bashclub/zamba-lxc-toolbox
2
0
Fork 1
mirror of https://github.com/bashclub/zamba-lxc-toolbox.git synced 2025-04-20 12:19:47 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: bashclub:main
Branches Tags
bashclub:main
bashclub:dev
bashclub:release-1.2
bashclub:old_dev_2022
bashclub:release-1.1
bashclub:Release-1.0
bashclub:archive-devel-1.0
bashclub:v0.1
..
compare: bashclub:v0.1
Branches Tags
bashclub:dev
bashclub:main
bashclub:release-1.2
bashclub:old_dev_2022
bashclub:release-1.1
bashclub:Release-1.0
bashclub:archive-devel-1.0
bashclub:v0.1

No commits in common. "main" and "v0.1" have entirely different histories.
main ... v0.1

85 changed files with 622 additions and 6165 deletions
Show Stats Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1,5 +1,2 @@
*__pycache__*
.vscode/*
conf/*
!conf/README.md
!conf/zamba.conf.example

12
CHANGELOG.md Normal file
View File

@ -0,0 +1,12 @@
**** Zamba LXC Toolbox v0.1 ****
- `locales` are now configured noninteractive #21
- timezone is now configured with `pct set` command in `install.sh` #22
- changed command sequence in `install.sh` - select container first, then start the installation
- improved / updated documentation
- replaced `just-lxc` container by `debian-priv` and `debian-unpriv` container
- (un)privileged now defined as constant based on created service #6
- improved log messages in `install.sh`
- `mailpiler`: website is now also `default_host`, removed nginx default site, dns entry is still required
- changed `mailpiler` version to 1.3.11
- changed `element-web` version to 1.7.25
- `LXC_AUTHORIZED_KEY` variable now defines an `authorized_keys` file, by default the configuration of you proxmox host will be inherited (`~/.ssh/authorized_keys`)

55
README.md
View File

@ -5,32 +5,15 @@ Zamba LXC Toolbox is a collection of scripts to easily install Debian LXC contai
The main feature is `Zamba`, the fusion of ZFS and Samba in three different flavours (standalone, active directory dc or active directory member), preconfigured to access ZFS snapshots by "Windows Previous Versions" to easily recover encrypted by ransomware files, accidently deleted files or just to revert changes.
The package also provides LXC container installers for `mailpiler`, `matrix-synapse` + `element-web` and more services will follow in future releases.
### Requirements
Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
Proxmox VE Server with at least one configured ZFS Pool.
### Included services:
- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/)
- `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/)
- `debian-priv` => Debian privileged container with basic toolset
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de)
- `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
- `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/)
- `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/)
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
- `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
- `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
- `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/)
- `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
- `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
- `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
- `unifi` => Unifi Controller [ui.com](https://ui.com)
- `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
- `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `debian-unpriv` => Debian privileged container with basic toolset
## Usage
Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
```bash
@ -43,32 +26,14 @@ git clone https://github.com/bashclub/zamba-lxc-toolbox
cd zamba-lxc-toolbox
```
### Configuration
Copy `zamba.conf.example` located in `conf` directory to a new file (default: `zamba.conf`) and adjust your desired settings.
For further information about configuration variables, have a look at [conf/README.md](conf/README.md)
```bash
cp conf/zamba.conf.example conf/zamba.conf
```
To fit your requirements, please edit the file `zamba.conf` with your favourite text editor (e.g. `vim` or `nano`).
The required adjustments are in the LXC container section and in the section for the service you want to launch.
For further information about the config variables, have a look at [zamba.conf.md](zamba.conf.md)
### Installation
After configuring, you are able to launch the script interactively (only works with `conf/zamba.conf`):
After configuring, you are able to launch the script interactively:
```bash
bash install.sh
```
### Advanced Usage
You can set optional parameters (config file, service, container id):
#### Example:
```bash
bash install.sh -i 280 -c conf/my-zmb-service.conf -s zmb-member
```
You can also view possible parameters with `install.sh -h`
After container creation, you will be prompted to select the service to install and depending on the service there may be some more questions during installation.
Once the script has finished, the container is installed and running and you can continue with the service specific configuration.
# Authors
### Markus Helmke
[<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/nettwarker)
### Thorsten Spille
[<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/thorakel)

20
debian-priv.sh Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc

18
debian-unpriv.sh Normal file
View File

@ -0,0 +1,18 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
dpkg-reconfigure locales
source /root/zamba.conf
# Set Timezone
ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc

244
install.sh Executable file → Normal file
View File

@ -1,5 +1,4 @@
#!/bin/bash
set -euo pipefail
# This script will create and fire up a standard debian buster lxc container on your Proxmox VE.
# On a Proxmox cluster, the script will create the container on the local node, where it's executed.
@ -16,112 +15,79 @@ set -euo pipefail
# Please adjust th settings in 'zamba.conf' to your needs before running the script
############### ZAMBA INSTALL SCRIPT ###############
prog="$(basename $0)"
usage() {
cat >&2 <<-EOF
usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
installs a preconfigured lxc container on your proxmox server
-i CTID provide a container id instead of auto detection
-s SERVICE provide the service name and skip the selection dialog
-c CFGFILE use a different config file than 'zamba.conf'
-d Debug mode inside LXC container
-h displays this help text
---------------------------------------------------------------------------
(C) 2021 zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
---------------------------------------------------------------------------
EOF
exit $1
}
ctid=0
service=ask
config=$PWD/conf/zamba.conf
debug=0
while getopts "hi:s:c:d" opt; do
case $opt in
h) usage 0 ;;
i) ctid=$OPTARG ;;
s) service=$OPTARG ;;
c) config=$OPTARG ;;
d) debug=1 ;;
*) usage 1 ;;
esac
done
shift $((OPTIND-1))
OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n)
valid=0
if [[ "$service" == "ask" ]]; then
select svc in $OPTS quit; do
if [[ "$svc" != "quit" ]]; then
for line in $OPTS; do
if [[ "$svc" == "$line" ]]; then
service=$svc
echo "Installation of $service selected."
valid=1
break
fi
done
else
echo "Selected 'quit' exiting without action..."
exit 0
fi
if [[ "$valid" == "1" ]]; then
break
fi
done
else
for line in $OPTS; do
if [[ "$service" == "$line" ]]; then
echo "Installation of $service selected."
valid=1
break
fi
done
fi
if [[ "$valid" != "1" ]]; then
echo "Invalid option, exiting..."
usage 1
fi
# Load configuration file
echo "Loading config file '$config'..."
if [ ! -e "$config" ]; then
echo "Configuration files does not exist"
source $PWD/zamba.conf
LXC_MP="0"
LXC_UNPRIVILEGED="1"
LXC_NESTING="0"
select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
case $opt in
debian-unpriv)
echo "Debian-only LXC container unprivileged mode selected"
break
;;
debian-priv)
echo "Debian-only LXC container privileged mode selected"
LXC_UNPRIVILEGED="0"
break
;;
zmb-standalone)
echo "Configuring LXC container '$opt'!"
LXC_MP="1"
LXC_UNPRIVILEGED="0"
break
;;
zmb-member)
echo "Configuring LXC container '$opt'!"
LXC_MP="1"
LXC_UNPRIVILEGED="0"
break
;;
zmb-ad)
echo "Selected Zamba AD DC"
LXC_NESTING="1"
LXC_UNPRIVILEGED="0"
break
;;
mailpiler)
echo "Configuring LXC container for '$opt'!"
LXC_NESTING="1"
break
;;
matrix)
echo "Install Matrix chat server and element web service"
break
;;
quit)
echo "Script aborted by user interaction."
exit 0
;;
*)
echo "Invalid option! Exiting..."
exit 1
fi
;;
esac
done
source "src/functions.sh"
# CHeck is the newest template available, else download it.
DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep debian-10-standard | cut -d'_' -f2)
DEB_REP=$(pveam available --section system | grep debian-10-standard | cut -d'_' -f2)
source "$config"
source "$PWD/src/$service/constants-service.conf"
if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
LXC_MEM=$LXC_MEM_MIN
fi
if [ $LXC_AUTOTAG -gt 0 ]; then
TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}"
fi
# Check is the newest template available, else download it.
pveam update
TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
if [ $ctid -gt 99 ]; then
LXC_CHK=$ctid
if [[ $DEB_LOC == $DEB_REP ]];
then
echo "Newest Version of Debian 10 Standard $DEP_REP exists.";
else
# Get next free LXC-number
LXC_CHK=$(($(pct list | cut -d' ' -f1 | tail -1) + 1))
echo "Will now download newest Debian 10 Standard $DEP_REP.";
pveam download $LXC_TEMPLATE_STORAGE debian-10-standard_$DEB_REP\_amd64.tar.gz
fi
# Get next free LXC-number
LXC_LST=$( lxc-ls | egrep -o '.{1,5}$' )
LXC_CHK=$((LXC_LST+1));
if [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
LXC_NBR=$(pvesh get /cluster/nextid);
else
@ -129,77 +95,47 @@ else
fi
echo "Will now create LXC Container $LXC_NBR!";
if [ $LXC_THREADS -gt 0 ]; then
LXC_CORES=--cores\ $LXC_THREADS
fi
if [[ $LXC_RESSOURCE_POOL != "" ]]; then
LXC_POOL=--pool\ $LXC_RESSOURCE_POOL
fi
# Create the container
set +u
pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE,acl=1;
set -u
pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/debian-10-standard_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
sleep 2;
# Check vlan configuration
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
# Reconfigure conatiner
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
if [ $LXC_DHCP == true ]; then
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
if [[ $LXC_VLAN != "" ]];then
VLAN=",tag=$LXC_VLAN"
else
pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
VLAN=""
fi
# Reconfigure conatiner
pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME \-nameserver $LXC_DNS -searchdomain $LXC_DOMAIN -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN;
sleep 2
if [ $LXC_MP -gt 0 ]; then
pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
if [[ "$(pvesm status | grep $LXC_SHAREFS_STORAGE | cut -d ' ' -f6)" == "zfspool" ]]; then
pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
fi
pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
fi
sleep 2;
PS3="Select the Server-Function: "
pct start $LXC_NBR;
sleep 5;
# Set the root ssh key
pct exec $LXC_NBR -- mkdir -p /root/.ssh
# Set the root password and key
echo "Setting root password"
echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
echo "Creating /root/.ssh"
lxc-attach -n$LXC_NBR mkdir /root/.ssh;
echo "Copying authorized_keys"
pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
pct push $LXC_NBR "$config" /root/zamba.conf
pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
echo "Copying sources.list"
pct push $LXC_NBR ./sources.list /etc/apt/sources.list
echo "Copying zamba.conf"
pct push $LXC_NBR ./zamba.conf /root/zamba.conf
echo "Copying install script"
pct push $LXC_NBR ./$opt.sh /root/$opt.sh
echo "Install '$opt'!"
lxc-attach -n$LXC_NBR bash /root/$opt.sh
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
echo "Installing basic container setup..."
pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh"
echo "Install '$service'!"
pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh"
pct shutdown $LXC_NBR
if [[ $service == "zmb-ad" ]]; then
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
elif [[ $service == "zmb-ad-join" ]]; then
pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
fi
pct start $LXC_NBR
if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
sleep 5
pct exec $LXC_NBR /usr/local/bin/smb-backup 7
if [[ $opt == "zmb-ad" ]]; then
pct stop $LXC_NBR
pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
pct start $LXC_NBR
fi

