Update and rename check_zambaconf_trmm.sh to check_zambaconfonpve_trmm.sh

Update check_zambaconf_trmm.sh
also recognizes forgotten zamba.confs in lxcs root
2025-06-15 14:27:01 +02:00 · 2025-06-05 22:32:26 +02:00 · 2025-06-05 22:05:15 +02:00 · 2025-06-04 11:01:30 +02:00 · 2025-06-04 10:47:50 +02:00 · 2025-05-22 15:56:06 +02:00
77 changed files with 3485 additions and 946 deletions
--- a/README.md
+++ b/README.md
@ -29,8 +29,8 @@ Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 - `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
 - `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
 - `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
+- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
+- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support
 ## Usage
 Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
 ```bash
@ -64,3 +64,11 @@ You can also view possible parameters with `install.sh -h`
 After container creation, you will be prompted to select the service to install and depending on the service there may be some more questions during installation.
 Once the script has finished, the container is installed and running and you can continue with the service specific configuration.
 # Authors
 ### Markus Helmke
 [<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/nettwarker)
 ### Thorsten Spille
 [<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/thorakel)
--- a/check_zambaconfonpve_trmm.sh
+++ b/check_zambaconfonpve_trmm.sh
@ -0,0 +1,19 @@
 #!/bin/bash
 export LC_ALL=C
 ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf"
 if [[ -f "$ZAMBA_CONF" ]]; then
    # Prüfen, ob die Datei älter als 3 Tage ist
    if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then
        echo "⚠️ zamba.conf ist älter als 3 Tage – Datei wird gelöscht: $ZAMBA_CONF"
        rm -f "$ZAMBA_CONF"
        exit 0
    else
        echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF"
        exit 2
    fi
 else
    echo "✅ OK: zamba.conf ist nicht vorhanden"
    exit 0
 fi
--- a/conf/README.md
+++ b/conf/README.md
@ -255,3 +255,75 @@ checkmk edition (raw or free)
 ```bash
 CMK_EDITION=raw
 ```
 ### Kopano-Section
 ### KOPANO_FQDN
 Define the FQDN of your Nextcloud server
 ```bash
 KOPANO_FQDN="kopano.zmb.rocks
 ```
 ### KOPANO_MAILGW=
 Define the host, to which mails will send.
 ```bash
 KOPANO_MAILGW="192.168.100.254"
 ```
 ### KOPANO_REPKEY
 Kopano test- or subscription-key offerd from 
 https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+11
 ```bash
 KOPANO_REPKEY="1234567890abcdefghijklmno"
 ```
 ### vaultwarden Section
 ### VW_SMTP_HOST
 Hostname of your mailserver
 ```bash
 VW_SMTP_HOST=mail.bashclub.org
 ```
 ### VW_SMTP_FROM
 email address to send from
 ```bash
 VW_SMTP_FROM="vaultwarden@bashclub.org"
 ```
 ### VW_SMTP_FROM_NAME
 display name to send from
 ```bash
 VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
 ```
 ### VW_SMTP_PORT
 Smtp-port of your mailserver
 ```bash
 VW_SMTP_PORT=587
 ```
 ### VW_SMTP_SSL
 Use ssl true/false
 ```bash
 VW_SMTP_SSL=true
 ```
 ### VW_SMTP_EXPLICIT_TLS
 Use starttls true/false
 ```bash
 VW_SMTP_EXPLICIT_TLS=false
 ```
 ### VW_SMTP_USERNAME
 Username of your mailbox
 ```bash
 VW_SMTP_USERNAME=vaultwarden@bashclub.org
 ```
 ### VW_SMTP_PASSWORD
 Password of your mailbox
 ```bash
 VW_SMTP_PASSWORD='<yourEmailPassword>'
 ```
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@ -25,7 +25,11 @@ LXC_SHAREFS_SIZE="100"
 # Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
 LXC_SHAREFS_STORAGE="local-zfs"
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="tank"
+# Moved to constants-service.conf, be careful if you override this value
 # LXC_SHAREFS_MOUNTPOINT="tank"
 # cpu core count (default: 0 = unlimited)
 LXC_THREADS=0
 # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
 LXC_MEM=1024
@ -84,6 +88,9 @@ LXC_VIM_BG_DARK=1
 # Default random password length
 LXC_RANDOMPWD=32
 # Move lxc to specific ressource pool
 LXC_RESSOURCE_POOL=""
 # Automatically add meta tags to lxc container
 LXC_AUTOTAG=1
@ -92,26 +99,27 @@ LXC_TAGS="linux,debian,${service}"
 ############### Zamba-Server-Section ###############
-# Defines the REALM for the Active Directory (AD DC, AD member)
+# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
 ZMB_REALM="ZMB.ROCKS"
-# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
+# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_DOMAIN="ZMB"
-# Defines the name of your domain administrator account (AD DC, AD member, standalone)
+# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_ADMIN_USER="administrator"
 # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
 # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
 ZMB_ADMIN_PASS='Start!123'
 # Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
 ZMB_DOMAIN_ADMINS="domain admins"
 # Defines the name of your Zamba share
 ZMB_SHARE="share"
 ############### Mailpiler-Section ###############
-# Defines the (public) FQDN of your piler mail archive
+PILER_BRANCH=release
 PILER_FQDN="mailpiler.zmb.rocks"
 # Defines the smarthost for piler mail archive
 PILER_SMARTHOST="mail.zmb.rocks"
 ############### Matrix-Section ###############
@ -125,7 +133,7 @@ MATRIX_ELEMENT_FQDN="element.zmb.rocks"
 MATRIX_ADMIN_USER="admin"
 # Define the admin password
-MATRIX_ADMIN_PASSWORD="Start!123"
+MATRIX_ADMIN_PASSWORD='Start!123'
 ############### Nextcloud-Section ###############
@ -170,6 +178,10 @@ KOPANO_MAILGW="192.168.100.254"
 KOPANO_REPKEY="1234567890abcdefghijklmno"
 ############### vaultwarden Section ###############
 # Enable/disable signups (true/false)
 VW_SIGNUPS_ALLOWED=false
 # Hostname of your mailserver
 VW_SMTP_HOST=mail.bashclub.org
@ -192,4 +204,26 @@ VW_SMTP_EXPLICIT_TLS=false
 VW_SMTP_USERNAME=vaultwarden@bashclub.org
 # password of your mailbox
-VW_SMTP_PASSWORD='<yourEmailPassword>'
+VW_SMTP_PASSWORD='<yourEmailPassword>'
 ############### ansible-semaphore Section ###############
 SEMAPHORE_ADMIN=admin
 SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
 SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
 SEMAPHORE_ADMIN_PASSWORD='Start123'
 ############### docker Section ###############
 # Install Portainer (=full), Protainer Agent (=agent) or none
 PORTAINER=none
 ############### zabbix Section ###############
 # (Zabbix Proxy) Name:Port of the zabbix server
 ZBX_ADDR=zabbix.zmb.rocks:10051
 ############### freescout Section ################
 FS_FIRSTNAME=Max
 FS_LASTNAME=Mustermann
 FS_EMAIL=mail@zmb.rocks
--- a/install.sh
+++ b/install.sh
@ -102,6 +102,15 @@ source "$config"
 source "$PWD/src/$service/constants-service.conf"
 if [[ $service == "zmb-ad-restore" ]]; then
  if find ./ | grep samba-backup*.tar.bz2 ; then
    sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
  else
    echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
    exit 1
  fi
 fi
 if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
  LXC_MEM=$LXC_MEM_MIN
 fi
@ -119,8 +128,7 @@ if [ $ctid -gt 99 ]; then
  LXC_CHK=$ctid
 else
  # Get next free LXC-number
-  LXC_LST=$( lxc-ls -1 | tail -1 )
+  LXC_CHK=$(($(pct list | cut -d' ' -f1 | tail -1) + 1))
  LXC_CHK=$((LXC_LST+1));
 fi
 if  [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
@ -130,24 +138,43 @@ else
 fi
 echo "Will now create LXC Container $LXC_NBR!";
 if [ $LXC_THREADS -gt 0 ]; then
  LXC_CORES=--cores\ $LXC_THREADS
 fi
 if [[ $LXC_RESSOURCE_POOL != "" ]]; then
  LXC_POOL=--pool\ $LXC_RESSOURCE_POOL
 fi
 # Create the container
-pct create $LXC_NBR $TAGS --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+set +u
 pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE,acl=1;
 set -u
 sleep 2;
 # Check vlan configuration
 if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
 if [ $LXC_DHCP == true ]; then
 pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
 else
 pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
 fi
 sleep 2
 if [ $LXC_MP -gt 0 ]; then
-  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
+  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
  if [[ "$(pvesm status | grep $LXC_SHAREFS_STORAGE | cut -d ' ' -f6)" == "zfspool" ]]; then
    pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
    dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
    zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
  fi
 fi
 sleep 2;
 PS3="Select the Server-Function: "
@ -155,7 +182,7 @@ PS3="Select the Server-Function: "
 pct start $LXC_NBR;
 sleep 5;
 # Set the root ssh key
-pct exec $LXC_NBR -- mkdir /root/.ssh
+pct exec $LXC_NBR -- mkdir -p /root/.ssh
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
 pct push $LXC_NBR "$config" /root/zamba.conf
 pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
@ -166,6 +193,11 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
 pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
 pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
 if [[ $service == "zmb-ad-restore" ]]; then
    pct exec $LXC_NBR -- mkdir -p /backup/online
    pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
 fi
 if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
 echo "Installing basic container setup..."
@ -177,7 +209,14 @@ pct shutdown $LXC_NBR
 if [[ $service == "zmb-ad" ]]; then
  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
 elif [[ $service == "zmb-ad-restore" ]]; then
  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
 elif [[ $service == "zmb-ad-join" ]]; then
  pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi
-pct start $LXC_NBR
+pct start $LXC_NBR
 if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
  sleep 5
  pct exec $LXC_NBR /usr/local/bin/smb-backup 7
 fi
--- a/scripts/nextcloud-update
+++ b/scripts/nextcloud-update
@ -1,17 +1,47 @@
 #!/bin/bash
-#
+
-# Update nextcloud
+# Update Nextcloud
-# place in /etc/cron.daily and make executable with chmod +x  /etc/cron.daily/nextcloud-update
+# Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update
 user=www-data
-phpversion=php8.0
+phpversion=php8.2
 path=/var/www/nextcloud
 logfile="/var/log/nextcloud-update.log"
-alias ncc="sudo -u $user $phpversion $path/occ"
+ncc() {
-alias updater="sudo -u $user $phpversion $path/updater/updater.phar"
+  sudo -u "$user" "$phpversion" "$path/occ" "$@"
 }
-updater --no-backup --no-interaction
+updater() {
  sudo -u "$user" "$phpversion" "$path/updater/updater.phar" "$@"
 }
-subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade")
+{
-for cmd in ${subcommands[@]}; do
+  echo "===== $(date): Nextcloud Update Start ====="
-  ncc -n $cmd
+
-done
+  updater --no-backup --no-interaction
  subcommands=(
    "db:add-missing-primary-keys"
    "db:add-missing-indices"
    "db:add-missing-columns"
    "db:convert-filecache-bigint"
    "files:scan-app-data"
    "upgrade"
  )
  for cmd in "${subcommands[@]}"; do
    echo "Running: occ $cmd"
    ncc -n $cmd
  done
  # App Updates
  echo "Updating apps..."
  apps=$(ncc app:list | grep -Po 'Enabled:\s*\K.*' | tr -d ' ' | tr ',' '\n')
  for app in $apps; do
    echo "Updating app: $app"
    ncc app:update "$app"
  done
  echo "===== $(date): Nextcloud Update Finished ====="
 } >> "$logfile" 2>&1
--- a/src/ansible-semaphore/constants-service.conf
+++ b/src/ansible-semaphore/constants-service.conf
@ -0,0 +1,42 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # Defines the name from the SQL database
 SEMAPHORE_DB_NAME="semaphore"
 # Defines the name from the SQL user
 SEMAPHORE_DB_USR="semaphore"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 SEMAPHORE_DB_PWD="$(random_password)"
 # service dependent meta tags
 SERVICE_TAGS="postgresql,nginx"
--- a/src/ansible-semaphore/install-service.sh
+++ b/src/ansible-semaphore/install-service.sh
@ -0,0 +1,222 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
 echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
 wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
 echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip ansible ansible-lint
 systemctl enable --now postgresql
 su - postgres <<EOF
 psql -c "CREATE USER semaphore WITH PASSWORD '${SEMAPHORE_DB_PWD}';"
 psql -c "CREATE DATABASE ${SEMAPHORE_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${SEMAPHORE_DB_USR};"
 echo "Postgres User ${SEMAPHORE_DB_USR} and database ${SEMAPHORE_DB_NAME} created."
 EOF
 curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
 cat << EOF > /usr/local/bin/update-semaphore
 PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 echo "Checking github for new semaphore version"
 current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
 installed_version=\$(semaphore version)
 echo "Installed semaphore version is \$installed_version"
 if [ \$installed_version != \$current_version ]; then
  echo "New semaphore version \$current_version available. Stopping semaphore.service"
  systemctl stop semaphore.service
  echo "Downloading semaphore version \$current_version..."
  curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical dpkg -i /opt/semaphore_linux_amd64.deb
  echo "Starting semaphore.service..."
  systemctl start semaphore.service
  echo "semaphore update finished!"
 else
  echo "semaphore version is up-to-date!"
