Merge pull request #77 from bashclub/release-1.1

Release 1.1
2025-11-04 08:02:28 +01:00 · 2023-02-12 16:10:47 +01:00
parent ae23a8a4f6 fcafa72655
commit a082e03c59
56 changed files with 2378 additions and 126 deletions
--- a/README.md
+++ b/README.md
@@ -7,17 +7,28 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna
 ### Requirements
 Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 ### Included services:
- `checkmk` => Check_MK 2.0 Monitoring Server
+- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/)
 - `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/)
 - `debian-priv` => Debian privileged container with basic toolset
 - `debian-unpriv` => Debian unprivileged container with basic toolset
 - `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de)
 - `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
 - `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/)
 - `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/)
 - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
 - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
 - `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
 - `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/)
 - `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
 - `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
 - `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
 - `unifi` => Unifi Controller [ui.com](https://ui.com)
 - `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
 - `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
 - `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
 - `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
 - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
 - `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
 - `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
 - `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
 ## Usage
--- a/conf/README.md
+++ b/conf/README.md
@@ -40,13 +40,14 @@ LXC_SHAREFS_MOUNTPOINT="tank"
 ```
 ### LXC_MEM
 Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
 If a service needs more minimum memory, LXC_MEM will be overwritten.
 ```bash
-LXC_MEM="1024"
+LXC_MEM=1024
 ```
 ### LXC_SWAP
 Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
 ```bash
-LXC_SWAP="1024"
+LXC_SWAP=1024
 ```
 ### LXC_HOSTNAME
 Defines the hostname of your LXC container (Default: Name of installed Service)
@@ -220,7 +221,7 @@ NEXTCLOUD_ADMIN_USR="zmb-admin"
 ### NEXTCLOUD_ADMIN_PWD
 Build a strong password for this user. Username and password will shown at the end of the instalation. 
 ```bash
-NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+NEXTCLOUD_ADMIN_PWD="$(random_password)"
 ```
 ### NEXTCLOUD_DATA
 Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@@ -28,10 +28,10 @@ LXC_SHAREFS_STORAGE="local-zfs"
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
-LXC_MEM="1024"
+LXC_MEM=1024
 # Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
-LXC_SWAP="1024"
+LXC_SWAP=1024
 # Defines the hostname of your LXC container
 LXC_HOSTNAME="${service}"
@@ -57,7 +57,7 @@ LXC_DNS="192.168.100.254"
 LXC_BRIDGE="vmbr0"
 # Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
-LXC_VLAN=
+LXC_VLAN=NONE
 # Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
 LXC_PWD='Start!123'
@@ -81,6 +81,15 @@ LXC_LOCALE="de_DE.UTF-8"
 # Set dark background for vim syntax highlighting (0 or 1)
 LXC_VIM_BG_DARK=1
 # Default random password length
 LXC_RANDOMPWD=32
 # Automatically add meta tags to lxc container
 LXC_AUTOTAG=1
 # Add meta tags to linux container
 LXC_TAGS="linux,debian,${service}"
 ############### Zamba-Server-Section ###############
 # Defines the REALM for the Active Directory (AD DC, AD member)
@@ -126,8 +135,8 @@ NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
 # The initial admin-user which will be configured
 NEXTCLOUD_ADMIN_USR="zmb-admin"
-# Build a strong password for this user. Username and password will shown at the end of the instalation. 
+# Build a strong password for this user. Username and password will shown at the end of the installation. 
-NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+# NEXTCLOUD_ADMIN_PWD='very_secure_password'
 # Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
 NEXTCLOUD_DATA="nc_data"
@@ -147,3 +156,40 @@ CMK_ADMIN_PW='Start!123'
 # raw = completely free
 # free = limited version of the enterprise edition (25 hosts, 1 instance)
 CMK_EDITION=raw
 ############### Kopano-Section ###############
 # Define the FQDN of your Nextcloud server
 KOPANO_FQDN="kopano.zmb.rocks"
 # Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
 KOPANO_MAILGW="192.168.100.254"
 # Kopano test- or subscription-key offerd from 
 # https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
 KOPANO_REPKEY="1234567890abcdefghijklmno"
 ############### vaultwarden Section ###############
 # Hostname of your mailserver
 VW_SMTP_HOST=mail.bashclub.org
 # email address to send from
 VW_SMTP_FROM="vaultwarden@bashclub.org"
 # display name to send from
 VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
 # port of your mailserver
 VW_SMTP_PORT=587
 # use ssl?
 VW_SMTP_SSL=true
 # use starttls?
 VW_SMTP_EXPLICIT_TLS=false
 # username of your mailbox
 VW_SMTP_USERNAME=vaultwarden@bashclub.org
 # password of your mailbox
 VW_SMTP_PASSWORD='<yourEmailPassword>'
--- a/install.sh
+++ b/install.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 set -euo pipefail
 # This script will create and fire up a standard debian buster lxc container on your Proxmox VE.
 # On a Proxmox cluster, the script will create the container on the local node, where it's executed.
@@ -15,15 +16,16 @@
 # Please adjust th settings in 'zamba.conf' to your needs before running the script
 ############### ZAMBA INSTALL SCRIPT ###############
-prog="$(basename "$0")"
+prog="$(basename $0)"
 usage() {
 	cat >&2 <<-EOF
-	usage: $prog [-h] [-i CTID] [-s SERVICE] [-c CFGFILE]
+	usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
 	  installs a preconfigured lxc container on your proxmox server
    -i CTID      provide a container id instead of auto detection
    -s SERVICE   provide the service name and skip the selection dialog
    -c CFGFILE   use a different config file than 'zamba.conf'
    -d           Debug mode inside LXC container
    -h           displays this help text
  ---------------------------------------------------------------------------
    (C) 2021     zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
@@ -36,26 +38,27 @@ usage() {
 ctid=0
 service=ask
 config=$PWD/conf/zamba.conf
-verbose=0
+debug=0
-while getopts "hi:s:c:" opt; do
+while getopts "hi:s:c:d" opt; do
  case $opt in
    h) usage 0 ;;
    i) ctid=$OPTARG ;;
    s) service=$OPTARG ;;
    c) config=$OPTARG ;;
    d) debug=1 ;;
    *) usage 1 ;;
  esac
 done
 shift $((OPTIND-1))
-OPTS=$(ls -d $PWD/src/*/ | grep -v __ | xargs basename -a)
+OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n)
 valid=0
 if [[ "$service" == "ask" ]]; then
  select svc in $OPTS quit; do
    if [[ "$svc" != "quit" ]]; then
-       for line in $(echo $OPTS); do
+       for line in $OPTS; do
        if [[ "$svc" == "$line" ]]; then
          service=$svc
          echo "Installation of $service selected."
@@ -72,7 +75,7 @@ if [[ "$service" == "ask" ]]; then
    fi
  done
 else
-  for line in $(echo $OPTS); do
+  for line in $OPTS; do
    if [[ "$service" == "$line" ]]; then
      echo "Installation of $service selected."
      valid=1
@@ -88,23 +91,30 @@ fi
 # Load configuration file
 echo "Loading config file '$config'..."
