Merge pull request #121 from bashclub/dev

Fix zabbix container
Update constants-service.conf
2025-04-19 11:49:48 +02:00 · 2024-11-14 22:19:50 +01:00 · 2024-11-14 22:01:10 +01:00 · 2024-11-14 21:36:45 +01:00 · 2024-07-12 22:50:55 +02:00 · 2024-07-12 22:49:06 +02:00
85 changed files with 6164 additions and 621 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,5 @@
 *__pycache__*
 .vscode/*
+conf/*
+!conf/README.md
+!conf/zamba.conf.example
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,12 +0,0 @@
-**** Zamba LXC Toolbox v0.1 ****
- `locales` are now configured noninteractive #21
- timezone is now configured with `pct set` command in `install.sh` #22
- changed command sequence in `install.sh` - select container first, then start the installation
- improved / updated documentation
- replaced `just-lxc` container by `debian-priv` and `debian-unpriv` container
- (un)privileged now defined as constant based on created service #6
- improved log messages in `install.sh`
- `mailpiler`: website is now also `default_host`, removed nginx default site, dns entry is still required
- changed `mailpiler` version to 1.3.11
- changed `element-web` version to 1.7.25
- `LXC_AUTHORIZED_KEY` variable now defines an `authorized_keys` file, by default the configuration of you proxmox host will be inherited (`~/.ssh/authorized_keys`)
--- a/README.md
+++ b/README.md
@ -5,15 +5,32 @@ Zamba LXC Toolbox is a collection of scripts to easily install Debian LXC contai
 The main feature is `Zamba`, the fusion of ZFS and Samba in three different flavours (standalone, active directory dc or active directory member), preconfigured to access ZFS snapshots by "Windows Previous Versions" to easily recover encrypted by ransomware files, accidently deleted files or just to revert changes.
 The package also provides LXC container installers for `mailpiler`, `matrix-synapse` + `element-web` and more services will follow in future releases.
 ### Requirements
-Proxmox VE Server with at least one configured ZFS Pool.
+Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 ### Included services:
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
+- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/)
+- `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/)
+- `debian-priv` => Debian privileged container with basic toolset
+- `debian-unpriv` => Debian unprivileged container with basic toolset
+- `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de)
+- `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
+- `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/)
+- `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/)
 - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
 - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `debian-unpriv` => Debian privileged container with basic toolset
+- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
+- `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/)
+- `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
+- `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
+- `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
+- `unifi` => Unifi Controller [ui.com](https://ui.com)
+- `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
+- `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
+- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
+- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
+- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
+- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
+- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support
+- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support
 ## Usage
 Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
 ```bash
@ -26,14 +43,32 @@ git clone https://github.com/bashclub/zamba-lxc-toolbox
 cd zamba-lxc-toolbox
 ```
 ### Configuration
-To fit your requirements, please edit the file `zamba.conf` with your favourite text editor (e.g. `vim` or `nano`).
-The required adjustments are in the LXC container section and in the section for the service you want to launch.
-For further information about the config variables, have a look at [zamba.conf.md](zamba.conf.md)
+Copy `zamba.conf.example` located in `conf` directory to a new file (default: `zamba.conf`) and adjust your desired settings.
+For further information about configuration variables, have a look at [conf/README.md](conf/README.md)
+```bash
+cp conf/zamba.conf.example conf/zamba.conf
+```
 ### Installation
-After configuring, you are able to launch the script interactively:
+After configuring, you are able to launch the script interactively (only works with `conf/zamba.conf`):
 ```bash
 bash install.sh
 ```
+### Advanced Usage
+You can set optional parameters (config file, service, container id):
+#### Example:
+```bash
+bash install.sh -i 280 -c conf/my-zmb-service.conf -s zmb-member
+```
+You can also view possible parameters with `install.sh -h`
+
 After container creation, you will be prompted to select the service to install and depending on the service there may be some more questions during installation.

 Once the script has finished, the container is installed and running and you can continue with the service specific configuration.
+
+# Authors
+
+### Markus Helmke
+[<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/nettwarker)
+
+### Thorsten Spille
+[<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/thorakel)
--- a/conf/README.md
+++ b/conf/README.md
@ -1,4 +1,5 @@
-# `zamba.conf` options reference
+# USE THIS FOLDER TO STORE YOUR OWN ZMB CONFIGS
+# Configuration options reference
 This is the reference of all config options you can set in `zamba.conf`
 <br>

@ -39,24 +40,30 @@ LXC_SHAREFS_MOUNTPOINT="tank"
 ```
 ### LXC_MEM
 Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
+If a service needs more minimum memory, LXC_MEM will be overwritten.
 ```bash
-LXC_MEM="1024"
+LXC_MEM=1024
 ```
 ### LXC_SWAP
 Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
 ```bash
-LXC_SWAP="1024"
+LXC_SWAP=1024
 ```
 ### LXC_HOSTNAME
-Defines the hostname of your LXC container
+Defines the hostname of your LXC container (Default: Name of installed Service)
 ```bash
-LXC_SWAP="zamba"
+LXC_HOSTNAME="zamba"
 ```
 ### LXC_DOMAIN
 Defines the domain name / search domain of your LXC container
 ```bash
 LXC_DOMAIN="zmb.rocks"
 ```
+### LXC_DHCP
+Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
+```bash
+LXC_DHCP=false
+```
 ### LXC_IP
 Defines the local IP address and subnet of your LXC container in CIDR format
 ```bash
@ -87,7 +94,7 @@ LXC_VLAN="80"
 ### LXC_PWD
 Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour.
 ```bash
-LXC_PWD="S3cr3tp@ssw0rd"
+LXC_PWD="Start!123"
 ```
 ### LXC_AUTHORIZED_KEY
 Defines an authorized_keys file to push into the LXC container.
@ -98,7 +105,7 @@ LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
 ### LXC_TOOLSET
 Define your (administrative) tools, you always want to have installed into your LXC container
 ```bash
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
 ```
 ### LXC_TIMEZONE
 Define the local timezone of your LXC container (default: Euroe/Berlin)
@ -111,6 +118,13 @@ Define system language on LXC container (locales)
 LXC_LOCALE="de_DE.utf8"
 ```
 This parameter is not used yet, but will be integrated in future releases.
+
+### LXC_VIM_BG_DARK
+Set dark background for vim syntax highlighting (0 or 1)
+```bash
+LXC_VIM_BG_DARK=1
+```
+
 <br>

 ## Zamba Server Section
@ -127,11 +141,6 @@ Defines the domain name in your Active Directory or Workgroup (AD DC, AD member,
 ```bash
 ZMB_DOMAIN="ZMB"
 ```
-### ZMB_DNS_BACKEND
-Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-```bash
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-```
 ### ZMB_ADMIN_USER
 Defines the name of your domain administrator account (AD DC, AD member, standalone)
 ```bash
@ -140,7 +149,7 @@ ZMB_ADMIN_USER="Administrator"
 ### ZMB_ADMIN_PASS
 Defines the domain administrator's password (AD DC, AD member).
 ```bash
-ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
+ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour.
 `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
@ -163,22 +172,7 @@ PILER_FQDN="piler.zmb.rocks"
 ### PILER_SMARTHOST
 Defines the smarthost for piler mail archive
 ```bash
-PILER_SMARTHOST="10.10.80.20"
-```
-### PILER_VERSION
-Defines the version number of piler mail archive to install
-```bash
-PILER_VERSION="1.3.10"
-```
-### PILER_SPHINX_VERSION
-Defines the version of sphinx to install
-```bash
-PILER_SPHINX_VERSION="3.3.1"
-```
-### PILER_PHP_VERSION
-Defines the php version to install
-```bash
-PILER_PHP_VERSION="7.4"
+PILER_SMARTHOST="your.mailserver.tld"
 ```
 <br>

@ -197,13 +191,139 @@ Define the FQDN for the Element Web virtual host
 ```bash
 MATRIX_ELEMENT_FQDN="element.zmb.rocks"
 ```
-### MATRIX_ELEMENT_VERSION
-Define the version of Element Web
+
+### MATRIX_ADMIN_USER
+Define the administrative user of matrix service
 ```bash
-MATRIX_ELEMENT_VERSION="v1.7.24"
+MATRIX_ADMIN_USER="admin"
 ```
-### MATRIX_JITSI_FQDN
-Define the FQDN for the Jitsi Meet virtual host
+
+### MATRIX_ADMIN_PASSWORD
+Define the admin password
 ```bash
-MATRIX_JITSI_FQDN="meet.zmb.rocks"
+MATRIX_ADMIN_PASSWORD="Start!123"
 ```
+
+## Nextcloud-Section
+
+### NEXTCLOUD_FQDN
+Define the FQDN of your Nextcloud server
+```bash
+NEXTCLOUD_FQDN="nc1.zmb.rocks"
+```
+
+### NEXTCLOUD_ADMIN_USR
+The initial admin-user which will be configured
+```bash
+NEXTCLOUD_ADMIN_USR="zmb-admin"
+```
+
+### NEXTCLOUD_ADMIN_PWD
+Build a strong password for this user. Username and password will shown at the end of the instalation. 
+```bash
+NEXTCLOUD_ADMIN_PWD="$(random_password)"
+```
+### NEXTCLOUD_DATA
+Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
+```bash
+NEXTCLOUD_DATA="nc_data"
+```
+### NEXTCLOUD_REVPROX
+Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+```bash
+NEXTCLOUD_REVPROX="192.168.100.254"
+```
+
+## Check_MK-Section
+
+### CMK_INSTANCE
+Define the name of your checkmk instance
+```bash
+CMK_INSTANCE=zmbrocks
+```
+
+### CMK_ADMIN_PW
+Define the password of user 'cmkadmin'
+```bash
+CMK_ADMIN_PW='Start!123'
+```
+
+### CMK_EDITION
+checkmk edition (raw or free)
+- raw = completely free
+- free = limited version of the enterprise edition (25 hosts, 1 instance)
+```bash
+CMK_EDITION=raw
+```
+### Kopano-Section
+
+### KOPANO_FQDN
+Define the FQDN of your Nextcloud server
+```bash
+KOPANO_FQDN="kopano.zmb.rocks
+```
+
+
+### KOPANO_MAILGW=
+Define the host, to which mails will send.
+```bash
+KOPANO_MAILGW="192.168.100.254"
+```
+
+### KOPANO_REPKEY
+Kopano test- or subscription-key offerd from 
+https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+11
+```bash
+KOPANO_REPKEY="1234567890abcdefghijklmno"
+```
+
+### vaultwarden Section
+
+### VW_SMTP_HOST
+Hostname of your mailserver
+```bash
+VW_SMTP_HOST=mail.bashclub.org
+```
+
+### VW_SMTP_FROM
+email address to send from
+```bash
+VW_SMTP_FROM="vaultwarden@bashclub.org"
+```
+
+### VW_SMTP_FROM_NAME
+display name to send from
+```bash
+VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
+```
+
+### VW_SMTP_PORT
+Smtp-port of your mailserver
+```bash
+VW_SMTP_PORT=587
+```
+
+### VW_SMTP_SSL
+Use ssl true/false
+```bash
+VW_SMTP_SSL=true
+```
+
+### VW_SMTP_EXPLICIT_TLS
+Use starttls true/false
+```bash
+VW_SMTP_EXPLICIT_TLS=false
+```
+
+### VW_SMTP_USERNAME
+Username of your mailbox
+```bash
+VW_SMTP_USERNAME=vaultwarden@bashclub.org
+```
+
+### VW_SMTP_PASSWORD
+Password of your mailbox
+```bash
+VW_SMTP_PASSWORD='<yourEmailPassword>'
+```
+
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@ -25,20 +25,27 @@ LXC_SHAREFS_SIZE="100"
 # Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
 LXC_SHAREFS_STORAGE="local-zfs"
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="tank"
+# Moved to constants-service.conf, be careful if you override this value
+# LXC_SHAREFS_MOUNTPOINT="tank"
+
+# cpu core count (default: 0 = unlimited)
+LXC_THREADS=0

 # Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
-LXC_MEM="1024"
+LXC_MEM=1024

 # Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
-LXC_SWAP="1024"
+LXC_SWAP=1024

 # Defines the hostname of your LXC container
-LXC_HOSTNAME="zamba"
+LXC_HOSTNAME="${service}"

 # Defines the domain name / search domain of your LXC container
 LXC_DOMAIN="zmb.rocks"

+# Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
+LXC_DHCP=false
+
 # Defines the local IP address and subnet of your LXC container in CIDR format
 LXC_IP="192.168.100.200/24"

@ -54,23 +61,41 @@ LXC_DNS="192.168.100.254"
 LXC_BRIDGE="vmbr0"

 # Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
-LXC_VLAN=
+LXC_VLAN=NONE

 # Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
-LXC_PWD='S3cr3tp@ssw0rd'
+LXC_PWD='Start!123'

 # Defines an authorized_keys file to push into the LXC container.
 # By default the authorized_keys will be inherited from your proxmox host.
 LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys

 # Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"

 # Define the local timezone of your LXC container (default: Euroe/Berlin)
 LXC_TIMEZONE="Europe/Berlin"

 # Define system language on LXC container (locales)
-LXC_LOCALE=de_DE.UTF-8
+# With this paramater you can generate additional locales, the default language will be inherited from proxmox host.
+# en_US.UTF-8  english
+# de_DE.UTF-8  german (default)
+LXC_LOCALE="de_DE.UTF-8"
+
+# Set dark background for vim syntax highlighting (0 or 1)
+LXC_VIM_BG_DARK=1
+
+# Default random password length
+LXC_RANDOMPWD=32
+
+# Move lxc to specific ressource pool
+LXC_RESSOURCE_POOL=""
+
+# Automatically add meta tags to lxc container
+LXC_AUTOTAG=1
+
+# Add meta tags to linux container
+LXC_TAGS="linux,debian,${service}"

 ############### Zamba-Server-Section ###############

@ -79,30 +104,18 @@ ZMB_REALM="ZMB.ROCKS"
 # Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
 ZMB_DOMAIN="ZMB"

-# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-
 # Defines the name of your domain administrator account (AD DC, AD member, standalone)
 ZMB_ADMIN_USER="administrator"
 # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
 # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
-ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
+ZMB_ADMIN_PASS='Start!123'

 # Defines the name of your Zamba share
 ZMB_SHARE="share"

 ############### Mailpiler-Section ###############

-# Defines the (public) FQDN of your piler mail archive
-PILER_FQDN="piler.zmb.rocks"
-# Defines the smarthost for piler mail archive
-PILER_SMARTHOST="your.mailserver.tld"
-# Defines the version number of piler mail archive to install
-PILER_VERSION="1.3.11"
-# Defines the version of sphinx to install
-PILER_SPHINX_VERSION="3.3.1"
-# Defines the php version to install
-PILER_PHP_VERSION="7.4"
+PILER_BRANCH=release

 ############### Matrix-Section ###############

@ -112,8 +125,101 @@ MATRIX_FQDN="matrix.zmb.rocks"
 # Define the FQDN for the Element Web virtual host
 MATRIX_ELEMENT_FQDN="element.zmb.rocks"

-# Define the version of Element Web
-MATRIX_ELEMENT_VERSION="v1.7.25"
+# Define the administrative user of matrix service
+MATRIX_ADMIN_USER="admin"

-# Define the FQDN for the Jitsi Meet virtual host
-MATRIX_JITSI_FQDN="meet.zmb.rocks"
+# Define the admin password
+MATRIX_ADMIN_PASSWORD='Start!123'
+
+############### Nextcloud-Section ###############
+
+# Define the FQDN of your Nextcloud server
+NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
+
+# The initial admin-user which will be configured
+NEXTCLOUD_ADMIN_USR="zmb-admin"
+
+# Build a strong password for this user. Username and password will shown at the end of the installation. 
