bug: 20 Character (pwd)

Defines the amount of RAM for elasticsearch (Java option)

README.md

@@ -5,11 +5,13 @@ Zamba LXC Toolbox is a collection of scripts to easily install Debian LXC contai
 The main feature is `Zamba`, the fusion of ZFS and Samba in three different flavours (standalone, active directory dc or active directory member), preconfigured to access ZFS snapshots by "Windows Previous Versions" to easily recover encrypted by ransomware files, accidently deleted files or just to revert changes.
 The package also provides LXC container installers for `mailpiler`, `matrix-synapse` + `element-web` and more services will follow in future releases.
 ### Requirements
-Proxmox VE Server with at least one configured ZFS Pool.
+Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 ### Included services:
 - `checkmk` => Check_MK 2.0 Monitoring Server
 - `debian-priv` => Debian privileged container with basic toolset
 - `debian-unpriv` => Debian unprivileged container with basic toolset
+- `gitea`=> Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
+- `kopano-core` => Kopano Core Grouoware [kopano.io](https://kopano.io/)
 - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
 - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
 - `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
@@ -17,7 +19,10 @@ Proxmox VE Server with at least one configured ZFS Pool.
 - `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
 - `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
 - `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
+- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
+- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
 - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
+- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
 - `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
 - `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
 ## Usage

conf/README.md

@@ -51,7 +51,7 @@ LXC_SWAP="1024"
 ### LXC_HOSTNAME
 Defines the hostname of your LXC container (Default: Name of installed Service)
 ```bash
-LXC_SWAP="zamba"
+LXC_HOSTNAME="zamba"
 ```
 ### LXC_DOMAIN
 Defines the domain name / search domain of your LXC container
@@ -220,7 +220,7 @@ NEXTCLOUD_ADMIN_USR="zmb-admin"
 ### NEXTCLOUD_ADMIN_PWD
 Build a strong password for this user. Username and password will shown at the end of the instalation. 
 ```bash
-NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+NEXTCLOUD_ADMIN_PWD="$(random_password)"
 ```
 ### NEXTCLOUD_DATA
 Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT

conf/zamba.conf.example

@@ -57,7 +57,7 @@ LXC_DNS="192.168.100.254"
 LXC_BRIDGE="vmbr0"
 
 # Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
-LXC_VLAN=
+LXC_VLAN=NONE
 
 # Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
 LXC_PWD='Start!123'
@@ -100,9 +100,9 @@ ZMB_SHARE="share"
 ############### Mailpiler-Section ###############
 
 # Defines the (public) FQDN of your piler mail archive
-PILER_FQDN="piler.zmb.rocks"
+PILER_FQDN="mailpiler.zmb.rocks"
 # Defines the smarthost for piler mail archive
-PILER_SMARTHOST="your.mailserver.tld"
+PILER_SMARTHOST="mail.zmb.rocks"
 
 ############### Matrix-Section ###############
 
@@ -121,13 +121,13 @@ MATRIX_ADMIN_PASSWORD="Start!123"
 ############### Nextcloud-Section ###############
 
 # Define the FQDN of your Nextcloud server
-NEXTCLOUD_FQDN="nc1.zmb.rocks"
+NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
 
 # The initial admin-user which will be configured
 NEXTCLOUD_ADMIN_USR="zmb-admin"
 
-# Build a strong password for this user. Username and password will shown at the end of the instalation. 
-NEXTCLOUD_ADMIN_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+# Build a strong password for this user. Username and password will shown at the end of the installation. 
+NEXTCLOUD_ADMIN_PWD="$(random_password)"
 
 # Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
 NEXTCLOUD_DATA="nc_data"
@@ -147,3 +147,15 @@ CMK_ADMIN_PW='Start!123'
 # raw = completely free
 # free = limited version of the enterprise edition (25 hosts, 1 instance)
 CMK_EDITION=raw
+
+############### Kopano-Section ###############
+
+# Define the FQDN of your Nextcloud server
+KOPANO_FQDN="kopano.zmb.rocks"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+KOPANO_MAILGW="192.168.100.254"
+
+# Kopano test- or subscription-key offerd from 
+# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
+KOPANO_REPKEY="1234567890abcdefghijklmno"

install.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -euo pipefail
 
 # This script will create and fire up a standard debian buster lxc container on your Proxmox VE.
 # On a Proxmox cluster, the script will create the container on the local node, where it's executed.
@@ -15,7 +16,7 @@
 # Please adjust th settings in 'zamba.conf' to your needs before running the script
 
 ############### ZAMBA INSTALL SCRIPT ###############
-prog="$(basename "$0")"
+prog="$(basename $0)"
 
 usage() {
 	cat >&2 <<-EOF
@@ -36,7 +37,6 @@ usage() {
 ctid=0
 service=ask
 config=$PWD/conf/zamba.conf
-verbose=0
 
 while getopts "hi:s:c:" opt; do
   case $opt in
@@ -49,17 +49,13 @@ while getopts "hi:s:c:" opt; do
 done
 shift $((OPTIND-1))
 
