Update and rename check_zambaconf_trmm.sh to check_zambaconfonpve_trmm.sh

Update check_zambaconf_trmm.sh
also recognizes forgotten zamba.confs in lxcs root
2025-06-15 14:27:01 +02:00 · 2025-06-05 22:32:26 +02:00 · 2025-06-05 22:05:15 +02:00 · 2025-06-04 11:01:30 +02:00 · 2025-06-04 10:47:50 +02:00 · 2025-05-22 15:56:06 +02:00
17 changed files with 875 additions and 422 deletions
--- a/check_zambaconfonpve_trmm.sh
+++ b/check_zambaconfonpve_trmm.sh
@ -0,0 +1,19 @@
+#!/bin/bash
+
+export LC_ALL=C
+ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf"
+
+if [[ -f "$ZAMBA_CONF" ]]; then
+    # Prüfen, ob die Datei älter als 3 Tage ist
+    if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then
+        echo "⚠️ zamba.conf ist älter als 3 Tage – Datei wird gelöscht: $ZAMBA_CONF"
+        rm -f "$ZAMBA_CONF"
+        exit 0
+    else
+        echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF"
+        exit 2
+    fi
+else
+    echo "✅ OK: zamba.conf ist nicht vorhanden"
+    exit 0
+fi
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@ -99,17 +99,21 @@ LXC_TAGS="linux,debian,${service}"

 ############### Zamba-Server-Section ###############

-# Defines the REALM for the Active Directory (AD DC, AD member)
+# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
 ZMB_REALM="ZMB.ROCKS"
-# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
+# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_DOMAIN="ZMB"

-# Defines the name of your domain administrator account (AD DC, AD member, standalone)
+# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_ADMIN_USER="administrator"
+
 # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
 # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
 ZMB_ADMIN_PASS='Start!123'

+# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
+ZMB_DOMAIN_ADMINS="domain admins"
+
 # Defines the name of your Zamba share
 ZMB_SHARE="share"

--- a/install.sh
+++ b/install.sh
@ -102,6 +102,15 @@ source "$config"

 source "$PWD/src/$service/constants-service.conf"

+if [[ $service == "zmb-ad-restore" ]]; then
+  if find ./ | grep samba-backup*.tar.bz2 ; then
+    sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
+  else
+    echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
+    exit 1
+  fi
+fi
+
 if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
  LXC_MEM=$LXC_MEM_MIN
 fi
@ -184,6 +193,11 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
 pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
 pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf

+if [[ $service == "zmb-ad-restore" ]]; then
+    pct exec $LXC_NBR -- mkdir -p /backup/online
+    pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
+fi
+
 if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi

 echo "Installing basic container setup..."
@ -195,6 +209,9 @@ pct shutdown $LXC_NBR
 if [[ $service == "zmb-ad" ]]; then
  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
+elif [[ $service == "zmb-ad-restore" ]]; then
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
 elif [[ $service == "zmb-ad-join" ]]; then
  pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi
--- a/scripts/nextcloud-update
+++ b/scripts/nextcloud-update
@ -1,17 +1,47 @@
 #!/bin/bash
-#
-# Update nextcloud
-# place in /etc/cron.daily and make executable with chmod +x  /etc/cron.daily/nextcloud-update
-user=www-data
-phpversion=php8.0
-path=/var/www/nextcloud

-alias ncc="sudo -u $user $phpversion $path/occ"
-alias updater="sudo -u $user $phpversion $path/updater/updater.phar"
+# Update Nextcloud
+# Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update
+
+user=www-data
+phpversion=php8.2
+path=/var/www/nextcloud
+logfile="/var/log/nextcloud-update.log"
+
+ncc() {
+  sudo -u "$user" "$phpversion" "$path/occ" "$@"
+}
+
+updater() {
+  sudo -u "$user" "$phpversion" "$path/updater/updater.phar" "$@"
+}
+
+{
+  echo "===== $(date): Nextcloud Update Start ====="