187
mailpiler.sh Normal file
View File

@ -0,0 +1,187 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
HOSTNAME=$(hostname -f)
echo "Ensure your Hostname is set to your Piler FQDN!"
echo $HOSTNAME
if
[ "$HOSTNAME" != "$PILER_FQDN" ]
then
echo "Hostname doesn't match PILER_FQDNain! Check install.sh, /etc/hosts, /etc/hostname." && exit
else
echo "Hostname matches PILER_FQDNAIN, so starting installation."
fi
apt update && apt full-upgrade -y
apt install -y $LXC_TOOLSET build-essential libwrap0-dev libpst-dev tnef libytnef0-dev unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 software-properties-common libpoppler-dev openssl libssl-dev memcached telnet nginx mariadb-server default-libmysqlclient-dev python-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23
# install php
wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
apt update && apt install -y php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
apt purge -y postfix
cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
innodb_buffer_pool_size=256M
innodb_flush_log_at_trx_commit=1
innodb_log_buffer_size=64M
innodb_log_file_size=16M
query_cache_size=0
query_cache_type=0
query_cache_limit=2M
EOF
systemctl restart mariadb
cd /tmp
wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
groupadd piler
useradd -g piler -m -s /bin/bash -d /var/piler piler
usermod -L piler
chmod 755 /var/piler
wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
tar -xvzf piler-$PILER_VERSION.tar.gz
cd piler-$PILER_VERSION/
./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
make
make install
ldconfig
cp util/postinstall.sh util/postinstall.sh.bak
sed -i "s/ PILER_SMARTHOST=.*/ PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
sed -i 's/ WWWGROUP=.*/ WWWGROUP="www-data"/' util/postinstall.sh
make postinstall
cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
/etc/init.d/rc.piler start
/etc/init.d/rc.searchd start
update-rc.d rc.piler defaults
update-rc.d rc.searchd defaults
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
cd /etc/nginx/sites-available
cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
sed -i "s|PILER_HOST|$PILER_FQDN default_host|g" /etc/nginx/sites-available/piler-nginx.conf
sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
sed -i "/server_name.*/a \\
listen 443 ssl http2;\n\n\
ssl_certificate /etc/nginx/ssl/piler.crt;\n\
ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
ssl_session_timeout 1d;\n\
ssl_session_cache shared:SSL:15m;\n\
ssl_session_tickets off;\n\n\
# modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
ssl_protocols TLSv1.2 TLSv1.3;\n\
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
ssl_prefer_server_ciphers off;\n\n\
add_header X-Frame-Options SAMEORIGIN;\n\
add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
sed -i "/^server {.*/i\
server {\n\
listen 80;\n\
server_name $PILER_FQDN default_host;\n\
server_tokens off;\n\
# HTTP to HTTPS redirect.\n\
return 301 https://\$host\$request_uri;\n\
}" /etc/nginx/sites-available/piler-nginx.conf
cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
cat >> /usr/local/etc/piler/config-site.php <<EOF
// CUSTOM
\$config['PROVIDED_BY'] = '$PILER_FQDN';
\$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
\$config['COMPATIBILITY'] = '';
// fancy features.
\$config['ENABLE_INSTANT_SEARCH'] = 1;
\$config['ENABLE_TABLE_RESIZE'] = 1;
\$config['ENABLE_DELETE'] = 1;
\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
// general settings.
\$config['TIMEZONE'] = '$LXC_TIMEZONE';
// authentication
// Enable authentication against an imap server
//\$config['ENABLE_IMAP_AUTH'] = 1;
//\$config['RESTORE_OVER_IMAP'] = 1;
//\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
//\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
//\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
//\$config['IMAP_PORT'] = 993;
//\$config['IMAP_SSL'] = true;
// authentication against an ldap directory (disabled by default)
//\$config['ENABLE_LDAP_AUTH'] = 1;
//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
//\$config['LDAP_PORT'] = 389;
//\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
//\$config['LDAP_MAIL_ATTR'] = 'mail';
//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
//\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
// authentication against an Uninvention based ldap directory
//\$config['ENABLE_LDAP_AUTH'] = 1;
//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
//\$config['LDAP_PORT'] = 7389;
//\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
//\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
//\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
//\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
//\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
//\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
// special settings.
\$config['MEMCACHED_ENABLED'] = 1;
\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
EOF
rm /etc/nginx/sites-enabled/default
nginx -t && systemctl restart nginx
apt autoremove -y
apt clean -y

70
src/matrix/install-service.sh → matrix.sh
View File

@ -5,29 +5,33 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
MRX_PKE=$(random_password)
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
ELE_DBNAME="synapse_db"
ELE_DBUSER="synapse_user"
ELE_DBPASS=$(random_password)
ELE_PATH=/var/www/element-web
WEBROOT=/var/www
ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
apt update && apt full-upgrade -y
wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
apt install -y $LXC_TOOLSET apt-transport-https gpg software-properties-common nginx postgresql python3-psycopg2
wget wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
apt update && apt install -y matrix-synapse-py3
systemctl enable matrix-synapse
ss -tulpen
mkdir -p /etc/nginx/ssl
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
cat > /etc/nginx/sites-available/$MATRIX_FQDN <<EOF
@ -69,7 +73,7 @@ server {
ssl_certificate_key /etc/nginx/ssl/matrix.key;
# If you don't wanna serve a site, comment this out
root $ELE_PATH;
root /var/www/$MATRIX_FQDN;
index index.html index.htm;
location / {
@ -90,7 +94,7 @@ cat > /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN <<EOF
server {
listen 80;
listen [::]:80;
server_name _;
server_name $MATRIX_ELEMENT_FQDN;
return 301 https://$MATRIX_ELEMENT_FQDN;
}
@ -104,34 +108,31 @@ server {
ssl_certificate_key /etc/nginx/ssl/matrix.key;
# If you don't wanna serve a site, comment this out
root $ELE_PATH;
root /var/www/$MATRIX_ELEMENT_FQDN/element;
index index.html index.htm;
}
EOF
unlink /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$MATRIX_ELEMENT_FQDN
systemctl restart nginx
cd /var/www
wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
mkdir /var/www/$MATRIX_ELEMENT_FQDN
cd /var/www/$MATRIX_ELEMENT_FQDN
wget https://packages.riot.im/element-release-key.asc
gpg --import element-release-key.asc
MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/element-hq/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH
chown www-data:www-data -R $ELE_PATH
cp $ELE_PATH/config.sample.json $ELE_PATH/config.json
sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json
sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json
ln -s element-$MATRIX_ELEMENT_VERSION element
chown www-data:www-data -R element
cp ./element/config.sample.json ./element/config.json
sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json
sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json
su postgres <<EOF
psql -c "CREATE USER $ELE_DBUSER WITH PASSWORD '$ELE_DBPASS';"
@ -142,18 +143,19 @@ EOF
cd /
sed -i "s|#registration_shared_secret: <PRIVATE STRING>|registration_shared_secret: \"$MRX_PKE\"|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|#public_baseurl: https://example.com/|public_baseurl: https://$MATRIX_FQDN/|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|server_name:|server_name: $MATRIX_FQDN|g" /etc/matrix-synapse/conf.d/server_name.yaml
sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n user: $ELE_DBUSER\n password: $ELE_DBPASS\n host: 127.0.0.1\n cp_min: 5\n cp_max: 10|" /etc/matrix-synapse/homeserver.yaml
reg_secret=$(random_password)
echo -e "registration_shared_secret: \"$reg_secret\"" > /etc/matrix-synapse/conf.d/registration.yaml
systemctl restart matrix-synapse
rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
#apt update
#apt install -y jitsi-meet
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"

17
scripts/nextcloud-update
View File

@ -1,17 +0,0 @@
#!/bin/bash
#
# Update nextcloud
# place in /etc/cron.daily and make executable with chmod +x /etc/cron.daily/nextcloud-update
user=www-data
phpversion=php8.0
path=/var/www/nextcloud
alias ncc="sudo -u $user $phpversion $path/occ"
alias updater="sudo -u $user $phpversion $path/updater/updater.phar"
updater --no-backup --no-interaction
subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade")
for cmd in ${subcommands[@]}; do
ncc -n $cmd
done

6
sources.list Normal file
View File

@ -0,0 +1,6 @@
deb http://ftp.de.debian.org/debian buster main contrib
deb http://ftp.de.debian.org/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib

42
src/ansible-semaphore/constants-service.conf
View File

@ -1,42 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# Defines the name from the SQL database
SEMAPHORE_DB_NAME="semaphore"
# Defines the name from the SQL user
SEMAPHORE_DB_USR="semaphore"
# Build a strong password for the SQL user - could be overwritten with something fixed
SEMAPHORE_DB_PWD="$(random_password)"
# service dependent meta tags
SERVICE_TAGS="postgresql,nginx"

222
src/ansible-semaphore/install-service.sh
View File

@ -1,222 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip ansible ansible-lint
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER semaphore WITH PASSWORD '${SEMAPHORE_DB_PWD}';"
psql -c "CREATE DATABASE ${SEMAPHORE_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${SEMAPHORE_DB_USR};"
echo "Postgres User ${SEMAPHORE_DB_USR} and database ${SEMAPHORE_DB_NAME} created."
EOF
curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
cat << EOF > /usr/local/bin/update-semaphore
PATH="/bin:/usr/bin:/usr/local/bin"
echo "Checking github for new semaphore version"
current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
installed_version=\$(semaphore version)
echo "Installed semaphore version is \$installed_version"
if [ \$installed_version != \$current_version ]; then
echo "New semaphore version \$current_version available. Stopping semaphore.service"
systemctl stop semaphore.service
echo "Downloading semaphore version \$current_version..."
curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
echo "Starting semaphore.service..."
systemctl start semaphore.service
echo "semaphore update finished!"
else
echo "semaphore version is up-to-date!"
fi
EOF
chmod +x /usr/local/bin/update-semaphore
useradd -m -r -s /bin/bash semaphore
sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
EOF
chmod +x /etc/apt/apt.conf.d/80-semaphore-apt-hook
cat << EOF > /etc/systemd/system/semaphore.service
[Unit]
Description=Semaphore Ansible
Documentation=https://github.com/semaphoreui/semaphore
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
ExecReload=/bin/kill -HUP \$MAINPID
ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
SyslogIdentifier=semaphore
Restart=always
User=semaphore
Group=semaphore
[Install]
WantedBy=multi-user.target
EOF
mkdir -p /etc/semaphore
cat << EOF > /etc/semaphore/config.json
{
"mysql": {
"host": "",
"user": "",
"pass": "",
"name": "",
"options": null
},
"bolt": {
"host": "",
"user": "",
"pass": "",
"name": "",
"options": null
},
"postgres": {
"host": "127.0.0.1:5432",
"user": "${SEMAPHORE_DB_USR}",
"pass": "${SEMAPHORE_DB_PWD}",
"name": "${SEMAPHORE_DB_NAME}",
"options": {
"sslmode": "disable"
}
},
"dialect": "postgres",
"port": "",
"interface": "",
"tmp_path": "/tmp/semaphore",
"cookie_hash": "$(head -c32 /dev/urandom | base64)",
"cookie_encryption": "$(head -c32 /dev/urandom | base64)",
"access_key_encryption": "$(head -c32 /dev/urandom | base64)",
"email_sender": "",
"email_host": "",
"email_port": "",
"email_username": "",
"email_password": "",
"web_host": "",
"ldap_binddn": "",
"ldap_bindpassword": "",
"ldap_server": "",
"ldap_searchdn": "",
"ldap_searchfilter": "",
"ldap_mappings": {
"dn": "",
"mail": "",
"uid": "",
"cn": ""
},
"telegram_chat": "",
"telegram_token": "",
"slack_url": "",
"max_parallel_tasks": 0,
"email_alert": false,
"email_secure": false,
"telegram_alert": false,
"slack_alert": false,
"ldap_enable": false,
"ldap_needtls": false,
"ssh_config_path": "~/.ssh/",
"demo_mode": false,
"git_client": ""
}
EOF
if [ -f /etc/nginx/sites-enabled/default ]; then
unlink /etc/nginx/sites-enabled/default
fi
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/semaphore.access.log;
error_log /var/log/nginx/semaphore.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/semaphore.access.log;
error_log /var/log/nginx/semaphore.error.log;
client_max_body_size 50M;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:3000;
proxy_read_timeout 90;
}
}
EOF
echo "source <(semaphore completion bash)" >> /root/.bashrc
semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json
generate_dhparam
systemctl daemon-reload
systemctl enable --now semaphore.service
systemctl restart nginx.service
echo -e "\n######################################################################\n\n Please note this user and password for the semaphore login:\n '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n Enjoy your semaphore intallation.\n\n######################################################################"

33
src/apt/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="srv"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="aptly,nginx"