+# NEXTCLOUD_ADMIN_PWD='very_secure_password'
+
+# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
+NEXTCLOUD_DATA="nc_data"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+NEXTCLOUD_REVPROX="192.168.100.254"
+
+############### Check_MK-Section ###############
+
+# Define the name of your checkmk instance
+CMK_INSTANCE=zmbrocks
+
+# Define the password of user 'cmkadmin'
+CMK_ADMIN_PW='Start!123'
+
+# checkmk edition (raw or free)
+# raw = completely free
+# free = limited version of the enterprise edition (25 hosts, 1 instance)
+CMK_EDITION=raw
+
+############### Kopano-Section ###############
+
+# Define the FQDN of your Nextcloud server
+KOPANO_FQDN="kopano.zmb.rocks"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+KOPANO_MAILGW="192.168.100.254"
+
+# Kopano test- or subscription-key offerd from 
+# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
+KOPANO_REPKEY="1234567890abcdefghijklmno"
+
+############### vaultwarden Section ###############
+
+# Enable/disable signups (true/false)
+VW_SIGNUPS_ALLOWED=false
+
+# Hostname of your mailserver
+VW_SMTP_HOST=mail.bashclub.org
+
+# email address to send from
+VW_SMTP_FROM="vaultwarden@bashclub.org"
+
+# display name to send from
+VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
+
+# port of your mailserver
+VW_SMTP_PORT=587
+
+# use ssl?
+VW_SMTP_SSL=true
+
+# use starttls?
+VW_SMTP_EXPLICIT_TLS=false
+
+# username of your mailbox
+VW_SMTP_USERNAME=vaultwarden@bashclub.org
+
+# password of your mailbox
+VW_SMTP_PASSWORD='<yourEmailPassword>'
+
+############### ansible-semaphore Section ###############
+
+SEMAPHORE_ADMIN=admin
+SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
+SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
+SEMAPHORE_ADMIN_PASSWORD='Start123'
+
+############### docker Section ###############
+
+# Install Portainer (=full), Protainer Agent (=agent) or none
+PORTAINER=none
+
+############### zabbix Section ###############
+
+# (Zabbix Proxy) Name:Port of the zabbix server
+ZBX_ADDR=zabbix.zmb.rocks:10051
+
+############### freescout Section ################
+FS_FIRSTNAME=Max
+FS_LASTNAME=Mustermann
+FS_EMAIL=mail@zmb.rocks
--- a/debian-priv.sh
+++ b/debian-priv.sh
@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
-sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
--- a/debian-unpriv.sh
+++ b/debian-unpriv.sh
@ -1,18 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-dpkg-reconfigure locales
-
-source /root/zamba.conf
-
-# Set Timezone
-ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
-sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
--- a/install.sh
+++ b/install.sh
@ -1,4 +1,5 @@
 #!/bin/bash
+set -euo pipefail

 # This script will create and fire up a standard debian buster lxc container on your Proxmox VE.
 # On a Proxmox cluster, the script will create the container on the local node, where it's executed.
@ -15,78 +16,111 @@
 # Please adjust th settings in 'zamba.conf' to your needs before running the script

 ############### ZAMBA INSTALL SCRIPT ###############
+prog="$(basename $0)"

-# Load configuration file
-source $PWD/zamba.conf
+usage() {
+	cat >&2 <<-EOF
+	usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
+	  installs a preconfigured lxc container on your proxmox server
+    -i CTID      provide a container id instead of auto detection
+    -s SERVICE   provide the service name and skip the selection dialog
+    -c CFGFILE   use a different config file than 'zamba.conf'
+    -d           Debug mode inside LXC container
+    -h           displays this help text
+  ---------------------------------------------------------------------------
+    (C) 2021     zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
+  ---------------------------------------------------------------------------

-LXC_MP="0"
-LXC_UNPRIVILEGED="1"
-LXC_NESTING="0"
+	EOF
+	exit $1
+}

-select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
+ctid=0
+service=ask
+config=$PWD/conf/zamba.conf
+debug=0
+
+while getopts "hi:s:c:d" opt; do
  case $opt in
-    debian-unpriv)
-      echo "Debian-only LXC container unprivileged mode selected"
-      break
-      ;;
-    debian-priv)
-      echo "Debian-only LXC container privileged mode selected"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-standalone)
-      echo "Configuring LXC container '$opt'!"
-      LXC_MP="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-member)
-      echo "Configuring LXC container '$opt'!"
-      LXC_MP="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-ad)
-      echo "Selected Zamba AD DC"
-      LXC_NESTING="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    mailpiler)
-      echo "Configuring LXC container for '$opt'!"
-      LXC_NESTING="1"
-      break
-      ;;
-    matrix)
-      echo "Install Matrix chat server and element web service"
-      break
-      ;;
-    quit)
-      echo "Script aborted by user interaction."
-      exit 0
-      ;;
-    *)
-      echo "Invalid option! Exiting..."
-      exit 1
-      ;;
+    h) usage 0 ;;
+    i) ctid=$OPTARG ;;
+    s) service=$OPTARG ;;
+    c) config=$OPTARG ;;
+    d) debug=1 ;;
+    *) usage 1 ;;
  esac
 done
+shift $((OPTIND-1))

-# CHeck is the newest template available, else download it.
-DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep debian-10-standard | cut -d'_' -f2)
-DEB_REP=$(pveam available --section system | grep debian-10-standard | cut -d'_' -f2)
+OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n)

-if [[ $DEB_LOC == $DEB_REP ]];
-then
-  echo "Newest Version of Debian 10 Standard $DEP_REP exists.";
+valid=0
+if [[ "$service" == "ask" ]]; then
+  select svc in $OPTS quit; do
+    if [[ "$svc" != "quit" ]]; then
+       for line in $OPTS; do
+        if [[ "$svc" == "$line" ]]; then
+          service=$svc
+          echo "Installation of $service selected."
+          valid=1
+          break
+        fi
+      done
    else
-  echo "Will now download newest Debian 10 Standard $DEP_REP.";
-  pveam download $LXC_TEMPLATE_STORAGE debian-10-standard_$DEB_REP\_amd64.tar.gz
+      echo "Selected 'quit' exiting without action..."
+      exit 0
+    fi
+    if [[ "$valid" == "1" ]]; then
+      break
+    fi
+  done
+else
+  for line in $OPTS; do
+    if [[ "$service" == "$line" ]]; then
+      echo "Installation of $service selected."
+      valid=1
+      break
+    fi
+  done
 fi

+if [[ "$valid" != "1" ]]; then
+  echo "Invalid option, exiting..."
+  usage 1
+fi
+
+# Load configuration file
+echo "Loading config file '$config'..."
+if [ ! -e "$config" ]; then
+  echo "Configuration files does not exist"
+  exit 1
+fi
+
+source "src/functions.sh"
+
+source "$config"
+
+source "$PWD/src/$service/constants-service.conf"
+
+if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
+  LXC_MEM=$LXC_MEM_MIN
+fi
+
+if [ $LXC_AUTOTAG -gt 0 ]; then
+  TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}"
+fi
+
+# Check is the newest template available, else download it.
+pveam update
+TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
+pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
+
+if [ $ctid -gt 99 ]; then
+  LXC_CHK=$ctid
+else
  # Get next free LXC-number
-LXC_LST=$( lxc-ls | egrep -o '.{1,5}$' )
-LXC_CHK=$((LXC_LST+1));
+  LXC_CHK=$(($(pct list | cut -d' ' -f1 | tail -1) + 1))
+fi

 if  [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
  LXC_NBR=$(pvesh get /cluster/nextid);
@ -95,47 +129,77 @@ else
 fi
 echo "Will now create LXC Container $LXC_NBR!";

+if [ $LXC_THREADS -gt 0 ]; then
+  LXC_CORES=--cores\ $LXC_THREADS
+fi
+
+
+if [[ $LXC_RESSOURCE_POOL != "" ]]; then
+  LXC_POOL=--pool\ $LXC_RESSOURCE_POOL
+fi
+
+
 # Create the container
-pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/debian-10-standard_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+set +u
+pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE,acl=1;
+set -u
 sleep 2;

 # Check vlan configuration
-if [[ $LXC_VLAN != "" ]];then
-  VLAN=",tag=$LXC_VLAN"
-else
- VLAN=""
-fi
+if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME \-nameserver $LXC_DNS -searchdomain $LXC_DOMAIN -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
+if [ $LXC_DHCP == true ]; then
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
+else
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
+fi
+
 sleep 2

 if [ $LXC_MP -gt 0 ]; then
-  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
+  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
+  if [[ "$(pvesm status | grep $LXC_SHAREFS_STORAGE | cut -d ' ' -f6)" == "zfspool" ]]; then
+    pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
+    dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
+    zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
  fi
+fi
+
 sleep 2;

 PS3="Select the Server-Function: "

 pct start $LXC_NBR;
 sleep 5;
-# Set the root password and key
-echo "Setting root password"
-echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
-echo "Creating /root/.ssh"
-lxc-attach -n$LXC_NBR mkdir /root/.ssh;
-echo "Copying authorized_keys"
+# Set the root ssh key
+pct exec $LXC_NBR -- mkdir -p /root/.ssh
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
-echo "Copying sources.list"
-pct push $LXC_NBR ./sources.list /etc/apt/sources.list
-echo "Copying zamba.conf"
-pct push $LXC_NBR ./zamba.conf /root/zamba.conf
-echo "Copying install script"
-pct push $LXC_NBR ./$opt.sh /root/$opt.sh
-echo "Install '$opt'!"
-lxc-attach -n$LXC_NBR bash /root/$opt.sh
+pct push $LXC_NBR "$config" /root/zamba.conf
+pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
+pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
+pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
+pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
+pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
+pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
+pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf

-if [[ $opt == "zmb-ad" ]]; then
-  pct stop $LXC_NBR
-  pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
-  pct start $LXC_NBR
+if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
+
+echo "Installing basic container setup..."
+pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh"
+echo "Install '$service'!"
+pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh"
+
+pct shutdown $LXC_NBR
+if [[ $service == "zmb-ad" ]]; then
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
+elif [[ $service == "zmb-ad-join" ]]; then
+  pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
+fi
+pct start $LXC_NBR
+if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
+  sleep 5
+  pct exec $LXC_NBR /usr/local/bin/smb-backup 7
 fi
--- a/mailpiler.sh
+++ b/mailpiler.sh
@ -1,187 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-HOSTNAME=$(hostname -f)
-
-echo "Ensure your Hostname is set to your Piler FQDN!"
-
-echo $HOSTNAME
-
-if 
-    [ "$HOSTNAME" != "$PILER_FQDN" ]
-then
-        echo "Hostname doesn't match PILER_FQDNain! Check install.sh, /etc/hosts, /etc/hostname." && exit
-else
-        echo "Hostname matches PILER_FQDNAIN, so starting installation."
-fi
-
-apt update && apt full-upgrade -y
-
-apt install -y $LXC_TOOLSET build-essential libwrap0-dev libpst-dev tnef libytnef0-dev unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 software-properties-common libpoppler-dev openssl libssl-dev memcached telnet nginx mariadb-server default-libmysqlclient-dev python-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23
-
-# install php
-wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
-echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
-
-apt update && apt install -y php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
-
-apt purge -y postfix
-
-cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
-innodb_buffer_pool_size=256M
-innodb_flush_log_at_trx_commit=1
-innodb_log_buffer_size=64M
-innodb_log_file_size=16M
-query_cache_size=0
-query_cache_type=0
-query_cache_limit=2M
-EOF
-
-systemctl restart mariadb
-
-cd /tmp
-wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
-tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
-
-groupadd piler
-useradd -g piler -m -s /bin/bash -d /var/piler piler
-usermod -L piler
-chmod 755 /var/piler
-
-wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
-tar -xvzf piler-$PILER_VERSION.tar.gz
-cd piler-$PILER_VERSION/
-./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
-make
-make install
-ldconfig
-
-cp util/postinstall.sh util/postinstall.sh.bak
-sed -i "s/   PILER_SMARTHOST=.*/   PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
-sed -i 's/   WWWGROUP=.*/   WWWGROUP="www-data"/' util/postinstall.sh
-
-make postinstall
-
-cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
-sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
-sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
-
-su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
-
-/etc/init.d/rc.piler start
-/etc/init.d/rc.searchd start
-
-update-rc.d rc.piler defaults
-update-rc.d rc.searchd defaults
-
-mkdir -p /etc/nginx/ssl
-openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
-
-cd /etc/nginx/sites-available
-cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
-ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
-
-sed -i "s|PILER_HOST|$PILER_FQDN default_host|g" /etc/nginx/sites-available/piler-nginx.conf
-sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
-
-sed -i "/server_name.*/a \\
-        listen 443 ssl http2;\n\n\
-        ssl_certificate /etc/nginx/ssl/piler.crt;\n\
-        ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
-        ssl_session_timeout 1d;\n\
-        ssl_session_cache shared:SSL:15m;\n\
-        ssl_session_tickets off;\n\n\
-        # modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
-        ssl_protocols TLSv1.2 TLSv1.3;\n\
-        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
-        ssl_prefer_server_ciphers off;\n\n\
-        add_header X-Frame-Options SAMEORIGIN;\n\
-        add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
-
-sed -i "/^server {.*/i\
-server {\n\
-        listen 80;\n\
-        server_name $PILER_FQDN default_host;\n\
-        server_tokens off;\n\
-        # HTTP to HTTPS redirect.\n\
-        return 301 https://\$host\$request_uri;\n\
-}" /etc/nginx/sites-available/piler-nginx.conf
-
-cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
-sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
-cat >> /usr/local/etc/piler/config-site.php <<EOF
-
-// CUSTOM
-\$config['PROVIDED_BY'] = '$PILER_FQDN';
-\$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
-\$config['COMPATIBILITY'] = '';
-
-// fancy features.
-\$config['ENABLE_INSTANT_SEARCH'] = 1;
-\$config['ENABLE_TABLE_RESIZE'] = 1;
-
-\$config['ENABLE_DELETE'] = 1;
-\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
-
-// general settings.