 fi
 EOF
 chmod +x /usr/local/bin/update-semaphore
 useradd -m -r -s /bin/bash semaphore
 sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
 cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
 DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
 EOF
 chmod +x /etc/apt/apt.conf.d/80-semaphore-apt-hook
 cat << EOF > /etc/systemd/system/semaphore.service
 [Unit]
 Description=Semaphore Ansible
 Documentation=https://github.com/semaphoreui/semaphore
 Wants=network-online.target
 After=network-online.target
 [Service]
 Type=simple
 ExecReload=/bin/kill -HUP \$MAINPID
 ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
 SyslogIdentifier=semaphore
 Restart=always
 User=semaphore
 Group=semaphore
 [Install]
 WantedBy=multi-user.target
 EOF
 mkdir -p /etc/semaphore
 cat << EOF > /etc/semaphore/config.json
 {
 	"mysql": {
 		"host": "",
 		"user": "",
 		"pass": "",
 		"name": "",
 		"options": null
 	},
 	"bolt": {
 		"host": "",
 		"user": "",
 		"pass": "",
 		"name": "",
 		"options": null
 	},
 	"postgres": {
 		"host": "127.0.0.1:5432",
 		"user": "${SEMAPHORE_DB_USR}",
 		"pass": "${SEMAPHORE_DB_PWD}",
 		"name": "${SEMAPHORE_DB_NAME}",
 		"options": {
 			"sslmode": "disable"
 		}
 	},
 	"dialect": "postgres",
 	"port": "",
 	"interface": "",
 	"tmp_path": "/tmp/semaphore",
 	"cookie_hash": "$(head -c32 /dev/urandom | base64)",
 	"cookie_encryption": "$(head -c32 /dev/urandom | base64)",
 	"access_key_encryption": "$(head -c32 /dev/urandom | base64)",
 	"email_sender": "",
 	"email_host": "",
 	"email_port": "",
 	"email_username": "",
 	"email_password": "",
 	"web_host": "",
 	"ldap_binddn": "",
 	"ldap_bindpassword": "",
 	"ldap_server": "",
 	"ldap_searchdn": "",
 	"ldap_searchfilter": "",
 	"ldap_mappings": {
 		"dn": "",
 		"mail": "",
 		"uid": "",
 		"cn": ""
 	},
 	"telegram_chat": "",
 	"telegram_token": "",
 	"slack_url": "",
 	"max_parallel_tasks": 0,
 	"email_alert": false,
 	"email_secure": false,
 	"telegram_alert": false,
 	"slack_alert": false,
 	"ldap_enable": false,
 	"ldap_needtls": false,
 	"ssh_config_path": "/home/semaphore/.ssh/",
 	"demo_mode": false,
 	"git_client": ""
 }
 EOF
 if [ -f /etc/nginx/sites-enabled/default ]; then
  unlink /etc/nginx/sites-enabled/default
 fi
 cat << EOF > /etc/nginx/conf.d/default.conf
 server {
    listen 80;
    listen [::]:80;
    server_name _;
    server_tokens off;
    access_log /var/log/nginx/semaphore.access.log;
    error_log /var/log/nginx/semaphore.error.log;
    location /.well-known/ {
        root /var/www/html;
    }
    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
 }
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
    server_tokens off;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
    add_header Strict-Transport-Security "max-age=31536000" always;
    access_log /var/log/nginx/semaphore.access.log;
    error_log  /var/log/nginx/semaphore.error.log;
    client_max_body_size 50M;
    location / {
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:3000;
        proxy_read_timeout 90;
    }
 }
 EOF
 echo "source <(semaphore completion bash)" >> /root/.bashrc
 semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json
 generate_dhparam
 systemctl daemon-reload
 systemctl enable --now semaphore.service
 systemctl restart nginx.service
 echo -e "\n######################################################################\n\n    Please note this user and password for the semaphore login:\n        '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n                Enjoy your semaphore intallation.\n\n######################################################################"
--- a/src/mailpiler/constants-service.conf
+++ b/src/mailpiler/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="srv"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,15 +23,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
-# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+# enable keyctl feature
-PILER_VERSION="1.3.12"
+LXC_KEYCTL="0"
 # Defines the version of sphinx to install
 PILER_SPHINX_VERSION="3.3.1"
 # Defines the php version to install
 PILER_PHP_VERSION="7.4"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
-SERVICE_TAGS="php-fpm,nginx,mariadb,sphinx"
+SERVICE_TAGS="aptly,nginx"
--- a/src/apt/install-service.sh
+++ b/src/apt/install-service.sh
@ -0,0 +1,273 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 source /etc/os-release
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
 # Create gpg key for apt repo signing
 gpg --batch --gen-key <<EOF
 Key-Type: 1
 Key-Length: 4096
 Subkey-Type: 1
 Subkey-Length: 4096
 Name-Real: ${AM_COMPANY_NAME}
 Name-Email: ${AM_COMPANY_EMAIL}
 Expire-Date: 0
 %no-protection
 EOF
 if [ -f /etc/nginx/sites-enabled/default ]; then
  unlink /etc/nginx/sites-enabled/default
 fi
 cat << EOF > /etc/aptly.conf
 {
  "rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
  "downloadConcurrency": 4,
  "downloadSpeedLimit": 0,
  "architectures": [
        "amd64",
        "armhf"
  ],
  "dependencyFollowSuggests": false,
  "dependencyFollowRecommends": false,
  "dependencyFollowAllVariants": false,
  "dependencyFollowSource": false,
  "dependencyVerboseResolve": true,
  "gpgDisableSign": false,
  "gpgDisableVerify": false,
  "gpgProvider": "gpg",
  "downloadSourcePackages": false,
  "skipLegacyPool": true,
  "ppaDistributorID": "$AM_COMPANY_NAME",
  "ppaCodename": ""
 }
 EOF
 cat << EOF > /usr/local/bin/update-apt-mirrors
 #!/bin/bash
 PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 for m in $(aptly mirror list -raw); do
  aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
 done
 EOF
 chmod +x /usr/local/bin/update-apt-mirrors
 cat << EOF > /etc/nginx/conf.d/default.conf
 server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # Force HTTPS connection. This rules is domain agnostic
        if (\$scheme != "https") {
                rewrite ^ https://\$host\$uri permanent;
        }
        # SSL configuration
        #
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_timeout  10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        resolver 15.137.208.11 15.137.209.11 valid=300s;
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        root /var/www/html;
        index index.html index.htm;
        server_name _;
        location /gpg {
                autoindex on;
        }
        location /graph {
                autoindex on;
        }
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                #try_files \$uri \$uri/ =404;
                proxy_set_header Host \$host;
                proxy_set_header X-Real-IP \$remote_addr;
                proxy_pass http://localhost:8080;
        }
        location /api {
                proxy_pass http://localhost:8000/api;
        }
        location /api/graph {
                return 403;
        }
 }
 EOF
 cat << EOF > /etc/systemd/system/aptly.service
 [Unit]
 Description=Aptly Repository service
 [Service]
 User=root
 ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
 KillSignal=SIGTERM
 KillMode=process
 TimeoutStopSec=15s
 [Install]
 WantedBy=multi-user.target
 EOF
 cat << EOF > /etc/systemd/system/aptly-api.service
 [Unit]
 Description=Aptly REST API service
 [Service]
 User=root
 ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
 KillSignal=SIGTERM
 KillMode=process
 TimeoutStopSec=15s
 [Install]
 WantedBy=multi-user.target
 EOF
 cat << EOF > /root/mirror-examples
 # import proxmox keyring
 wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
 # proxmox 8 no subscription mirror (about 11.5 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
 # import debian keyring
 cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
 # debian 12 main mirror (about 87 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
 # debian 12 contrib mirror (about 600 MB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
 # debian 12 non-free mirror (about7,2 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
 # debian 12 non-free-firmware mirror (38 Packages)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
 # debian 12 update main mirror (about 2,5 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
 # debian 12 update contrib mirror (currently empty)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
 # debian 12 updates non-free mirror (about 900 MB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
 # debian 12 updates non-free-firmware mirror (about 70 MB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
 # debian 12 security main mirror (about 5,5 GB)
 aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
 # debian 12 security contrib mirror (2 packages)
 aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
 # debian 12 security non-free mirror (currently empty)
 aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
 # debian 12 security non-free-firmware mirror (1 package)
 aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
 # debian 12 backports main mirror (about 14,5 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
 # debian 12 backports contrib mirror (about 100 MB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
 # debian 12 backports non-free mirror (2 packages)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
 # debian 12 backports non-free-firmware mirror (currently empty)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
 EOF
 cat << EOF > /usr/local/bin/update-apt-mirrors 
 #!/bin/bash
 PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 for m in \$(aptly mirror list -raw); do
  aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
 done
 EOF
 echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
 chmod +x /usr/local/bin/update-apt-mirrors 
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
 chown -R www-data:www-data /var/www
 # Create required webserver folders
 sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
 # Export gpg key
 sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
 generate_dhparam
 systemctl daemon-reload
 systemctl enable --now aptly aptly-api
 systemctl restart nginx
 echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."
--- a/src/authentik/constants-service.conf
+++ b/src/authentik/constants-service.conf
@ -0,0 +1,33 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 # service dependent meta tags
 SERVICE_TAGS="docker"
--- a/src/authentik/install-service.sh
+++ b/src/authentik/install-service.sh
@ -0,0 +1,108 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # Add Docker's official GPG key:
 install -m 0755 -d /etc/apt/keyrings
 curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
 chmod a+r /etc/apt/keyrings/docker.gpg
 # Add the repository to Apt sources:
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
 SECRET=$(random_password)
 myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
 install_portainer_full() {
    mkdir -p /opt/portainer/data
    cd /opt/portainer
    cat << EOF > /opt/portainer/docker-compose.yml
 version: "3.4"
 services:
  portainer:
    restart: always
    image: portainer/portainer:latest
    volumes:
      - ./data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "8000:8000"
      - "9443:9443"
    command: --admin-password-file=/data/admin_password
 EOF
    echo -n "$SECRET" > ./data/admin_password
    docker compose pull
    docker compose up -d
    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
 }
 install_portainer_agent() {
    mkdir -p /opt/portainer-agent/data
    cd /opt/portainer-agent
    cat << EOF > /opt/portainer-agent/docker-compose.yml
 version: "3.4"
 services:
  portainer:
    restart: always  
    image: portainer/agent:latest
    volumes:
      - /var/lib/docker/volumes:/var/lib/docker/volumes
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "9001:9001"
 EOF
    docker compose pull
    docker compose up -d
    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
 }
 mkdir -p /opt/authentik
 wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
 cd /opt/authentik
 cat << EOF > .env
 PG_PASS=$(pwgen -s 40 1)
 AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
 AUTHENTIK_DISABLE_UPDATE_CHECK=false
 AUTHENTIK_ERROR_REPORTING__ENABLED=false
 AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
 AUTHENTIK_AVATARS=initials
 COMPOSE_PORT_HTTP=80
 COMPOSE_PORT_HTTPS=443
 AUTHENTIK_EMAIL__HOST=
 AUTHENTIK_EMAIL__PORT=
 AUTHENTIK_EMAIL__USERNAME=
 AUTHENTIK_EMAIL__PASSWORD=
 # Use StartTLS
 AUTHENTIK_EMAIL__USE_TLS=false
 # Use SSL
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
 # Email address authentik will send from, should have a correct @domain
 AUTHENTIK_EMAIL__FROM=
 AUTHENTIK_REDIS__DB=1
 EOF
 docker compose pull
 docker compose up -d
 case $PORTAINER in
  full) install_portainer_full ;;
  agent) install_portainer_agent ;;
  *)     echo -e "\n######################################################################\n\n   Enjoy your authentik intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
 esac
--- a/src/bookstack/constants-service.conf
+++ b/src/bookstack/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/bookstack/install-service.sh
+++ b/src/bookstack/install-service.sh
@ -16,11 +16,11 @@ webroot=/var/www/bookstack/public
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
-wget -O /opt/wkhtmltox_0.12.6-1.buster_amd64.deb https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.buster_amd64.deb
+curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /opt/wkhtmltox_0.12.6-1.buster_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
@ -106,9 +106,9 @@ CREATE DATABASE IF NOT EXISTS bookstack;
 GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
 FLUSH PRIVILEGES;"
-sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
-sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
-sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
 EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
 php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
@ -178,8 +178,8 @@ WantedBy=multi-user.target
 EOF
 systemctl daemon-reload
-systemctl enable --now bookstack-queue php7.4-fpm nginx redis-server
+systemctl enable --now bookstack-queue php${PHP_VERSION:0:3}-fpm nginx redis-server
-systemctl restart php7.4-fpm nginx bookstack-queue redis-server
+systemctl restart php${PHP_VERSION:0:3}-fpm nginx bookstack-queue redis-server
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
--- a/src/checkmk/constants-service.conf
+++ b/src/checkmk/constants-service.conf
@ -8,10 +8,15 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="opt"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,8 +24,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # checkmk version
-CMK_VERSION=2.1.0p21
+CMK_VERSION=2.3.0p6
 # build number of the debian package (needs to start with underscore)
 CMK_BUILD=_0
@ -28,4 +36,4 @@ CMK_BUILD=_0
 LXC_MEM_MIN=2048
 # service dependent meta tags
-SERVICE_TAGS="apache2"
+SERVICE_TAGS="apache2"
--- a/src/checkmk/install-service.sh
+++ b/src/checkmk/install-service.sh
@ -23,6 +23,46 @@ cat << EOF > /etc/apache2/sites-available/000-default.conf
 </VirtualHost>
 EOF
 cat << EOF > /etc/apache2/sites-available/default-ssl.conf
 <VirtualHost *:443>
 	RewriteEngine On
 	RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
 	RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
 	ServerAdmin webmaster@localhost
 	DocumentRoot /var/www/html
 	ErrorLog \${APACHE_LOG_DIR}/error.log
 	CustomLog \${APACHE_LOG_DIR}/access.log combined
 	SSLEngine on
 	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
 	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
 	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
 	#SSLCACertificatePath /etc/ssl/certs/
 	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
 	#SSLCARevocationPath /etc/apache2/ssl.crl/
 	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
 	#SSLVerifyClient require
 	#SSLVerifyDepth  10
 	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 	<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
 		SSLOptions +StdEnvVars
 	</FilesMatch>
 	<Directory /usr/lib/cgi-bin>
 		SSLOptions +StdEnvVars
 	</Directory>
 </VirtualHost>
 EOF
 a2enmod ssl
 a2enmod rewrite
 a2ensite default-ssl
--- a/src/cloudpanel/constants-service.conf
+++ b/src/cloudpanel/constants-service.conf
@ -0,0 +1,31 @@
 #!/bin/bash
 # Authors:
 # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="home"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/cloudpanel/install-service.sh
+++ b/src/cloudpanel/install-service.sh
@ -0,0 +1,14 @@
 #!/bin/bash
 # Author:
 # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source zamba.conf
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
 curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
 echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
 DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh
--- a/src/constants.conf
+++ b/src/constants.conf
@ -8,4 +8,4 @@
 # This file contains the project constants on container level
 # Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget"
+LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux"
--- a/src/debian-priv/constants-service.conf
+++ b/src/debian-priv/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512
--- a/src/debian-unpriv/constants-service.conf
+++ b/src/debian-unpriv/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=512
--- a/src/docker/constants-service.conf
+++ b/src/docker/constants-service.conf
@ -0,0 +1,33 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 # service dependent meta tags
 SERVICE_TAGS=""
--- a/src/docker/install-service.sh
+++ b/src/docker/install-service.sh
@ -0,0 +1,79 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # Add Docker's official GPG key:
 install -m 0755 -d /etc/apt/keyrings
 curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
 chmod a+r /etc/apt/keyrings/docker.gpg
 # Add the repository to Apt sources:
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 SECRET=$(random_password)
 myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
 install_portainer_full() {
    mkdir -p /opt/portainer/data
    cd /opt/portainer
    cat << EOF > /opt/portainer/docker-compose.yml
 version: "3.4"
 services:
  portainer:
    restart: always
    image: portainer/portainer:latest
    volumes:
      - ./data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "8000:8000"
      - "9443:9443"
    command: --admin-password-file=/data/admin_password
 EOF
    echo -n "$SECRET" > ./data/admin_password
    docker compose pull
    docker compose up -d
    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
 }
 install_portainer_agent() {
    mkdir -p /opt/portainer-agent/data
    cd /opt/portainer-agent
    cat << EOF > /opt/portainer-agent/docker-compose.yml
 version: "3.4"
 services:
  portainer:
    restart: always  
    image: portainer/agent:latest
    volumes:
      - /var/lib/docker/volumes:/var/lib/docker/volumes
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "9001:9001"
 EOF
    docker compose pull
    docker compose up -d
    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
 }
 case $PORTAINER in
  full) install_portainer_full ;;
  agent) install_portainer_agent ;;
  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
 esac
--- a/src/ecodms/constants-service.conf
+++ b/src/ecodms/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,8 +23,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # set ecodms release version
-ECODMS_RELEASE=ecodms_220864
+ECODMS_RELEASE=ecodms_230164
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=6144
--- a/src/freescout/constants-service.conf
+++ b/src/freescout/constants-service.conf
@ -0,0 +1,33 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/freescout/install-service.sh
+++ b/src/freescout/install-service.sh
@ -0,0 +1,133 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 webroot=/var/www/html
 LXC_RANDOMPWD=20
 MYSQL_PASSWORD="$(random_password)"
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git
 echo ‘cgi.fix_pathinfo=0’ >> /etc/php/8.2/fpm/php.ini
 cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
 }
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
    root $webroot/freescout/public;
    index index.php index.html index.htm;
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    client_max_body_size 20M;
    location / {
        try_files \$uri \$uri/ /index.php?\$query_string;
    }
    location ~ .php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    	include fastcgi_params;
    }
    location ^~ /storage/app/attachment/ {
        internal;
        alias /var/www/html/storage/app/attachment/;
    }
    location ~* ^/storage/attachment/ {
        expires 1M;
        access_log off;
        try_files \$uri \$uri/ /index.php?\$query_string;
    }
    location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
        expires 2d;
        access_log off;
        add_header Cache-Control "public, must-revalidate";
    }
    # The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
    location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
        add_header Content-disposition "attachment; filename=\$2";
        default_type application/octet-stream;
    }	
    location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\\\\]+\..*)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }
    location ~ /\. {
        deny  all;
    }
 }
 EOF
 rm /var/www/html/*nginx*.html
 mkdir -p /etc/nginx/ssl
 ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
 ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
 mysql -uroot -e "CREATE USER 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
 GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
 CREATE DATABASE IF NOT EXISTS freescout;
 GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
 curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
 cd $webroot
 tar -vxf freescout.tar.gz
 dir=$(ls -d freescout-helpdesk-freescout*)
 mv -v $dir freescout
 chown -R www-data:www-data /var/www/html
 find /var/www/html -type f -exec chmod 664 {} \;    
 find /var/www/html -type d -exec chmod 775 {} \;
 cd $webroot/freescout
 APP_KEY=$(sudo -u www-data php artisan key:generate --show)
 sudo -u www-data sed -e "s|APP_URL=.*|APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}|" -e "s|DB_DATABASE=|DB_DATABASE=freescout|" -e "s|DB_USERNAME=|DB_USERNAME=freescout|" -e "s|DB_PASSWORD=|DB_PASSWORD=${MYSQL_PASSWORD}|" -e "s|APP_KEY=|APP_KEY=${APP_KEY}|" .env.example > .env
 sudo -u www-data php artisan freescout:clear-cache
 sudo -u www-data php artisan storage:link
 sudo -u www-data php artisan migrate -n --force
 FS_PASSWORD=$(random_password)
 sudo -u www-data php artisan freescout:create-user -n --role=admin --firstName=$FS_FIRSTNAME --lastName=$FS_LASTNAME --email=$FS_EMAIL --password=$FS_PASSWORD
 cat << EOF > /etc/cron.d/freescout 
 * * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
 EOF
 systemctl enable --now php8.2-fpm
 systemctl restart php8.2-fpm nginx
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
 echo -e "Your freescout installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttps://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\t$FS_EMAIL\nPassword:\t$FS_PASSWORD\n"
--- a/src/functions.sh
+++ b/src/functions.sh
@ -5,5 +5,48 @@ LXC_RANDOMPWD=32
 random_password() {
    set +o pipefail
-    C_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
+    LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
-}
+}
 generate_dhparam() {
    openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 2048
    cat << EOF > /etc/cron.monthly/generate-dhparams
 #!/bin/bash
 openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
 mv /etc/nginx/dhparam.gen /etc/nginx/dhparam.pem
 systemctl restart nginx
 EOF
    chmod +x /etc/cron.monthly/generate-dhparams
 }
 apt_repo() {
    apt_name=$1
    apt_key_url=$2
    apt_key_path=/usr/share/keyrings/${apt_name}.gpg
    apt_repo_url=$3
    wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
    echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
 }
 #### Set repo and install Nginx ####
 inst_nginx() {
    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
 }
 #### Set repo and install PHP ####
 inst_php() {
    curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
    echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
 }
 #### Set repo and install Postgresql ####
 inst_postgresql() {
    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
 }
 #### Set repo and install Crowdsec ####
 inst_crowdsec() {
    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
 }
--- a/src/gitea/constants-service.conf
+++ b/src/gitea/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the IP from the SQL server
 GITEA_DB_IP="127.0.0.1"
--- a/src/gitea/install-service.sh
+++ b/src/gitea/install-service.sh
@ -9,11 +9,11 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
-echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
-echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
@ -120,6 +120,10 @@ chown -R root:git /etc/gitea
 chmod 770 /etc/gitea
 chmod 770 /etc/gitea/app.ini
 if [ -f /etc/nginx/sites-enabled/default ]; then
  unlink /etc/nginx/sites-enabled/default
 fi
 cat << EOF > /etc/nginx/conf.d/default.conf
 server {
    listen 80;
@ -177,7 +181,7 @@ server {
 }
 EOF
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+generate_dhparam
 systemctl daemon-reload
 systemctl enable --now gitea
--- a/src/kimai/constants-service.conf
+++ b/src/kimai/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,11 +23,14 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
-KIMAI_VERSION="main"
+#KIMAI_VERSION="main"
 # Defines the php version to install
-KIMAI_PHP_VERSION="8.1"
+KIMAI_PHP_VERSION="8.2"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@ -14,14 +14,14 @@ source /root/constants-service.conf
 KIMAI_DB_PWD=$(random_password)
 webroot=/var/www/kimai/public
-wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
-echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php8.1 php8.1-intl php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-mbstring php8.1-gd php8.1-tokenizer php8.1-zip php8.1-opcache php8.1-curl
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
@ -132,7 +132,12 @@ rm composer-setup.php
 mv composer.phar /usr/local/bin/composer
 cd /var/www
-git clone https://github.com/kimai/kimai.git --branch $KIMAI_VERSION --depth 1
+dl=$(curl -s https://api.github.com/repos/kimai/kimai/releases/latest | grep tarball_url | cut -d'"' -f4)
 version=$(echo $dl | rev | cut -d'/' -f1 | rev)
 wget -O kimai-${version}.tar.gz ${dl}
 tar xfz kimai-${version}.tar.gz
 rm kimai-${version}.tar.gz
 mv kimai-* kimai
 cd kimai
 # Install kimai composer dependencies
@ -142,7 +147,7 @@ export COMPOSER_ALLOW_SUPERUSER=1
 # Copy and update kimai environment variables
 cat << EOF > .env
 # For more infos about the variables, see .env.dist
-DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.5.8
+DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.11.3
 MAILER_FROM=admin@$LXC_DOMAIN
 MAILER_URL=null://null
 APP_ENV=prod
@ -150,14 +155,14 @@ APP_SECRET=$(random_password)
 CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
 EOF
 chown -R www-data:www-data .