-source $config
+if [ ! -e "$config" ]; then
-
+  echo "Configuration files does not exist"
-source $PWD/src/$service/constants-service.conf
+  exit 1
 # CHeck is the newest template available, else download it.
 DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
 DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
 TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
 if [[ $DEB_LOC == $DEB_REP ]];
 then
  echo "Newest Version of $LXC_TEMPLATE_VERSION $DEP_REP exists.";
 else
  echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP.";
  pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
 fi
 source "src/functions.sh"
 source "$config"
 source "$PWD/src/$service/constants-service.conf"
 if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
  LXC_MEM=$LXC_MEM_MIN
 fi
 if [ $LXC_AUTOTAG -gt 0 ]; then
  TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}"
 fi
 # Check is the newest template available, else download it.
 pveam update
 TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
 pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
 if [ $ctid -gt 99 ]; then
  LXC_CHK=$ctid
 else
@@ -121,17 +131,17 @@ fi
 echo "Will now create LXC Container $LXC_NBR!";
 # Create the container
-pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
 sleep 2;
 # Check vlan configuration
-if [[ $LXC_VLAN != "" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
+if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
 pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
 if [ $LXC_DHCP == true ]; then
- pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN;
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
 else
- pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN;
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
 fi
 sleep 2
@@ -144,23 +154,30 @@ PS3="Select the Server-Function: "
 pct start $LXC_NBR;
 sleep 5;
-# Set the root password and key
+# Set the root ssh key
-echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
+pct exec $LXC_NBR -- mkdir /root/.ssh
 lxc-attach -n$LXC_NBR mkdir /root/.ssh;
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
-pct push $LXC_NBR $config /root/zamba.conf
+pct push $LXC_NBR "$config" /root/zamba.conf
-pct push $LXC_NBR $PWD/src/constants.conf /root/constants.conf
+pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
-pct push $LXC_NBR $PWD/src/lxc-base.sh /root/lxc-base.sh
+pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
-pct push $LXC_NBR $PWD/src/$service/install-service.sh /root/install-service.sh
+pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
-pct push $LXC_NBR $PWD/src/$service/constants-service.conf /root/constants-service.conf
+pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
 pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
 pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
 pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
 if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
 echo "Installing basic container setup..."
-lxc-attach -n$LXC_NBR bash /root/lxc-base.sh
+pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh"
 echo "Install '$service'!"
-lxc-attach -n$LXC_NBR bash /root/install-service.sh
+pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh"
 pct shutdown $LXC_NBR
 if [[ $service == "zmb-ad" ]]; then
-  pct stop $LXC_NBR
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
-  pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
-  pct start $LXC_NBR
+elif [[ $service == "zmb-ad-join" ]]; then
  pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi
 pct start $LXC_NBR
--- a/sources.list
+++ b/sources.list
@@ -1,6 +0,0 @@
 deb http://ftp.de.debian.org/debian buster main contrib
 deb http://ftp.de.debian.org/debian buster-updates main contrib
 # security updates
 deb http://security.debian.org buster/updates main contrib
--- a/src/bookstack/constants-service.conf
+++ b/src/bookstack/constants-service.conf
@@ -0,0 +1,26 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/bookstack/install-service.sh
+++ b/src/bookstack/install-service.sh
@@ -0,0 +1,186 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 BOOKSTACK_DB_PWD=$(random_password)
 webroot=/var/www/bookstack/public
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
 wget -O /opt/wkhtmltox_0.12.6-1.buster_amd64.deb https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.buster_amd64.deb
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /opt/wkhtmltox_0.12.6-1.buster_amd64.deb
 mkdir /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
 cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
 }
 server {
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;
    client_body_timeout 120s;
    listen 443 http2 ssl default_server;
    listen [::]:443 http2 ssl default_server;
    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
    root $webroot;
    index index.php;
    ssl_certificate /etc/nginx/ssl/open3a.crt;
    ssl_certificate_key /etc/nginx/ssl/open3a.key;
    access_log  /var/log/nginx/bookstack.access.log;
    error_log   /var/log/nginx/bookstack.error.log;
    location / {
        try_files \$uri \$uri/ /index.php?\$query_string;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    location ~ /\.ht {
        deny all;
    }
    fastcgi_hide_header X-Powered-By;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_connect_timeout 3600;
    add_header Permissions-Policy                   "interest-cohort=()";
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 }
 EOF
 mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
 CREATE DATABASE IF NOT EXISTS bookstack;
 GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
 FLUSH PRIVILEGES;"
 sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/7.4/fpm/php.ini
 sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/7.4/fpm/php.ini
 sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini
 EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
 php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
 ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
 if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
 then
    >&2 echo 'ERROR: Invalid composer installer checksum'
    rm composer-setup.php
    exit 1
 fi
 php composer-setup.php --quiet
 rm composer-setup.php
 # Move composer to global installation
 mv composer.phar /usr/local/bin/composer
 cd /var/www
 git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack
 cd bookstack
 # Install BookStack composer dependencies
 export COMPOSER_ALLOW_SUPERUSER=1
 php /usr/local/bin/composer install --no-dev --no-plugins
 # Copy and update BookStack environment variables
 cp .env.example .env
 sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env
 sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env
 sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env
 sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env
 cat << EOF >> .env
 QUEUE_CONNECTION=database
 STORAGE_TYPE=local_secure
 APP_LANG=de_informal
 FILE_UPLOAD_SIZE_LIMIT=100
 SESSION_SECURE_COOKIE=true
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis
 REDIS_SERVERS=127.0.0.1:6379:0
 WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf
 ALLOW_UNTRUSTED_SERVER_FETCHING=true
 EOF
 # Generate the application key
 php artisan key:generate --no-interaction --force
 # Migrate the databases
 php artisan migrate --no-interaction --force
 php artisan bookstack:db-utf8mb4 > dbupgrade.sql
 mysql -u root < dbupgrade.sql
 chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage
 cat << EOF > /etc/systemd/system/bookstack-queue.service
 [Unit]
 Description=BookStack Queue Worker
 [Service]
 User=www-data
 Group=www-data
 Restart=always
 ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl daemon-reload
 systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server
 systemctl restart php7.4-fpm nginx bookstack-queue redis-server
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
 echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n"
--- a/src/checkmk/constants-service.conf
+++ b/src/checkmk/constants-service.conf
@@ -20,6 +20,12 @@ LXC_UNPRIVILEGED="1"
 LXC_NESTING="1"
 # checkmk version
-CMK_VERSION=2.0.0p33
+CMK_VERSION=2.1.0p21
 # build number of the debian package (needs to start with underscore)
 CMK_BUILD=_0
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 # service dependent meta tags
 SERVICE_TAGS="apache2"
--- a/src/checkmk/install-service.sh
+++ b/src/checkmk/install-service.sh
@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/constants.conf
+++ b/src/constants.conf
@@ -8,4 +8,4 @@
 # This file contains the project constants on container level
 # Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common"
+LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget"
--- a/src/debian-priv/constants-service.conf
+++ b/src/debian-priv/constants-service.conf
@@ -17,4 +17,10 @@ LXC_MP="0"
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
-LXC_NESTING="1"
+LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512
 # service dependent meta tags
 SERVICE_TAGS="privileged"
--- a/src/debian-unpriv/constants-service.conf
+++ b/src/debian-unpriv/constants-service.conf
@@ -17,4 +17,10 @@ LXC_MP="0"
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
-LXC_NESTING="1"
+LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512
 # service dependent meta tags
 SERVICE_TAGS=""
--- a/src/ecodms/constants-service.conf
+++ b/src/ecodms/constants-service.conf
@@ -0,0 +1,29 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # set ecodms release version
 ECODMS_RELEASE=ecodms_220864
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=6144
 # service dependent meta tags
 SERVICE_TAGS="java,postgresql"
--- a/src/ecodms/install-service.sh
+++ b/src/ecodms/install-service.sh
@@ -0,0 +1,21 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
 echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
 echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
 wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver
--- a/src/functions.sh
+++ b/src/functions.sh
@@ -0,0 +1,9 @@
 #!/bin/bash
 #
 # This script has basic functions like a random password generator
 LXC_RANDOMPWD=32
 random_password() {
    set +o pipefail
    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
 }
--- a/src/gitea/constants-service.conf
+++ b/src/gitea/constants-service.conf
@@ -0,0 +1,41 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="1"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Defines the IP from the SQL server
 GITEA_DB_IP="127.0.0.1"
 # Defines the PORT from the SQL server
 GITEA_DB_PORT="5432"
 # Defines the name from the SQL database
 GITEA_DB_NAME="gitea"
 # Defines the name from the SQL user
 GITEA_DB_USR="gitea"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 GITEA_DB_PWD="$(random_password)"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,postgresql"
--- a/src/gitea/install-service.sh
+++ b/src/gitea/install-service.sh
@@ -0,0 +1,184 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
 echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
 wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
 echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
 systemctl enable --now postgresql
 su - postgres <<EOF
 psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
 psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
 echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
 EOF
 adduser  --system  --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
 curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
 chmod +x /usr/local/bin/gitea
 mkdir -p /etc/gitea
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
 chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
 chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
 cat << EOF > /usr/local/bin/update-gitea
 PATH="/bin:/usr/bin:/usr/local/bin"
 echo "Checking github for new gitea version"
 current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4)
 installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3))
 echo "Installed gitea version is \$installed_version"
 if [ \$installed_version != \$current_version ]; then
  echo "New gitea version \$current_version available. Stopping gitea.service"
  systemctl stop gitea.service
  echo "Downloading gitea version \$current_version..."
  curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i -
  chmod +x /usr/local/bin/gitea
  echo "Starting gitea.service..."
  systemctl start gitea.service
  echo "gitea update finished!"
 else
  echo "gitea version is up-to-date!"
 fi
 EOF
 chmod +x /usr/local/bin/update-gitea
 cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook
 DPkg::Post-Invoke {"/usr/local/bin/update-gitea";};
 EOF
 chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook
 cat << EOF > /etc/systemd/system/gitea.service
 [Unit]
 Description=Gitea
 After=syslog.target
 After=network.target
 After=postgresql.service
 [Service]
 RestartSec=2s
 Type=simple
 User=git
 Group=git
 WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
 ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
 Restart=always
 Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
 [Install]
 WantedBy=multi-user.target
 EOF
 cat << EOF > /etc/gitea/app.ini
 RUN_MODE = prod
 RUN_USER = git
 [repository]
 ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
 [repository.local]
 LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
 [repository.upload]
 TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
 [database]
 DB_TYPE=postgres
 HOST=localhost
 NAME=${GITEA_DB_NAME}
 USER=${GITEA_DB_USR}
 PASSWD=${GITEA_DB_PWD}
 SSL_MODE=disable
 [server]
 APP_DATA_PATH    = /${LXC_SHAREFS_MOUNTPOINT}/gitea
 DOMAIN           = ${LXC_HOSTNAME}.${LXC_DOMAIN}
 SSH_DOMAIN       = ${LXC_HOSTNAME}.${LXC_DOMAIN}
 HTTP_HOST        = localhost
 HTTP_PORT        = 3000
 ROOT_URL         = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
 DISABLE_SSH      = false
 SSH_PORT         = 22
 SSH_LISTEN_PORT  = 22
 EOF
 chown -R root:git /etc/gitea
 chmod 770 /etc/gitea
 chmod 770 /etc/gitea/app.ini
 cat << EOF > /etc/nginx/conf.d/default.conf
 server {
    listen 80;
    listen [::]:80;
    server_name _;
    server_tokens off;
    access_log /var/log/nginx/gitea.access.log;
    error_log /var/log/nginx/gitea.error.log;
    location /.well-known/ {
        root /var/www/html;
    }
    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
 }
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
    server_tokens off;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
    add_header Strict-Transport-Security "max-age=31536000" always;
    access_log /var/log/nginx/gitea.access.log;
    error_log  /var/log/nginx/gitea.error.log;
    client_max_body_size 50M;
    location / {
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:3000;
        proxy_read_timeout 90;
    }
 }
 EOF
 openssl dhparam -out /etc/nginx/dhparam.pem 4096
 systemctl daemon-reload
 systemctl enable --now gitea
 systemctl restart nginx
--- a/src/kimai/constants-service.conf
+++ b/src/kimai/constants-service.conf
@@ -0,0 +1,32 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="1"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 KIMAI_VERSION="main"
 # Defines the php version to install
 KIMAI_PHP_VERSION="8.1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@@ -0,0 +1,167 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 KIMAI_DB_PWD=$(random_password)
 webroot=/var/www/kimai/public
 wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
 echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip php8.1-opcache php8.1-curl
 mkdir /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
 PHP_VERSION=${PHP_VERSION:0:3}
 cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
 }
 server {
    client_max_body_size 2M;
    fastcgi_buffers 64 4K;
    client_body_timeout 120s;
    listen 443 http2 ssl default_server;
    listen [::]:443 http2 ssl default_server;
    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
    root $webroot;
    index index.php;
    ssl_certificate /etc/nginx/ssl/kimai.crt;
    ssl_certificate_key /etc/nginx/ssl/kimai.key;
    access_log  /var/log/nginx/kimai.access.log;
    error_log   /var/log/nginx/kimai.error.log;
    location / {
        try_files \$uri \$uri/ /index.php?\$query_string;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    location ~ /\.ht {
        deny all;
    }
    fastcgi_hide_header X-Powered-By;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_connect_timeout 3600;
    add_header Permissions-Policy                   "interest-cohort=()";
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 }
 EOF
 mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
 CREATE DATABASE IF NOT EXISTS kimai;
 GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
 FLUSH PRIVILEGES;"
 sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini
 EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
 php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
 ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
 if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
 then
    >&2 echo 'ERROR: Invalid composer installer checksum'
    rm composer-setup.php
    exit 1
 fi
 php composer-setup.php --quiet
 rm composer-setup.php
 # Move composer to global installation
 mv composer.phar /usr/local/bin/composer
 cd /var/www
 git clone https://github.com/kimai/kimai.git --branch $KIMAI_VERSION --depth 1
 cd kimai
 # Install kimai composer dependencies
 export COMPOSER_ALLOW_SUPERUSER=1
 /usr/local/bin/composer install --optimize-autoloader -n
 # Copy and update kimai environment variables
 cat << EOF > .env
 # For more infos about the variables, see .env.dist
 DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.8
 MAILER_FROM=admin@$LXC_DOMAIN
 MAILER_URL=null://null
 APP_ENV=prod
 APP_SECRET=$(random_password)
 CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
 EOF
 chown -R www-data:www-data .
 chmod -R g+r .
