Create zmb-ad_auto-map-root.sh

Das Script mappt den root user mit dem domain administrator und sorgt dafür dass samba-tool ohne angebe von zugangsdaten ausgeführt werden kann.

install.sh

@@ -119,8 +119,7 @@ if [ $ctid -gt 99 ]; then
   LXC_CHK=$ctid
 else
   # Get next free LXC-number
-  LXC_LST=$( lxc-ls -1 | tail -1 )
-  LXC_CHK=$((LXC_LST+1));
+  LXC_CHK=$(($(pct list | cut -d' ' -f1 | tail -1) + 1))
 fi
 
 if  [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
@@ -142,7 +141,7 @@ fi
 
 # Create the container
 set +u
-pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE,acl=1;
 set -u
 sleep 2;
 
@@ -160,9 +159,11 @@ sleep 2
 
 if [ $LXC_MP -gt 0 ]; then
   pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
-  pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
-  dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
-  zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
+  if [[ "$(pvesm status | grep $LXC_SHAREFS_STORAGE | cut -d ' ' -f6)" == "zfspool" ]]; then
+    pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
+    dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
+    zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
+  fi
 fi
 
 sleep 2;

scripts/zmb-ad_auto-map-root.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+set -e
+
+SMB_CONF="/etc/samba/smb.conf"
+USERMAP_FILE="/etc/samba/user.map"
+KEYTAB_PATH="/root/admin.keytab"
+SYSTEMD_SERVICE="/etc/systemd/system/kinit-admin.service"
+SYSTEMD_TIMER="/etc/systemd/system/kinit-admin.timer"
+BASH_PROFILE="/root/.bash_profile"
+
+# 1. Domain & Realm aus smb.conf auslesen
+DOMAIN_NAME=$(awk -F '=' '/^[[:space:]]*workgroup[[:space:]]*=/ {gsub(/ /, "", $2); print $2}' "$SMB_CONF")
+REALM_NAME=$(awk -F '=' '/^[[:space:]]*realm[[:space:]]*=/ {gsub(/ /, "", $2); print toupper($2)}' "$SMB_CONF")
+
+if [[ -z "$DOMAIN_NAME" || -z "$REALM_NAME" ]]; then
+    echo "[FEHLER] Konnte 'workgroup' oder 'realm' aus smb.conf nicht auslesen."
+    exit 1
+fi
+
+echo "[INFO] Domain: $DOMAIN_NAME"
+echo "[INFO] Realm: $REALM_NAME"
+
+# 2. user.map schreiben
+echo "!root = ${DOMAIN_NAME}\\Administrator" > "$USERMAP_FILE"
+echo "[OK] Benutzerzuordnung geschrieben in $USERMAP_FILE"
+
+# 3. smb.conf patchen
+if ! grep -q "^username map *= *$USERMAP_FILE" "$SMB_CONF"; then
+    sed -i "/^\[global\]/a username map = $USERMAP_FILE" "$SMB_CONF"
+    echo "[OK] smb.conf wurde um 'username map' ergänzt."
+else
+    echo "[INFO] 'username map' bereits gesetzt."
+fi
+
+# 4. Keytab erzeugen
+echo "[INFO] Erzeuge Keytab für Administrator..."
+samba-tool domain exportkeytab "$KEYTAB_PATH" --principal="administrator@$REALM_NAME"
+chmod 600 "$KEYTAB_PATH"
+echo "[OK] Keytab gespeichert unter $KEYTAB_PATH"
+
+# 5. systemd-Service + Timer für automatisches kinit
+echo "[INFO] Erstelle systemd-Service & Timer..."
+
+cat > "$SYSTEMD_SERVICE" <<EOF
+[Unit]
+Description=Kerberos Kinit für Administrator
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/kinit -kt $KEYTAB_PATH administrator@$REALM_NAME
+EOF
+
+cat > "$SYSTEMD_TIMER" <<EOF
+[Unit]
+Description=Kerberos Kinit für Administrator (Boot)
+
+[Timer]
+OnBootSec=10sec
+Unit=kinit-admin.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Aktivieren
+systemctl daemon-reexec
+systemctl daemon-reload
+systemctl enable --now kinit-admin.timer
+
+# 6. root-Login: .bash_profile anpassen
+echo "[INFO] Ergänze .bash_profile von root, um bei Login kinit auszuführen..."
+mkdir -p "$(dirname "$BASH_PROFILE")"
+touch "$BASH_PROFILE"
+
+# Block nur hinzufügen, wenn er nicht bereits vorhanden ist
+if ! grep -q "kinit -kt $KEYTAB_PATH administrator@$REALM_NAME" "$BASH_PROFILE"; then
+    cat >> "$BASH_PROFILE" <<EOF
+
+# Automatisches Kerberos-Ticket beim Login holen
+if ! klist -s; then
+    echo "[INFO] Kein gültiges Kerberos-Ticket – führe kinit aus..."
+    kinit -kt $KEYTAB_PATH administrator@$REALM_NAME && echo "[INFO] Kerberos-Ticket aktualisiert."
+fi
+EOF
+    echo "[OK] .bash_profile angepasst."
+else
+    echo "[INFO] .bash_profile enthält bereits kinit-Befehl."
+fi
+
+# 7. samba-ad-dc neu starten
+echo "[INFO] Starte samba-ad-dc neu..."
+systemctl restart samba-ad-dc
+
+# 8. Testausgaben
+echo "[INFO] getent passwd root:"
+getent passwd root || echo "[WARNUNG] Kein Eintrag für root"
+
+echo
+echo "[INFO] Test: samba-tool user list (falls kein Passwort kommt, war's erfolgreich):"
+samba-tool user list | head -n 5 || echo "[WARNUNG] Fehler bei samba-tool"
+