 chmod -R g+r .
 chmod -R g+rw var/
 bin/console kimai:install -n
 bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
 chown -R www-data:www-data .
 chmod -R g+r .
 chmod -R g+rw var/
 systemctl daemon-reload
 systemctl enable --now php${PHP_VERSION}-fpm nginx
 systemctl restart php${PHP_VERSION}-fpm nginx
--- a/src/kopano-core/constants-service.conf
+++ b/src/kopano-core/constants-service.conf
@ -11,7 +11,11 @@
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 KOPANO_VERSION="latest"
--- a/src/kopano-core/install-service.sh
+++ b/src/kopano-core/install-service.sh
@ -149,7 +149,7 @@ sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kop
 #### Adjust nginx settings ####
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
-openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+generate_dhparam
 #mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
@ -187,7 +187,7 @@ server {
    ssl_prefer_server_ciphers on;
    #
    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
-    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    ssl_dhparam /etc/nginx/dhparam.pem;
    #
    # add headers
--- a/src/lxc-base.sh
+++ b/src/lxc-base.sh
@ -24,27 +24,39 @@ EOF
 locale-gen $LXC_LOCALE 
 # Generate sources
-if [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
+if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
-deb http://debian.inf.tu-dresden.de/debian bullseye main contrib
+deb http://deb.debian.org/debian/ buster main contrib
-deb http://debian.inf.tu-dresden.de/debian bullseye-updates main contrib
+deb http://deb.debian.org/debian/ buster-updates main contrib
 # security updates
-deb http://debian.inf.tu-dresden.de/debian-security bullseye-security main contrib
+deb http://security.debian.org/debian-security buster/updates main contrib
 EOF
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
-deb http://debian.inf.tu-dresden.de/debian buster main contrib
+deb http://deb.debian.org/debian/ bullseye main contrib
-deb http://debian.inf.tu-dresden.de/debian buster-updates main contrib
+deb http://deb.debian.org/debian/ bullseye-updates main contrib
 # security updates
-deb http://debian.inf.tu-dresden.de/debian-security buster/updates main contrib
+deb http://security.debian.org/debian-security bullseye-security main contrib
 EOF
 elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
 deb http://deb.debian.org/debian/ bookworm main contrib
 deb http://deb.debian.org/debian/ bookworm-updates main contrib
 # security updates
 deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
 else echo "LXC Debian Version false. Please check configuration files!" ; exit
 fi
--- a/src/mailcow/constants-service.conf
+++ b/src/mailcow/constants-service.conf
@ -0,0 +1,33 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="backup"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="1"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=8192
 # service dependent meta tags
 SERVICE_TAGS="docker"
--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@ -0,0 +1,438 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # Add Docker's official GPG key:
 install -m 0755 -d /etc/apt/keyrings
 curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
 chmod a+r /etc/apt/keyrings/docker.gpg
 # Add the repository to Apt sources:
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
 SECRET=$(random_password)
 myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
 install_portainer_full() {
    mkdir -p /opt/portainer/data
    cd /opt/portainer
    cat << EOF > /opt/portainer/docker-compose.yml
 version: "3.4"
 services:
  portainer:
    restart: always
    image: portainer/portainer:latest
    volumes:
      - ./data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "8000:8000"
      - "9443:9443"
    command: --admin-password-file=/data/admin_password
 EOF
    echo -n "$SECRET" > ./data/admin_password
    docker compose pull
    docker compose up -d
    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
 }
 install_portainer_agent() {
    mkdir -p /opt/portainer-agent/data
    cd /opt/portainer-agent
    cat << EOF > /opt/portainer-agent/docker-compose.yml
 version: "3.4"
 services:
  portainer:
    restart: always  
    image: portainer/agent:latest
    volumes:
      - /var/lib/docker/volumes:/var/lib/docker/volumes
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "9001:9001"
 EOF
    docker compose pull
    docker compose up -d
    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
 }
 cd /opt
 git clone https://github.com/mailcow/mailcow-dockerized
 cd mailcow-dockerized
 cat << EOF > mailcow.conf
 # ------------------------------
 # mailcow web ui configuration
 # ------------------------------
 # example.org is _not_ a valid hostname, use a fqdn here.
 # Default admin user is "admin"
 # Default password is "moohoo"
 MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
 # Password hash algorithm
 # Only certain password hash algorithm are supported. For a fully list of supported schemes,
 # see https://docs.mailcow.email/models/model-passwd/
 MAILCOW_PASS_SCHEME=BLF-CRYPT
 # ------------------------------
 # SQL database configuration
 # ------------------------------
 DBNAME=mailcow
 DBUSER=mailcow
 # Please use long, random alphanumeric strings (A-Za-z0-9)
 DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 # ------------------------------
 # HTTP/S Bindings
 # ------------------------------
 # You should use HTTPS, but in case of SSL offloaded reverse proxies:
 # Might be important: This will also change the binding within the container.
 # If you use a proxy within Docker, point it to the ports you set below.
 # Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
 # IMPORTANT: Do not use port 8081, 9081 or 65510!
 # Example: HTTP_BIND=1.2.3.4
 # For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
 # For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
 HTTP_PORT=80
 HTTP_BIND=
 HTTPS_PORT=443
 HTTPS_BIND=
 # ------------------------------
 # Other bindings
 # ------------------------------
 # You should leave that alone
 # Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
 SMTP_PORT=25
 SMTPS_PORT=465
 SUBMISSION_PORT=587
 IMAP_PORT=143
 IMAPS_PORT=993
 POP_PORT=110
 POPS_PORT=995
 SIEVE_PORT=4190
 DOVEADM_PORT=127.0.0.1:19991
 SQL_PORT=127.0.0.1:13306
 REDIS_PORT=127.0.0.1:7654
 # Your timezone
 # See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
 # Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
 TZ=${LXC_TIMEZONE}
 # Fixed project name
 # Please use lowercase letters only
 COMPOSE_PROJECT_NAME=mailcowdockerized
 # Used Docker Compose version
 # Switch here between native (compose plugin) and standalone
 # For more informations take a look at the mailcow docs regarding the configuration options.
 # Normally this should be untouched but if you decided to use either of those you can switch it manually here.
 # Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
 DOCKER_COMPOSE_VERSION=native
 # Set this to "allow" to enable the anyone pseudo user. Disabled by default.
 # When enabled, ACL can be created, that apply to "All authenticated users"
 # This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
 # Otherwise a user might share data with too many other users.
 ACL_ANYONE=disallow
 # Garbage collector cleanup
 # Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
 # How long should objects remain in the garbage until they are being deleted? (value in minutes)
 # Check interval is hourly
 MAILDIR_GC_TIME=7200
 # Additional SAN for the certificate
 #
 # You can use wildcard records to create specific names for every domain you add to mailcow.
 # Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
 #ADDITIONAL_SAN=imap.*,smtp.*
 # This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
 # plus every domain you add in the future.
 #
 # You can also just add static names...
 #ADDITIONAL_SAN=srv1.example.net
 # ...or combine wildcard and static names:
 #ADDITIONAL_SAN=imap.*,srv1.example.com
 #
 ADDITIONAL_SAN=
 # Additional server names for mailcow UI
 #
 # Specify alternative addresses for the mailcow UI to respond to
 # This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
 # If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
 # You can understand this as server_name directive in Nginx.
 # Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
 ADDITIONAL_SERVER_NAMES=
 # Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
 SKIP_LETS_ENCRYPT=y
 # Create seperate certificates for all domains - y/n
 # this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
 # see https://doc.dovecot.org/admin_manual/ssl/sni_support
 ENABLE_SSL_SNI=n
 # Skip IPv4 check in ACME container - y/n
 SKIP_IP_CHECK=n
 # Skip HTTP verification in ACME container - y/n
 SKIP_HTTP_VERIFICATION=n
 # Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
 SKIP_CLAMD=n
 # Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
 SKIP_SOGO=n
 # Allow admins to log into SOGo as email user (without any password)
 ALLOW_ADMIN_EMAIL_LOGIN=n
 # Enable watchdog (watchdog-mailcow) to restart unhealthy containers
 USE_WATCHDOG=y
 # Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
 # CAUTION:
 # 1. You should use external recipients
 # 2. Mails are sent unsigned (no DKIM)
 # 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
 # Multiple rcpts allowed, NO quotation marks, NO spaces
 #WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
 #WATCHDOG_NOTIFY_EMAIL=
 # Send notifications to a webhook URL that receives a POST request with the content type "application/json".
 # You can use this to send notifications to services like Discord, Slack and others.
 #WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 # JSON body included in the webhook POST request. Needs to be in single quotes.
 # Following variables are available: SUBJECT, BODY
 #WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
 # Notify about banned IP (includes whois lookup)
 WATCHDOG_NOTIFY_BAN=n
 # Send a notification when the watchdog is started.
 WATCHDOG_NOTIFY_START=y
 # Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
 #WATCHDOG_SUBJECT=
 # Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
 # https://www.servercow.de/mailcow?lang=en
 # https://www.servercow.de/mailcow?lang=de
 # No data is collected. Opt-in and anonymous.
 # Will only work with unmodified mailcow setups.
 WATCHDOG_EXTERNAL_CHECKS=n
 # Enable watchdog verbose logging
 WATCHDOG_VERBOSE=n
 # Max log lines per service to keep in Redis logs
 LOG_LINES=9999
 # Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
 # Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
 IPV4_NETWORK=172.22.1
 # Internal IPv6 subnet in fc00::/7
 # Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
 IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
 # Use this IPv4 for outgoing connections (SNAT)
 #SNAT_TO_SOURCE=
 # Use this IPv6 for outgoing connections (SNAT)
 #SNAT6_TO_SOURCE=
 # Create or override an API key for the web UI
 # You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
 # An API key defined as API_KEY has read-write access
 # An API key defined as API_KEY_READ_ONLY has read-only access
 # Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
 # You can define API_KEY and/or API_KEY_READ_ONLY
 #API_KEY=
 #API_KEY_READ_ONLY=
 #API_ALLOW_FROM=172.22.1.1,127.0.0.1
 # mail_home is ~/Maildir
 MAILDIR_SUB=Maildir
 # SOGo session timeout in minutes
 SOGO_EXPIRE_SESSION=480
 # DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
 # Empty by default to auto-generate master user and password on start.
 # User expands to DOVECOT_MASTER_USER@mailcow.local
 # LEAVE EMPTY IF UNSURE
 DOVECOT_MASTER_USER=
 # LEAVE EMPTY IF UNSURE
 DOVECOT_MASTER_PASS=
 # Let's Encrypt registration contact information
 # Optional: Leave empty for none
 # This value is only used on first order!
 # Setting it at a later point will require the following steps:
 # https://docs.mailcow.email/troubleshooting/debug-reset_tls/
 ACME_CONTACT=
 # WebAuthn device manufacturer verification
 # After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
 # root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
 WEBAUTHN_ONLY_TRUSTED_VENDORS=n
 # Spamhaus Data Query Service Key
 # Optional: Leave empty for none
 # Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist. 
 # If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
 # Otherwise it will work normally.
 SPAMHAUS_DQS_KEY=
 # Obtain certificates for autodiscover.* and autoconfig.* domains.
 # This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
 # There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
 # between services. So acme-mailcow obtains for maildomains and all web-things get handled
 # in the reverse proxy.
 AUTODISCOVER_SAN=y
 # Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n
 SKIP_UNBOUND_HEALTHCHECK=n
 # Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
 # CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
 DISABLE_NETFILTER_ISOLATION_RULE=n
 # ------------------------------
 # REDIS configuration
 # ------------------------------
 REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 # Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.
 # Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.
 # Please always monitor your Resource consumption!
 FTS_HEAP=128
 # Controls how many processes the Dovecot indexing process can spawn at max.
 # Too many indexing processes can use a lot of CPU and Disk I/O
 # Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations
 FTS_PROCS=1
 # Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.