 chmod -R g+rw var/
 bin/console kimai:install -n
 bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
 systemctl daemon-reload
 systemctl enable --now php${PHP_VERSION}-fpm nginx
 systemctl restart php${PHP_VERSION}-fpm nginx
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
 echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"
--- a/src/kopano-core/constants-service.conf
+++ b/src/kopano-core/constants-service.conf
@@ -0,0 +1,46 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 KOPANO_VERSION="latest"
 # Defines the php version to install
 KOPANO_PHP_VERSION="7.4"
 # Defines Maria DB Version
 MARIA_DB_VERS="10.5"
 # Defines the name from the SQL database
 MARIA_DB_NAME="kopano"
 # Defines the name from the SQL user
 MARIA_DB_USER="kopano"
 # Build a strong password for the SQL user - could be overwritten with something fixed 
 MARIA_ROOT_PWD=$(random_password)
 MARIA_USER_PWD=$(random_password)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/kopano-core/install-service.sh
+++ b/src/kopano-core/install-service.sh
@@ -0,0 +1,276 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 HOSTNAME=$(hostname -f)
 #wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
 #echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
 echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
 wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
 echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
 apt update
 #DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
 #php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
 php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
 #timedatectl set-timezone Europe/Berlin
 #mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 #chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 #### Secure Maria Instance ####
 mysqladmin -u root password "[$MARIA_ROOT_PWD]"
 mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
 mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
 #mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
 #### Create user and DB for Kopano ####
 mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
 echo "root-password: $MARIA_ROOT_PWD,\
 db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
 cat > /etc/apt/sources.list.d/kopano.list << EOF
 # Kopano Core
 deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
 # Kopano WebApp
 deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
 # Kopano MobileDeviceManagement
 deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
 # Kopano Files
 deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
 # Z-Push
 deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
 EOF
 cat > /etc/apt/auth.conf.d/kopano.conf << EOF
 machine download.kopano.io
 login serial
 password $KOPANO_REPKEY
 EOF
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
 apt update && apt full-upgrade -y
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
 z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files 
 #### Adjust kopano settings ####
 cat > /etc/kopano/ldap.cfg << EOF
 !include /usr/share/kopano/ldap.active-directory.cfg
 ldap_uri = ldap://192.168.100.100:389
 ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
 ldap_bind_passwd = Start123!
 ldap_search_base = dc=zmb,dc=rocks
 #ldap_user_search_filter = (kopanoAccount=1)
 EOF
 cat > /etc/kopano/server.cfg << EOF
 server_listen = *:236
 local_admin_users = root kopano
 #database_engine = mysql
 #mysql_host = localhost
 #mysql_port = 3306
 mysql_user = $MARIA_DB_USER
 mysql_password = $MARIA_USER_PWD
 mysql_database = $MARIA_DB_NAME
 #user_plugin = ldap
 #user_plugin_config = /etc/kopano/ldap.cfg
 EOF
 #### Adjust php settings ####
 sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
 cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
 [webapp]
 listen = 127.0.0.1:9002
 user = www-data
 group = www-data
 listen.allowed_clients = 127.0.0.1
 pm = dynamic
 pm.max_children = 150
 pm.start_servers = 35
 pm.min_spare_servers = 20
 pm.max_spare_servers = 50
 pm.max_requests = 200
 listen.backlog = -1
 request_terminate_timeout = 120s
 rlimit_files = 131072
 rlimit_core = unlimited
 catch_workers_output = yes
 EOF
 sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
 #### Adjust nginx settings ####
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
 openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
 #mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 cat > /etc/nginx/sites-available/webapp.conf << EOF
 upstream php-handler {
    #server 127.0.0.1:9002;
    #server unix:/var/run/php5-fpm.sock;
    server unix:/var/run/php/php7.4-fpm.sock;
 }
 server{
    listen 80;
    charset utf-8;
    listen [::]:80;
    server_name _;
    location / {
        rewrite   ^(.*)   https://\$server_name\$1 permanent;
    }  
 }
 server {
    charset utf-8;
    listen 443;
    listen [::]:443 ssl;
    server_name _;
    ssl on;
    client_max_body_size 1024m;
    ssl_certificate /etc/ssl/certs/kopano.crt;
    ssl_certificate_key /etc/ssl/private/kopano.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    #
    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    #
    # add headers
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    location /webapp {
        alias /usr/share/kopano-webapp/;
        index index.php;
    location ~ /webapp/presence/ {
                rewrite ^/webapp/presence(/.*)$ \$1 break;
                proxy_pass http://localhost:1234;
                proxy_set_header Upgrade \$http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_http_version 1.1;
                }
    }
    location ~* ^/webapp/(.+\.php)$ {
        alias /usr/share/kopano-webapp/;
        # deny access to .htaccess files
        location ~ /\.ht {
                    deny all;
        }
        fastcgi_param PHP_VALUE "
            register_globals=off
            magic_quotes_gpc=off
            magic_quotes_runtime=off
            post_max_size=31M
            upload_max_filesize=30M
        ";
        fastcgi_param PHP_VALUE "post_max_size=31M
                 upload_max_filesize=30M
                 max_execution_time=3660
        ";
        include fastcgi_params;
        fastcgi_index index.php;
        #fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME \$document_root\$1;
        fastcgi_pass php-handler;
        access_log /var/log/nginx/kopano-webapp-access.log;
        error_log /var/log/nginx/kopano-webapp-error.log;
        # CSS and Javascript
        location ~* \.(?:css|js)$ {
            expires 1y;
            access_log off;
            add_header Cache-Control "public";
        }
        # All (static) resources set to 2 months expiration time.
        location ~* \.(?:jpg|gif|png)\$ {
            expires 2M;
            access_log off;
            add_header Cache-Control "public";
        }
        # enable gzip compression
        gzip on;
        gzip_min_length  1100;
        gzip_buffers  4 32k;
        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
        gzip_vary on;
        }
 }
 map \$http_upgrade \$connection_upgrade {
        default upgrade;
        '' close;
 }
 EOF
 ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
 phpenmod kopano
 systemctl restart php7.4-fpm nginx
--- a/src/lxc-base.sh
+++ b/src/lxc-base.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
@@ -7,6 +8,7 @@
 # load configuration
 echo "Loading configuration..."
