Merge pull request #1 from bashclub/dev

Sync with upstream bashclub/zamba-lxc-toolbox dev changes

conf/zamba.conf.example

@@ -32,6 +32,9 @@ LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines a the host system folder to be bind-mounted and shared by Zamba. Requires LXC_SHAREFS_SIZE > 0 but ignores the value. (AD member & standalone) (default: "")
 LXC_SHAREFS_BINDMOUNT=""
 
+# cpu core count (default: 0 = unlimited)
+LXC_THREADS=0
+
 # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
 LXC_MEM=1024
 
@@ -89,6 +92,9 @@ LXC_VIM_BG_DARK=1
 # Default random password length
 LXC_RANDOMPWD=32
 
+# Move lxc to specific ressource pool
+LXC_RESSOURCE_POOL=""
+
 # Automatically add meta tags to lxc container
 LXC_AUTOTAG=1
 
@@ -175,6 +181,10 @@ KOPANO_MAILGW="192.168.100.254"
 KOPANO_REPKEY="1234567890abcdefghijklmno"
 
 ############### vaultwarden Section ###############
+
+# Enable/disable signups (true/false)
+VW_SIGNUPS_ALLOWED=false
+
 # Hostname of your mailserver
 VW_SMTP_HOST=mail.bashclub.org
 
@@ -198,3 +208,15 @@ VW_SMTP_USERNAME=vaultwarden@bashclub.org
 
 # password of your mailbox
 VW_SMTP_PASSWORD='<yourEmailPassword>'
+
+############### ansible-semaphore Section ###############
+
+SEMAPHORE_ADMIN=admin
+SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
+SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
+SEMAPHORE_ADMIN_PASSWORD='Start123'
+
+############### docker Section ###############
+
+# Install Portainer (=full), Protainer Agent (=agent) or none
+PORTAINER=none

install.sh

@@ -130,16 +130,26 @@ else
 fi
 echo "Will now create LXC Container $LXC_NBR!";
 
+if [ $LXC_THREADS -gt 0 ]; then
+  LXC_CORES=--cores\ $LXC_THREADS
+fi
+
+
+if [[ $LXC_RESSOURCE_POOL != "" ]]; then
+  LXC_POOL=--pool\ $LXC_RESSOURCE_POOL
+fi
+
+
 # Create the container
 set +u
-pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
 set -u
 sleep 2;
 
 # Check vlan configuration
 if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
 if [ $LXC_DHCP == true ]; then
  pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
 else
@@ -187,3 +197,7 @@ elif [[ $service == "zmb-ad-join" ]]; then
   pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi
 pct start $LXC_NBR
+if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
+  sleep 5
+  pct exec $LXC_NBR /usr/local/bin/smb-backup 7
+fi

src/ansible-semaphore/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/ansible-semaphore/install-service.sh

@@ -52,6 +52,9 @@ fi
 EOF
 chmod +x /usr/local/bin/update-semaphore
 
+useradd -m -r -s /bin/bash semaphore
+sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
+
 cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
 DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
 EOF
@@ -70,6 +73,8 @@ ExecReload=/bin/kill -HUP \$MAINPID
 ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
 SyslogIdentifier=semaphore
 Restart=always
+User=semaphore
+Group=semaphore
 
 [Install]
 WantedBy=multi-user.target
@@ -207,8 +212,11 @@ echo "source <(semaphore completion bash)" >> /root/.bashrc
 semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json
 
 
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+generate_dhparam
 
 systemctl daemon-reload
 systemctl enable --now semaphore.service
 systemctl restart nginx.service
+
+
+echo -e "\n######################################################################\n\n    Please note this user and password for the semaphore login:\n        '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n                Enjoy your semaphore intallation.\n\n######################################################################"

src/authentik/constants-service.conf

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="docker"

src/authentik/install-service.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+mkdir -p /opt/authentik
+wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
+cd /opt/authentik
+cat << EOF > .env
+PG_PASS=$(pwgen -s 40 1)
+AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+AUTHENTIK_AVATARS=initials
+COMPOSE_PORT_HTTP=80
+COMPOSE_PORT_HTTPS=443
+AUTHENTIK_EMAIL__HOST=
+AUTHENTIK_EMAIL__PORT=
+AUTHENTIK_EMAIL__USERNAME=
+AUTHENTIK_EMAIL__PASSWORD=
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=
+EOF
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your authentik intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
+esac

src/bookstack/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/checkmk/constants-service.conf