-# Load configuration file
-echo "Loading config file '$config'..."
-source $config
-
-OPTS=$(ls -d $PWD/src/*/ | grep -v __ | xargs basename -a)
+OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n)
 
 valid=0
 if [[ "$service" == "ask" ]]; then
   select svc in $OPTS quit; do
     if [[ "$svc" != "quit" ]]; then
-       for line in $(echo $OPTS); do
+       for line in $OPTS; do
         if [[ "$svc" == "$line" ]]; then
           service=$svc
           echo "Installation of $service selected."
@@ -76,7 +72,7 @@ if [[ "$service" == "ask" ]]; then
     fi
   done
 else
-  for line in $(echo $OPTS); do
+  for line in $OPTS; do
     if [[ "$service" == "$line" ]]; then
       echo "Installation of $service selected."
       valid=1
@@ -90,18 +86,30 @@ if [[ "$valid" != "1" ]]; then
   usage 1
 fi
 
-source $PWD/src/$service/constants-service.conf
+# Load configuration file
+echo "Loading config file '$config'..."
+if [ ! -e "$config" ]; then
+  echo "Configuration files does not exist"
+  exit 1
+fi
+
+source "src/functions.sh"
+
+source "$config"
+
+source "$PWD/src/$service/constants-service.conf"
 
 # CHeck is the newest template available, else download it.
-DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | cut -d'_' -f2)
-DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | cut -d'_' -f2)
+DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
+DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
+TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
 
 if [[ $DEB_LOC == $DEB_REP ]];
 then
-  echo "Newest Version of $LXC_TEMPLATE_VERSION $DEP_REP exists.";
+  echo "Newest Version of $LXC_TEMPLATE_VERSION $DEB_REP exists.";
 else
   echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP.";
-  pveam download $LXC_TEMPLATE_STORAGE "$LXC_TEMPLATE_VERSION"_$DEB_REP\_amd64.tar.gz
+  pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
 fi
 
 if [ $ctid -gt 99 ]; then
@@ -120,17 +128,17 @@ fi
 echo "Will now create LXC Container $LXC_NBR!";
 
 # Create the container
-pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/"$LXC_TEMPLATE_VERSION"_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+pct create $LXC_NBR --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
 sleep 2;
 
 # Check vlan configuration
-if [[ $LXC_VLAN != "" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
+if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
 pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
 if [ $LXC_DHCP == true ]; then
- pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN;
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
 else
- pct set $LXC_NBR -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN;
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
 fi
 sleep 2
 
@@ -143,15 +151,15 @@ PS3="Select the Server-Function: "
 
 pct start $LXC_NBR;
 sleep 5;
-# Set the root password and key
-echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
-lxc-attach -n$LXC_NBR mkdir /root/.ssh;
+# Set the root ssh key
+pct exec $LXC_NBR -- mkdir /root/.ssh
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
-pct push $LXC_NBR $config /root/zamba.conf
-pct push $LXC_NBR $PWD/src/constants.conf /root/constants.conf
-pct push $LXC_NBR $PWD/src/lxc-base.sh /root/lxc-base.sh
-pct push $LXC_NBR $PWD/src/$service/install-service.sh /root/install-service.sh
-pct push $LXC_NBR $PWD/src/$service/constants-service.conf /root/constants-service.conf
+pct push $LXC_NBR "$config" /root/zamba.conf
+pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
+pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
+pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
+pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
+pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
 
 echo "Installing basic container setup..."
 lxc-attach -n$LXC_NBR bash /root/lxc-base.sh
@@ -160,6 +168,7 @@ lxc-attach -n$LXC_NBR bash /root/install-service.sh
 
 if [[ $service == "zmb-ad" ]]; then
   pct stop $LXC_NBR
-  pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
   pct start $LXC_NBR
-fi
+fi