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants.conf
 source /root/constants-service.conf
@@ -14,6 +16,7 @@ source /root/constants-service.conf
 echo "Updating locales"
 # update locales
 sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
 sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen
 cat << EOF > /etc/default/locale
 LANG="$LXC_LOCALE"
 LANGUAGE=$LXC_LOCALE
@@ -24,23 +27,23 @@ locale-gen $LXC_LOCALE
 if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
-deb http://ftp.de.debian.org/debian bullseye main contrib
+deb http://debian.inf.tu-dresden.de/debian bullseye main contrib
-deb http://ftp.de.debian.org/debian bullseye-updates main contrib
+deb http://debian.inf.tu-dresden.de/debian bullseye-updates main contrib
 # security updates
-deb http://security.debian.org bullseye-security main contrib
+deb http://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib
 EOF
 elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
-deb http://ftp.de.debian.org/debian buster main contrib
+deb http://debian.inf.tu-dresden.de/debian buster main contrib
-deb http://ftp.de.debian.org/debian buster-updates main contrib
+deb http://debian.inf.tu-dresden.de/debian buster-updates main contrib
 # security updates
-deb http://security.debian.org buster/updates main contrib
+deb http://debian.inf.tu-dresden.de/debian-security buster/updates main contrib
 EOF
 else echo "LXC Debian Version false. Please check configuration files!" ; exit
 fi
--- a/src/mailpiler/constants-service.conf
+++ b/src/mailpiler/constants-service.conf
@@ -25,3 +25,9 @@ PILER_VERSION="1.3.12"
 PILER_SPHINX_VERSION="3.3.1"
 # Defines the php version to install
 PILER_PHP_VERSION="7.4"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx"
--- a/src/mailpiler/install-service.sh
+++ b/src/mailpiler/install-service.sh
@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/matrix/constants-service.conf
+++ b/src/matrix/constants-service.conf
@@ -19,5 +19,8 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
-# Define the version of Element Web
+# Sets the minimum amount of RAM the service needs for operation
-MATRIX_ELEMENT_VERSION="v1.9.9"
+LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,postgresql,element-web"
--- a/src/matrix/install-service.sh
+++ b/src/matrix/install-service.sh
@@ -5,14 +5,17 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+MRX_PKE=$(random_password)
 ELE_DBNAME="synapse_db"
 ELE_DBUSER="synapse_user"
-ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ELE_DBPASS=$(random_password)
 ELE_PATH=/var/www/element-web
 WEBROOT=/var/www
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
@@ -66,7 +69,7 @@ server {
    ssl_certificate_key /etc/nginx/ssl/matrix.key;
    # If you don't wanna serve a site, comment this out
-    root /var/www/$MATRIX_FQDN;
+    root $ELE_PATH;
    index index.html index.htm;
    location / {
@@ -101,7 +104,7 @@ server {
    ssl_certificate_key /etc/nginx/ssl/matrix.key;
    # If you don't wanna serve a site, comment this out
-    root /var/www/$MATRIX_ELEMENT_FQDN/element;
+    root $ELE_PATH;
    index index.html index.htm;
 } 
@@ -112,21 +115,23 @@ ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$
 systemctl restart nginx
-mkdir /var/www/$MATRIX_ELEMENT_FQDN
+cd /var/www
-cd /var/www/$MATRIX_ELEMENT_FQDN
+
-wget https://packages.riot.im/element-release-key.asc
+wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
 gpg --import element-release-key.asc
-wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
+MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/vector-im/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
-wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
+
 wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
 wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
-ln -s element-$MATRIX_ELEMENT_VERSION element
+mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH
-chown www-data:www-data -R element
+chown www-data:www-data -R $ELE_PATH
-cp ./element/config.sample.json ./element/config.json
+cp $ELE_PATH/config.sample.json $ELE_PATH/config.json
-sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json
+sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json
-sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json
+sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json
 su postgres <<EOF
 psql -c "CREATE USER $ELE_DBUSER WITH PASSWORD '$ELE_DBPASS';"
@@ -144,10 +149,8 @@ sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\
 systemctl restart matrix-synapse
-register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p '$MATRIX_ADMIN_PASSWORD' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
+rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
-#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
 #echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
-#apt update
+echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
 #apt install -y jitsi-meet
--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@@ -23,7 +23,7 @@ LXC_NESTING="1"
 NEXTCLOUD_VERSION="latest"
 # Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.0"
+NEXTCLOUD_PHP_VERSION="8.1"
 # Defines the IP from the SQL server
 NEXTCLOUD_DB_IP="127.0.0.1"
@@ -38,4 +38,10 @@ NEXTCLOUD_DB_NAME="nextcloud_db"
 NEXTCLOUD_DB_USR="nextcloud"
 # Build a strong password for the SQL user - could be overwritten with something fixed 
-NEXTCLOUD_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+NEXTCLOUD_DB_PWD="$(random_password)"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@@ -5,6 +5,10 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 NEXTCLOUD_ADMIN_PWD=$(random_password)
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -21,7 +25,7 @@ echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends sudo tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
 postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
 timedatectl set-timezone $LXC_TIMEZONE
@@ -398,7 +402,9 @@ array (
 'updater.release.channel' => 'stable',
 'trusted_proxies' => 
 array (
-'$NEXTCLOUD_REVPROX'
+'$NEXTCLOUD_REVPROX',
 '127.0.0.1',
 '::1',
 ),
 );
 EOF
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@@ -0,0 +1,26 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 # service dependent meta tags
 SERVICE_TAGS="mongodb-server,java"
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@@ -0,0 +1,29 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
 add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
 wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://www.mongodb.org/static/pgp/server-4.4.asc
 echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq adoptopenjdk-8-hotspot jsvc mongodb-org
 DL=$(wget -O - -q  https://www.tp-link.com/de/support/download/omada-software-controller/ 2>/dev/null | grep Download-Detail-Software_Omada-Software-Controller | grep "Linux_x64.deb" | head -1 | cut -d'"' -f6)
 wget -O /tmp/omada.deb -q $DL
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /tmp/omada.deb
--- a/src/onlyoffice/constants-service.conf
+++ b/src/onlyoffice/constants-service.conf
@@ -23,4 +23,10 @@ ONLYOFFICE_DB_HOST=localhost
 ONLYOFFICE_DB_NAME=onlyoffice
-ONLYOFFICE_DB_USER=onlyoffice
+ONLYOFFICE_DB_USER=onlyoffice
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,postgresql,rabbitmq"
--- a/src/onlyoffice/fix-update.sh
+++ b/src/onlyoffice/fix-update.sh
@@ -0,0 +1,25 @@
 #!/bin/bash
 cat > /usr/local/bin/ods-apt-pre-hook << DFOE
 #!/bin/bash
 rm /etc/nginx/conf.d/ds-ssl.conf
 systemctl stop nginx.service
 DFOE
 chmod +x /usr/local/bin/ods-apt-pre-hook
 cat > /usr/local/bin/ods-apt-post-hook << DFOE
 #!/bin/bash
 rm /etc/nginx/conf.d/ds.conf
 ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
 systemctl restart nginx
 DFOE
 chmod +x /usr/local/bin/ods-apt-post-hook
 cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
 DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
 EOF
 cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
 DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
 EOF
--- a/src/onlyoffice/install-service.sh
+++ b/src/onlyoffice/install-service.sh
@@ -1,7 +1,15 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-ONLYOFFICE_DB_PASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ONLYOFFICE_DB_PASS=$(random_password)
 apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
 echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
@@ -36,8 +44,33 @@ openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/only
 rm /etc/nginx/conf.d/ds.conf
 cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
 sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
 sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
 ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
-sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/nginx/conf.d/ds-ssl.conf
+cat > /usr/local/bin/ods-apt-pre-hook << DFOE
-sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/nginx/conf.d/ds-ssl.conf
+#!/bin/bash
 rm /etc/nginx/conf.d/ds-ssl.conf
 systemctl stop nginx.service
 DFOE
 chmod +x /usr/local/bin/ods-apt-pre-hook
 cat > /usr/local/bin/ods-apt-post-hook << DFOE
 #!/bin/bash
 rm /etc/nginx/conf.d/ds.conf
 ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
 systemctl restart nginx
 DFOE
 chmod +x /usr/local/bin/ods-apt-post-hook
 cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
 DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
 EOF
 cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
 DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
 EOF
 systemctl restart nginx
--- a/src/open3a/constants-service.conf
+++ b/src/open3a/constants-service.conf
@@ -17,4 +17,10 @@ LXC_MP="0"