273
src/apt/install-service.sh
View File

@ -1,273 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
source /etc/os-release
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
# Create gpg key for apt repo signing
gpg --batch --gen-key <<EOF
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: ${AM_COMPANY_NAME}
Name-Email: ${AM_COMPANY_EMAIL}
Expire-Date: 0
%no-protection
EOF
if [ -f /etc/nginx/sites-enabled/default ]; then
unlink /etc/nginx/sites-enabled/default
fi
cat << EOF > /etc/aptly.conf
{
"rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
"downloadConcurrency": 4,
"downloadSpeedLimit": 0,
"architectures": [
"amd64",
"armhf"
],
"dependencyFollowSuggests": false,
"dependencyFollowRecommends": false,
"dependencyFollowAllVariants": false,
"dependencyFollowSource": false,
"dependencyVerboseResolve": true,
"gpgDisableSign": false,
"gpgDisableVerify": false,
"gpgProvider": "gpg",
"downloadSourcePackages": false,
"skipLegacyPool": true,
"ppaDistributorID": "$AM_COMPANY_NAME",
"ppaCodename": ""
}
EOF
cat << EOF > /usr/local/bin/update-apt-mirrors
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
for m in $(aptly mirror list -raw); do
aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
done
EOF
chmod +x /usr/local/bin/update-apt-mirrors
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
# Force HTTPS connection. This rules is domain agnostic
if (\$scheme != "https") {
rewrite ^ https://\$host\$uri permanent;
}
# SSL configuration
#
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 15.137.208.11 15.137.209.11 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
root /var/www/html;
index index.html index.htm;
server_name _;
location /gpg {
autoindex on;
}
location /graph {
autoindex on;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files \$uri \$uri/ =404;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_pass http://localhost:8080;
}
location /api {
proxy_pass http://localhost:8000/api;
}
location /api/graph {
return 403;
}
}
EOF
cat << EOF > /etc/systemd/system/aptly.service
[Unit]
Description=Aptly Repository service
[Service]
User=root
ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
KillSignal=SIGTERM
KillMode=process
TimeoutStopSec=15s
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/aptly-api.service
[Unit]
Description=Aptly REST API service
[Service]
User=root
ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
KillSignal=SIGTERM
KillMode=process
TimeoutStopSec=15s
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /root/mirror-examples
# import proxmox keyring
wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
# proxmox 8 no subscription mirror (about 11.5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
# import debian keyring
cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
# debian 12 main mirror (about 87 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
# debian 12 contrib mirror (about 600 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
# debian 12 non-free mirror (about7,2 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
# debian 12 non-free-firmware mirror (38 Packages)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
# debian 12 update main mirror (about 2,5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
# debian 12 update contrib mirror (currently empty)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
# debian 12 updates non-free mirror (about 900 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
# debian 12 updates non-free-firmware mirror (about 70 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
# debian 12 security main mirror (about 5,5 GB)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
# debian 12 security contrib mirror (2 packages)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
# debian 12 security non-free mirror (currently empty)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
# debian 12 security non-free-firmware mirror (1 package)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
# debian 12 backports main mirror (about 14,5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
# debian 12 backports contrib mirror (about 100 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
# debian 12 backports non-free mirror (2 packages)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
# debian 12 backports non-free-firmware mirror (currently empty)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
EOF
cat << EOF > /usr/local/bin/update-apt-mirrors
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
for m in \$(aptly mirror list -raw); do
aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
done
EOF
echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
chmod +x /usr/local/bin/update-apt-mirrors
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
chown -R www-data:www-data /var/www
# Create required webserver folders
sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
# Export gpg key
sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
generate_dhparam
systemctl daemon-reload
systemctl enable --now aptly aptly-api
systemctl restart nginx
echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."

33
src/authentik/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="docker"

108
src/authentik/install-service.sh
View File

@ -1,108 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
install_portainer_full() {
mkdir -p /opt/portainer/data
cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/portainer:latest
volumes:
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "8000:8000"
- "9443:9443"
command: --admin-password-file=/data/admin_password
EOF
echo -n "$SECRET" > ./data/admin_password
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
}
install_portainer_agent() {
mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/agent:latest
volumes:
- /var/lib/docker/volumes:/var/lib/docker/volumes
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "9001:9001"
EOF
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
}
mkdir -p /opt/authentik
wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
cd /opt/authentik
cat << EOF > .env
PG_PASS=$(pwgen -s 40 1)
AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
AUTHENTIK_DISABLE_UPDATE_CHECK=false
AUTHENTIK_ERROR_REPORTING__ENABLED=false
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
AUTHENTIK_AVATARS=initials
COMPOSE_PORT_HTTP=80
COMPOSE_PORT_HTTPS=443
AUTHENTIK_EMAIL__HOST=
AUTHENTIK_EMAIL__PORT=
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=
AUTHENTIK_REDIS__DB=1
EOF
docker compose pull
docker compose up -d
case $PORTAINER in
full) install_portainer_full ;;
agent) install_portainer_agent ;;
*) echo -e "\n######################################################################\n\n Enjoy your authentik intallation.\n\n######################################################################\n\n Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
esac

33
src/bookstack/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

186
src/bookstack/install-service.sh
View File

@ -1,186 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
BOOKSTACK_DB_PWD=$(random_password)
webroot=/var/www/bookstack/public
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
client_max_body_size 100M;
fastcgi_buffers 64 4K;
client_body_timeout 120s;
listen 443 http2 ssl default_server;
listen [::]:443 http2 ssl default_server;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot;
index index.php;
ssl_certificate /etc/nginx/ssl/open3a.crt;
ssl_certificate_key /etc/nginx/ssl/open3a.key;
access_log /var/log/nginx/bookstack.access.log;
error_log /var/log/nginx/bookstack.error.log;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location ~ /\.ht {
deny all;
}
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
}
EOF
mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
CREATE DATABASE IF NOT EXISTS bookstack;
GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
FLUSH PRIVILEGES;"
sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
then
>&2 echo 'ERROR: Invalid composer installer checksum'
rm composer-setup.php
exit 1
fi
php composer-setup.php --quiet
rm composer-setup.php
# Move composer to global installation
mv composer.phar /usr/local/bin/composer
cd /var/www
git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack
cd bookstack
# Install BookStack composer dependencies
export COMPOSER_ALLOW_SUPERUSER=1
php /usr/local/bin/composer install --no-dev --no-plugins
# Copy and update BookStack environment variables
cp .env.example .env
sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env
sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env
sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env
sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env
cat << EOF >> .env
QUEUE_CONNECTION=database
STORAGE_TYPE=local_secure
APP_LANG=de_informal
FILE_UPLOAD_SIZE_LIMIT=100
SESSION_SECURE_COOKIE=true
CACHE_DRIVER=redis
SESSION_DRIVER=redis
REDIS_SERVERS=127.0.0.1:6379:0
WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf
ALLOW_UNTRUSTED_SERVER_FETCHING=true
EOF
# Generate the application key
php artisan key:generate --no-interaction --force
# Migrate the databases
php artisan migrate --no-interaction --force
php artisan bookstack:db-utf8mb4 > dbupgrade.sql
mysql -u root < dbupgrade.sql
chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage
cat << EOF > /etc/systemd/system/bookstack-queue.service
[Unit]
Description=BookStack Queue Worker
[Service]
User=www-data
Group=www-data
Restart=always
ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now bookstack-queue php${PHP_VERSION:0:3}-fpm nginx redis-server
systemctl restart php${PHP_VERSION:0:3}-fpm nginx bookstack-queue redis-server
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n"

39
src/checkmk/constants-service.conf
View File

@ -1,39 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="opt"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# checkmk version
CMK_VERSION=2.3.0p6
# build number of the debian package (needs to start with underscore)
CMK_BUILD=_0
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="apache2"

78
src/checkmk/install-service.sh
View File

@ -1,78 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
cd /tmp
wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
cat << EOF > /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
</VirtualHost>
EOF
cat << EOF > /etc/apache2/sites-available/default-ssl.conf
<VirtualHost *:443>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog \${APACHE_LOG_DIR}/error.log
CustomLog \${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
EOF
a2enmod ssl
a2enmod rewrite
a2ensite default-ssl
systemctl restart apache2.service
omd start $CMK_INSTANCE
# install matrix notification plugin
wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py

31
src/cloudpanel/constants-service.conf
View File

@ -1,31 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="home"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

14
src/cloudpanel/install-service.sh
View File

@ -1,14 +0,0 @@
#!/bin/bash
# Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source zamba.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh

11
src/constants.conf
View File

@ -1,11 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on container level
# Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux"

33
src/debian-priv/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=512
# service dependent meta tags
SERVICE_TAGS="privileged"

8
src/debian-priv/install-service.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
echo "'debian-priv' is ready to use!"

33
src/debian-unpriv/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=512
# service dependent meta tags
SERVICE_TAGS=""

8
src/debian-unpriv/install-service.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
echo "'debian-unpriv' is ready to use!"

33
src/docker/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS=""

79
src/docker/install-service.sh
View File

@ -1,79 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
install_portainer_full() {
mkdir -p /opt/portainer/data
cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/portainer:latest
volumes:
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "8000:8000"
- "9443:9443"
command: --admin-password-file=/data/admin_password
EOF
echo -n "$SECRET" > ./data/admin_password
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################"
}
install_portainer_agent() {
mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/agent:latest
volumes:
- /var/lib/docker/volumes:/var/lib/docker/volumes
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "9001:9001"
EOF
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################"
}
case $PORTAINER in
full) install_portainer_full ;;
agent) install_portainer_agent ;;
*) echo -e "\n######################################################################\n\n Enjoy your Docker intallation.\n\n######################################################################" ;;
esac

36
src/ecodms/constants-service.conf
View File

@ -1,36 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# set ecodms release version
ECODMS_RELEASE=ecodms_230164
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=6144
# service dependent meta tags
SERVICE_TAGS="java,postgresql"

21
src/ecodms/install-service.sh
View File

@ -1,21 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver

33
src/freescout/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

133
src/freescout/install-service.sh
View File

@ -1,133 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
webroot=/var/www/html
LXC_RANDOMPWD=20
MYSQL_PASSWORD="$(random_password)"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git
echo cgi.fix_pathinfo=0 >> /etc/php/8.2/fpm/php.ini
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot/freescout/public;
index index.php index.html index.htm;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
client_max_body_size 20M;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ .php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
include fastcgi_params;
}
location ^~ /storage/app/attachment/ {
internal;
alias /var/www/html/storage/app/attachment/;
}
location ~* ^/storage/attachment/ {
expires 1M;
access_log off;
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
expires 2d;
access_log off;
add_header Cache-Control "public, must-revalidate";
}
# The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
add_header Content-disposition "attachment; filename=\$2";
default_type application/octet-stream;
}
location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\\\\]+\..*)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
location ~ /\. {
deny all;
}
}
EOF
rm /var/www/html/*nginx*.html
mkdir -p /etc/nginx/ssl
ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
mysql -uroot -e "CREATE USER 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS freescout;
GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
cd $webroot
tar -vxf freescout.tar.gz
dir=$(ls -d freescout-helpdesk-freescout*)
mv -v $dir freescout
chown -R www-data:www-data /var/www/html
find /var/www/html -type f -exec chmod 664 {} \;
find /var/www/html -type d -exec chmod 775 {} \;
cd $webroot/freescout
APP_KEY=$(sudo -u www-data php artisan key:generate --show)
sudo -u www-data sed -e "s|APP_URL=.*|APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}|" -e "s|DB_DATABASE=|DB_DATABASE=freescout|" -e "s|DB_USERNAME=|DB_USERNAME=freescout|" -e "s|DB_PASSWORD=|DB_PASSWORD=${MYSQL_PASSWORD}|" -e "s|APP_KEY=|APP_KEY=${APP_KEY}|" .env.example > .env
sudo -u www-data php artisan freescout:clear-cache
sudo -u www-data php artisan storage:link
sudo -u www-data php artisan migrate -n --force
FS_PASSWORD=$(random_password)
sudo -u www-data php artisan freescout:create-user -n --role=admin --firstName=$FS_FIRSTNAME --lastName=$FS_LASTNAME --email=$FS_EMAIL --password=$FS_PASSWORD
cat << EOF > /etc/cron.d/freescout
* * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
EOF
systemctl enable --now php8.2-fpm
systemctl restart php8.2-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your freescout installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttps://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\t$FS_EMAIL\nPassword:\t$FS_PASSWORD\n"

31
src/functions.sh
View File

@ -1,31 +0,0 @@
#!/bin/bash
#
# This script has basic functions like a random password generator
LXC_RANDOMPWD=32
random_password() {
set +o pipefail
LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
}
generate_dhparam() {
openssl dhparam -out /etc/nginx/dhparam.pem 2048
cat << EOF > /etc/cron.monthly/generate-dhparams
#!/bin/bash
openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
mv /etc/nginx/dhparam.gen /etc/nginx/dhparam.pem
systemctl restart nginx
EOF
chmod +x /etc/cron.monthly/generate-dhparams
}
apt_repo() {
apt_name=$1
apt_key_url=$2
apt_key_path=/usr/share/keyrings/${apt_name}.gpg
apt_repo_url=$3
wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
}

48
src/gitea/constants-service.conf
View File

@ -1,48 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the IP from the SQL server
GITEA_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
GITEA_DB_PORT="5432"
# Defines the name from the SQL database
GITEA_DB_NAME="gitea"
# Defines the name from the SQL user
GITEA_DB_USR="gitea"
# Build a strong password for the SQL user - could be overwritten with something fixed
GITEA_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql"

