mirror of
https://github.com/bashclub/zamba-lxc-toolbox.git
synced 2024-12-24 11:20:13 +01:00
Merge pull request #1 from bashclub/dev
Sync with upstream bashclub/zamba-lxc-toolbox dev changes
This commit is contained in:
commit
ab85dd6238
@ -32,6 +32,9 @@ LXC_SHAREFS_MOUNTPOINT="tank"
|
||||
# Defines a the host system folder to be bind-mounted and shared by Zamba. Requires LXC_SHAREFS_SIZE > 0 but ignores the value. (AD member & standalone) (default: "")
|
||||
LXC_SHAREFS_BINDMOUNT=""
|
||||
|
||||
# cpu core count (default: 0 = unlimited)
|
||||
LXC_THREADS=0
|
||||
|
||||
# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
|
||||
LXC_MEM=1024
|
||||
|
||||
@ -89,6 +92,9 @@ LXC_VIM_BG_DARK=1
|
||||
# Default random password length
|
||||
LXC_RANDOMPWD=32
|
||||
|
||||
# Move lxc to specific ressource pool
|
||||
LXC_RESSOURCE_POOL=""
|
||||
|
||||
# Automatically add meta tags to lxc container
|
||||
LXC_AUTOTAG=1
|
||||
|
||||
@ -175,6 +181,10 @@ KOPANO_MAILGW="192.168.100.254"
|
||||
KOPANO_REPKEY="1234567890abcdefghijklmno"
|
||||
|
||||
############### vaultwarden Section ###############
|
||||
|
||||
# Enable/disable signups (true/false)
|
||||
VW_SIGNUPS_ALLOWED=false
|
||||
|
||||
# Hostname of your mailserver
|
||||
VW_SMTP_HOST=mail.bashclub.org
|
||||
|
||||
@ -198,3 +208,15 @@ VW_SMTP_USERNAME=vaultwarden@bashclub.org
|
||||
|
||||
# password of your mailbox
|
||||
VW_SMTP_PASSWORD='<yourEmailPassword>'
|
||||
|
||||
############### ansible-semaphore Section ###############
|
||||
|
||||
SEMAPHORE_ADMIN=admin
|
||||
SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
|
||||
SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
|
||||
SEMAPHORE_ADMIN_PASSWORD='Start123'
|
||||
|
||||
############### docker Section ###############
|
||||
|
||||
# Install Portainer (=full), Protainer Agent (=agent) or none
|
||||
PORTAINER=none
|
18
install.sh
18
install.sh
@ -130,16 +130,26 @@ else
|
||||
fi
|
||||
echo "Will now create LXC Container $LXC_NBR!";
|
||||
|
||||
if [ $LXC_THREADS -gt 0 ]; then
|
||||
LXC_CORES=--cores\ $LXC_THREADS
|
||||
fi
|
||||
|
||||
|
||||
if [[ $LXC_RESSOURCE_POOL != "" ]]; then
|
||||
LXC_POOL=--pool\ $LXC_RESSOURCE_POOL
|
||||
fi
|
||||
|
||||
|
||||
# Create the container
|
||||
set +u
|
||||
pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
|
||||
pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
|
||||
set -u
|
||||
sleep 2;
|
||||
|
||||
# Check vlan configuration
|
||||
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
|
||||
# Reconfigure conatiner
|
||||
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
|
||||
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
|
||||
if [ $LXC_DHCP == true ]; then
|
||||
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
|
||||
else
|
||||
@ -187,3 +197,7 @@ elif [[ $service == "zmb-ad-join" ]]; then
|
||||
pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
|
||||
fi
|
||||
pct start $LXC_NBR
|
||||
if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
|
||||
sleep 5
|
||||
pct exec $LXC_NBR /usr/local/bin/smb-backup 7
|
||||
fi
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
||||
|
@ -52,6 +52,9 @@ fi
|
||||
EOF
|
||||
chmod +x /usr/local/bin/update-semaphore
|
||||
|
||||
useradd -m -r -s /bin/bash semaphore
|
||||
sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
|
||||
|
||||
cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
|
||||
DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
|
||||
EOF
|
||||
@ -70,6 +73,8 @@ ExecReload=/bin/kill -HUP \$MAINPID
|
||||
ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
|
||||
SyslogIdentifier=semaphore
|
||||
Restart=always
|
||||
User=semaphore
|
||||
Group=semaphore
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -207,8 +212,11 @@ echo "source <(semaphore completion bash)" >> /root/.bashrc
|
||||
semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json
|
||||
|
||||
|
||||
openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
generate_dhparam
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl enable --now semaphore.service
|
||||
systemctl restart nginx.service
|
||||
|
||||
|
||||
echo -e "\n######################################################################\n\n Please note this user and password for the semaphore login:\n '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n Enjoy your semaphore intallation.\n\n######################################################################"
|
||||
|
29
src/authentik/constants-service.conf
Normal file
29
src/authentik/constants-service.conf
Normal file
@ -0,0 +1,29 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
# This file contains the project constants on service level
|
||||
|
||||
# Debian Version, which will be installed
|
||||
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||
|
||||
# Create sharefs mountpoint
|
||||
LXC_MP="0"
|
||||
|
||||
# Create unprivileged container
|
||||
LXC_UNPRIVILEGED="1"
|
||||
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="1"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=2048
|
||||
|
||||
# service dependent meta tags
|
||||
SERVICE_TAGS="docker"
|
107
src/authentik/install-service.sh
Normal file
107
src/authentik/install-service.sh
Normal file
@ -0,0 +1,107 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
source /root/functions.sh
|
||||
source /root/zamba.conf
|
||||
source /root/constants-service.conf
|
||||
|
||||
# Add Docker's official GPG key:
|
||||
install -m 0755 -d /etc/apt/keyrings
|
||||
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||
chmod a+r /etc/apt/keyrings/docker.gpg
|
||||
|
||||
# Add the repository to Apt sources:
|
||||
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||
apt-get update
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
|
||||
|
||||
SECRET=$(random_password)
|
||||
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
|
||||
|
||||
install_portainer_full() {
|
||||
mkdir -p /opt/portainer/data
|
||||
cd /opt/portainer
|
||||
cat << EOF > /opt/portainer/docker-compose.yml
|
||||
version: "3.4"
|
||||
|
||||
services:
|
||||
portainer:
|
||||
restart: always
|
||||
image: portainer/portainer:latest
|
||||
volumes:
|
||||
- ./data:/data
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
ports:
|
||||
- "8000:8000"
|
||||
- "9443:9443"
|
||||
command: --admin-password-file=/data/admin_password
|
||||
EOF
|
||||
echo -n "$SECRET" > ./data/admin_password
|
||||
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
|
||||
|
||||
}
|
||||
|
||||
install_portainer_agent() {
|
||||
mkdir -p /opt/portainer-agent/data
|
||||
cd /opt/portainer-agent
|
||||
cat << EOF > /opt/portainer-agent/docker-compose.yml
|
||||
version: "3.4"
|
||||
|
||||
services:
|
||||
portainer:
|
||||
restart: always
|
||||
image: portainer/agent:latest
|
||||
volumes:
|
||||
- /var/lib/docker/volumes:/var/lib/docker/volumes
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
ports:
|
||||
- "9001:9001"
|
||||
EOF
|
||||
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
|
||||
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
|
||||
|
||||
}
|
||||
|
||||
mkdir -p /opt/authentik
|
||||
wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
|
||||
cd /opt/authentik
|
||||
cat << EOF > .env
|
||||
PG_PASS=$(pwgen -s 40 1)
|
||||
AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK=false
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED=false
|
||||
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
|
||||
AUTHENTIK_AVATARS=initials
|
||||
COMPOSE_PORT_HTTP=80
|
||||
COMPOSE_PORT_HTTPS=443
|
||||
AUTHENTIK_EMAIL__HOST=
|
||||
AUTHENTIK_EMAIL__PORT=
|
||||
AUTHENTIK_EMAIL__USERNAME=
|
||||
AUTHENTIK_EMAIL__PASSWORD=
|
||||
# Use StartTLS
|
||||
AUTHENTIK_EMAIL__USE_TLS=false
|
||||
# Use SSL
|
||||
AUTHENTIK_EMAIL__USE_SSL=false
|
||||
AUTHENTIK_EMAIL__TIMEOUT=10
|
||||
# Email address authentik will send from, should have a correct @domain
|
||||
AUTHENTIK_EMAIL__FROM=
|
||||
EOF
|
||||
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
|
||||
case $PORTAINER in
|
||||
full) install_portainer_full ;;
|
||||
agent) install_portainer_agent ;;
|
||||