new-config.py

@@ -1,136 +0,0 @@
-#!/usr/bin/python3
-import os
-from src import config_base, menu
-
-# Check installation of zfs-auto-snapshot, if not installed, just notify user
-config_base.check_zfs_autosnapshot()
-    
-cfg = {}
-# set template storage
-t_storages = config_base.get_pve_storages(content=config_base.PveStorageContent.vztmpl)
-if len(t_storages.keys()) > 1:
-    t_stors={}
-    for st in t_storages.keys():
-        t_stors[st] = f"driver: {t_storages[st]['driver']}\tfree space: {int(t_storages[st]['available'])/1024/1024:.2f} GB"
-    cfg['LXC_TEMPLATE_STORAGE'] = menu.radiolist("Select container template storage", "Please choose the storage, where your container templates are stored.", t_stors)
-elif len(t_storages.keys()) == 1:
-    cfg['LXC_TEMPLATE_STORAGE'] = next(iter(t_storages))
-else:
-    print("Could not find any storage enabled for container templates. Please ensure your storages are configured properly.")
-    os._exit(1)
-
-# get zmb service
-cfg['ZMB_SERVICE'] = menu.radiolist("Select service","Please choose the service to install:", config_base.get_zmb_services())
-
-# get static ct features
-ct_features = config_base.get_ct_features(cfg["ZMB_SERVICE"])
-cfg['LXC_UNPRIVILEGED'] = ct_features['unprivileged']
-# get ct id
-cfg['LXC_NBR'] = menu.question("Container ID", f"Please select an ID for the {cfg['ZMB_SERVICE']} container.", menu.qType.Integer, config_base.get_ct_id(), config_base.validate_ct_id)
-
-# configure rootfs
-r_storages = config_base.get_pve_storages(driver=config_base.PveStorageType.zfspool,content=config_base.PveStorageContent.rootdir)
-if len(r_storages.keys()) > 1:
-    r_stors = {}
-    for st in r_storages.keys():
-        r_stors[st] = f"driver: {r_storages[st]['driver']}\tfree space: {int(r_storages[st]['available'])/1024/1024:.2f} GB"
-    cfg['LXC_ROOTFS_STORAGE'] = menu.radiolist("Select rootfs storage", "Please choose the storage for your container's rootfs",r_stors)
-elif len(r_storages.keys()) == 1:
-    cfg['LXC_ROOTFS_STORAGE'] = next(iter(r_storages))
-else:
-    print("Could not find any storage enabled for container filesystems. Please ensure your storages are configured properly.")
-    os._exit(1)
-
-cfg['LXC_ROOTFS_SIZE'] = menu.question("Set rootfs size","Please type in the desired rootfs size (GB)", menu.qType.Integer,32)
-
-# create additional mountpoints
-if 'size' in ct_features['sharefs'].keys():
-    f_storages = config_base.get_pve_storages(driver=config_base.PveStorageType.zfspool,content=config_base.PveStorageContent.rootdir)
-    if len(f_storages.keys()) > 1:
-        f_stors = {}
-        for st in f_storages.keys():
-            f_stors[st] = f"driver: {f_storages[st]['driver']}\tfree space: {int(f_storages[st]['available'])/1024/1024:.2f} GB"
-        cfg['LXC_SHAREFS_STORAGE'] = menu.radiolist("Select sharefs storage", "Please choose the storage of your shared filesystem", f_stors)
-    elif len(r_storages.keys()) == 1:
-        cfg['LXC_SHAREFS_STORAGE'] = next(iter(f_storages))
-    else:
-        print("Could not find any storage enabled for container filesystems. Please ensure your storages are configured properly.")
-        os._exit(1)
-    cfg['LXC_SHAREFS_SIZE'] = menu.question("Select sharefs size","Please type in the desired size (GB) of your shared filesystem", menu.qType.Integer,ct_features['sharefs']['size'])
-    cfg['LXC_SHAREFS_MOUNTPOINT'] = menu.question("Select sharefs mountpoint","Please type in the folder where to mount your shared filesystem inside the container.", menu.qType.String,ct_features['sharefs']['mountpoint'])
-
-# configure ram and swap
-cfg['LXC_MEM'] = menu.question("Set container RAM", "Please type in the desired amount of RAM for the container (MB)",menu.qType.Integer,ct_features["mem"])
-cfg['LXC_SWAP'] = menu.question("Set container Swap", "Please type in the desired amount of Swap for the container (MB)",menu.qType.Integer,ct_features["swap"])
-cfg['LXC_HOSTNAME'] = menu.question("Set container Hostname", "Please type in the desired hostname of the container",menu.qType.String,ct_features['hostname'])
-cfg['LXC_DOMAIN'] = menu.question("Set container search domain", "Please type in the search domain of your network.", menu.qType.String,ct_features['domain'])
-cfg['LXC_TIMEZONE'] = 'host' # TODO
-cfg['LXC_LOCALE'] = "de_DE.utf8" # TODO
-
-# get pve bridge
-bridges = config_base.get_pve_bridges()
-if len(bridges) > 1:
-    cfg['LXC_BRIDGE'] = menu.radiolist("Select PVE Network Bridge", f"Please select the network bridge to connect the {cfg['ZMB_SERVICE']} container",bridges)
-elif len(bridges) == 1:
-    cfg['LXC_BRIDGE'] = bridges[0]
-else:
-    print("Could not find any bridge device to connect container. Please ensure your networksettings are configured properly.")
-    os._exit(1)
-
-cfg['LXC_VLAN'] = menu.question("Set vlan tag", "You you want to tag your container's network to a vlan? (0 = untagged, 1 - 4094 = tagged vlan id)",menu.qType.Integer,0, config_base.validate_vlan)
-
-# configure network interface
-if  cfg['ZMB_SERVICE'] != 'zmb-ad':
-    enable_dhcp = menu.question("Set network mode", "Do you want to configure the network interface in dhcp mode?",menu.qType.Boolean,default=True)
-else:
-    enable_dhcp = False
-if enable_dhcp == True:
-    cfg["LXC_NET_MODE"] = 'dhcp'
-else:
-    cfg["LXC_NET_MODE"] = 'static'
-    cfg["LXC_IP"] = menu.question("Set interface IP Addess", "Pleace type in the containers IP address (CIDR Format).",menu.qType.String,default='10.10.10.10/8')
-    cfg["LXC_GW"] = menu.question("Set interface default gateway", "Pleace type in the containers default gateway.",menu.qType.String,default='10.10.10.1')
-cfg['LXC_DNS']  = menu.question("Set containers dns server", "Pleace type in the containers dns server. ZMB AD will use this as dns forwarder",menu.qType.String,default='10.10.10.1')
-
-cfg['LXC_PWD'] = menu.question("Set root password", "Please type in the containers root password", menu.qType.String,default='')
-cfg['LXC_AUTHORIZED_KEY'] = menu.question ("Set authorized_keys file to import", "Please select authorized_keys file to import.", menu.qType.String, default='~/.ssh/authorized_keys')
-
-os.system('clear')
-print (f"#### Zamba LXC Toolbox ####\n")
-print (f"GLOBAL CONFIGURATION:")
-print (f"\tct template storage:\t{cfg['LXC_TEMPLATE_STORAGE']}")
-print (f"\nCONTAINER CONFIGURATION:")
-print (f"\tzmb service:\t\t{cfg['ZMB_SERVICE']}")
-print (f"\tcontainer id:\t\t{cfg['LXC_NBR']}")
-print (f"\tunprivileged:\t\t{cfg['LXC_UNPRIVILEGED']}")
-for feature in ct_features['features'].keys():
-    if feature == 'nesting':
-        cfg['LXC_NESTING'] = ct_features['features'][feature]
-        print (f"\t{feature}:\t\t{cfg['LXC_NESTING']}")
-print (f"\tcontainer memory:\t{cfg['LXC_MEM']} MB")
-print (f"\tcontainer swap:\t\t{cfg['LXC_SWAP']} MB")
-print (f"\tcontainer hostname:\t{cfg['LXC_HOSTNAME']}")
-print (f"\tct search domain:\t{cfg['LXC_DOMAIN']}")
-print (f"\tcontainer timezone\t{cfg['LXC_TIMEZONE']}")
-print (f"\tcontainer language\t{cfg['LXC_LOCALE']}")
-print (f"\nSTORAGE CONFIGURATION:")
-print (f"\trootfs storage:\t\t{cfg['LXC_ROOTFS_STORAGE']}")
-print (f"\trootfs size:\t\t{cfg['LXC_ROOTFS_SIZE']} GB")
-if 'size' in ct_features['sharefs'].keys():
-    print (f"\tsharefs storage:\t{cfg['LXC_SHAREFS_STORAGE']}")
-    print (f"\tsharefs size:\t\t{cfg['LXC_SHAREFS_SIZE']} GB")
-    print (f"\tsharefs mountpoint:\t{cfg['LXC_SHAREFS_MOUNTPOINT']}")
-print (f"\nNETWORK CONFIGURATION:")
-print (f"\tpve bridge:\t\t{cfg['LXC_BRIDGE']}")
-if cfg['LXC_VLAN'] > 0:
-    print (f"\tcontainer vlan:\t\t{cfg['LXC_VLAN']}")
-else:
-    print (f"\tcontainer vlan:\t\tuntagged")
-print (f"\tnetwork mode:\t\t{cfg['LXC_NET_MODE']}")
-if enable_dhcp == False:
-    print (f"\tip address (CIDR):\t{cfg['LXC_IP']}")
-    print (f"\tdefault gateway:\t{cfg['LXC_GW']}")
-    print (f"\tdns server / forwarder:\t{cfg['LXC_GW']}")
-print (f"\nCONTAINER CREDENTIALS:")
-print (f"\troot password:\t\t{cfg['LXC_PWD']}")
-print (f"\tauthorized ssh keys:\t{cfg['LXC_AUTHORIZED_KEY']}")