-\$config['TIMEZONE'] = '$LXC_TIMEZONE';
-
-// authentication
-// Enable authentication against an imap server
-//\$config['ENABLE_IMAP_AUTH'] = 1;
-//\$config['RESTORE_OVER_IMAP'] = 1;
-//\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
-//\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
-//\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['IMAP_PORT'] =  993;
-//\$config['IMAP_SSL'] = true;
-
-// authentication against an ldap directory (disabled by default)
-//\$config['ENABLE_LDAP_AUTH'] = 1;
-//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['LDAP_PORT'] = 389;
-//\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
-//\$config['LDAP_MAIL_ATTR'] = 'mail';
-//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
-//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
-//\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
-
-// authentication against an Uninvention based ldap directory 
-//\$config['ENABLE_LDAP_AUTH'] = 1;
-//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['LDAP_PORT'] = 7389;
-//\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
-//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
-//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
-//\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
-//\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
-//\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
-//\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
-
-// special settings.
-\$config['MEMCACHED_ENABLED'] = 1;
-\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
-EOF
-
-rm /etc/nginx/sites-enabled/default
-
-nginx -t && systemctl restart nginx
-
-apt autoremove -y
-apt clean -y
--- a/scripts/nextcloud-update
+++ b/scripts/nextcloud-update
@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# Update nextcloud
+# place in /etc/cron.daily and make executable with chmod +x  /etc/cron.daily/nextcloud-update
+user=www-data
+phpversion=php8.0
+path=/var/www/nextcloud
+
+alias ncc="sudo -u $user $phpversion $path/occ"
+alias updater="sudo -u $user $phpversion $path/updater/updater.phar"
+
+updater --no-backup --no-interaction
+
+subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade")
+for cmd in ${subcommands[@]}; do
+  ncc -n $cmd
+done
--- a/sources.list
+++ b/sources.list
@ -1,6 +0,0 @@
-deb http://ftp.de.debian.org/debian buster main contrib
-
-deb http://ftp.de.debian.org/debian buster-updates main contrib
-
-# security updates
-deb http://security.debian.org buster/updates main contrib
--- a/src/ansible-semaphore/constants-service.conf
+++ b/src/ansible-semaphore/constants-service.conf
@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# Defines the name from the SQL database
+SEMAPHORE_DB_NAME="semaphore"
+
+# Defines the name from the SQL user
+SEMAPHORE_DB_USR="semaphore"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+SEMAPHORE_DB_PWD="$(random_password)"
+
+# service dependent meta tags
+SERVICE_TAGS="postgresql,nginx"
--- a/src/ansible-semaphore/install-service.sh
+++ b/src/ansible-semaphore/install-service.sh
@ -0,0 +1,222 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip ansible ansible-lint
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER semaphore WITH PASSWORD '${SEMAPHORE_DB_PWD}';"
+psql -c "CREATE DATABASE ${SEMAPHORE_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${SEMAPHORE_DB_USR};"
+echo "Postgres User ${SEMAPHORE_DB_USR} and database ${SEMAPHORE_DB_NAME} created."
+EOF
+
+curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
+
+cat << EOF > /usr/local/bin/update-semaphore
+PATH="/bin:/usr/bin:/usr/local/bin"
+echo "Checking github for new semaphore version"
+current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
+installed_version=\$(semaphore version)
+echo "Installed semaphore version is \$installed_version"
+if [ \$installed_version != \$current_version ]; then
+  echo "New semaphore version \$current_version available. Stopping semaphore.service"
+  systemctl stop semaphore.service
+  echo "Downloading semaphore version \$current_version..."
+  curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
+  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
+  echo "Starting semaphore.service..."
+  systemctl start semaphore.service
+  echo "semaphore update finished!"
+else
+  echo "semaphore version is up-to-date!"
+fi
+EOF
+chmod +x /usr/local/bin/update-semaphore
+
+useradd -m -r -s /bin/bash semaphore
+sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
+
+cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
+DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
+EOF
+chmod +x /etc/apt/apt.conf.d/80-semaphore-apt-hook
+
+cat << EOF > /etc/systemd/system/semaphore.service
+[Unit]
+Description=Semaphore Ansible
+Documentation=https://github.com/semaphoreui/semaphore
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+ExecReload=/bin/kill -HUP \$MAINPID
+ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
+SyslogIdentifier=semaphore
+Restart=always
+User=semaphore
+Group=semaphore
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+mkdir -p /etc/semaphore
+
+cat << EOF > /etc/semaphore/config.json
+{
+ 	"mysql": {
+ 		"host": "",
+ 		"user": "",
+ 		"pass": "",
+ 		"name": "",
+ 		"options": null
+ 	},
+ 	"bolt": {
+ 		"host": "",
+ 		"user": "",
+ 		"pass": "",
+ 		"name": "",
+ 		"options": null
+ 	},
+ 	"postgres": {
+ 		"host": "127.0.0.1:5432",
+ 		"user": "${SEMAPHORE_DB_USR}",
+ 		"pass": "${SEMAPHORE_DB_PWD}",
+ 		"name": "${SEMAPHORE_DB_NAME}",
+ 		"options": {
+ 			"sslmode": "disable"
+ 		}
+ 	},
+ 	"dialect": "postgres",
+ 	"port": "",
+ 	"interface": "",
+ 	"tmp_path": "/tmp/semaphore",
+ 	"cookie_hash": "$(head -c32 /dev/urandom | base64)",
+ 	"cookie_encryption": "$(head -c32 /dev/urandom | base64)",
+ 	"access_key_encryption": "$(head -c32 /dev/urandom | base64)",
+ 	"email_sender": "",
+ 	"email_host": "",
+ 	"email_port": "",
+ 	"email_username": "",
+ 	"email_password": "",
+ 	"web_host": "",
+ 	"ldap_binddn": "",
+ 	"ldap_bindpassword": "",
+ 	"ldap_server": "",
+ 	"ldap_searchdn": "",
+ 	"ldap_searchfilter": "",
+ 	"ldap_mappings": {
+ 		"dn": "",
+ 		"mail": "",
+ 		"uid": "",
+ 		"cn": ""
+ 	},
+ 	"telegram_chat": "",
+ 	"telegram_token": "",
+ 	"slack_url": "",
+ 	"max_parallel_tasks": 0,
+ 	"email_alert": false,
+ 	"email_secure": false,
+ 	"telegram_alert": false,
+ 	"slack_alert": false,
+ 	"ldap_enable": false,
+ 	"ldap_needtls": false,
+ 	"ssh_config_path": "~/.ssh/",
+ 	"demo_mode": false,
+ 	"git_client": ""
+ }
+EOF
+
+if [ -f /etc/nginx/sites-enabled/default ]; then
+  unlink /etc/nginx/sites-enabled/default
+fi
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/semaphore.access.log;
+    error_log /var/log/nginx/semaphore.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/semaphore.access.log;
+    error_log  /var/log/nginx/semaphore.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+EOF
+
+echo "source <(semaphore completion bash)" >> /root/.bashrc
+semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json
+
+
+generate_dhparam
+
+systemctl daemon-reload
+systemctl enable --now semaphore.service
+systemctl restart nginx.service
+
+
+echo -e "\n######################################################################\n\n    Please note this user and password for the semaphore login:\n        '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n                Enjoy your semaphore intallation.\n\n######################################################################"
--- a/src/apt/constants-service.conf
+++ b/src/apt/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="srv"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="aptly,nginx"
--- a/src/apt/install-service.sh
+++ b/src/apt/install-service.sh
@ -0,0 +1,273 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+source /etc/os-release
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
+
+# Create gpg key for apt repo signing
+gpg --batch --gen-key <<EOF
+Key-Type: 1
+Key-Length: 4096
+Subkey-Type: 1
+Subkey-Length: 4096
+Name-Real: ${AM_COMPANY_NAME}
+Name-Email: ${AM_COMPANY_EMAIL}
+Expire-Date: 0
+%no-protection
+EOF
+
+if [ -f /etc/nginx/sites-enabled/default ]; then
+  unlink /etc/nginx/sites-enabled/default
+fi
+
+cat << EOF > /etc/aptly.conf
+{
+  "rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
+  "downloadConcurrency": 4,
+  "downloadSpeedLimit": 0,
+  "architectures": [
+        "amd64",
+        "armhf"
+  ],
+  "dependencyFollowSuggests": false,
+  "dependencyFollowRecommends": false,
+  "dependencyFollowAllVariants": false,
+  "dependencyFollowSource": false,
+  "dependencyVerboseResolve": true,
+  "gpgDisableSign": false,
+  "gpgDisableVerify": false,
+  "gpgProvider": "gpg",
+  "downloadSourcePackages": false,
+  "skipLegacyPool": true,
+  "ppaDistributorID": "$AM_COMPANY_NAME",
+  "ppaCodename": ""
+}
+EOF
+
+cat << EOF > /usr/local/bin/update-apt-mirrors
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+for m in $(aptly mirror list -raw); do
+  aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
+done
+EOF
+
+chmod +x /usr/local/bin/update-apt-mirrors
+
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        # Force HTTPS connection. This rules is domain agnostic
+        if (\$scheme != "https") {
+                rewrite ^ https://\$host\$uri permanent;
+        }
+
+        # SSL configuration
+        #
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+        ssl_protocols TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_dhparam /etc/nginx/dhparam.pem;
+        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+        ssl_session_timeout  10m;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_tickets off; # Requires nginx >= 1.5.9
+        ssl_stapling on; # Requires nginx >= 1.3.7
+        ssl_stapling_verify on; # Requires nginx => 1.3.7
+        resolver 15.137.208.11 15.137.209.11 valid=300s;
+        resolver_timeout 5s;
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+
+        root /var/www/html;
+        index index.html index.htm;
+
+        server_name _;
+
+        location /gpg {
+                autoindex on;
+        }
+
+        location /graph {
+                autoindex on;
+        }
+
+        location / {
+                # First attempt to serve request as file, then
+                # as directory, then fall back to displaying a 404.
+                #try_files \$uri \$uri/ =404;
+                proxy_set_header Host \$host;
+                proxy_set_header X-Real-IP \$remote_addr;
+                proxy_pass http://localhost:8080;
+
+        }
+
+        location /api {
+                proxy_pass http://localhost:8000/api;
+        }
+
+        location /api/graph {
+                return 403;
+        }
+}
+EOF
+
+cat << EOF > /etc/systemd/system/aptly.service
+[Unit]
+Description=Aptly Repository service
+
+[Service]
+User=root
+ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
+KillSignal=SIGTERM
+KillMode=process
+TimeoutStopSec=15s
+
+[Install]
+WantedBy=multi-user.target
+
+EOF
+
+cat << EOF > /etc/systemd/system/aptly-api.service
+[Unit]
+Description=Aptly REST API service
+
+[Service]
+User=root
+ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
+KillSignal=SIGTERM
+KillMode=process
+TimeoutStopSec=15s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /root/mirror-examples
+# import proxmox keyring
+wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
+
+# proxmox 8 no subscription mirror (about 11.5 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
+
+# import debian keyring
+cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
+
+# debian 12 main mirror (about 87 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
+
+# debian 12 contrib mirror (about 600 MB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
+
+# debian 12 non-free mirror (about7,2 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
+
+# debian 12 non-free-firmware mirror (38 Packages)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
+
+# debian 12 update main mirror (about 2,5 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
+
+# debian 12 update contrib mirror (currently empty)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
+
+# debian 12 updates non-free mirror (about 900 MB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
+
+# debian 12 updates non-free-firmware mirror (about 70 MB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
+
+# debian 12 security main mirror (about 5,5 GB)
+aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
+
+# debian 12 security contrib mirror (2 packages)
+aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
+
+# debian 12 security non-free mirror (currently empty)
+aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
+
+# debian 12 security non-free-firmware mirror (1 package)
+aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
+
+# debian 12 backports main mirror (about 14,5 GB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
+
+# debian 12 backports contrib mirror (about 100 MB)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
+
+# debian 12 backports non-free mirror (2 packages)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
+
+# debian 12 backports non-free-firmware mirror (currently empty)
+aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
+aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
+EOF
+
+cat << EOF > /usr/local/bin/update-apt-mirrors 
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+for m in \$(aptly mirror list -raw); do
+  aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
+done
+EOF
+
+echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
+
+chmod +x /usr/local/bin/update-apt-mirrors 
+
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
+
+chown -R www-data:www-data /var/www
+
+# Create required webserver folders
+sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
+
+# Export gpg key
+sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
+
+generate_dhparam
+
+systemctl daemon-reload
+systemctl enable --now aptly aptly-api
+systemctl restart nginx
+
+echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."