 # Dovecot inside mailcow use Flatcurve as FTS Backend.
 SKIP_FTS=y
 # Redirect HTTP connections to HTTPS - y/n
 HTTP_REDIRECT=y
 EOF
 cat << EOF > data/conf/nginx/redirect.conf
 server {
  root /web;
  listen 80 default_server;
  listen [::]:80 default_server;
  include /etc/nginx/conf.d/server_name.active;
  if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
  }
  location / {
    return 301 https://\$host\$uri\$is_args\$args;
  }
 }
 EOF
 cat << EOF > /etc/cron.daily/mailcowbackup
 #!/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized
 40 2 * * * rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes
 5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3
 EOF
 chmod +x /etc/cron.daily/mailcowbackup
 cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
 #!/bin/bash
 if ! which check_mk_agent ; then
  cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
  status=\$?
  if [ \$status -eq 3 ]; then
    state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
  elif [ \$status -eq 0 ]; then
    state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
  else
    state="3 \"mailcow_update\" - Unknown output from update script ..."
  fi
  echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
  mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
 fi
 exit
 EOF
 chmod +x /etc/cron.daily/checkmk-mailcow-update-check
 chmod 600 mailcow.conf
 mkdir -p data/assets/ssl
 openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
 openssl dhparam -out data/assets/ssl/dhparams.pem 2048
 cat << EOF > /etc/cron.monthly/generate-dhparams
 #!/bin/bash
 openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
 mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
 systemctl restart nginx
 EOF
 chmod +x /etc/cron.monthly/generate-dhparams
 docker compose pull
 docker compose up -d
 case $PORTAINER in
  full) install_portainer_full ;;
  agent) install_portainer_agent ;;
  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
 esac
--- a/src/mailpiler/install-service.sh
+++ b/src/mailpiler/install-service.sh
@ -1,189 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 HOSTNAME=$(hostname -f)
 echo "Ensure your Hostname is set to your Piler FQDN!"
 echo $HOSTNAME
 if 
    [ "$HOSTNAME" != "$PILER_FQDN" ]
 then
        echo "Hostname doesn't match $PILER_FQDN! Check install.sh, /etc/hosts, /etc/hostname." && exit
 else
        echo "Hostname matches $PILER_FQDN, so starting installation."
 fi
 # install php
 wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
 echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
 apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
 add-apt-repository "deb [arch=amd64] https://mirror.wtnet.de/mariadb/repo/10.5/debian $(lsb_release -cs) main"
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq build-essential libwrap0-dev libpst-dev tnef libytnef0-dev \
 unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 libpoppler-dev openssl libssl-dev memcached telnet nginx \
 mariadb-server default-libmysqlclient-dev python3-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23 \
 php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt remove --purge -y -qq postfix
 cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
 innodb_buffer_pool_size=256M
 innodb_flush_log_at_trx_commit=1
 innodb_log_buffer_size=64M
 innodb_log_file_size=16M
 query_cache_size=0
 query_cache_type=0
 query_cache_limit=2M
 EOF
 systemctl restart mariadb
 cd /tmp
 wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
 tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
 groupadd piler
 useradd -g piler -m -s /bin/bash -d /var/piler piler
 usermod -L piler
 chmod 755 /var/piler
 if [[ "$PILER_VERSION" == "latest" ]]; then
        URL=$(curl -s https://www.mailpiler.org/wiki/download | grep "https://bitbucket.org/jsuto/piler/downloads/piler-" | cut -d '"' -f2)
        PILER_VERSION=$(echo $URL | cut -d'-' -f2 | cut -d'.' -f1-3)
        wget -O piler-$PILER_VERSION.tar.gz $URL
 else
        wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
 fi
 tar -xvzf piler-$PILER_VERSION.tar.gz
 cd piler-$PILER_VERSION/
 ./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
 make
 make install
 ldconfig
 cp util/postinstall.sh util/postinstall.sh.bak
 sed -i "s/   PILER_SMARTHOST=.*/   PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
 sed -i 's/   WWWGROUP=.*/   WWWGROUP="www-data"/' util/postinstall.sh
 make postinstall
 cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
 sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
 sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
 su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
 /etc/init.d/rc.piler start
 /etc/init.d/rc.searchd start
 update-rc.d rc.piler defaults
 update-rc.d rc.searchd defaults
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
 cd /etc/nginx/sites-available
 cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
 ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
 sed -i "s|PILER_HOST|$PILER_FQDN|g" /etc/nginx/sites-available/piler-nginx.conf
 sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
 sed -i "/server_name.*/a \\
        listen 443 ssl http2;\n\n\
        ssl_certificate /etc/nginx/ssl/piler.crt;\n\
        ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
        ssl_session_timeout 1d;\n\
        ssl_session_cache shared:SSL:15m;\n\
        ssl_session_tickets off;\n\n\
        # modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
        ssl_protocols TLSv1.2 TLSv1.3;\n\
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
        ssl_prefer_server_ciphers off;\n\n\
        add_header X-Frame-Options SAMEORIGIN;\n\
        add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
 sed -i "/^server {.*/i\
 server {\n\
        listen 80;\n\
        server_name _;\n\
        server_tokens off;\n\
        # HTTP to HTTPS redirect.\n\
        return 301 https://$PILER_FQDN;\n\
 }" /etc/nginx/sites-available/piler-nginx.conf
 unlink /etc/nginx/sites-enabled/default
 cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
 sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
 cat >> /usr/local/etc/piler/config-site.php <<EOF
 // CUSTOM
 \$config['PROVIDED_BY'] = '$PILER_FQDN';
 \$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
 \$config['COMPATIBILITY'] = '';
 // fancy features.
 \$config['ENABLE_INSTANT_SEARCH'] = 1;
 \$config['ENABLE_TABLE_RESIZE'] = 1;
 \$config['ENABLE_DELETE'] = 1;
 \$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
 // general settings.
 \$config['TIMEZONE'] = '$LXC_TIMEZONE';
 // authentication
 // Enable authentication against an imap server
 //\$config['ENABLE_IMAP_AUTH'] = 1;
 //\$config['RESTORE_OVER_IMAP'] = 1;
 //\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
 //\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
 //\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
 //\$config['IMAP_PORT'] =  993;
 //\$config['IMAP_SSL'] = true;
 // authentication against an ldap directory (disabled by default)
 //\$config['ENABLE_LDAP_AUTH'] = 1;
 //\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
 //\$config['LDAP_PORT'] = 389;
 //\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
 //\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
 //\$config['LDAP_MAIL_ATTR'] = 'mail';
 //\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
 //\$config['LDAP_ADMIN_MEMBER_DN'] = '';
 //\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
 // authentication against an Uninvention based ldap directory 
 //\$config['ENABLE_LDAP_AUTH'] = 1;
 //\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
 //\$config['LDAP_PORT'] = 7389;
 //\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
 //\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
 //\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
 //\$config['LDAP_ADMIN_MEMBER_DN'] = '';
 //\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
 //\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
 //\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
 //\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
 //\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
 // special settings.
 \$config['MEMCACHED_ENABLED'] = 1;
 \$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
 EOF
 nginx -t && systemctl restart nginx
--- a/src/matrix/constants-service.conf
+++ b/src/matrix/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/matrix/install-service.sh
+++ b/src/matrix/install-service.sh
@ -27,7 +27,7 @@ systemctl enable matrix-synapse
 ss -tulpen
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
 cat > /etc/nginx/sites-available/$MATRIX_FQDN <<EOF
@ -120,10 +120,10 @@ cd /var/www
 wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
 gpg --import element-release-key.asc
-MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/vector-im/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
+MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/element-hq/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
-wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
-wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
@ -147,10 +147,13 @@ sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-sy
 sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n    user: $ELE_DBUSER\n    password: $ELE_DBPASS\n    host: 127.0.0.1\n    cp_min: 5\n    cp_max: 10|" /etc/matrix-synapse/homeserver.yaml
 reg_secret=$(random_password)
 echo -e "registration_shared_secret: \"$reg_secret\"" > /etc/matrix-synapse/conf.d/registration.yaml
 systemctl restart matrix-synapse
 rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
-register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
 echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,11 +23,17 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 NEXTCLOUD_VERSION="latest"
 # Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.1"
+NEXTCLOUD_PHP_VERSION="8.3"
 # Defines the postgresql version to install
 POSTGRES_VERSION=16 
 # Defines the IP from the SQL server
 NEXTCLOUD_DB_IP="127.0.0.1"
@ -44,4 +54,4 @@ NEXTCLOUD_DB_PWD="$(random_password)"
 LXC_MEM_MIN=4096
 # service dependent meta tags
-SERVICE_TAGS="php-fpm,nginx,postgresql"
+SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@ -5,127 +5,68 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 NEXTCLOUD_ADMIN_PWD=$(random_password)
 source /root/zamba.conf
 source /root/constants-service.conf
 NEXTCLOUD_ADMIN_PWD=$(random_password)
 NEXTCLOUD_REDIS_PWD=$(random_password)
 HOSTNAME=$(hostname -f)
 HOST_IP=$(hostname -i)
-wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+#### Modify Nginx for Nextcloud ####
-echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+mod_nginx() {
 wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
 echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
 wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
 echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
 postgresql-13 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
 timedatectl set-timezone $LXC_TIMEZONE
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 #### Create database for nextcloud ####
 su - postgres <<EOF
 psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
 psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
 echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
 EOF
 #### Adjust php settings ####
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
 cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
 sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
 sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
 sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
 sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
 sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
 #### Adjust nginx settings ####
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
-openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
+generate_dhparam
 mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 cat > /etc/nginx/nginx.conf <<EOF
 user www-data;
 worker_processes auto;
 pid /var/run/nginx.pid;
 events {
-worker_connections 1024;
+  worker_connections 2048;
-multi_accept on; use epoll;
+  multi_accept on;
  use epoll;
 }
 http {
-server_names_hash_bucket_size 64;
+  log_format bashclub escape=json
-access_log /var/log/nginx/access.log;
+  '{'
-error_log /var/log/nginx/error.log warn;
+    '"time_local":"\$time_local",'
-set_real_ip_from 127.0.0.1;
+    '"remote_addr":"\$remote_addr",'
-#optional, Sie können das eigene Subnetz ergänzen, bspw.:
+    '"remote_user":"\$remote_user",'
-# set_real_ip_from $LXC_IP;
+    '"request":"\$request",'
-real_ip_header X-Forwarded-For;
+    '"status": "\$status",'
-real_ip_recursive on;
+    '"body_bytes_sent":"\$body_bytes_sent",'
-include /etc/nginx/mime.types;
+    '"request_time":"\$request_time",'
-default_type application/octet-stream;
+    '"http_referrer":"\$http_referer",'
-sendfile on;
+    '"http_user_agent":"\$http_user_agent"'
-send_timeout 3600;
+  '}';
-tcp_nopush on;
+  server_names_hash_bucket_size 64;
-tcp_nodelay on;
+  access_log /var/log/nginx/access.log;
-open_file_cache max=500 inactive=10m;
+  error_log /var/log/nginx/error.log warn;
-open_file_cache_errors on;
+  set_real_ip_from 127.0.0.1;
-keepalive_timeout 65;
+  # optional, set reverse proxy ip, if used:
-reset_timedout_connection on;
+  # set_real_ip_from $NEXTCLOUD_REVPROX;
-server_tokens off;
+  real_ip_header X-Forwarded-For;
-resolver 127.0.0.53 valid=30s;
+  real_ip_recursive on;
-resolver_timeout 5s;
+  include /etc/nginx/mime.types;
-include /etc/nginx/conf.d/*.conf;
+  default_type application/octet-stream;
  sendfile on;
  send_timeout 3600;
  tcp_nopush on;
  tcp_nodelay on;
  open_file_cache max=500 inactive=10m;
  open_file_cache_errors on;
  keepalive_timeout 65;
  reset_timedout_connection on;
  server_tokens off;
  resolver $NEXTCLOUD_REVPROX valid=30s;
  resolver_timeout 5s;
  include /etc/nginx/conf.d/*.conf;
 }
 EOF
@ -134,162 +75,311 @@ touch /etc/nginx/conf.d/default.conf
 cat > /etc/nginx/conf.d/http.conf << EOF
 upstream php-handler {
-server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
+  server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
 }
 map \$arg_v \$asset_immutable {
  "" "";
  default "immutable";
 }
 server {
-listen 80 default_server;
+  listen 80 default_server;
-listen [::]:80 default_server;
+  listen [::]:80 default_server;
-server_name $NEXTCLOUD_FQDN;
+  server_name $NEXTCLOUD_FQDN;
-root /var/www;
+  root /var/www;
-location / {
+  location ^~ /.well-known/acme-challenge {
-return 301 https://\$host\$request_uri;
+    default_type text/plain;
-}
+    root /var/www/letsencrypt;
  }
  location / {
    return 301 https://\$host\$request_uri;
  }  
 }
 EOF
 cat > /etc/nginx/conf.d/nextcloud.conf << EOF
 limit_req_zone \$binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s;
 server {
-listen 443      ssl http2;
+  listen 443 ssl default_server;
-listen [::]:443 ssl http2;
+  listen [::]:443 ssl default_server;
-server_name $NEXTCLOUD_FQDN;
+  http2 on;
-ssl_certificate /etc/ssl/certs/nextcloud.crt;
+  #listen 443 quic reuseport;
-ssl_certificate_key /etc/ssl/private/nextcloud.key;
+  #listen [::]:443 quic reuseport;
-ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
+  #http3 on;
-#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
+  #http3_hq on;
-#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
+  #quic_retry on;
-#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
+  server_name $NEXTCLOUD_FQDN;
-#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
+  ssl_certificate /etc/ssl/certs/nextcloud.crt;
-#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
+  ssl_certificate_key /etc/ssl/private/nextcloud.key;
-ssl_dhparam /etc/ssl/certs/dhparam.pem;
+  ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
-ssl_session_timeout 1d;
+  #ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
-ssl_session_cache shared:SSL:50m;
+  #ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
-ssl_session_tickets off;
+  #ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
-ssl_protocols TLSv1.3 TLSv1.2;
+  #ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
-ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
+  #ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
-ssl_ecdh_curve X448:secp521r1:secp384r1;
+  ssl_dhparam /etc/nginx/dhparam.pem;
-ssl_prefer_server_ciphers on;
+  ssl_session_timeout 1d;
-ssl_stapling on;
+  ssl_session_cache shared:SSL:50m;
-ssl_stapling_verify on;
+  ssl_session_tickets off;
-client_max_body_size 5120M;
+  ssl_protocols TLSv1.3 TLSv1.2;
-fastcgi_buffers 64 4K;
+  ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
-gzip on;
+  ssl_prefer_server_ciphers on;
-gzip_vary on;
+  ssl_stapling on;
-gzip_comp_level 4;
+  ssl_stapling_verify on;
-gzip_min_length 256;
+  client_max_body_size 10G;
-gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+  client_body_timeout 3600s;
-gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+  client_body_buffer_size 512k;
-add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
+  fastcgi_buffers 64 4K;
-add_header Permissions-Policy                   "interest-cohort=()";
+  gzip on;
-add_header Referrer-Policy                      "no-referrer"   always;
+  gzip_vary on;
-add_header X-Content-Type-Options               "nosniff"       always;
+  gzip_comp_level 4;
-add_header X-Download-Options                   "noopen"        always;
+  gzip_min_length 256;
-add_header X-Frame-Options                      "SAMEORIGIN"    always;
+  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+  gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-add_header X-Robots-Tag                         "none"          always;
+  add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
-add_header X-XSS-Protection                     "1; mode=block" always;
+  add_header Permissions-Policy                   "interest-cohort=()";
-fastcgi_hide_header X-Powered-By;
+  add_header Referrer-Policy                      "no-referrer"   always;
-fastcgi_read_timeout 3600;
+  add_header X-Content-Type-Options               "nosniff"       always;
-fastcgi_send_timeout 3600;
+  add_header X-Download-Options                   "noopen"        always;
-fastcgi_connect_timeout 3600;
+  add_header X-Frame-Options                      "SAMEORIGIN"    always;
-root /var/www/nextcloud;
+  add_header X-Permitted-Cross-Domain-Policies    "none"          always;
-index index.php index.html /index.php\$request_uri;
+  add_header X-Robots-Tag                         "noindex, nofollow" always;
-expires 1m;
+  add_header X-XSS-Protection                     "1; mode=block" always;
-location = / {
+  add_header Alt-Svc                              'h3=":\$server_port"; ma=86400';
-if ( \$http_user_agent ~ ^DavClnt ) {
+  add_header x-quic                               'h3';
-return 302 /remote.php/webdav/\$is_args\$args;
+  add_header Alt-Svc                              'h3-29=":\$server_port"';
-}
+  fastcgi_hide_header X-Powered-By;
-}
+  include mime.types;
-location = /robots.txt {
+  types {
-allow all;
+    text/javascript mjs;
-log_not_found off;
+  }
-access_log off;
+  root /var/www/nextcloud;
-}
+  index index.php index.html /index.php\$request_uri;
-location ^~ /apps/rainloop/app/data {
+  location = / {
-deny all;
+    if ( \$http_user_agent ~ ^DavClnt ) {
-}
+      return 302 /remote.php/webdav/\$is_args\$args;
-location ^~ /.well-known {
+    }
-location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+  }
-location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+  location = /robots.txt {
-location ^~ /.well-known            { return 301 /index.php/\$uri; }
+    allow all;
-try_files \$uri \$uri/ =404;
+    log_not_found off;
-}
+    access_log off;
-location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/)  { return 404; }
+  }
-location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+  location ^~ /.well-known {
-location ~ \.php(?:\$|/) {
+    location = /.well-known/carddav { return 301 /remote.php/dav/; }
-rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
-fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
+    location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; }
-set \$path_info \$fastcgi_path_info;
+    location /.well-known/pki-validation { try_files \$uri \$uri/ =404; }
-try_files \$fastcgi_script_name =404;
+    return 301 /index.php\$request_uri;
-include fastcgi_params;
+  }
-fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
-fastcgi_param PATH_INFO \$path_info;
+  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
-fastcgi_param HTTPS on;
+  location ~ \.php(?:$|/) {
-fastcgi_param modHeadersAvailable true;
+    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php\$request_uri;
-fastcgi_param front_controller_active true;