proxmox.conf

@@ -1 +0,0 @@
-HOST_LOCALE=de_DE.UTF-8

sources.list

@@ -1,6 +0,0 @@
-deb http://ftp.de.debian.org/debian buster main contrib
-
-deb http://ftp.de.debian.org/debian buster-updates main contrib
-
-# security updates
-deb http://security.debian.org buster/updates main contrib

src/checkmk/constants-service.conf

@@ -20,6 +20,6 @@ LXC_UNPRIVILEGED="1"
 LXC_NESTING="1"
 
 # checkmk version
-CMK_VERSION=2.0.0p18
+CMK_VERSION=2.0.0p23
 # build number of the debian package (needs to start with underscore)
-CMK_BUILD=_0
+CMK_BUILD=_0

src/checkmk/install-service.sh

@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 

src/functions.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+#
+# This script has basic functions like a random password generator
+
+random_password() {
+    set +o pipefail
+    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32
+}
+
+random_password_open3a() {
+    set +o pipefail
+    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c20
+}

src/gitea/constants-service.conf

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the IP from the SQL server
+GITEA_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+GITEA_DB_PORT="5432"
+
+# Defines the name from the SQL database
+GITEA_DB_NAME="gitea"
+
+# Defines the name from the SQL user
+GITEA_DB_USR="gitea"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+GITEA_DB_PWD="$(random_password)"

src/gitea/install-service.sh

@@ -0,0 +1,160 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert unzip zip
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
+psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
+echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
+EOF
+
+adduser  --system  --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
+
+curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
+chmod +x /usr/local/bin/gitea
+mkdir -p /etc/gitea
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
+chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
+chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
+
+cat << EOF > /etc/systemd/system/gitea.service
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/gitea/app.ini
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
+
+[database]
+DB_TYPE=postgres
+HOST=localhost
+NAME=${GITEA_DB_NAME}
+USER=${GITEA_DB_USR}
+PASSWD=${GITEA_DB_PWD}
+SSL_MODE=disable
+
+[server]
+APP_DATA_PATH    = /${LXC_SHAREFS_MOUNTPOINT}/gitea
+DOMAIN           = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+SSH_DOMAIN       = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+HTTP_HOST        = localhost
+HTTP_PORT        = 3000
+ROOT_URL         = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+SSH_LISTEN_PORT  = 22
+EOF
+
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 770 /etc/gitea/app.ini
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log /var/log/nginx/gitea.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log  /var/log/nginx/gitea.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+
+EOF
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl daemon-reload
+systemctl enable --now gitea
+systemctl restart nginx