--- a/src/authentik/constants-service.conf
+++ b/src/authentik/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="docker"
--- a/src/authentik/install-service.sh
+++ b/src/authentik/install-service.sh
@ -0,0 +1,108 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+mkdir -p /opt/authentik
+wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
+cd /opt/authentik
+cat << EOF > .env
+PG_PASS=$(pwgen -s 40 1)
+AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+AUTHENTIK_AVATARS=initials
+COMPOSE_PORT_HTTP=80
+COMPOSE_PORT_HTTPS=443
+AUTHENTIK_EMAIL__HOST=
+AUTHENTIK_EMAIL__PORT=
+AUTHENTIK_EMAIL__USERNAME=
+AUTHENTIK_EMAIL__PASSWORD=
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=
+AUTHENTIK_REDIS__DB=1
+EOF
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your authentik intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
+esac
--- a/src/bookstack/constants-service.conf
+++ b/src/bookstack/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/bookstack/install-service.sh
+++ b/src/bookstack/install-service.sh
@ -0,0 +1,186 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+BOOKSTACK_DB_PWD=$(random_password)
+webroot=/var/www/bookstack/public
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
+curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+
+    client_max_body_size 100M;
+    fastcgi_buffers 64 4K;
+    client_body_timeout 120s;
+
+    listen 443 http2 ssl default_server;
+    listen [::]:443 http2 ssl default_server;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl_certificate /etc/nginx/ssl/open3a.crt;
+    ssl_certificate_key /etc/nginx/ssl/open3a.key;
+
+    access_log  /var/log/nginx/bookstack.access.log;
+    error_log   /var/log/nginx/bookstack.error.log;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+        fastcgi_intercept_errors off;
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    fastcgi_hide_header X-Powered-By;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+
+    add_header Permissions-Policy                   "interest-cohort=()";
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
+CREATE DATABASE IF NOT EXISTS bookstack;
+GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
+FLUSH PRIVILEGES;"
+
+sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
+sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+    >&2 echo 'ERROR: Invalid composer installer checksum'
+    rm composer-setup.php
+    exit 1
+fi
+php composer-setup.php --quiet
+rm composer-setup.php
+# Move composer to global installation
+mv composer.phar /usr/local/bin/composer
+
+cd /var/www
+git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack
+cd bookstack
+
+# Install BookStack composer dependencies
+export COMPOSER_ALLOW_SUPERUSER=1
+php /usr/local/bin/composer install --no-dev --no-plugins
+
+
+# Copy and update BookStack environment variables
+cp .env.example .env
+sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env
+sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env
+sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env
+sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env
+
+cat << EOF >> .env
+QUEUE_CONNECTION=database
+STORAGE_TYPE=local_secure
+APP_LANG=de_informal
+FILE_UPLOAD_SIZE_LIMIT=100
+SESSION_SECURE_COOKIE=true
+CACHE_DRIVER=redis
+SESSION_DRIVER=redis
+REDIS_SERVERS=127.0.0.1:6379:0
+WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf
+ALLOW_UNTRUSTED_SERVER_FETCHING=true
+EOF
+
+# Generate the application key
+php artisan key:generate --no-interaction --force
+# Migrate the databases
+php artisan migrate --no-interaction --force
+
+php artisan bookstack:db-utf8mb4 > dbupgrade.sql
+mysql -u root < dbupgrade.sql
+
+chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage
+
+cat << EOF > /etc/systemd/system/bookstack-queue.service
+[Unit]
+Description=BookStack Queue Worker
+
+[Service]
+User=www-data
+Group=www-data
+Restart=always
+ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now bookstack-queue php${PHP_VERSION:0:3}-fpm nginx redis-server
+systemctl restart php${PHP_VERSION:0:3}-fpm nginx bookstack-queue redis-server
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n"
--- a/src/checkmk/constants-service.conf
+++ b/src/checkmk/constants-service.conf
@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="opt"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# checkmk version
+CMK_VERSION=2.3.0p6
+# build number of the debian package (needs to start with underscore)
+CMK_BUILD=_0
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="apache2"
--- a/src/checkmk/install-service.sh
+++ b/src/checkmk/install-service.sh
@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+cd /tmp
+wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+
+omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
+
+cat << EOF > /etc/apache2/sites-available/000-default.conf
+<VirtualHost *:80>
+	RewriteEngine On
+	RewriteCond %{HTTPS} !=on
+	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
+</VirtualHost>
+EOF
+
+cat << EOF > /etc/apache2/sites-available/default-ssl.conf
+<VirtualHost *:443>
+	RewriteEngine On
+	RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
+	RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
+
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www/html
+
+	ErrorLog \${APACHE_LOG_DIR}/error.log
+	CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+	SSLEngine on
+
+	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
+
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+	#SSLCACertificatePath /etc/ssl/certs/
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+</VirtualHost>
+EOF
+
+a2enmod ssl
+a2enmod rewrite
+a2ensite default-ssl
+
+systemctl restart apache2.service
+
+omd start $CMK_INSTANCE
+
+# install matrix notification plugin
+
+wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
+chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
+chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
--- a/src/cloudpanel/constants-service.conf
+++ b/src/cloudpanel/constants-service.conf
@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="home"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/cloudpanel/install-service.sh
+++ b/src/cloudpanel/install-service.sh
@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source zamba.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+
+curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
+echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
+DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh
--- a/src/constants.conf
+++ b/src/constants.conf
@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on container level
+
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux"
--- a/src/debian-priv/constants-service.conf
+++ b/src/debian-priv/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=512
+
+# service dependent meta tags
+SERVICE_TAGS="privileged"
--- a/src/debian-priv/install-service.sh
+++ b/src/debian-priv/install-service.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-priv' is ready to use!"
--- a/src/debian-unpriv/constants-service.conf
+++ b/src/debian-unpriv/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=512
+
+# service dependent meta tags
+SERVICE_TAGS=""
--- a/src/debian-unpriv/install-service.sh
+++ b/src/debian-unpriv/install-service.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-unpriv' is ready to use!"
--- a/src/docker/constants-service.conf
+++ b/src/docker/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS=""
--- a/src/docker/install-service.sh
+++ b/src/docker/install-service.sh
@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac
--- a/src/ecodms/constants-service.conf
+++ b/src/ecodms/constants-service.conf
@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# set ecodms release version
+ECODMS_RELEASE=ecodms_230164
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=6144
+
+# service dependent meta tags
+SERVICE_TAGS="java,postgresql"
--- a/src/ecodms/install-service.sh
+++ b/src/ecodms/install-service.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
+echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
+
+echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
+wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver
--- a/src/freescout/constants-service.conf
+++ b/src/freescout/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/freescout/install-service.sh
+++ b/src/freescout/install-service.sh
@ -0,0 +1,133 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+webroot=/var/www/html
+
+LXC_RANDOMPWD=20
+MYSQL_PASSWORD="$(random_password)"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git
+
+
+echo ‘cgi.fix_pathinfo=0’ >> /etc/php/8.2/fpm/php.ini
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot/freescout/public;
+
+    index index.php index.html index.htm;
+
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+    client_max_body_size 20M;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ .php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+    	include fastcgi_params;
+    }
+    
+    location ^~ /storage/app/attachment/ {
+        internal;
+        alias /var/www/html/storage/app/attachment/;
+    }
+    
+    location ~* ^/storage/attachment/ {
+        expires 1M;
+        access_log off;
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+    
+    location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
+        expires 2d;
+        access_log off;
+        add_header Cache-Control "public, must-revalidate";
+    }
+    
+    # The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
+    location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
+        add_header Content-disposition "attachment; filename=\$2";
+        default_type application/octet-stream;
+    }	
+    
+    location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\\\\]+\..*)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+    }
+    
+    location ~ /\. {
+        deny  all;
+    }
+}
+
+EOF
+
+rm /var/www/html/*nginx*.html
+mkdir -p /etc/nginx/ssl
+ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+
+mysql -uroot -e "CREATE USER 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
+GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS freescout;
+GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
+
+curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
+cd $webroot
+tar -vxf freescout.tar.gz
+dir=$(ls -d freescout-helpdesk-freescout*)
+mv -v $dir freescout
+chown -R www-data:www-data /var/www/html
+find /var/www/html -type f -exec chmod 664 {} \;    
+find /var/www/html -type d -exec chmod 775 {} \;
+cd $webroot/freescout
+APP_KEY=$(sudo -u www-data php artisan key:generate --show)
+sudo -u www-data sed -e "s|APP_URL=.*|APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}|" -e "s|DB_DATABASE=|DB_DATABASE=freescout|" -e "s|DB_USERNAME=|DB_USERNAME=freescout|" -e "s|DB_PASSWORD=|DB_PASSWORD=${MYSQL_PASSWORD}|" -e "s|APP_KEY=|APP_KEY=${APP_KEY}|" .env.example > .env
+sudo -u www-data php artisan freescout:clear-cache
+sudo -u www-data php artisan storage:link
+sudo -u www-data php artisan migrate -n --force
+FS_PASSWORD=$(random_password)
+sudo -u www-data php artisan freescout:create-user -n --role=admin --firstName=$FS_FIRSTNAME --lastName=$FS_LASTNAME --email=$FS_EMAIL --password=$FS_PASSWORD
+
+cat << EOF > /etc/cron.d/freescout 
+* * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
+EOF
+
+systemctl enable --now php8.2-fpm
+systemctl restart php8.2-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your freescout installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttps://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\t$FS_EMAIL\nPassword:\t$FS_PASSWORD\n"
--- a/src/functions.sh
+++ b/src/functions.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# This script has basic functions like a random password generator
+LXC_RANDOMPWD=32
+
+random_password() {
+    set +o pipefail
+    LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
+}
+
+generate_dhparam() {
+    openssl dhparam -out /etc/nginx/dhparam.pem 2048
+    cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
+mv /etc/nginx/dhparam.gen /etc/nginx/dhparam.pem
+systemctl restart nginx
+EOF
+    chmod +x /etc/cron.monthly/generate-dhparams
+}
+
+apt_repo() {
+    apt_name=$1
+    apt_key_url=$2
+    apt_key_path=/usr/share/keyrings/${apt_name}.gpg
+    apt_repo_url=$3
+
+    wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
+    echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
+
+}
--- a/src/gitea/constants-service.conf
+++ b/src/gitea/constants-service.conf
@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the IP from the SQL server
+GITEA_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+GITEA_DB_PORT="5432"
+
+# Defines the name from the SQL database
+GITEA_DB_NAME="gitea"
+
+# Defines the name from the SQL user
+GITEA_DB_USR="gitea"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+GITEA_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql"
--- a/src/gitea/install-service.sh
+++ b/src/gitea/install-service.sh
@ -0,0 +1,188 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
+psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
+echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
+EOF
+
+adduser  --system  --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
+
+curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
+chmod +x /usr/local/bin/gitea
+mkdir -p /etc/gitea
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
+chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
+chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
+
+cat << EOF > /usr/local/bin/update-gitea
+PATH="/bin:/usr/bin:/usr/local/bin"
+echo "Checking github for new gitea version"
+current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4)
+installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3))
+echo "Installed gitea version is \$installed_version"
+if [ \$installed_version != \$current_version ]; then
+  echo "New gitea version \$current_version available. Stopping gitea.service"
+  systemctl stop gitea.service
+  echo "Downloading gitea version \$current_version..."
+  curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i -
+  chmod +x /usr/local/bin/gitea
+  echo "Starting gitea.service..."
+  systemctl start gitea.service
+  echo "gitea update finished!"
+else
+  echo "gitea version is up-to-date!"
+fi
+EOF
+chmod +x /usr/local/bin/update-gitea
+
+cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook
+DPkg::Post-Invoke {"/usr/local/bin/update-gitea";};
+EOF
+chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook
+
+cat << EOF > /etc/systemd/system/gitea.service
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/gitea/app.ini
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
+
+[database]
+DB_TYPE=postgres
+HOST=localhost
+NAME=${GITEA_DB_NAME}
+USER=${GITEA_DB_USR}
+PASSWD=${GITEA_DB_PWD}
+SSL_MODE=disable
+
+[server]
+APP_DATA_PATH    = /${LXC_SHAREFS_MOUNTPOINT}/gitea
+DOMAIN           = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+SSH_DOMAIN       = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+HTTP_HOST        = localhost
+HTTP_PORT        = 3000
+ROOT_URL         = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+SSH_LISTEN_PORT  = 22
+EOF
+
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 770 /etc/gitea/app.ini
+
+if [ -f /etc/nginx/sites-enabled/default ]; then
+  unlink /etc/nginx/sites-enabled/default
+fi
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log /var/log/nginx/gitea.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log  /var/log/nginx/gitea.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+
+EOF
+generate_dhparam
+
+systemctl daemon-reload
+systemctl enable --now gitea
+systemctl restart nginx
--- a/src/kimai/constants-service.conf
+++ b/src/kimai/constants-service.conf
@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+#KIMAI_VERSION="main"
+
+# Defines the php version to install
+KIMAI_PHP_VERSION="8.2"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@ -0,0 +1,172 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+KIMAI_DB_PWD=$(random_password)
+webroot=/var/www/kimai/public
+
+#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
+PHP_VERSION=${PHP_VERSION:0:3}
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+
+    client_max_body_size 2M;
+    fastcgi_buffers 64 4K;
+    client_body_timeout 120s;
+
+    listen 443 http2 ssl default_server;
+    listen [::]:443 http2 ssl default_server;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl_certificate /etc/nginx/ssl/kimai.crt;
+    ssl_certificate_key /etc/nginx/ssl/kimai.key;
+
+    access_log  /var/log/nginx/kimai.access.log;
+    error_log   /var/log/nginx/kimai.error.log;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+        fastcgi_intercept_errors off;
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    fastcgi_hide_header X-Powered-By;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+
+    add_header Permissions-Policy                   "interest-cohort=()";
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
+CREATE DATABASE IF NOT EXISTS kimai;
+GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
+FLUSH PRIVILEGES;"
+
+sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+    >&2 echo 'ERROR: Invalid composer installer checksum'
+    rm composer-setup.php
+    exit 1
+fi
+php composer-setup.php --quiet
+rm composer-setup.php
+# Move composer to global installation
+mv composer.phar /usr/local/bin/composer
+
+cd /var/www
+dl=$(curl -s https://api.github.com/repos/kimai/kimai/releases/latest | grep tarball_url | cut -d'"' -f4)
+version=$(echo $dl | rev | cut -d'/' -f1 | rev)
+wget -O kimai-${version}.tar.gz ${dl}
+tar xfz kimai-${version}.tar.gz
+rm kimai-${version}.tar.gz
+mv kimai-* kimai
+cd kimai
+
+# Install kimai composer dependencies
+export COMPOSER_ALLOW_SUPERUSER=1
+/usr/local/bin/composer install --optimize-autoloader -n
+
+# Copy and update kimai environment variables
+cat << EOF > .env
+# For more infos about the variables, see .env.dist
+DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.11.3
+MAILER_FROM=admin@$LXC_DOMAIN
+MAILER_URL=null://null
+APP_ENV=prod
+APP_SECRET=$(random_password)
+CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
+EOF
+
+bin/console kimai:install -n
+
+bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
+
+chown -R www-data:www-data .
+chmod -R g+r .
+chmod -R g+rw var/
+
+systemctl daemon-reload
+systemctl enable --now php${PHP_VERSION}-fpm nginx
+systemctl restart php${PHP_VERSION}-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"
--- a/src/kopano-core/constants-service.conf
+++ b/src/kopano-core/constants-service.conf
@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+KOPANO_VERSION="latest"
+
+# Defines the php version to install
+KOPANO_PHP_VERSION="7.4"
+
+# Defines Maria DB Version
+MARIA_DB_VERS="10.5"
+
+# Defines the name from the SQL database
+MARIA_DB_NAME="kopano"
+
+# Defines the name from the SQL user
+MARIA_DB_USER="kopano"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+
+MARIA_ROOT_PWD=$(random_password)
+MARIA_USER_PWD=$(random_password)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/kopano-core/install-service.sh
+++ b/src/kopano-core/install-service.sh
@ -0,0 +1,276 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+HOSTNAME=$(hostname -f)
+
+#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
+#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
+echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
+
+apt update
+
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
+#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
+php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
+
+#timedatectl set-timezone Europe/Berlin
+#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+
+#### Secure Maria Instance ####
+
+mysqladmin -u root password "[$MARIA_ROOT_PWD]"
+
+mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
+mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
+
+#### Create user and DB for Kopano ####
+
+mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
+mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
+
+echo "root-password: $MARIA_ROOT_PWD,\
+db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
+
+cat > /etc/apt/sources.list.d/kopano.list << EOF
+
+# Kopano Core
+deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
+
+# Kopano WebApp
+deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
+
+# Kopano MobileDeviceManagement
+deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
+
+# Kopano Files
+deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
+
+# Z-Push
+deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
+
+EOF
+
+cat > /etc/apt/auth.conf.d/kopano.conf << EOF
+
+machine download.kopano.io
+login serial
+password $KOPANO_REPKEY
+
+EOF
+
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
+curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
+
+apt update && apt full-upgrade -y
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
+z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files 
+
+#### Adjust kopano settings ####
+
+cat > /etc/kopano/ldap.cfg << EOF
+
+!include /usr/share/kopano/ldap.active-directory.cfg
+
+ldap_uri = ldap://192.168.100.100:389
+ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
+ldap_bind_passwd = Start123!