*) echo -e "\n######################################################################\n\n Enjoy your authentik intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
|
||||
esac
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
||||
|
@ -19,8 +19,11 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# checkmk version
|
||||
CMK_VERSION=2.2.0p7
|
||||
CMK_VERSION=2.2.0p14
|
||||
# build number of the debian package (needs to start with underscore)
|
||||
CMK_BUILD=_0
|
||||
|
||||
@ -28,4 +31,4 @@ CMK_BUILD=_0
|
||||
LXC_MEM_MIN=2048
|
||||
|
||||
# service dependent meta tags
|
||||
SERVICE_TAGS="apache2"
|
||||
SERVICE_TAGS="apache2"
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=512
|
||||
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=512
|
||||
|
||||
|
29
src/docker/constants-service.conf
Normal file
29
src/docker/constants-service.conf
Normal file
@ -0,0 +1,29 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
# This file contains the project constants on service level
|
||||
|
||||
# Debian Version, which will be installed
|
||||
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||
|
||||
# Create sharefs mountpoint
|
||||
LXC_MP="0"
|
||||
|
||||
# Create unprivileged container
|
||||
LXC_UNPRIVILEGED="1"
|
||||
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="1"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=2048
|
||||
|
||||
# service dependent meta tags
|
||||
SERVICE_TAGS=""
|
79
src/docker/install-service.sh
Normal file
79
src/docker/install-service.sh
Normal file
@ -0,0 +1,79 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
source /root/functions.sh
|
||||
source /root/zamba.conf
|
||||
source /root/constants-service.conf
|
||||
|
||||
# Add Docker's official GPG key:
|
||||
install -m 0755 -d /etc/apt/keyrings
|
||||
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||
chmod a+r /etc/apt/keyrings/docker.gpg
|
||||
|
||||
# Add the repository to Apt sources:
|
||||
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||
apt-get update
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||
|
||||
SECRET=$(random_password)
|
||||
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
|
||||
|
||||
install_portainer_full() {
|
||||
mkdir -p /opt/portainer/data
|
||||
cd /opt/portainer
|
||||
cat << EOF > /opt/portainer/docker-compose.yml
|
||||
version: "3.4"
|
||||
|
||||
services:
|
||||
portainer:
|
||||
restart: always
|
||||
image: portainer/portainer:latest
|
||||
volumes:
|
||||
- ./data:/data
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
ports:
|
||||
- "8000:8000"
|
||||
- "9443:9443"
|
||||
command: --admin-password-file=/data/admin_password
|
||||
EOF
|
||||
echo -n "$SECRET" > ./data/admin_password
|
||||
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################"
|
||||
|
||||
}
|
||||
|
||||
install_portainer_agent() {
|
||||
mkdir -p /opt/portainer-agent/data
|
||||
cd /opt/portainer-agent
|
||||
cat << EOF > /opt/portainer-agent/docker-compose.yml
|
||||
version: "3.4"
|
||||
|
||||
services:
|
||||
portainer:
|
||||
restart: always
|
||||
image: portainer/agent:latest
|
||||
volumes:
|
||||
- /var/lib/docker/volumes:/var/lib/docker/volumes
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
ports:
|
||||
- "9001:9001"
|
||||
EOF
|
||||
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
|
||||
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################"
|
||||
|
||||
}
|
||||
|
||||
case $PORTAINER in
|
||||
full) install_portainer_full ;;
|
||||
agent) install_portainer_agent ;;
|
||||
*) echo -e "\n######################################################################\n\n Enjoy your Docker intallation.\n\n######################################################################" ;;
|
||||
esac
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# set ecodms release version
|
||||
ECODMS_RELEASE=ecodms_230164
|
||||
|
||||
|
@ -5,5 +5,16 @@ LXC_RANDOMPWD=32
|
||||
|
||||
random_password() {
|
||||
set +o pipefail
|
||||
C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
|
||||
}
|
||||
LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
|
||||
}
|
||||
|
||||
generate_dhparam() {
|
||||
openssl dhparam -out /etc/nginx/dhparam.pem 2048
|
||||
cat << EOF > /etc/cron.monthly/generate-dhparams
|
||||
#!/bin/bash
|
||||
openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
|
||||
mv /etc/nginx/dhparam.gen /etc/nginx/dhparam.pem
|
||||
systemctl restart nginx
|
||||
EOF
|
||||
chmod +x /etc/cron.monthly/generate-dhparams
|
||||
}
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Defines the IP from the SQL server
|
||||
GITEA_DB_IP="127.0.0.1"
|
||||
|
||||
|
@ -181,7 +181,7 @@ server {
|
||||
}
|
||||
|
||||
EOF
|
||||
openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
generate_dhparam
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl enable --now gitea
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
||||
#KIMAI_VERSION="main"
|
||||
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
||||
KOPANO_VERSION="latest"
|
||||
|
||||
|
@ -149,7 +149,7 @@ sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kop
|
||||
#### Adjust nginx settings ####
|
||||
|
||||
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
|
||||
openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
|
||||
generate_dhparam
|
||||
|
||||
#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
|
||||
|
||||
@ -187,7 +187,7 @@ server {
|
||||
ssl_prefer_server_ciphers on;
|
||||
#
|
||||
# ssl_dhparam require you to create a dhparam.pem, this takes a long time
|
||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
#
|
||||
|
||||
# add headers
|
||||
|
29
src/mailcow/constants-service.conf
Normal file
29
src/mailcow/constants-service.conf
Normal file
@ -0,0 +1,29 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
# This file contains the project constants on service level
|
||||
|
||||
# Debian Version, which will be installed
|
||||
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||
|
||||
# Create sharefs mountpoint
|
||||
LXC_MP="1"
|
||||
|
||||
# Create unprivileged container
|
||||
LXC_UNPRIVILEGED="1"
|
||||
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="1"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=8192
|
||||
|
||||
# service dependent meta tags
|
||||
SERVICE_TAGS="docker"
|
438
src/mailcow/install-service.sh
Normal file
438
src/mailcow/install-service.sh
Normal file
@ -0,0 +1,438 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
source /root/functions.sh
|
||||
source /root/zamba.conf
|
||||
source /root/constants-service.conf
|
||||
|
||||
# Add Docker's official GPG key:
|
||||
install -m 0755 -d /etc/apt/keyrings
|
||||
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||
chmod a+r /etc/apt/keyrings/docker.gpg
|
||||
|
||||
# Add the repository to Apt sources:
|
||||
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||
apt-get update
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
|
||||
|
||||
SECRET=$(random_password)
|
||||
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
|
||||
|
||||
install_portainer_full() {
|
||||
mkdir -p /opt/portainer/data
|
||||
cd /opt/portainer
|
||||
cat << EOF > /opt/portainer/docker-compose.yml
|
||||
version: "3.4"
|
||||
|
||||
services:
|
||||
portainer:
|
||||
restart: always
|
||||
image: portainer/portainer:latest
|
||||
volumes:
|
||||
- ./data:/data
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
ports:
|
||||
- "8000:8000"
|
||||
- "9443:9443"
|
||||
command: --admin-password-file=/data/admin_password
|
||||
EOF
|
||||
echo -n "$SECRET" > ./data/admin_password
|
||||
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################"
|
||||
|
||||
}
|
||||
|
||||
install_portainer_agent() {
|
||||
mkdir -p /opt/portainer-agent/data
|
||||
cd /opt/portainer-agent
|
||||
cat << EOF > /opt/portainer-agent/docker-compose.yml
|
||||
version: "3.4"
|
||||
|
||||
services:
|
||||
portainer:
|
||||
restart: always
|
||||
image: portainer/agent:latest
|
||||
volumes:
|
||||
- /var/lib/docker/volumes:/var/lib/docker/volumes
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
ports:
|
||||
- "9001:9001"
|
||||
EOF
|
||||
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
|
||||
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################"