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-fastcgi_pass php-handler;
+    set \$path_info \$fastcgi_path_info;
-fastcgi_intercept_errors on;
+    try_files \$fastcgi_script_name =404;
-fastcgi_request_buffering off;
+    include fastcgi_params;
-}
+    fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
-location ~ \.(?:css|js|svg|gif)\$ {
+    fastcgi_param PATH_INFO \$path_info;
-try_files \$uri /index.php\$request_uri;
+    fastcgi_param HTTPS on;
-expires 6M;
+    fastcgi_param modHeadersAvailable true;
-access_log off;
+    fastcgi_param front_controller_active true;
-}
+    fastcgi_pass php-handler;
-location ~ \.woff2?\$ {
+    fastcgi_intercept_errors on;
-try_files \$uri /index.php\$request_uri;
+    fastcgi_request_buffering off;
-expires 7d;
+    fastcgi_read_timeout 3600;
-access_log off;
+    fastcgi_send_timeout 3600;
-}
+    fastcgi_connect_timeout 3600;
-location / {
+    fastcgi_max_temp_file_size 0;
-try_files \$uri \$uri/ /index.php\$request_uri;
+  }
-}
+  location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
-location /push/ {
+    try_files \$uri /index.php\$request_uri;
-proxy_pass http://localhost:7867/;
+    add_header Cache-Control                     "public, max-age=15768000, \$asset_immutable";
-proxy_http_version 1.1;
+    add_header Permissions-Policy                "interest-cohort=()";
-proxy_set_header Upgrade \$http_upgrade;
+    add_header Referrer-Policy                   "no-referrer"       always;
-proxy_set_header Connection "Upgrade";
+    add_header X-Content-Type-Options            "nosniff"           always;
-proxy_set_header Host \$host;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
-proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
-}
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;
    add_header Alt-Svc                           'h3=":\$server_port"; ma=86400';
    add_header x-quic                            'h3';
    add_header Alt-Svc                           'h3-29=":\$server_port"';
    access_log off;
    expires 6M;
    access_log off;
    location ~ \.wasm$ {
      default_type application/wasm;
    }
  }
  location ~ \.(otf|woff2?)$ {
    try_files \$uri /index.php\$request_uri;
    expires 7d;
    access_log off;
  }
  location /remote {
    return 301 /remote.php\$request_uri;
  }
  location /login {
    limit_req zone=NextcloudRateLimit burst=5 nodelay;
    limit_req_status 429;
    try_files \$uri \$uri/ /index.php\$request_uri;
  }
  location / {
    try_files \$uri \$uri/ /index.php\$request_uri;
  }
  location ^~ /push/ {
    proxy_pass http://127.0.0.1:7867/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host \$host;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  }
 }
 EOF
 }
-systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
+#### Modify php settings for Nextcloud ####
 mod_php() {
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
 cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
-#### Adjust redis settings ####
+sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/pm.max_children =.*/pm.max_children = 200/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/pm.start_servers =.*/pm.start_servers = 100/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 60/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 140/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/;cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
 sed -i "s/memory_limit = 128M/memory_limit = 1G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.validate_timestamps=.*/opcache.validate_timestamps=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=256/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=100000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s/;opcache.huge_code_pages=.*/opcache.huge_code_pages=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
 sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
 sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
 sed -i '$aapc.enable_cli=1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
 sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
 sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
 sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
 sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
 sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
 sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
 sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
 sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
 sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
 sed -i '$apgsql.max_persistent = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
 sed -i '$apgsql.max_links = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
 sed -i '$apgsql.ignore_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
 sed -i '$apgsql.log_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
 }
 #### Modify Postgresql for Nextcloud ####
 mod_postgresql() {
 su - postgres <<EOF
    psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
    psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
    echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
 EOF
    cat > /etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf <<EOF
    max_connections = 200
    shared_buffers = 1GB
    effective_cache_size = 3GB
    maintenance_work_mem = 256MB
    checkpoint_completion_target = 0.9
    wal_buffers = 16MB
    default_statistics_target = 100
    random_page_cost = 1.1
    effective_io_concurrency = 200
    work_mem = 2621kB
    min_wal_size = 1GB
    max_wal_size = 4GB
    max_worker_processes = 4
    max_parallel_workers_per_gather = 2
    max_parallel_workers = 4
    max_parallel_maintenance_workers = 2
 EOF
 }
 #### Install and modify Redis-server ####
 inst_redis() {
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends redis-server
 }
 mod_redis() {
 cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
 sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
 sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
 sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
-sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
+sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
 sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
 usermod -aG redis www-data
 #### Adjust sysctl.conf settings ####
 cp /etc/sysctl.conf /etc/sysctl.conf.bak
-echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
+sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
-systemctl restart redis
+}
-#### HIER MÜSSTE EIN REBOOT REIN ####
+#### Install some more packages
-
+inst_packages() {
-
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra
-#### Install nextcloud ####
+timedatectl set-timezone $LXC_TIMEZONE
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 }
 #### Install and modify Nextcloud ####
 inst_nextcloud() {
 cd /usr/local/src
 wget https://download.nextcloud.com/server/releases/latest.tar.bz2
 wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
-md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
+md5sum -c --ignore-missing latest.tar.bz2.md5 < latest.tar.bz2
-
+tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2*
 tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
 cat > /root/permissions.sh << EOF
 #!/bin/bash
 find /var/www/ -type f -print0 | xargs -0 chmod 0640
 find /var/www/ -type d -print0 | xargs -0 chmod 0750
-chown -R www-data:www-data /var/www 
+if [ -d "/var/www/nextcloud/apps/notify_push" ]; then
 chmod ug+x /var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push
 fi
 chmod -R 770 /etc/letsencrypt 
 chown -R www-data:www-data /var/www
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
 chmod 0644 /var/www/nextcloud/.htaccess
 chmod 0644 /var/www/nextcloud/.user.ini
@ -298,39 +388,14 @@ EOF
 chmod +x /root/permissions.sh
 /root/permissions.sh
-
+}
 #### install fail2ban ####
 cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
 [Definition]
 _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
 failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
 datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
 EOF
 cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
 [nextcloud]
 backend = auto
 enabled = true
 port = 80,443
 protocol = tcp
 filter = nextcloud
 maxretry = 5
 bantime = 3600
 findtime = 36000
 logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log 
 EOF
 systemctl restart fail2ban
 #### Create configuration script for nextcloud, which will be executet as user www-data
 mod_nextcloudconfig() {
-cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
+systemctl stop nginx
-#!/bin/bash 
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \
 php /var/www/nextcloud/occ maintenance:install --database pgsql \
 --database-host $NEXTCLOUD_DB_IP \
 --database-port $NEXTCLOUD_DB_PORT \
 --database-name $NEXTCLOUD_DB_NAME \
@ -340,110 +405,176 @@ php /var/www/nextcloud/occ maintenance:install --database pgsql \
 --admin-pass $NEXTCLOUD_ADMIN_PWD \
 --data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
-php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
+sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
 php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
 cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
 sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
 sed -i '/);/d' /var/www/nextcloud/config/config.php
 sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
 sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
 cat >> /var/www/nextcloud/config/config.php << EOF
-'activity_expire_days' => 14,
+  'activity_expire_days' => 14,
-'auth.bruteforce.protection.enabled' => true,
+  'allow_local_remote_servers' => true,
-'blacklisted_files' => 
+  'auth.bruteforce.protection.enabled' => true,
-array (
+  'forbidden_filenames' =>
-0 => '.htaccess',
+  array (
-1 => 'Thumbs.db',
+    0 => '.htaccess',
-2 => 'thumbs.db',
+    1 => 'Thumbs.db',
-),
+    2 => 'thumbs.db',
-'cron_log' => true,
+    ),
-'default_phone_region' => 'DE',
+  'cron_log' => true,
-'enable_previews' => true,
+  'default_phone_region' => 'DE',
-'enabledPreviewProviders' => 
+  'enable_previews' => true,
-array (
+  'enabledPreviewProviders' =>
-0 => 'OC\Preview\PNG',
+  array (
-1 => 'OC\Preview\JPEG',
+    0 => 'OC\\Preview\\PNG',
-2 => 'OC\Preview\GIF',
+    1 => 'OC\\Preview\\JPEG',
-3 => 'OC\Preview\BMP',
+    2 => 'OC\\Preview\\GIF',
-4 => 'OC\Preview\XBitmap',
+    3 => 'OC\\Preview\\BMP',
-5 => 'OC\Preview\Movie',
+    4 => 'OC\\Preview\\XBitmap',
-6 => 'OC\Preview\PDF',
+    5 => 'OC\\Preview\\Movie',
-7 => 'OC\Preview\MP3',
+    6 => 'OC\\Preview\\PDF',
-8 => 'OC\Preview\TXT',
+    7 => 'OC\\Preview\\MP3',
-9 => 'OC\Preview\MarkDown',
+    8 => 'OC\\Preview\\TXT',
-),
+    9 => 'OC\\Preview\\MarkDown',
-'filesystem_check_changes' => 0,
+    10 => 'OC\\Preview\\HEIC',
-'filelocking.enabled' => 'true',
+    11 => 'OC\\Preview\\Movie',
-'htaccess.RewriteBase' => '/',
+    12 => 'OC\\Preview\\MKV',
-'integrity.check.disabled' => false,
+    13 => 'OC\\Preview\\MP4',
-'knowledgebaseenabled' => false,
+    14 => 'OC\\Preview\\AVI',
-'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
+    ),
-'loglevel' => 2,
+  'filesystem_check_changes' => 0,
-'logtimezone' => '$LXC_TIMEZONE',
+  'filelocking.enabled' => 'true',
-'log_rotate_size' => 104857600,
+  'htaccess.RewriteBase' => '/',
-'maintenance' => false,
+  'integrity.check.disabled' => false,
-'memcache.local' => '\OC\Memcache\APCu',
+  'knowledgebaseenabled' => false,
-'memcache.locking' => '\OC\Memcache\Redis',
+  'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log',
-'overwriteprotocol' => 'https',
+  'loglevel' => 2,
-'preview_max_x' => 1024,
+  'logtimezone' => '$LXC_TIMEZONE',
-'preview_max_y' => 768,
+  'log_rotate_size' => 104857600,
-'preview_max_scale_factor' => 1,
+  'memcache.local' => '\OC\Memcache\APCu',
-'redis' => 
+  'memcache.locking' => '\OC\Memcache\Redis',
-array (
+  'overwriteprotocol' => 'https',
-'host' => '/var/run/redis/redis-server.sock',
+  'preview_max_x' => 1024,
-'port' => 0,
+  'preview_max_y' => 768,
-'timeout' => 0.0,
+  'preview_max_scale_factor' => 1,
-),
+  'profile.enabled' => false,
-'quota_include_external_storage' => false,
+  'redis' => 
-'share_folder' => '/Freigaben',
+  array (
-'skeletondirectory' => '',
+    'host' => '/run/redis/redis-server.sock',
-'theme' => '',
+    'port' => 0,
-'trashbin_retention_obligation' => 'auto, 7',
+    'password' => '$NEXTCLOUD_REDIS_PWD',
-'updater.release.channel' => 'stable',
+    'timeout' => 0.0,
-'trusted_proxies' => 
+  ),
-array (
+  'quota_include_external_storage' => false,
-'$NEXTCLOUD_REVPROX',
+  'share_folder' => '/Freigaben',
-'127.0.0.1',
+  'skeletondirectory' => '',
-'::1',
+  'theme' => '',
-),
+  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
  'maintenance_window_start' => 1,
  'maintenance' => false,
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => '$NEXTCLOUD_ADMIN_USR',
  'mail_domain' => '$NEXTCLOUD_FQDN',
  'overwrite.cli.url' => 'https://$NEXTCLOUD_FQDN',
  'overwritehost' => '$NEXTCLOUD_FQDN',
  'trusted_domains' => 
  array (
    0 => '$HOST_IP',
    1 => '$NEXTCLOUD_FQDN',
  ),
 );
 EOF
 sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
 php /var/www/nextcloud/occ app:disable survey_client
 php /var/www/nextcloud/occ app:disable firstrunwizard
 php /var/www/nextcloud/occ app:enable admin_audit
 php /var/www/nextcloud/occ app:enable notify_push
 php /var/www/nextcloud/occ app:enable files_pdfviewer
 php /var/www/nextcloud/occ background:cron
 DFOE
 /root/permissions.sh
-su -s /bin/bash www-data <<EOF
+sudo -u www-data /usr/bin/cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
-bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable survey_client
-EOF
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable firstrunwizard
 sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable admin_audit
 #sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable notify_push
 sudo -u www-data /usr/bin/php /var/www/nextcloud/occ background:cron
 sudo -u www-data /usr/bin/php /var/www/nextcloud/occ db:add-missing-indices
 sudo -u www-data nohup /usr/bin/php /var/www/nextcloud/occ maintenance:repair --include-expensive &
 sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
 sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
-#### Create file for high performance backend
+echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
 systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm
 systemctl start nginx
 cat > /etc/systemd/system/notify_push.service << EOF
 [Unit]
 Description = Push daemon for Nextcloud clients
 After=nginx.service php$NEXTCLOUD_PHP_VERSION-fpm.service system-postgresql.slice redis-server.service
 [Service]
 Environment=PORT=7867
 Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
 Environment=ALLOW_SELF_SIGNED=true
 ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
 User=www-data
 [Install]
 WantedBy = multi-user.target
 EOF
 systemctl daemon-reload
-systemctl enable --now notify_push
+systemctl enable notify_push
 }
-echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+#### Modifying Crowdsec ####
 mod_crowdsec() {
 systemctl restart crowdsec
 cscli collections install crowdsecurity/nginx
 cscli collections install crowdsecurity/nextcloud
 cscli collections install crowdsecurity/sshd
 cat >> /etc/crowdsec/acquis.yaml << EOF
 filenames:
 - /var/log/nextcloud/nextcloud.log
 labels:
  type: Nextcloud
 ---
 EOF
 systemctl reload crowdsec
 }
 #### Install the system !####
 echo "=> Installing Nginx ..."
 inst_nginx
 echo "=> Modifying Nginx config for Nextcloud ..."
 mod_nginx
 echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
 inst_php
 echo "=> Modifying PHP config for Nextcloud ..."
 mod_php
 echo "=> Installing Postgresql $POSTGRES_VERSION ..."
 inst_postgresql
 echo "=> Modifying Postgresql config for Nextcloud ..."
 mod_postgresql
 echo "=> Installing Redis-server ..."
 inst_redis
 echo "=> Modifying Redis-server for Nextcloud ..."
 mod_redis
 echo "=> Installing some more packages ..."
 inst_packages
 echo "=> Installing Nextcloud ..."
 inst_nextcloud
 echo "=> Modifying Nextcloud ..."
 mod_nextcloudconfig
 echo "=> Installing Crowdsec ..."
 inst_crowdsec
 echo "=> Modifying Crowdsec ..."
 mod_crowdsec
 echo -e "\n######################################################################\n\n    Please note this user and password for the nextcloud login:\n        '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n                Enjoy your Nextcloud intallation.\n\n######################################################################"
 shutdown -r now
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,8 +23,11 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=2048
+LXC_MEM_MIN=4096
 # service dependent meta tags
-SERVICE_TAGS="mongodb-server,java"
+SERVICE_TAGS="mongodb-server,java"
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@ -10,20 +10,14 @@ set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-
+# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
-wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
-add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
+wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
-
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
-wget -O /etc/apt/trusted.gpg.d/mongodb-4.4.asc https://www.mongodb.org/static/pgp/server-4.4.asc
+# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
-
+echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
 echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq adoptopenjdk-8-hotspot jsvc mongodb-org
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
-
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
 DL=$(wget -O - -q  https://www.tp-link.com/de/support/download/omada-software-controller/ 2>/dev/null | grep Download-Detail-Software_Omada-Software-Controller | grep "Linux_x64.deb" | head -1 | cut -d'"' -f6)
 wget -O /tmp/omada.deb -q $DL
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq /tmp/omada.deb
--- a/src/onlyoffice/constants-service.conf
+++ b/src/onlyoffice/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 ONLYOFFICE_DB_HOST=localhost
 ONLYOFFICE_DB_NAME=onlyoffice
--- a/src/onlyoffice/install-service.sh
+++ b/src/onlyoffice/install-service.sh
@ -11,9 +11,15 @@ source /root/constants-service.conf
 ONLYOFFICE_DB_PASS=$(random_password)
-apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
+curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null
 echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
 cat > /etc/apt/preferences.d/onlyoffice << EOF
 Package: onlyoffice-documentserver
 Pin: version 7.1.1-23
 Pin-Priority: 900
 EOF
 apt update 
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
@ -39,7 +45,7 @@ ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
 ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
 EOF
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 rm /etc/nginx/conf.d/ds.conf
@ -73,4 +79,4 @@ cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
 DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
 EOF
-systemctl restart nginx
+systemctl restart nginx
--- a/src/open3a/constants-service.conf
+++ b/src/open3a/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/open3a/install-service.sh
+++ b/src/open3a/install-service.sh
@ -16,9 +16,9 @@ MYSQL_PASSWORD="$(random_password)"
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 cat << EOF > /etc/nginx/sites-available/default
@ -45,7 +45,7 @@ server {
    location ~ .php$ {
        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    }
 }
@ -57,7 +57,7 @@ CREATE DATABASE IF NOT EXISTS open3a;
 GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
 cd $webroot
-wget https://www.open3a.de/download/open3A%203.7.zip -O $webroot/open3a.zip
+wget https://www.open3a.de/download/open3A%204.0.zip -O $webroot/open3a.zip
 unzip open3a.zip
 rm open3a.zip
 chmod 666 system/DBData/Installation.pfdb.php
@ -76,8 +76,8 @@ localhost                               &%%%&open3a              &%%%&$MYSQL_PAS
 */ ?>
 EOF
-systemctl enable --now php7.4-fpm
+systemctl enable --now php8.2-fpm
-systemctl restart php7.4-fpm nginx
+systemctl restart php8.2-fpm nginx
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
--- a/src/piler/constants-service.conf
+++ b/src/piler/constants-service.conf
@ -0,0 +1,31 @@
 #!/bin/bash
 # Authors:
 # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="var/piler"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb,manticore"
--- a/src/piler/install-service.sh
+++ b/src/piler/install-service.sh
@ -0,0 +1,23 @@
 #!/bin/bash
 # Author:
 # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
 source zamba.conf
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
 echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
 echo -e "Installation of piler finished."