188
src/gitea/install-service.sh
View File

@ -1,188 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
EOF
adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
chmod +x /usr/local/bin/gitea
mkdir -p /etc/gitea
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
cat << EOF > /usr/local/bin/update-gitea
PATH="/bin:/usr/bin:/usr/local/bin"
echo "Checking github for new gitea version"
current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4)
installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3))
echo "Installed gitea version is \$installed_version"
if [ \$installed_version != \$current_version ]; then
echo "New gitea version \$current_version available. Stopping gitea.service"
systemctl stop gitea.service
echo "Downloading gitea version \$current_version..."
curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i -
chmod +x /usr/local/bin/gitea
echo "Starting gitea.service..."
systemctl start gitea.service
echo "gitea update finished!"
else
echo "gitea version is up-to-date!"
fi
EOF
chmod +x /usr/local/bin/update-gitea
cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook
DPkg::Post-Invoke {"/usr/local/bin/update-gitea";};
EOF
chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook
cat << EOF > /etc/systemd/system/gitea.service
[Unit]
Description=Gitea
After=syslog.target
After=network.target
After=postgresql.service
[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/gitea/app.ini
RUN_MODE = prod
RUN_USER = git
[repository]
ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
[repository.local]
LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
[database]
DB_TYPE=postgres
HOST=localhost
NAME=${GITEA_DB_NAME}
USER=${GITEA_DB_USR}
PASSWD=${GITEA_DB_PWD}
SSL_MODE=disable
[server]
APP_DATA_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea
DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN}
SSH_DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN}
HTTP_HOST = localhost
HTTP_PORT = 3000
ROOT_URL = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
EOF
chown -R root:git /etc/gitea
chmod 770 /etc/gitea
chmod 770 /etc/gitea/app.ini
if [ -f /etc/nginx/sites-enabled/default ]; then
unlink /etc/nginx/sites-enabled/default
fi
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/gitea.access.log;
error_log /var/log/nginx/gitea.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/gitea.access.log;
error_log /var/log/nginx/gitea.error.log;
client_max_body_size 50M;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:3000;
proxy_read_timeout 90;
}
}
EOF
generate_dhparam
systemctl daemon-reload
systemctl enable --now gitea
systemctl restart nginx

39
src/kimai/constants-service.conf
View File

@ -1,39 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
#KIMAI_VERSION="main"
# Defines the php version to install
KIMAI_PHP_VERSION="8.2"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

172
src/kimai/install-service.sh
View File

@ -1,172 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
KIMAI_DB_PWD=$(random_password)
webroot=/var/www/kimai/public
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
PHP_VERSION=${PHP_VERSION:0:3}
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
client_max_body_size 2M;
fastcgi_buffers 64 4K;
client_body_timeout 120s;
listen 443 http2 ssl default_server;
listen [::]:443 http2 ssl default_server;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot;
index index.php;
ssl_certificate /etc/nginx/ssl/kimai.crt;
ssl_certificate_key /etc/nginx/ssl/kimai.key;
access_log /var/log/nginx/kimai.access.log;
error_log /var/log/nginx/kimai.error.log;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location ~ /\.ht {
deny all;
}
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
}
EOF
mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
CREATE DATABASE IF NOT EXISTS kimai;
GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
FLUSH PRIVILEGES;"
sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini
sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
then
>&2 echo 'ERROR: Invalid composer installer checksum'
rm composer-setup.php
exit 1
fi
php composer-setup.php --quiet
rm composer-setup.php
# Move composer to global installation
mv composer.phar /usr/local/bin/composer
cd /var/www
dl=$(curl -s https://api.github.com/repos/kimai/kimai/releases/latest | grep tarball_url | cut -d'"' -f4)
version=$(echo $dl | rev | cut -d'/' -f1 | rev)
wget -O kimai-${version}.tar.gz ${dl}
tar xfz kimai-${version}.tar.gz
rm kimai-${version}.tar.gz
mv kimai-* kimai
cd kimai
# Install kimai composer dependencies
export COMPOSER_ALLOW_SUPERUSER=1
/usr/local/bin/composer install --optimize-autoloader -n
# Copy and update kimai environment variables
cat << EOF > .env
# For more infos about the variables, see .env.dist
DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.11.3
MAILER_FROM=admin@$LXC_DOMAIN
MAILER_URL=null://null
APP_ENV=prod
APP_SECRET=$(random_password)
CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
EOF
bin/console kimai:install -n
bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
chown -R www-data:www-data .
chmod -R g+r .
chmod -R g+rw var/
systemctl daemon-reload
systemctl enable --now php${PHP_VERSION}-fpm nginx
systemctl restart php${PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"

53
src/kopano-core/constants-service.conf
View File

@ -1,53 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
KOPANO_VERSION="latest"
# Defines the php version to install
KOPANO_PHP_VERSION="7.4"
# Defines Maria DB Version
MARIA_DB_VERS="10.5"
# Defines the name from the SQL database
MARIA_DB_NAME="kopano"
# Defines the name from the SQL user
MARIA_DB_USER="kopano"
# Build a strong password for the SQL user - could be overwritten with something fixed
MARIA_ROOT_PWD=$(random_password)
MARIA_USER_PWD=$(random_password)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

276
src/kopano-core/install-service.sh
View File

@ -1,276 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
#timedatectl set-timezone Europe/Berlin
#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### Secure Maria Instance ####
mysqladmin -u root password "[$MARIA_ROOT_PWD]"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
#### Create user and DB for Kopano ####
mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
echo "root-password: $MARIA_ROOT_PWD,\
db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
cat > /etc/apt/sources.list.d/kopano.list << EOF
# Kopano Core
deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
# Kopano WebApp
deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
# Kopano MobileDeviceManagement
deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
# Kopano Files
deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
# Z-Push
deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
EOF
cat > /etc/apt/auth.conf.d/kopano.conf << EOF
machine download.kopano.io
login serial
password $KOPANO_REPKEY
EOF
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
apt update && apt full-upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files
#### Adjust kopano settings ####
cat > /etc/kopano/ldap.cfg << EOF
!include /usr/share/kopano/ldap.active-directory.cfg
ldap_uri = ldap://192.168.100.100:389
ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
ldap_bind_passwd = Start123!
ldap_search_base = dc=zmb,dc=rocks
#ldap_user_search_filter = (kopanoAccount=1)
EOF
cat > /etc/kopano/server.cfg << EOF
server_listen = *:236
local_admin_users = root kopano
#database_engine = mysql
#mysql_host = localhost
#mysql_port = 3306
mysql_user = $MARIA_DB_USER
mysql_password = $MARIA_USER_PWD
mysql_database = $MARIA_DB_NAME
#user_plugin = ldap
#user_plugin_config = /etc/kopano/ldap.cfg
EOF
#### Adjust php settings ####
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
[webapp]
listen = 127.0.0.1:9002
user = www-data
group = www-data
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 150
pm.start_servers = 35
pm.min_spare_servers = 20
pm.max_spare_servers = 50
pm.max_requests = 200
listen.backlog = -1
request_terminate_timeout = 120s
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes
EOF
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
#### Adjust nginx settings ####
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
generate_dhparam
#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/sites-available/webapp.conf << EOF
upstream php-handler {
#server 127.0.0.1:9002;
#server unix:/var/run/php5-fpm.sock;
server unix:/var/run/php/php7.4-fpm.sock;
}
server{
listen 80;
charset utf-8;
listen [::]:80;
server_name _;
location / {
rewrite ^(.*) https://\$server_name\$1 permanent;
}
}
server {
charset utf-8;
listen 443;
listen [::]:443 ssl;
server_name _;
ssl on;
client_max_body_size 1024m;
ssl_certificate /etc/ssl/certs/kopano.crt;
ssl_certificate_key /etc/ssl/private/kopano.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
#
# ssl_dhparam require you to create a dhparam.pem, this takes a long time
ssl_dhparam /etc/nginx/dhparam.pem;
#
# add headers
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location /webapp {
alias /usr/share/kopano-webapp/;
index index.php;
location ~ /webapp/presence/ {
rewrite ^/webapp/presence(/.*)$ \$1 break;
proxy_pass http://localhost:1234;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
location ~* ^/webapp/(.+\.php)$ {
alias /usr/share/kopano-webapp/;
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
fastcgi_param PHP_VALUE "
register_globals=off
magic_quotes_gpc=off
magic_quotes_runtime=off
post_max_size=31M
upload_max_filesize=30M
";
fastcgi_param PHP_VALUE "post_max_size=31M
upload_max_filesize=30M
max_execution_time=3660
";
include fastcgi_params;
fastcgi_index index.php;
#fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME \$document_root\$1;
fastcgi_pass php-handler;
access_log /var/log/nginx/kopano-webapp-access.log;
error_log /var/log/nginx/kopano-webapp-error.log;
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
# All (static) resources set to 2 months expiration time.
location ~* \.(?:jpg|gif|png)\$ {
expires 2M;
access_log off;
add_header Cache-Control "public";
}
# enable gzip compression
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css application/json;
gzip_vary on;
}
}
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
EOF
ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
phpenmod kopano
systemctl restart php7.4-fpm nginx

81
src/lxc-base.sh
View File

@ -1,81 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# load configuration
echo "Loading configuration..."
source /root/functions.sh
source /root/zamba.conf
source /root/constants.conf
source /root/constants-service.conf
echo "Updating locales"
# update locales
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
# Generate sources
if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main contrib
deb http://deb.debian.org/debian/ buster-updates main contrib
# security updates
deb http://security.debian.org/debian-security buster/updates main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bullseye main contrib
deb http://deb.debian.org/debian/ bullseye-updates main contrib
# security updates
deb http://security.debian.org/debian-security bullseye-security main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main contrib
deb http://deb.debian.org/debian/ bookworm-updates main contrib
# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib
EOF
else echo "LXC Debian Version false. Please check configuration files!" ; exit
fi
# update package lists
echo "Updating package database..."
apt --allow-releaseinfo-change update
# install latest packages
echo "Installing latest updates"
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install toolset
echo "Installing preconfigured toolset..."
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET_BASE $LXC_TOOLSET
echo "Enabling vim syntax highlighting..."
sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
if [ $LXC_VIM_BG_DARK -gt 0 ]; then
sed -i "s|\"set background=dark|set background=dark|g" /etc/vim/vimrc
fi
echo "Basic container setup finished, continuing with service installation..."

33
src/mailcow/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="1"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=8192
# service dependent meta tags
SERVICE_TAGS="docker"