|
||||
|
||||
}
|
||||
|
||||
cd /opt
|
||||
git clone https://github.com/mailcow/mailcow-dockerized
|
||||
cd mailcow-dockerized
|
||||
|
||||
cat << EOF > mailcow.conf
|
||||
# ------------------------------
|
||||
# mailcow web ui configuration
|
||||
# ------------------------------
|
||||
# example.org is _not_ a valid hostname, use a fqdn here.
|
||||
# Default admin user is "admin"
|
||||
# Default password is "moohoo"
|
||||
|
||||
MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
|
||||
|
||||
# Password hash algorithm
|
||||
# Only certain password hash algorithm are supported. For a fully list of supported schemes,
|
||||
# see https://docs.mailcow.email/models/model-passwd/
|
||||
MAILCOW_PASS_SCHEME=BLF-CRYPT
|
||||
|
||||
# ------------------------------
|
||||
# SQL database configuration
|
||||
# ------------------------------
|
||||
|
||||
DBNAME=mailcow
|
||||
DBUSER=mailcow
|
||||
|
||||
# Please use long, random alphanumeric strings (A-Za-z0-9)
|
||||
|
||||
DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
|
||||
DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
|
||||
|
||||
# ------------------------------
|
||||
# HTTP/S Bindings
|
||||
# ------------------------------
|
||||
|
||||
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
|
||||
# Might be important: This will also change the binding within the container.
|
||||
# If you use a proxy within Docker, point it to the ports you set below.
|
||||
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
|
||||
# IMPORTANT: Do not use port 8081, 9081 or 65510!
|
||||
# Example: HTTP_BIND=1.2.3.4
|
||||
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
|
||||
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
|
||||
|
||||
HTTP_PORT=80
|
||||
HTTP_BIND=
|
||||
|
||||
HTTPS_PORT=443
|
||||
HTTPS_BIND=
|
||||
|
||||
# ------------------------------
|
||||
# Other bindings
|
||||
# ------------------------------
|
||||
# You should leave that alone
|
||||
# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
|
||||
|
||||
SMTP_PORT=25
|
||||
SMTPS_PORT=465
|
||||
SUBMISSION_PORT=587
|
||||
IMAP_PORT=143
|
||||
IMAPS_PORT=993
|
||||
POP_PORT=110
|
||||
POPS_PORT=995
|
||||
SIEVE_PORT=4190
|
||||
DOVEADM_PORT=127.0.0.1:19991
|
||||
SQL_PORT=127.0.0.1:13306
|
||||
SOLR_PORT=127.0.0.1:18983
|
||||
REDIS_PORT=127.0.0.1:7654
|
||||
|
||||
# Your timezone
|
||||
# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
|
||||
# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
|
||||
|
||||
TZ=${LXC_TIMEZONE}
|
||||
|
||||
# Fixed project name
|
||||
# Please use lowercase letters only
|
||||
|
||||
COMPOSE_PROJECT_NAME=mailcowdockerized
|
||||
|
||||
# Used Docker Compose version
|
||||
# Switch here between native (compose plugin) and standalone
|
||||
# For more informations take a look at the mailcow docs regarding the configuration options.
|
||||
# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
|
||||
# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
|
||||
|
||||
DOCKER_COMPOSE_VERSION=native
|
||||
|
||||
# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
|
||||
# When enabled, ACL can be created, that apply to "All authenticated users"
|
||||
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
|
||||
# Otherwise a user might share data with too many other users.
|
||||
ACL_ANYONE=disallow
|
||||
|
||||
# Garbage collector cleanup
|
||||
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
|
||||
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
|
||||
# Check interval is hourly
|
||||
|
||||
MAILDIR_GC_TIME=7200
|
||||
|
||||
# Additional SAN for the certificate
|
||||
#
|
||||
# You can use wildcard records to create specific names for every domain you add to mailcow.
|
||||
# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
|
||||
#ADDITIONAL_SAN=imap.*,smtp.*
|
||||
# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
|
||||
# plus every domain you add in the future.
|
||||
#
|
||||
# You can also just add static names...
|
||||
#ADDITIONAL_SAN=srv1.example.net
|
||||
# ...or combine wildcard and static names:
|
||||
#ADDITIONAL_SAN=imap.*,srv1.example.com
|
||||
#
|
||||
|
||||
ADDITIONAL_SAN=
|
||||
|
||||
# Additional server names for mailcow UI
|
||||
#
|
||||
# Specify alternative addresses for the mailcow UI to respond to
|
||||
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
|
||||
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
|
||||
# You can understand this as server_name directive in Nginx.
|
||||
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
|
||||
|
||||
ADDITIONAL_SERVER_NAMES=
|
||||
|
||||
# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
|
||||
|
||||
SKIP_LETS_ENCRYPT=y
|
||||
|
||||
# Create seperate certificates for all domains - y/n
|
||||
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
|
||||
# see https://doc.dovecot.org/admin_manual/ssl/sni_support
|
||||
ENABLE_SSL_SNI=n
|
||||
|
||||
# Skip IPv4 check in ACME container - y/n
|
||||
|
||||
SKIP_IP_CHECK=n
|
||||
|
||||
# Skip HTTP verification in ACME container - y/n
|
||||
|
||||
SKIP_HTTP_VERIFICATION=n
|
||||
|
||||
# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
|
||||
|
||||
SKIP_CLAMD=n
|
||||
|
||||
# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
|
||||
|
||||
SKIP_SOGO=n
|
||||
|
||||
# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
|
||||
|
||||
SKIP_SOLR=n
|
||||
|
||||
# Solr heap size in MB, there is no recommendation, please see Solr docs.
|
||||
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
|
||||
|
||||
SOLR_HEAP=1024
|
||||
|
||||
# Allow admins to log into SOGo as email user (without any password)
|
||||
|
||||
ALLOW_ADMIN_EMAIL_LOGIN=n
|
||||
|
||||
# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
|
||||
|
||||
USE_WATCHDOG=y
|
||||
|
||||
# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
|
||||
# CAUTION:
|
||||
# 1. You should use external recipients
|
||||
# 2. Mails are sent unsigned (no DKIM)
|
||||
# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
|
||||
# Multiple rcpts allowed, NO quotation marks, NO spaces
|
||||
|
||||
#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
|
||||
#WATCHDOG_NOTIFY_EMAIL=
|
||||
|
||||
# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
|
||||
# You can use this to send notifications to services like Discord, Slack and others.
|
||||
#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# JSON body included in the webhook POST request. Needs to be in single quotes.
|
||||
# Following variables are available: SUBJECT, BODY
|
||||
#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
|
||||
|
||||
# Notify about banned IP (includes whois lookup)
|
||||
WATCHDOG_NOTIFY_BAN=n
|
||||
|
||||
# Send a notification when the watchdog is started.
|
||||
WATCHDOG_NOTIFY_START=y
|
||||
|
||||
# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
|
||||
#WATCHDOG_SUBJECT=
|
||||
|
||||
# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
|
||||
# https://www.servercow.de/mailcow?lang=en
|
||||
# https://www.servercow.de/mailcow?lang=de
|
||||
# No data is collected. Opt-in and anonymous.
|
||||
# Will only work with unmodified mailcow setups.
|
||||
WATCHDOG_EXTERNAL_CHECKS=n
|
||||
|
||||
# Enable watchdog verbose logging
|
||||
WATCHDOG_VERBOSE=n
|
||||
|
||||
# Max log lines per service to keep in Redis logs
|
||||
|
||||
LOG_LINES=9999
|
||||
|
||||
# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
|
||||
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
|
||||
|
||||
IPV4_NETWORK=172.22.1
|
||||
|
||||
# Internal IPv6 subnet in fc00::/7
|
||||
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
|
||||
|
||||
IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
|
||||
|
||||
# Use this IPv4 for outgoing connections (SNAT)
|
||||
|
||||
#SNAT_TO_SOURCE=
|
||||
|
||||
# Use this IPv6 for outgoing connections (SNAT)
|
||||
|
||||
#SNAT6_TO_SOURCE=
|
||||
|
||||
# Create or override an API key for the web UI
|
||||
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
|
||||
# An API key defined as API_KEY has read-write access
|
||||
# An API key defined as API_KEY_READ_ONLY has read-only access
|
||||
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
|
||||
# You can define API_KEY and/or API_KEY_READ_ONLY
|
||||
|
||||
#API_KEY=
|
||||
#API_KEY_READ_ONLY=
|
||||
#API_ALLOW_FROM=172.22.1.1,127.0.0.1
|
||||
|
||||
# mail_home is ~/Maildir
|
||||
MAILDIR_SUB=Maildir
|
||||
|
||||
# SOGo session timeout in minutes
|
||||
SOGO_EXPIRE_SESSION=480
|
||||
|
||||
# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
|
||||
# Empty by default to auto-generate master user and password on start.
|
||||
# User expands to DOVECOT_MASTER_USER@mailcow.local
|
||||
# LEAVE EMPTY IF UNSURE
|
||||
DOVECOT_MASTER_USER=
|
||||
# LEAVE EMPTY IF UNSURE
|
||||
DOVECOT_MASTER_PASS=
|
||||
|
||||
# Let's Encrypt registration contact information
|
||||
# Optional: Leave empty for none
|
||||
# This value is only used on first order!
|
||||
# Setting it at a later point will require the following steps:
|
||||
# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
|
||||
ACME_CONTACT=
|
||||
|
||||
# WebAuthn device manufacturer verification
|
||||
# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
|
||||
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
|
||||
WEBAUTHN_ONLY_TRUSTED_VENDORS=n
|
||||
|
||||
# Spamhaus Data Query Service Key
|
||||
# Optional: Leave empty for none
|
||||
# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.