 echo -e "\nFor administration please visit the following Website:"
 echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/"
 echo -e "\nLogin with following credentials:"
 echo -e "\tUser: admin@local"
 echo -e "\tPass: pilerrocks"
 echo -e "\n\nPlease have a look the the GOBD notes (in German):"
 echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/gobd"
--- a/src/proxmox-pbs/constants-service.conf
+++ b/src/proxmox-pbs/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="128K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Backup ubdir where Urbackup will store backups
 PBS_DATA="backup"
--- a/src/proxmox-pbs/install-service.sh
+++ b/src/proxmox-pbs/install-service.sh
@ -15,7 +15,7 @@ cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list
 deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
 EOF
-wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
+wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
 apt update && apt upgrade -y
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
--- a/src/rei3/constants-service.conf
+++ b/src/rei3/constants-service.conf
@ -0,0 +1,49 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the IP from the SQL server
 REI3_DB_IP="127.0.0.1"
 # Defines the PORT from the SQL server
 REI3_DB_PORT="5432"
 # Defines the name from the SQL database
 REI3_DB_NAME="app"
 # Defines the name from the SQL user
 REI3_DB_USR="rei3"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 REI3_DB_PWD="$(random_password)"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="postgresql"
--- a/src/rei3/install-service.sh
+++ b/src/rei3/install-service.sh
@ -0,0 +1,42 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 mkdir /opt/rei3
 wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
 wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg
 echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
 timedatectl set-timezone ${LXC_TIMEZONE}
 systemctl enable --now postgresql
 su - postgres <<EOF
 psql -c "CREATE USER ${REI3_DB_USR} WITH PASSWORD '${REI3_DB_PWD}';"
 psql -c "CREATE DATABASE ${REI3_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${REI3_DB_USR};"
 psql -c "GRANT ALL PRIVILEGES ON DATABASE ${REI3_DB_NAME} TO ${REI3_DB_USR};"
 echo "Postgres User ${REI3_DB_USR} and database ${REI3_DB_NAME} created."
 EOF
 cp /opt/rei3/config_template.json /opt/rei3/config.json
 chmod u+x /opt/rei3/r3
 sed -i 's/"user": "app",/"user": "'${REI3_DB_USR}'",/g' /opt/rei3/config.json 
 sed -i 's/"pass": "app",/"pass": "'${REI3_DB_PWD}'",/g' /opt/rei3/config.json 
 /opt/rei3/r3 -install
 #/opt/rei/r3 -newadmin
 systemctl start rei3
--- a/src/unifi/constants-service.conf
+++ b/src/unifi/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=2048
--- a/src/unifi/install-service.sh
+++ b/src/unifi/install-service.sh
@ -11,12 +11,12 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -O /etc/apt/trusted.gpg.d/mongodb-3.6.asc https://www.mongodb.org/static/pgp/server-3.6.asc
+wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
-wget -O /etc/apt/trusted.gpg.d/unifi.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
+wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
-echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" > /etc/apt/sources.list.d/mongodb.list
+echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
-echo "deb http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
+echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq unifi
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi
--- a/src/urbackup/constants-service.conf
+++ b/src/urbackup/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="128K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,11 +23,14 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Backup ubdir where Urbackup will store backups
 URBACKUP_DATA="urbackup"
 # OS codename for opensuse / urbackup repo
-REPO_CODENAME="Debian_11"
+REPO_CODENAME="Debian_12"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/urbackup/install-service.sh
+++ b/src/urbackup/install-service.sh
@ -11,7 +11,7 @@ source /root/constants-service.conf
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
-mkdir /etc/urbackup
+mkdir -p /etc/urbackup
 echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
 echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
@ -20,7 +20,7 @@ curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
 ln -s /usr/share/urbackup/www /var/www/urbackup
--- a/src/vaultwarden/constants-service.conf
+++ b/src/vaultwarden/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the name from the SQL database
 VAULTWARDEN_DB_NAME="vaultwarden"
--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@ -18,7 +18,7 @@ systemctl enable --now postgresql
 wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
 chmod +x docker-image-extract
 ./docker-image-extract vaultwarden/server:alpine
-mkdir /opt/vaultwarden
+mkdir -p /opt/vaultwarden
 mkdir -p /var/lib/vaultwarden/data
 useradd vaultwarden
 chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
@ -40,7 +40,7 @@ ORG_CREATION_USERS=admin@$LXC_DOMAIN
 # Use `openssl rand -base64 48` to generate
 ADMIN_TOKEN=$admin_token
 # Uncomment this once vaults restored
-SIGNUPS_ALLOWED=false
+SIGNUPS_ALLOWED=$VW_SIGNUPS_ALLOWED
 SMTP_HOST=$VW_SMTP_HOST
 SMTP_FROM=$VW_SMTP_FROM
 SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
@ -64,7 +64,6 @@ Group=vaultwarden
 EnvironmentFile=/var/lib/vaultwarden/.env
 ExecStart=/opt/vaultwarden/vaultwarden
 LimitNOFILE=1048576
 LimitNPROC=64
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
@ -154,8 +153,11 @@ server {
 }
 EOF
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
 generate_dhparam
 unlink /etc/nginx/sites-enabled/default
 systemctl daemon-reload
 systemctl enable --now vaultwarden
-systemctl restart nginx
+systemctl restart nginx
--- a/src/zabbix-proxy/constants-service.conf
+++ b/src/zabbix-proxy/constants-service.conf
@ -0,0 +1,52 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="data"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the IP from the SQL server
 ZABBIX_DB_IP="127.0.0.1"
 # Defines the PORT from the SQL server
 ZABBIX_DB_PORT="5432"
 # Defines the name from the SQL database
 ZABBIX_DB_NAME="zabbix_proxy"
 # Defines the name from the SQL user
 ZABBIX_DB_USR="zabbix"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 ZABBIX_DB_PWD="$(random_password)"
 ZABBIX_VERSION=7.0 #zabbix 7 beta
 POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/zabbix-proxy/install-service.sh
+++ b/src/zabbix-proxy/install-service.sh
@ -0,0 +1,67 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
 apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
 timedatectl set-timezone ${LXC_TIMEZONE}
 systemctl enable --now postgresql
 su - postgres <<EOF
 psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
 psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
 echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
 EOF
 cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
 echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
 srv=$(grep -E "^Server" /etc/zabbix/zabbix_proxy.conf)
 sed -i "s/$srv/Server=${ZBX_ADDR}/g" /etc/zabbix/zabbix_proxy.conf
 sed -i "s/# ListenPort=/ListenPort=/g" /etc/zabbix/zabbix_proxy.conf
 sed -i "s/Hostname=Zabbix proxy/Hostname=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
 mkdir -p /var/lib/zabbix
 chown -R zabbix:zabbix /var/lib/zabbix/
 chmod 700 /var/lib/zabbix/
 psk=$(openssl rand -hex 32)
 echo "$psk" > /var/lib/zabbix/proxy.psk
 chown zabbix:zabbix /var/lib/zabbix/proxy.psk
 chmod 600 /var/lib/zabbix/proxy.psk
 sed -i "s/# TLSConnect=unencrypted/TLSConnect=psk/g" /etc/zabbix/zabbix_proxy.conf
 sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
 sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
 sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
 systemctl enable zabbix-proxy zabbix-agent2
 systemctl restart zabbix-proxy zabbix-agent2 
 echo -e "Installation of zabbix-proxy finished."
 echo -e "\nPlease register the Proxy on yout zabbix server with following data:"
 echo -e "Proxy name:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
 echo -e "Proxy mode: Active"
 echo -e "Proxy address:\t$(ip a s dev eth0 | grep -m1 inet | cut -d ' ' -f6 | cut -d'/' -f1)"
 echo -e "Encryption:\tPSK"
 echo -e "PSK identity:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
 echo -e "PSK:\t\t${psk}"
--- a/src/zabbix/constants-service.conf
+++ b/src/zabbix/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="data"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the IP from the SQL server
 ZABBIX_DB_IP="127.0.0.1"
@ -35,8 +42,13 @@ ZABBIX_DB_USR="zabbix"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 ZABBIX_DB_PWD="$(random_password)"
 ZABBIX_VERSION=7.0 #zabbix 7 beta
 POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
 PHP_VERSION=8.2 # debian 12 default
 TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
-SERVICE_TAGS="php-fpm,nginx,postgresql"
+SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/zabbix/install-service.sh
+++ b/src/zabbix/install-service.sh
@ -5,20 +5,20 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-apt-key adv --fetch https://repo.zabbix.com/zabbix-official-repo.key
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
-echo "deb https://repo.zabbix.com/zabbix/6.0/debian/ bullseye main contrib non-free" > /etc/apt/sources.list.d/zabbix-6.0.list
+apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
-
+apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main"
 wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
 echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql nginx php7.4-pgsql php7.4-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent ssl-cert
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
 unlink /etc/nginx/sites-enabled/default
@ -122,7 +122,7 @@ server {
 }
 EOF
-cat << EOF > /etc/php/7.4/fpm/pool.d/zabbix-php-fpm.conf
+cat << EOF > /etc/php/$PHP_VERSION/fpm/pool.d/zabbix-php-fpm.conf
 [zabbix]
 user = www-data
 group = www-data
@ -220,10 +220,17 @@ sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
 zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
 timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
 systemctl restart postgresql
 echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
 cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
 echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
-openssl dhparam -out /etc/nginx/dhparam.pem 4096
+generate_dhparam
-systemctl enable --now zabbix-server zabbix-agent nginx php7.4-fpm 
+systemctl enable nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 
-systemctl restart zabbix-server zabbix-agent nginx php7.4-fpm 
+systemctl restart nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 > /dev/null 2>&1
--- a/src/zammad/constants-service.conf
+++ b/src/zammad/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
--- a/src/zammad/install-service.sh
+++ b/src/zammad/install-service.sh
@ -9,32 +9,16 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key
+curl -fsSL https://dl.packager.io/srv/zammad/zammad/key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/pkgr-zammad.gpg > /dev/null
-apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch
+curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor | tee /etc/apt/trusted.gpg.d/elasticsearch.gpg> /dev/null
-wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main"| tee -a /etc/apt/sources.list.d/elastic-7.x.list > /dev/null
-echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/pkgr-zammad.gpg] https://dl.packager.io/srv/deb/zammad/zammad/stable/debian 12 main"| tee /etc/apt/sources.list.d/zammad.list > /dev/null
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
 cat << EOF >>/etc/hosts
 0.0.0.0 image.zammad.com
 0.0.0.0 images.zammad.com
 0.0.0.0 geo.zammad.com
 0.0.0.0 www.zammad.com
 0.0.0.0 www.zammad.org
 0.0.0.0 www.zammad.net
 0.0.0.0 www.zammad.de
 0.0.0.0 zammad.com
 0.0.0.0 zammad.org
 0.0.0.0 zammad.net
 0.0.0.0 zammad.de
 #
 127.0.0.1 elasticsearch
 0.0.0.0 geoip.elastic.co
 EOF
 # Java set startup environment 
 mkdir -p /etc/elasticsearch/jvm.options.d
 cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
@ -44,127 +28,36 @@ cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
 -Xmx1g
 EOF
-# configurwe nginx
+# configure nginx
-rm -f /etc/nginx/sites-enabled/default
+generate_dhparam
-cat << EOF > /etc/nginx/sites-available/zammad.conf
+unlink /etc/nginx/sites-enabled/default
-upstream zammad-railsserver {
+unlink /etc/nginx/sites-enabled/zammad.conf
  server 127.0.0.1:3000;
 }
-upstream zammad-websocket {
+mkdir -p /etc/nginx/ssl
-  server 127.0.0.1:6042;
+ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
-}
+ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
 ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
-server {
+sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
-    listen 80;
+ -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
-    listen [::]:80;
+ -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
-    server_name _;
+ -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
-    
+ -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
-    server_tokens off;
+ /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
-    access_log /var/log/nginx/zammad.access.log;
+ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
    error_log /var/log/nginx/zammad.error.log;
    location /.well-known/ {
        root /var/www/html;
    }
-    return 301 https://\$host\$request_uri;
+# configure elasticsearch
-}
+/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;
    server_tokens off;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
 #
 #  https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
 #
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
    add_header Referrer-Policy "strict-origin";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Strict-Transport-Security "max-age=31536000" always;
    location = /robots.txt  {
    access_log off; log_not_found off;
    }
    location = /favicon.ico {
    access_log off; log_not_found off;
    }
    root /opt/zammad/public;
    access_log /var/log/nginx/zammad.access.log;
    error_log  /var/log/nginx/zammad.error.log;
    client_max_body_size 50M;
    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
    expires max;
    }
    location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto	\$scheme;
    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
    }
    location / {
    proxy_set_header Host \$http_host;
    proxy_set_header CLIENT_IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto	\$scheme;
    # change this line in an SSO setup
    proxy_set_header X-Forwarded-User "";
    proxy_read_timeout 180;
    proxy_pass http://zammad-railsserver;
    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
    gzip_proxied any;
    }
 }
 EOF
 ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
 openssl dhparam -out /etc/nginx/dhparam.pem 4096
 systemctl enable elasticsearch.service
 systemctl restart nginx elasticsearch.service
 # Elasticsearch conntact to Zammad
-/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
+zammad run rails r "Setting.set('es_url', 'http://127.0.0.1:9200')"
 zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
 zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
 zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
 systemctl restart elasticsearch.service
-zammad run rake searchindex:rebuild
+zammad run rake zammad:searchindex:rebuild[$(nproc)]
--- a/src/zmb-ad-join/constants-service.conf
+++ b/src/zmb-ad-join/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="backup"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # add optional features to samba ad dc
 # CURRENTLY SUPPORTED:
@ -29,7 +36,7 @@ LXC_NESTING="1"
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/zmb-ad-join/install-service.sh