  updater --no-backup --no-interaction

-subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade")
-for cmd in ${subcommands[@]}; do
+  subcommands=(
+    "db:add-missing-primary-keys"
+    "db:add-missing-indices"
+    "db:add-missing-columns"
+    "db:convert-filecache-bigint"
+    "files:scan-app-data"
+    "upgrade"
+  )
+
+  for cmd in "${subcommands[@]}"; do
+    echo "Running: occ $cmd"
    ncc -n $cmd
  done
+
+  # App Updates
+  echo "Updating apps..."
+  apps=$(ncc app:list | grep -Po 'Enabled:\s*\K.*' | tr -d ' ' | tr ',' '\n')
+  for app in $apps; do
+    echo "Updating app: $app"
+    ncc app:update "$app"
+  done
+
+  echo "===== $(date): Nextcloud Update Finished ====="
+} >> "$logfile" 2>&1
--- a/src/functions.sh
+++ b/src/functions.sh
@ -9,7 +9,7 @@ random_password() {
 }

 generate_dhparam() {
-    openssl dhparam -out /etc/nginx/dhparam.pem 2048
+    openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 2048
    cat << EOF > /etc/cron.monthly/generate-dhparams
 #!/bin/bash
 openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
@ -27,5 +27,26 @@ apt_repo() {

    wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
    echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
-
+}
+#### Set repo and install Nginx ####
+inst_nginx() {
+    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
+}
+#### Set repo and install PHP ####
+inst_php() {
+    curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
+    echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
+}
+#### Set repo and install Postgresql ####
+inst_postgresql() {
+    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
+}
+#### Set repo and install Crowdsec ####
+inst_crowdsec() {
+    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
+    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
 }
--- a/src/mailcow/constants-service.conf
+++ b/src/mailcow/constants-service.conf
@ -13,7 +13,7 @@ LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+LXC_SHAREFS_MOUNTPOINT="backup"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"

--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@ -17,7 +17,7 @@ chmod a+r /etc/apt/keyrings/docker.gpg
 # Add the repository to Apt sources:
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix

 SECRET=$(random_password)
@ -139,7 +139,6 @@ POPS_PORT=995
 SIEVE_PORT=4190
 DOVEADM_PORT=127.0.0.1:19991
 SQL_PORT=127.0.0.1:13306
-SOLR_PORT=127.0.0.1:18983
 REDIS_PORT=127.0.0.1:7654

 # Your timezone
@ -225,15 +224,6 @@ SKIP_CLAMD=n

 SKIP_SOGO=n

-# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
-
-SKIP_SOLR=n
-
-# Solr heap size in MB, there is no recommendation, please see Solr docs.
-# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
-
-SOLR_HEAP=1024
-
 # Allow admins to log into SOGo as email user (without any password)

 ALLOW_ADMIN_EMAIL_LOGIN=n
@ -344,6 +334,37 @@ WEBAUTHN_ONLY_TRUSTED_VENDORS=n
 # Otherwise it will work normally.
 SPAMHAUS_DQS_KEY=

+# Obtain certificates for autodiscover.* and autoconfig.* domains.
+# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
+# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
+# between services. So acme-mailcow obtains for maildomains and all web-things get handled
+# in the reverse proxy.
+AUTODISCOVER_SAN=y
+# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n
+SKIP_UNBOUND_HEALTHCHECK=n
+# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
+# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
+DISABLE_NETFILTER_ISOLATION_RULE=n
+
+# ------------------------------
+# REDIS configuration
+# ------------------------------
+
+REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.
+# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.
+# Please always monitor your Resource consumption!
+FTS_HEAP=128
+# Controls how many processes the Dovecot indexing process can spawn at max.
+# Too many indexing processes can use a lot of CPU and Disk I/O
+# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations
+FTS_PROCS=1
+# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.
+# Dovecot inside mailcow use Flatcurve as FTS Backend.
+SKIP_FTS=y
+# Redirect HTTP connections to HTTPS - y/n
+HTTP_REDIRECT=y
+
 EOF