|
||||
# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
|
||||
# Otherwise it will work normally.
|
||||
SPAMHAUS_DQS_KEY=
|
||||
|
||||
EOF
|
||||
|
||||
cat << EOF > data/conf/nginx/redirect.conf
|
||||
server {
|
||||
root /web;
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
include /etc/nginx/conf.d/server_name.active;
|
||||
if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
allow all;
|
||||
default_type "text/plain";
|
||||
}
|
||||
location / {
|
||||
return 301 https://\$host\$uri\$is_args\$args;
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
cat << EOF > /etc/cron.daily/mailcowbackup
|
||||
#!/bin/sh
|
||||
|
||||
# Backup mailcow data
|
||||
# https://docs.mailcow.email/backup_restore/b_n_r-backup/
|
||||
|
||||
set -e
|
||||
|
||||
OUT="\$(mktemp)"
|
||||
export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
|
||||
SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
|
||||
PARAMETERS="backup all"
|
||||
OPTIONS="--delete-days 7"
|
||||
mkdir -p \$MAILCOW_BACKUP_LOCATION
|
||||
|
||||
# run command
|
||||
set +e
|
||||
"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
|
||||
RESULT=\$?
|
||||
|
||||
if [ \$RESULT -ne 0 ]
|
||||
then
|
||||
echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
|
||||
echo "RESULT=\$RESULT"
|
||||
echo "STDOUT / STDERR:"
|
||||
cat "\$OUT"
|
||||
fi
|
||||
EOF
|
||||
|
||||
chmod +x /etc/cron.daily/mailcowbackup
|
||||
|
||||
cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
|
||||
#!/bin/bash
|
||||
if ! which check_mk_agent ; then
|
||||
cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
|
||||
status=\$?
|
||||
if [ \$status -eq 3 ]; then
|
||||
state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
|
||||
elif [ \$status -eq 0 ]; then
|
||||
state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
|
||||
else
|
||||
state="3 \"mailcow_update\" - Unknown output from update script ..."
|
||||
fi
|
||||
echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
|
||||
mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
|
||||
fi
|
||||
exit
|
||||
EOF
|
||||
chmod +x /etc/cron.daily/checkmk-mailcow-update-check
|
||||
|
||||
chmod 600 mailcow.conf
|
||||
|
||||
mkdir -p data/assets/ssl
|
||||
|
||||
openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
|
||||
|
||||
openssl dhparam -out data/assets/ssl/dhparams.pem 2048
|
||||
cat << EOF > /etc/cron.monthly/generate-dhparams
|
||||
#!/bin/bash
|
||||
openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
|
||||
mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
|
||||
systemctl restart nginx
|
||||
EOF
|
||||
chmod +x /etc/cron.monthly/generate-dhparams
|
||||
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
|
||||
case $PORTAINER in
|
||||
full) install_portainer_full ;;
|
||||
agent) install_portainer_agent ;;
|
||||
*) echo -e "\n######################################################################\n\n Enjoy your Docker intallation.\n\n######################################################################" ;;
|
||||
esac
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
||||
PILER_VERSION="1.3.12"
|
||||
# Defines the version of sphinx to install
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
|
||||
NEXTCLOUD_VERSION="latest"
|
||||
|
||||
|
@ -90,7 +90,7 @@ sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/
|
||||
|
||||
mkdir -p /etc/nginx/ssl
|
||||
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
|
||||
openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
|
||||
generate_dhparam
|
||||
|
||||
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
|
||||
|
||||
@ -160,7 +160,7 @@ ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
|
||||
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
|
||||
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
|
||||
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
|
||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=2048
|
||||
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
ONLYOFFICE_DB_HOST=localhost
|
||||
|
||||
ONLYOFFICE_DB_NAME=onlyoffice
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Backup ubdir where Urbackup will store backups
|
||||
PBS_DATA="backup"
|
||||
|
||||
|
45
src/rei3/constants-service.conf
Normal file
45
src/rei3/constants-service.conf
Normal file
@ -0,0 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
# This file contains the project constants on service level
|
||||
|
||||
# Debian Version, which will be installed
|
||||
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||
|
||||
# Create sharefs mountpoint
|
||||
LXC_MP="0"
|
||||
|
||||
# Create unprivileged container
|
||||
LXC_UNPRIVILEGED="1"
|
||||
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
|
||||
# Defines the IP from the SQL server
|
||||
REI3_DB_IP="127.0.0.1"
|
||||
|
||||
# Defines the PORT from the SQL server
|
||||
REI3_DB_PORT="5432"
|
||||
|
||||
# Defines the name from the SQL database
|
||||
REI3_DB_NAME="app"
|
||||
|
||||
# Defines the name from the SQL user
|
||||
REI3_DB_USR="rei3"
|
||||
|
||||
# Build a strong password for the SQL user - could be overwritten with something fixed
|
||||
REI3_DB_PWD="$(random_password)"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=4096
|
||||
|
||||
# service dependent meta tags
|
||||
SERVICE_TAGS="postgresql"
|
42
src/rei3/install-service.sh
Normal file
42
src/rei3/install-service.sh
Normal file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
source /root/functions.sh
|
||||
source /root/zamba.conf
|
||||
source /root/constants-service.conf
|
||||
|
||||
mkdir /opt/rei3
|
||||
wget -c https://rei3.de/downloads/REI3_3.4.2_x64_linux.tar.gz -O - | tar -zx -C /opt/rei3
|
||||
|
||||
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgres.gpg
|
||||
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
|
||||
|
||||
apt update
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
|
||||
|
||||
timedatectl set-timezone ${LXC_TIMEZONE}
|
||||
|
||||
systemctl enable --now postgresql
|
||||
|
||||
su - postgres <<EOF
|
||||
psql -c "CREATE USER ${REI3_DB_USR} WITH PASSWORD '${REI3_DB_PWD}';"
|
||||
psql -c "CREATE DATABASE ${REI3_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${REI3_DB_USR};"
|
||||
psql -c "GRANT ALL PRIVILEGES ON DATABASE ${REI3_DB_NAME} TO ${REI3_DB_USR};"
|
||||
echo "Postgres User ${REI3_DB_USR} and database ${REI3_DB_NAME} created."