+ldap_search_base = dc=zmb,dc=rocks
+
+#ldap_user_search_filter = (kopanoAccount=1)
+
+EOF
+
+cat > /etc/kopano/server.cfg << EOF
+
+server_listen = *:236
+local_admin_users = root kopano
+
+#database_engine = mysql
+#mysql_host = localhost
+#mysql_port = 3306
+mysql_user = $MARIA_DB_USER
+mysql_password = $MARIA_USER_PWD
+mysql_database = $MARIA_DB_NAME
+
+#user_plugin = ldap
+#user_plugin_config = /etc/kopano/ldap.cfg
+
+EOF
+
+#### Adjust php settings ####
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
+
+[webapp]
+listen = 127.0.0.1:9002
+user = www-data
+group = www-data
+listen.allowed_clients = 127.0.0.1
+pm = dynamic
+pm.max_children = 150
+pm.start_servers = 35
+pm.min_spare_servers = 20
+pm.max_spare_servers = 50
+pm.max_requests = 200
+listen.backlog = -1
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+EOF
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+#### Adjust nginx settings ####
+
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
+generate_dhparam
+
+#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+cat > /etc/nginx/sites-available/webapp.conf << EOF
+upstream php-handler {
+    #server 127.0.0.1:9002;
+    #server unix:/var/run/php5-fpm.sock;
+    server unix:/var/run/php/php7.4-fpm.sock;
+}
+ 
+server{
+    listen 80;
+    charset utf-8;
+    listen [::]:80;
+    server_name _;
+ 
+    location / {
+        rewrite   ^(.*)   https://\$server_name\$1 permanent;
+    }  
+ }
+ 
+server {
+    charset utf-8;
+    listen 443;
+    listen [::]:443 ssl;
+    server_name _;
+    ssl on;
+    client_max_body_size 1024m;
+    ssl_certificate /etc/ssl/certs/kopano.crt;
+    ssl_certificate_key /etc/ssl/private/kopano.key;
+    ssl_session_cache shared:SSL:1m;
+    ssl_session_timeout 5m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+    ssl_prefer_server_ciphers on;
+    #
+    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    #
+ 
+    # add headers
+    server_tokens off;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+  
+    location /webapp {
+        alias /usr/share/kopano-webapp/;
+        index index.php;
+     
+    location ~ /webapp/presence/ {
+                rewrite ^/webapp/presence(/.*)$ \$1 break;
+                proxy_pass http://localhost:1234;
+                proxy_set_header Upgrade \$http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_http_version 1.1;
+                }
+ 
+    }
+ 
+    location ~* ^/webapp/(.+\.php)$ {
+        alias /usr/share/kopano-webapp/;
+ 
+        # deny access to .htaccess files
+        location ~ /\.ht {
+                    deny all;
+        }
+  
+        fastcgi_param PHP_VALUE "
+            register_globals=off
+            magic_quotes_gpc=off
+            magic_quotes_runtime=off
+            post_max_size=31M
+            upload_max_filesize=30M
+        ";
+        fastcgi_param PHP_VALUE "post_max_size=31M
+                 upload_max_filesize=30M
+                 max_execution_time=3660
+        ";
+ 
+        include fastcgi_params;
+        fastcgi_index index.php;
+        #fastcgi_param HTTPS on;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$1;
+        fastcgi_pass php-handler;
+        access_log /var/log/nginx/kopano-webapp-access.log;
+        error_log /var/log/nginx/kopano-webapp-error.log;
+ 
+        # CSS and Javascript
+        location ~* \.(?:css|js)$ {
+            expires 1y;
+            access_log off;
+            add_header Cache-Control "public";
+        }
+ 
+        # All (static) resources set to 2 months expiration time.
+        location ~* \.(?:jpg|gif|png)\$ {
+            expires 2M;
+            access_log off;
+            add_header Cache-Control "public";
+        }
+ 
+        # enable gzip compression
+        gzip on;
+        gzip_min_length  1100;
+        gzip_buffers  4 32k;
+        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
+        gzip_vary on;
+        }
+ 
+}
+ 
+map \$http_upgrade \$connection_upgrade {
+        default upgrade;
+        '' close;
+}
+EOF
+
+
+
+ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
+
+phpenmod kopano
+systemctl restart php7.4-fpm nginx
--- a/src/lxc-base.sh
+++ b/src/lxc-base.sh
@ -0,0 +1,81 @@
+#!/bin/bash
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# load configuration
+echo "Loading configuration..."
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants.conf
+source /root/constants-service.conf
+
+echo "Updating locales"
+# update locales
+sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
+sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen
+cat << EOF > /etc/default/locale
+LANG="$LXC_LOCALE"
+LANGUAGE=$LXC_LOCALE
+EOF
+locale-gen $LXC_LOCALE 
+
+# Generate sources
+if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb http://deb.debian.org/debian/ buster main contrib
+
+deb http://deb.debian.org/debian/ buster-updates main contrib
+
+# security updates
+deb http://security.debian.org/debian-security buster/updates main contrib
+EOF
+
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb http://deb.debian.org/debian/ bullseye main contrib
+
+deb http://deb.debian.org/debian/ bullseye-updates main contrib
+
+# security updates
+deb http://security.debian.org/debian-security bullseye-security main contrib
+EOF
+
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb http://deb.debian.org/debian/ bookworm main contrib
+
+deb http://deb.debian.org/debian/ bookworm-updates main contrib
+
+# security updates
+deb http://security.debian.org/debian-security bookworm-security main contrib
+EOF
+
+else echo "LXC Debian Version false. Please check configuration files!" ; exit
+fi
+
+# update package lists
+echo "Updating package database..."
+apt --allow-releaseinfo-change update
+
+# install latest packages
+echo "Installing latest updates"
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+
+# install toolset
+echo "Installing preconfigured toolset..."
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET_BASE $LXC_TOOLSET
+
+echo "Enabling vim syntax highlighting..."
+sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
+if [ $LXC_VIM_BG_DARK -gt 0 ]; then
+    sed -i "s|\"set background=dark|set background=dark|g" /etc/vim/vimrc
+fi
+
+echo "Basic container setup finished, continuing with service installation..."
--- a/src/mailcow/constants-service.conf
+++ b/src/mailcow/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=8192
+
+# service dependent meta tags
+SERVICE_TAGS="docker"
--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@ -0,0 +1,438 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+cd /opt
+git clone https://github.com/mailcow/mailcow-dockerized
+cd mailcow-dockerized
+
+cat << EOF > mailcow.conf
+# ------------------------------
+# mailcow web ui configuration
+# ------------------------------
+# example.org is _not_ a valid hostname, use a fqdn here.
+# Default admin user is "admin"
+# Default password is "moohoo"
+
+MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
+
+# Password hash algorithm
+# Only certain password hash algorithm are supported. For a fully list of supported schemes,
+# see https://docs.mailcow.email/models/model-passwd/
+MAILCOW_PASS_SCHEME=BLF-CRYPT
+
+# ------------------------------
+# SQL database configuration
+# ------------------------------
+
+DBNAME=mailcow
+DBUSER=mailcow
+
+# Please use long, random alphanumeric strings (A-Za-z0-9)
+
+DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+
+# ------------------------------
+# HTTP/S Bindings
+# ------------------------------
+
+# You should use HTTPS, but in case of SSL offloaded reverse proxies:
+# Might be important: This will also change the binding within the container.
+# If you use a proxy within Docker, point it to the ports you set below.
+# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
+# IMPORTANT: Do not use port 8081, 9081 or 65510!
+# Example: HTTP_BIND=1.2.3.4
+# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
+# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
+
+HTTP_PORT=80
+HTTP_BIND=
+
+HTTPS_PORT=443
+HTTPS_BIND=
+
+# ------------------------------
+# Other bindings
+# ------------------------------
+# You should leave that alone
+# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
+
+SMTP_PORT=25
+SMTPS_PORT=465
+SUBMISSION_PORT=587
+IMAP_PORT=143
+IMAPS_PORT=993
+POP_PORT=110
+POPS_PORT=995
+SIEVE_PORT=4190
+DOVEADM_PORT=127.0.0.1:19991
+SQL_PORT=127.0.0.1:13306
+SOLR_PORT=127.0.0.1:18983
+REDIS_PORT=127.0.0.1:7654
+
+# Your timezone
+# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
+# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
+
+TZ=${LXC_TIMEZONE}
+
+# Fixed project name
+# Please use lowercase letters only
+
+COMPOSE_PROJECT_NAME=mailcowdockerized
+
+# Used Docker Compose version
+# Switch here between native (compose plugin) and standalone
+# For more informations take a look at the mailcow docs regarding the configuration options.
+# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
+# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
+
+DOCKER_COMPOSE_VERSION=native
+
+# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
+# When enabled, ACL can be created, that apply to "All authenticated users"
+# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
+# Otherwise a user might share data with too many other users.
+ACL_ANYONE=disallow
+
+# Garbage collector cleanup
+# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
+# How long should objects remain in the garbage until they are being deleted? (value in minutes)
+# Check interval is hourly
+
+MAILDIR_GC_TIME=7200
+
+# Additional SAN for the certificate
+#
+# You can use wildcard records to create specific names for every domain you add to mailcow.
+# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
+#ADDITIONAL_SAN=imap.*,smtp.*
+# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
+# plus every domain you add in the future.
+#
+# You can also just add static names...
+#ADDITIONAL_SAN=srv1.example.net
+# ...or combine wildcard and static names:
+#ADDITIONAL_SAN=imap.*,srv1.example.com
+#
+
+ADDITIONAL_SAN=
+
+# Additional server names for mailcow UI
+#
+# Specify alternative addresses for the mailcow UI to respond to
+# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
+# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
+# You can understand this as server_name directive in Nginx.
+# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
+
+ADDITIONAL_SERVER_NAMES=
+
+# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
+
+SKIP_LETS_ENCRYPT=y
+
+# Create seperate certificates for all domains - y/n
+# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
+# see https://doc.dovecot.org/admin_manual/ssl/sni_support
+ENABLE_SSL_SNI=n
+
+# Skip IPv4 check in ACME container - y/n
+
+SKIP_IP_CHECK=n
+
+# Skip HTTP verification in ACME container - y/n
+
+SKIP_HTTP_VERIFICATION=n
+
+# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
+
+SKIP_CLAMD=n
+
+# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
+
+SKIP_SOGO=n
+
+# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
+
+SKIP_SOLR=n
+
+# Solr heap size in MB, there is no recommendation, please see Solr docs.
+# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
+
+SOLR_HEAP=1024
+
+# Allow admins to log into SOGo as email user (without any password)
+
+ALLOW_ADMIN_EMAIL_LOGIN=n
+
+# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
+
+USE_WATCHDOG=y
+
+# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
+# CAUTION:
+# 1. You should use external recipients
+# 2. Mails are sent unsigned (no DKIM)
+# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
+# Multiple rcpts allowed, NO quotation marks, NO spaces
+
+#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
+#WATCHDOG_NOTIFY_EMAIL=
+
+# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
+# You can use this to send notifications to services like Discord, Slack and others.
+#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# JSON body included in the webhook POST request. Needs to be in single quotes.
+# Following variables are available: SUBJECT, BODY
+#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
+
+# Notify about banned IP (includes whois lookup)
+WATCHDOG_NOTIFY_BAN=n
+
+# Send a notification when the watchdog is started.
+WATCHDOG_NOTIFY_START=y
+
+# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
+#WATCHDOG_SUBJECT=
+
+# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
+# https://www.servercow.de/mailcow?lang=en
+# https://www.servercow.de/mailcow?lang=de
+# No data is collected. Opt-in and anonymous.
+# Will only work with unmodified mailcow setups.
+WATCHDOG_EXTERNAL_CHECKS=n
+
+# Enable watchdog verbose logging
+WATCHDOG_VERBOSE=n
+
+# Max log lines per service to keep in Redis logs
+
+LOG_LINES=9999
+
+# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
+# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
+
+IPV4_NETWORK=172.22.1
+
+# Internal IPv6 subnet in fc00::/7
+# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
+
+IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
+
+# Use this IPv4 for outgoing connections (SNAT)
+
+#SNAT_TO_SOURCE=
+
+# Use this IPv6 for outgoing connections (SNAT)
+
+#SNAT6_TO_SOURCE=
+
+# Create or override an API key for the web UI
+# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
+# An API key defined as API_KEY has read-write access
+# An API key defined as API_KEY_READ_ONLY has read-only access
+# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
+# You can define API_KEY and/or API_KEY_READ_ONLY
+
+#API_KEY=
+#API_KEY_READ_ONLY=
+#API_ALLOW_FROM=172.22.1.1,127.0.0.1
+
+# mail_home is ~/Maildir
+MAILDIR_SUB=Maildir
+
+# SOGo session timeout in minutes
+SOGO_EXPIRE_SESSION=480
+
+# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
+# Empty by default to auto-generate master user and password on start.
+# User expands to DOVECOT_MASTER_USER@mailcow.local
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_USER=
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_PASS=
+
+# Let's Encrypt registration contact information
+# Optional: Leave empty for none
+# This value is only used on first order!
+# Setting it at a later point will require the following steps:
+# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
+ACME_CONTACT=
+
+# WebAuthn device manufacturer verification
+# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_ONLY_TRUSTED_VENDORS=n
+
+# Spamhaus Data Query Service Key
+# Optional: Leave empty for none
+# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist. 
+# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
+# Otherwise it will work normally.
+SPAMHAUS_DQS_KEY=
+
+EOF
+
+cat << EOF > data/conf/nginx/redirect.conf
+server {
+  root /web;
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  include /etc/nginx/conf.d/server_name.active;
+  if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
+  location ^~ /.well-known/acme-challenge/ {
+    allow all;
+    default_type "text/plain";
+  }
+  location / {
+    return 301 https://\$host\$uri\$is_args\$args;
+  }
+}
+EOF
+
+cat << EOF > /etc/cron.daily/mailcowbackup
+#!/bin/sh
+
+# Backup mailcow data
+# https://docs.mailcow.email/backup_restore/b_n_r-backup/
+
+set -e
+
+OUT="\$(mktemp)"
+export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
+SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
+PARAMETERS="backup all"
+OPTIONS="--delete-days 7"
+mkdir -p \$MAILCOW_BACKUP_LOCATION
+
+# run command
+set +e
+"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
+RESULT=\$?
+
+if [ \$RESULT -ne 0 ]
+    then
+            echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
+            echo "RESULT=\$RESULT"
+            echo "STDOUT / STDERR:"
+            cat "\$OUT"
+fi
+EOF
+
+chmod +x /etc/cron.daily/mailcowbackup
+
+cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
+#!/bin/bash
+if ! which check_mk_agent ; then
+  cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
+  status=\$?