 cat << EOF > data/conf/nginx/redirect.conf
@ -364,32 +385,11 @@ server {
 EOF

 cat << EOF > /etc/cron.daily/mailcowbackup
-#!/bin/sh
-
-# Backup mailcow data
-# https://docs.mailcow.email/backup_restore/b_n_r-backup/
-
-set -e
-
-OUT="\$(mktemp)"
-export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
-SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
-PARAMETERS="backup all"
-OPTIONS="--delete-days 7"
-mkdir -p \$MAILCOW_BACKUP_LOCATION
-
-# run command
-set +e
-"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
-RESULT=\$?
-
-if [ \$RESULT -ne 0 ]
-    then
-            echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
-            echo "RESULT=\$RESULT"
-            echo "STDOUT / STDERR:"
-            cat "\$OUT"
-fi
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized
+40 2 * * * rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes
+5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3
 EOF

 chmod +x /etc/cron.daily/mailcowbackup
--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@ -30,7 +30,10 @@ LXC_KEYCTL="0"
 NEXTCLOUD_VERSION="latest"

 # Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.2"
+NEXTCLOUD_PHP_VERSION="8.3"
+
+# Defines the postgresql version to install
+POSTGRES_VERSION=16 

 # Defines the IP from the SQL server
 NEXTCLOUD_DB_IP="127.0.0.1"
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@ -5,117 +5,55 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

+set -euo pipefail
+
 source /root/functions.sh
-
-NEXTCLOUD_ADMIN_PWD=$(random_password)
-
 source /root/zamba.conf
 source /root/constants-service.conf

+NEXTCLOUD_ADMIN_PWD=$(random_password)
+NEXTCLOUD_REDIS_PWD=$(random_password)
 HOSTNAME=$(hostname -f)
+HOST_IP=$(hostname -i)

-wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
-echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
-
-wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
-echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
-
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
-echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
-
-apt update
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
-postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
-
-timedatectl set-timezone $LXC_TIMEZONE
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
-chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
-
-#### Create database for nextcloud ####
-
-su - postgres <<EOF
-psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
-psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
-echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
-EOF
-
-#### Adjust php settings ####
-
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
-cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
-sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
-sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
-
-#### Adjust nginx settings ####
-
-mkdir -p /etc/nginx/ssl
+#### Modify Nginx for Nextcloud ####
+mod_nginx() {
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
 generate_dhparam

 mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

-
 cat > /etc/nginx/nginx.conf <<EOF
 user www-data;
 worker_processes auto;
 pid /var/run/nginx.pid;
 events {
-worker_connections 1024;
-multi_accept on; use epoll;
+  worker_connections 2048;
+  multi_accept on;
+  use epoll;
 }
 http {
+  log_format bashclub escape=json
+  '{'
+    '"time_local":"\$time_local",'
+    '"remote_addr":"\$remote_addr",'
+    '"remote_user":"\$remote_user",'
+    '"request":"\$request",'
+    '"status": "\$status",'
+    '"body_bytes_sent":"\$body_bytes_sent",'
+    '"request_time":"\$request_time",'
+    '"http_referrer":"\$http_referer",'
+    '"http_user_agent":"\$http_user_agent"'
+  '}';
  server_names_hash_bucket_size 64;
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log warn;
  set_real_ip_from 127.0.0.1;
-#optional, Sie können das eigene Subnetz ergänzen, bspw.:
-# set_real_ip_from $LXC_IP;
+  # optional, set reverse proxy ip, if used:
+  # set_real_ip_from $NEXTCLOUD_REVPROX;
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;
  include /etc/nginx/mime.types;
-types {
-        text/javascript mjs;
-    }
  default_type application/octet-stream;
  sendfile on;
  send_timeout 3600;
@ -126,7 +64,7 @@ open_file_cache_errors on;
  keepalive_timeout 65;
  reset_timedout_connection on;
  server_tokens off;
-resolver 127.0.0.53 valid=30s;
+  resolver $NEXTCLOUD_REVPROX valid=30s;
  resolver_timeout 5s;
  include /etc/nginx/conf.d/*.conf;
 }
@ -148,6 +86,10 @@ listen 80 default_server;
  listen [::]:80 default_server;
  server_name $NEXTCLOUD_FQDN;
  root /var/www;
+  location ^~ /.well-known/acme-challenge {
+    default_type text/plain;
+    root /var/www/letsencrypt;
+  }
  location / {
    return 301 https://\$host\$request_uri;
  }  
@ -155,9 +97,16 @@ return 301 https://\$host\$request_uri;
 EOF