|
||||
EOF
|
||||
|
||||
cp /opt/rei3/config_template.json /opt/rei3/config.json
|
||||
chmod u+x /opt/rei3/r3
|
||||
|
||||
sed -i 's/"user": "app",/"user": "'${REI3_DB_USR}'",/g' /opt/rei3/config.json
|
||||
sed -i 's/"pass": "app",/"pass": "'${REI3_DB_PWD}'",/g' /opt/rei3/config.json
|
||||
|
||||
/opt/rei3/r3 -install
|
||||
#/opt/rei/r3 -newadmin
|
||||
systemctl start rei3
|
@ -9,6 +9,8 @@
|
||||
|
||||
# Debian Version, which will be installed
|
||||
LXC_TEMPLATE_VERSION="debian-11-standard"
|
||||
# !!!! Leave at debian 11, currently unifi depends on mongodb-server <= 4.4 and libssl1.1
|
||||
# libssl1.1 is unsupported on debian bookworm
|
||||
|
||||
# Create sharefs mountpoint
|
||||
LXC_MP="0"
|
||||
@ -19,6 +21,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=2048
|
||||
|
||||
|
@ -11,10 +11,10 @@ source /root/functions.sh
|
||||
source /root/zamba.conf
|
||||
source /root/constants-service.conf
|
||||
|
||||
wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
|
||||
wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://pgp.mongodb.com/server-4.4.asc
|
||||
wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
|
||||
|
||||
echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
|
||||
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
|
||||
echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
|
||||
|
||||
apt update
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Backup ubdir where Urbackup will store backups
|
||||
URBACKUP_DATA="urbackup"
|
||||
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Defines the name from the SQL database
|
||||
VAULTWARDEN_DB_NAME="vaultwarden"
|
||||
|
||||
|
@ -40,7 +40,7 @@ ORG_CREATION_USERS=admin@$LXC_DOMAIN
|
||||
# Use `openssl rand -base64 48` to generate
|
||||
ADMIN_TOKEN=$admin_token
|
||||
# Uncomment this once vaults restored
|
||||
SIGNUPS_ALLOWED=false
|
||||
SIGNUPS_ALLOWED=$VW_SIGNUPS_ALLOWED
|
||||
SMTP_HOST=$VW_SMTP_HOST
|
||||
SMTP_FROM=$VW_SMTP_FROM
|
||||
SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
|
||||
@ -154,7 +154,10 @@ server {
|
||||
}
|
||||
|
||||
EOF
|
||||
openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
|
||||
generate_dhparam
|
||||
|
||||
unlink /etc/nginx/sites-enabled/default
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl enable --now vaultwarden
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
|
||||
# Defines the IP from the SQL server
|
||||
ZABBIX_DB_IP="127.0.0.1"
|
||||
|
@ -10,7 +10,7 @@ source /root/zamba.conf
|
||||
source /root/constants-service.conf
|
||||
|
||||
apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
|
||||
echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ $(lsb_release -cs) main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
|
||||
echo "deb https://repo.zabbix.com/zabbix/6.5/debian/ $(lsb_release -cs) main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.5.list
|
||||
|
||||
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
|
||||
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
|
||||
@ -222,7 +222,7 @@ zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psq
|
||||
|
||||
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
|
||||
|
||||
openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
generate_dhparam
|
||||
|
||||
systemctl enable --now zabbix-server zabbix-agent nginx php8.2-fpm
|
||||
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="1"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=4096
|
||||
|
||||
|
@ -157,7 +157,7 @@ EOF
|
||||
|
||||
ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
|
||||
|
||||
openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
generate_dhparam
|
||||
|
||||
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
|
||||
|
||||
|
@ -11,7 +11,7 @@
|
||||
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||
|
||||
# Create sharefs mountpoint
|
||||
LXC_MP="0"
|
||||
LXC_MP="1"
|
||||
|
||||
# Create unprivileged container
|
||||
LXC_UNPRIVILEGED="0"
|
||||
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# add optional features to samba ad dc
|
||||
|
||||
# CURRENTLY SUPPORTED:
|
||||
@ -29,7 +32,7 @@ LXC_NESTING="1"
|
||||
# Example:
|
||||
# OPTIONAL_FEATURES=(wsdd)
|
||||
# OPTIONAL_FEATURES=(wsdd splitdns)
|
||||
OPTIONAL_FEATURES=(wsdd splitdns)
|
||||
OPTIONAL_FEATURES=(wsdd)