438
src/mailcow/install-service.sh
View File

@ -1,438 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
install_portainer_full() {
mkdir -p /opt/portainer/data
cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/portainer:latest
volumes:
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "8000:8000"
- "9443:9443"
command: --admin-password-file=/data/admin_password
EOF
echo -n "$SECRET" > ./data/admin_password
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n You can access Portainer with your browser at https://${myip}:9443\n\n Please note the following admin password to access the portainer:\n '$SECRET'\n Enjoy your Docker intallation.\n\n######################################################################"
}
install_portainer_agent() {
mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
image: portainer/agent:latest
volumes:
- /var/lib/docker/volumes:/var/lib/docker/volumes
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "9001:9001"
EOF
docker compose pull
docker compose up -d
echo -e "\n######################################################################\n\n Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n Enjoy your Docker intallation.\n\n######################################################################"
}
cd /opt
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
cat << EOF > mailcow.conf
# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
# Password hash algorithm
# Only certain password hash algorithm are supported. For a fully list of supported schemes,
# see https://docs.mailcow.email/models/model-passwd/
MAILCOW_PASS_SCHEME=BLF-CRYPT
# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=mailcow
DBUSER=mailcow
# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
# ------------------------------
# HTTP/S Bindings
# ------------------------------
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081 or 65510!
# Example: HTTP_BIND=1.2.3.4
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
HTTP_PORT=80
HTTP_BIND=
HTTPS_PORT=443
HTTPS_BIND=
# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
SMTP_PORT=25
SMTPS_PORT=465
SUBMISSION_PORT=587
IMAP_PORT=143
IMAPS_PORT=993
POP_PORT=110
POPS_PORT=995
SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654
# Your timezone
# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
TZ=${LXC_TIMEZONE}
# Fixed project name
# Please use lowercase letters only
COMPOSE_PROJECT_NAME=mailcowdockerized
# Used Docker Compose version
# Switch here between native (compose plugin) and standalone
# For more informations take a look at the mailcow docs regarding the configuration options.
# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
DOCKER_COMPOSE_VERSION=native
# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to "All authenticated users"
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow
# Garbage collector cleanup
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
# Check interval is hourly
MAILDIR_GC_TIME=7200
# Additional SAN for the certificate
#
# You can use wildcard records to create specific names for every domain you add to mailcow.
# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
#ADDITIONAL_SAN=imap.*,smtp.*
# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
# plus every domain you add in the future.
#
# You can also just add static names...
#ADDITIONAL_SAN=srv1.example.net
# ...or combine wildcard and static names:
#ADDITIONAL_SAN=imap.*,srv1.example.com
#
ADDITIONAL_SAN=
# Additional server names for mailcow UI
#
# Specify alternative addresses for the mailcow UI to respond to
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
# You can understand this as server_name directive in Nginx.
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
ADDITIONAL_SERVER_NAMES=
# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
SKIP_LETS_ENCRYPT=y
# Create seperate certificates for all domains - y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://doc.dovecot.org/admin_manual/ssl/sni_support
ENABLE_SSL_SNI=n
# Skip IPv4 check in ACME container - y/n
SKIP_IP_CHECK=n
# Skip HTTP verification in ACME container - y/n
SKIP_HTTP_VERIFICATION=n
# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
SKIP_CLAMD=n
# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
SKIP_SOGO=n
# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
SKIP_SOLR=n
# Solr heap size in MB, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
SOLR_HEAP=1024
# Allow admins to log into SOGo as email user (without any password)
ALLOW_ADMIN_EMAIL_LOGIN=n
# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
USE_WATCHDOG=y
# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
# CAUTION:
# 1. You should use external recipients
# 2. Mails are sent unsigned (no DKIM)
# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
# Multiple rcpts allowed, NO quotation marks, NO spaces
#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
#WATCHDOG_NOTIFY_EMAIL=
# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
# You can use this to send notifications to services like Discord, Slack and others.
#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# JSON body included in the webhook POST request. Needs to be in single quotes.
# Following variables are available: SUBJECT, BODY
#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n
# Send a notification when the watchdog is started.
WATCHDOG_NOTIFY_START=y
# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
#WATCHDOG_SUBJECT=
# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
# https://www.servercow.de/mailcow?lang=en
# https://www.servercow.de/mailcow?lang=de
# No data is collected. Opt-in and anonymous.
# Will only work with unmodified mailcow setups.
WATCHDOG_EXTERNAL_CHECKS=n
# Enable watchdog verbose logging
WATCHDOG_VERBOSE=n
# Max log lines per service to keep in Redis logs
LOG_LINES=9999
# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
IPV4_NETWORK=172.22.1
# Internal IPv6 subnet in fc00::/7
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
# Use this IPv4 for outgoing connections (SNAT)
#SNAT_TO_SOURCE=
# Use this IPv6 for outgoing connections (SNAT)
#SNAT6_TO_SOURCE=
# Create or override an API key for the web UI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
# An API key defined as API_KEY has read-write access
# An API key defined as API_KEY_READ_ONLY has read-only access
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
# You can define API_KEY and/or API_KEY_READ_ONLY
#API_KEY=
#API_KEY_READ_ONLY=
#API_ALLOW_FROM=172.22.1.1,127.0.0.1
# mail_home is ~/Maildir
MAILDIR_SUB=Maildir
# SOGo session timeout in minutes
SOGO_EXPIRE_SESSION=480
# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
# Empty by default to auto-generate master user and password on start.
# User expands to DOVECOT_MASTER_USER@mailcow.local
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_USER=
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_PASS=
# Let's Encrypt registration contact information
# Optional: Leave empty for none
# This value is only used on first order!
# Setting it at a later point will require the following steps:
# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
ACME_CONTACT=
# WebAuthn device manufacturer verification
# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
WEBAUTHN_ONLY_TRUSTED_VENDORS=n
# Spamhaus Data Query Service Key
# Optional: Leave empty for none
# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.
# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
# Otherwise it will work normally.
SPAMHAUS_DQS_KEY=
EOF
cat << EOF > data/conf/nginx/redirect.conf
server {
root /web;
listen 80 default_server;
listen [::]:80 default_server;
include /etc/nginx/conf.d/server_name.active;
if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
location / {
return 301 https://\$host\$uri\$is_args\$args;
}
}
EOF
cat << EOF > /etc/cron.daily/mailcowbackup
#!/bin/sh
# Backup mailcow data
# https://docs.mailcow.email/backup_restore/b_n_r-backup/
set -e
OUT="\$(mktemp)"
export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
PARAMETERS="backup all"
OPTIONS="--delete-days 7"
mkdir -p \$MAILCOW_BACKUP_LOCATION
# run command
set +e
"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
RESULT=\$?
if [ \$RESULT -ne 0 ]
then
echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
echo "RESULT=\$RESULT"
echo "STDOUT / STDERR:"
cat "\$OUT"
fi
EOF
chmod +x /etc/cron.daily/mailcowbackup
cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
#!/bin/bash
if ! which check_mk_agent ; then
cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
status=\$?
if [ \$status -eq 3 ]; then
state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
elif [ \$status -eq 0 ]; then
state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
else
state="3 \"mailcow_update\" - Unknown output from update script ..."
fi
echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
fi
exit
EOF
chmod +x /etc/cron.daily/checkmk-mailcow-update-check
chmod 600 mailcow.conf
mkdir -p data/assets/ssl
openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
openssl dhparam -out data/assets/ssl/dhparams.pem 2048
cat << EOF > /etc/cron.monthly/generate-dhparams
#!/bin/bash
openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
systemctl restart nginx
EOF
chmod +x /etc/cron.monthly/generate-dhparams
docker compose pull
docker compose up -d
case $PORTAINER in
full) install_portainer_full ;;
agent) install_portainer_agent ;;
*) echo -e "\n######################################################################\n\n Enjoy your Docker intallation.\n\n######################################################################" ;;
esac

33
src/matrix/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,element-web"

54
src/nextcloud/constants-service.conf
View File

@ -1,54 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
NEXTCLOUD_VERSION="latest"
# Defines the php version to install
NEXTCLOUD_PHP_VERSION="8.2"
# Defines the IP from the SQL server
NEXTCLOUD_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
NEXTCLOUD_DB_PORT="5432"
# Defines the name from the SQL database
NEXTCLOUD_DB_NAME="nextcloud_db"
# Defines the name from the SQL user
NEXTCLOUD_DB_USR="nextcloud"
# Build a strong password for the SQL user - could be overwritten with something fixed
NEXTCLOUD_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"

461
src/nextcloud/install-service.sh
View File

@ -1,461 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
NEXTCLOUD_ADMIN_PWD=$(random_password)
source /root/zamba.conf
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
timedatectl set-timezone $LXC_TIMEZONE
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### Create database for nextcloud ####
su - postgres <<EOF
psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
EOF
#### Adjust php settings ####
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
#### Adjust nginx settings ####
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
generate_dhparam
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/nginx.conf <<EOF
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on; use epoll;
}
http {
server_names_hash_bucket_size 64;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
set_real_ip_from 127.0.0.1;
#optional, Sie können das eigene Subnetz ergänzen, bspw.:
# set_real_ip_from $LXC_IP;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
types {
text/javascript mjs;
}
default_type application/octet-stream;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 127.0.0.53 valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
}
EOF
[ -f /etc/nginx/conf.d/default.conf ] && mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
touch /etc/nginx/conf.d/default.conf
cat > /etc/nginx/conf.d/http.conf << EOF
upstream php-handler {
server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
}
map \$arg_v \$asset_immutable {
"" "";
default "immutable";
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name $NEXTCLOUD_FQDN;
root /var/www;
location / {
return 301 https://\$host\$request_uri;
}
}
EOF
cat > /etc/nginx/conf.d/nextcloud.conf << EOF
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $NEXTCLOUD_FQDN;
ssl_certificate /etc/ssl/certs/nextcloud.crt;
ssl_certificate_key /etc/ssl/private/nextcloud.key;
ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve X448:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 5120M;
client_body_timeout 300s;
client_body_buffer_size 512k;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
root /var/www/nextcloud;
index index.php index.html /index.php\$request_uri;
expires 1m;
location = / {
if ( \$http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/\$is_args\$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location ^~ /.well-known { return 301 /index.php/\$uri; }
try_files \$uri \$uri/ =404;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:\$|/) {
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
set \$path_info \$fastcgi_path_info;
try_files \$fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_param PATH_INFO \$path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
try_files \$uri /index.php\$request_uri;
expires 6M;
access_log off;
location ~ \.wasm$ {
default_type application/wasm;
}
}
location ~ \.woff2?\$ {
try_files \$uri /index.php\$request_uri;
expires 7d;
access_log off;
}
location / {
try_files \$uri \$uri/ /index.php\$request_uri;
}
location /push/ {
proxy_pass http://localhost:7867/;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
}
EOF
systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
#### Adjust redis settings ####
cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
usermod -aG redis www-data
#### Adjust sysctl.conf settings ####
cp /etc/sysctl.conf /etc/sysctl.conf.bak
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
systemctl restart redis
#### HIER MÜSSTE EIN REBOOT REIN ####
#### Install nextcloud ####
cd /usr/local/src
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
cat > /root/permissions.sh << EOF
#!/bin/bash
find /var/www/ -type f -print0 | xargs -0 chmod 0640
find /var/www/ -type d -print0 | xargs -0 chmod 0750
chown -R www-data:www-data /var/www
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
chmod 0644 /var/www/nextcloud/.htaccess
chmod 0644 /var/www/nextcloud/.user.ini
exit 0
EOF
chmod +x /root/permissions.sh
/root/permissions.sh
#### install fail2ban ####
cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
EOF
cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 3600
findtime = 36000
logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log
EOF
systemctl restart fail2ban
#### Create configuration script for nextcloud, which will be executet as user www-data
cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
#!/bin/bash
php /var/www/nextcloud/occ maintenance:install --database pgsql \
--database-host $NEXTCLOUD_DB_IP \
--database-port $NEXTCLOUD_DB_PORT \
--database-name $NEXTCLOUD_DB_NAME \
--database-user $NEXTCLOUD_DB_USR \
--database-pass $NEXTCLOUD_DB_PWD \
--admin-user $NEXTCLOUD_ADMIN_USR \
--admin-pass $NEXTCLOUD_ADMIN_PWD \
--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
sed -i '/);/d' /var/www/nextcloud/config/config.php
cat >> /var/www/nextcloud/config/config.php << EOF
'activity_expire_days' => 14,
'auth.bruteforce.protection.enabled' => true,
'blacklisted_files' =>
array (
0 => '.htaccess',
1 => 'Thumbs.db',
2 => 'thumbs.db',
),
'cron_log' => true,
'default_phone_region' => 'DE',
'enable_previews' => true,
'enabledPreviewProviders' =>
array (
0 => 'OC\Preview\PNG',
1 => 'OC\Preview\JPEG',
2 => 'OC\Preview\GIF',
3 => 'OC\Preview\BMP',
4 => 'OC\Preview\XBitmap',
5 => 'OC\Preview\Movie',
6 => 'OC\Preview\PDF',
7 => 'OC\Preview\MP3',
8 => 'OC\Preview\TXT',
9 => 'OC\Preview\MarkDown',
),
'filesystem_check_changes' => 0,
'filelocking.enabled' => 'true',
'htaccess.RewriteBase' => '/',
'integrity.check.disabled' => false,
'knowledgebaseenabled' => false,
'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
'loglevel' => 2,
'logtimezone' => '$LXC_TIMEZONE',
'log_rotate_size' => 104857600,
'maintenance' => false,
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'overwriteprotocol' => 'https',
'preview_max_x' => 1024,
'preview_max_y' => 768,
'preview_max_scale_factor' => 1,
'redis' =>
array (
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.0,
),
'quota_include_external_storage' => false,
'share_folder' => '/Freigaben',
'skeletondirectory' => '',
'theme' => '',
'trashbin_retention_obligation' => 'auto, 7',
'updater.release.channel' => 'stable',
'trusted_proxies' =>
array (
'$NEXTCLOUD_REVPROX',
'127.0.0.1',
'::1',
),
);
EOF
sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
php /var/www/nextcloud/occ app:disable survey_client
php /var/www/nextcloud/occ app:disable firstrunwizard
php /var/www/nextcloud/occ app:enable admin_audit
php /var/www/nextcloud/occ app:enable notify_push
php /var/www/nextcloud/occ app:enable files_pdfviewer
php /var/www/nextcloud/occ background:cron
DFOE
/root/permissions.sh
su -s /bin/bash www-data <<EOF
bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
EOF
#### Create file for high performance backend
cat > /etc/systemd/system/notify_push.service << EOF
[Unit]
Description = Push daemon for Nextcloud clients
[Service]
Environment=PORT=7867
Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
Environment=ALLOW_SELF_SIGNED=true
ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
User=www-data
[Install]
WantedBy = multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now notify_push
echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################"
shutdown -r now

33
src/omada/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="mongodb-server,java"

23
src/omada/install-service.sh
View File

@ -1,23 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac

39
src/onlyoffice/constants-service.conf
View File

@ -1,39 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
ONLYOFFICE_DB_HOST=localhost
ONLYOFFICE_DB_NAME=onlyoffice
ONLYOFFICE_DB_USER=onlyoffice
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,rabbitmq"