+++ b/src/zmb-ad-join/install-service.sh
@ -15,8 +15,6 @@ for f in ${OPTIONAL_FEATURES[@]}; do
  if [[ "$f" == "wsdd" ]]; then
      ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
      ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
      apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
      echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
  elif [[ "$f" == "splitdns" ]]; then
      ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
      ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
@ -29,38 +27,41 @@ for f in ${OPTIONAL_FEATURES[@]}; do
  fi
 done
-## configure ntp
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 cat << EOF > /etc/ntp.conf
 # Local clock. Note that is not the "localhost" address!
 server 127.127.1.0
 fudge  127.127.1.0 stratum 10
 # Where to retrieve the time from
 server 0.de.pool.ntp.org     iburst prefer
 server 1.de.pool.ntp.org     iburst prefer
 server 2.de.pool.ntp.org     iburst prefer
 driftfile       /var/lib/ntp/ntp.drift
 logfile         /var/log/ntp
 ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
 # Access control
 # Default restriction: Allow clients only to query the time
 restrict default kod nomodify notrap nopeer mssntp
 # No restrictions for "localhost"
 restrict 127.0.0.1
 # Enable the time sources to only provide time to this host
 restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 tinker panic 0
 EOF
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d
 cat << EOF > /etc/default/chrony
 # This is a configuration file for /etc/init.d/chrony and
 # /lib/systemd/system/chrony.service; it allows you to pass various options to
 # the chrony daemon without editing the init script or service file.
 # Options to pass to chrony.
 DAEMON_OPTS="-x -F 1"
 EOF
 cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
 [Unit]
 ConditionCapability=
 EOF
 cat << EOF > /etc/chrony/conf.d/samba.conf
 bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
 server de.pool.ntp.org iburst
 server europe.pool.ntp.org iburst
 allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
 ntpsigndsocket /var/lib/samba/ntp_signd
 EOF
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 	  cat << EOF > /etc/nginx/sites-available/default
 server {
@ -123,11 +124,15 @@ cat > /etc/krb5.conf <<EOF
 EOF
 # stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
-samba-tool domain join $ZMB_REALM DC -k yes --backend-store=mdb
+samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
 rm /etc/krb5.conf
 ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 mkdir -p /mnt/sysvol
@ -142,13 +147,75 @@ echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0"
 mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
 cat > /etc/cron.d/sysvol-sync << EOF
-*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
+*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol; if ! /usr/bin/samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then /usr/bin/samba-tool ntacl sysvolreset ; fi
 EOF
 /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
 if ! samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then
  samba-tool ntacl sysvolreset
 fi
 ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
 # configure ad backup
 cat << EOF > /usr/local/bin/smb-backup
 #!/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 rc=0
 keep=$1
 if \$1 ; then
  keep=\$1
 fi
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
 prune () {
  backup_type=\$1
  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
  fi
 }
 echo "\$(date) Starting samba-ad-dc online backup"
 if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
  prune online
 else
  echo "\$(date) samba-ad-dc online backup failed"
  rc=\$((\$rc + 1))
 fi
 echo "\$(date) Starting samba-ad-dc offline backup"
 if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
  prune offline
 else
  echo "S(date) samba-ad-dc offline backup failed"
  rc=\$((\$rc + 1))
 fi
 exit \$rc
 EOF
 chmod +x /usr/local/bin/smb-backup
 cat << EOF > /etc/cron.d/smb-backup
 0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF
 cat << EOF > /etc/logrotate.d/smb-backup
 /var/log/smb-backup.log {
        weekly
        rotate 12
        compress
        delaycompress
        missingok
        notifempty
        create 644 root root
 }
 EOF
--- a/src/zmb-ad-restore/constants-service.conf
+++ b/src/zmb-ad-restore/constants-service.conf
@ -0,0 +1,45 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="backup"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # add optional features to samba ad dc
 # CURRENTLY SUPPORTED:
 # wsdd = add windows service discovery
 # splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
 # bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
 OPTIONAL_FEATURES=(wsdd)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
--- a/src/zmb-ad-restore/install-service.sh
+++ b/src/zmb-ad-restore/install-service.sh
@ -0,0 +1,195 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 for f in ${OPTIONAL_FEATURES[@]}; do
  if [[ "$f" == "wsdd" ]]; then
    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
  elif [[ "$f" == "splitdns" ]]; then
    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
  elif [[ "$f" == "bind9dlz" ]]; then
    ZMB_DNS_BACKEND="BIND9_DLZ"
    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
  else
    echo "Unsupported optional feature $f"
  fi
 done
 # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d
 cat << EOF > /etc/default/chrony
 # This is a configuration file for /etc/init.d/chrony and
 # /lib/systemd/system/chrony.service; it allows you to pass various options to
 # the chrony daemon without editing the init script or service file.
 # Options to pass to chrony.
 DAEMON_OPTS="-x -F 1"
 EOF
 cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
 [Unit]
 ConditionCapability=
 EOF
 cat << EOF > /etc/chrony/conf.d/samba.conf
 bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
 server de.pool.ntp.org iburst
 server europe.pool.ntp.org iburst
 allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
 ntpsigndsocket /var/lib/samba/ntp_signd
 EOF
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
  cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80 default_server;
    server_name _;
    return 301 http://www.$LXC_DOMAIN\$request_uri;
 }
 EOF
 fi
 if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
  # configure bind dns service
  cat << EOF > /etc/default/bind9
 #
 # run resolvconf?
 RESOLVCONF=no
 # startup options for the server
 OPTIONS="-4 -u bind"
 EOF
  cat << EOF > /etc/bind/named.conf.local
 //
 // Do any local configuration here
 //
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
 dlz "$LXC_DOMAIN" {
  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
 };
 EOF
  cat << EOF > /etc/bind/named.conf.options
 options {
  directory "/var/cache/bind";
  forwarders {
    $LXC_DNS;
  };
  allow-query {  any;};
  dnssec-validation no;
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  listen-on { any; };
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
  minimal-responses yes;
 };
 EOF
  mkdir -p /var/lib/samba/bind-dns/dns
 fi
 # stop + disable samba services and remove default config
 systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf
 rm -r /var/lib/samba/*
 backupfile=$(find /backup/online -name samba-backup* | tail -1)
 samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/ 
 ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 # disable password expiry for administrator
 samba-tool user setexpiry Administrator --noexpiry
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
 # configure ad backup
 cat << EOF > /usr/local/bin/smb-backup
 #!/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 rc=0
 keep=\$1
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
 prune () {
  backup_type=\$1
  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
  fi
 }
 echo "\$(date) Starting samba-ad-dc online backup"
 if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
  prune online
 else
  echo "\$(date) samba-ad-dc online backup failed"
  rc=\$((\$rc + 1))
 fi
 echo "\$(date) Starting samba-ad-dc offline backup"
 if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
  prune offline
 else
  echo "S(date) samba-ad-dc offline backup failed"
  rc=\$((\$rc + 1))
 fi
 exit \$rc
 EOF
 chmod +x /usr/local/bin/smb-backup
 cat << EOF > /etc/cron.d/smb-backup
 23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF
 cat << EOF > /etc/logrotate.d/smb-backup
 /var/log/smb-backup.log {
        weekly
        rotate 12
        compress
        delaycompress
        missingok
        notifempty
        create 644 root root
 }
 EOF
 exit 0
--- a/src/zmb-ad/constants-service.conf
+++ b/src/zmb-ad/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="0"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="backup"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # add optional features to samba ad dc
 # CURRENTLY SUPPORTED:
@ -29,7 +36,7 @@ LXC_NESTING="1"
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@ -15,8 +15,6 @@ for f in ${OPTIONAL_FEATURES[@]}; do
  if [[ "$f" == "wsdd" ]]; then
    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
    apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
    echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
  elif [[ "$f" == "splitdns" ]]; then
    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
@ -29,44 +27,40 @@ for f in ${OPTIONAL_FEATURES[@]}; do
  fi
 done
-## configure ntp
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 cat << EOF > /etc/ntp.conf
 # Local clock. Note that is not the "localhost" address!
 server 127.127.1.0
 fudge  127.127.1.0 stratum 10
 # Where to retrieve the time from
 server 0.de.pool.ntp.org     iburst prefer
 server 1.de.pool.ntp.org     iburst prefer
 server 2.de.pool.ntp.org     iburst prefer
 driftfile       /var/lib/ntp/ntp.drift
 logfile         /var/log/ntp
 ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
 # Access control
 # Default restriction: Allow clients only to query the time
 restrict default kod nomodify notrap nopeer mssntp
 # No restrictions for "localhost"
 restrict 127.0.0.1
 # Enable the time sources to only provide time to this host
 restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
 tinker panic 0
 EOF
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils ntp
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d
 cat << EOF > /etc/default/chrony
 # This is a configuration file for /etc/init.d/chrony and
 # /lib/systemd/system/chrony.service; it allows you to pass various options to
 # the chrony daemon without editing the init script or service file.
 # Options to pass to chrony.
 DAEMON_OPTS="-x -F 1"
 EOF
 cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
 [Unit]
 ConditionCapability=
 EOF
 cat << EOF > /etc/chrony/conf.d/samba.conf
 bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
 server de.pool.ntp.org iburst
 server europe.pool.ntp.org iburst
 allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
 ntpsigndsocket /var/lib/samba/ntp_signd
 EOF
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
  cat << EOF > /etc/nginx/sites-available/default
@ -125,20 +119,76 @@ EOF
  mkdir -p /var/lib/samba/bind-dns/dns
 fi
 # stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf
 # provision zamba domain
 samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
-cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 # disable password expiry for administrator
 samba-tool user setexpiry Administrator --noexpiry
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
 # configure ad backup
 cat << EOF > /usr/local/bin/smb-backup
 #!/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 rc=0
 keep=\$1
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
 prune () {
  backup_type=\$1
  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
  fi
 }
 echo "\$(date) Starting samba-ad-dc online backup"
 if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
  prune online
 else
  echo "\$(date) samba-ad-dc online backup failed"
  rc=\$((\$rc + 1))
 fi
 echo "\$(date) Starting samba-ad-dc offline backup"
 if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
  prune offline
 else
  echo "S(date) samba-ad-dc offline backup failed"
  rc=\$((\$rc + 1))
 fi
 exit \$rc
 EOF
 chmod +x /usr/local/bin/smb-backup
 cat << EOF > /etc/cron.d/smb-backup
 0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF
 cat << EOF > /etc/logrotate.d/smb-backup
 /var/log/smb-backup.log {
        weekly
        rotate 12
        compress
        delaycompress
        missingok
        notifempty
        create 644 root root
 }
 EOF
 exit 0
--- a/src/zmb-cups/constants-service.conf
+++ b/src/zmb-cups/constants-service.conf
@ -0,0 +1,33 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="samba,member,cups,printserver"
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@ -0,0 +1,110 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 apt update
 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
 [libdefaults]
 	default_realm = $ZMB_REALM
 	ticket_lifetime = 600
 	dns_lookup_realm = true
 	dns_lookup_kdc = true
 	renew_lifetime = 7d
 EOF
 echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
 klist
 mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
 cat > /etc/samba/smb.conf <<EOF
 [global]
 	workgroup = $ZMB_DOMAIN
 	security = ADS
 	realm = $ZMB_REALM
 	server string = %h server
 	vfs objects = acl_xattr shadow_copy2
 	map acl inherit = Yes
 	store dos attributes = Yes
 	idmap config *:backend = tdb
 	idmap config *:range = 3000000-4000000
 	idmap config *:schema_mode = rfc2307
 	winbind refresh tickets = Yes
 	winbind use default domain = Yes
 	winbind separator = /
 	winbind nested groups = yes
 	winbind nss info = rfc2307
 	pam password change = Yes
 	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 	passwd program = /usr/bin/passwd %u
 	template homedir = /home/%U
 	template shell = /bin/bash
 	bind interfaces only = Yes
 	interfaces = lo eth0
 	log file = /var/log/samba/log.%m
 	logging = syslog
 	max log size = 1000
 	panic action = /usr/share/samba/panic-action %d
 	dns proxy = No
 	shadow: snapdir = .zfs/snapshot
 	shadow: sort = desc
 	shadow: format = -%Y-%m-%d-%H%M
 	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20
 	printing = CUPS
 	rpcd_spoolss:idle_seconds=300
 	rpcd_spoolss:num_workers = 10
 	spoolss: architecture = Windows x64
 [printers]
 	path = /${LXC_SHAREFS_MOUNTPOINT}/spool
 	printable = yes
 [print$]
 	path = /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 	read only = no
 EOF
 systemctl restart smbd
 echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
 sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
 sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
 echo -e "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
 systemctl restart winbind nmbd
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
 cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 chown -R root:"${ZMB_DOMAIN_ADMINS@L}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
 chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS@L}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
 systemctl disable --now cups-browsed.service
 cupsctl --remote-admin
 systemctl restart cups smbd nmbd winbind wsdd
--- a/src/zmb-member/constants-service.conf
+++ b/src/zmb-member/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="128K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@ -9,14 +9,12 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-# add wsdd package repo
+# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
 echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
@ -98,12 +96,12 @@ systemctl restart winbind nmbd
 wbinfo -u
 wbinfo -g
-mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 systemctl restart smbd nmbd winbind wsdd
--- a/src/zmb-standalone/constants-service.conf
+++ b/src/zmb-standalone/constants-service.conf
@ -8,10 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
-LXC_MP="1"
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="128K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
@ -19,6 +23,9 @@ LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@ -9,34 +9,16 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # add wsdd package repo
 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
 apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
 echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
 echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