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
@ -27,36 +27,40 @@ for f in ${OPTIONAL_FEATURES[@]}; do
|
||||
fi
|
||||
done
|
||||
|
||||
## configure ntp
|
||||
cat << EOF > /etc/ntp.conf
|
||||
# Local clock. Note that is not the "localhost" address!
|
||||
server 127.127.1.0
|
||||
fudge 127.127.1.0 stratum 10
|
||||
# Where to retrieve the time from
|
||||
server 0.de.pool.ntp.org iburst prefer
|
||||
server 1.de.pool.ntp.org iburst prefer
|
||||
server 2.de.pool.ntp.org iburst prefer
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
logfile /var/log/ntp
|
||||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
|
||||
# Access control
|
||||
# Default restriction: Allow clients only to query the time
|
||||
restrict default kod nomodify notrap nopeer mssntp
|
||||
# No restrictions for "localhost"
|
||||
restrict 127.0.0.1
|
||||
# Enable the time sources to only provide time to this host
|
||||
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||
tinker panic 0
|
||||
EOF
|
||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||
|
||||
# update packages
|
||||
apt update
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
||||
# install required packages
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
|
||||
|
||||
mkdir -p /etc/chrony/conf.d
|
||||
mkdir -p /etc/systemd/system/chrony.service.d
|
||||
|
||||
cat << EOF > /etc/default/chrony
|
||||
# This is a configuration file for /etc/init.d/chrony and
|
||||
# /lib/systemd/system/chrony.service; it allows you to pass various options to
|
||||
# the chrony daemon without editing the init script or service file.
|
||||
|
||||
# Options to pass to chrony.
|
||||
DAEMON_OPTS="-x -F 1"
|
||||
EOF
|
||||
|
||||
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
|
||||
[Unit]
|
||||
ConditionCapability=
|
||||
EOF
|
||||
|
||||
cat << EOF > /etc/chrony/conf.d/samba.conf
|
||||
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
|
||||
server de.pool.ntp.org iburst
|
||||
server europe.pool.ntp.org iburst
|
||||
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
|
||||
ntpsigndsocket /var/lib/samba/ntp_signd
|
||||
EOF
|
||||
|
||||
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
|
||||
cat << EOF > /etc/nginx/sites-available/default
|
||||
server {
|
||||
@ -119,12 +123,16 @@ cat > /etc/krb5.conf <<EOF
|
||||
EOF
|
||||
|
||||
# stop + disable samba services and remove default config
|
||||
systemctl disable --now smbd nmbd winbind systemd-resolved
|
||||
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
|
||||
rm -f /etc/samba/smb.conf
|
||||
|
||||
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
|
||||
samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
|
||||
|
||||
|
||||
rm /etc/krb5.conf
|
||||
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
|
||||
|
||||
mkdir -p /mnt/sysvol
|
||||
|
||||
cat << EOF > /root/.smbcredentials
|
||||
@ -138,13 +146,75 @@ echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0"
|
||||
mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
|
||||
|
||||
cat > /etc/cron.d/sysvol-sync << EOF
|
||||
*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
|
||||
*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol; if ! /usr/bin/samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then /usr/bin/samba-tool ntacl sysvolreset ; fi
|
||||
EOF
|
||||
|
||||
/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
|
||||
|
||||
if ! samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then
|
||||
samba-tool ntacl sysvolreset
|
||||
fi
|
||||
|
||||
ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
|
||||
|
||||
systemctl unmask samba-ad-dc
|
||||
systemctl enable samba-ad-dc
|
||||
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
|
||||
|
||||
# configure ad backup
|
||||
cat << EOF > /usr/local/bin/smb-backup
|
||||
#!/bin/bash
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
rc=0
|
||||
keep=$1
|
||||
if \$1 ; then
|
||||
keep=\$1
|
||||
fi
|
||||
|
||||
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
|
||||
|
||||
prune () {
|
||||
backup_type=\$1
|
||||
if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
|
||||
find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
|
||||
fi
|
||||
}
|
||||
|
||||
echo "\$(date) Starting samba-ad-dc online backup"
|
||||
if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
|
||||
echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
|
||||
prune online
|
||||
else
|
||||
echo "\$(date) samba-ad-dc online backup failed"
|
||||
rc=\$((\$rc + 1))
|
||||
fi
|
||||
|
||||
echo "\$(date) Starting samba-ad-dc offline backup"
|
||||
if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
|
||||
echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
|
||||
prune offline
|
||||
else
|
||||
echo "S(date) samba-ad-dc offline backup failed"
|
||||
rc=\$((\$rc + 1))
|
||||
fi
|
||||
|
||||
exit \$rc
|
||||
EOF
|
||||
chmod +x /usr/local/bin/smb-backup
|
||||
|
||||
cat << EOF > /etc/cron.d/smb-backup
|
||||
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
|
||||
EOF
|
||||
|
||||
cat << EOF > /etc/logrotate.d/smb-backup
|
||||
/var/log/smb-backup.log {
|
||||
weekly
|
||||
rotate 12
|
||||
compress
|
||||
delaycompress
|
||||
missingok
|
||||
notifempty
|
||||
create 644 root root
|
||||
}
|
||||
EOF
|
||||
|
@ -11,7 +11,7 @@
|
||||
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||
|
||||
# Create sharefs mountpoint
|
||||
LXC_MP="0"
|
||||
LXC_MP="1"
|
||||
|
||||
# Create unprivileged container
|
||||
LXC_UNPRIVILEGED="0"
|
||||
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# add optional features to samba ad dc
|
||||
|
||||
# CURRENTLY SUPPORTED:
|
||||
@ -29,7 +32,7 @@ LXC_NESTING="1"
|
||||
# Example:
|
||||
# OPTIONAL_FEATURES=(wsdd)
|
||||
# OPTIONAL_FEATURES=(wsdd splitdns)
|
||||
OPTIONAL_FEATURES=(wsdd splitdns)
|
||||
OPTIONAL_FEATURES=(wsdd)