 cat > /etc/nginx/conf.d/nextcloud.conf << EOF
+limit_req_zone \$binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s;
 server {
-listen 443      ssl http2;
-listen [::]:443 ssl http2;
+  listen 443 ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+  #listen 443 quic reuseport;
+  #listen [::]:443 quic reuseport;
+  #http3 on;
+  #http3_hq on;
+  #quic_retry on;
  server_name $NEXTCLOUD_FQDN;
  ssl_certificate /etc/ssl/certs/nextcloud.crt;
  ssl_certificate_key /etc/ssl/private/nextcloud.key;
@ -173,12 +122,11 @@ ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
-ssl_ecdh_curve X448:secp521r1:secp384r1;
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  ssl_stapling_verify on;
-client_max_body_size 5120M;
-client_body_timeout 300s;
+  client_max_body_size 10G;
+  client_body_timeout 3600s;
  client_body_buffer_size 512k;
  fastcgi_buffers 64 4K;
  gzip on;
@ -186,7 +134,7 @@ gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+  gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
  add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
  add_header Permissions-Policy                   "interest-cohort=()";
  add_header Referrer-Policy                      "no-referrer"   always;
@ -196,13 +144,16 @@ add_header X-Frame-Options                      "SAMEORIGIN"    always;
  add_header X-Permitted-Cross-Domain-Policies    "none"          always;
  add_header X-Robots-Tag                         "noindex, nofollow" always;
  add_header X-XSS-Protection                     "1; mode=block" always;
+  add_header Alt-Svc                              'h3=":\$server_port"; ma=86400';
+  add_header x-quic                               'h3';
+  add_header Alt-Svc                              'h3-29=":\$server_port"';
  fastcgi_hide_header X-Powered-By;
-fastcgi_read_timeout 3600;
-fastcgi_send_timeout 3600;
-fastcgi_connect_timeout 3600;
+  include mime.types;
+  types {
+    text/javascript mjs;
+  }
  root /var/www/nextcloud;
  index index.php index.html /index.php\$request_uri;
-expires 1m;
  location = / {
    if ( \$http_user_agent ~ ^DavClnt ) {
      return 302 /remote.php/webdav/\$is_args\$args;
@ -213,20 +164,18 @@ allow all;
    log_not_found off;
    access_log off;
  }
-location ^~ /apps/rainloop/app/data {
-deny all;
-}
  location ^~ /.well-known {
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
-location ^~ /.well-known            { return 301 /index.php/\$uri; }
-try_files \$uri \$uri/ =404;
+    location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; }
+    location /.well-known/pki-validation { try_files \$uri \$uri/ =404; }
+    return 301 /index.php\$request_uri;
  }
-location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/)  { return 404; }
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
-location ~ \.php(?:\$|/) {
-rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
-fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
+  location ~ \.php(?:$|/) {
+    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php\$request_uri;
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set \$path_info \$fastcgi_path_info;
    try_files \$fastcgi_script_name =404;
    include fastcgi_params;
@ -238,25 +187,49 @@ fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+    fastcgi_max_temp_file_size 0;
  }
-location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
+  location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
    try_files \$uri /index.php\$request_uri;
+    add_header Cache-Control                     "public, max-age=15768000, \$asset_immutable";
+    add_header Permissions-Policy                "interest-cohort=()";
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+    add_header Alt-Svc                           'h3=":\$server_port"; ma=86400';
+    add_header x-quic                            'h3';
+    add_header Alt-Svc                           'h3-29=":\$server_port"';
+    access_log off;
    expires 6M;
    access_log off;
    location ~ \.wasm$ {
      default_type application/wasm;
    }
  }
-location ~ \.woff2?\$ {
+  location ~ \.(otf|woff2?)$ {
    try_files \$uri /index.php\$request_uri;
    expires 7d;
    access_log off;
  }
+  location /remote {
+    return 301 /remote.php\$request_uri;
+  }
+  location /login {
+    limit_req zone=NextcloudRateLimit burst=5 nodelay;
+    limit_req_status 429;
+    try_files \$uri \$uri/ /index.php\$request_uri;
+  }
  location / {
    try_files \$uri \$uri/ /index.php\$request_uri;
  }
-location /push/ {
-proxy_pass http://localhost:7867/;
+  location ^~ /push/ {
+    proxy_pass http://127.0.0.1:7867/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "Upgrade";
@ -265,42 +238,147 @@ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  }
 }
 EOF
+}

-systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
+#### Modify php settings for Nextcloud ####
+mod_php() {
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
+cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak

-#### Adjust redis settings ####
+sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_children =.*/pm.max_children = 200/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.start_servers =.*/pm.start_servers = 100/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 60/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 140/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini

+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/;cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+
+sed -i "s/memory_limit = 128M/memory_limit = 1G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.validate_timestamps=.*/opcache.validate_timestamps=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=256/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=100000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.huge_code_pages=.*/opcache.huge_code_pages=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+
+sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+
+sed -i '$aapc.enable_cli=1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
+
+sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+
+sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
+
+sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.max_persistent = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.max_links = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.ignore_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.log_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+}
+
+#### Modify Postgresql for Nextcloud ####
+mod_postgresql() {
+su - postgres <<EOF
+    psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
+    psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
+    echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
+EOF
+    cat > /etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf <<EOF
+    max_connections = 200
+    shared_buffers = 1GB
+    effective_cache_size = 3GB
+    maintenance_work_mem = 256MB
+    checkpoint_completion_target = 0.9
+    wal_buffers = 16MB
+    default_statistics_target = 100
+    random_page_cost = 1.1
+    effective_io_concurrency = 200
+    work_mem = 2621kB
+    min_wal_size = 1GB
+    max_wal_size = 4GB
+    max_worker_processes = 4
+    max_parallel_workers_per_gather = 2
+    max_parallel_workers = 4
+    max_parallel_maintenance_workers = 2
+EOF
+}
+
+#### Install and modify Redis-server ####
+inst_redis() {
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends redis-server
+}
+mod_redis() {
 cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
 sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
 sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
 sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
-sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
+sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
+sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
 usermod -aG redis www-data
-
-#### Adjust sysctl.conf settings ####
-
 cp /etc/sysctl.conf /etc/sysctl.conf.bak
-echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
-systemctl restart redis
+sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
+}

-#### HIER MÜSSTE EIN REBOOT REIN ####
-
-
-#### Install nextcloud ####
+#### Install some more packages
+inst_packages() {
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra
+timedatectl set-timezone $LXC_TIMEZONE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+}

+#### Install and modify Nextcloud ####
+inst_nextcloud() {
 cd /usr/local/src
-
 wget https://download.nextcloud.com/server/releases/latest.tar.bz2
 wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5

-md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
-
-tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
+md5sum -c --ignore-missing latest.tar.bz2.md5 < latest.tar.bz2
+tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2*

 cat > /root/permissions.sh << EOF
 #!/bin/bash
 find /var/www/ -type f -print0 | xargs -0 chmod 0640
 find /var/www/ -type d -print0 | xargs -0 chmod 0750
+if [ -d "/var/www/nextcloud/apps/notify_push" ]; then
+chmod ug+x /var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push
+fi
+chmod -R 770 /etc/letsencrypt 
 chown -R www-data:www-data /var/www
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
 chmod 0644 /var/www/nextcloud/.htaccess
@ -310,39 +388,14 @@ EOF

 chmod +x /root/permissions.sh
 /root/permissions.sh
-
-#### install fail2ban ####
-
-cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
-[Definition]
-_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
-            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
-datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
-EOF
-
-cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
-[nextcloud]
-backend = auto
-enabled = true
-port = 80,443
-protocol = tcp
-filter = nextcloud
-maxretry = 5
-bantime = 3600
-findtime = 36000
-logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log 
-EOF
-
-systemctl restart fail2ban
+}

 #### Create configuration script for nextcloud, which will be executet as user www-data
+mod_nextcloudconfig() {

-cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
+systemctl stop nginx

-#!/bin/bash 
-
-php /var/www/nextcloud/occ maintenance:install --database pgsql \
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \
 --database-host $NEXTCLOUD_DB_IP \
 --database-port $NEXTCLOUD_DB_PORT \
 --database-name $NEXTCLOUD_DB_NAME \
@ -352,17 +405,17 @@ php /var/www/nextcloud/occ maintenance:install --database pgsql \
 --admin-pass $NEXTCLOUD_ADMIN_PWD \
 --data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA

-php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
-php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
-
-cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
-sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
 sed -i '/);/d' /var/www/nextcloud/config/config.php
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
+

 cat >> /var/www/nextcloud/config/config.php << EOF
  'activity_expire_days' => 14,
+  'allow_local_remote_servers' => true,
  'auth.bruteforce.protection.enabled' => true,
-'blacklisted_files' => 
+  'forbidden_filenames' =>
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
@ -373,37 +426,43 @@ array (
  'enable_previews' => true,
  'enabledPreviewProviders' =>
  array (
-0 => 'OC\Preview\PNG',
-1 => 'OC\Preview\JPEG',
-2 => 'OC\Preview\GIF',
-3 => 'OC\Preview\BMP',
-4 => 'OC\Preview\XBitmap',
-5 => 'OC\Preview\Movie',
-6 => 'OC\Preview\PDF',
-7 => 'OC\Preview\MP3',
-8 => 'OC\Preview\TXT',
-9 => 'OC\Preview\MarkDown',
+    0 => 'OC\\Preview\\PNG',
+    1 => 'OC\\Preview\\JPEG',
+    2 => 'OC\\Preview\\GIF',
+    3 => 'OC\\Preview\\BMP',
+    4 => 'OC\\Preview\\XBitmap',
+    5 => 'OC\\Preview\\Movie',
+    6 => 'OC\\Preview\\PDF',
+    7 => 'OC\\Preview\\MP3',
+    8 => 'OC\\Preview\\TXT',
+    9 => 'OC\\Preview\\MarkDown',
+    10 => 'OC\\Preview\\HEIC',
+    11 => 'OC\\Preview\\Movie',
+    12 => 'OC\\Preview\\MKV',
+    13 => 'OC\\Preview\\MP4',
+    14 => 'OC\\Preview\\AVI',
    ),
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'htaccess.RewriteBase' => '/',
  'integrity.check.disabled' => false,
  'knowledgebaseenabled' => false,
-'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
+  'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log',
  'loglevel' => 2,
  'logtimezone' => '$LXC_TIMEZONE',
  'log_rotate_size' => 104857600,
-'maintenance' => false,
  'memcache.local' => '\OC\Memcache\APCu',
  'memcache.locking' => '\OC\Memcache\Redis',
  'overwriteprotocol' => 'https',
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
+  'profile.enabled' => false,
  'redis' => 
  array (
-'host' => '/var/run/redis/redis-server.sock',
+    'host' => '/run/redis/redis-server.sock',
    'port' => 0,
+    'password' => '$NEXTCLOUD_REDIS_PWD',
    'timeout' => 0.0,
  ),
  'quota_include_external_storage' => false,
@ -412,50 +471,110 @@ array (
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
-'trusted_proxies' => 
+  'maintenance_window_start' => 1,
+  'maintenance' => false,
+  'mail_smtpmode' => 'sendmail',
+  'mail_sendmailmode' => 'smtp',
+  'mail_from_address' => '$NEXTCLOUD_ADMIN_USR',
+  'mail_domain' => '$NEXTCLOUD_FQDN',
+  'overwrite.cli.url' => 'https://$NEXTCLOUD_FQDN',
+  'overwritehost' => '$NEXTCLOUD_FQDN',
+  'trusted_domains' => 
  array (
-'$NEXTCLOUD_REVPROX',
-'127.0.0.1',
-'::1',
+    0 => '$HOST_IP',
+    1 => '$NEXTCLOUD_FQDN',
  ),
+
 );
 EOF

-sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
-php /var/www/nextcloud/occ app:disable survey_client
-php /var/www/nextcloud/occ app:disable firstrunwizard
-php /var/www/nextcloud/occ app:enable admin_audit
-php /var/www/nextcloud/occ app:enable notify_push
-php /var/www/nextcloud/occ app:enable files_pdfviewer
-php /var/www/nextcloud/occ background:cron
-DFOE
-
 /root/permissions.sh