 echo "deb http://ftp.de.debian.org/debian $(lsb_release -cs)-backports main contrib" > /etc/apt/sources.list.d/$(lsb_release -cs)-backports.list
-cat << EOF > /etc/apt/preferences.d/samba
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 Package: samba*
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
 cat << EOF > /etc/apt/preferences.d/winbind
 Package: winbind*
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
 cat << EOF > /etc/apt/preferences.d/cockpit
 Package: cockpit*
 Pin: release a=$(lsb_release -cs)-backports
 Pin-Priority: 900
 EOF
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" -t $(lsb_release -cs)-backports acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
 #DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
 USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
Author	SHA1	Message	Date
Chriz	49d96dd3eb	Update and rename check_zambaconf_trmm.sh to check_zambaconfonpve_trmm.sh	2025-06-05 22:32:26 +02:00
Chriz	c8c898f047	Update check_zambaconf_trmm.sh also recognizes forgotten zamba.confs in lxcs root	2025-06-05 22:05:15 +02:00
Chriz	c9fd96a681	Update check_zambaconf_trmm.sh delete after three days	2025-06-04 11:01:30 +02:00
Chriz	077735aa03	Create check_zambaconf_trmm.sh TRMM check if you forgot to delete your zamba.conf with Passwords!	2025-06-04 10:47:50 +02:00
Chriz	8d22b06bd5	Update nextcloud-update updated tested version with php 8.2	2025-05-22 15:56:06 +02:00
Chriz	df45fc5e39	Update install-service.sh missing php-ldap	2025-05-21 19:10:30 +02:00
Thorsten Spille	e53a1854b3	Merge pull request #127 from bashclub/main merge semaphore changes to dev	2025-05-17 10:11:06 +02:00
Thorsten Spille	ce9f3f4a9c	Update install-service.sh	2025-05-07 14:13:40 +02:00
Thorsten Spille	6d4d70e74e	Update ansible-semaphore	2025-05-07 14:10:25 +02:00
thorstenspille	f0de34102b	replace backup cronjob	2025-04-28 13:09:55 +02:00
thorstenspille	203e4bdc28	fix description for variable	2025-04-28 12:44:27 +02:00
thorstenspille	8f182ac9f8	add permissions for domain admins group	2025-04-28 12:43:42 +02:00
thorstenspille	ab363d5793	mailcow: fis backup path	2025-04-28 12:43:14 +02:00
thorstenspille	d64a81b185	Fix permissions on zmb-cups	2025-04-28 12:42:37 +02:00
thorstenspille	73a70918d4	fix smb backup jobs for dcs	2025-04-28 12:41:58 +02:00
thorstenspille	3bbd1d98b5	update mailcow.conf, fix backup storage	2025-04-28 12:41:26 +02:00
DerFossiBaer	26cef69e6b	Update install-service.sh	2025-01-30 12:57:51 +01:00
DerFossiBaer	f481a7a7f4	Update install-service.sh	2025-01-29 18:11:54 +01:00
DerFossiBaer	472cb5b777	Update install-service.sh	2025-01-29 18:09:08 +01:00
DerFossiBaer	12a9c39873	Update functions.sh Added some functions for installations	2025-01-29 18:07:04 +01:00
DerFossiBaer	6876e6f459	Update install-service.sh nearly completely new installation is now generated in functions, witch are added at the end of the script.	2025-01-29 18:02:48 +01:00
DerFossiBaer	a10e16633a	Update constants-service.conf change php to 8.3 added postgresql version	2025-01-29 17:58:14 +01:00
DerFossiBaer	23c4166e18	Update constants-service.conf Due to oom-killers set MEM to 4096MB	2025-01-07 16:05:46 +01:00
DerFossiBaer	3fe94152cc	Update install-service.sh With Omada 5.15 mongodb 7.0 and default jre are possible.	2025-01-06 23:05:43 +01:00
Thorsten Spille	d50b7a93c2	Update constants-service.conf Change Omada to Debian bookworm	2025-01-06 21:32:36 +01:00
Thorsten Spille	8cf9c45f79	set domain admins group in zmb.conf, add zmb-ad-restore container	2024-11-28 21:27:56 +01:00
Thorsten Spille	0c91d48778	Merge pull request #121 from bashclub/dev Fix zabbix container	2024-11-14 22:19:50 +01:00
Thorsten Spille	c3eef2aed6	Update constants-service.conf Update timescaledb to 2.16.1	2024-11-14 22:01:10 +01:00
Thorsten Spille	34a9d7f0ab	Update install-service.sh Fix postgresql-client version	2024-11-14 21:36:45 +01:00
Thorsten Spille	415703ea5f	Merge pull request #116 from bashclub/dev Dev	2024-07-12 22:50:55 +02:00
thorstenspille	1a3d29953f	add cloudpanel container	2024-07-12 22:49:06 +02:00
thorstenspille	b9f92b610a	Change lxc id detection	2024-07-08 20:15:53 +02:00
Thorsten Spille	2892b7b416	Update install.sh Only set volblocksize if sharefs is zfspool	2024-07-05 18:33:52 +02:00
Thorsten Spille	c94b8c8a9a	Merge pull request #114 from bashclub/main Fix AD DC	2024-07-04 18:23:11 +02:00
Thorsten Spille	954dc0d27e	add samba-ad-dc package to zmb-ad and zmb-ad-join	2024-07-04 18:22:06 +02:00
Thorsten Spille	731e4563e7	Update install.sh Set acl=1 on every lxc rootfs	2024-07-04 18:20:03 +02:00
Thorsten Spille	250d828bc9	Merge pull request #113 from bashclub/dev Update install-service.sh	2024-06-29 14:54:36 +02:00
Thorsten Spille	e966260068	Update install-service.sh Fix initial setup of authentik (AUTHENTIK_REDIS__DB=1)	2024-06-29 14:27:21 +02:00
Thorsten Spille	0d430bdac2	Merge pull request #112 from bashclub/dev release-1.2	2024-06-14 10:58:58 +02:00
thorstenspille	efbc86394d	Change samba version from backports to main	2024-06-14 09:45:23 +02:00
thorstenspille	45da9e8a47	update apt mirror (work in progress)	2024-06-11 18:20:20 +02:00
thorstenspille	e28752b8b8	Fixed semaphore repo urls	2024-06-10 22:40:36 +02:00
thorstenspille	246b7a348d	checkmk: improve apache config	2024-06-10 21:37:24 +02:00
thorstenspille	6218183d9c	set checkmk version to 2.3.0p6	2024-06-10 21:15:59 +02:00
thorstenspille	f442f0c0ed	update element-web repo url	2024-06-09 22:10:45 +02:00
thorstenspille	97c8ba8cd1	Fix java version omada	2024-06-09 21:58:53 +02:00
thorstenspille	f6dd7bbf55	Add temurin jre	2024-06-09 21:42:25 +02:00
thorstenspille	8304e3b13a	Add tmux to default packages	2024-06-09 21:18:24 +02:00
thorstenspille	a6244afe44	Move omada sdn controller to bashclub repo	2024-06-09 21:12:44 +02:00
thorstenspille	be58381932	Reset omada to debian 11	2024-06-09 20:14:11 +02:00
thorstenspille	5dfef6e5ff	Fix mongodb	2024-06-09 20:05:40 +02:00
thorstenspille	115ccab33e	Update omada	2024-06-09 19:14:29 +02:00
thorstenspille	3d2efa450d	Change open3a version to 4.0	2024-06-09 18:46:13 +02:00
thorstenspille	5cdd54f5c5	Fix rei3 download url, set to latest version	2024-06-09 18:36:12 +02:00
thorstenspille	0448dee517	Fix postgres repo for rei3	2024-06-09 18:22:19 +02:00
thorstenspille	d96b78dad7	Fix mongodb repo	2024-06-09 18:08:55 +02:00
thorstenspille	02946ec248	Fix nginx config in zammad	2024-06-09 17:30:21 +02:00
thorstenspille	f764354471	remove mongodb-server package	2024-06-09 15:59:33 +02:00
thorstenspille	b24ec835a2	update unifi debian 12 mongodb 7	2024-06-09 12:45:59 +02:00
thorstenspille	ddcedc57e4	zammad fix webserver config	2024-06-08 22:43:31 +02:00
thorstenspille	b56ae6487b	install zabbix-agent2	2024-06-08 21:50:32 +02:00
thorstenspille	db302d6713	Change zabbix version to 7.0	2024-06-08 21:38:40 +02:00
thorstenspille	e90395ba3c	remove /etc/hosts manipulation	2024-05-26 00:52:50 +02:00
thorstenspille	80b2e5c9d1	Add freescout options	2024-05-25 19:56:57 +02:00
thorstenspille	a49ca5208d	Add freescout container	2024-05-25 19:56:38 +02:00
Thorsten Spille	0dc6ef9062	fix permissions	2024-05-17 17:37:00 +02:00
Thorsten Spille	9b166bef7a	fix permissions	2024-05-17 17:32:59 +02:00
Thorsten Spille	404cf7f66c	fix sed	2024-05-17 17:23:01 +02:00
Thorsten Spille	0a34587b39	fix config	2024-05-17 17:19:20 +02:00
Thorsten Spille	2521cbd14e	fix tabs	2024-05-17 17:18:22 +02:00
Thorsten Spille	52f641e873	Add psk encryption to zabbix proxy	2024-05-17 17:14:14 +02:00
Thorsten Spille	430e125350	Fix hostname in proxy config	2024-05-17 12:58:27 +02:00
Thorsten Spille	8f668262d8	Fix zabbix proxy config	2024-05-17 12:55:17 +02:00
Thorsten Spille	774217a55c	Fix var	2024-05-17 12:51:25 +02:00
Thorsten Spille	84173e46a8	Change zabbix proxy config	2024-05-17 12:47:41 +02:00
Thorsten Spille	d1c9615a4a	add server parameter for zabbix proxy	2024-05-17 12:18:41 +02:00
Thorsten Spille	d76b7ebfd2	Fix db schema import	2024-05-16 12:07:43 +02:00
Thorsten Spille	69d2653e4b	Add draft for zabbix-proxy	2024-05-16 12:03:29 +02:00
thorstenspille	333d55916d	add mp settings to apt	2024-05-14 22:34:27 +02:00
thorstenspille	c8921c18c9	Merge branch 'dev' of github.com:bashclub/zamba-lxc-toolbox into dev	2024-05-14 22:30:07 +02:00
thorstenspille	8ed654f6ea	Change cmk version to 2.3.0p2, change mountpoint	2024-05-14 22:28:32 +02:00
Chriz	592f3cae7d	Update constants-service.conf 2.2.0p26	2024-05-14 16:44:22 +02:00
thorstenspille	99a47fb130	update zabbix to 6.5 (7.0 beta) , add timescaledb	2024-05-14 00:19:52 +02:00
thorstenspille	cbea17efdf	Add repo function	2024-05-14 00:19:17 +02:00
thorstenspille	8551291e6f	Fix storage path parser	2024-05-05 15:36:09 +02:00
thorstenspille	ec5bc5796c	Fix mailpiler min ram	2024-05-05 13:02:58 +02:00
thorstenspille	d43131f872	Fix pool path detection	2024-05-05 11:31:59 +02:00
Thorsten Spille	e2245b2528	Set recordsize for mp0	2024-05-05 11:13:27 +02:00
Thorsten Spille	70b8561798	Merge branch 'dev' of https://github.com/bashclub/zamba-lxc-toolbox into dev	2024-05-01 17:23:24 +02:00
Thorsten Spille	907093512b	Update zmb-cups	2024-05-01 17:19:19 +02:00
Thorsten Spille	3a70f5f7b1	Merge pull request #90 from nezzept/dev Migrate Nextcloud to debian bookworm	2024-04-25 18:45:25 +02:00
thorstenspille	e72430dc02	Fix apt repo	2024-04-25 17:29:27 +02:00
thorstenspille	72d72bf8d2	Add PILER_BRANCH variable	2024-04-25 16:44:28 +02:00
thorstenspille	92f7a4774c	Replace mailpiler by piler (updgrade to 1.4)	2024-04-25 16:42:03 +02:00
thorstenspille	a3c8efc00d	Remove obsolete PILER_FQDN config parameter	2024-04-25 12:42:58 +02:00
thorstenspille	ccc69b6d55	Change debian repos to deb.debian.org	2024-04-05 22:26:06 +02:00
Thorsten Spille	d0693c82e2	Update install-service.sh Remove LimitNPROC=64	2024-03-19 20:35:05 +01:00
Chriz	773c852c18	Update install-service.sh	2024-03-04 18:22:42 +01:00
Chriz	83873fd5a3	Update install-service.sh 7.2.2	2024-03-04 18:07:22 +01:00
Chriz	55f5bd6eec	Update install-service.sh	2024-03-04 15:46:23 +01:00
Chriz	e18c9b1ed5	Update install-service.sh bookworm	2024-03-04 15:04:00 +01:00
Chriz	2f4e674474	Update install-service.sh 8.0.1-31	2024-03-04 14:37:58 +01:00
thorstenspille	3b3174e19c	Add mailcow-dockerized	2024-01-21 22:51:55 +01:00
thorstenspille	f8c3d90ebe	Authentik: add docker tag	2024-01-21 21:45:34 +01:00
thorstenspille	f3db293064	Add mailcow	2024-01-21 21:45:13 +01:00
thorstenspille	a9853a6fbe	Add authentik container	2024-01-21 21:15:21 +01:00
thorstenspille	8644cab71f	Add portainer and portainer agent option	2024-01-21 17:17:12 +01:00
thorstenspille	0ab5cffbef	Add docker service	2024-01-21 13:47:07 +01:00
thorstenspille	6ac88f649b	Add keyctl parameter	2024-01-21 13:46:06 +01:00
thorstenspille	3977496d8e	Comment unifi os version	2024-01-15 21:03:12 +01:00
thorstenspille	60b1d9c6ec	reset unifi to debian-11	2024-01-15 20:59:51 +01:00
thorstenspille	c6e381e4fc	Test unifi on debian 12	2024-01-15 20:53:51 +01:00
thorstenspille	98d2aae0c4	Update unifi, fix mongodb repo	2024-01-15 20:48:50 +01:00
thorstenspille	11a8f4ecc3	Change ntp server from ntpd to chrony	2023-11-29 19:45:29 +01:00
thorstenspille	4dbb11c3bd	Set checkmk version to 2.2.0p14	2023-11-29 19:45:03 +01:00
thorstenspille	80ad64f422	Beta ready zmb-cups	2023-11-27 21:49:00 +01:00
thorstenspille	9fa103d8ae	Fix backup script	2023-10-30 00:35:42 +01:00
thorstenspille	2164f6d2ce	Fix systemd-resolved, backup	2023-10-29 22:59:43 +01:00
thorstenspille	3ce6d7c2ae	fix backup, systemd-resolved	2023-10-29 22:58:18 +01:00
thorstenspille	fbe274117f	Add ressource pool parameter	2023-10-29 22:35:07 +01:00
thorstenspille	54883a83d1	Remove splitdns from default	2023-10-29 22:28:32 +01:00
thorstenspille	f2d28c9c8b	Remove splitdns from defaults	2023-10-29 22:27:56 +01:00
thorstenspille	16330657cd	Fix cpu cores	2023-10-29 22:27:34 +01:00
thorstenspille	05260c5456	Fix install line	2023-10-29 22:26:06 +01:00
thorstenspille	a93bda84ae	Set zabbix version to 6.5 (7.0 beta)	2023-10-29 21:59:53 +01:00
thorstenspille	4520ebb17a	Add smb/cups server draft	2023-10-29 21:59:30 +01:00
thorstenspille	38590ee60a	Switch to backports	2023-10-29 21:58:17 +01:00
thorstenspille	677383edb0	Switch to backports	2023-10-29 21:57:55 +01:00
thorstenspille	818a5ecd84	Switch to backports, add backup function	2023-10-29 21:57:37 +01:00
thorstenspille	975855f7a8	Fix dhparams path	2023-10-17 21:52:28 +02:00
thorstenspille	b148d290ce	Fix Kerberos config on dcs	2023-10-07 15:37:08 +02:00
thorstenspille	c51d2a91ff	Add cpu core count	2023-10-07 15:09:15 +02:00
thorstenspille	862929cd51	Change dh param gen to function	2023-09-10 11:25:55 +02:00
thorstenspille	96e6d0d3ba	Add signups allowed parameter für vaultwarden	2023-09-10 11:24:40 +02:00
thorstenspille	a8a5cda289	Change dhparam gen to monthly	2023-09-10 11:22:40 +02:00
thorstenspille	5802c2c043	Add dhparam generation function	2023-09-10 11:17:10 +02:00
thorstenspille	858f17c03f	Set semaphore password in zamba.conf.example	2023-08-30 13:05:06 +02:00
thorstenspille	d1f9867415	print credentials	2023-08-24 21:37:45 +02:00
thorstenspille	0868002464	run semaphore as unpriv user	2023-08-24 21:36:04 +02:00
thorstenspille	1bc031af17	Add ansible-semaphore variables	2023-08-24 20:29:20 +02:00
thorstenspille	31eb6c5862	Fix password function	2023-08-24 20:28:59 +02:00
Thorsten Spille	6ed28a0243	Merge pull request #97 from carstenabele/main rei3 hinzugefuegt	2023-08-17 19:07:44 +02:00
Carsten	e0aa991878	rei3 hinzugefuegt	2023-08-17 17:18:31 +02:00
thorstenspille	95d1ebd013	Update checkmk to 2.2.0p7 and debian bookworm	2023-08-07 12:53:23 +02:00
thorstenspille	82d3be6e14	Update ecodms to 230164 and debian bookworm	2023-08-07 12:44:28 +02:00
thorstenspille	322f64759c	Add ansible semaphore container	2023-07-08 18:20:52 +02:00
thorstenspille	8d8618acfa	Migrate zmb-standalone to debian bookworm	2023-07-07 00:39:21 +02:00
thorstenspille	1403c03acf	Migrate zmb-member to debian bookworm	2023-07-07 00:32:38 +02:00
thorstenspille	15afd4541e	Migrate zmb-ad-join to debian bookworm	2023-07-07 00:25:39 +02:00
thorstenspille	b2df1a984b	Migrate zmb-ad to debian bookworm	2023-07-06 23:55:10 +02:00
thorstenspille	c296ea017a	Migrate zammad to debian bookworm	2023-07-06 23:40:26 +02:00
thorstenspille	3c241e3fd3	Migrate zabbix to debian bookworm	2023-07-06 22:42:27 +02:00
thorstenspille	8b563d9b98	Migrate vaultwarden to debian bookworm	2023-07-06 22:23:57 +02:00
thorstenspille	bd75acfd72	Migrate urbackup to debian bookworm	2023-07-06 22:12:25 +02:00
thorstenspille	aade290381	Migrate pbs to debian bookworm	2023-07-06 21:11:22 +02:00
thorstenspille	2a91ac74a1	Migrate open3a to debian bookworm	2023-07-06 20:57:14 +02:00
thorstenspille	12fef3afa0	Migrate onlyoffice to debian bookworm	2023-07-06 20:14:33 +02:00
thorstenspille	e15c878b4d	Migrate matrix to debian bookworm	2023-07-06 19:52:16 +02:00
Thorsten Spille	07654432df	Update README.md	2023-07-06 13:36:40 +02:00
thorstenspille	06a362d6cd	Activate external repos	2023-07-05 17:57:57 +02:00
Thorsten Spille	9ca05ed0f5	Set backup=1 or lxc mountpooint	2023-06-30 11:45:29 +02:00
thorstenspille	806cc1c604	Fixed #83	2023-06-25 08:32:01 +02:00
Danny Nakielski	713219b6d5	Upgrade Nextcloud to Postgresql 15	2023-06-25 03:20:24 +02:00
Danny Nakielski	788b09c391	Migrate Nextcloud to debian bookworm	2023-06-25 01:43:55 +02:00
thorstenspille	60366677d4	Migrate kimai to debian bookworm	2023-06-24 21:44:21 +02:00
thorstenspille	effbf224aa	Migrate gitea to debian bookworm	2023-06-24 20:43:21 +02:00
thorstenspille	cd0ee573ab	Debian bookworm for debian-priv and debian-unpriv	2023-06-24 19:37:13 +02:00
thorstenspille	d51f6a4f10	Checkmk Version 2.2p04	2023-06-24 19:26:16 +02:00
thorstenspille	c6f1e06084	Fix #82 , migrate bookstack to debian bookworm	2023-06-24 19:22:08 +02:00
thorstenspille	59220ac477	Safely create folders	2023-06-24 18:43:43 +02:00
thorstenspille	a33ad43a50	Add debian bookworm sources	2023-06-24 18:42:45 +02:00
thorstenspille	a7bcde4178	safely create .ssh folder	2023-06-24 18:40:58 +02:00
DerFossiBaer	20a158c916	Update install-service.sh Fix X-Robots-Tag issue from NC 25.0.5/26.0.0	2023-04-08 14:38:04 +02:00
Thorsten Spille	0855d37d9b	Update README.md	2023-03-14 15:49:45 +01:00
Thorsten Spille	d33223ec6e	Fix matrix admin password	2023-03-07 08:43:02 +01:00
DerFossiBaer	828c4a740c	Update install-service.sh Apt pinning Version 7.1.1	2023-02-17 14:47:31 +01:00
DerFossiBaer	69d58badf3	Update README.md Added section Kopano and Vaultwarden	2023-02-17 14:45:04 +01:00
Thorsten Spille	7baf5ad194	Add ssl-cert to base toolset	2023-02-12 20:42:38 +01:00
thorstenspille	18a8ff5f2c	Fix matrix user creation	2023-02-12 17:03:55 +01:00
Thorsten Spille	a082e03c59	Merge pull request #77 from bashclub/release-1.1 Release 1.1	2023-02-12 16:10:47 +01:00