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
-LXC_NESTING="1"
+LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/open3a/install-service.sh
+++ b/src/open3a/install-service.sh
@@ -5,12 +5,14 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 webroot=/var/www/html
-MYSQL_PASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)"
+LXC_RANDOMPWD=20
 MYSQL_PASSWORD="$(random_password)"
 apt update
@@ -55,7 +57,7 @@ CREATE DATABASE IF NOT EXISTS open3a;
 GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
 cd $webroot
-wget https://www.open3a.de/download/open3A%203.5.zip -O $webroot/open3a.zip
+wget https://www.open3a.de/download/open3A%203.7.zip -O $webroot/open3a.zip
 unzip open3a.zip
 rm open3a.zip
 chmod 666 system/DBData/Installation.pfdb.php
@@ -66,7 +68,17 @@ chown -R www-data:www-data $webroot
 echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
 chmod +x /etc/cron.daily/open3a-backup
 cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
 <?php echo "This is a database-file."; /*
 host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
 varchar(40)&%%%&varchar(20)&%%%&varchar(20)&%%%&varchar(30)&%%%&varchar(40)                                                                                         
 localhost                               &%%%&open3a              &%%%&$MYSQL_PASSWORD&%%%&open3a                        &%%%&*                                       %%&&&
 */ ?>
 EOF
 systemctl enable --now php7.4-fpm
 systemctl restart php7.4-fpm nginx
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
 echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"
--- a/src/proxmox-pbs/constants-service.conf
+++ b/src/proxmox-pbs/constants-service.conf
@@ -20,4 +20,10 @@ LXC_UNPRIVILEGED="1"
 LXC_NESTING="1"
 # Backup ubdir where Urbackup will store backups
-PBS_DATA="backup"
+PBS_DATA="backup"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="backup"
--- a/src/proxmox-pbs/install-service.sh
+++ b/src/proxmox-pbs/install-service.sh
@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -20,3 +21,5 @@ apt update && apt upgrade -y
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
 proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
 systemctl disable --now zfs-mount.service zfs-share.service
--- a/src/sources.list
+++ b/src/sources.list
@@ -1,6 +0,0 @@
 deb http://ftp.de.debian.org/debian buster main contrib
 deb http://ftp.de.debian.org/debian buster-updates main contrib
 # security updates
 deb http://security.debian.org buster/updates main contrib
--- a/src/unifi/constants-service.conf
+++ b/src/unifi/constants-service.conf
@@ -0,0 +1,26 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 # service dependent meta tags
 SERVICE_TAGS="mongodb-server,java"
--- a/src/unifi/install-service.sh
+++ b/src/unifi/install-service.sh
@@ -0,0 +1,22 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
 wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
 echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
 echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unifi
--- a/src/urbackup/constants-service.conf
+++ b/src/urbackup/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-10-standard"
+LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="1"
@@ -23,4 +23,10 @@ LXC_NESTING="1"
 URBACKUP_DATA="urbackup"
 # OS codename for opensuse / urbackup repo
-REPO_CODENAME="Debian_10"
+REPO_CODENAME="Debian_11"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx"
--- a/src/urbackup/install-service.sh
+++ b/src/urbackup/install-service.sh
@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/vaultwarden/constants-service.conf
+++ b/src/vaultwarden/constants-service.conf
@@ -0,0 +1,35 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Defines the name from the SQL database
 VAULTWARDEN_DB_NAME="vaultwarden"
 # Defines the name from the SQL user
 VAULTWARDEN_DB_USR="vaultwarden"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 VAULTWARDEN_DB_PWD="$(random_password)"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,postgresql"
--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@@ -0,0 +1,161 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 admin_token=$(openssl rand -base64 48)
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
 systemctl enable --now postgresql
 wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
 chmod +x docker-image-extract
 ./docker-image-extract vaultwarden/server:alpine
 mkdir /opt/vaultwarden
 mkdir -p /var/lib/vaultwarden/data
 useradd vaultwarden
 chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
 mv output/vaultwarden /opt/vaultwarden
 mv output/web-vault /var/lib/vaultwarden/
 rm -Rf output
 rm -Rf docker-image-extract
 su - postgres <<EOF
 psql -c "CREATE USER ${VAULTWARDEN_DB_USR} WITH PASSWORD '${VAULTWARDEN_DB_PWD}';"
 psql -c "CREATE DATABASE ${VAULTWARDEN_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${VAULTWARDEN_DB_USR};"
 echo "Postgres User ${VAULTWARDEN_DB_USR} and database ${VAULTWARDEN_DB_NAME} created."
 EOF
 cat << EOF > /var/lib/vaultwarden/.env
 DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden
 DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN}
 ORG_CREATION_USERS=admin@$LXC_DOMAIN
 # Use `openssl rand -base64 48` to generate
 ADMIN_TOKEN=$admin_token
 # Uncomment this once vaults restored
 SIGNUPS_ALLOWED=false
 SMTP_HOST=$VW_SMTP_HOST
 SMTP_FROM=$VW_SMTP_FROM
 SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
 SMTP_PORT=$VW_SMTP_PORT          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
 SMTP_SSL=$VW_SMTP_SSL          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
 SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
 SMTP_USERNAME=$VW_SMTP_USERNAME
 SMTP_PASSWORD=$VW_SMTP_PASSWORD
 SMTP_TIMEOUT=15
 EOF
 cat << EOF > /etc/systemd/system/vaultwarden.service
 [Unit]
 Description=Bitwarden Server (Rust Edition)
 Documentation=https://github.com/dani-garcia/vaultwarden
 After=network.target
 [Service]
 User=vaultwarden
 Group=vaultwarden
 EnvironmentFile=/var/lib/vaultwarden/.env
 ExecStart=/opt/vaultwarden/vaultwarden
 LimitNOFILE=1048576
 LimitNPROC=64
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
 ProtectSystem=strict
 WorkingDirectory=/var/lib/vaultwarden
 ReadWriteDirectories=/var/lib/vaultwarden
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
 EOF
 cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
 DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};
 EOF
 cat << EOF > /var/lib/vaultwarden/update.sh
 PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
 chmod +x docker-image-extract
 ./docker-image-extract vaultwarden/server:alpine
 mv output/vaultwarden /opt/vaultwarden
 systemctl stop vaultwarden.service
 cp -rlf output/web-vault /var/lib/vaultwarden/
 rm -Rf output
 rm -Rf docker-image-extract
 systemctl start vaultwarden.service
 EOF
 chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
 chmod +x /var/lib/vaultwarden/update.sh
 cat << EOF > /etc/nginx/conf.d/default.conf
 server {
    listen 80;
    listen [::]:80;
    server_name _;
    server_tokens off;
    access_log /var/log/nginx/vaultwarden.access.log;
    error_log /var/log/nginx/vaultwarden.error.log;
    location /.well-known/ {
        root /var/www/html;
    }
    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
 }
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
    server_tokens off;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
    add_header Strict-Transport-Security "max-age=31536000" always;
    access_log /var/log/nginx/vaultwarden.access.log;
    error_log  /var/log/nginx/vaultwarden.error.log;
    client_max_body_size 50M;
    location / {
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8000;
        proxy_read_timeout 90;
    }
 }
 EOF
 openssl dhparam -out /etc/nginx/dhparam.pem 4096
 systemctl daemon-reload
 systemctl enable --now vaultwarden
 systemctl restart nginx
--- a/src/zabbix/constants-service.conf
+++ b/src/zabbix/constants-service.conf
@@ -0,0 +1,42 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Defines the IP from the SQL server
 ZABBIX_DB_IP="127.0.0.1"
 # Defines the PORT from the SQL server
 ZABBIX_DB_PORT="5432"
 # Defines the name from the SQL database
 ZABBIX_DB_NAME="zabbix"
 # Defines the name from the SQL user
 ZABBIX_DB_USR="zabbix"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 ZABBIX_DB_PWD="$(random_password)"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/zabbix/install-service.sh
+++ b/src/zabbix/install-service.sh
@@ -0,0 +1,229 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
 echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
 wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
 echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent ssl-cert
 unlink /etc/nginx/sites-enabled/default
 cat << EOF > /etc/zabbix/nginx.conf
 server {
        listen          80 default_server;
        listen          [::]:80 default_server;
        server_name _;
        server_tokens off;
        access_log /var/log/nginx/zabbix.access.log;
        error_log /var/log/nginx/zabbix.error.log;
        location /.well-known/ {
        }
        return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
        }
 server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
        server_tokens off;
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 180m;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 1.1.1.1 1.0.0.1;
        add_header Strict-Transport-Security "max-age=31536000" always;
        root    /usr/share/zabbix;
        index   index.php;
        location = /favicon.ico {
                log_not_found   off;
        }
        location / {