25
src/onlyoffice/fix-update.sh
View File

@ -1,25 +0,0 @@
#!/bin/bash
cat > /usr/local/bin/ods-apt-pre-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds-ssl.conf
systemctl stop nginx.service
DFOE
chmod +x /usr/local/bin/ods-apt-pre-hook
cat > /usr/local/bin/ods-apt-post-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
systemctl restart nginx
DFOE
chmod +x /usr/local/bin/ods-apt-post-hook
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
EOF
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
EOF

82
src/onlyoffice/install-service.sh
View File

@ -1,82 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ONLYOFFICE_DB_PASS=$(random_password)
curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null
echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
cat > /etc/apt/preferences.d/onlyoffice << EOF
Package: onlyoffice-documentserver
Pin: version 7.1.1-23
Pin-Priority: 900
EOF
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
su postgres <<EOF
psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
psql -c "CREATE DATABASE $ONLYOFFICE_DB_NAME ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $ONLYOFFICE_DB_USER;"
echo "Postgres User '$ONLYOFFICE_DB_USER' and database '$ONLYOFFICE_DB_NAME' created."
EOF
echo onlyoffice-documentserver onlyoffice/ds-port select 80 | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-host string $ONLYOFFICE_DB_HOST | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver
cat << EOF > /root/onlyoffice.credentials
ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
ONLYOFFICE_DB_NAME=$ONLYOFFICE_DB_NAME
ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
EOF
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
rm /etc/nginx/conf.d/ds.conf
cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
cat > /usr/local/bin/ods-apt-pre-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds-ssl.conf
systemctl stop nginx.service
DFOE
chmod +x /usr/local/bin/ods-apt-pre-hook
cat > /usr/local/bin/ods-apt-post-hook << DFOE
#!/bin/bash
rm /etc/nginx/conf.d/ds.conf
ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
systemctl restart nginx
DFOE
chmod +x /usr/local/bin/ods-apt-post-hook
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
EOF
cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
EOF
systemctl restart nginx

33
src/open3a/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

84
src/open3a/install-service.sh
View File

@ -1,84 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
webroot=/var/www/html
LXC_RANDOMPWD=20
MYSQL_PASSWORD="$(random_password)"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root $webroot;
index index.php;
ssl on;
ssl_certificate /etc/nginx/ssl/open3a.crt;
ssl_certificate_key /etc/nginx/ssl/open3a.key;
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
}
EOF
mysql -uroot -e "CREATE USER 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
GRANT USAGE ON * . * TO 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS open3a;
GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
cd $webroot
wget https://www.open3a.de/download/open3A%204.0.zip -O $webroot/open3a.zip
unzip open3a.zip
rm open3a.zip
chmod 666 system/DBData/Installation.pfdb.php
chmod -R 777 specifics/
chmod -R 777 system/Backup
chown -R www-data:www-data $webroot
echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
chmod +x /etc/cron.daily/open3a-backup
cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
<?php echo "This is a database-file."; /*
host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
varchar(40)&%%%&varchar(20)&%%%&varchar(20)&%%%&varchar(30)&%%%&varchar(40)
localhost &%%%&open3a &%%%&$MYSQL_PASSWORD&%%%&open3a &%%%&* %%&&&
*/ ?>
EOF
systemctl enable --now php8.2-fpm
systemctl restart php8.2-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"

31
src/piler/constants-service.conf
View File

@ -1,31 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/piler"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb,manticore"

23
src/piler/install-service.sh
View File

@ -1,23 +0,0 @@
#!/bin/bash
# Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
source zamba.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
echo -e "Installation of piler finished."
echo -e "\nFor administration please visit the following Website:"
echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/"
echo -e "\nLogin with following credentials:"
echo -e "\tUser: admin@local"
echo -e "\tPass: pilerrocks"
echo -e "\n\nPlease have a look the the GOBD notes (in German):"
echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/gobd"

36
src/proxmox-pbs/constants-service.conf
View File

@ -1,36 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="128K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Backup ubdir where Urbackup will store backups
PBS_DATA="backup"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="backup"

25
src/proxmox-pbs/install-service.sh
View File

@ -1,25 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list
# PBS pbs-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
EOF
wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
apt update && apt upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
systemctl disable --now zfs-mount.service zfs-share.service

49
src/rei3/constants-service.conf
View File

@ -1,49 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the IP from the SQL server
REI3_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
REI3_DB_PORT="5432"
# Defines the name from the SQL database
REI3_DB_NAME="app"
# Defines the name from the SQL user
REI3_DB_USR="rei3"
# Build a strong password for the SQL user - could be overwritten with something fixed
REI3_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="postgresql"

42
src/rei3/install-service.sh
View File

@ -1,42 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
mkdir /opt/rei3
wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg
echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
timedatectl set-timezone ${LXC_TIMEZONE}
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER ${REI3_DB_USR} WITH PASSWORD '${REI3_DB_PWD}';"
psql -c "CREATE DATABASE ${REI3_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${REI3_DB_USR};"
psql -c "GRANT ALL PRIVILEGES ON DATABASE ${REI3_DB_NAME} TO ${REI3_DB_USR};"
echo "Postgres User ${REI3_DB_USR} and database ${REI3_DB_NAME} created."
EOF
cp /opt/rei3/config_template.json /opt/rei3/config.json
chmod u+x /opt/rei3/r3
sed -i 's/"user": "app",/"user": "'${REI3_DB_USR}'",/g' /opt/rei3/config.json
sed -i 's/"pass": "app",/"pass": "'${REI3_DB_PWD}'",/g' /opt/rei3/config.json
/opt/rei3/r3 -install
#/opt/rei/r3 -newadmin
systemctl start rei3

33
src/unifi/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="mongodb-server,java"

22
src/unifi/install-service.sh
View File

@ -1,22 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi

39
src/urbackup/constants-service.conf
View File

@ -1,39 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="128K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Backup ubdir where Urbackup will store backups
URBACKUP_DATA="urbackup"
# OS codename for opensuse / urbackup repo
REPO_CODENAME="Debian_12"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx"

64
src/urbackup/install-service.sh
View File

@ -1,64 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
mkdir -p /etc/urbackup
echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
ln -s /usr/share/urbackup/www /var/www/urbackup
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
root /var/www/urbackup;
index index.htm;
ssl on;
ssl_certificate /etc/nginx/ssl/urbackup.crt;
ssl_certificate_key /etc/nginx/ssl/urbackup.key;
location /x {
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:55413;
}
}
EOF
sed -i "s/DAEMON_TMPDIR=\"\/tmp\"/DAEMON_TMPDIR=\"\/$LXC_SHAREFS_MOUNTPOINT\/tmp\"/g" /etc/default/urbackupsrv
sed -i "s/HTTP_SERVER=\"true\"/HTTP_SERVER=\"false\"/g" /etc/default/urbackupsrv
chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/tmp
chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
systemctl restart urbackupsrv nginx

42
src/vaultwarden/constants-service.conf
View File

@ -1,42 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the name from the SQL database
VAULTWARDEN_DB_NAME="vaultwarden"
# Defines the name from the SQL user
VAULTWARDEN_DB_USR="vaultwarden"
# Build a strong password for the SQL user - could be overwritten with something fixed
VAULTWARDEN_DB_PWD="$(random_password)"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql"

163
src/vaultwarden/install-service.sh
View File

@ -1,163 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
admin_token=$(openssl rand -base64 48)
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
systemctl enable --now postgresql
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
./docker-image-extract vaultwarden/server:alpine
mkdir -p /opt/vaultwarden
mkdir -p /var/lib/vaultwarden/data
useradd vaultwarden
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
mv output/vaultwarden /opt/vaultwarden
mv output/web-vault /var/lib/vaultwarden/
rm -Rf output
rm -Rf docker-image-extract
su - postgres <<EOF
psql -c "CREATE USER ${VAULTWARDEN_DB_USR} WITH PASSWORD '${VAULTWARDEN_DB_PWD}';"
psql -c "CREATE DATABASE ${VAULTWARDEN_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${VAULTWARDEN_DB_USR};"
echo "Postgres User ${VAULTWARDEN_DB_USR} and database ${VAULTWARDEN_DB_NAME} created."
EOF
cat << EOF > /var/lib/vaultwarden/.env
DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden
DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN}
ORG_CREATION_USERS=admin@$LXC_DOMAIN
# Use `openssl rand -base64 48` to generate
ADMIN_TOKEN=$admin_token
# Uncomment this once vaults restored
SIGNUPS_ALLOWED=$VW_SIGNUPS_ALLOWED
SMTP_HOST=$VW_SMTP_HOST
SMTP_FROM=$VW_SMTP_FROM
SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
SMTP_PORT=$VW_SMTP_PORT # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
SMTP_SSL=$VW_SMTP_SSL # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
SMTP_USERNAME=$VW_SMTP_USERNAME
SMTP_PASSWORD=$VW_SMTP_PASSWORD
SMTP_TIMEOUT=15
EOF
cat << EOF > /etc/systemd/system/vaultwarden.service
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=/var/lib/vaultwarden/.env
ExecStart=/opt/vaultwarden/vaultwarden
LimitNOFILE=1048576
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};
EOF
cat << EOF > /var/lib/vaultwarden/update.sh
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
./docker-image-extract vaultwarden/server:alpine
mv output/vaultwarden /opt/vaultwarden
systemctl stop vaultwarden.service
cp -rlf output/web-vault /var/lib/vaultwarden/
rm -Rf output
rm -Rf docker-image-extract
systemctl start vaultwarden.service
EOF
chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
chmod +x /var/lib/vaultwarden/update.sh
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
server_name _;
server_tokens off;
access_log /var/log/nginx/vaultwarden.access.log;
error_log /var/log/nginx/vaultwarden.error.log;
location /.well-known/ {
root /var/www/html;
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/vaultwarden.access.log;
error_log /var/log/nginx/vaultwarden.error.log;
client_max_body_size 50M;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
proxy_read_timeout 90;
}
}
EOF
generate_dhparam
unlink /etc/nginx/sites-enabled/default
systemctl daemon-reload
systemctl enable --now vaultwarden
systemctl restart nginx

52
src/zabbix-proxy/constants-service.conf
View File

@ -1,52 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="data"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the IP from the SQL server
ZABBIX_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
ZABBIX_DB_PORT="5432"
# Defines the name from the SQL database
ZABBIX_DB_NAME="zabbix_proxy"
# Defines the name from the SQL user
ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
ZABBIX_VERSION=7.0 #zabbix 7 beta
POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"

67
src/zabbix-proxy/install-service.sh
View File

@ -1,67 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
timedatectl set-timezone ${LXC_TIMEZONE}
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
srv=$(grep -E "^Server" /etc/zabbix/zabbix_proxy.conf)
sed -i "s/$srv/Server=${ZBX_ADDR}/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# ListenPort=/ListenPort=/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/Hostname=Zabbix proxy/Hostname=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
mkdir -p /var/lib/zabbix
chown -R zabbix:zabbix /var/lib/zabbix/
chmod 700 /var/lib/zabbix/
psk=$(openssl rand -hex 32)
echo "$psk" > /var/lib/zabbix/proxy.psk
chown zabbix:zabbix /var/lib/zabbix/proxy.psk
chmod 600 /var/lib/zabbix/proxy.psk
sed -i "s/# TLSConnect=unencrypted/TLSConnect=psk/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
systemctl enable zabbix-proxy zabbix-agent2
systemctl restart zabbix-proxy zabbix-agent2
echo -e "Installation of zabbix-proxy finished."
echo -e "\nPlease register the Proxy on yout zabbix server with following data:"
echo -e "Proxy name:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
echo -e "Proxy mode: Active"
echo -e "Proxy address:\t$(ip a s dev eth0 | grep -m1 inet | cut -d ' ' -f6 | cut -d'/' -f1)"
echo -e "Encryption:\tPSK"
echo -e "PSK identity:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
echo -e "PSK:\t\t${psk}"

54
src/zabbix/constants-service.conf
View File

@ -1,54 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="data"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the IP from the SQL server
ZABBIX_DB_IP="127.0.0.1"
# Defines the PORT from the SQL server
ZABBIX_DB_PORT="5432"
# Defines the name from the SQL database
ZABBIX_DB_NAME="zabbix"
# Defines the name from the SQL user
ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
ZABBIX_VERSION=7.0 #zabbix 7 beta
POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13)
PHP_VERSION=8.2 # debian 12 default
TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"