-su -s /bin/bash www-data <<EOF
-bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
-EOF
+sudo -u www-data /usr/bin/cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable survey_client
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable firstrunwizard
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable admin_audit
+#sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable notify_push
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ background:cron
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ db:add-missing-indices
+sudo -u www-data nohup /usr/bin/php /var/www/nextcloud/occ maintenance:repair --include-expensive &
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini

-#### Create file for high performance backend
+echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+
+systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm
+systemctl start nginx

 cat > /etc/systemd/system/notify_push.service << EOF
 [Unit]
 Description = Push daemon for Nextcloud clients
+After=nginx.service php$NEXTCLOUD_PHP_VERSION-fpm.service system-postgresql.slice redis-server.service
+
 [Service]
 Environment=PORT=7867
 Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
 Environment=ALLOW_SELF_SIGNED=true
 ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
 User=www-data
+
 [Install]
 WantedBy = multi-user.target
 EOF

 systemctl daemon-reload
-systemctl enable --now notify_push
+systemctl enable notify_push
+}

-echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+#### Modifying Crowdsec ####
+mod_crowdsec() {
+systemctl restart crowdsec
+cscli collections install crowdsecurity/nginx
+cscli collections install crowdsecurity/nextcloud
+cscli collections install crowdsecurity/sshd
+
+cat >> /etc/crowdsec/acquis.yaml << EOF
+filenames:
+ - /var/log/nextcloud/nextcloud.log
+labels:
+  type: Nextcloud
+---
+EOF
+systemctl reload crowdsec
+}
+#### Install the system !####
+echo "=> Installing Nginx ..."
+inst_nginx
+echo "=> Modifying Nginx config for Nextcloud ..."
+mod_nginx
+
+echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
+inst_php
+echo "=> Modifying PHP config for Nextcloud ..."
+mod_php
+
+echo "=> Installing Postgresql $POSTGRES_VERSION ..."
+inst_postgresql
+echo "=> Modifying Postgresql config for Nextcloud ..."
+mod_postgresql
+
+echo "=> Installing Redis-server ..."
+inst_redis
+echo "=> Modifying Redis-server for Nextcloud ..."
+mod_redis
+
+echo "=> Installing some more packages ..."
+inst_packages
+
+echo "=> Installing Nextcloud ..."
+inst_nextcloud
+echo "=> Modifying Nextcloud ..."
+mod_nextcloudconfig
+
+echo "=> Installing Crowdsec ..."
+inst_crowdsec
+echo "=> Modifying Crowdsec ..."
+mod_crowdsec

 echo -e "\n######################################################################\n\n    Please note this user and password for the nextcloud login:\n        '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n                Enjoy your Nextcloud intallation.\n\n######################################################################"
-
 shutdown -r now
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@ -8,7 +8,7 @@
 # This file contains the project constants on service level

 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"

 # Create sharefs mountpoint
 LXC_MP=0
@ -27,7 +27,7 @@ LXC_NESTING="1"
 LXC_KEYCTL="0"

 # Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=2048
+LXC_MEM_MIN=4096

 # service dependent meta tags
 SERVICE_TAGS="mongodb-server,java"
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@ -10,14 +10,14 @@ set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
+# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
-wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
+wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
 echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
-echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
-echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
+# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
+echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list

 apt update

-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
--- a/src/zmb-ad-join/install-service.sh
+++ b/src/zmb-ad-join/install-service.sh
@ -205,7 +205,7 @@ EOF
 chmod +x /usr/local/bin/smb-backup

 cat << EOF > /etc/cron.d/smb-backup
-23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF

 cat << EOF > /etc/logrotate.d/smb-backup
--- a/src/zmb-ad-restore/constants-service.conf
+++ b/src/zmb-ad-restore/constants-service.conf
@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
--- a/src/zmb-ad-restore/install-service.sh
+++ b/src/zmb-ad-restore/install-service.sh
@ -0,0 +1,195 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "splitdns" ]]; then
+    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+    ZMB_DNS_BACKEND="BIND9_DLZ"
+    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+    echo "Unsupported optional feature $f"
+  fi
+done
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+  cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+
+  forwarders {
+    $LXC_DNS;
+  };
+
+  allow-query {  any;};
+  dnssec-validation no;
+
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+rm -f /etc/samba/smb.conf
+rm -f /etc/krb5.conf
+
+rm -r /var/lib/samba/*
+
+backupfile=$(find /backup/online -name samba-backup* | tail -1)
+samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/ 
+
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+# disable password expiry for administrator
+samba-tool user setexpiry Administrator --noexpiry
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF
+
+exit 0
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@ -176,7 +176,7 @@ EOF
 chmod +x /usr/local/bin/smb-backup

 cat << EOF > /etc/cron.d/smb-backup
-23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF

 cat << EOF > /etc/logrotate.d/smb-backup
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@ -96,13 +96,13 @@ systemctl restart winbind nmbd