                try_files       \$uri \$uri/ =404;
        }
        location /assets {
                access_log      off;
                expires         10d;
        }
        location ~ /\.ht {
                deny            all;
        }
        location ~ /(api\/|conf[^\.]|include|locale) {
                deny            all;
                return          404;
        }
        location /vendor {
                deny            all;
                return          404;
        }
        location ~ [^/]\.php(/|$) {
                fastcgi_pass    unix:/var/run/php/zabbix.sock;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index   index.php;
                fastcgi_param   DOCUMENT_ROOT   /usr/share/zabbix;
                fastcgi_param   SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name;
                fastcgi_param   PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name;
                include fastcgi_params;
                fastcgi_param   QUERY_STRING    \$query_string;
                fastcgi_param   REQUEST_METHOD  \$request_method;
                fastcgi_param   CONTENT_TYPE    \$content_type;
                fastcgi_param   CONTENT_LENGTH  \$content_length;
                fastcgi_intercept_errors        on;
                fastcgi_ignore_client_abort     off;
                fastcgi_connect_timeout         60;
                fastcgi_send_timeout            180;
                fastcgi_read_timeout            180;
                fastcgi_buffer_size             128k;
                fastcgi_buffers                 4 256k;
                fastcgi_busy_buffers_size       256k;
                fastcgi_temp_file_write_size    256k;
        }
 }
 EOF
 cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf
 [zabbix]
 user = www-data
 group = www-data
 listen = /var/run/php/zabbix.sock
 listen.owner = www-data
 listen.allowed_clients = 127.0.0.1
 pm = dynamic
 pm.max_children = 50
 pm.start_servers = 5
 pm.min_spare_servers = 5
 pm.max_spare_servers = 35
 pm.max_requests = 200
 php_value[session.save_handler] = files
 php_value[session.save_path]    = /var/lib/php/sessions/
 php_value[max_execution_time] = 300
 php_value[memory_limit] = 128M
 php_value[post_max_size] = 16M
 php_value[upload_max_filesize] = 2M
 php_value[max_input_time] = 300
 php_value[max_input_vars] = 10000
 EOF
 cat << EOF > /etc/zabbix/web/zabbix.conf.php 
 <?php
 // Zabbix GUI configuration file.
 \$DB['TYPE']				= 'POSTGRESQL';
 \$DB['SERVER']			= 'localhost';
 \$DB['PORT']				= '0';
 \$DB['DATABASE']			= '${ZABBIX_DB_NAME}';
 \$DB['USER']				= '${ZABBIX_DB_USR}';
 \$DB['PASSWORD']			= '${ZABBIX_DB_PWD}';
 // Schema name. Used for PostgreSQL.
 \$DB['SCHEMA']			= '';
 // Used for TLS connection.
 \$DB['ENCRYPTION']		= true;
 \$DB['KEY_FILE']			= '';
 \$DB['CERT_FILE']		= '';
 \$DB['CA_FILE']			= '';
 \$DB['VERIFY_HOST']		= false;
 \$DB['CIPHER_LIST']		= '';
 // Vault configuration. Used if database credentials are stored in Vault secrets manager.
 \$DB['VAULT_URL']		= '';
 \$DB['VAULT_DB_PATH']	= '';
 \$DB['VAULT_TOKEN']		= '';
 // Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
 // This option is enabled by default for new Zabbix installations.
 // For upgraded installations, please read database upgrade notes before enabling this option.
 \$DB['DOUBLE_IEEE754']	= true;
 // Uncomment and set to desired values to override Zabbix hostname/IP and port.
 // \$ZBX_SERVER			= '';
 // \$ZBX_SERVER_PORT		= '';
 \$ZBX_SERVER_NAME		= '${LXC_HOSTNAME}';
 \$IMAGE_FORMAT_DEFAULT	= IMAGE_FORMAT_PNG;
 // Uncomment this block only if you are using Elasticsearch.
 // Elasticsearch url (can be string if same url is used for all types).
 //\$HISTORY['url'] = [
 //	'uint' => 'http://localhost:9200',
 //	'text' => 'http://localhost:9200'
 //];
 // Value types stored in Elasticsearch.
 //\$HISTORY['types'] = ['uint', 'text'];
 // Used for SAML authentication.
 // Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
 //\$SSO['SP_KEY']			= 'conf/certs/sp.key';
 //\$SSO['SP_CERT']			= 'conf/certs/sp.crt';
 //\$SSO['IDP_CERT']		= 'conf/certs/idp.crt';
 //\$SSO['SETTINGS']		= [];
 EOF
 timedatectl set-timezone ${LXC_TIMEZONE}
 systemctl enable --now postgresql
 su - postgres <<EOF
 psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
 psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
 echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
 EOF
 sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
 zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
 echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
 openssl dhparam -out /etc/nginx/dhparam.pem 4096
 systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm 
 systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm 
--- a/src/zammad/constants-service.conf
+++ b/src/zammad/constants-service.conf
@@ -0,0 +1,26 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="nginx,postgresql,elasticsearch"
--- a/src/zammad/install-service.sh
+++ b/src/zammad/install-service.sh
@@ -0,0 +1,170 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key
 apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch
 wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo
 echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
 cat << EOF >>/etc/hosts
 0.0.0.0 image.zammad.com
 0.0.0.0 images.zammad.com
 0.0.0.0 geo.zammad.com
 0.0.0.0 www.zammad.com
 0.0.0.0 www.zammad.org
 0.0.0.0 www.zammad.net
 0.0.0.0 www.zammad.de
 0.0.0.0 zammad.com
 0.0.0.0 zammad.org
 0.0.0.0 zammad.net
 0.0.0.0 zammad.de
 #
 127.0.0.1 elasticsearch
 0.0.0.0 geoip.elastic.co
 EOF
 # Java set startup environment 
 mkdir -p /etc/elasticsearch/jvm.options.d
 cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
 # INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
 # max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
 -Xms1g
 -Xmx1g
 EOF
 # configurwe nginx
 rm -f /etc/nginx/sites-enabled/default
 cat << EOF > /etc/nginx/sites-available/zammad.conf
 upstream zammad-railsserver {
  server 127.0.0.1:3000;
 }
 upstream zammad-websocket {
  server 127.0.0.1:6042;
 }
 server {
    listen 80;
    listen [::]:80;
    server_name _;
    server_tokens off;
    access_log /var/log/nginx/zammad.access.log;
    error_log /var/log/nginx/zammad.error.log;
    location /.well-known/ {
        root /var/www/html;
    }
    return 301 https://\$host\$request_uri;
 }
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;
    server_tokens off;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
 #
 #  https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
 #
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
    add_header Referrer-Policy "strict-origin";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Strict-Transport-Security "max-age=31536000" always;
    location = /robots.txt  {
    access_log off; log_not_found off;
    }
    location = /favicon.ico {
    access_log off; log_not_found off;
    }
    root /opt/zammad/public;
    access_log /var/log/nginx/zammad.access.log;
    error_log  /var/log/nginx/zammad.error.log;
    client_max_body_size 50M;
    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
    expires max;
    }
    location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto	\$scheme;
    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
    }
    location / {
    proxy_set_header Host \$http_host;
    proxy_set_header CLIENT_IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto	\$scheme;
    # change this line in an SSO setup
    proxy_set_header X-Forwarded-User "";
    proxy_read_timeout 180;
    proxy_pass http://zammad-railsserver;
    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
    gzip_proxied any;
    }
 }
 EOF
 ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
 openssl dhparam -out /etc/nginx/dhparam.pem 4096
 systemctl enable elasticsearch.service
 systemctl restart nginx elasticsearch.service
 # Elasticsearch conntact to Zammad
 /usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
 zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
 zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
 zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
 systemctl restart elasticsearch.service
 zammad run rake searchindex:rebuild
--- a/src/zmb-ad-join/constants-service.conf
+++ b/src/zmb-ad-join/constants-service.conf
@@ -0,0 +1,38 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP="0"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # add optional features to samba ad dc
 # CURRENTLY SUPPORTED:
 # wsdd = add windows service discovery
 # splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
 # bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
 OPTIONAL_FEATURES=(wsdd splitdns)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
--- a/src/zmb-ad-join/install-service.sh
+++ b/src/zmb-ad-join/install-service.sh
@@ -0,0 +1,154 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 for f in ${OPTIONAL_FEATURES[@]}; do
  if [[ "$f" == "wsdd" ]]; then
      ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
      ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
      apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
      echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
  elif [[ "$f" == "splitdns" ]]; then
      ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
      ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
  elif [[ "$f" == "bind9dlz" ]]; then
      ZMB_DNS_BACKEND="BIND9_DLZ"
      ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
      ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
  else
      echo "Unsupported optional feature $f"