src/kopano-core/constants-service.conf

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-10-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+KOPANO_VERSION="latest"
+
+# Defines the php version to install
+KOPANO_PHP_VERSION="7.3"
+
+# Defines Maria DB Version
+MARIA_DB_VERS="10.5"
+
+# Defines the name from the SQL database
+MARIA_DB_NAME="kopano"
+
+# Defines the name from the SQL user
+MARIA_DB_USER="kopano"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+
+MARIA_ROOT_PWD=$(random_password)
+MARIA_USER_PWD=$(random_password)
+

src/kopano-core/install-service.sh

@@ -0,0 +1,274 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+HOSTNAME=$(hostname -f)
+
+wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
+echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
+php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
+
+#timedatectl set-timezone Europe/Berlin
+#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+
+#### Secure Maria Instance ####
+
+mysqladmin -u root password "[$MARIA_ROOT_PWD]"
+
+mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
+mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
+
+#### Create user and DB for Kopano ####
+
+mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
+
+echo "root-password: $MARIA_ROOT_PWD,\
+db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
+
+cat > /etc/apt/sources.list.d/kopano.list << EOF
+
+# Kopano Core
+deb https://download.kopano.io/supported/core:/final/Debian_10/ ./
+
+# Kopano WebApp
+deb https://download.kopano.io/supported/webapp:/final/Debian_10/ ./
+
+# Kopano MobileDeviceManagement
+deb https://download.kopano.io/supported/mdm:/final/Debian_10/ ./
+
+# Kopano Files
+deb https://download.kopano.io/supported/files:/final/Debian_10/ ./
+
+# Z-Push
+deb https://download.kopano.io/zhub/z-push:/final/Debian_10/ ./
+
+EOF
+
+cat > /etc/apt/auth.conf.d/kopano.conf << EOF
+
+machine download.kopano.io
+login serial
+password $KOPANO_REPKEY
+
+EOF
+
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_10/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_10/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_10/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_10/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_10/Release.key | apt-key add -
+
+apt update && apt full-upgrade -y
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
+z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files 
+
+#### Adjust kopano settings ####
+
+cat > /etc/kopano/ldap.cfg << EOF
+
+!include /usr/share/kopano/ldap.active-directory.cfg
+
+ldap_uri = ldap://10.10.81.12:389
+ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
+ldap_bind_passwd = Start123!
+ldap_search_base = dc=zmb,dc=rocks
+
+#ldap_user_search_filter = (kopanoAccount=1)
+
+EOF
+
+cat > /etc/kopano/server.cfg << EOF
+
+server_listen = *:236
+local_admin_users = root kopano
+
+#database_engine = mysql
+#mysql_host = localhost
+#mysql_port = 3306
+mysql_user = $MARIA_DB_USER
+mysql_password = $MARIA_USER_PWD
+mysql_database = $MARIA_DB_NAME
+
+user_plugin = ldap
+user_plugin_config = /etc/kopano/ldap.cfg
+
+EOF
+
+#### Adjust php settings ####
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+cat > /etc/php/7.3/fpm/pool.d/webapp.conf << EOF
+
+[webapp]
+listen = 127.0.0.1:9002
+user = www-data
+group = www-data
+listen.allowed_clients = 127.0.0.1
+pm = dynamic
+pm.max_children = 150
+pm.start_servers = 35
+pm.min_spare_servers = 20
+pm.max_spare_servers = 50
+pm.max_requests = 200
+listen.backlog = -1
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+EOF
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+#### Adjust nginx settings ####
+
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
+openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+
+#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+cat > /etc/nginx/sites-available/webapp.conf << EOF
+upstream php-handler {
+    server 127.0.0.1:9002;
+    #server unix:/var/run/php5-fpm.sock;
+    #server unix:/var/run/php/php7.3-fpm.sock;
+}
+ 
+server{
+    listen 80;
+    charset utf-8;
+    listen [::]:80;
+    server_name _;
+ 
+    location / {
+        rewrite   ^(.*)   https://\$server_name\$1 permanent;
+    }  
+ }
+ 
+server {
+    charset utf-8;
+    listen 443;
+    listen [::]:443 ssl;
+    server_name _;
+    ssl on;
+    client_max_body_size 1024m;
+    ssl_certificate /etc/ssl/certs/kopano.crt;
+    ssl_certificate_key /etc/ssl/private/kopano.key;
+    ssl_session_cache shared:SSL:1m;
+    ssl_session_timeout 5m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+    ssl_prefer_server_ciphers on;
+    #
+    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    #
+ 
+    # add headers
+    server_tokens off;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+  
+    location /webapp {
+        alias /usr/share/kopano-webapp/;
+        index index.php;
+     
+    location ~ /webapp/presence/ {
+                rewrite ^/webapp/presence(/.*)$ \$1 break;
+                proxy_pass http://localhost:1234;
+                proxy_set_header Upgrade \$http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_http_version 1.1;
+                }
+ 
+    }
+ 
+    location ~* ^/webapp/(.+\.php)$ {
+        alias /usr/share/kopano-webapp/;
+ 
+        # deny access to .htaccess files
+        location ~ /\.ht {
+                    deny all;
+        }
+  
+        fastcgi_param PHP_VALUE "
+            register_globals=off
+            magic_quotes_gpc=off
+            magic_quotes_runtime=off
+            post_max_size=31M
+            upload_max_filesize=30M
+        ";
+        fastcgi_param PHP_VALUE "post_max_size=31M
+                 upload_max_filesize=30M
+                 max_execution_time=3660
+        ";
+ 
+        include fastcgi_params;
+        fastcgi_index index.php;
+        #fastcgi_param HTTPS on;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$1;
+        fastcgi_pass php-handler;
+        access_log /var/log/nginx/kopano-webapp-access.log;
+        error_log /var/log/nginx/kopano-webapp-error.log;
+ 
+        # CSS and Javascript
+        location ~* \.(?:css|js)$ {
+            expires 1y;
+            access_log off;
+            add_header Cache-Control "public";
+        }
+ 
+        # All (static) resources set to 2 months expiration time.
+        location ~* \.(?:jpg|gif|png)\$ {
+            expires 2M;
+            access_log off;
+            add_header Cache-Control "public";
+        }
+ 
+        # enable gzip compression
+        gzip on;
+        gzip_min_length  1100;
+        gzip_buffers  4 32k;
+        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
+        gzip_vary on;
+        }
+ 
+}
+ 
+map \$http_upgrade \$connection_upgrade {
+        default upgrade;
+        '' close;
+}
+EOF
+
+
+
+ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
+
+systemctl restart nginx
+