 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
 cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chown -R root:"${ZMB_DOMAIN_ADMINS@L}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
 chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
+setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS@L}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
 systemctl disable --now cups-browsed.service

 cupsctl --remote-admin
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@ -99,9 +99,9 @@ wbinfo -g
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

 # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

-setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

 systemctl restart smbd nmbd winbind wsdd
Author	SHA1	Message	Date
Chriz	49d96dd3eb	Update and rename check_zambaconf_trmm.sh to check_zambaconfonpve_trmm.sh	2025-06-05 22:32:26 +02:00
Chriz	c8c898f047	Update check_zambaconf_trmm.sh also recognizes forgotten zamba.confs in lxcs root	2025-06-05 22:05:15 +02:00
Chriz	c9fd96a681	Update check_zambaconf_trmm.sh delete after three days	2025-06-04 11:01:30 +02:00
Chriz	077735aa03	Create check_zambaconf_trmm.sh TRMM check if you forgot to delete your zamba.conf with Passwords!	2025-06-04 10:47:50 +02:00
Chriz	8d22b06bd5	Update nextcloud-update updated tested version with php 8.2	2025-05-22 15:56:06 +02:00
Chriz	df45fc5e39	Update install-service.sh missing php-ldap	2025-05-21 19:10:30 +02:00
Thorsten Spille	e53a1854b3	Merge pull request #127 from bashclub/main merge semaphore changes to dev	2025-05-17 10:11:06 +02:00
thorstenspille	f0de34102b	replace backup cronjob	2025-04-28 13:09:55 +02:00
thorstenspille	203e4bdc28	fix description for variable	2025-04-28 12:44:27 +02:00
thorstenspille	8f182ac9f8	add permissions for domain admins group	2025-04-28 12:43:42 +02:00
thorstenspille	ab363d5793	mailcow: fis backup path	2025-04-28 12:43:14 +02:00
thorstenspille	d64a81b185	Fix permissions on zmb-cups	2025-04-28 12:42:37 +02:00
thorstenspille	73a70918d4	fix smb backup jobs for dcs	2025-04-28 12:41:58 +02:00
thorstenspille	3bbd1d98b5	update mailcow.conf, fix backup storage	2025-04-28 12:41:26 +02:00
DerFossiBaer	26cef69e6b	Update install-service.sh	2025-01-30 12:57:51 +01:00
DerFossiBaer	f481a7a7f4	Update install-service.sh	2025-01-29 18:11:54 +01:00
DerFossiBaer	472cb5b777	Update install-service.sh	2025-01-29 18:09:08 +01:00
DerFossiBaer	12a9c39873	Update functions.sh Added some functions for installations	2025-01-29 18:07:04 +01:00
DerFossiBaer	6876e6f459	Update install-service.sh nearly completely new installation is now generated in functions, witch are added at the end of the script.	2025-01-29 18:02:48 +01:00
DerFossiBaer	a10e16633a	Update constants-service.conf change php to 8.3 added postgresql version	2025-01-29 17:58:14 +01:00
DerFossiBaer	23c4166e18	Update constants-service.conf Due to oom-killers set MEM to 4096MB	2025-01-07 16:05:46 +01:00
DerFossiBaer	3fe94152cc	Update install-service.sh With Omada 5.15 mongodb 7.0 and default jre are possible.	2025-01-06 23:05:43 +01:00
Thorsten Spille	d50b7a93c2	Update constants-service.conf Change Omada to Debian bookworm	2025-01-06 21:32:36 +01:00
Thorsten Spille	8cf9c45f79	set domain admins group in zmb.conf, add zmb-ad-restore container	2024-11-28 21:27:56 +01:00