@@ -19,8 +19,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # checkmk version
-CMK_VERSION=2.2.0p7
+CMK_VERSION=2.2.0p14
 # build number of the debian package (needs to start with underscore)
 CMK_BUILD=_0
 
@@ -28,4 +31,4 @@ CMK_BUILD=_0
 LXC_MEM_MIN=2048
 
 # service dependent meta tags
-SERVICE_TAGS="apache2"
+SERVICE_TAGS="apache2"

src/debian-priv/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512
 

src/debian-unpriv/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512
 

src/docker/constants-service.conf

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS=""

src/docker/install-service.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac

src/ecodms/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # set ecodms release version
 ECODMS_RELEASE=ecodms_230164
 

src/functions.sh

@@ -5,5 +5,16 @@ LXC_RANDOMPWD=32
 
 random_password() {
     set +o pipefail
-    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
-}
+    LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
+}
+
+generate_dhparam() {
+    openssl dhparam -out /etc/nginx/dhparam.pem 2048
+    cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
+mv /etc/nginx/dhparam.gen /etc/nginx/dhparam.pem
+systemctl restart nginx
+EOF
+    chmod +x /etc/cron.monthly/generate-dhparams
+}

src/gitea/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the IP from the SQL server
 GITEA_DB_IP="127.0.0.1"
 

src/gitea/install-service.sh

@@ -181,7 +181,7 @@ server {
 }
 
 EOF
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+generate_dhparam
 
 systemctl daemon-reload
 systemctl enable --now gitea

src/kimai/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 #KIMAI_VERSION="main"
 

src/kopano-core/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 KOPANO_VERSION="latest"
 

src/kopano-core/install-service.sh

@@ -149,7 +149,7 @@ sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kop
 #### Adjust nginx settings ####
 
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
-openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+generate_dhparam
 
 #mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 
@@ -187,7 +187,7 @@ server {
     ssl_prefer_server_ciphers on;
     #
     # ssl_dhparam require you to create a dhparam.pem, this takes a long time
-    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    ssl_dhparam /etc/nginx/dhparam.pem;
     #
  
     # add headers

src/mailcow/constants-service.conf

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=8192
+
+# service dependent meta tags
+SERVICE_TAGS="docker"

