.txt { + access_log off; log_not_found off; + } + + location = /favicon.ico { + access_log off; log_not_found off; + } + + root /opt/zammad/public; + + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; + + client_max_body_size 50M; + + location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) { + expires max; + } + + location /ws { + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header CLIENT_IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + 
proxy_set_header X-Forwarded-Proto \$scheme; + proxy_read_timeout 86400; + proxy_pass http://zammad-websocket; + } + + location / { + proxy_set_header Host \$http_host; + proxy_set_header CLIENT_IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + + # change this line in an SSO setup + proxy_set_header X-Forwarded-User ""; + + proxy_read_timeout 180; + proxy_pass http://zammad-railsserver; + + gzip on; + gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; + gzip_proxied any; + } +} +EOF + +ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/ + +openssl dhparam -out /etc/nginx/dhparam.pem 4096 + +systemctl enable elasticsearch.service +systemctl restart nginx elasticsearch.service + +# Elasticsearch conntact to Zammad +/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment +zammad run rails r "Setting.set('es_url', 'http://localhost:9200')" +zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')" +zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy" +systemctl restart elasticsearch.service +zammad run rake searchindex:rebuild \ No newline at end of file diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf new file mode 100644 index 0000000..712060f --- /dev/null +++ b/src/zmb-ad-join/constants-service.conf 
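Review bot: The port-80 server uses `return 301 https://\$host\$request_uri;`, which reflects the client-supplied Host header into the redirect target, so a request with a forged Host header is redirected to an arbitrary site; the vaultwarden and zabbix nginx configs in this commit redirect to the fixed `https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri` and this one should match. The 443 server sets `Strict-Transport-Security` twice (`'max-age=31536000; includeSubDomains; preload'` and `"max-age=31536000" always`), so nginx emits two conflicting headers; keep one, and note that `preload` on a server still presenting `ssl-cert-snakeoil.pem` commits every subdomain before a real certificate exists. `zammad run rake searchindex:rebuild` runs as soon as the second `systemctl restart elasticsearch.service` returns, which is likely before Elasticsearch accepts connections; a readiness wait such as `until curl -sf http://localhost:9200 >/dev/null; do sleep 2; done` (if curl is available in the container) before the rebuild would avoid a failed index build.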
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd splitdns)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
\ No newline at end of file
diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh
new file mode 100644
index 0000000..67b0798
--- /dev/null
+++ b/src/zmb-ad-join/install-service.sh
@@ -0,0 +1,154 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +ZMB_DNS_BACKEND="SAMBA_INTERNAL" + +for f in ${OPTIONAL_FEATURES[@]}; do + if [[ "$f" == "wsdd" ]]; then + ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES" + apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key + echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list + elif [[ "$f" == "splitdns" ]]; then + ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" + elif [[ "$f" == "bind9dlz" ]]; then + ZMB_DNS_BACKEND="BIND9_DLZ" + ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES" + else + echo "Unsupported optional feature $f" + fi +done + +## configure ntp +cat << EOF > /etc/ntp.conf +# Local clock. Note that is not the "localhost" address! 
+server 127.127.1.0 +fudge 127.127.1.0 stratum 10 +# Where to retrieve the time from +server 0.de.pool.ntp.org iburst prefer +server 1.de.pool.ntp.org iburst prefer +server 2.de.pool.ntp.org iburst prefer +driftfile /var/lib/ntp/ntp.drift +logfile /var/log/ntp +ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ +# Access control +# Default restriction: Allow clients only to query the time +restrict default kod nomodify notrap nopeer mssntp +# No restrictions for "localhost" +restrict 127.0.0.1 +# Enable the time sources to only provide time to this host +restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery +restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery +restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery +tinker panic 0 +EOF + +echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list + +# update packages +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +# install required packages +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils +if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then + cat << EOF > /etc/nginx/sites-available/default +server { + listen 80 default_server; + server_name _; + return 301 http://www.$LXC_DOMAIN\$request_uri; +} +EOF +fi + +if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then + # configure bind dns service + cat << EOF > /etc/default/bind9 +# +# run resolvconf? 
+RESOLVCONF=no +# startup options for the server +OPTIONS="-4 -u bind" +EOF + + cat << EOF > /etc/bind/named.conf.local +// +// Do any local configuration here +// +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; +dlz "$LXC_DOMAIN" { + database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; +}; +EOF + + cat << EOF > /etc/bind/named.conf.options +options { + directory "/var/cache/bind"; + forwarders { + $LXC_DNS; + }; + allow-query { any;}; + dnssec-validation no; + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; + listen-on { any; }; + tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; + minimal-responses yes; +}; +EOF + + mkdir -p /var/lib/samba/bind-dns/dns +fi + +mv /etc/krb5.conf /etc/krb5.conf.bak +cat > /etc/krb5.conf < /root/.smbcredentials +username=$ZMB_ADMIN_USER +password=$ZMB_ADMIN_PASS +domain=$ZMB_DOMAIN +EOF + +echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab + +mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials + +cat > /etc/cron.d/sysvol-sync << EOF +*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol +EOF + +/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol + +ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096 + +systemctl unmask samba-ad-dc +systemctl enable samba-ad-dc +systemctl restart samba-ad-dc $ADDITIONAL_SERVICES diff --git a/src/zmb-ad/constants-service.conf b/src/zmb-ad/constants-service.conf index 415ffd0..79de74b 100644 --- a/src/zmb-ad/constants-service.conf +++ b/src/zmb-ad/constants-service.conf 
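Review bot: `cat > /root/.smbcredentials` writes the domain administrator password (`password=$ZMB_ADMIN_PASS`) with the default umask, so the file is readable by anyone who can traverse /root; add `chmod 600 /root/.smbcredentials` directly after the heredoc. The cron job `/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol` runs every 15 minutes whether or not the CIFS share is mounted, and against an unmounted, empty `/mnt/sysvol` the `--delete-after` wipes the local sysvol; guard it with `mountpoint -q /mnt/sysvol && /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol`, and the same for the one-off rsync below it. The fstab entry `//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0` has neither `_netdev` nor `nofail`, so an unreachable DC blocks or degrades boot; `cifs credentials=/root/.smbcredentials,_netdev,nofail 0 0` keeps boot going, which makes the mount guard above essential. In the ntp.conf heredoc the `restrict` lines name `0.pool.ntp.org` through `2.pool.ntp.org` while the `server` lines use `0.de.pool.ntp.org` through `2.de.pool.ntp.org`, so the per-source restrictions never match the configured sources. The krb5.conf heredoc through the domain join is garbled in this rendering and could not be reviewed.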
@@ -29,4 +29,10 @@ LXC_NESTING="1"
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=()
\ No newline at end of file
+OPTIONAL_FEATURES=(wsdd splitdns)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary"
\ No newline at end of file
diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh
index c4c2845..2ba387f 100644
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -58,11 +59,14 @@ restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 tinker panic 0
 EOF
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 cat << EOF > /etc/nginx/sites-available/default
diff --git a/src/zmb-member/constants-service.conf b/src/zmb-member/constants-service.conf
index e650fc8..47f6a82 100644
--- a/src/zmb-member/constants-service.conf
+++ b/src/zmb-member/constants-service.conf
@@ -17,4 +17,10 @@ LXC_MP="1"
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
-LXC_NESTING="1"
\ No newline at end of file
+LXC_NESTING="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,member,fileserver"
\ No newline at end of file
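Review bot: The backports source written at the top of the hunk uses plain `http://`, whereas the wsdd repository elsewhere in this commit is fetched over `https://`. apt still verifies the signed InRelease file regardless of transport, so this is not an integrity gap, but HTTPS keeps the package selection of the container from on-path observers and the Debian mirror network serves it, e.g. `echo "deb https://deb.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list`. The same line is added in the zmb-member hunk below and in the new installer above, so the change applies to all three.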
diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh
index 0cf017d..2dd69c3 100644
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@@ -5,16 +5,18 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # add wsdd package repo
 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
 echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <
 # (C) 2021 Script rework and documentation by Thorsten Spille
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # add wsdd package repo
 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
+echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
 echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
+cat << EOF > /etc/apt/preferences.d/samba
+Package: samba*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
+cat << EOF >
/etc/apt/preferences.d/winbind
+Package: winbind*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
+cat << EOF > /etc/apt/preferences.d/cockpit
+Package: cockpit*
+Pin: release a=$(lsb_release -cs)-backports
+Pin-Priority: 900
+EOF
+
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t $(lsb_release -cs)-backports cockpit
-
-mkdir /usr/share/cockpit/smb
-wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html
-wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json
-wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
 USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
 useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
@@ -29,23 +45,52 @@ echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
 smbpasswd -x $USER
 (echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
-cat << EOF >> /etc/samba/smb.conf
-[$ZMB_SHARE]
- comment = Main Share
- path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
- read only = No
- vfs objects = shadow_copy2
- create mask = 0660
- directory mask = 0770
+usermod -aG sudo $USER
+
+cat << EOF | sudo tee -i /etc/samba/smb.conf
+[global]
+ include = registry
+EOF
+
+cat << EOF | sudo tee -i /etc/samba/import.template
+[global]
+ workgroup = WORKGROUP
+ log file = /var/log/samba/log.%m
+ max log size = 1000
+ logging = file
+ panic action = /usr/share/samba/panic-action %d
+ log level = 3
+ server role = standalone server
+ obey pam restrictions = yes
+ unix password sync = yes
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ pam password change = yes
+ map to guest = bad user
+ vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
+ map acl inherit = yes
+ acl_xattr:ignore system acls = yes
 shadow: snapdir = .zfs/snapshot
 shadow: sort = desc
 shadow: format = -%Y-%m-%d-%H%M
- shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+ shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
 shadow: delimiter = -20
+ fruit:encoding = native
+ fruit:metadata = stream
+ fruit:zero_file_id = yes
+ fruit:nfs_aces = no
 EOF
+net conf import /etc/samba/import.template
+
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+net conf setparm $ZMB_SHARE readonly no
+net conf setparm $ZMB_SHARE browseable yes
+net conf setparm $ZMB_SHARE
createmask 0660
+net conf setparm $ZMB_SHARE directorymask 0770
+
 systemctl restart smbd nmbd wsdd
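Review bot: The `passwd chat` line written into /etc/samba/import.template has `\s*\password:*` in the first expect pattern but `\s*\spassword:*` in the second; `\p` is not a chat-script escape, so the first prompt never matches and `unix password sync = yes` fails whenever a user changes the SMB password. The line should read `passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .`. Separately, `usermod -aG sudo $USER` gives the share admin unrestricted root with a password that is also its SMB password and, since Cockpit authenticates against system accounts, presumably its web-console login; if sudo is only needed for Cockpit host management, a comment such as `# sudo membership lets $USER administer the container through Cockpit` should say so, otherwise the line can be dropped. The two `cat << EOF | sudo tee -i ...` pipes also assume the sudo package is installed, while every other write in the script uses plain redirection as root, so `cat << EOF > /etc/samba/smb.conf` is simpler and dependency-free.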