236
src/zabbix/install-service.sh
View File

@ -1,236 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
unlink /etc/nginx/sites-enabled/default
cat << EOF > /etc/zabbix/nginx.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
server_tokens off;
access_log /var/log/nginx/zabbix.access.log;
error_log /var/log/nginx/zabbix.error.log;
location /.well-known/ {
}
return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
server_tokens off;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 180m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
add_header Strict-Transport-Security "max-age=31536000" always;
root /usr/share/zabbix;
index index.php;
location = /favicon.ico {
log_not_found off;
}
location / {
try_files \$uri \$uri/ =404;
}
location /assets {
access_log off;
expires 10d;
}
location ~ /\.ht {
deny all;
}
location ~ /(api\/|conf[^\.]|include|locale) {
deny all;
return 404;
}
location /vendor {
deny all;
return 404;
}
location ~ [^/]\.php(/|$) {
fastcgi_pass unix:/var/run/php/zabbix.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
fastcgi_param SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING \$query_string;
fastcgi_param REQUEST_METHOD \$request_method;
fastcgi_param CONTENT_TYPE \$content_type;
fastcgi_param CONTENT_LENGTH \$content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}
EOF
cat << EOF > /etc/php/$PHP_VERSION/fpm/pool.d/zabbix-php-fpm.conf
[zabbix]
user = www-data
group = www-data
listen = /var/run/php/zabbix.sock
listen.owner = www-data
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 200
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/sessions/
php_value[max_execution_time] = 300
php_value[memory_limit] = 128M
php_value[post_max_size] = 16M
php_value[upload_max_filesize] = 2M
php_value[max_input_time] = 300
php_value[max_input_vars] = 10000
EOF
cat << EOF > /etc/zabbix/web/zabbix.conf.php
<?php
// Zabbix GUI configuration file.
\$DB['TYPE'] = 'POSTGRESQL';
\$DB['SERVER'] = 'localhost';
\$DB['PORT'] = '0';
\$DB['DATABASE'] = '${ZABBIX_DB_NAME}';
\$DB['USER'] = '${ZABBIX_DB_USR}';
\$DB['PASSWORD'] = '${ZABBIX_DB_PWD}';
// Schema name. Used for PostgreSQL.
\$DB['SCHEMA'] = '';
// Used for TLS connection.
\$DB['ENCRYPTION'] = true;
\$DB['KEY_FILE'] = '';
\$DB['CERT_FILE'] = '';
\$DB['CA_FILE'] = '';
\$DB['VERIFY_HOST'] = false;
\$DB['CIPHER_LIST'] = '';
// Vault configuration. Used if database credentials are stored in Vault secrets manager.
\$DB['VAULT_URL'] = '';
\$DB['VAULT_DB_PATH'] = '';
\$DB['VAULT_TOKEN'] = '';
// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
// This option is enabled by default for new Zabbix installations.
// For upgraded installations, please read database upgrade notes before enabling this option.
\$DB['DOUBLE_IEEE754'] = true;
// Uncomment and set to desired values to override Zabbix hostname/IP and port.
// \$ZBX_SERVER = '';
// \$ZBX_SERVER_PORT = '';
\$ZBX_SERVER_NAME = '${LXC_HOSTNAME}';
\$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;
// Uncomment this block only if you are using Elasticsearch.
// Elasticsearch url (can be string if same url is used for all types).
//\$HISTORY['url'] = [
// 'uint' => 'http://localhost:9200',
// 'text' => 'http://localhost:9200'
//];
// Value types stored in Elasticsearch.
//\$HISTORY['types'] = ['uint', 'text'];
// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
//\$SSO['SP_KEY'] = 'conf/certs/sp.key';
//\$SSO['SP_CERT'] = 'conf/certs/sp.crt';
//\$SSO['IDP_CERT'] = 'conf/certs/idp.crt';
//\$SSO['SETTINGS'] = [];
EOF
timedatectl set-timezone ${LXC_TIMEZONE}
systemctl enable --now postgresql
su - postgres <<EOF
psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
systemctl restart postgresql
echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
generate_dhparam
systemctl enable nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2
systemctl restart nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 > /dev/null 2>&1

33
src/zammad/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="nginx,postgresql,elasticsearch"

63
src/zammad/install-service.sh
View File

@ -1,63 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
curl -fsSL https://dl.packager.io/srv/zammad/zammad/key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/pkgr-zammad.gpg > /dev/null
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor | tee /etc/apt/trusted.gpg.d/elasticsearch.gpg> /dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main"| tee -a /etc/apt/sources.list.d/elastic-7.x.list > /dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/pkgr-zammad.gpg] https://dl.packager.io/srv/deb/zammad/zammad/stable/debian 12 main"| tee /etc/apt/sources.list.d/zammad.list > /dev/null
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
# Java set startup environment
mkdir -p /etc/elasticsearch/jvm.options.d
cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
-Xms1g
-Xmx1g
EOF
# configure nginx
generate_dhparam
unlink /etc/nginx/sites-enabled/default
unlink /etc/nginx/sites-enabled/zammad.conf
mkdir -p /etc/nginx/ssl
ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
-e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
-e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
-e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
-e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
/opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
# configure elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
systemctl enable elasticsearch.service
systemctl restart nginx elasticsearch.service
# Elasticsearch conntact to Zammad
zammad run rails r "Setting.set('es_url', 'http://127.0.0.1:9200')"
zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
systemctl restart elasticsearch.service
zammad run rake zammad:searchindex:rebuild[$(nproc)]

45
src/zmb-ad-join/constants-service.conf
View File

@ -1,45 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="backup"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"

221
src/zmb-ad-join/install-service.sh
View File

@ -1,221 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d
cat << EOF > /etc/default/chrony
# This is a configuration file for /etc/init.d/chrony and
# /lib/systemd/system/chrony.service; it allows you to pass various options to
# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
DAEMON_OPTS="-x -F 1"
EOF
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
[Unit]
ConditionCapability=
EOF
cat << EOF > /etc/chrony/conf.d/samba.conf
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
server de.pool.ntp.org iburst
server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = $ZMB_REALM
ticket_lifetime = 600
dns_lookup_realm = true
dns_lookup_kdc = true
renew_lifetime = 7d
EOF
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
rm -f /etc/samba/smb.conf
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
rm /etc/krb5.conf
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
mkdir -p /mnt/sysvol
cat << EOF > /root/.smbcredentials
username=$ZMB_ADMIN_USER
password=$ZMB_ADMIN_PASS
domain=$ZMB_DOMAIN
EOF
echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab
mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
cat > /etc/cron.d/sysvol-sync << EOF
*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol; if ! /usr/bin/samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then /usr/bin/samba-tool ntacl sysvolreset ; fi
EOF
/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
if ! samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then
samba-tool ntacl sysvolreset
fi
ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0
keep=$1
if \$1 ; then
keep=\$1
fi
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
prune () {
backup_type=\$1
if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
fi
}
echo "\$(date) Starting samba-ad-dc online backup"
if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
prune online
else
echo "\$(date) samba-ad-dc online backup failed"
rc=\$((\$rc + 1))
fi
echo "\$(date) Starting samba-ad-dc offline backup"
if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
prune offline
else
echo "S(date) samba-ad-dc offline backup failed"
rc=\$((\$rc + 1))
fi
exit \$rc
EOF
chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF
cat << EOF > /etc/logrotate.d/smb-backup
/var/log/smb-backup.log {
weekly
rotate 12
compress
delaycompress
missingok
notifempty
create 644 root root
}
EOF

45
src/zmb-ad/constants-service.conf
View File

@ -1,45 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="backup"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary"

194
src/zmb-ad/install-service.sh
View File

@ -1,194 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d
cat << EOF > /etc/default/chrony
# This is a configuration file for /etc/init.d/chrony and
# /lib/systemd/system/chrony.service; it allows you to pass various options to
# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
DAEMON_OPTS="-x -F 1"
EOF
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
[Unit]
ConditionCapability=
EOF
cat << EOF > /etc/chrony/conf.d/samba.conf
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
server de.pool.ntp.org iburst
server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
# provision zamba domain
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
# disable password expiry for administrator
samba-tool user setexpiry Administrator --noexpiry
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0
keep=\$1
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
prune () {
backup_type=\$1
if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
fi
}
echo "\$(date) Starting samba-ad-dc online backup"
if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
prune online
else
echo "\$(date) samba-ad-dc online backup failed"
rc=\$((\$rc + 1))
fi
echo "\$(date) Starting samba-ad-dc offline backup"
if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
prune offline
else
echo "S(date) samba-ad-dc offline backup failed"
rc=\$((\$rc + 1))
fi
exit \$rc
EOF
chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF
cat << EOF > /etc/logrotate.d/smb-backup
/var/log/smb-backup.log {
weekly
rotate 12
compress
delaycompress
missingok
notifempty
create 644 root root
}
EOF
exit 0

33
src/zmb-cups/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="samba,member,cups,printserver"

110
src/zmb-cups/install-service.sh
View File

@ -1,110 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
apt update
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = $ZMB_REALM
ticket_lifetime = 600
dns_lookup_realm = true
dns_lookup_kdc = true
renew_lifetime = 7d
EOF
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
klist
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
cat > /etc/samba/smb.conf <<EOF
[global]
workgroup = $ZMB_DOMAIN
security = ADS
realm = $ZMB_REALM
server string = %h server
vfs objects = acl_xattr shadow_copy2
map acl inherit = Yes
store dos attributes = Yes
idmap config *:backend = tdb
idmap config *:range = 3000000-4000000
idmap config *:schema_mode = rfc2307
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind separator = /
winbind nested groups = yes
winbind nss info = rfc2307
pam password change = Yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
template homedir = /home/%U
template shell = /bin/bash
bind interfaces only = Yes
interfaces = lo eth0
log file = /var/log/samba/log.%m
logging = syslog
max log size = 1000
panic action = /usr/share/samba/panic-action %d
dns proxy = No
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: delimiter = -20
printing = CUPS
rpcd_spoolss:idle_seconds=300
rpcd_spoolss:num_workers = 10
spoolss: architecture = Windows x64
[printers]
path = /${LXC_SHAREFS_MOUNTPOINT}/spool
printable = yes
[print$]
path = /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
read only = no
EOF
systemctl restart smbd
echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
echo -e "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
systemctl restart winbind nmbd
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
systemctl disable --now cups-browsed.service
cupsctl --remote-admin
systemctl restart cups smbd nmbd winbind wsdd

33
src/zmb-member/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="128K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="samba,member,fileserver"

33
src/zmb-standalone/constants-service.conf
View File

@ -1,33 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="128K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit"

78
src/zmb-standalone/install-service.sh
View File

@ -1,78 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
smbpasswd -x $USER
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
usermod -aG sudo $USER
cat << EOF | sudo tee -i /etc/samba/smb.conf
[global]
include = registry
EOF
cat << EOF | sudo tee -i /etc/samba/import.template
[global]
workgroup = WORKGROUP
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
log level = 3
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
shadow: delimiter = -20
fruit:encoding = native
fruit:metadata = stream
fruit:zero_file_id = yes
fruit:nfs_aces = no
EOF
net conf import /etc/samba/import.template
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf setparm $ZMB_SHARE readonly no
net conf setparm $ZMB_SHARE browseable yes
net conf setparm $ZMB_SHARE createmask 0660
net conf setparm $ZMB_SHARE directorymask 0770
systemctl restart smbd nmbd wsdd