src/ansible-semaphore/install-service.sh

@@ -32,7 +32,7 @@ curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | gre
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
 
 cat << EOF > /usr/local/bin/update-semaphore
-PATH="/bin:/usr/bin:/usr/local/bin"
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 echo "Checking github for new semaphore version"
 current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
 installed_version=\$(semaphore version)
@@ -42,7 +42,7 @@ if [ \$installed_version != \$current_version ]; then
   systemctl stop semaphore.service
   echo "Downloading semaphore version \$current_version..."
   curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
-  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
+  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical dpkg -i /opt/semaphore_linux_amd64.deb
   echo "Starting semaphore.service..."
   systemctl start semaphore.service
   echo "semaphore update finished!"
@@ -141,7 +141,7 @@ cat << EOF > /etc/semaphore/config.json
  	"slack_alert": false,
  	"ldap_enable": false,
  	"ldap_needtls": false,
- 	"ssh_config_path": "~/.ssh/",
+ 	"ssh_config_path": "/home/semaphore/.ssh/",
  	"demo_mode": false,
  	"git_client": ""
  }

src/authentik/install-service.sh

@@ -95,6 +95,7 @@ AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
 # Email address authentik will send from, should have a correct @domain
 AUTHENTIK_EMAIL__FROM=
+AUTHENTIK_REDIS__DB=1
 EOF
 
 docker compose pull
@@ -104,4 +105,4 @@ case $PORTAINER in
   full) install_portainer_full ;;
   agent) install_portainer_agent ;;
   *)     echo -e "\n######################################################################\n\n   Enjoy your authentik intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
-esac
+esac

src/cloudpanel/constants-service.conf

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="home"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"

src/cloudpanel/install-service.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source zamba.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+
+curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
+echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
+DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh

src/zabbix/constants-service.conf

@@ -45,7 +45,7 @@ ZABBIX_DB_PWD="$(random_password)"
 ZABBIX_VERSION=7.0 #zabbix 7 beta
 POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
 PHP_VERSION=8.2 # debian 12 default
-TS_VERSION=2.14.2 # currently latest by zabbix supported version of timescaledb (2024-05-13)
+TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096

src/zabbix/install-service.sh

@@ -18,7 +18,7 @@ apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "h
 apt update
 
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
 
 unlink /etc/nginx/sites-enabled/default
 
@@ -233,4 +233,4 @@ generate_dhparam
 
 systemctl enable nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 
 
-systemctl restart nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 > /dev/null 2>&1
+systemctl restart nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 > /dev/null 2>&1

src/zmb-ad-join/install-service.sh

@@ -35,7 +35,7 @@ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
 
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d

src/zmb-ad/install-service.sh

@@ -35,7 +35,7 @@ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d