  fi
 done
 ## configure ntp
 cat << EOF > /etc/ntp.conf
 # Local clock. Note that is not the "localhost" address!
 server 127.127.1.0
 fudge  127.127.1.0 stratum 10
 # Where to retrieve the time from
 server 0.de.pool.ntp.org     iburst prefer
 server 1.de.pool.ntp.org     iburst prefer
 server 2.de.pool.ntp.org     iburst prefer
 driftfile       /var/lib/ntp/ntp.drift
 logfile         /var/log/ntp
 ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
 # Access control
 # Default restriction: Allow clients only to query the time
 restrict default kod nomodify notrap nopeer mssntp
 # No restrictions for "localhost"
 restrict 127.0.0.1
 # Enable the time sources to only provide time to this host
 restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 tinker panic 0
 EOF
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 	  cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80 default_server;
    server_name _;
    return 301 http://www.$LXC_DOMAIN\$request_uri;
 }
 EOF
 fi
 if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
  # configure bind dns service
  cat << EOF > /etc/default/bind9
 #
 # run resolvconf?
 RESOLVCONF=no
 # startup options for the server
 OPTIONS="-4 -u bind"
 EOF
  cat << EOF > /etc/bind/named.conf.local
 //
 // Do any local configuration here
 //
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
 dlz "$LXC_DOMAIN" {
  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
 };
 EOF
  cat << EOF > /etc/bind/named.conf.options
 options {
  directory "/var/cache/bind";
  forwarders {
    $LXC_DNS;
  };
  allow-query {  any;};
  dnssec-validation no;
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  listen-on { any; };
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
  minimal-responses yes;
 };
 EOF
  mkdir -p /var/lib/samba/bind-dns/dns
 fi
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
 [libdefaults]
 	default_realm = $ZMB_REALM
 	ticket_lifetime = 600
 	dns_lookup_realm = true
 	dns_lookup_kdc = true
 	renew_lifetime = 7d
 EOF
 # stop + disable samba services and remove default config
 systemctl disable --now smbd nmbd winbind systemd-resolved
 rm -f /etc/samba/smb.conf
 echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
 samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
 mkdir -p /mnt/sysvol
 cat << EOF > /root/.smbcredentials
 username=$ZMB_ADMIN_USER
 password=$ZMB_ADMIN_PASS
 domain=$ZMB_DOMAIN
 EOF
 echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab
 mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
 cat > /etc/cron.d/sysvol-sync << EOF
 */15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
 EOF
 /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
 ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
--- a/src/zmb-ad/constants-service.conf
+++ b/src/zmb-ad/constants-service.conf
@@ -29,4 +29,10 @@ LXC_NESTING="1"
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=()
+OPTIONAL_FEATURES=(wsdd splitdns)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary"
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -58,11 +59,14 @@ restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 tinker panic 0
 EOF
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
  cat << EOF > /etc/nginx/sites-available/default
--- a/src/zmb-member/constants-service.conf
+++ b/src/zmb-member/constants-service.conf
@@ -17,4 +17,10 @@ LXC_MP="1"
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
-LXC_NESTING="1"
+LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="samba,member,fileserver"
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@@ -5,16 +5,18 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # add wsdd package repo
 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
 echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
--- a/src/zmb-standalone/constants-service.conf
+++ b/src/zmb-standalone/constants-service.conf
@@ -17,4 +17,10 @@ LXC_MP="1"
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
-LXC_NESTING="1"
+LXC_NESTING="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit"
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@@ -5,23 +5,39 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # add wsdd package repo
 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
 apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
 echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
 echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 cat << EOF > /etc/apt/preferences.d/samba
 Package: samba*
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
 cat << EOF > /etc/apt/preferences.d/winbind
 Package: winbind*
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
 cat << EOF > /etc/apt/preferences.d/cockpit
 Package: cockpit*
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t $(lsb_release -cs)-backports cockpit
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
 mkdir /usr/share/cockpit/smb
 wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html
 wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json
 wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js
 USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
 useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
@@ -29,23 +45,52 @@ echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
 smbpasswd -x $USER
 (echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
-cat << EOF >> /etc/samba/smb.conf
+usermod -aG sudo $USER
-[$ZMB_SHARE]
+
-    comment = Main Share
+cat << EOF | sudo tee -i /etc/samba/smb.conf
-    path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+[global]
-    read only = No
+    include = registry
-    vfs objects = shadow_copy2
+EOF
-	create mask = 0660
+
-	directory mask = 0770
+cat << EOF | sudo tee -i /etc/samba/import.template
 [global]
    workgroup = WORKGROUP
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    panic action = /usr/share/samba/panic-action %d
    log level = 3
    server role = standalone server
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
    map acl inherit = yes
    acl_xattr:ignore system acls = yes
    shadow: snapdir = .zfs/snapshot
    shadow: sort = desc
    shadow: format = -%Y-%m-%d-%H%M
-    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
    shadow: delimiter = -20
    fruit:encoding = native
    fruit:metadata = stream
    fruit:zero_file_id = yes
    fruit:nfs_aces = no
 EOF
 net conf import /etc/samba/import.template
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 net conf setparm $ZMB_SHARE readonly no
 net conf setparm $ZMB_SHARE browseable yes
 net conf setparm $ZMB_SHARE createmask 0660
 net conf setparm $ZMB_SHARE directorymask 0770
 systemctl restart smbd nmbd wsdd