158
conf/zamba.conf.example → zamba.conf
View File

@ -25,27 +25,20 @@ LXC_SHAREFS_SIZE="100"
# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
LXC_SHAREFS_STORAGE="local-zfs"
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
# Moved to constants-service.conf, be careful if you override this value
# LXC_SHAREFS_MOUNTPOINT="tank"
# cpu core count (default: 0 = unlimited)
LXC_THREADS=0
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
LXC_MEM=1024
LXC_MEM="1024"
# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
LXC_SWAP=1024
LXC_SWAP="1024"
# Defines the hostname of your LXC container
LXC_HOSTNAME="${service}"
LXC_HOSTNAME="zamba"
# Defines the domain name / search domain of your LXC container
LXC_DOMAIN="zmb.rocks"
# Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
LXC_DHCP=false
# Defines the local IP address and subnet of your LXC container in CIDR format
LXC_IP="192.168.100.200/24"
@ -61,41 +54,23 @@ LXC_DNS="192.168.100.254"
LXC_BRIDGE="vmbr0"
# Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
LXC_VLAN=NONE
LXC_VLAN=
# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
LXC_PWD='Start!123'
LXC_PWD='S3cr3tp@ssw0rd'
# Defines an authorized_keys file to push into the LXC container.
# By default the authorized_keys will be inherited from your proxmox host.
LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys
# Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
# Define the local timezone of your LXC container (default: Euroe/Berlin)
LXC_TIMEZONE="Europe/Berlin"
# Define system language on LXC container (locales)
# With this paramater you can generate additional locales, the default language will be inherited from proxmox host.
# en_US.UTF-8 english
# de_DE.UTF-8 german (default)
LXC_LOCALE="de_DE.UTF-8"
# Set dark background for vim syntax highlighting (0 or 1)
LXC_VIM_BG_DARK=1
# Default random password length
LXC_RANDOMPWD=32
# Move lxc to specific ressource pool
LXC_RESSOURCE_POOL=""
# Automatically add meta tags to lxc container
LXC_AUTOTAG=1
# Add meta tags to linux container
LXC_TAGS="linux,debian,${service}"
LXC_LOCALE=de_DE.UTF-8
############### Zamba-Server-Section ###############
@ -104,18 +79,30 @@ ZMB_REALM="ZMB.ROCKS"
# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
ZMB_DOMAIN="ZMB"
# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
# Defines the name of your domain administrator account (AD DC, AD member, standalone)
ZMB_ADMIN_USER="administrator"
# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
ZMB_ADMIN_PASS='Start!123'
ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
# Defines the name of your Zamba share
ZMB_SHARE="share"
############### Mailpiler-Section ###############
PILER_BRANCH=release
# Defines the (public) FQDN of your piler mail archive
PILER_FQDN="piler.zmb.rocks"
# Defines the smarthost for piler mail archive
PILER_SMARTHOST="your.mailserver.tld"
# Defines the version number of piler mail archive to install
PILER_VERSION="1.3.11"
# Defines the version of sphinx to install
PILER_SPHINX_VERSION="3.3.1"
# Defines the php version to install
PILER_PHP_VERSION="7.4"
############### Matrix-Section ###############
@ -125,101 +112,8 @@ MATRIX_FQDN="matrix.zmb.rocks"
# Define the FQDN for the Element Web virtual host
MATRIX_ELEMENT_FQDN="element.zmb.rocks"
# Define the administrative user of matrix service
MATRIX_ADMIN_USER="admin"
# Define the version of Element Web
MATRIX_ELEMENT_VERSION="v1.7.25"
# Define the admin password
MATRIX_ADMIN_PASSWORD='Start!123'
############### Nextcloud-Section ###############
# Define the FQDN of your Nextcloud server
NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
# The initial admin-user which will be configured
NEXTCLOUD_ADMIN_USR="zmb-admin"
# Build a strong password for this user. Username and password will shown at the end of the installation.
# NEXTCLOUD_ADMIN_PWD='very_secure_password'
# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
NEXTCLOUD_DATA="nc_data"
# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
NEXTCLOUD_REVPROX="192.168.100.254"
############### Check_MK-Section ###############
# Define the name of your checkmk instance
CMK_INSTANCE=zmbrocks
# Define the password of user 'cmkadmin'
CMK_ADMIN_PW='Start!123'
# checkmk edition (raw or free)
# raw = completely free
# free = limited version of the enterprise edition (25 hosts, 1 instance)
CMK_EDITION=raw
############### Kopano-Section ###############
# Define the FQDN of your Nextcloud server
KOPANO_FQDN="kopano.zmb.rocks"
# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
KOPANO_MAILGW="192.168.100.254"
# Kopano test- or subscription-key offerd from
# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
KOPANO_REPKEY="1234567890abcdefghijklmno"
############### vaultwarden Section ###############
# Enable/disable signups (true/false)
VW_SIGNUPS_ALLOWED=false
# Hostname of your mailserver
VW_SMTP_HOST=mail.bashclub.org
# email address to send from
VW_SMTP_FROM="vaultwarden@bashclub.org"
# display name to send from
VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
# port of your mailserver
VW_SMTP_PORT=587
# use ssl?
VW_SMTP_SSL=true
# use starttls?
VW_SMTP_EXPLICIT_TLS=false
# username of your mailbox
VW_SMTP_USERNAME=vaultwarden@bashclub.org
# password of your mailbox
VW_SMTP_PASSWORD='<yourEmailPassword>'
############### ansible-semaphore Section ###############
SEMAPHORE_ADMIN=admin
SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
SEMAPHORE_ADMIN_PASSWORD='Start123'
############### docker Section ###############
# Install Portainer (=full), Protainer Agent (=agent) or none
PORTAINER=none
############### zabbix Section ###############
# (Zabbix Proxy) Name:Port of the zabbix server
ZBX_ADDR=zabbix.zmb.rocks:10051
############### freescout Section ################
FS_FIRSTNAME=Max
FS_LASTNAME=Mustermann
FS_EMAIL=mail@zmb.rocks
# Define the FQDN for the Jitsi Meet virtual host
MATRIX_JITSI_FQDN="meet.zmb.rocks"

190
conf/README.md → zamba.conf.md
View File

@ -1,5 +1,4 @@
# USE THIS FOLDER TO STORE YOUR OWN ZMB CONFIGS
# Configuration options reference
# `zamba.conf` options reference
This is the reference of all config options you can set in `zamba.conf`
<br>
@ -40,30 +39,24 @@ LXC_SHAREFS_MOUNTPOINT="tank"
```
### LXC_MEM
Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
If a service needs more minimum memory, LXC_MEM will be overwritten.
```bash
LXC_MEM=1024
LXC_MEM="1024"
```
### LXC_SWAP
Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
```bash
LXC_SWAP=1024
LXC_SWAP="1024"
```
### LXC_HOSTNAME
Defines the hostname of your LXC container (Default: Name of installed Service)
Defines the hostname of your LXC container
```bash
LXC_HOSTNAME="zamba"
LXC_SWAP="zamba"
```
### LXC_DOMAIN
Defines the domain name / search domain of your LXC container
```bash
LXC_DOMAIN="zmb.rocks"
```
### LXC_DHCP
Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
```bash
LXC_DHCP=false
```
### LXC_IP
Defines the local IP address and subnet of your LXC container in CIDR format
```bash
@ -94,7 +87,7 @@ LXC_VLAN="80"
### LXC_PWD
Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour.
```bash
LXC_PWD="Start!123"
LXC_PWD="S3cr3tp@ssw0rd"
```
### LXC_AUTHORIZED_KEY
Defines an authorized_keys file to push into the LXC container.
@ -105,7 +98,7 @@ LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
### LXC_TOOLSET
Define your (administrative) tools, you always want to have installed into your LXC container
```bash
LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
```
### LXC_TIMEZONE
Define the local timezone of your LXC container (default: Euroe/Berlin)
@ -118,13 +111,6 @@ Define system language on LXC container (locales)
LXC_LOCALE="de_DE.utf8"
```
This parameter is not used yet, but will be integrated in future releases.
### LXC_VIM_BG_DARK
Set dark background for vim syntax highlighting (0 or 1)
```bash
LXC_VIM_BG_DARK=1
```
<br>
## Zamba Server Section
@ -141,6 +127,11 @@ Defines the domain name in your Active Directory or Workgroup (AD DC, AD member,
```bash
ZMB_DOMAIN="ZMB"
```
### ZMB_DNS_BACKEND
Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
```bash
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
```
### ZMB_ADMIN_USER
Defines the name of your domain administrator account (AD DC, AD member, standalone)
```bash
@ -149,7 +140,7 @@ ZMB_ADMIN_USER="Administrator"
### ZMB_ADMIN_PASS
Defines the domain administrator's password (AD DC, AD member).
```bash
ZMB_ADMIN_PASS='Start!123'
ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
```
Please use 'single quotation marks' to avoid unexpected behaviour.
`zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
@ -172,7 +163,22 @@ PILER_FQDN="piler.zmb.rocks"
### PILER_SMARTHOST
Defines the smarthost for piler mail archive
```bash
PILER_SMARTHOST="your.mailserver.tld"
PILER_SMARTHOST="10.10.80.20"
```
### PILER_VERSION
Defines the version number of piler mail archive to install
```bash
PILER_VERSION="1.3.10"
```
### PILER_SPHINX_VERSION
Defines the version of sphinx to install
```bash
PILER_SPHINX_VERSION="3.3.1"
```
### PILER_PHP_VERSION
Defines the php version to install
```bash
PILER_PHP_VERSION="7.4"
```
<br>
@ -191,139 +197,13 @@ Define the FQDN for the Element Web virtual host
```bash
MATRIX_ELEMENT_FQDN="element.zmb.rocks"
```
### MATRIX_ADMIN_USER
Define the administrative user of matrix service
### MATRIX_ELEMENT_VERSION
Define the version of Element Web
```bash
MATRIX_ADMIN_USER="admin"
MATRIX_ELEMENT_VERSION="v1.7.24"
```
### MATRIX_ADMIN_PASSWORD
Define the admin password
### MATRIX_JITSI_FQDN
Define the FQDN for the Jitsi Meet virtual host
```bash
MATRIX_ADMIN_PASSWORD="Start!123"
MATRIX_JITSI_FQDN="meet.zmb.rocks"
```
## Nextcloud-Section
### NEXTCLOUD_FQDN
Define the FQDN of your Nextcloud server
```bash
NEXTCLOUD_FQDN="nc1.zmb.rocks"
```
### NEXTCLOUD_ADMIN_USR
The initial admin-user which will be configured
```bash
NEXTCLOUD_ADMIN_USR="zmb-admin"
```
### NEXTCLOUD_ADMIN_PWD
Build a strong password for this user. Username and password will shown at the end of the instalation.
```bash
NEXTCLOUD_ADMIN_PWD="$(random_password)"
```
### NEXTCLOUD_DATA
Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
```bash
NEXTCLOUD_DATA="nc_data"
```
### NEXTCLOUD_REVPROX
Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
```bash
NEXTCLOUD_REVPROX="192.168.100.254"
```
## Check_MK-Section
### CMK_INSTANCE
Define the name of your checkmk instance
```bash
CMK_INSTANCE=zmbrocks
```
### CMK_ADMIN_PW
Define the password of user 'cmkadmin'
```bash
CMK_ADMIN_PW='Start!123'
```
### CMK_EDITION
checkmk edition (raw or free)
- raw = completely free
- free = limited version of the enterprise edition (25 hosts, 1 instance)
```bash
CMK_EDITION=raw
```
### Kopano-Section
### KOPANO_FQDN
Define the FQDN of your Nextcloud server
```bash
KOPANO_FQDN="kopano.zmb.rocks
```
### KOPANO_MAILGW=
Define the host, to which mails will send.
```bash
KOPANO_MAILGW="192.168.100.254"
```
### KOPANO_REPKEY
Kopano test- or subscription-key offerd from
https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+11
```bash
KOPANO_REPKEY="1234567890abcdefghijklmno"
```
### vaultwarden Section
### VW_SMTP_HOST
Hostname of your mailserver
```bash
VW_SMTP_HOST=mail.bashclub.org
```
### VW_SMTP_FROM
email address to send from
```bash
VW_SMTP_FROM="vaultwarden@bashclub.org"
```
### VW_SMTP_FROM_NAME
display name to send from
```bash
VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
```
### VW_SMTP_PORT
Smtp-port of your mailserver
```bash
VW_SMTP_PORT=587
```
### VW_SMTP_SSL
Use ssl true/false
```bash
VW_SMTP_SSL=true
```
### VW_SMTP_EXPLICIT_TLS
Use starttls true/false
```bash
VW_SMTP_EXPLICIT_TLS=false
```
### VW_SMTP_USERNAME
Username of your mailbox
```bash
VW_SMTP_USERNAME=vaultwarden@bashclub.org
```
### VW_SMTP_PASSWORD
Password of your mailbox
```bash
VW_SMTP_PASSWORD='<yourEmailPassword>'
```

119
zmb-ad.sh Normal file
View File

@ -0,0 +1,119 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
BINDNINE=bind9
fi
## configure ntp
cat << EOF > /etc/ntp.conf
# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Where to retrieve the time from
server 0.de.pool.ntp.org iburst prefer
server 1.de.pool.ntp.org iburst prefer
server 2.de.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
EOF
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
# stop + disable samba services and remove default config
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
# provision zamba domain
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc $BINDNINE
systemctl restart samba-ad-dc $BINDNINE
exit 0

30
src/zmb-member/install-service.sh → zmb-member.sh
View File

@ -5,16 +5,18 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
@ -68,11 +70,12 @@ cat > /etc/samba/smb.conf <<EOF
printing = bsd
disable spoolss = Yes
allow trusted domains = No
dns proxy = No
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
shadow: delimiter = -20
[$ZMB_SHARE]
@ -83,6 +86,8 @@ cat > /etc/samba/smb.conf <<EOF
directory mask = 0770
inherit acls = Yes
EOF
systemctl restart smbd
@ -96,12 +101,13 @@ systemctl restart winbind nmbd
wbinfo -u
wbinfo -g
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
systemctl restart smbd nmbd winbind
systemctl restart smbd nmbd winbind wsdd

44
zmb-standalone.sh Normal file
View File

@ -0,0 +1,44 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/zamba.conf
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen $LXC_LOCALE
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba samba-dsdb-modules samba-vfs-modules
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
smbpasswd -x $USER
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
cat << EOF >> /etc/samba/smb.conf
[share]
comment = Main Share
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
read only = No
vfs objects = shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
shadow: delimiter = -20
EOF
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
systemctl restart smbd nmbd