src/mailcow/install-service.sh

@@ -0,0 +1,438 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+cd /opt
+git clone https://github.com/mailcow/mailcow-dockerized
+cd mailcow-dockerized
+
+cat << EOF > mailcow.conf
+# ------------------------------
+# mailcow web ui configuration
+# ------------------------------
+# example.org is _not_ a valid hostname, use a fqdn here.
+# Default admin user is "admin"
+# Default password is "moohoo"
+
+MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
+
+# Password hash algorithm
+# Only certain password hash algorithm are supported. For a fully list of supported schemes,
+# see https://docs.mailcow.email/models/model-passwd/
+MAILCOW_PASS_SCHEME=BLF-CRYPT
+
+# ------------------------------
+# SQL database configuration
+# ------------------------------
+
+DBNAME=mailcow
+DBUSER=mailcow
+
+# Please use long, random alphanumeric strings (A-Za-z0-9)
+
+DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+
+# ------------------------------
+# HTTP/S Bindings
+# ------------------------------
+
+# You should use HTTPS, but in case of SSL offloaded reverse proxies:
+# Might be important: This will also change the binding within the container.
+# If you use a proxy within Docker, point it to the ports you set below.
+# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
+# IMPORTANT: Do not use port 8081, 9081 or 65510!
+# Example: HTTP_BIND=1.2.3.4
+# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
+# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
+
+HTTP_PORT=80
+HTTP_BIND=
+
+HTTPS_PORT=443
+HTTPS_BIND=
+
+# ------------------------------
+# Other bindings
+# ------------------------------
+# You should leave that alone
+# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
+
+SMTP_PORT=25
+SMTPS_PORT=465
+SUBMISSION_PORT=587
+IMAP_PORT=143
+IMAPS_PORT=993
+POP_PORT=110
+POPS_PORT=995
+SIEVE_PORT=4190
+DOVEADM_PORT=127.0.0.1:19991
+SQL_PORT=127.0.0.1:13306
+SOLR_PORT=127.0.0.1:18983
+REDIS_PORT=127.0.0.1:7654
+
+# Your timezone
+# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
+# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
+
+TZ=${LXC_TIMEZONE}
+
+# Fixed project name
+# Please use lowercase letters only
+
+COMPOSE_PROJECT_NAME=mailcowdockerized
+
+# Used Docker Compose version
+# Switch here between native (compose plugin) and standalone
+# For more informations take a look at the mailcow docs regarding the configuration options.
+# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
+# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
+
+DOCKER_COMPOSE_VERSION=native
+
+# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
+# When enabled, ACL can be created, that apply to "All authenticated users"
+# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
+# Otherwise a user might share data with too many other users.
+ACL_ANYONE=disallow
+
+# Garbage collector cleanup
+# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
+# How long should objects remain in the garbage until they are being deleted? (value in minutes)
+# Check interval is hourly
+
+MAILDIR_GC_TIME=7200
+
+# Additional SAN for the certificate
+#
+# You can use wildcard records to create specific names for every domain you add to mailcow.
+# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
+#ADDITIONAL_SAN=imap.*,smtp.*
+# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
+# plus every domain you add in the future.
+#
+# You can also just add static names...
+#ADDITIONAL_SAN=srv1.example.net
+# ...or combine wildcard and static names:
+#ADDITIONAL_SAN=imap.*,srv1.example.com
+#
+
+ADDITIONAL_SAN=
+
+# Additional server names for mailcow UI
+#
+# Specify alternative addresses for the mailcow UI to respond to
+# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
+# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
+# You can understand this as server_name directive in Nginx.
+# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
+
+ADDITIONAL_SERVER_NAMES=
+
+# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
+
+SKIP_LETS_ENCRYPT=y
+
+# Create seperate certificates for all domains - y/n
+# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
+# see https://doc.dovecot.org/admin_manual/ssl/sni_support
+ENABLE_SSL_SNI=n
+
+# Skip IPv4 check in ACME container - y/n
+
+SKIP_IP_CHECK=n
+
+# Skip HTTP verification in ACME container - y/n
+
+SKIP_HTTP_VERIFICATION=n
+
+# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
+
+SKIP_CLAMD=n
+
+# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
+
+SKIP_SOGO=n
+
+# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
+
+SKIP_SOLR=n
+
+# Solr heap size in MB, there is no recommendation, please see Solr docs.
+# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
+
+SOLR_HEAP=1024
+
+# Allow admins to log into SOGo as email user (without any password)
+
+ALLOW_ADMIN_EMAIL_LOGIN=n
+
+# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
+
+USE_WATCHDOG=y
+
+# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
+# CAUTION:
+# 1. You should use external recipients
+# 2. Mails are sent unsigned (no DKIM)
+# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
+# Multiple rcpts allowed, NO quotation marks, NO spaces