+  if [ \$status -eq 3 ]; then
+    state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
+  elif [ \$status -eq 0 ]; then
+    state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
+  else
+    state="3 \"mailcow_update\" - Unknown output from update script ..."
+  fi
+  echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
+  mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
+fi
+exit
+EOF
+chmod +x /etc/cron.daily/checkmk-mailcow-update-check
+
+chmod 600 mailcow.conf
+
+mkdir -p data/assets/ssl
+
+openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
+
+openssl dhparam -out data/assets/ssl/dhparams.pem 2048
+cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
+mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
+systemctl restart nginx
+EOF
+chmod +x /etc/cron.monthly/generate-dhparams
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac
--- a/src/matrix/constants-service.conf
+++ b/src/matrix/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,element-web"
--- a/src/matrix/install-service.sh
+++ b/src/matrix/install-service.sh
@ -5,33 +5,29 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf

-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+MRX_PKE=$(random_password)

 ELE_DBNAME="synapse_db"
 ELE_DBUSER="synapse_user"
-ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ELE_DBPASS=$(random_password)
+ELE_PATH=/var/www/element-web
+WEBROOT=/var/www

-apt update && apt full-upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2

-apt install -y $LXC_TOOLSET apt-transport-https gpg software-properties-common nginx postgresql python3-psycopg2
-
-wget wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
-apt update && apt install -y matrix-synapse-py3
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
 systemctl enable matrix-synapse

 ss -tulpen

-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"

 cat > /etc/nginx/sites-available/$MATRIX_FQDN <<EOF
@ -73,7 +69,7 @@ server {
    ssl_certificate_key /etc/nginx/ssl/matrix.key;

    # If you don't wanna serve a site, comment this out
-    root /var/www/$MATRIX_FQDN;
+    root $ELE_PATH;
    index index.html index.htm;

    location / {
@ -94,7 +90,7 @@ cat > /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN <<EOF
 server {
    listen 80;
    listen [::]:80;
-    server_name $MATRIX_ELEMENT_FQDN;
+    server_name _;
    return 301 https://$MATRIX_ELEMENT_FQDN;
 }

@ -108,31 +104,34 @@ server {
    ssl_certificate_key /etc/nginx/ssl/matrix.key;

    # If you don't wanna serve a site, comment this out
-    root /var/www/$MATRIX_ELEMENT_FQDN/element;
+    root $ELE_PATH;
    index index.html index.htm;
 } 

 EOF

+unlink /etc/nginx/sites-enabled/default
 ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$MATRIX_ELEMENT_FQDN

 systemctl restart nginx

-mkdir /var/www/$MATRIX_ELEMENT_FQDN
-cd /var/www/$MATRIX_ELEMENT_FQDN
-wget https://packages.riot.im/element-release-key.asc
+cd /var/www
+
+wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
 gpg --import element-release-key.asc

-wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
-wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
+MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/element-hq/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
+
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc

 tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
-ln -s element-$MATRIX_ELEMENT_VERSION element
-chown www-data:www-data -R element
-cp ./element/config.sample.json ./element/config.json
-sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json
-sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json
+mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH
+chown www-data:www-data -R $ELE_PATH
+cp $ELE_PATH/config.sample.json $ELE_PATH/config.json
+sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json
+sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json

 su postgres <<EOF
 psql -c "CREATE USER $ELE_DBUSER WITH PASSWORD '$ELE_DBPASS';"
@ -143,19 +142,18 @@ EOF
 cd /
 sed -i "s|#registration_shared_secret: <PRIVATE STRING>|registration_shared_secret: \"$MRX_PKE\"|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|#public_baseurl: https://example.com/|public_baseurl: https://$MATRIX_FQDN/|" /etc/matrix-synapse/homeserver.yaml
+sed -i "s|server_name:|server_name: $MATRIX_FQDN|g" /etc/matrix-synapse/conf.d/server_name.yaml
 sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n    user: $ELE_DBUSER\n    password: $ELE_DBPASS\n    host: 127.0.0.1\n    cp_min: 5\n    cp_max: 10|" /etc/matrix-synapse/homeserver.yaml

+reg_secret=$(random_password)
+echo -e "registration_shared_secret: \"$reg_secret\"" > /etc/matrix-synapse/conf.d/registration.yaml
+
 systemctl restart matrix-synapse

-register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
-
-#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
-#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
-
-#apt update
-#apt install -y jitsi-meet
-
+rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc

+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008

+echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@ -0,0 +1,54 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+NEXTCLOUD_VERSION="latest"
+
+# Defines the php version to install
+NEXTCLOUD_PHP_VERSION="8.2"
+
+# Defines the IP from the SQL server
+NEXTCLOUD_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+NEXTCLOUD_DB_PORT="5432"
+
+# Defines the name from the SQL database
+NEXTCLOUD_DB_NAME="nextcloud_db"
+
+# Defines the name from the SQL user
+NEXTCLOUD_DB_USR="nextcloud"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+NEXTCLOUD_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@ -0,0 +1,461 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+
+NEXTCLOUD_ADMIN_PWD=$(random_password)
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+HOSTNAME=$(hostname -f)
+
+wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
+echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
+postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
+
+timedatectl set-timezone $LXC_TIMEZONE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+
+#### Create database for nextcloud ####
+
+su - postgres <<EOF
+psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
+psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
+echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
+EOF
+
+#### Adjust php settings ####
+
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
+cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
+sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
+sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
+
+#### Adjust nginx settings ####
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
+generate_dhparam
+
+mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+
+cat > /etc/nginx/nginx.conf <<EOF
+user www-data;
+worker_processes auto;
+pid /var/run/nginx.pid;
+events {
+worker_connections 1024;
+multi_accept on; use epoll;
+}
+http {
+server_names_hash_bucket_size 64;
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log warn;
+set_real_ip_from 127.0.0.1;
+#optional, Sie können das eigene Subnetz ergänzen, bspw.:
+# set_real_ip_from $LXC_IP;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+include /etc/nginx/mime.types;
+types {
+        text/javascript mjs;
+    }
+default_type application/octet-stream;
+sendfile on;
+send_timeout 3600;
+tcp_nopush on;
+tcp_nodelay on;
+open_file_cache max=500 inactive=10m;
+open_file_cache_errors on;
+keepalive_timeout 65;
+reset_timedout_connection on;
+server_tokens off;
+resolver 127.0.0.53 valid=30s;
+resolver_timeout 5s;
+include /etc/nginx/conf.d/*.conf;
+}
+EOF
+
+[ -f /etc/nginx/conf.d/default.conf ] && mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
+touch /etc/nginx/conf.d/default.conf
+
+cat > /etc/nginx/conf.d/http.conf << EOF
+upstream php-handler {
+server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
+}
+map \$arg_v \$asset_immutable {
+    "" "";
+    default "immutable";
+}
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name $NEXTCLOUD_FQDN;
+root /var/www;
+location / {
+return 301 https://\$host\$request_uri;
+}
+}
+EOF
+
+cat > /etc/nginx/conf.d/nextcloud.conf << EOF
+server {
+listen 443      ssl http2;
+listen [::]:443 ssl http2;
+server_name $NEXTCLOUD_FQDN;
+ssl_certificate /etc/ssl/certs/nextcloud.crt;
+ssl_certificate_key /etc/ssl/private/nextcloud.key;
+ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
+#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
+#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
+#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
+#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
+#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
+ssl_ecdh_curve X448:secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_stapling on;
+ssl_stapling_verify on;
+client_max_body_size 5120M;
+client_body_timeout 300s;
+client_body_buffer_size 512k;
+fastcgi_buffers 64 4K;
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
+add_header Permissions-Policy                   "interest-cohort=()";
+add_header Referrer-Policy                      "no-referrer"   always;
+add_header X-Content-Type-Options               "nosniff"       always;
+add_header X-Download-Options                   "noopen"        always;
+add_header X-Frame-Options                      "SAMEORIGIN"    always;
+add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+add_header X-Robots-Tag                         "noindex, nofollow"          always;
+add_header X-XSS-Protection                     "1; mode=block" always;
+fastcgi_hide_header X-Powered-By;
+fastcgi_read_timeout 3600;
+fastcgi_send_timeout 3600;
+fastcgi_connect_timeout 3600;
+root /var/www/nextcloud;
+index index.php index.html /index.php\$request_uri;
+expires 1m;
+location = / {
+if ( \$http_user_agent ~ ^DavClnt ) {
+return 302 /remote.php/webdav/\$is_args\$args;
+}
+}
+location = /robots.txt {
+allow all;
+log_not_found off;
+access_log off;
+}
+location ^~ /apps/rainloop/app/data {
+deny all;
+}
+location ^~ /.well-known {
+location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+location ^~ /.well-known            { return 301 /index.php/\$uri; }
+try_files \$uri \$uri/ =404;
+}
+location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/)  { return 404; }
+location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+location ~ \.php(?:\$|/) {
+rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
+set \$path_info \$fastcgi_path_info;
+try_files \$fastcgi_script_name =404;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+fastcgi_param PATH_INFO \$path_info;
+fastcgi_param HTTPS on;
+fastcgi_param modHeadersAvailable true;
+fastcgi_param front_controller_active true;
+fastcgi_pass php-handler;
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+}
+location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
+try_files \$uri /index.php\$request_uri;
+expires 6M;
+access_log off;
+    location ~ \.wasm$ {
+            default_type application/wasm;
+        }
+}
+location ~ \.woff2?\$ {
+try_files \$uri /index.php\$request_uri;
+expires 7d;
+access_log off;
+}
+location / {
+try_files \$uri \$uri/ /index.php\$request_uri;
+}
+location /push/ {
+proxy_pass http://localhost:7867/;
+proxy_http_version 1.1;
+proxy_set_header Upgrade \$http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header Host \$host;
+proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+}
+}
+EOF
+
+systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
+
+#### Adjust redis settings ####
+
+cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
+sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
+sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
+sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
+sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
+usermod -aG redis www-data
+
+#### Adjust sysctl.conf settings ####
+
+cp /etc/sysctl.conf /etc/sysctl.conf.bak
+echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
+systemctl restart redis
+
+#### HIER MÜSSTE EIN REBOOT REIN ####
+
+
+#### Install nextcloud ####
+
+cd /usr/local/src
+
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
+
+md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
+
+tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
+
+cat > /root/permissions.sh << EOF
+#!/bin/bash
+find /var/www/ -type f -print0 | xargs -0 chmod 0640
+find /var/www/ -type d -print0 | xargs -0 chmod 0750
+chown -R www-data:www-data /var/www 
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
+chmod 0644 /var/www/nextcloud/.htaccess
+chmod 0644 /var/www/nextcloud/.user.ini
+exit 0
+EOF
+
+chmod +x /root/permissions.sh
+/root/permissions.sh
+
+#### install fail2ban ####
+
+cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+EOF
+
+cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 5
+bantime = 3600
+findtime = 36000
+logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log 
+EOF
+
+systemctl restart fail2ban
+
+#### Create configuration script for nextcloud, which will be executet as user www-data
+
+cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
+
+#!/bin/bash 
+
+php /var/www/nextcloud/occ maintenance:install --database pgsql \
+--database-host $NEXTCLOUD_DB_IP \
+--database-port $NEXTCLOUD_DB_PORT \
+--database-name $NEXTCLOUD_DB_NAME \
+--database-user $NEXTCLOUD_DB_USR \
+--database-pass $NEXTCLOUD_DB_PWD \
+--admin-user $NEXTCLOUD_ADMIN_USR \
+--admin-pass $NEXTCLOUD_ADMIN_PWD \
+--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
+
+php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
+php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
+
+cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i '/);/d' /var/www/nextcloud/config/config.php
+
+cat >> /var/www/nextcloud/config/config.php << EOF
+'activity_expire_days' => 14,
+'auth.bruteforce.protection.enabled' => true,
+'blacklisted_files' => 
+array (
+0 => '.htaccess',
+1 => 'Thumbs.db',
+2 => 'thumbs.db',
+),
+'cron_log' => true,
+'default_phone_region' => 'DE',
+'enable_previews' => true,
+'enabledPreviewProviders' => 
+array (
+0 => 'OC\Preview\PNG',
+1 => 'OC\Preview\JPEG',
+2 => 'OC\Preview\GIF',
+3 => 'OC\Preview\BMP',
+4 => 'OC\Preview\XBitmap',
+5 => 'OC\Preview\Movie',
+6 => 'OC\Preview\PDF',
+7 => 'OC\Preview\MP3',
+8 => 'OC\Preview\TXT',
+9 => 'OC\Preview\MarkDown',
+),
+'filesystem_check_changes' => 0,
+'filelocking.enabled' => 'true',
+'htaccess.RewriteBase' => '/',
+'integrity.check.disabled' => false,
+'knowledgebaseenabled' => false,
+'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
+'loglevel' => 2,
+'logtimezone' => '$LXC_TIMEZONE',
+'log_rotate_size' => 104857600,
+'maintenance' => false,
+'memcache.local' => '\OC\Memcache\APCu',
+'memcache.locking' => '\OC\Memcache\Redis',
+'overwriteprotocol' => 'https',
+'preview_max_x' => 1024,
+'preview_max_y' => 768,
+'preview_max_scale_factor' => 1,
+'redis' => 
+array (
+'host' => '/var/run/redis/redis-server.sock',
+'port' => 0,
+'timeout' => 0.0,
+),
+'quota_include_external_storage' => false,
+'share_folder' => '/Freigaben',
+'skeletondirectory' => '',
+'theme' => '',
+'trashbin_retention_obligation' => 'auto, 7',
+'updater.release.channel' => 'stable',
+'trusted_proxies' => 
+array (
+'$NEXTCLOUD_REVPROX',
+'127.0.0.1',
+'::1',
+),
+);
+EOF
+
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
+php /var/www/nextcloud/occ app:disable survey_client
+php /var/www/nextcloud/occ app:disable firstrunwizard
+php /var/www/nextcloud/occ app:enable admin_audit
+php /var/www/nextcloud/occ app:enable notify_push
+php /var/www/nextcloud/occ app:enable files_pdfviewer
+php /var/www/nextcloud/occ background:cron
+DFOE
+
+/root/permissions.sh
+
+su -s /bin/bash www-data <<EOF
+bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
+EOF
+
+#### Create file for high performance backend
+
+cat > /etc/systemd/system/notify_push.service << EOF
+[Unit]
+Description = Push daemon for Nextcloud clients
+[Service]
+Environment=PORT=7867
+Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
+Environment=ALLOW_SELF_SIGNED=true
+ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
+User=www-data
+[Install]
+WantedBy = multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now notify_push
+
+echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+
+echo -e "\n######################################################################\n\n    Please note this user and password for the nextcloud login:\n        '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n                Enjoy your Nextcloud intallation.\n\n######################################################################"
+
+shutdown -r now
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="mongodb-server,java"
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
+echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
+echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
--- a/src/onlyoffice/constants-service.conf
+++ b/src/onlyoffice/constants-service.conf
@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+ONLYOFFICE_DB_HOST=localhost
+
+ONLYOFFICE_DB_NAME=onlyoffice
+
+ONLYOFFICE_DB_USER=onlyoffice
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,rabbitmq"
--- a/src/onlyoffice/fix-update.sh
+++ b/src/onlyoffice/fix-update.sh
@ -0,0 +1,25 @@
+#!/bin/bash
+
+cat > /usr/local/bin/ods-apt-pre-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds-ssl.conf
+systemctl stop nginx.service
+DFOE
+chmod +x /usr/local/bin/ods-apt-pre-hook
+
+cat > /usr/local/bin/ods-apt-post-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds.conf
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+systemctl restart nginx
+DFOE
+chmod +x /usr/local/bin/ods-apt-post-hook
+
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
+DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
+DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
+EOF
--- a/src/onlyoffice/install-service.sh
+++ b/src/onlyoffice/install-service.sh
@ -0,0 +1,82 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ONLYOFFICE_DB_PASS=$(random_password)
+
+curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null
+echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
+
+cat > /etc/apt/preferences.d/onlyoffice << EOF
+Package: onlyoffice-documentserver
+Pin: version 7.1.1-23
+Pin-Priority: 900
+EOF
+
+apt update 
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
+
+su postgres <<EOF
+psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
+psql -c "CREATE DATABASE $ONLYOFFICE_DB_NAME ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $ONLYOFFICE_DB_USER;"
+echo "Postgres User '$ONLYOFFICE_DB_USER' and database '$ONLYOFFICE_DB_NAME' created."