src/lxc-base.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -euo pipefail
 
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
@@ -7,6 +8,7 @@
 
 # load configuration
 echo "Loading configuration..."
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants.conf
 source /root/constants-service.conf
@@ -24,23 +26,23 @@ locale-gen $LXC_LOCALE
 if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
 
 cat << EOF > /etc/apt/sources.list
-deb http://ftp.de.debian.org/debian bullseye main contrib
+deb https://debian.inf.tu-dresden.de/debian bullseye main contrib
 
-deb http://ftp.de.debian.org/debian bullseye-updates main contrib
+deb https://debian.inf.tu-dresden.de/debian bullseye-updates main contrib
 
 # security updates
-deb http://security.debian.org bullseye-security main contrib
+deb https://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib
 EOF
 
 elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
 
 cat << EOF > /etc/apt/sources.list
-deb http://ftp.de.debian.org/debian buster main contrib
+deb https://debian.inf.tu-dresden.de/debian buster main contrib
 
-deb http://ftp.de.debian.org/debian buster-updates main contrib
+deb https://debian.inf.tu-dresden.de/debian buster-updates main contrib
 
 # security updates
-deb http://security.debian.org buster/updates main contrib
+deb https://debian.inf.tu-dresden.de/debian-security buster/updates main contrib
 EOF
 else echo "LXC Debian Version false. Please check configuration files!" ; exit
 fi

src/mailpiler/install-service.sh

@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
@@ -143,7 +144,7 @@ cat >> /usr/local/etc/piler/config-site.php <<EOF
 \$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
 
 // general settings.
-\$config['TIMEZONE'] = 'Europe/Berlin';
+\$config['TIMEZONE'] = '$LXC_TIMEZONE';
 
 // authentication
 // Enable authentication against an imap server

src/matrix/constants-service.conf

@@ -20,4 +20,4 @@ LXC_UNPRIVILEGED="1"
 LXC_NESTING="1"
 
 # Define the version of Element Web
-MATRIX_ELEMENT_VERSION="v1.9.8"
+MATRIX_ELEMENT_VERSION="v1.9.9"

src/matrix/install-service.sh

@@ -5,14 +5,15 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+MRX_PKE=$(random_password)
 
 ELE_DBNAME="synapse_db"
 ELE_DBUSER="synapse_user"
-ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ELE_DBPASS=$(random_password)
 
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
 

src/nextcloud/constants-service.conf

@@ -38,4 +38,4 @@ NEXTCLOUD_DB_NAME="nextcloud_db"
 NEXTCLOUD_DB_USR="nextcloud"
 
 # Build a strong password for the SQL user - could be overwritten with something fixed 
-NEXTCLOUD_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+NEXTCLOUD_DB_PWD="$(random_password)"

src/nextcloud/install-service.sh

@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
@@ -21,10 +22,10 @@ echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils nfs-common cifs-utils redis-server imagemagick \
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends sudo tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
 postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
 
-timedatectl set-timezone Europe/Berlin
+timedatectl set-timezone $LXC_TIMEZONE
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 
@@ -60,14 +61,14 @@ sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD
 sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/;date.timezone.*/date.timezone = Europe\/\Berlin/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;date.timezone.*/date.timezone = Europe\/\Berlin/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
@@ -375,7 +376,7 @@ array (
 'knowledgebaseenabled' => false,
 'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
 'loglevel' => 2,
-'logtimezone' => 'Europe/Berlin',
+'logtimezone' => '$LXC_TIMEZONE',
 'log_rotate_size' => 104857600,
 'maintenance' => false,
 'memcache.local' => '\OC\Memcache\APCu',

src/onlyoffice/install-service.sh

@@ -1,7 +1,15 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
-ONLYOFFICE_DB_PASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ONLYOFFICE_DB_PASS=$(random_password)
 
 apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
 echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list

src/open3a/install-service.sh

@@ -5,12 +5,13 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-
+LXC_IP=$(hostname -I)
 webroot=/var/www/html
 