+
+#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
+#WATCHDOG_NOTIFY_EMAIL=
+
+# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
+# You can use this to send notifications to services like Discord, Slack and others.
+#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# JSON body included in the webhook POST request. Needs to be in single quotes.
+# Following variables are available: SUBJECT, BODY
+#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
+
+# Notify about banned IP (includes whois lookup)
+WATCHDOG_NOTIFY_BAN=n
+
+# Send a notification when the watchdog is started.
+WATCHDOG_NOTIFY_START=y
+
+# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
+#WATCHDOG_SUBJECT=
+
+# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
+# https://www.servercow.de/mailcow?lang=en
+# https://www.servercow.de/mailcow?lang=de
+# No data is collected. Opt-in and anonymous.
+# Will only work with unmodified mailcow setups.
+WATCHDOG_EXTERNAL_CHECKS=n
+
+# Enable watchdog verbose logging
+WATCHDOG_VERBOSE=n
+
+# Max log lines per service to keep in Redis logs
+
+LOG_LINES=9999
+
+# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
+# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
+
+IPV4_NETWORK=172.22.1
+
+# Internal IPv6 subnet in fc00::/7
+# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
+
+IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
+
+# Use this IPv4 for outgoing connections (SNAT)
+
+#SNAT_TO_SOURCE=
+
+# Use this IPv6 for outgoing connections (SNAT)
+
+#SNAT6_TO_SOURCE=
+
+# Create or override an API key for the web UI
+# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
+# An API key defined as API_KEY has read-write access
+# An API key defined as API_KEY_READ_ONLY has read-only access
+# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
+# You can define API_KEY and/or API_KEY_READ_ONLY
+
+#API_KEY=
+#API_KEY_READ_ONLY=
+#API_ALLOW_FROM=172.22.1.1,127.0.0.1
+
+# mail_home is ~/Maildir
+MAILDIR_SUB=Maildir
+
+# SOGo session timeout in minutes
+SOGO_EXPIRE_SESSION=480
+
+# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
+# Empty by default to auto-generate master user and password on start.
+# User expands to DOVECOT_MASTER_USER@mailcow.local
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_USER=
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_PASS=
+
+# Let's Encrypt registration contact information
+# Optional: Leave empty for none
+# This value is only used on first order!
+# Setting it at a later point will require the following steps:
+# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
+ACME_CONTACT=
+
+# WebAuthn device manufacturer verification
+# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_ONLY_TRUSTED_VENDORS=n
+
+# Spamhaus Data Query Service Key
+# Optional: Leave empty for none
+# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist. 
+# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
+# Otherwise it will work normally.
+SPAMHAUS_DQS_KEY=
+
+EOF
+
+cat << EOF > data/conf/nginx/redirect.conf
+server {
+  root /web;
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  include /etc/nginx/conf.d/server_name.active;
+  if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
+  location ^~ /.well-known/acme-challenge/ {
+    allow all;
+    default_type "text/plain";
+  }
+  location / {
+    return 301 https://\$host\$uri\$is_args\$args;
+  }
+}
+EOF
+
+cat << EOF > /etc/cron.daily/mailcowbackup
+#!/bin/sh
+
+# Backup mailcow data
+# https://docs.mailcow.email/backup_restore/b_n_r-backup/
+
+set -e
+
+OUT="\$(mktemp)"
+export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
+SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
+PARAMETERS="backup all"
+OPTIONS="--delete-days 7"
+mkdir -p \$MAILCOW_BACKUP_LOCATION
+
+# run command
+set +e
+"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
+RESULT=\$?
+
+if [ \$RESULT -ne 0 ]
+    then
+            echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
+            echo "RESULT=\$RESULT"
+            echo "STDOUT / STDERR:"
+            cat "\$OUT"
+fi
+EOF
+
+chmod +x /etc/cron.daily/mailcowbackup
+
+cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
+#!/bin/bash
+if ! which check_mk_agent ; then
+  cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
+  status=\$?
+  if [ \$status -eq 3 ]; then
+    state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
+  elif [ \$status -eq 0 ]; then
+    state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
+  else
+    state="3 \"mailcow_update\" - Unknown output from update script ..."
+  fi
+  echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
+  mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
+fi
+exit
+EOF
+chmod +x /etc/cron.daily/checkmk-mailcow-update-check
+
+chmod 600 mailcow.conf
+
+mkdir -p data/assets/ssl
+
+openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
+
+openssl dhparam -out data/assets/ssl/dhparams.pem 2048
+cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
+mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
+systemctl restart nginx
+EOF
+chmod +x /etc/cron.monthly/generate-dhparams
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac

src/mailpiler/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 PILER_VERSION="1.3.12"
 # Defines the version of sphinx to install

src/matrix/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/nextcloud/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 NEXTCLOUD_VERSION="latest"
 

src/nextcloud/install-service.sh

@@ -90,7 +90,7 @@ sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/
 
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
-openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+generate_dhparam
 
 mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 
@@ -160,7 +160,7 @@ ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
 #ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
 #ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
 #ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
-ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_dhparam /etc/nginx/dhparam.pem;
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;

src/omada/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 

src/onlyoffice/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 ONLYOFFICE_DB_HOST=localhost
 
 ONLYOFFICE_DB_NAME=onlyoffice

src/open3a/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/proxmox-pbs/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Backup ubdir where Urbackup will store backups
 PBS_DATA="backup"
 

src/rei3/constants-service.conf

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+REI3_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+REI3_DB_PORT="5432"
+
+# Defines the name from the SQL database
+REI3_DB_NAME="app"
+
+# Defines the name from the SQL user
+REI3_DB_USR="rei3"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+REI3_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="postgresql"

src/rei3/install-service.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+mkdir /opt/rei3
+wget -c https://rei3.de/downloads/REI3_3.4.2_x64_linux.tar.gz -O - | tar -zx -C /opt/rei3
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgres.gpg
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${REI3_DB_USR} WITH PASSWORD '${REI3_DB_PWD}';"
+psql -c "CREATE DATABASE ${REI3_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${REI3_DB_USR};"
+psql -c "GRANT ALL PRIVILEGES ON DATABASE ${REI3_DB_NAME} TO ${REI3_DB_USR};"
+echo "Postgres User ${REI3_DB_USR} and database ${REI3_DB_NAME} created."
+EOF
+
+cp /opt/rei3/config_template.json /opt/rei3/config.json
+chmod u+x /opt/rei3/r3
+
+sed -i 's/"user": "app",/"user": "'${REI3_DB_USR}'",/g' /opt/rei3/config.json 
+sed -i 's/"pass": "app",/"pass": "'${REI3_DB_PWD}'",/g' /opt/rei3/config.json 
+
+/opt/rei3/r3 -install
+#/opt/rei/r3 -newadmin
+systemctl start rei3

src/unifi/constants-service.conf

@@ -9,6 +9,8 @@
 
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
+# !!!! Leave at debian 11, currently unifi depends on mongodb-server <= 4.4 and libssl1.1
+# libssl1.1 is unsupported on debian bookworm
 
 # Create sharefs mountpoint
 LXC_MP="0"
@@ -19,6 +21,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 

src/unifi/install-service.sh

@@ -11,10 +11,10 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
+wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://pgp.mongodb.com/server-4.4.asc
 wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
 
-echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
+echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
 echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
 
 apt update

src/urbackup/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Backup ubdir where Urbackup will store backups
 URBACKUP_DATA="urbackup"
 

src/vaultwarden/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Defines the name from the SQL database
 VAULTWARDEN_DB_NAME="vaultwarden"
 

src/vaultwarden/install-service.sh

@@ -40,7 +40,7 @@ ORG_CREATION_USERS=admin@$LXC_DOMAIN
 # Use `openssl rand -base64 48` to generate
 ADMIN_TOKEN=$admin_token
 # Uncomment this once vaults restored
-SIGNUPS_ALLOWED=false
+SIGNUPS_ALLOWED=$VW_SIGNUPS_ALLOWED
 SMTP_HOST=$VW_SMTP_HOST
 SMTP_FROM=$VW_SMTP_FROM
 SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
@@ -154,7 +154,10 @@ server {
 }
 
 EOF
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+generate_dhparam
+
+unlink /etc/nginx/sites-enabled/default
 
 systemctl daemon-reload
 systemctl enable --now vaultwarden

src/zabbix/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 
 # Defines the IP from the SQL server
 ZABBIX_DB_IP="127.0.0.1"

src/zabbix/install-service.sh

@@ -10,7 +10,7 @@ source /root/zamba.conf
 source /root/constants-service.conf
 
 apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
-echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ $(lsb_release -cs) main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
+echo "deb https://repo.zabbix.com/zabbix/6.5/debian/ $(lsb_release -cs) main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.5.list
 
 wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
 echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
@@ -222,7 +222,7 @@ zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psq
 
 echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
 
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+generate_dhparam
 
 systemctl enable --now zabbix-server zabbix-agent nginx php8.2-fpm 
 

src/zammad/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 

src/zammad/install-service.sh

@@ -157,7 +157,7 @@ EOF
 
 ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
 
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+generate_dhparam
 
 /usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
 

src/zmb-ad-join/constants-service.conf

@@ -11,7 +11,7 @@
 LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP="1"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # add optional features to samba ad dc
 
 # CURRENTLY SUPPORTED:
@@ -29,7 +32,7 @@ LXC_NESTING="1"
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

src/zmb-ad-join/install-service.sh

@@ -27,36 +27,40 @@ for f in ${OPTIONAL_FEATURES[@]}; do
   fi
 done
 
-## configure ntp
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-# No restrictions for "localhost"
-restrict 127.0.0.1
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-tinker panic 0
-EOF
+echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 	  cat << EOF > /etc/nginx/sites-available/default
 server {
@@ -119,12 +123,16 @@ cat > /etc/krb5.conf <<EOF
 EOF
 
 # stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 
 echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
 samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
 
+
+rm /etc/krb5.conf
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
 mkdir -p /mnt/sysvol
 
 cat << EOF > /root/.smbcredentials
@@ -138,13 +146,75 @@ echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0"
 mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
 
 cat > /etc/cron.d/sysvol-sync << EOF
-*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
+*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol; if ! /usr/bin/samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then /usr/bin/samba-tool ntacl sysvolreset ; fi
 EOF
 
 /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
 
+if ! samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then
+  samba-tool ntacl sysvolreset
+fi
+
 ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
 
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=$1
+if \$1 ; then
+  keep=\$1
+fi
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF

src/zmb-ad/constants-service.conf

@@ -11,7 +11,7 @@
 LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP="1"
 
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # add optional features to samba ad dc
 
 # CURRENTLY SUPPORTED:
@@ -29,7 +32,7 @@ LXC_NESTING="1"
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024

src/zmb-ad/install-service.sh

@@ -27,42 +27,39 @@ for f in ${OPTIONAL_FEATURES[@]}; do
   fi
 done
 
-## configure ntp
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-
-# No restrictions for "localhost"
-restrict 127.0.0.1
-
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-
-tinker panic 0
-EOF
+echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
 
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
   cat << EOF > /etc/nginx/sites-available/default
@@ -121,20 +118,76 @@ EOF
   mkdir -p /var/lib/samba/bind-dns/dns
 fi
 
-
-
 # stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf
 
 # provision zamba domain
 samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
 
-cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+# disable password expiry for administrator
+samba-tool user setexpiry Administrator --noexpiry
 
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
 
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF
+
 exit 0

src/zmb-cups/constants-service.conf

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,member,cups,printserver"

src/zmb-cups/install-service.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+klist
+
+mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
+cat > /etc/samba/smb.conf <<EOF
+[global]
+	workgroup = $ZMB_DOMAIN
+	security = ADS
+	realm = $ZMB_REALM
+	server string = %h server
+
+	vfs objects = acl_xattr shadow_copy2
+	map acl inherit = Yes
+	store dos attributes = Yes
+	idmap config *:backend = tdb
+	idmap config *:range = 3000000-4000000
+	idmap config *:schema_mode = rfc2307
+
+	winbind refresh tickets = Yes
+	winbind use default domain = Yes
+	winbind separator = /
+	winbind nested groups = yes
+	winbind nss info = rfc2307
+
+	pam password change = Yes
+	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+	passwd program = /usr/bin/passwd %u
+
+	template homedir = /home/%U
+	template shell = /bin/bash
+	bind interfaces only = Yes
+	interfaces = lo eth0
+	log file = /var/log/samba/log.%m
+	logging = syslog
+	max log size = 1000
+	panic action = /usr/share/samba/panic-action %d
+
+	dns proxy = No
+	shadow: snapdir = .zfs/snapshot
+	shadow: sort = desc
+	shadow: format = -%Y-%m-%d-%H%M
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+	shadow: delimiter = -20
+	
+	printing = CUPS
+	rpcd_spoolss:idle_seconds=300
+	rpcd_spoolss:num_workers = 10
+	spoolss: architecture = Windows x64
+
+[printers]
+	path = /${LXC_SHAREFS_MOUNTPOINT}/spool
+	printable = yes
+
+[print$]
+	path = /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+	read only = no
+
+EOF
+
+systemctl restart smbd
+
+echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
+sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
+sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
+echo -e "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
+
+systemctl restart winbind nmbd
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
+cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
+chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
+systemctl disable --now cups-browsed.service
+
+cupsctl --remote-admin
+
+systemctl restart cups smbd nmbd winbind wsdd

src/zmb-member/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/zmb-member/install-service.sh

@@ -9,9 +9,11 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
+echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF

src/zmb-standalone/constants-service.conf

@@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 
+# enable keyctl feature
+LXC_KEYCTL="0"
+
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 

src/zmb-standalone/install-service.sh

@@ -12,10 +12,12 @@ source /root/constants-service.conf
 apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
 echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
 
+echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
 
 USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
 useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER