bashclub/zamba-lxc-toolbox
2
0
Fork 1
mirror of https://github.com/bashclub/zamba-lxc-toolbox.git synced 2025-06-15 14:27:01 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: bashclub:main
Branches Tags
bashclub:main bashclub:dev bashclub:release-1.2 bashclub:old_dev_2022 bashclub:release-1.1 bashclub:Release-1.0 bashclub:archive-devel-1.0 Rigo:dev Rigo:main Rigo:Release-1.0 Rigo:archive-devel-1.0
bashclub:v0.1 Rigo:v0.1
..
compare: Rigo:dev
Branches Tags
Rigo:dev Rigo:main Rigo:Release-1.0 Rigo:archive-devel-1.0 bashclub:main bashclub:dev bashclub:release-1.2 bashclub:old_dev_2022 bashclub:release-1.1 bashclub:Release-1.0 bashclub:archive-devel-1.0
Rigo:v0.1 bashclub:v0.1

6 Commits
main ... dev

Author SHA1 Message Date
Rigo
2fb27d6186 bug: 20 Character (pwd) 2022-06-06 13:59:20 +02:00
Rigo
8d43d3cf07 Defines the amount of RAM (default) 1GB ->2GB 
Defines the amount of RAM for elasticsearch (Java option)
 2022-05-31 10:15:44 +02:00
Rigo
208d0b7bc2 Java set startup environment & add "robots.txt - noLog" 2022-05-31 09:45:40 +02:00
Rigo
9790aa74c7 Elasticsearch conntact to Zammad & changed installation order 2022-05-31 09:37:59 +02:00
Rigo
5b64f1f7cb „src/open3a/install-service.sh“ ändern 
- add "get real IP" hostname
- add MySQL first Initiation of Open3A
 2022-05-31 09:16:14 +02:00
Rigo
d04c8efba1 "../src/functions.sh" vor erste ... 
add Open3A password length function for MySQL-DB
 2022-05-31 09:04:59 +02:00
77 changed files with 633 additions and 3953 deletions
Expand all files Collapse all files

24
README.md
View File

@ -7,30 +7,24 @@ The package also provides LXC container installers for `mailpiler`, `matrix-syna
### Requirements
Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
### Included services:
- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/)
- `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/)
- `checkmk` => Check_MK 2.0 Monitoring Server
- `debian-priv` => Debian privileged container with basic toolset
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de)
- `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
- `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/)
- `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/)
- `gitea`=> Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
- `kopano-core` => Kopano Core Grouoware [kopano.io](https://kopano.io/)
- `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
- `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
- `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/)
- `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
- `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
- `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
- `unifi` => Unifi Controller [ui.com](https://ui.com)
- `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
- `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
## Usage
Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
```bash
@ -64,11 +58,3 @@ You can also view possible parameters with `install.sh -h`
After container creation, you will be prompted to select the service to install and depending on the service there may be some more questions during installation.
Once the script has finished, the container is installed and running and you can continue with the service specific configuration.
# Authors
### Markus Helmke
[<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/nettwarker)
### Thorsten Spille
[<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/thorakel)

77
conf/README.md
View File

@ -40,14 +40,13 @@ LXC_SHAREFS_MOUNTPOINT="tank"
```
### LXC_MEM
Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
If a service needs more minimum memory, LXC_MEM will be overwritten.
```bash
LXC_MEM=1024
LXC_MEM="1024"
```
### LXC_SWAP
Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
```bash
LXC_SWAP=1024
LXC_SWAP="1024"
```
### LXC_HOSTNAME
Defines the hostname of your LXC container (Default: Name of installed Service)
@ -255,75 +254,3 @@ checkmk edition (raw or free)
```bash
CMK_EDITION=raw
```
### Kopano-Section
### KOPANO_FQDN
Define the FQDN of your Nextcloud server
```bash
KOPANO_FQDN="kopano.zmb.rocks
```
### KOPANO_MAILGW=
Define the host, to which mails will send.
```bash
KOPANO_MAILGW="192.168.100.254"
```
### KOPANO_REPKEY
Kopano test- or subscription-key offerd from
https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+11
```bash
KOPANO_REPKEY="1234567890abcdefghijklmno"
```
### vaultwarden Section
### VW_SMTP_HOST
Hostname of your mailserver
```bash
VW_SMTP_HOST=mail.bashclub.org
```
### VW_SMTP_FROM
email address to send from
```bash
VW_SMTP_FROM="vaultwarden@bashclub.org"
```
### VW_SMTP_FROM_NAME
display name to send from
```bash
VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
```
### VW_SMTP_PORT
Smtp-port of your mailserver
```bash
VW_SMTP_PORT=587
```
### VW_SMTP_SSL
Use ssl true/false
```bash
VW_SMTP_SSL=true
```
### VW_SMTP_EXPLICIT_TLS
Use starttls true/false
```bash
VW_SMTP_EXPLICIT_TLS=false
```
### VW_SMTP_USERNAME
Username of your mailbox
```bash
VW_SMTP_USERNAME=vaultwarden@bashclub.org
```
### VW_SMTP_PASSWORD
Password of your mailbox
```bash
VW_SMTP_PASSWORD='<yourEmailPassword>'
```

82
conf/zamba.conf.example
View File

@ -25,17 +25,13 @@ LXC_SHAREFS_SIZE="100"
# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
LXC_SHAREFS_STORAGE="local-zfs"
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
# Moved to constants-service.conf, be careful if you override this value
# LXC_SHAREFS_MOUNTPOINT="tank"
# cpu core count (default: 0 = unlimited)
LXC_THREADS=0
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
LXC_MEM=1024
LXC_MEM="1024"
# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
LXC_SWAP=1024
LXC_SWAP="1024"
# Defines the hostname of your LXC container
LXC_HOSTNAME="${service}"
@ -85,18 +81,6 @@ LXC_LOCALE="de_DE.UTF-8"
# Set dark background for vim syntax highlighting (0 or 1)
LXC_VIM_BG_DARK=1
# Default random password length
LXC_RANDOMPWD=32
# Move lxc to specific ressource pool
LXC_RESSOURCE_POOL=""
# Automatically add meta tags to lxc container
LXC_AUTOTAG=1
# Add meta tags to linux container
LXC_TAGS="linux,debian,${service}"
############### Zamba-Server-Section ###############
# Defines the REALM for the Active Directory (AD DC, AD member)
@ -115,7 +99,10 @@ ZMB_SHARE="share"
############### Mailpiler-Section ###############
PILER_BRANCH=release
# Defines the (public) FQDN of your piler mail archive
PILER_FQDN="mailpiler.zmb.rocks"
# Defines the smarthost for piler mail archive
PILER_SMARTHOST="mail.zmb.rocks"
############### Matrix-Section ###############
@ -129,7 +116,7 @@ MATRIX_ELEMENT_FQDN="element.zmb.rocks"
MATRIX_ADMIN_USER="admin"
# Define the admin password
MATRIX_ADMIN_PASSWORD='Start!123'
MATRIX_ADMIN_PASSWORD="Start!123"
############### Nextcloud-Section ###############
@ -140,7 +127,7 @@ NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
NEXTCLOUD_ADMIN_USR="zmb-admin"
# Build a strong password for this user. Username and password will shown at the end of the installation.
# NEXTCLOUD_ADMIN_PWD='very_secure_password'
NEXTCLOUD_ADMIN_PWD="$(random_password)"
# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
NEXTCLOUD_DATA="nc_data"
@ -172,54 +159,3 @@ KOPANO_MAILGW="192.168.100.254"
# Kopano test- or subscription-key offerd from
# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
KOPANO_REPKEY="1234567890abcdefghijklmno"
############### vaultwarden Section ###############
# Enable/disable signups (true/false)
VW_SIGNUPS_ALLOWED=false
# Hostname of your mailserver
VW_SMTP_HOST=mail.bashclub.org
# email address to send from
VW_SMTP_FROM="vaultwarden@bashclub.org"
# display name to send from
VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
# port of your mailserver
VW_SMTP_PORT=587
# use ssl?
VW_SMTP_SSL=true
# use starttls?
VW_SMTP_EXPLICIT_TLS=false
# username of your mailbox
VW_SMTP_USERNAME=vaultwarden@bashclub.org
# password of your mailbox
VW_SMTP_PASSWORD='<yourEmailPassword>'
############### ansible-semaphore Section ###############
SEMAPHORE_ADMIN=admin
SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
SEMAPHORE_ADMIN_PASSWORD='Start123'
############### docker Section ###############
# Install Portainer (=full), Protainer Agent (=agent) or none
PORTAINER=none
############### zabbix Section ###############
# (Zabbix Proxy) Name:Port of the zabbix server
ZBX_ADDR=zabbix.zmb.rocks:10051
############### freescout Section ################
FS_FIRSTNAME=Max
FS_LASTNAME=Mustermann
FS_EMAIL=mail@zmb.rocks

77
install.sh
View File

@ -20,12 +20,11 @@ prog="$(basename $0)"
usage() {
cat >&2 <<-EOF
usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
usage: $prog [-h] [-i CTID] [-s SERVICE] [-c CFGFILE]
installs a preconfigured lxc container on your proxmox server
-i CTID provide a container id instead of auto detection
-s SERVICE provide the service name and skip the selection dialog
-c CFGFILE use a different config file than 'zamba.conf'
-d Debug mode inside LXC container
-h displays this help text
---------------------------------------------------------------------------
(C) 2021 zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
@ -38,15 +37,13 @@ usage() {
ctid=0
service=ask
config=$PWD/conf/zamba.conf
debug=0
while getopts "hi:s:c:d" opt; do
while getopts "hi:s:c:" opt; do
case $opt in
h) usage 0 ;;
i) ctid=$OPTARG ;;
s) service=$OPTARG ;;
c) config=$OPTARG ;;
d) debug=1 ;;
*) usage 1 ;;
esac
done
@ -102,24 +99,25 @@ source "$config"
source "$PWD/src/$service/constants-service.conf"
if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
LXC_MEM=$LXC_MEM_MIN
fi
if [ $LXC_AUTOTAG -gt 0 ]; then
TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}"
fi
# Check is the newest template available, else download it.
pveam update
# CHeck is the newest template available, else download it.
DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
DEB_REP=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d'_' -f2)
TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
if [[ $DEB_LOC == $DEB_REP ]];
then
echo "Newest Version of $LXC_TEMPLATE_VERSION $DEB_REP exists.";
else
echo "Will now download newest $LXC_TEMPLATE_VERSION $DEP_REP.";
pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
fi
if [ $ctid -gt 99 ]; then
LXC_CHK=$ctid
else
# Get next free LXC-number
LXC_CHK=$(($(pct list | cut -d' ' -f1 | tail -1) + 1))
LXC_LST=$( lxc-ls -1 | tail -1 )
LXC_CHK=$((LXC_LST+1));
fi
if [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
@ -129,43 +127,24 @@ else
fi
echo "Will now create LXC Container $LXC_NBR!";
if [ $LXC_THREADS -gt 0 ]; then
LXC_CORES=--cores\ $LXC_THREADS
fi
if [[ $LXC_RESSOURCE_POOL != "" ]]; then
LXC_POOL=--pool\ $LXC_RESSOURCE_POOL
fi
# Create the container
set +u
pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE,acl=1;
set -u
pct create $LXC_NBR --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
sleep 2;
# Check vlan configuration
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
# Reconfigure conatiner
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
if [ $LXC_DHCP == true ]; then
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
else
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
fi
sleep 2
if [ $LXC_MP -gt 0 ]; then
pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
if [[ "$(pvesm status | grep $LXC_SHAREFS_STORAGE | cut -d ' ' -f6)" == "zfspool" ]]; then
pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
fi
pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
fi
sleep 2;
PS3="Select the Server-Function: "
@ -173,33 +152,23 @@ PS3="Select the Server-Function: "
pct start $LXC_NBR;
sleep 5;
# Set the root ssh key
pct exec $LXC_NBR -- mkdir -p /root/.ssh
pct exec $LXC_NBR -- mkdir /root/.ssh
pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
pct push $LXC_NBR "$config" /root/zamba.conf
pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
echo "Installing basic container setup..."
pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh"
lxc-attach -n$LXC_NBR bash /root/lxc-base.sh
echo "Install '$service'!"
pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh"
lxc-attach -n$LXC_NBR bash /root/install-service.sh
pct shutdown $LXC_NBR
if [[ $service == "zmb-ad" ]]; then
pct stop $LXC_NBR
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
elif [[ $service == "zmb-ad-join" ]]; then
pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
fi
pct start $LXC_NBR
if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
sleep 5
pct exec $LXC_NBR /usr/local/bin/smb-backup 7
pct start $LXC_NBR
fi

17
scripts/nextcloud-update
View File

@ -1,17 +0,0 @@
#!/bin/bash
#
# Update nextcloud
# place in /etc/cron.daily and make executable with chmod +x /etc/cron.daily/nextcloud-update
user=www-data
phpversion=php8.0
path=/var/www/nextcloud
alias ncc="sudo -u $user $phpversion $path/occ"
alias updater="sudo -u $user $phpversion $path/updater/updater.phar"
updater --no-backup --no-interaction
subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade")
for cmd in ${subcommands[@]}; do
ncc -n $cmd
done

103
scripts/zmb-ad_auto-map-root.sh
View File

@ -1,103 +0,0 @@
#!/bin/bash
set -e
SMB_CONF="/etc/samba/smb.conf"
USERMAP_FILE="/etc/samba/user.map"
KEYTAB_PATH="/root/admin.keytab"
SYSTEMD_SERVICE="/etc/systemd/system/kinit-admin.service"
SYSTEMD_TIMER="/etc/systemd/system/kinit-admin.timer"
BASH_PROFILE="/root/.bash_profile"
# 1. Domain & Realm aus smb.conf auslesen
DOMAIN_NAME=$(awk -F '=' '/^[[:space:]]*workgroup[[:space:]]*=/ {gsub(/ /, "", $2); print $2}' "$SMB_CONF")
REALM_NAME=$(awk -F '=' '/^[[:space:]]*realm[[:space:]]*=/ {gsub(/ /, "", $2); print toupper($2)}' "$SMB_CONF")
if [[ -z "$DOMAIN_NAME" || -z "$REALM_NAME" ]]; then
echo "[FEHLER] Konnte 'workgroup' oder 'realm' aus smb.conf nicht auslesen."
exit 1
fi
echo "[INFO] Domain: $DOMAIN_NAME"
echo "[INFO] Realm: $REALM_NAME"
# 2. user.map schreiben
echo "!root = ${DOMAIN_NAME}\\Administrator" > "$USERMAP_FILE"
echo "[OK] Benutzerzuordnung geschrieben in $USERMAP_FILE"
# 3. smb.conf patchen
if ! grep -q "^username map *= *$USERMAP_FILE" "$SMB_CONF"; then
sed -i "/^\[global\]/a username map = $USERMAP_FILE" "$SMB_CONF"
echo "[OK] smb.conf wurde um 'username map' ergänzt."
else
echo "[INFO] 'username map' bereits gesetzt."
fi
# 4. Keytab erzeugen
echo "[INFO] Erzeuge Keytab für Administrator..."
samba-tool domain exportkeytab "$KEYTAB_PATH" --principal="administrator@$REALM_NAME"
chmod 600 "$KEYTAB_PATH"
echo "[OK] Keytab gespeichert unter $KEYTAB_PATH"
# 5. systemd-Service + Timer für automatisches kinit
echo "[INFO] Erstelle systemd-Service & Timer..."
cat > "$SYSTEMD_SERVICE" <<EOF
[Unit]
Description=Kerberos Kinit für Administrator
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/kinit -kt $KEYTAB_PATH administrator@$REALM_NAME
EOF
cat > "$SYSTEMD_TIMER" <<EOF
[Unit]
Description=Kerberos Kinit für Administrator (Boot)
[Timer]
OnBootSec=10sec
Unit=kinit-admin.service
[Install]
WantedBy=multi-user.target
EOF
# Aktivieren
systemctl daemon-reexec
systemctl daemon-reload
systemctl enable --now kinit-admin.timer
# 6. root-Login: .bash_profile anpassen
echo "[INFO] Ergänze .bash_profile von root, um bei Login kinit auszuführen..."
mkdir -p "$(dirname "$BASH_PROFILE")"
touch "$BASH_PROFILE"
# Block nur hinzufügen, wenn er nicht bereits vorhanden ist
if ! grep -q "kinit -kt $KEYTAB_PATH administrator@$REALM_NAME" "$BASH_PROFILE"; then
cat >> "$BASH_PROFILE" <<EOF
# Automatisches Kerberos-Ticket beim Login holen
if ! klist -s; then
echo "[INFO] Kein gültiges Kerberos-Ticket führe kinit aus..."
kinit -kt $KEYTAB_PATH administrator@$REALM_NAME && echo "[INFO] Kerberos-Ticket aktualisiert."
fi
EOF
echo "[OK] .bash_profile angepasst."
else
echo "[INFO] .bash_profile enthält bereits kinit-Befehl."
fi
# 7. samba-ad-dc neu starten
echo "[INFO] Starte samba-ad-dc neu..."
systemctl restart samba-ad-dc
# 8. Testausgaben
echo "[INFO] getent passwd root:"
getent passwd root || echo "[WARNUNG] Kein Eintrag für root"
echo
echo "[INFO] Test: samba-tool user list (falls kein Passwort kommt, war's erfolgreich):"
samba-tool user list | head -n 5 || echo "[WARNUNG] Fehler bei samba-tool"

42
src/ansible-semaphore/constants-service.conf
View File

@ -1,42 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# Defines the name from the SQL database
SEMAPHORE_DB_NAME="semaphore"
# Defines the name from the SQL user
SEMAPHORE_DB_USR="semaphore"
# Build a strong password for the SQL user - could be overwritten with something fixed
SEMAPHORE_DB_PWD="$(random_password)"
# service dependent meta tags
SERVICE_TAGS="postgresql,nginx"

222
src/ansible-semaphore/install-service.sh
View File

@ -1,222 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip ansible ansible-lint
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER semaphore WITH PASSWORD '${SEMAPHORE_DB_PWD}';"
psql -c "CREATE DATABASE ${SEMAPHORE_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${SEMAPHORE_DB_USR};"
echo "Postgres User ${SEMAPHORE_DB_USR} and database ${SEMAPHORE_DB_NAME} created."
EOF
curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
cat << EOF > /usr/local/bin/update-semaphore
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
echo "Checking github for new semaphore version"
current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
installed_version=\$(semaphore version)
echo "Installed semaphore version is \$installed_version"
if [ \$installed_version != \$current_version ]; then
echo "New semaphore version \$current_version available. Stopping semaphore.service"
systemctl stop semaphore.service
echo "Downloading semaphore version \$current_version..."
curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical dpkg -i /opt/semaphore_linux_amd64.deb
echo "Starting semaphore.service..."
systemctl start semaphore.service
echo "semaphore update finished!"
else
echo "semaphore version is up-to-date!"
fi
EOF
chmod +x /usr/local/bin/update-semaphore
useradd -m -r -s /bin/bash semaphore
sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
EOF
chmod +x /etc/apt/apt.conf.d/80-semaphore-apt-hook
cat << EOF > /etc/systemd/system/semaphore.service
[Unit]
Description=Semaphore Ansible
Documentation=https://github.com/semaphoreui/semaphore
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
ExecReload=/bin/kill -HUP \$MAINPID
ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
SyslogIdentifier=semaphore
Restart=always
User=semaphore
Group=semaphore
[Install]
WantedBy=multi-user.target
EOF
mkdir -p /etc/semaphore
cat << EOF > /etc/semaphore/config.json
{
"mysql": {
"host": "",
"user": "",
"pass": "",
"name": "",
"options": null
},
"bolt": {
"host": "",
"user": "",
"pass": "",
"name": "",
"options": null
},
"postgres": {
"host": "127.0.0.1:5432",
"user": "${SEMAPHORE_DB_USR}",
"pass": "${SEMAPHORE_DB_PWD}",
"name": "${SEMAPHORE_DB_NAME}",
"options": {
"sslmode": "disable"
}
},
"dialect": "postgres",
"port": "",
"interface": "",
"tmp_path": "/tmp/semaphore",
"cookie_hash": "$(head -c32 /dev/urandom | base64)",
"cookie_encryption": "$(head -c32 /dev/urandom | base64)",
"access_key_encryption": "$(head -c32 /dev/urandom | base64)",
"email_sender": "",
"email_host": "",
"email_port": "",
"email_username": "",
"email_password": "",
"web_host": "",
"ldap_binddn": "",
"ldap_bindpassword": "",
"ldap_server": "",
"ldap_searchdn": "",
"ldap_searchfilter": "",
"ldap_mappings": {
"dn": "",
"mail": "",
"uid": "",
"cn": ""
},
"telegram_chat": "",
"telegram_token": "",
"slack_url": "",
"max_parallel_tasks": 0,
"email_alert": false,
"email_secure": false,
"telegram_alert": false,
"slack_alert": false,
"ldap_enable": false,
"ldap_needtls": false,
"ssh_config_path": "/home/semaphore/.ssh/",
"demo_mode": false,
"git_client": ""
}
EOF
if [ -f /etc/nginx/sites-enabled/default ]; then
unlink /etc/nginx/sites-enabled/default
fi
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/semaphore.access.log;
error_log /var/log/nginx/semaphore.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/semaphore.access.log;
error_log /var/log/nginx/semaphore.error.log;
client_max_body_size 50M;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:3000;
proxy_read_timeout 90;
}
}
EOF
echo "source <(semaphore completion bash)" >> /root/.bashrc
semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json
generate_dhparam
systemctl daemon-reload
systemctl enable --now semaphore.service
systemctl restart nginx.service
echo -e "\n######################################################################\n\n Please note this user and password for the semaphore login:\n '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n Enjoy your semaphore intallation.\n\n######################################################################"

33
src/apt/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="srv"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="aptly,nginx"

273
src/apt/install-service.sh
View File

@ -1,273 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
source /etc/os-release
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
# Create gpg key for apt repo signing
gpg --batch --gen-key <<EOF
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: ${AM_COMPANY_NAME}
Name-Email: ${AM_COMPANY_EMAIL}
Expire-Date: 0
%no-protection
EOF
if [ -f /etc/nginx/sites-enabled/default ]; then
unlink /etc/nginx/sites-enabled/default
fi
cat << EOF > /etc/aptly.conf
{
"rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
"downloadConcurrency": 4,
"downloadSpeedLimit": 0,
"architectures": [
"amd64",
"armhf"
],
"dependencyFollowSuggests": false,
"dependencyFollowRecommends": false,
"dependencyFollowAllVariants": false,
"dependencyFollowSource": false,
"dependencyVerboseResolve": true,
"gpgDisableSign": false,
"gpgDisableVerify": false,
"gpgProvider": "gpg",
"downloadSourcePackages": false,
"skipLegacyPool": true,
"ppaDistributorID": "$AM_COMPANY_NAME",
"ppaCodename": ""
}
EOF
cat << EOF > /usr/local/bin/update-apt-mirrors
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
for m in $(aptly mirror list -raw); do
aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
done
EOF
chmod +x /usr/local/bin/update-apt-mirrors
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
# Force HTTPS connection. This rules is domain agnostic
if (\$scheme != "https") {
rewrite ^ https://\$host\$uri permanent;
}
# SSL configuration
#
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 15.137.208.11 15.137.209.11 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
root /var/www/html;
index index.html index.htm;
server_name _;
location /gpg {
autoindex on;
}
location /graph {
autoindex on;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files \$uri \$uri/ =404;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_pass http://localhost:8080;
}
location /api {
proxy_pass http://localhost:8000/api;
}
location /api/graph {
return 403;
}
}
EOF
cat << EOF > /etc/systemd/system/aptly.service
[Unit]
Description=Aptly Repository service
[Service]
User=root
ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
KillSignal=SIGTERM
KillMode=process
TimeoutStopSec=15s
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/aptly-api.service
[Unit]
Description=Aptly REST API service
[Service]
User=root
ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
KillSignal=SIGTERM
KillMode=process
TimeoutStopSec=15s
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /root/mirror-examples
# import proxmox keyring
wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
# proxmox 8 no subscription mirror (about 11.5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
# import debian keyring
cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
# debian 12 main mirror (about 87 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
# debian 12 contrib mirror (about 600 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
# debian 12 non-free mirror (about7,2 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
# debian 12 non-free-firmware mirror (38 Packages)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
# debian 12 update main mirror (about 2,5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
# debian 12 update contrib mirror (currently empty)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
# debian 12 updates non-free mirror (about 900 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
# debian 12 updates non-free-firmware mirror (about 70 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
# debian 12 security main mirror (about 5,5 GB)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
# debian 12 security contrib mirror (2 packages)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
# debian 12 security non-free mirror (currently empty)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
# debian 12 security non-free-firmware mirror (1 package)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
# debian 12 backports main mirror (about 14,5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
# debian 12 backports contrib mirror (about 100 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
# debian 12 backports non-free mirror (2 packages)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
# debian 12 backports non-free-firmware mirror (currently empty)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
EOF
cat << EOF > /usr/local/bin/update-apt-mirrors
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
for m in \$(aptly mirror list -raw); do
aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
done
EOF
echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
chmod +x /usr/local/bin/update-apt-mirrors
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
chown -R www-data:www-data /var/www
# Create required webserver folders
sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
# Export gpg key
sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
generate_dhparam
systemctl daemon-reload
systemctl enable --now aptly aptly-api
systemctl restart nginx
echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."

33
src/authentik/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="docker"

108
src/authentik/install-service.sh
View File

@ -1,108 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
install_portainer_full() {
mkdir -p /opt/portainer/data
cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/portainer:latest
volumes:
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "8000:8000"
- "9443:9443"
command: --admin-password-file=/data/admin_password
EOF
echo -n "$SECRET" > ./data/admin_password
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
}
install_portainer_agent() {
mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/agent:latest
volumes:
- /var/lib/docker/volumes:/var/lib/docker/volumes
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "9001:9001"
EOF
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
}
mkdir -p /opt/authentik
wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
cd /opt/authentik
cat << EOF > .env
PG_PASS=$(pwgen -s 40 1)
AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
AUTHENTIK_DISABLE_UPDATE_CHECK=false
AUTHENTIK_ERROR_REPORTING__ENABLED=false
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
AUTHENTIK_AVATARS=initials
COMPOSE_PORT_HTTP=80
COMPOSE_PORT_HTTPS=443
AUTHENTIK_EMAIL__HOST=
AUTHENTIK_EMAIL__PORT=
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=
AUTHENTIK_REDIS__DB=1
EOF
docker compose pull
docker compose up -d
case $PORTAINER in
full) install_portainer_full ;;
agent) install_portainer_agent ;;
*) echo -e "\n######################################################################\n\n Enjoy your authentik intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
esac

33
src/bookstack/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

186
src/bookstack/install-service.sh
View File

@ -1,186 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
BOOKSTACK_DB_PWD=$(random_password)
webroot=/var/www/bookstack/public
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
client_max_body_size 100M;
fastcgi_buffers 64 4K;
client_body_timeout 120s;
listen 443 http2 ssl default_server;
listen [::]:443 http2 ssl default_server;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot;
index index.php;
ssl_certificate /etc/nginx/ssl/open3a.crt;
ssl_certificate_key /etc/nginx/ssl/open3a.key;
access_log /var/log/nginx/bookstack.access.log;
error_log /var/log/nginx/bookstack.error.log;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location ~ /\.ht {
deny all;
}
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
}
EOF
mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
CREATE DATABASE IF NOT EXISTS bookstack;
GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
FLUSH PRIVILEGES;"
sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
then
>&2 echo 'ERROR: Invalid composer installer checksum'
rm composer-setup.php
exit 1
fi
php composer-setup.php --quiet
rm composer-setup.php
# Move composer to global installation
mv composer.phar /usr/local/bin/composer
cd /var/www
git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack
cd bookstack
# Install BookStack composer dependencies
export COMPOSER_ALLOW_SUPERUSER=1
php /usr/local/bin/composer install --no-dev --no-plugins
# Copy and update BookStack environment variables
cp .env.example .env
sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env
sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env
sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env
sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env
cat << EOF >> .env
QUEUE_CONNECTION=database
STORAGE_TYPE=local_secure
APP_LANG=de_informal
FILE_UPLOAD_SIZE_LIMIT=100
SESSION_SECURE_COOKIE=true
CACHE_DRIVER=redis
SESSION_DRIVER=redis
REDIS_SERVERS=127.0.0.1:6379:0
WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf
ALLOW_UNTRUSTED_SERVER_FETCHING=true
EOF
# Generate the application key
php artisan key:generate --no-interaction --force
# Migrate the databases
php artisan migrate --no-interaction --force
php artisan bookstack:db-utf8mb4 > dbupgrade.sql
mysql -u root < dbupgrade.sql
chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage
cat << EOF > /etc/systemd/system/bookstack-queue.service
[Unit]
Description=BookStack Queue Worker
[Service]
User=www-data
Group=www-data
Restart=always
ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now bookstack-queue php${PHP_VERSION:0:3}-fpm nginx redis-server
systemctl restart php${PHP_VERSION:0:3}-fpm nginx bookstack-queue redis-server
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n"

20
src/checkmk/constants-service.conf
View File

@ -8,15 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="opt"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -24,16 +19,7 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# checkmk version
CMK_VERSION=2.3.0p6
CMK_VERSION=2.0.0p23
# build number of the debian package (needs to start with underscore)
CMK_BUILD=_0
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="apache2"

40
src/checkmk/install-service.sh
View File

@ -23,46 +23,6 @@ cat << EOF > /etc/apache2/sites-available/000-default.conf
</VirtualHost>
EOF
cat << EOF > /etc/apache2/sites-available/default-ssl.conf
<VirtualHost *:443>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog \${APACHE_LOG_DIR}/error.log
CustomLog \${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
EOF
a2enmod ssl
a2enmod rewrite
a2ensite default-ssl

31
src/cloudpanel/constants-service.conf
View File

@ -1,31 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="home"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

14
src/cloudpanel/install-service.sh
View File

@ -1,14 +0,0 @@
#!/bin/bash
# Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source zamba.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh

2
src/constants.conf
View File

@ -8,4 +8,4 @@
# This file contains the project constants on container level
# Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux"
LXC_TOOLSET_BASE="lsb-release curl git gnupg2 apt-transport-https software-properties-common"

19
src/debian-priv/constants-service.conf
View File

@ -8,26 +8,13 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=512
# service dependent meta tags
SERVICE_TAGS="privileged"
LXC_NESTING="1"

19
src/debian-unpriv/constants-service.conf
View File

@ -8,26 +8,13 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=512
# service dependent meta tags
SERVICE_TAGS=""
LXC_NESTING="1"

33
src/docker/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS=""

79
src/docker/install-service.sh
View File

@ -1,79 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
install_portainer_full() {
mkdir -p /opt/portainer/data
cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/portainer:latest
volumes:
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "8000:8000"
- "9443:9443"
command: --admin-password-file=/data/admin_password
EOF
echo -n "$SECRET" > ./data/admin_password
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################"
}
install_portainer_agent() {
mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/agent:latest
volumes:
- /var/lib/docker/volumes:/var/lib/docker/volumes
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "9001:9001"
EOF
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################"
}
case $PORTAINER in
full) install_portainer_full ;;
agent) install_portainer_agent ;;
*) echo -e "\n######################################################################\n\n Enjoy your Docker intallation.\n\n######################################################################" ;;
esac

36
src/ecodms/constants-service.conf
View File

@ -1,36 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# set ecodms release version
ECODMS_RELEASE=ecodms_230164
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=6144
# service dependent meta tags
SERVICE_TAGS="java,postgresql"

21
src/ecodms/install-service.sh
View File

@ -1,21 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver

33
src/freescout/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

133
src/freescout/install-service.sh
View File

@ -1,133 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
webroot=/var/www/html
LXC_RANDOMPWD=20
MYSQL_PASSWORD="$(random_password)"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git
echo cgi.fix_pathinfo=0 >> /etc/php/8.2/fpm/php.ini
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot/freescout/public;
index index.php index.html index.htm;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
client_max_body_size 20M;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ .php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
include fastcgi_params;
}
location ^~ /storage/app/attachment/ {
internal;
alias /var/www/html/storage/app/attachment/;
}
location ~* ^/storage/attachment/ {
expires 1M;
access_log off;
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
expires 2d;
access_log off;
add_header Cache-Control "public, must-revalidate";
}
# The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
add_header Content-disposition "attachment; filename=\$2";
default_type application/octet-stream;
}
location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\\\\]+\..*)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
location ~ /\. {
deny all;
}
}
EOF
rm /var/www/html/*nginx*.html
mkdir -p /etc/nginx/ssl
ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
mysql -uroot -e "CREATE USER 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS freescout;
GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
cd $webroot
tar -vxf freescout.tar.gz
dir=$(ls -d freescout-helpdesk-freescout*)
mv -v $dir freescout
chown -R www-data:www-data /var/www/html
find /var/www/html -type f -exec chmod 664 {} \;
find /var/www/html -type d -exec chmod 775 {} \;
cd $webroot/freescout
APP_KEY=$(sudo -u www-data php artisan key:generate --show)
sudo -u www-data sed -e "s|APP_URL=.*|APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}|" -e "s|DB_DATABASE=|DB_DATABASE=freescout|" -e "s|DB_USERNAME=|DB_USERNAME=freescout|" -e "s|DB_PASSWORD=|DB_PASSWORD=${MYSQL_PASSWORD}|" -e "s|APP_KEY=|APP_KEY=${APP_KEY}|" .env.example > .env
sudo -u www-data php artisan freescout:clear-cache
sudo -u www-data php artisan storage:link
sudo -u www-data php artisan migrate -n --force
FS_PASSWORD=$(random_password)
sudo -u www-data php artisan freescout:create-user -n --role=admin --firstName=$FS_FIRSTNAME --lastName=$FS_LASTNAME --email=$FS_EMAIL --password=$FS_PASSWORD
cat << EOF > /etc/cron.d/freescout
* * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
EOF
systemctl enable --now php8.2-fpm
systemctl restart php8.2-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your freescout installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttps://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\t$FS_EMAIL\nPassword:\t$FS_PASSWORD\n"

26
src/functions.sh
View File

@ -1,31 +1,13 @@
#!/bin/bash
#
# This script has basic functions like a random password generator
LXC_RANDOMPWD=32
random_password() {
set +o pipefail
LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32
}
generate_dhparam() {
openssl dhparam -out /etc/nginx/dhparam.pem 2048
cat << EOF > /etc/cron.monthly/generate-dhparams
#!/bin/bash
openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
mv /etc/nginx/dhparam.gen /etc/nginx/dhparam.pem
systemctl restart nginx
EOF
chmod +x /etc/cron.monthly/generate-dhparams
}
apt_repo() {
apt_name=$1
apt_key_url=$2
apt_key_path=/usr/share/keyrings/${apt_name}.gpg
apt_repo_url=$3
wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
random_password_open3a() {
set +o pipefail
C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c20
}

21
src/gitea/constants-service.conf
View File

@ -8,24 +8,17 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the IP from the SQL server
GITEA_DB_IP="127.0.0.1"
@ -39,10 +32,4 @@ GITEA_DB_NAME="gitea"
GITEA_DB_USR="gitea"
# Build a strong password for the SQL user - could be overwritten with something fixed
GITEA_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql"
GITEA_DB_PWD="$(random_password)"

44
src/gitea/install-service.sh
View File

@ -9,15 +9,17 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert unzip zip
timedatectl set-timezone ${LXC_TIMEZONE}
systemctl enable --now postgresql
@ -36,32 +38,6 @@ mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
cat << EOF > /usr/local/bin/update-gitea
PATH="/bin:/usr/bin:/usr/local/bin"
echo "Checking github for new gitea version"
current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4)
installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3))
echo "Installed gitea version is \$installed_version"
if [ \$installed_version != \$current_version ]; then
echo "New gitea version \$current_version available. Stopping gitea.service"
systemctl stop gitea.service
echo "Downloading gitea version \$current_version..."
curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i -
chmod +x /usr/local/bin/gitea
echo "Starting gitea.service..."
systemctl start gitea.service
echo "gitea update finished!"
else
echo "gitea version is up-to-date!"
fi
EOF
chmod +x /usr/local/bin/update-gitea
cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook
DPkg::Post-Invoke {"/usr/local/bin/update-gitea";};
EOF
chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook
cat << EOF > /etc/systemd/system/gitea.service
[Unit]
Description=Gitea
@ -120,10 +96,6 @@ chown -R root:git /etc/gitea
chmod 770 /etc/gitea
chmod 770 /etc/gitea/app.ini
if [ -f /etc/nginx/sites-enabled/default ]; then
unlink /etc/nginx/sites-enabled/default
fi
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80;
@ -181,7 +153,7 @@ server {
}
EOF
generate_dhparam
openssl dhparam -out /etc/nginx/dhparam.pem 4096
systemctl daemon-reload
systemctl enable --now gitea

39
src/kimai/constants-service.conf
View File

@ -1,39 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
#KIMAI_VERSION="main"
# Defines the php version to install
KIMAI_PHP_VERSION="8.2"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

172
src/kimai/install-service.sh
View File

@ -1,172 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
KIMAI_DB_PWD=$(random_password)
webroot=/var/www/kimai/public
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
PHP_VERSION=${PHP_VERSION:0:3}
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
client_max_body_size 2M;
fastcgi_buffers 64 4K;
client_body_timeout 120s;
listen 443 http2 ssl default_server;
listen [::]:443 http2 ssl default_server;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot;
index index.php;
ssl_certificate /etc/nginx/ssl/kimai.crt;
ssl_certificate_key /etc/nginx/ssl/kimai.key;
access_log /var/log/nginx/kimai.access.log;
error_log /var/log/nginx/kimai.error.log;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location ~ /\.ht {
deny all;
}
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
}
EOF
mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
CREATE DATABASE IF NOT EXISTS kimai;
GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
FLUSH PRIVILEGES;"
sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
then
>&2 echo 'ERROR: Invalid composer installer checksum'
rm composer-setup.php
exit 1
fi
php composer-setup.php --quiet
rm composer-setup.php
# Move composer to global installation
mv composer.phar /usr/local/bin/composer
cd /var/www
dl=$(curl -s https://api.github.com/repos/kimai/kimai/releases/latest | grep tarball_url | cut -d'"' -f4)
version=$(echo $dl | rev | cut -d'/' -f1 | rev)
wget -O kimai-${version}.tar.gz ${dl}
tar xfz kimai-${version}.tar.gz
rm kimai-${version}.tar.gz
mv kimai-* kimai
cd kimai
# Install kimai composer dependencies
export COMPOSER_ALLOW_SUPERUSER=1
/usr/local/bin/composer install --optimize-autoloader -n
# Copy and update kimai environment variables
cat << EOF > .env
# For more infos about the variables, see .env.dist
DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.11.3
MAILER_FROM=admin@$LXC_DOMAIN
MAILER_URL=null://null
APP_ENV=prod
APP_SECRET=$(random_password)
CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
EOF
bin/console kimai:install -n
bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
chown -R www-data:www-data .
chmod -R g+r .
chmod -R g+rw var/
systemctl daemon-reload
systemctl enable --now php${PHP_VERSION}-fpm nginx
systemctl restart php${PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"

18
src/kopano-core/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
LXC_TEMPLATE_VERSION="debian-10-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,14 +19,11 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
KOPANO_VERSION="latest"
# Defines the php version to install
KOPANO_PHP_VERSION="7.4"
KOPANO_PHP_VERSION="7.3"
# Defines Maria DB Version
MARIA_DB_VERS="10.5"
@ -46,8 +39,3 @@ MARIA_DB_USER="kopano"
MARIA_ROOT_PWD=$(random_password)
MARIA_USER_PWD=$(random_password)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

50
src/kopano-core/install-service.sh
View File

@ -11,8 +11,8 @@ source /root/constants-service.conf
HOSTNAME=$(hostname -f)
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
@ -22,10 +22,8 @@ echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_relea
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
#timedatectl set-timezone Europe/Berlin
#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
@ -37,7 +35,7 @@ mysqladmin -u root password "[$MARIA_ROOT_PWD]"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
#### Create user and DB for Kopano ####
@ -52,19 +50,19 @@ db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
cat > /etc/apt/sources.list.d/kopano.list << EOF
# Kopano Core
deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
deb https://download.kopano.io/supported/core:/final/Debian_10/ ./
# Kopano WebApp
deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
deb https://download.kopano.io/supported/webapp:/final/Debian_10/ ./
# Kopano MobileDeviceManagement
deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
deb https://download.kopano.io/supported/mdm:/final/Debian_10/ ./
# Kopano Files
deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
deb https://download.kopano.io/supported/files:/final/Debian_10/ ./
# Z-Push
deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
deb https://download.kopano.io/zhub/z-push:/final/Debian_10/ ./
EOF
@ -76,11 +74,11 @@ password $KOPANO_REPKEY
EOF
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_10/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_10/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_10/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_10/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_10/Release.key | apt-key add -
apt update && apt full-upgrade -y
@ -93,7 +91,7 @@ cat > /etc/kopano/ldap.cfg << EOF
!include /usr/share/kopano/ldap.active-directory.cfg
ldap_uri = ldap://192.168.100.100:389
ldap_uri = ldap://10.10.81.12:389
ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
ldap_bind_passwd = Start123!
ldap_search_base = dc=zmb,dc=rocks
@ -114,8 +112,8 @@ mysql_user = $MARIA_DB_USER
mysql_password = $MARIA_USER_PWD
mysql_database = $MARIA_DB_NAME
#user_plugin = ldap
#user_plugin_config = /etc/kopano/ldap.cfg
user_plugin = ldap
user_plugin_config = /etc/kopano/ldap.cfg
EOF
@ -123,7 +121,7 @@ EOF
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
cat > /etc/php/7.3/fpm/pool.d/webapp.conf << EOF
[webapp]
listen = 127.0.0.1:9002
@ -149,15 +147,15 @@ sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kop
#### Adjust nginx settings ####
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
generate_dhparam
openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/sites-available/webapp.conf << EOF
upstream php-handler {
#server 127.0.0.1:9002;
server 127.0.0.1:9002;
#server unix:/var/run/php5-fpm.sock;
server unix:/var/run/php/php7.4-fpm.sock;
#server unix:/var/run/php/php7.3-fpm.sock;
}
server{
@ -187,7 +185,7 @@ server {
ssl_prefer_server_ciphers on;
#
# ssl_dhparam require you to create a dhparam.pem, this takes a long time
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
#
# add headers
@ -272,5 +270,5 @@ EOF
ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
phpenmod kopano
systemctl restart php7.4-fpm nginx
systemctl restart nginx

29
src/lxc-base.sh
View File

@ -16,7 +16,6 @@ source /root/constants-service.conf
echo "Updating locales"
# update locales
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
@ -24,39 +23,27 @@ EOF
locale-gen $LXC_LOCALE
# Generate sources
if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main contrib
deb https://debian.inf.tu-dresden.de/debian bullseye main contrib
deb http://deb.debian.org/debian/ buster-updates main contrib
deb https://debian.inf.tu-dresden.de/debian bullseye-updates main contrib
# security updates
deb http://security.debian.org/debian-security buster/updates main contrib
deb https://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bullseye main contrib
deb https://debian.inf.tu-dresden.de/debian buster main contrib
deb http://deb.debian.org/debian/ bullseye-updates main contrib
deb https://debian.inf.tu-dresden.de/debian buster-updates main contrib
# security updates
deb http://security.debian.org/debian-security bullseye-security main contrib
deb https://debian.inf.tu-dresden.de/debian-security buster/updates main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main contrib
deb http://deb.debian.org/debian/ bookworm-updates main contrib
# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib
EOF
else echo "LXC Debian Version false. Please check configuration files!" ; exit
fi

33
src/mailcow/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=8192
# service dependent meta tags
SERVICE_TAGS="docker"

438
src/mailcow/install-service.sh
View File

@ -1,438 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
install_portainer_full() {
mkdir -p /opt/portainer/data
cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/portainer:latest
volumes:
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "8000:8000"
- "9443:9443"
command: --admin-password-file=/data/admin_password
EOF
echo -n "$SECRET" > ./data/admin_password
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################"
}
install_portainer_agent() {
mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/agent:latest
volumes:
- /var/lib/docker/volumes:/var/lib/docker/volumes
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "9001:9001"
EOF
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################"
}
cd /opt
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
cat << EOF > mailcow.conf
# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
# Password hash algorithm
# Only certain password hash algorithm are supported. For a fully list of supported schemes,
# see https://docs.mailcow.email/models/model-passwd/
MAILCOW_PASS_SCHEME=BLF-CRYPT
# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=mailcow
DBUSER=mailcow
# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
# ------------------------------
# HTTP/S Bindings
# ------------------------------
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081 or 65510!
# Example: HTTP_BIND=1.2.3.4
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
HTTP_PORT=80
HTTP_BIND=
HTTPS_PORT=443
HTTPS_BIND=
# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
SMTP_PORT=25
SMTPS_PORT=465
SUBMISSION_PORT=587
IMAP_PORT=143
IMAPS_PORT=993
POP_PORT=110
POPS_PORT=995
SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654
# Your timezone
# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
TZ=${LXC_TIMEZONE}
# Fixed project name
# Please use lowercase letters only
COMPOSE_PROJECT_NAME=mailcowdockerized
# Used Docker Compose version
# Switch here between native (compose plugin) and standalone
# For more informations take a look at the mailcow docs regarding the configuration options.
# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
DOCKER_COMPOSE_VERSION=native
# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to "All authenticated users"
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow
# Garbage collector cleanup
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
# Check interval is hourly
MAILDIR_GC_TIME=7200
# Additional SAN for the certificate
#
# You can use wildcard records to create specific names for every domain you add to mailcow.
# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
#ADDITIONAL_SAN=imap.*,smtp.*
# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
# plus every domain you add in the future.
#
# You can also just add static names...
#ADDITIONAL_SAN=srv1.example.net
# ...or combine wildcard and static names:
#ADDITIONAL_SAN=imap.*,srv1.example.com
#
ADDITIONAL_SAN=
# Additional server names for mailcow UI
#
# Specify alternative addresses for the mailcow UI to respond to
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
# You can understand this as server_name directive in Nginx.
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
ADDITIONAL_SERVER_NAMES=
# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
SKIP_LETS_ENCRYPT=y
# Create seperate certificates for all domains - y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://doc.dovecot.org/admin_manual/ssl/sni_support
ENABLE_SSL_SNI=n
# Skip IPv4 check in ACME container - y/n
SKIP_IP_CHECK=n
# Skip HTTP verification in ACME container - y/n
SKIP_HTTP_VERIFICATION=n
# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
SKIP_CLAMD=n
# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
SKIP_SOGO=n
# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
SKIP_SOLR=n
# Solr heap size in MB, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
SOLR_HEAP=1024
# Allow admins to log into SOGo as email user (without any password)
ALLOW_ADMIN_EMAIL_LOGIN=n
# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
USE_WATCHDOG=y
# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
# CAUTION:
# 1. You should use external recipients
# 2. Mails are sent unsigned (no DKIM)
# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
# Multiple rcpts allowed, NO quotation marks, NO spaces
#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
#WATCHDOG_NOTIFY_EMAIL=
# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
# You can use this to send notifications to services like Discord, Slack and others.
#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# JSON body included in the webhook POST request. Needs to be in single quotes.
# Following variables are available: SUBJECT, BODY
#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n
# Send a notification when the watchdog is started.
WATCHDOG_NOTIFY_START=y
# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
#WATCHDOG_SUBJECT=
# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
# https://www.servercow.de/mailcow?lang=en
# https://www.servercow.de/mailcow?lang=de
# No data is collected. Opt-in and anonymous.
# Will only work with unmodified mailcow setups.
WATCHDOG_EXTERNAL_CHECKS=n
# Enable watchdog verbose logging
WATCHDOG_VERBOSE=n
# Max log lines per service to keep in Redis logs
LOG_LINES=9999
# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
IPV4_NETWORK=172.22.1
# Internal IPv6 subnet in fc00::/7
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
# Use this IPv4 for outgoing connections (SNAT)
#SNAT_TO_SOURCE=
# Use this IPv6 for outgoing connections (SNAT)
#SNAT6_TO_SOURCE=
# Create or override an API key for the web UI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
# An API key defined as API_KEY has read-write access
# An API key defined as API_KEY_READ_ONLY has read-only access
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
# You can define API_KEY and/or API_KEY_READ_ONLY
#API_KEY=
#API_KEY_READ_ONLY=
#API_ALLOW_FROM=172.22.1.1,127.0.0.1
# mail_home is ~/Maildir
MAILDIR_SUB=Maildir
# SOGo session timeout in minutes
SOGO_EXPIRE_SESSION=480
# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
# Empty by default to auto-generate master user and password on start.
# User expands to DOVECOT_MASTER_USER@mailcow.local
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_USER=
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_PASS=
# Let's Encrypt registration contact information
# Optional: Leave empty for none
# This value is only used on first order!
# Setting it at a later point will require the following steps:
# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
ACME_CONTACT=
# WebAuthn device manufacturer verification
# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
WEBAUTHN_ONLY_TRUSTED_VENDORS=n
# Spamhaus Data Query Service Key
# Optional: Leave empty for none
# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.
# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
# Otherwise it will work normally.
SPAMHAUS_DQS_KEY=
EOF
cat << EOF > data/conf/nginx/redirect.conf
server {
root /web;
listen 80 default_server;
listen [::]:80 default_server;
include /etc/nginx/conf.d/server_name.active;
if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
location / {
return 301 https://\$host\$uri\$is_args\$args;
}
}
EOF
cat << EOF > /etc/cron.daily/mailcowbackup
#!/bin/sh
# Backup mailcow data
# https://docs.mailcow.email/backup_restore/b_n_r-backup/
set -e
OUT="\$(mktemp)"
export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
PARAMETERS="backup all"
OPTIONS="--delete-days 7"
mkdir -p \$MAILCOW_BACKUP_LOCATION
# run command
set +e
"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
RESULT=\$?
if [ \$RESULT -ne 0 ]
then
echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
echo "RESULT=\$RESULT"
echo "STDOUT / STDERR:"
cat "\$OUT"
fi
EOF
chmod +x /etc/cron.daily/mailcowbackup
cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
#!/bin/bash
if ! which check_mk_agent ; then
cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
status=\$?
if [ \$status -eq 3 ]; then
state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
elif [ \$status -eq 0 ]; then
state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
else
state="3 \"mailcow_update\" - Unknown output from update script ..."
fi
echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
fi
exit
EOF
chmod +x /etc/cron.daily/checkmk-mailcow-update-check
chmod 600 mailcow.conf
mkdir -p data/assets/ssl
openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
openssl dhparam -out data/assets/ssl/dhparams.pem 2048
cat << EOF > /etc/cron.monthly/generate-dhparams
#!/bin/bash
openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
systemctl restart nginx
EOF
chmod +x /etc/cron.monthly/generate-dhparams
docker compose pull
docker compose up -d
case $PORTAINER in
full) install_portainer_full ;;
agent) install_portainer_agent ;;
*) echo -e "\n######################################################################\n\n Enjoy your Docker intallation.\n\n######################################################################" ;;
esac

20
src/omada/constants-service.conf → src/mailpiler/constants-service.conf
View File

@ -11,11 +11,7 @@
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,11 +19,9 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="mongodb-server,java"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
PILER_VERSION="latest"
# Defines the version of sphinx to install
PILER_SPHINX_VERSION="3.3.1"
# Defines the php version to install
PILER_PHP_VERSION="7.4"

189
src/mailpiler/install-service.sh Normal file
View File

@ -0,0 +1,189 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
echo "Ensure your Hostname is set to your Piler FQDN!"
echo $HOSTNAME
if
[ "$HOSTNAME" != "$PILER_FQDN" ]
then
echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit
else
echo "Hostname matches $PILER_FQDN, so starting installation."
fi
# install php
wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
add-apt-repository "deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian $(lsb_release -cs) main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \
unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \
mariadb-server default-libmysqlclient-dev python3-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \
php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix
cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
innodb_buffer_pool_size=256M
innodb_flush_log_at_trx_commit=1
innodb_log_buffer_size=64M
innodb_log_file_size=16M
query_cache_size=0
query_cache_type=0
query_cache_limit=2M
EOF
systemctl restart mariadb
cd /tmp
wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
groupadd piler
useradd -g piler -m -s /bin/bash -d /var/piler piler
usermod -L piler
chmod 755 /var/piler
if [[ "$PILER_VERSION" == "latest" ]]; then
URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
PILER_VERSION=$(echo $URL | cut -d'-' -f2 | cut -d'.' -f1-3)
wget -O piler-$PILER_VERSION.tar.gz $URL
else
wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
fi
tar -xvzf piler-$PILER_VERSION.tar.gz
cd piler-$PILER_VERSION/
./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
make
make install
ldconfig
cp util/postinstall.sh util/postinstall.sh.bak
sed -i "s/ PILER_SMARTHOST=.*/ PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
sed -i 's/ WWWGROUP=.*/ WWWGROUP="www-data"/' util/postinstall.sh
make postinstall
cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
/etc/init.d/rc.piler start
/etc/init.d/rc.searchd start
update-rc.d rc.piler defaults
update-rc.d rc.searchd defaults
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
cd /etc/nginx/sites-available
cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
sed -i "/server_name.*/a \\
listen 443 ssl http2;\n\n\
ssl_certificate /etc/nginx/ssl/piler.crt;\n\
ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
ssl_session_timeout 1d;\n\
ssl_session_cache shared:SSL:15m;\n\
ssl_session_tickets off;\n\n\
# modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
ssl_protocols TLSv1.2 TLSv1.3;\n\
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
ssl_prefer_server_ciphers off;\n\n\
add_header X-Frame-Options SAMEORIGIN;\n\
add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
sed -i "/^server {.*/i\
server {\n\
listen 80;\n\
server_name _;\n\
server_tokens off;\n\
# HTTP to HTTPS redirect.\n\
return 301 https://$PILER_FQDN;\n\
}" /etc/nginx/sites-available/piler-nginx.conf
unlink /etc/nginx/sites-enabled/default
cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
cat >> /usr/local/etc/piler/config-site.php <<EOF
// CUSTOM
\$config['PROVIDED_BY'] = '$PILER_FQDN';
\$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
\$config['COMPATIBILITY'] = '';
// fancy features.
\$config['ENABLE_INSTANT_SEARCH'] = 1;
\$config['ENABLE_TABLE_RESIZE'] = 1;
\$config['ENABLE_DELETE'] = 1;
\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
// general settings.
\$config['TIMEZONE'] = '$LXC_TIMEZONE';
// authentication
// Enable authentication against an imap server
//\$config['ENABLE_IMAP_AUTH'] = 1;
//\$config['RESTORE_OVER_IMAP'] = 1;
//\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
//\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
//\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
//\$config['IMAP_PORT'] = 993;
//\$config['IMAP_SSL'] = true;
// authentication against an ldap directory (disabled by default)
//\$config['ENABLE_LDAP_AUTH'] = 1;
//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
//\$config['LDAP_PORT'] = 389;
//\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
//\$config['LDAP_MAIL_ATTR'] = 'mail';
//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
//\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
// authentication against an Uninvention based ldap directory
//\$config['ENABLE_LDAP_AUTH'] = 1;
//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
//\$config['LDAP_PORT'] = 7389;
//\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
//\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
//\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
//\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
//\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
//\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
// special settings.
\$config['MEMCACHED_ENABLED'] = 1;
\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
EOF
nginx -t && systemctl restart nginx

18
src/matrix/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,11 +19,5 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,element-web"
# Define the version of Element Web
MATRIX_ELEMENT_VERSION="v1.9.9"

41
src/matrix/install-service.sh
View File

@ -14,8 +14,6 @@ MRX_PKE=$(random_password)
ELE_DBNAME="synapse_db"
ELE_DBUSER="synapse_user"
ELE_DBPASS=$(random_password)
ELE_PATH=/var/www/element-web
WEBROOT=/var/www
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
@ -27,7 +25,7 @@ systemctl enable matrix-synapse
ss -tulpen
mkdir -p /etc/nginx/ssl
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
cat > /etc/nginx/sites-available/$MATRIX_FQDN <<EOF
@ -69,7 +67,7 @@ server {
ssl_certificate_key /etc/nginx/ssl/matrix.key;
# If you don't wanna serve a site, comment this out
root $ELE_PATH;
root /var/www/$MATRIX_FQDN;
index index.html index.htm;
location / {
@ -104,7 +102,7 @@ server {
ssl_certificate_key /etc/nginx/ssl/matrix.key;
# If you don't wanna serve a site, comment this out
root $ELE_PATH;
root /var/www/$MATRIX_ELEMENT_FQDN/element;
index index.html index.htm;
}
@ -115,23 +113,21 @@ ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$
systemctl restart nginx
cd /var/www
wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
mkdir /var/www/$MATRIX_ELEMENT_FQDN
cd /var/www/$MATRIX_ELEMENT_FQDN
wget https://packages.riot.im/element-release-key.asc
gpg --import element-release-key.asc
MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/element-hq/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH
chown www-data:www-data -R $ELE_PATH
cp $ELE_PATH/config.sample.json $ELE_PATH/config.json
sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json
sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json
ln -s element-$MATRIX_ELEMENT_VERSION element
chown www-data:www-data -R element
cp ./element/config.sample.json ./element/config.json
sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json
sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json
su postgres <<EOF
psql -c "CREATE USER $ELE_DBUSER WITH PASSWORD '$ELE_DBPASS';"
@ -147,13 +143,12 @@ sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-sy
sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n user: $ELE_DBUSER\n password: $ELE_DBPASS\n host: 127.0.0.1\n cp_min: 5\n cp_max: 10|" /etc/matrix-synapse/homeserver.yaml
reg_secret=$(random_password)
echo -e "registration_shared_secret: \"$reg_secret\"" > /etc/matrix-synapse/conf.d/registration.yaml
systemctl restart matrix-synapse
rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p '$MATRIX_ADMIN_PASSWORD' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
#apt update
#apt install -y jitsi-meet

19
src/nextcloud/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,14 +19,11 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
NEXTCLOUD_VERSION="latest"
# Defines the php version to install
NEXTCLOUD_PHP_VERSION="8.2"
NEXTCLOUD_PHP_VERSION="8.0"
# Defines the IP from the SQL server
NEXTCLOUD_DB_IP="127.0.0.1"
@ -46,9 +39,3 @@ NEXTCLOUD_DB_USR="nextcloud"
# Build a strong password for the SQL user - could be overwritten with something fixed
NEXTCLOUD_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"

41
src/nextcloud/install-service.sh
View File

@ -6,27 +6,24 @@
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
NEXTCLOUD_ADMIN_PWD=$(random_password)
source /root/zamba.conf
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends sudo tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
timedatectl set-timezone $LXC_TIMEZONE
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
@ -76,7 +73,7 @@ sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXT
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
@ -90,7 +87,7 @@ sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
generate_dhparam
openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
@ -113,9 +110,6 @@ set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
types {
text/javascript mjs;
}
default_type application/octet-stream;
sendfile on;
send_timeout 3600;
@ -139,10 +133,6 @@ cat > /etc/nginx/conf.d/http.conf << EOF
upstream php-handler {
server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
}
map \$arg_v \$asset_immutable {
"" "";
default "immutable";
}
server {
listen 80 default_server;
listen [::]:80 default_server;
@ -167,7 +157,7 @@ ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
@ -178,15 +168,13 @@ ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 5120M;
client_body_timeout 300s;
client_body_buffer_size 512k;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
@ -194,7 +182,7 @@ add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
@ -239,13 +227,10 @@ fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
location ~ \.(?:css|js|svg|gif)\$ {
try_files \$uri /index.php\$request_uri;
expires 6M;
access_log off;
location ~ \.wasm$ {
default_type application/wasm;
}
}
location ~ \.woff2?\$ {
try_files \$uri /index.php\$request_uri;
@ -414,9 +399,7 @@ array (
'updater.release.channel' => 'stable',
'trusted_proxies' =>
array (
'$NEXTCLOUD_REVPROX',
'127.0.0.1',
'::1',
'$NEXTCLOUD_REVPROX'
),
);
EOF

23
src/omada/install-service.sh
View File

@ -1,23 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac

19
src/onlyoffice/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,17 +19,8 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
ONLYOFFICE_DB_HOST=localhost
ONLYOFFICE_DB_NAME=onlyoffice
ONLYOFFICE_DB_USER=onlyoffice
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,rabbitmq"
ONLYOFFICE_DB_USER=onlyoffice

25
src/onlyoffice/fix-update.sh
View File

@ -1,25 +0,0 @@
#!/bin/bash
cat > /usr/local/bin/ods-apt-pre-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds-ssl.conf
systemctl stop nginx.service
DFOE
chmod +x /usr/local/bin/ods-apt-pre-hook
cat > /usr/local/bin/ods-apt-post-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
systemctl restart nginx
DFOE
chmod +x /usr/local/bin/ods-apt-post-hook
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
EOF
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
EOF

41
src/onlyoffice/install-service.sh
View File

@ -11,15 +11,9 @@ source /root/constants-service.conf
ONLYOFFICE_DB_PASS=$(random_password)
curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
cat > /etc/apt/preferences.d/onlyoffice << EOF
Package: onlyoffice-documentserver
Pin: version 7.1.1-23
Pin-Priority: 900
EOF
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
@ -45,38 +39,13 @@ ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
EOF
mkdir -p /etc/nginx/ssl
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
rm /etc/nginx/conf.d/ds.conf
cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
cat > /usr/local/bin/ods-apt-pre-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds-ssl.conf
systemctl stop nginx.service
DFOE
chmod +x /usr/local/bin/ods-apt-pre-hook
cat > /usr/local/bin/ods-apt-post-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
systemctl restart nginx
DFOE
chmod +x /usr/local/bin/ods-apt-post-hook
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
EOF
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
EOF
systemctl restart nginx
sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/nginx/conf.d/ds-ssl.conf
sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/nginx/conf.d/ds-ssl.conf
systemctl restart nginx

19
src/open3a/constants-service.conf
View File

@ -8,26 +8,13 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"
LXC_NESTING="1"

21
src/open3a/install-service.sh
View File

@ -8,17 +8,16 @@
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
LXC_IP=$(hostname -I)
webroot=/var/www/html
LXC_RANDOMPWD=20
MYSQL_PASSWORD="$(random_password)"
MYSQL_PASSWORD="$(random_password_open3a)"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
mkdir -p /etc/nginx/ssl
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
cat << EOF > /etc/nginx/sites-available/default
@ -45,7 +44,7 @@ server {
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
}
@ -57,7 +56,7 @@ CREATE DATABASE IF NOT EXISTS open3a;
GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
cd $webroot
wget https://www.open3a.de/download/open3A%204.0.zip -O $webroot/open3a.zip
wget https://www.open3a.de/download/open3A%203.5.zip -O $webroot/open3a.zip
unzip open3a.zip
rm open3a.zip
chmod 666 system/DBData/Installation.pfdb.php
@ -68,6 +67,9 @@ chown -R www-data:www-data $webroot
echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
chmod +x /etc/cron.daily/open3a-backup
systemctl enable --now php7.4-fpm
systemctl restart php7.4-fpm nginx
cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
<?php echo "This is a database-file."; /*
host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
@ -76,9 +78,4 @@ localhost &%%%&open3a &%%%&$MYSQL_PAS
*/ ?>
EOF
systemctl enable --now php8.2-fpm
systemctl restart php8.2-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"

31
src/piler/constants-service.conf
View File

@ -1,31 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/piler"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb,manticore"

23
src/piler/install-service.sh
View File

@ -1,23 +0,0 @@
#!/bin/bash
# Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
source zamba.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
echo -e "Installation of piler finished."
echo -e "\nFor administration please visit the following Website:"
echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/"
echo -e "\nLogin with following credentials:"
echo -e "\tUser: admin@local"
echo -e "\tPass: pilerrocks"
echo -e "\n\nPlease have a look the the GOBD notes (in German):"
echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/gobd"

19
src/proxmox-pbs/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="128K"
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,14 +19,5 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Backup ubdir where Urbackup will store backups
PBS_DATA="backup"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="backup"
PBS_DATA="backup"

4
src/proxmox-pbs/install-service.sh
View File

@ -15,11 +15,9 @@ cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list
deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
EOF
wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
apt update && apt upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
systemctl disable --now zfs-mount.service zfs-share.service

49
src/rei3/constants-service.conf
View File

@ -1,49 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the IP from the SQL server
REI3_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
REI3_DB_PORT="5432"
# Defines the name from the SQL database
REI3_DB_NAME="app"
# Defines the name from the SQL user
REI3_DB_USR="rei3"
# Build a strong password for the SQL user - could be overwritten with something fixed
REI3_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="postgresql"

42
src/rei3/install-service.sh
View File

@ -1,42 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
mkdir /opt/rei3
wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg
echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
timedatectl set-timezone ${LXC_TIMEZONE}
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER ${REI3_DB_USR} WITH PASSWORD '${REI3_DB_PWD}';"
psql -c "CREATE DATABASE ${REI3_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${REI3_DB_USR};"
psql -c "GRANT ALL PRIVILEGES ON DATABASE ${REI3_DB_NAME} TO ${REI3_DB_USR};"
echo "Postgres User ${REI3_DB_USR} and database ${REI3_DB_NAME} created."
EOF
cp /opt/rei3/config_template.json /opt/rei3/config.json
chmod u+x /opt/rei3/r3
sed -i 's/"user": "app",/"user": "'${REI3_DB_USR}'",/g' /opt/rei3/config.json
sed -i 's/"pass": "app",/"pass": "'${REI3_DB_PWD}'",/g' /opt/rei3/config.json
/opt/rei3/r3 -install
#/opt/rei/r3 -newadmin
systemctl start rei3

33
src/unifi/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="mongodb-server,java"

22
src/unifi/install-service.sh
View File

@ -1,22 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi

19
src/urbackup/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="128K"
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,17 +19,8 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Backup ubdir where Urbackup will store backups
URBACKUP_DATA="urbackup"
# OS codename for opensuse / urbackup repo
REPO_CODENAME="Debian_12"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx"
REPO_CODENAME="Debian_11"

4
src/urbackup/install-service.sh
View File

@ -11,7 +11,7 @@ source /root/constants-service.conf
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
mkdir -p /etc/urbackup
mkdir /etc/urbackup
echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
@ -20,7 +20,7 @@ curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
mkdir -p /etc/nginx/ssl
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
ln -s /usr/share/urbackup/www /var/www/urbackup

42
src/vaultwarden/constants-service.conf
View File

@ -1,42 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the name from the SQL database
VAULTWARDEN_DB_NAME="vaultwarden"
# Defines the name from the SQL user
VAULTWARDEN_DB_USR="vaultwarden"
# Build a strong password for the SQL user - could be overwritten with something fixed
VAULTWARDEN_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql"

163
src/vaultwarden/install-service.sh
View File

@ -1,163 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
admin_token=$(openssl rand -base64 48)
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
systemctl enable --now postgresql
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
./docker-image-extract vaultwarden/server:alpine
mkdir -p /opt/vaultwarden
mkdir -p /var/lib/vaultwarden/data
useradd vaultwarden
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
mv output/vaultwarden /opt/vaultwarden
mv output/web-vault /var/lib/vaultwarden/
rm -Rf output
rm -Rf docker-image-extract
su - postgres <<EOF
psql -c "CREATE USER ${VAULTWARDEN_DB_USR} WITH PASSWORD '${VAULTWARDEN_DB_PWD}';"
psql -c "CREATE DATABASE ${VAULTWARDEN_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${VAULTWARDEN_DB_USR};"
echo "Postgres User ${VAULTWARDEN_DB_USR} and database ${VAULTWARDEN_DB_NAME} created."
EOF
cat << EOF > /var/lib/vaultwarden/.env
DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden
DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN}
ORG_CREATION_USERS=admin@$LXC_DOMAIN
# Use `openssl rand -base64 48` to generate
ADMIN_TOKEN=$admin_token
# Uncomment this once vaults restored
SIGNUPS_ALLOWED=$VW_SIGNUPS_ALLOWED
SMTP_HOST=$VW_SMTP_HOST
SMTP_FROM=$VW_SMTP_FROM
SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
SMTP_PORT=$VW_SMTP_PORT # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
SMTP_SSL=$VW_SMTP_SSL # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
SMTP_USERNAME=$VW_SMTP_USERNAME
SMTP_PASSWORD=$VW_SMTP_PASSWORD
SMTP_TIMEOUT=15
EOF
cat << EOF > /etc/systemd/system/vaultwarden.service
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=/var/lib/vaultwarden/.env
ExecStart=/opt/vaultwarden/vaultwarden
LimitNOFILE=1048576
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};
EOF
cat << EOF > /var/lib/vaultwarden/update.sh
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
./docker-image-extract vaultwarden/server:alpine
mv output/vaultwarden /opt/vaultwarden
systemctl stop vaultwarden.service
cp -rlf output/web-vault /var/lib/vaultwarden/
rm -Rf output
rm -Rf docker-image-extract
systemctl start vaultwarden.service
EOF
chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
chmod +x /var/lib/vaultwarden/update.sh
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/vaultwarden.access.log;
error_log /var/log/nginx/vaultwarden.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/vaultwarden.access.log;
error_log /var/log/nginx/vaultwarden.error.log;
client_max_body_size 50M;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
proxy_read_timeout 90;
}
}
EOF
generate_dhparam
unlink /etc/nginx/sites-enabled/default
systemctl daemon-reload
systemctl enable --now vaultwarden
systemctl restart nginx

52
src/zabbix-proxy/constants-service.conf
View File

@ -1,52 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="data"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the IP from the SQL server
ZABBIX_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
ZABBIX_DB_PORT="5432"
# Defines the name from the SQL database
ZABBIX_DB_NAME="zabbix_proxy"
# Defines the name from the SQL user
ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
ZABBIX_VERSION=7.0 #zabbix 7 beta
POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"

67
src/zabbix-proxy/install-service.sh
View File

@ -1,67 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
timedatectl set-timezone ${LXC_TIMEZONE}
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
srv=$(grep -E "^Server" /etc/zabbix/zabbix_proxy.conf)
sed -i "s/$srv/Server=${ZBX_ADDR}/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# ListenPort=/ListenPort=/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/Hostname=Zabbix proxy/Hostname=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
mkdir -p /var/lib/zabbix
chown -R zabbix:zabbix /var/lib/zabbix/
chmod 700 /var/lib/zabbix/
psk=$(openssl rand -hex 32)
echo "$psk" > /var/lib/zabbix/proxy.psk
chown zabbix:zabbix /var/lib/zabbix/proxy.psk
chmod 600 /var/lib/zabbix/proxy.psk
sed -i "s/# TLSConnect=unencrypted/TLSConnect=psk/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
systemctl enable zabbix-proxy zabbix-agent2
systemctl restart zabbix-proxy zabbix-agent2
echo -e "Installation of zabbix-proxy finished."
echo -e "\nPlease register the Proxy on yout zabbix server with following data:"
echo -e "Proxy name:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
echo -e "Proxy mode: Active"
echo -e "Proxy address:\t$(ip a s dev eth0 | grep -m1 inet | cut -d ' ' -f6 | cut -d'/' -f1)"
echo -e "Encryption:\tPSK"
echo -e "PSK identity:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
echo -e "PSK:\t\t${psk}"

24
src/zabbix/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="data"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,9 +19,6 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the IP from the SQL server
ZABBIX_DB_IP="127.0.0.1"
@ -40,15 +33,4 @@ ZABBIX_DB_NAME="zabbix"
ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
ZABBIX_VERSION=7.0 #zabbix 7 beta
POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13)
PHP_VERSION=8.2 # debian 12 default
TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"
ZABBIX_DB_PWD="$(random_password)"

94
src/zabbix/install-service.sh
View File

@ -5,20 +5,20 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main"
apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-sql-scripts zabbix-agent sudo ssl-cert
unlink /etc/nginx/sites-enabled/default
@ -30,8 +30,8 @@ server {
server_tokens off;
access_log /var/log/nginx/zabbix.access.log;
error_log /var/log/nginx/zabbix.error.log;
access_log /var/log/nginx/gitea.access.log;
error_log /var/log/nginx/gitea.error.log;
location /.well-known/ {
}
@ -122,7 +122,9 @@ server {
}
EOF
cat << EOF > /etc/php/$PHP_VERSION/fpm/pool.d/zabbix-php-fpm.conf
ln -sf /etc/zabbix/nginx.conf /etc/nginx/sites-enabled/zabbix.conf
cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf
[zabbix]
user = www-data
group = www-data
@ -149,88 +151,24 @@ php_value[max_input_time] = 300
php_value[max_input_vars] = 10000
EOF
cat << EOF > /etc/zabbix/web/zabbix.conf.php
<?php
// Zabbix GUI configuration file.
\$DB['TYPE'] = 'POSTGRESQL';
\$DB['SERVER'] = 'localhost';
\$DB['PORT'] = '0';
\$DB['DATABASE'] = '${ZABBIX_DB_NAME}';
\$DB['USER'] = '${ZABBIX_DB_USR}';
\$DB['PASSWORD'] = '${ZABBIX_DB_PWD}';
// Schema name. Used for PostgreSQL.
\$DB['SCHEMA'] = '';
// Used for TLS connection.
\$DB['ENCRYPTION'] = true;
\$DB['KEY_FILE'] = '';
\$DB['CERT_FILE'] = '';
\$DB['CA_FILE'] = '';
\$DB['VERIFY_HOST'] = false;
\$DB['CIPHER_LIST'] = '';
// Vault configuration. Used if database credentials are stored in Vault secrets manager.
\$DB['VAULT_URL'] = '';
\$DB['VAULT_DB_PATH'] = '';
\$DB['VAULT_TOKEN'] = '';
// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
// This option is enabled by default for new Zabbix installations.
// For upgraded installations, please read database upgrade notes before enabling this option.
\$DB['DOUBLE_IEEE754'] = true;
// Uncomment and set to desired values to override Zabbix hostname/IP and port.
// \$ZBX_SERVER = '';
// \$ZBX_SERVER_PORT = '';
\$ZBX_SERVER_NAME = '${LXC_HOSTNAME}';
\$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;
// Uncomment this block only if you are using Elasticsearch.
// Elasticsearch url (can be string if same url is used for all types).
//\$HISTORY['url'] = [
// 'uint' => 'http://localhost:9200',
// 'text' => 'http://localhost:9200'
//];
// Value types stored in Elasticsearch.
//\$HISTORY['types'] = ['uint', 'text'];
// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
//\$SSO['SP_KEY'] = 'conf/certs/sp.key';
//\$SSO['SP_CERT'] = 'conf/certs/sp.crt';
//\$SSO['IDP_CERT'] = 'conf/certs/idp.crt';
//\$SSO['SETTINGS'] = [];
EOF
timedatectl set-timezone ${LXC_TIMEZONE}
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
psql -c "CREATE USER ZABBIX WITH PASSWORD '${ZABBIX_DB_PWD}';"
psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
systemctl restart postgresql
echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
zcat /usr/share/doc/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql zabbix
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
generate_dhparam
openssl dhparam -out /etc/nginx/dhparam.pem 4096
systemctl enable nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2
systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm
systemctl restart nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 > /dev/null 2>&1
systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm

18
src/zammad/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@ -23,11 +19,5 @@ LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,elasticsearch"
# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
LXC_MEM="2048"

176
src/zammad/install-service.sh
View File

@ -8,16 +8,27 @@
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
LXC_IP=$(hostname -I)
curl -fsSL https://dl.packager.io/srv/zammad/zammad/key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/pkgr-zammad.gpg > /dev/null
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor | tee /etc/apt/trusted.gpg.d/elasticsearch.gpg> /dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main"| tee -a /etc/apt/sources.list.d/elastic-7.x.list > /dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/pkgr-zammad.gpg] https://dl.packager.io/srv/deb/zammad/zammad/stable/debian 12 main"| tee /etc/apt/sources.list.d/zammad.list > /dev/null
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key
apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch
cat << EOF >>/etc/hosts
0.0.0.0 image.zammad.com
0.0.0.0 images.zammad.com
0.0.0.0 geo.zammad.com
0.0.0.0 www.zammad.com
0.0.0.0 www.zammad.org
0.0.0.0 www.zammad.net
0.0.0.0 www.zammad.de
0.0.0.0 zammad.com
0.0.0.0 zammad.org
0.0.0.0 zammad.net
0.0.0.0 zammad.de
#
127.0.0.1 elasticsearch
0.0.0.0 geoip.elastic.co
EOF
# Java set startup environment
mkdir -p /etc/elasticsearch/jvm.options.d
@ -28,36 +39,143 @@ cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
-Xmx1g
EOF
# configure nginx
generate_dhparam
wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql
unlink /etc/nginx/sites-enabled/default
unlink /etc/nginx/sites-enabled/zammad.conf
# configurwe nginx
rm -f /etc/nginx/sites-enabled/default
mkdir -p /etc/nginx/ssl
ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
cat << EOF > /etc/nginx/sites-available/zammad.conf
upstream zammad-railsserver {
server 127.0.0.1:3000;
}
sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
-e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
-e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
-e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
-e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
/opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
upstream zammad-websocket {
server 127.0.0.1:6042;
}
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
server {
listen 80;
#EDIT no IPv6 ;-) listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/zammad.access.log;
error_log /var/log/nginx/zammad.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://\$host\$request_uri;
}
server {
listen 443 ssl http2;
#EDIT no IPv6 ;-) listen [::]:443 ssl http2;
server_name _;
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
#
# https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
#
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
add_header Referrer-Policy "strict-origin";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
location = /robots.txt {
access_log off; log_not_found off;
}
location = /favicon.ico {
access_log off; log_not_found off;
}
root /opt/zammad/public;
access_log /var/log/nginx/zammad.access.log;
error_log /var/log/nginx/zammad.error.log;
client_max_body_size 50M;
location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
expires max;
}
location /ws {
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header CLIENT_IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_read_timeout 86400;
proxy_pass http://zammad-websocket;
}
location / {
proxy_set_header Host \$http_host;
proxy_set_header CLIENT_IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
# change this line in an SSO setup
proxy_set_header X-Forwarded-User "";
proxy_read_timeout 180;
proxy_pass http://zammad-railsserver;
gzip on;
gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
gzip_proxied any;
}
}
EOF
#EDIT ADD
echo -e "\n\n\n >>> Warte 5 sek. und installier Zammad ...\n\n\n"
sleep 5
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install zammad
# SymLink nginx Zammad enable
ln -s /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
openssl dhparam -out /etc/nginx/dhparam.pem 4096
# configure elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
systemctl restart nginx
systemctl enable elasticsearch.service
systemctl restart nginx elasticsearch.service
systemctl start elasticsearch.service
# Elasticsearch conntact to Zammad
zammad run rails r "Setting.set('es_url', 'http://127.0.0.1:9200')"
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
systemctl restart elasticsearch.service
zammad run rake zammad:searchindex:rebuild[$(nproc)]
zammad run rake searchindex:rebuild
echo -e "Your Zammad installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\n"

29
src/zmb-ad-join/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="backup"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
@ -23,23 +19,4 @@ LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
OPTIONAL_FEATURES=(wsdd splitdns)

141
src/zmb-ad-join/install-service.sh
View File

@ -15,6 +15,8 @@ for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
@ -27,40 +29,35 @@ for f in ${OPTIONAL_FEATURES[@]}; do
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
## configure ntp
cat << EOF > /etc/ntp.conf
# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Where to retrieve the time from
server 0.de.pool.ntp.org iburst prefer
server 1.de.pool.ntp.org iburst prefer
server 2.de.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
EOF
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d
cat << EOF > /etc/default/chrony
# This is a configuration file for /etc/init.d/chrony and
# /lib/systemd/system/chrony.service; it allows you to pass various options to
# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
DAEMON_OPTS="-x -F 1"
EOF
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
[Unit]
ConditionCapability=
EOF
cat << EOF > /etc/chrony/conf.d/samba.conf
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
server de.pool.ntp.org iburst
server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES rsync acl attr ntpdate rpl net-tools dnsutils ntp cifs-utils samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
@ -124,98 +121,18 @@ cat > /etc/krb5.conf <<EOF
EOF
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
systemctl disable --now smbd nmbd winbind systemd-resolved
rm -f /etc/samba/smb.conf
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
rm /etc/krb5.conf
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
mkdir -p /mnt/sysvol
cat << EOF > /root/.smbcredentials
username=$ZMB_ADMIN_USER
password=$ZMB_ADMIN_PASS
domain=$ZMB_DOMAIN
EOF
echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab
mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
cat > /etc/cron.d/sysvol-sync << EOF
*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol; if ! /usr/bin/samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then /usr/bin/samba-tool ntacl sysvolreset ; fi
*/5 * * * * root /usr/bin/rsync -XAavz --delete-after root@$LXC_DNS:/var/lib/samba/sysvol/ /var/lib/samba/sysvol
EOF
/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
if ! samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then
samba-tool ntacl sysvolreset
fi
ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0
keep=$1
if \$1 ; then
keep=\$1
fi
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
prune () {
backup_type=\$1
if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
fi
}
echo "\$(date) Starting samba-ad-dc online backup"
if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
prune online
else
echo "\$(date) samba-ad-dc online backup failed"
rc=\$((\$rc + 1))
fi
echo "\$(date) Starting samba-ad-dc offline backup"
if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
prune offline
else
echo "S(date) samba-ad-dc offline backup failed"
rc=\$((\$rc + 1))
fi
exit \$rc
EOF
chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF
cat << EOF > /etc/logrotate.d/smb-backup
/var/log/smb-backup.log {
weekly
rotate 12
compress
delaycompress
missingok
notifempty
create 644 root root
}
EOF

19
src/zmb-ad/constants-service.conf
View File

@ -8,14 +8,10 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="backup"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP="0"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
@ -23,9 +19,6 @@ LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
@ -36,10 +29,4 @@ LXC_KEYCTL="0"
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary"
OPTIONAL_FEATURES=()

125
src/zmb-ad/install-service.sh
View File

@ -15,6 +15,8 @@ for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
@ -27,40 +29,41 @@ for f in ${OPTIONAL_FEATURES[@]}; do
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
## configure ntp
cat << EOF > /etc/ntp.conf
# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Where to retrieve the time from
server 0.de.pool.ntp.org iburst prefer
server 1.de.pool.ntp.org iburst prefer
server 2.de.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
EOF
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d
cat << EOF > /etc/default/chrony
# This is a configuration file for /etc/init.d/chrony and
# /lib/systemd/system/chrony.service; it allows you to pass various options to
# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
DAEMON_OPTS="-x -F 1"
EOF
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
[Unit]
ConditionCapability=
EOF
cat << EOF > /etc/chrony/conf.d/samba.conf
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
server de.pool.ntp.org iburst
server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
@ -119,76 +122,20 @@ EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
systemctl disable --now smbd nmbd winbind systemd-resolved
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
# provision zamba domain
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
# disable password expiry for administrator
samba-tool user setexpiry Administrator --noexpiry
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0
keep=\$1
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
prune () {
backup_type=\$1
if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
fi
}
echo "\$(date) Starting samba-ad-dc online backup"
if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
prune online
else
echo "\$(date) samba-ad-dc online backup failed"
rc=\$((\$rc + 1))
fi
echo "\$(date) Starting samba-ad-dc offline backup"
if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
prune offline
else
echo "S(date) samba-ad-dc offline backup failed"
rc=\$((\$rc + 1))
fi
exit \$rc
EOF
chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF
cat << EOF > /etc/logrotate.d/smb-backup
/var/log/smb-backup.log {
weekly
rotate 12
compress
delaycompress
missingok
notifempty
create 644 root root
}
EOF
exit 0

33
src/zmb-cups/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="samba,member,cups,printserver"

110
src/zmb-cups/install-service.sh
View File

@ -1,110 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
apt update
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = $ZMB_REALM
ticket_lifetime = 600
dns_lookup_realm = true
dns_lookup_kdc = true
renew_lifetime = 7d
EOF
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
klist
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
cat > /etc/samba/smb.conf <<EOF
[global]
workgroup = $ZMB_DOMAIN
security = ADS
realm = $ZMB_REALM
server string = %h server
vfs objects = acl_xattr shadow_copy2
map acl inherit = Yes
store dos attributes = Yes
idmap config *:backend = tdb
idmap config *:range = 3000000-4000000
idmap config *:schema_mode = rfc2307
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind separator = /
winbind nested groups = yes
winbind nss info = rfc2307
pam password change = Yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
template homedir = /home/%U
template shell = /bin/bash
bind interfaces only = Yes
interfaces = lo eth0
log file = /var/log/samba/log.%m
logging = syslog
max log size = 1000
panic action = /usr/share/samba/panic-action %d
dns proxy = No
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: delimiter = -20
printing = CUPS
rpcd_spoolss:idle_seconds=300
rpcd_spoolss:num_workers = 10
spoolss: architecture = Windows x64
[printers]
path = /${LXC_SHAREFS_MOUNTPOINT}/spool
printable = yes
[print$]
path = /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
read only = no
EOF
systemctl restart smbd
echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
echo -e "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
systemctl restart winbind nmbd
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
systemctl disable --now cups-browsed.service
cupsctl --remote-admin
systemctl restart cups smbd nmbd winbind wsdd

19
src/zmb-member/constants-service.conf
View File

@ -8,26 +8,13 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="128K"
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="samba,member,fileserver"
LXC_NESTING="1"

7
src/zmb-member/install-service.sh
View File

@ -9,11 +9,12 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# add wsdd package repo
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
mv /etc/krb5.conf /etc/krb5.conf.bak
@ -96,7 +97,7 @@ systemctl restart winbind nmbd
wbinfo -u
wbinfo -g
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

19
src/zmb-standalone/constants-service.conf
View File

@ -8,26 +8,13 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="128K"
LXC_MP="1"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit"
LXC_NESTING="1"

66
src/zmb-standalone/install-service.sh
View File

@ -9,17 +9,20 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# add wsdd package repo
apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends -t $(lsb_release -cs)-backports cockpit
mkdir /usr/share/cockpit/smb
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/index.html -O /usr/share/cockpit/smb/index.html
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/manifest.json -O /usr/share/cockpit/smb/manifest.json
wget https://raw.githubusercontent.com/enira/cockpit-smb-plugin/master/smb.js -O /usr/share/cockpit/smb/smb.js
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
@ -27,52 +30,23 @@ echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
smbpasswd -x $USER
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
usermod -aG sudo $USER
cat << EOF | sudo tee -i /etc/samba/smb.conf
[global]
include = registry
EOF
cat << EOF | sudo tee -i /etc/samba/import.template
[global]
workgroup = WORKGROUP
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
log level = 3
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes
cat << EOF >> /etc/samba/smb.conf
[$ZMB_SHARE]
comment = Main Share
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
read only = No
vfs objects = shadow_copy2
create mask = 0660
directory mask = 0770
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: delimiter = -20
fruit:encoding = native
fruit:metadata = stream
fruit:zero_file_id = yes
fruit:nfs_aces = no
EOF
net conf import /etc/samba/import.template
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf setparm $ZMB_SHARE readonly no
net conf setparm $ZMB_SHARE browseable yes
net conf setparm $ZMB_SHARE createmask 0660
net conf setparm $ZMB_SHARE directorymask 0770
systemctl restart smbd nmbd wsdd