+EOF
+
+echo onlyoffice-documentserver onlyoffice/ds-port select 80 | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-host string $ONLYOFFICE_DB_HOST | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver
+
+cat << EOF > /root/onlyoffice.credentials
+ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
+ONLYOFFICE_DB_NAME=$ONLYOFFICE_DB_NAME
+ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
+ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
+EOF
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+rm /etc/nginx/conf.d/ds.conf
+cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+
+sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+
+cat > /usr/local/bin/ods-apt-pre-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds-ssl.conf
+systemctl stop nginx.service
+DFOE
+chmod +x /usr/local/bin/ods-apt-pre-hook
+
+cat > /usr/local/bin/ods-apt-post-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds.conf
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+systemctl restart nginx
+DFOE
+chmod +x /usr/local/bin/ods-apt-post-hook
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
+DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
+DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
+EOF
+
+systemctl restart nginx
--- a/src/open3a/constants-service.conf
+++ b/src/open3a/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/open3a/install-service.sh
+++ b/src/open3a/install-service.sh
@ -0,0 +1,84 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+webroot=/var/www/html
+
+LXC_RANDOMPWD=20
+MYSQL_PASSWORD="$(random_password)"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/open3a.crt;
+    ssl_certificate_key /etc/nginx/ssl/open3a.key;
+
+    location ~ .php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+    }
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
+GRANT USAGE ON * . * TO 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS open3a;
+GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
+
+cd $webroot
+wget https://www.open3a.de/download/open3A%204.0.zip -O $webroot/open3a.zip
+unzip open3a.zip
+rm open3a.zip
+chmod 666 system/DBData/Installation.pfdb.php
+chmod -R 777 specifics/
+chmod -R 777 system/Backup
+chown -R www-data:www-data $webroot
+
+echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
+chmod +x /etc/cron.daily/open3a-backup
+
+cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
+<?php echo "This is a database-file."; /*
+host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
+varchar(40)&%%%&varchar(20)&%%%&varchar(20)&%%%&varchar(30)&%%%&varchar(40)                                                                                         
+localhost                               &%%%&open3a              &%%%&$MYSQL_PASSWORD&%%%&open3a                        &%%%&*                                       %%&&&
+*/ ?>
+EOF
+
+systemctl enable --now php8.2-fpm
+systemctl restart php8.2-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"
--- a/src/piler/constants-service.conf
+++ b/src/piler/constants-service.conf
@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/piler"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb,manticore"
--- a/src/piler/install-service.sh
+++ b/src/piler/install-service.sh
@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+source zamba.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
+
+echo -e "Installation of piler finished."
+echo -e "\nFor administration please visit the following Website:"
+echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/"
+echo -e "\nLogin with following credentials:"
+echo -e "\tUser: admin@local"
+echo -e "\tPass: pilerrocks"
+echo -e "\n\nPlease have a look the the GOBD notes (in German):"
+echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/gobd"
--- a/src/proxmox-pbs/constants-service.conf
+++ b/src/proxmox-pbs/constants-service.conf
@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Backup ubdir where Urbackup will store backups
+PBS_DATA="backup"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="backup"
--- a/src/proxmox-pbs/install-service.sh
+++ b/src/proxmox-pbs/install-service.sh
@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list 
+# PBS pbs-no-subscription repository provided by proxmox.com,
+# NOT recommended for production use
+deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
+EOF
+
+wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
+
+apt update && apt upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
+
+proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
+
+systemctl disable --now zfs-mount.service zfs-share.service
--- a/src/rei3/constants-service.conf
+++ b/src/rei3/constants-service.conf
@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+REI3_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+REI3_DB_PORT="5432"
+
+# Defines the name from the SQL database
+REI3_DB_NAME="app"
+
+# Defines the name from the SQL user
+REI3_DB_USR="rei3"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+REI3_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="postgresql"
--- a/src/rei3/install-service.sh
+++ b/src/rei3/install-service.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+mkdir /opt/rei3
+wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg
+echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${REI3_DB_USR} WITH PASSWORD '${REI3_DB_PWD}';"
+psql -c "CREATE DATABASE ${REI3_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${REI3_DB_USR};"
+psql -c "GRANT ALL PRIVILEGES ON DATABASE ${REI3_DB_NAME} TO ${REI3_DB_USR};"
+echo "Postgres User ${REI3_DB_USR} and database ${REI3_DB_NAME} created."
+EOF
+
+cp /opt/rei3/config_template.json /opt/rei3/config.json
+chmod u+x /opt/rei3/r3
+
+sed -i 's/"user": "app",/"user": "'${REI3_DB_USR}'",/g' /opt/rei3/config.json 
+sed -i 's/"pass": "app",/"pass": "'${REI3_DB_PWD}'",/g' /opt/rei3/config.json 
+
+/opt/rei3/r3 -install
+#/opt/rei/r3 -newadmin
+systemctl start rei3
--- a/src/unifi/constants-service.conf
+++ b/src/unifi/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="mongodb-server,java"
--- a/src/unifi/install-service.sh
+++ b/src/unifi/install-service.sh
@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
+wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
+
+echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
+echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi
--- a/src/urbackup/constants-service.conf
+++ b/src/urbackup/constants-service.conf
@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Backup ubdir where Urbackup will store backups
+URBACKUP_DATA="urbackup"
+
+# OS codename for opensuse / urbackup repo
+REPO_CODENAME="Debian_12"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx"
--- a/src/urbackup/install-service.sh
+++ b/src/urbackup/install-service.sh
@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+mkdir -p /etc/urbackup
+echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
+
+echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
+curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+ln -s /usr/share/urbackup/www /var/www/urbackup
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root /var/www/urbackup;
+
+    index index.htm;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/urbackup.crt;
+    ssl_certificate_key /etc/nginx/ssl/urbackup.key;
+
+    location /x {
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass 127.0.0.1:55413;
+    }
+}
+
+EOF
+
+sed -i "s/DAEMON_TMPDIR=\"\/tmp\"/DAEMON_TMPDIR=\"\/$LXC_SHAREFS_MOUNTPOINT\/tmp\"/g" /etc/default/urbackupsrv
+sed -i "s/HTTP_SERVER=\"true\"/HTTP_SERVER=\"false\"/g" /etc/default/urbackupsrv
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/tmp
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+
+systemctl restart urbackupsrv nginx
--- a/src/vaultwarden/constants-service.conf
+++ b/src/vaultwarden/constants-service.conf
@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the name from the SQL database
+VAULTWARDEN_DB_NAME="vaultwarden"
+
+# Defines the name from the SQL user
+VAULTWARDEN_DB_USR="vaultwarden"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+VAULTWARDEN_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql"
--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@ -0,0 +1,163 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+admin_token=$(openssl rand -base64 48)
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
+
+systemctl enable --now postgresql
+
+wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+chmod +x docker-image-extract
+./docker-image-extract vaultwarden/server:alpine
+mkdir -p /opt/vaultwarden
+mkdir -p /var/lib/vaultwarden/data
+useradd vaultwarden
+chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
+mv output/vaultwarden /opt/vaultwarden
+mv output/web-vault /var/lib/vaultwarden/
+rm -Rf output
+rm -Rf docker-image-extract
+
+su - postgres <<EOF
+psql -c "CREATE USER ${VAULTWARDEN_DB_USR} WITH PASSWORD '${VAULTWARDEN_DB_PWD}';"
+psql -c "CREATE DATABASE ${VAULTWARDEN_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${VAULTWARDEN_DB_USR};"
+echo "Postgres User ${VAULTWARDEN_DB_USR} and database ${VAULTWARDEN_DB_NAME} created."
+EOF
+
+cat << EOF > /var/lib/vaultwarden/.env
+DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden
+DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN}
+ORG_CREATION_USERS=admin@$LXC_DOMAIN
+# Use `openssl rand -base64 48` to generate
+ADMIN_TOKEN=$admin_token
+# Uncomment this once vaults restored
+SIGNUPS_ALLOWED=$VW_SIGNUPS_ALLOWED
+SMTP_HOST=$VW_SMTP_HOST
+SMTP_FROM=$VW_SMTP_FROM
+SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
+SMTP_PORT=$VW_SMTP_PORT          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
+SMTP_SSL=$VW_SMTP_SSL          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
+SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
+SMTP_USERNAME=$VW_SMTP_USERNAME
+SMTP_PASSWORD=$VW_SMTP_PASSWORD
+SMTP_TIMEOUT=15
+EOF
+
+cat << EOF > /etc/systemd/system/vaultwarden.service
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target
+
+[Service]
+User=vaultwarden
+Group=vaultwarden
+EnvironmentFile=/var/lib/vaultwarden/.env
+ExecStart=/opt/vaultwarden/vaultwarden
+LimitNOFILE=1048576
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+WorkingDirectory=/var/lib/vaultwarden
+ReadWriteDirectories=/var/lib/vaultwarden
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
+DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};
+EOF
+
+cat << EOF > /var/lib/vaultwarden/update.sh
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+chmod +x docker-image-extract
+./docker-image-extract vaultwarden/server:alpine
+mv output/vaultwarden /opt/vaultwarden
+systemctl stop vaultwarden.service
+cp -rlf output/web-vault /var/lib/vaultwarden/
+rm -Rf output
+rm -Rf docker-image-extract
+systemctl start vaultwarden.service
+EOF
+
+chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
+chmod +x /var/lib/vaultwarden/update.sh
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/vaultwarden.access.log;
+    error_log /var/log/nginx/vaultwarden.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/vaultwarden.access.log;
+    error_log  /var/log/nginx/vaultwarden.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:8000;
+        proxy_read_timeout 90;
+    }
+}
+
+EOF
+
+generate_dhparam
+
+unlink /etc/nginx/sites-enabled/default
+
+systemctl daemon-reload
+systemctl enable --now vaultwarden
+systemctl restart nginx
--- a/src/zabbix-proxy/constants-service.conf
+++ b/src/zabbix-proxy/constants-service.conf
@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="data"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix_proxy"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"
+
+ZABBIX_VERSION=7.0 #zabbix 7 beta
+POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/zabbix-proxy/install-service.sh
+++ b/src/zabbix-proxy/install-service.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
+apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
+psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
+echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
+EOF
+
+cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
+
+srv=$(grep -E "^Server" /etc/zabbix/zabbix_proxy.conf)
+sed -i "s/$srv/Server=${ZBX_ADDR}/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# ListenPort=/ListenPort=/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/Hostname=Zabbix proxy/Hostname=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
+
+mkdir -p /var/lib/zabbix
+chown -R zabbix:zabbix /var/lib/zabbix/
+chmod 700 /var/lib/zabbix/
+
+
+psk=$(openssl rand -hex 32)
+echo "$psk" > /var/lib/zabbix/proxy.psk
+chown zabbix:zabbix /var/lib/zabbix/proxy.psk
+chmod 600 /var/lib/zabbix/proxy.psk
+
+sed -i "s/# TLSConnect=unencrypted/TLSConnect=psk/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
+
+systemctl enable zabbix-proxy zabbix-agent2
+
+systemctl restart zabbix-proxy zabbix-agent2 
+
+echo -e "Installation of zabbix-proxy finished."
+echo -e "\nPlease register the Proxy on yout zabbix server with following data:"
+echo -e "Proxy name:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
+echo -e "Proxy mode: Active"
+echo -e "Proxy address:\t$(ip a s dev eth0 | grep -m1 inet | cut -d ' ' -f6 | cut -d'/' -f1)"
+echo -e "Encryption:\tPSK"
+echo -e "PSK identity:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
+echo -e "PSK:\t\t${psk}"
--- a/src/zabbix/constants-service.conf
+++ b/src/zabbix/constants-service.conf
@ -0,0 +1,54 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="data"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"
+
+ZABBIX_VERSION=7.0 #zabbix 7 beta
+POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
+PHP_VERSION=8.2 # debian 12 default
+TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
--- a/src/zabbix/install-service.sh
+++ b/src/zabbix/install-service.sh
@ -0,0 +1,236 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
+apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main"
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+
+unlink /etc/nginx/sites-enabled/default
+
+cat << EOF > /etc/zabbix/nginx.conf
+server {
+        listen          80 default_server;
+        listen          [::]:80 default_server;
+        server_name _;
+
+        server_tokens off;
+
+        access_log /var/log/nginx/zabbix.access.log;
+        error_log /var/log/nginx/zabbix.error.log;
+
+        location /.well-known/ {
+        }
+
+        return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+        }
+
+server {
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+
+        server_tokens off;
+        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+        ssl_protocols TLSv1.3 TLSv1.2;
+        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+        ssl_dhparam /etc/nginx/dhparam.pem;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 180m;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 1.1.1.1 1.0.0.1;
+
+        add_header Strict-Transport-Security "max-age=31536000" always;
+
+        root    /usr/share/zabbix;
+
+        index   index.php;
+
+        location = /favicon.ico {
+                log_not_found   off;
+        }
+
+        location / {
+                try_files       \$uri \$uri/ =404;
+        }
+
+        location /assets {
+                access_log      off;
+                expires         10d;
+        }
+
+        location ~ /\.ht {
+                deny            all;
+        }
+
+        location ~ /(api\/|conf[^\.]|include|locale) {
+                deny            all;
+                return          404;
+        }
+
+        location /vendor {
+                deny            all;
+                return          404;
+        }
+
+        location ~ [^/]\.php(/|$) {
+                fastcgi_pass    unix:/var/run/php/zabbix.sock;
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_index   index.php;
+
+                fastcgi_param   DOCUMENT_ROOT   /usr/share/zabbix;
+                fastcgi_param   SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name;
+                fastcgi_param   PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name;
+
+                include fastcgi_params;
+                fastcgi_param   QUERY_STRING    \$query_string;
+                fastcgi_param   REQUEST_METHOD  \$request_method;
+                fastcgi_param   CONTENT_TYPE    \$content_type;
+                fastcgi_param   CONTENT_LENGTH  \$content_length;
+
+                fastcgi_intercept_errors        on;
+                fastcgi_ignore_client_abort     off;
+                fastcgi_connect_timeout         60;
+                fastcgi_send_timeout            180;
+                fastcgi_read_timeout            180;
+                fastcgi_buffer_size             128k;
+                fastcgi_buffers                 4 256k;
+                fastcgi_busy_buffers_size       256k;
+                fastcgi_temp_file_write_size    256k;
+        }
+}
+EOF
+
+cat << EOF > /etc/php/$PHP_VERSION/fpm/pool.d/zabbix-php-fpm.conf
+[zabbix]
+user = www-data
+group = www-data
+
+listen = /var/run/php/zabbix.sock
+listen.owner = www-data
+listen.allowed_clients = 127.0.0.1
+
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+pm.max_requests = 200
+
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/lib/php/sessions/
+
+php_value[max_execution_time] = 300
+php_value[memory_limit] = 128M
+php_value[post_max_size] = 16M
+php_value[upload_max_filesize] = 2M
+php_value[max_input_time] = 300
+php_value[max_input_vars] = 10000
+EOF
+
+cat << EOF > /etc/zabbix/web/zabbix.conf.php 
+<?php
+// Zabbix GUI configuration file.
+
+\$DB['TYPE']				= 'POSTGRESQL';
+\$DB['SERVER']			= 'localhost';
+\$DB['PORT']				= '0';
+\$DB['DATABASE']			= '${ZABBIX_DB_NAME}';
+\$DB['USER']				= '${ZABBIX_DB_USR}';
+\$DB['PASSWORD']			= '${ZABBIX_DB_PWD}';
+
+// Schema name. Used for PostgreSQL.
+\$DB['SCHEMA']			= '';
+
+// Used for TLS connection.
+\$DB['ENCRYPTION']		= true;
+\$DB['KEY_FILE']			= '';
+\$DB['CERT_FILE']		= '';
+\$DB['CA_FILE']			= '';
+\$DB['VERIFY_HOST']		= false;
+\$DB['CIPHER_LIST']		= '';
+
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+\$DB['VAULT_URL']		= '';
+\$DB['VAULT_DB_PATH']	= '';
+\$DB['VAULT_TOKEN']		= '';
+
+// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
+// This option is enabled by default for new Zabbix installations.
+// For upgraded installations, please read database upgrade notes before enabling this option.
+\$DB['DOUBLE_IEEE754']	= true;
+
+// Uncomment and set to desired values to override Zabbix hostname/IP and port.
+// \$ZBX_SERVER			= '';
+// \$ZBX_SERVER_PORT		= '';
+
+\$ZBX_SERVER_NAME		= '${LXC_HOSTNAME}';
+
+\$IMAGE_FORMAT_DEFAULT	= IMAGE_FORMAT_PNG;
+
+// Uncomment this block only if you are using Elasticsearch.
+// Elasticsearch url (can be string if same url is used for all types).
+//\$HISTORY['url'] = [
+//	'uint' => 'http://localhost:9200',
+//	'text' => 'http://localhost:9200'
+//];
+// Value types stored in Elasticsearch.
+//\$HISTORY['types'] = ['uint', 'text'];
+
+// Used for SAML authentication.
+// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
+//\$SSO['SP_KEY']			= 'conf/certs/sp.key';
+//\$SSO['SP_CERT']			= 'conf/certs/sp.crt';
+//\$SSO['IDP_CERT']		= 'conf/certs/idp.crt';
+//\$SSO['SETTINGS']		= [];
+EOF
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
+psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
+echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
+EOF
+
+sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
+
+zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
+timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
+
+systemctl restart postgresql
+
+echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
+cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
+
+generate_dhparam
+
+systemctl enable nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 
+
+systemctl restart nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 > /dev/null 2>&1
--- a/src/zammad/constants-service.conf
+++ b/src/zammad/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,elasticsearch"
--- a/src/zammad/install-service.sh
+++ b/src/zammad/install-service.sh
@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+curl -fsSL https://dl.packager.io/srv/zammad/zammad/key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/pkgr-zammad.gpg > /dev/null
+curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor | tee /etc/apt/trusted.gpg.d/elasticsearch.gpg> /dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main"| tee -a /etc/apt/sources.list.d/elastic-7.x.list > /dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/pkgr-zammad.gpg] https://dl.packager.io/srv/deb/zammad/zammad/stable/debian 12 main"| tee /etc/apt/sources.list.d/zammad.list > /dev/null
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
+
+
+# Java set startup environment 
+mkdir -p /etc/elasticsearch/jvm.options.d
+cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
+# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
+# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
+-Xms1g
+-Xmx1g
+EOF
+
+# configure nginx
+generate_dhparam
+
+unlink /etc/nginx/sites-enabled/default
+unlink /etc/nginx/sites-enabled/zammad.conf
+
+mkdir -p /etc/nginx/ssl
+ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
+
+sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
+ -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
+ -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
+ -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
+ /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
+
+ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
+
+
+# configure elasticsearch
+/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
+
+systemctl enable elasticsearch.service
+systemctl restart nginx elasticsearch.service
+
+# Elasticsearch conntact to Zammad
+zammad run rails r "Setting.set('es_url', 'http://127.0.0.1:9200')"
+zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
+zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
+systemctl restart elasticsearch.service
+zammad run rake zammad:searchindex:rebuild[$(nproc)]
--- a/src/zmb-ad-join/constants-service.conf
+++ b/src/zmb-ad-join/constants-service.conf
@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
--- a/src/zmb-ad-join/install-service.sh
+++ b/src/zmb-ad-join/install-service.sh
@ -0,0 +1,221 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+      ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "splitdns" ]]; then
+      ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+      ZMB_DNS_BACKEND="BIND9_DLZ"
+      ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+      ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+      echo "Unsupported optional feature $f"
+  fi
+done
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+	  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+  cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+  forwarders {
+    $LXC_DNS;
+  };
+  allow-query {  any;};
+  dnssec-validation no;
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+rm -f /etc/samba/smb.conf
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
+
+
+rm /etc/krb5.conf
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+mkdir -p /mnt/sysvol
+
+cat << EOF > /root/.smbcredentials
+username=$ZMB_ADMIN_USER
+password=$ZMB_ADMIN_PASS
+domain=$ZMB_DOMAIN
+EOF
+
+echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab
+
+mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
+
+cat > /etc/cron.d/sysvol-sync << EOF
+*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol; if ! /usr/bin/samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then /usr/bin/samba-tool ntacl sysvolreset ; fi
+EOF
+
+/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
+
+if ! samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then
+  samba-tool ntacl sysvolreset
+fi
+
+ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=$1
+if \$1 ; then
+  keep=\$1
+fi
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF
--- a/src/zmb-ad/constants-service.conf
+++ b/src/zmb-ad/constants-service.conf
@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary"
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@ -0,0 +1,194 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "splitdns" ]]; then
+    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+    ZMB_DNS_BACKEND="BIND9_DLZ"
+    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+    echo "Unsupported optional feature $f"
+  fi
+done
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+  cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+
+  forwarders {
+    $LXC_DNS;
+  };
+
+  allow-query {  any;};
+  dnssec-validation no;
+
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+rm -f /etc/samba/smb.conf
+rm -f /etc/krb5.conf
+
+# provision zamba domain
+samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
+
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+# disable password expiry for administrator
+samba-tool user setexpiry Administrator --noexpiry
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF
+
+exit 0
--- a/src/zmb-cups/constants-service.conf
+++ b/src/zmb-cups/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,member,cups,printserver"
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+apt update
+
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+klist
+
+mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
+cat > /etc/samba/smb.conf <<EOF
+[global]
+	workgroup = $ZMB_DOMAIN
+	security = ADS
+	realm = $ZMB_REALM
+	server string = %h server
+
+	vfs objects = acl_xattr shadow_copy2
+	map acl inherit = Yes
+	store dos attributes = Yes
+	idmap config *:backend = tdb
+	idmap config *:range = 3000000-4000000
+	idmap config *:schema_mode = rfc2307
+
+	winbind refresh tickets = Yes
+	winbind use default domain = Yes
+	winbind separator = /
+	winbind nested groups = yes
+	winbind nss info = rfc2307
+
+	pam password change = Yes
+	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+	passwd program = /usr/bin/passwd %u
+
+	template homedir = /home/%U
+	template shell = /bin/bash
+	bind interfaces only = Yes
+	interfaces = lo eth0
+	log file = /var/log/samba/log.%m
+	logging = syslog
+	max log size = 1000
+	panic action = /usr/share/samba/panic-action %d
+
+	dns proxy = No
+	shadow: snapdir = .zfs/snapshot
+	shadow: sort = desc
+	shadow: format = -%Y-%m-%d-%H%M
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+	shadow: delimiter = -20
+	
+	printing = CUPS
+	rpcd_spoolss:idle_seconds=300
+	rpcd_spoolss:num_workers = 10
+	spoolss: architecture = Windows x64
+
+[printers]
+	path = /${LXC_SHAREFS_MOUNTPOINT}/spool
+	printable = yes
+
+[print$]
+	path = /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+	read only = no
+
+EOF
+
+systemctl restart smbd
+
+echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
+sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
+sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
+echo -e "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
+
+systemctl restart winbind nmbd
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
+cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
+chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
+systemctl disable --now cups-browsed.service
+
+cupsctl --remote-admin
+
+systemctl restart cups smbd nmbd winbind wsdd
--- a/src/zmb-member/constants-service.conf
+++ b/src/zmb-member/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,member,fileserver"
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@ -5,18 +5,16 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf

-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list

 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules 
+
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd

 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
@ -70,12 +68,11 @@ cat > /etc/samba/smb.conf <<EOF
 	printing = bsd
 	disable spoolss = Yes

-	allow trusted domains = No
 	dns proxy = No
 	shadow: snapdir = .zfs/snapshot
 	shadow: sort = desc
 	shadow: format = -%Y-%m-%d-%H%M
-	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20

 [$ZMB_SHARE]
@ -86,8 +83,6 @@ cat > /etc/samba/smb.conf <<EOF
 	directory mask = 0770
 	inherit acls = Yes

-
-
 EOF

 systemctl restart smbd
@ -101,13 +96,12 @@ systemctl restart winbind nmbd
 wbinfo -u
 wbinfo -g

-mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

 # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

-setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-
-systemctl restart smbd nmbd winbind
+setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

+systemctl restart smbd nmbd winbind wsdd
--- a/src/zmb-standalone/constants-service.conf
+++ b/src/zmb-standalone/constants-service.conf
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit"
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
+echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+apt update
+
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
+
+USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
+useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
+echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
+smbpasswd -x $USER
+(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
+
+usermod -aG sudo $USER
+
+cat << EOF | sudo tee -i /etc/samba/smb.conf
+[global]
+    include = registry
+EOF
+
+cat << EOF | sudo tee -i /etc/samba/import.template
+[global]
+    workgroup = WORKGROUP
+    log file = /var/log/samba/log.%m
+    max log size = 1000
+    logging = file
+    panic action = /usr/share/samba/panic-action %d
+    log level = 3
+    server role = standalone server
+    obey pam restrictions = yes
+    unix password sync = yes
+    passwd program = /usr/bin/passwd %u
+    passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+    pam password change = yes
+    map to guest = bad user
+    vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
+    map acl inherit = yes
+    acl_xattr:ignore system acls = yes
+    shadow: snapdir = .zfs/snapshot
+    shadow: sort = desc
+    shadow: format = -%Y-%m-%d-%H%M
+    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
+    shadow: delimiter = -20
+    fruit:encoding = native
+    fruit:metadata = stream
+    fruit:zero_file_id = yes
+    fruit:nfs_aces = no
+EOF
+
+net conf import /etc/samba/import.template
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+net conf setparm $ZMB_SHARE readonly no
+net conf setparm $ZMB_SHARE browseable yes
+net conf setparm $ZMB_SHARE createmask 0660
+net conf setparm $ZMB_SHARE directorymask 0770
+
+systemctl restart smbd nmbd wsdd
--- a/zmb-ad.sh
+++ b/zmb-ad.sh
@ -1,119 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
-  BINDNINE=bind9
-fi
-
-## configure ntp
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-
-# No restrictions for "localhost"
-restrict 127.0.0.1
-
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-
-tinker panic 0
-EOF
-
-# update packages
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-# install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
-
-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
-  # configure bind dns service
-  cat << EOF > /etc/default/bind9
-#
-# run resolvconf?
-RESOLVCONF=no
-
-# startup options for the server
-OPTIONS="-4 -u bind"
-EOF
-
-cat << EOF > /etc/bind/named.conf.local
-//
-// Do any local configuration here
-//
-
-// Consider adding the 1918 zones here, if they are not used in your
-// organization
-//include "/etc/bind/zones.rfc1918";
-dlz "$LXC_DOMAIN" {
-  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
-};
-EOF
-
-  cat << EOF > /etc/bind/named.conf.options
-options {
-  directory "/var/cache/bind";
-
-  forwarders {
-    $LXC_DNS;
-  };
-
-  allow-query {  any;};
-  dnssec-validation no;
-
-  auth-nxdomain no;    # conform to RFC1035
-  listen-on-v6 { any; };
-  listen-on { any; };
-
-  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
-  minimal-responses yes;
-};
-EOF
-
-  mkdir -p /var/lib/samba/bind-dns/dns
-fi
-
-# stop + disable samba services and remove default config
-systemctl stop smbd nmbd winbind
-systemctl disable smbd nmbd winbind
-rm -f /etc/samba/smb.conf
-rm -f /etc/krb5.conf
-
-# provision zamba domain
-samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
-
-cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
-
-systemctl unmask samba-ad-dc
-systemctl enable samba-ad-dc $BINDNINE
-systemctl restart samba-ad-dc $BINDNINE
-
-exit 0
--- a/zmb-standalone.sh
+++ b/zmb-standalone.sh
@ -1,44 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba samba-dsdb-modules samba-vfs-modules 
-
-USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
-useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
-echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
-smbpasswd -x $USER
-(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
-
-cat << EOF >> /etc/samba/smb.conf
-[share]
-    comment = Main Share
-    path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-    read only = No
-    vfs objects = shadow_copy2
-    shadow: snapdir = .zfs/snapshot
-    shadow: sort = desc
-    shadow: format = -%Y-%m-%d-%H%M
-    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
-    shadow: delimiter = -20
-EOF
-
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-
-systemctl restart smbd nmbd