-MYSQL_PASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)"
+MYSQL_PASSWORD="$(random_password_open3a)"
 
 apt update
 
@@ -69,4 +70,12 @@ chmod +x /etc/cron.daily/open3a-backup
 systemctl enable --now php7.4-fpm
 systemctl restart php7.4-fpm nginx
 
-echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$LXC_IP\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"
+cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
+<?php echo "This is a database-file."; /*
+host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
+varchar(40)&%%%&varchar(20)&%%%&varchar(20)&%%%&varchar(30)&%%%&varchar(40)                                                                                         
+localhost                               &%%%&open3a              &%%%&$MYSQL_PASSWORD&%%%&open3a                        &%%%&*                                       %%&&&
+*/ ?>
+EOF
+
+echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"

src/proxmox-pbs/install-service.sh

@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 

src/sources.list

@@ -1,6 +0,0 @@
-deb http://ftp.de.debian.org/debian buster main contrib
-
-deb http://ftp.de.debian.org/debian buster-updates main contrib
-
-# security updates
-deb http://security.debian.org buster/updates main contrib

src/urbackup/constants-service.conf

@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-10-standard"
+LXC_TEMPLATE_VERSION="debian-11-standard"
 
 # Create sharefs mountpoint
 LXC_MP="1"
@@ -23,4 +23,4 @@ LXC_NESTING="1"
 URBACKUP_DATA="urbackup"
 
 # OS codename for opensuse / urbackup repo
-REPO_CODENAME="Debian_10"
+REPO_CODENAME="Debian_11"

src/urbackup/install-service.sh

@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 

src/zabbix/constants-service.conf

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"

src/zabbix/install-service.sh

@@ -0,0 +1,174 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
+echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-sql-scripts zabbix-agent sudo ssl-cert
+
+unlink /etc/nginx/sites-enabled/default
+
+cat << EOF > /etc/zabbix/nginx.conf
+server {
+        listen          80 default_server;
+        listen          [::]:80 default_server;
+        server_name _;
+
+        server_tokens off;
+
+        access_log /var/log/nginx/gitea.access.log;
+        error_log /var/log/nginx/gitea.error.log;
+
+        location /.well-known/ {
+        }
+
+        return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+        }
+
+server {
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+
+        server_tokens off;
+        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+        ssl_protocols TLSv1.3 TLSv1.2;
+        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+        ssl_dhparam /etc/nginx/dhparam.pem;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 180m;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 1.1.1.1 1.0.0.1;
+
+        add_header Strict-Transport-Security "max-age=31536000" always;
+
+        root    /usr/share/zabbix;
+
+        index   index.php;
+
+        location = /favicon.ico {
+                log_not_found   off;
+        }
+
+        location / {
+                try_files       \$uri \$uri/ =404;
+        }
+
+        location /assets {
+                access_log      off;
+                expires         10d;
+        }
+
+        location ~ /\.ht {
+                deny            all;
+        }
+
+        location ~ /(api\/|conf[^\.]|include|locale) {
+                deny            all;
+                return          404;
+        }
+
+        location /vendor {
+                deny            all;
+                return          404;
+        }
+
+        location ~ [^/]\.php(/|$) {
+                fastcgi_pass    unix:/var/run/php/zabbix.sock;
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_index   index.php;
+
+                fastcgi_param   DOCUMENT_ROOT   /usr/share/zabbix;
+                fastcgi_param   SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name;
+                fastcgi_param   PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name;
+
+                include fastcgi_params;
+                fastcgi_param   QUERY_STRING    \$query_string;
+                fastcgi_param   REQUEST_METHOD  \$request_method;
+                fastcgi_param   CONTENT_TYPE    \$content_type;
+                fastcgi_param   CONTENT_LENGTH  \$content_length;
+
+                fastcgi_intercept_errors        on;
+                fastcgi_ignore_client_abort     off;
+                fastcgi_connect_timeout         60;
+                fastcgi_send_timeout            180;
+                fastcgi_read_timeout            180;
+                fastcgi_buffer_size             128k;
+                fastcgi_buffers                 4 256k;
+                fastcgi_busy_buffers_size       256k;
+                fastcgi_temp_file_write_size    256k;
+        }
+}
+EOF
+
+ln -sf /etc/zabbix/nginx.conf /etc/nginx/sites-enabled/zabbix.conf
+
+cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf
+[zabbix]
+user = www-data
+group = www-data
+
+listen = /var/run/php/zabbix.sock
+listen.owner = www-data
+listen.allowed_clients = 127.0.0.1
+
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+pm.max_requests = 200
+
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/lib/php/sessions/
+
+php_value[max_execution_time] = 300
+php_value[memory_limit] = 128M
+php_value[post_max_size] = 16M
+php_value[upload_max_filesize] = 2M
+php_value[max_input_time] = 300
+php_value[max_input_vars] = 10000
+EOF
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ZABBIX WITH PASSWORD '${ZABBIX_DB_PWD}';"
+psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
+echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
+EOF
+
+sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
+
+zcat /usr/share/doc/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql zabbix 
+
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
+
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm 
+
+systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm 

src/zammad/constants-service.conf

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
+LXC_MEM="2048"