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
@ -27,42 +27,39 @@ for f in ${OPTIONAL_FEATURES[@]}; do
|
||||
fi
|
||||
done
|
||||
|
||||
## configure ntp
|
||||
cat << EOF > /etc/ntp.conf
|
||||
# Local clock. Note that is not the "localhost" address!
|
||||
server 127.127.1.0
|
||||
fudge 127.127.1.0 stratum 10
|
||||
|
||||
# Where to retrieve the time from
|
||||
server 0.de.pool.ntp.org iburst prefer
|
||||
server 1.de.pool.ntp.org iburst prefer
|
||||
server 2.de.pool.ntp.org iburst prefer
|
||||
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
logfile /var/log/ntp
|
||||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
|
||||
|
||||
# Access control
|
||||
# Default restriction: Allow clients only to query the time
|
||||
restrict default kod nomodify notrap nopeer mssntp
|
||||
|
||||
# No restrictions for "localhost"
|
||||
restrict 127.0.0.1
|
||||
|
||||
# Enable the time sources to only provide time to this host
|
||||
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
|
||||
|
||||
tinker panic 0
|
||||
EOF
|
||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||
|
||||
# update packages
|
||||
apt update
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
|
||||
# install required packages
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
|
||||
|
||||
mkdir -p /etc/chrony/conf.d
|
||||
mkdir -p /etc/systemd/system/chrony.service.d
|
||||
|
||||
cat << EOF > /etc/default/chrony
|
||||
# This is a configuration file for /etc/init.d/chrony and
|
||||
# /lib/systemd/system/chrony.service; it allows you to pass various options to
|
||||
# the chrony daemon without editing the init script or service file.
|
||||
|
||||
# Options to pass to chrony.
|
||||
DAEMON_OPTS="-x -F 1"
|
||||
EOF
|
||||
|
||||
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
|
||||
[Unit]
|
||||
ConditionCapability=
|
||||
EOF
|
||||
|
||||
cat << EOF > /etc/chrony/conf.d/samba.conf
|
||||
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
|
||||
server de.pool.ntp.org iburst
|
||||
server europe.pool.ntp.org iburst
|
||||
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
|
||||
ntpsigndsocket /var/lib/samba/ntp_signd
|
||||
EOF
|
||||
|
||||
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
|
||||
cat << EOF > /etc/nginx/sites-available/default
|
||||
@ -121,20 +118,76 @@ EOF
|
||||
mkdir -p /var/lib/samba/bind-dns/dns
|
||||
fi
|
||||
|
||||
|
||||
|
||||
# stop + disable samba services and remove default config
|
||||
systemctl disable --now smbd nmbd winbind systemd-resolved
|
||||
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
|
||||
rm -f /etc/samba/smb.conf
|
||||
rm -f /etc/krb5.conf
|
||||
|
||||
# provision zamba domain
|
||||
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
|
||||
|
||||
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
|
||||
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
|
||||
|
||||
# disable password expiry for administrator
|
||||
samba-tool user setexpiry Administrator --noexpiry
|
||||
|
||||
systemctl unmask samba-ad-dc
|
||||
systemctl enable samba-ad-dc
|
||||
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
|
||||
|
||||
# configure ad backup
|
||||
cat << EOF > /usr/local/bin/smb-backup
|
||||
#!/bin/bash
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
rc=0
|
||||
keep=\$1
|
||||
|
||||
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
|
||||
|
||||
prune () {
|
||||
backup_type=\$1
|
||||
if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
|
||||
find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
|
||||
fi
|
||||
}
|
||||
|
||||
echo "\$(date) Starting samba-ad-dc online backup"
|
||||
if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
|
||||
echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
|
||||
prune online
|
||||
else
|
||||
echo "\$(date) samba-ad-dc online backup failed"
|
||||
rc=\$((\$rc + 1))
|
||||
fi
|
||||
|
||||
echo "\$(date) Starting samba-ad-dc offline backup"
|
||||
if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
|
||||
echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
|
||||
prune offline
|
||||
else
|
||||
echo "S(date) samba-ad-dc offline backup failed"
|
||||
rc=\$((\$rc + 1))
|
||||
fi
|
||||
|
||||
exit \$rc
|
||||
EOF
|
||||
chmod +x /usr/local/bin/smb-backup
|
||||
|
||||
cat << EOF > /etc/cron.d/smb-backup
|
||||
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
|
||||
EOF
|
||||
|
||||
cat << EOF > /etc/logrotate.d/smb-backup
|
||||
/var/log/smb-backup.log {
|
||||
weekly
|
||||
rotate 12
|
||||
compress
|
||||
delaycompress
|
||||
missingok
|
||||
notifempty
|
||||
create 644 root root
|
||||
}
|
||||
EOF
|
||||
|
||||
exit 0
|
29
src/zmb-cups/constants-service.conf
Normal file
29
src/zmb-cups/constants-service.conf
Normal file
@ -0,0 +1,29 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
# This file contains the project constants on service level
|
||||
|
||||
# Debian Version, which will be installed
|
||||
LXC_TEMPLATE_VERSION="debian-12-standard"
|
||||
|
||||
# Create sharefs mountpoint
|
||||
LXC_MP="1"
|
||||
|
||||
# Create unprivileged container
|
||||
LXC_UNPRIVILEGED="0"
|
||||
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
||||
# service dependent meta tags
|
||||
SERVICE_TAGS="samba,member,cups,printserver"
|
109
src/zmb-cups/install-service.sh
Normal file
109
src/zmb-cups/install-service.sh
Normal file
@ -0,0 +1,109 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Authors:
|
||||
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
|
||||
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
|
||||
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
|
||||
|
||||
source /root/functions.sh
|
||||
source /root/zamba.conf
|
||||
source /root/constants-service.conf
|
||||
|
||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||
|
||||
apt update
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
|
||||
|
||||
mv /etc/krb5.conf /etc/krb5.conf.bak
|
||||
cat > /etc/krb5.conf <<EOF
|
||||
[libdefaults]
|
||||
default_realm = $ZMB_REALM
|
||||
ticket_lifetime = 600
|
||||
dns_lookup_realm = true
|
||||
dns_lookup_kdc = true
|
||||
renew_lifetime = 7d
|
||||
EOF
|
||||
|
||||
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
|
||||
klist
|
||||
|
||||
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
|
||||
cat > /etc/samba/smb.conf <<EOF
|
||||
[global]
|
||||
workgroup = $ZMB_DOMAIN
|
||||
security = ADS
|
||||
realm = $ZMB_REALM
|
||||
server string = %h server
|
||||
|
||||
vfs objects = acl_xattr shadow_copy2
|
||||
map acl inherit = Yes
|
||||
store dos attributes = Yes
|
||||
idmap config *:backend = tdb
|
||||
idmap config *:range = 3000000-4000000
|
||||
idmap config *:schema_mode = rfc2307
|
||||
|
||||
winbind refresh tickets = Yes
|
||||
winbind use default domain = Yes
|
||||
winbind separator = /
|
||||
winbind nested groups = yes
|
||||
winbind nss info = rfc2307
|
||||
|
||||
pam password change = Yes
|
||||
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
|
||||
passwd program = /usr/bin/passwd %u
|
||||
|
||||
template homedir = /home/%U
|
||||
template shell = /bin/bash
|
||||
bind interfaces only = Yes
|
||||
interfaces = lo eth0
|
||||
log file = /var/log/samba/log.%m
|
||||
logging = syslog
|
||||
max log size = 1000
|
||||
panic action = /usr/share/samba/panic-action %d
|
||||
|
||||
dns proxy = No
|
||||
shadow: snapdir = .zfs/snapshot
|
||||
shadow: sort = desc
|
||||
shadow: format = -%Y-%m-%d-%H%M
|
||||
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
|
||||
shadow: delimiter = -20
|
||||
|
||||
printing = CUPS
|
||||
rpcd_spoolss:idle_seconds=300
|
||||
rpcd_spoolss:num_workers = 10
|
||||
spoolss: architecture = Windows x64
|
||||
|
||||
[printers]
|
||||
path = /${LXC_SHAREFS_MOUNTPOINT}/spool
|
||||
printable = yes
|
||||
|
||||
[print$]
|
||||
path = /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||
read only = no
|
||||
|
||||
EOF
|
||||
|
||||
systemctl restart smbd
|
||||
|
||||
echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
|
||||
sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
|
||||
sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
|
||||
echo -e "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
|
||||
|
||||
systemctl restart winbind nmbd
|
||||
|
||||
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
|
||||
cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||
chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||
chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
|
||||
chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||
setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||
setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||
setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||
echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
|
||||
systemctl disable --now cups-browsed.service
|
||||
|
||||
cupsctl --remote-admin
|
||||
|
||||
systemctl restart cups smbd nmbd winbind wsdd
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
||||
|
@ -9,9 +9,11 @@ source /root/functions.sh
|
||||
source /root/zamba.conf
|
||||
source /root/constants-service.conf
|
||||
|
||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||
|
||||
apt update
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
|
||||
|
||||
mv /etc/krb5.conf /etc/krb5.conf.bak
|
||||
cat > /etc/krb5.conf <<EOF
|
||||
|
@ -19,6 +19,9 @@ LXC_UNPRIVILEGED="0"
|
||||
# enable nesting feature
|
||||
LXC_NESTING="1"
|
||||
|
||||
# enable keyctl feature
|
||||
LXC_KEYCTL="0"
|
||||
|
||||
# Sets the minimum amount of RAM the service needs for operation
|
||||
LXC_MEM_MIN=1024
|
||||
|
||||
|
@ -12,10 +12,12 @@ source /root/constants-service.conf
|
||||
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
|
||||
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
|
||||
|
||||
echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
|
||||
|
||||
apt update
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
|
||||
|
||||
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
|
||||
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
|
||||
|
Loading…
Reference in New Issue
Block a user