src/zammad/install-service.sh

@@ -0,0 +1,181 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+LXC_IP=$(hostname -I)
+
+apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key
+apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch
+
+cat << EOF >>/etc/hosts
+0.0.0.0 image.zammad.com
+0.0.0.0 images.zammad.com
+0.0.0.0 geo.zammad.com
+0.0.0.0 www.zammad.com
+0.0.0.0 www.zammad.org
+0.0.0.0 www.zammad.net
+0.0.0.0 www.zammad.de
+0.0.0.0 zammad.com
+0.0.0.0 zammad.org
+0.0.0.0 zammad.net
+0.0.0.0 zammad.de
+#
+127.0.0.1 elasticsearch
+0.0.0.0 geoip.elastic.co
+EOF
+
+# Java set startup environment 
+mkdir -p /etc/elasticsearch/jvm.options.d
+cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
+# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
+# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
+-Xms1g
+-Xmx1g
+EOF
+
+wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo
+echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql
+
+# configurwe nginx
+rm -f /etc/nginx/sites-enabled/default
+
+cat << EOF > /etc/nginx/sites-available/zammad.conf
+upstream zammad-railsserver {
+  server 127.0.0.1:3000;
+}
+
+upstream zammad-websocket {
+  server 127.0.0.1:6042;
+}
+
+server {
+    listen 80;
+#EDIT no IPv6 ;-)   listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/zammad.access.log;
+    error_log /var/log/nginx/zammad.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://\$host\$request_uri;
+}
+server {
+    listen 443 ssl http2;
+#EDIT no IPv6 ;-)    listen [::]:443 ssl http2;
+
+    server_name _;
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+#
+#  https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
+#
+    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
+    add_header Referrer-Policy "strict-origin";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
+    
+    location = /robots.txt  {
+    access_log off; log_not_found off;
+    }
+    
+    location = /favicon.ico {
+    access_log off; log_not_found off;
+    }
+
+    root /opt/zammad/public;
+
+    access_log /var/log/nginx/zammad.access.log;
+    error_log  /var/log/nginx/zammad.error.log;
+
+    client_max_body_size 50M;
+
+    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
+    expires max;
+    }
+
+    location /ws {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade \$http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header CLIENT_IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto	\$scheme;
+    proxy_read_timeout 86400;
+    proxy_pass http://zammad-websocket;
+    }
+
+    location / {
+    proxy_set_header Host \$http_host;
+    proxy_set_header CLIENT_IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto	\$scheme;
+
+    # change this line in an SSO setup
+    proxy_set_header X-Forwarded-User "";
+
+    proxy_read_timeout 180;
+    proxy_pass http://zammad-railsserver;
+
+    gzip on;
+    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+    gzip_proxied any;
+    }
+}
+EOF
+
+#EDIT ADD
+echo -e "\n\n\n   >>> Warte 5 sek. und installier Zammad ...\n\n\n"
+sleep 5
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install zammad
+
+# SymLink nginx Zammad enable
+ln -s /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
+
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+
+systemctl restart nginx
+systemctl enable elasticsearch.service
+systemctl start elasticsearch.service
+
+# Elasticsearch conntact to Zammad
+/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
+zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
+zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
+zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
+
+systemctl restart elasticsearch.service
+zammad run rake searchindex:rebuild
+
+echo -e "Your Zammad installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\n"

src/zmb-ad-join/constants-service.conf

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+OPTIONAL_FEATURES=(wsdd splitdns)

src/zmb-ad-join/install-service.sh

@@ -0,0 +1,138 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+      ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+      apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
+      echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
+  elif [[ "$f" == "splitdns" ]]; then
+      ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+      ZMB_DNS_BACKEND="BIND9_DLZ"
+      ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+      echo "Unsupported optional feature $f"
+  fi
+done
+
+## configure ntp
+cat << EOF > /etc/ntp.conf
+# Local clock. Note that is not the "localhost" address!
+server 127.127.1.0
+fudge  127.127.1.0 stratum 10
+# Where to retrieve the time from
+server 0.de.pool.ntp.org     iburst prefer
+server 1.de.pool.ntp.org     iburst prefer
+server 2.de.pool.ntp.org     iburst prefer
+driftfile       /var/lib/ntp/ntp.drift
+logfile         /var/log/ntp
+ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
+# Access control
+# Default restriction: Allow clients only to query the time
+restrict default kod nomodify notrap nopeer mssntp
+# No restrictions for "localhost"
+restrict 127.0.0.1
+# Enable the time sources to only provide time to this host
+restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
+tinker panic 0
+EOF
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp cifs-utils samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+	  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+  cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+  forwarders {
+    $LXC_DNS;
+  };
+  allow-query {  any;};
+  dnssec-validation no;
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved
+rm -f /etc/samba/smb.conf
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
+
+cat > /etc/cron.d/sysvol-sync << EOF
+*/5 * * * * root /usr/bin/rsync -XAavz --delete-after root@$LXC_DNS:/var/lib/samba/sysvol/ /var/lib/samba/sysvol
+EOF
+
+ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES

src/zmb-ad/install-service.sh

@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 

src/zmb-member/install-service.sh

@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 
@@ -99,9 +100,9 @@ wbinfo -g
 mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
 # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
-setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
-systemctl restart smbd nmbd winbind wsdd
+systemctl restart smbd nmbd winbind wsdd

src/zmb-standalone/install-service.sh

@@ -5,6 +5,7 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf