Hermann.Brauer/zamba-lxc-toolbox
1
0
Fork 0
mirror of https://github.com/bashclub/zamba-lxc-toolbox.git synced 2026-04-18 11:56:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #147 from bashclub/dev

Browse Source 
Release
This commit is contained in:
Thorsten Spille
2026-04-09 18:04:02 +02:00
committed by GitHub
parent 639e8d6978 d3060354f9
commit b849b541a1
85 changed files with 1165 additions and 1347 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
conf/README.md
View File

@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
```
Please use 'single quotation marks' to avoid unexpected behaviour.
`zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
### ZMB_SHARE
Defines the name of your Zamba share
### ZMB_SHARES
Defines the names of your Zamba shares
```bash
ZMB_SHARE="share"
ZMB_SHARES="share1,share2"
```
<br>

16
conf/zamba.conf.example
View File

@@ -114,8 +114,8 @@ ZMB_ADMIN_PASS='Start!123'
# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
ZMB_DOMAIN_ADMINS="domain admins"
# Defines the name of your Zamba share
ZMB_SHARE="share"
# Defines the names of your Zamba shares in a comma separated list
ZMB_SHARES="share1,share2"
############### Mailpiler-Section ###############
@@ -165,18 +165,6 @@ CMK_ADMIN_PW='Start!123'
# free = limited version of the enterprise edition (25 hosts, 1 instance)
CMK_EDITION=raw
############### Kopano-Section ###############
# Define the FQDN of your Nextcloud server
KOPANO_FQDN="kopano.zmb.rocks"
# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
KOPANO_MAILGW="192.168.100.254"
# Kopano test- or subscription-key offerd from
# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
KOPANO_REPKEY="1234567890abcdefghijklmno"
############### vaultwarden Section ###############
# Enable/disable signups (true/false)

36
install.sh
View File

@@ -20,11 +20,12 @@ prog="$(basename $0)"
usage() {
cat >&2 <<-EOF
usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] [-p]
installs a preconfigured lxc container on your proxmox server
-i CTID provide a container id instead of auto detection
-s SERVICE provide the service name and skip the selection dialog
-c CFGFILE use a different config file than 'zamba.conf'
-p preserve zamba.conf ans scripts inside container
-d Debug mode inside LXC container
-h displays this help text
---------------------------------------------------------------------------
@@ -39,13 +40,15 @@ ctid=0
service=ask
config=$PWD/conf/zamba.conf
debug=0
preserve_install_scripts=0
while getopts "hi:s:c:d" opt; do
while getopts "hi:s:c:dp" opt; do
case $opt in
h) usage 0 ;;
i) ctid=$OPTARG ;;
s) service=$OPTARG ;;
c) config=$OPTARG ;;
p) preserve_install_scripts=1 ;;
d) debug=1 ;;
*) usage 1 ;;
esac
@@ -154,6 +157,10 @@ pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged
set -u
sleep 2;
if [[ $SERVICE_TAGS == *"docker"* ]]; then
echo "lxc.apparmor.profile: unconfined" >> /etc/pve/lxc/${LXC_NBR}.conf
fi
# Check vlan configuration
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
# Reconfigure conatiner
@@ -185,18 +192,17 @@ sleep 5;
pct exec $LXC_NBR -- mkdir -p /root/.ssh
pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
pct push $LXC_NBR "$config" /root/zamba.conf
for f in "$PWD/src/functions.sh" "$PWD/src/constants.conf" "$PWD/src/lxc-base.sh" "$PWD/src/$service/install-service.sh" "$PWD/src/$service/constants-service.conf"; do
pct push $LXC_NBR $f /root/$(basename $f)
done
if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
pct push $LXC_NBR scripts/zmb-ad_auto-map-root.sh /root/zmb-ad_auto-map-root.sh
pct push $LXC_NBR scripts/create-service-account /usr/bin/create-service-account
fi
pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
if [[ $service == "zmb-ad-restore" ]]; then
pct exec $LXC_NBR -- mkdir -p /backup/online
pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
fi
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
@@ -220,3 +226,9 @@ if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
sleep 5
pct exec $LXC_NBR /usr/local/bin/smb-backup 7
fi
if [ $preserve_install_scripts -eq 0 ]; then
for f in constants.conf constants-service.conf functions.sh install-service.sh lxc-base.sh zamba.conf; do
pct exec $LXC_NBR -- bash -c "if [ -f /root/$f ] ; then rm -f /root/${f} ; fi"
done
fi

6
outaged_repos Normal file
View File

@@ -0,0 +1,6 @@
repos ohne debian trixie support
- manticore (fixed via bashclub repo)
- 45drives
- mongodb
- influxdb
- zammad

0
check_zambaconfonpve_trmm.sh → scripts/check_zambaconfonpve_trmm.sh
View File

2
scripts/create-service-account
View File

@@ -36,7 +36,7 @@ ldbmodify -H /var/lib/samba/private/sam.ldb <<EOF
dn: $DN
changetype: modify
replace: userWorkstations
userWorkstations: NONE
userWorkstations: "NOWORKSTATION"
EOF
echo

44
scripts/nextcloud-for-mailcow-dockerized.conf Normal file
View File

@@ -0,0 +1,44 @@
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cloud.domain.tld;
ssl_certificate /etc/ssl/mail/cert.pem;
ssl_certificate_key /etc/ssl/mail/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
# HTTP → HTTPS
if ($scheme = http) {
return 301 https://$host$request_uri;
}
location / {
proxy_pass https://cloud.domain.tld;
# Hostname & Forwarded-Header sauber durchreichen
proxy_set_header Host 192.168.178.253; # explizit der Upstream-Name
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # TLS endet hier
proxy_set_header X-Forwarded-Host $host; # also cloud.domain.tld
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
proxy_set_header Referrer-Policy "no-referrer";
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
client_max_body_size 10G;
}
# CalDAV/CardDAV Redirects
location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
}

2
src/ansible-semaphore/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

9
src/ansible-semaphore/install-service.sh
View File

@@ -5,15 +5,14 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
inst_nginx
inst_postgresql
apt update

273
src/apt/install-service.sh
View File

@@ -1,273 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
source /etc/os-release
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
# Create gpg key for apt repo signing
gpg --batch --gen-key <<EOF
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: ${AM_COMPANY_NAME}
Name-Email: ${AM_COMPANY_EMAIL}
Expire-Date: 0
%no-protection
EOF
if [ -f /etc/nginx/sites-enabled/default ]; then
unlink /etc/nginx/sites-enabled/default
fi
cat << EOF > /etc/aptly.conf
{
"rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
"downloadConcurrency": 4,
"downloadSpeedLimit": 0,
"architectures": [
"amd64",
"armhf"
],
"dependencyFollowSuggests": false,
"dependencyFollowRecommends": false,
"dependencyFollowAllVariants": false,
"dependencyFollowSource": false,
"dependencyVerboseResolve": true,
"gpgDisableSign": false,
"gpgDisableVerify": false,
"gpgProvider": "gpg",
"downloadSourcePackages": false,
"skipLegacyPool": true,
"ppaDistributorID": "$AM_COMPANY_NAME",
"ppaCodename": ""
}
EOF
cat << EOF > /usr/local/bin/update-apt-mirrors
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
for m in $(aptly mirror list -raw); do
aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
done
EOF
chmod +x /usr/local/bin/update-apt-mirrors
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
# Force HTTPS connection. This rules is domain agnostic
if (\$scheme != "https") {
rewrite ^ https://\$host\$uri permanent;
}
# SSL configuration
#
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 15.137.208.11 15.137.209.11 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
root /var/www/html;
index index.html index.htm;
server_name _;
location /gpg {
autoindex on;
}
location /graph {
autoindex on;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files \$uri \$uri/ =404;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_pass http://localhost:8080;
}
location /api {
proxy_pass http://localhost:8000/api;
}
location /api/graph {
return 403;
}
}
EOF
cat << EOF > /etc/systemd/system/aptly.service
[Unit]
Description=Aptly Repository service
[Service]
User=root
ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
KillSignal=SIGTERM
KillMode=process
TimeoutStopSec=15s
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/aptly-api.service
[Unit]
Description=Aptly REST API service
[Service]
User=root
ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
KillSignal=SIGTERM
KillMode=process
TimeoutStopSec=15s
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /root/mirror-examples
# import proxmox keyring
wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
# proxmox 8 no subscription mirror (about 11.5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
# import debian keyring
cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
# debian 12 main mirror (about 87 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
# debian 12 contrib mirror (about 600 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
# debian 12 non-free mirror (about7,2 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
# debian 12 non-free-firmware mirror (38 Packages)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
# debian 12 update main mirror (about 2,5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
# debian 12 update contrib mirror (currently empty)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
# debian 12 updates non-free mirror (about 900 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
# debian 12 updates non-free-firmware mirror (about 70 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
# debian 12 security main mirror (about 5,5 GB)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
# debian 12 security contrib mirror (2 packages)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
# debian 12 security non-free mirror (currently empty)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
# debian 12 security non-free-firmware mirror (1 package)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
# debian 12 backports main mirror (about 14,5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
# debian 12 backports contrib mirror (about 100 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
# debian 12 backports non-free mirror (2 packages)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
# debian 12 backports non-free-firmware mirror (currently empty)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
EOF
cat << EOF > /usr/local/bin/update-apt-mirrors
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
for m in \$(aptly mirror list -raw); do
aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
done
EOF
echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
chmod +x /usr/local/bin/update-apt-mirrors
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
chown -R www-data:www-data /var/www
# Create required webserver folders
sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
# Export gpg key
sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
generate_dhparam
systemctl daemon-reload
systemctl enable --now aptly aptly-api
systemctl restart nginx
echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."

2
src/authentik/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

11
src/authentik/install-service.sh
View File

@@ -5,19 +5,16 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
inst_docker
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq pwgen
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)

17
src/ecodms/constants-service.conf → src/bashclub-cmk/constants-service.conf
View File

@@ -8,12 +8,13 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
LXC_SHAREFS_MOUNTPOINT="var/lib/cmk-push-agent"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
@@ -26,11 +27,13 @@ LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# set ecodms release version
ECODMS_RELEASE=ecodms_230164
# checkmk version
CMK_VERSION=2.4.0p19
# build number of the debian package (needs to start with underscore)
CMK_BUILD=_0
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=6144
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="java,postgresql"
SERVICE_TAGS="apache2"

88
src/bashclub-cmk/install-service.sh Normal file
View File

@@ -0,0 +1,88 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/testing $(lsb_release -cs) main" > /etc/apt/sources.list.d/bashclub.list
apt update
cd /tmp
wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
cat << EOF > /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
</VirtualHost>
EOF
cat << EOF > /etc/apache2/sites-available/default-ssl.conf
<VirtualHost *:443>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog \${APACHE_LOG_DIR}/error.log
CustomLog \${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
EOF
a2enmod ssl
a2enmod rewrite
a2ensite default-ssl
systemctl restart apache2.service
omd start $CMK_INSTANCE
# install matrix notification plugin
wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install cmk-push-server
cmk-push-setup

2
src/bookstack/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

6
src/bookstack/install-service.sh
View File

@@ -7,6 +7,8 @@ set -euo pipefail
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -14,9 +16,11 @@ source /root/constants-service.conf
BOOKSTACK_DB_PWD=$(random_password)
webroot=/var/www/bookstack/public
inst_php cli,fpm,mysql,fpm,xml,mbstring,gd,tokenizer,curl,ldap,tidy,zip 8.5
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client redis-server
curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb

4
src/checkmk/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
@@ -28,7 +28,7 @@ LXC_NESTING="1"
LXC_KEYCTL="0"
# checkmk version
CMK_VERSION=2.3.0p6
CMK_VERSION=2.4.0p18
# build number of the debian package (needs to start with underscore)
CMK_BUILD=_0

2
src/checkmk/install-service.sh
View File

@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf

2
src/cloudpanel/constants-service.conf
View File

@@ -6,7 +6,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

3
src/cloudpanel/install-service.sh
View File

@@ -10,5 +10,4 @@ source zamba.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh
DB_ENGINE=MARIADB_11.8 SWAP=false bash install.sh

2
src/constants.conf
View File

@@ -8,4 +8,4 @@
# This file contains the project constants on container level
# Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux"
LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gpg gnupg2 apt-transport-https wget ssl-cert tmux jq"

2
src/debian-priv/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

2
src/debian-unpriv/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

2
src/docker/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

16
src/docker/install-service.sh
View File

@@ -5,19 +5,13 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
inst_docker
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
@@ -26,8 +20,6 @@ install_portainer_full() {
mkdir -p /opt/portainer/data
cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always
@@ -52,8 +44,6 @@ install_portainer_agent() {
mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml
version: "3.4"
services:
portainer:
restart: always

21
src/ecodms/install-service.sh
View File

@@ -1,21 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver

4
src/freescout/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -29,5 +29,7 @@ LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
FS_PHP_VERSION=8.4
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

16
src/freescout/install-service.sh
View File

@@ -18,10 +18,12 @@ MYSQL_PASSWORD="$(random_password)"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git
inst_php cli,zip,curl,intl,fpm,mysql,imap,xml,mbstring,gd $FS_PHP_VERSION
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client ssl-cert git
echo cgi.fix_pathinfo=0 >> /etc/php/8.2/fpm/php.ini
echo cgi.fix_pathinfo=0 >> /etc/php/$FS_PHP_VERSION/fpm/php.ini
cat << EOF > /etc/nginx/sites-available/default
server {
@@ -52,7 +54,7 @@ server {
location ~ .php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_pass unix:/var/run/php/php${FS_PHP_VERSION}-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
include fastcgi_params;
@@ -104,10 +106,10 @@ GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD'
CREATE DATABASE IF NOT EXISTS freescout;
GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
curl -s https://api.github.com/repos/freescout-help-desk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
cd $webroot
tar -vxf freescout.tar.gz
dir=$(ls -d freescout-helpdesk-freescout*)
dir=$(ls -d freescout-help-desk-freescout*)
mv -v $dir freescout
chown -R www-data:www-data /var/www/html
find /var/www/html -type f -exec chmod 664 {} \;
@@ -125,8 +127,8 @@ cat << EOF > /etc/cron.d/freescout
* * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
EOF
systemctl enable --now php8.2-fpm
systemctl restart php8.2-fpm nginx
systemctl enable --now php${FS_PHP_VERSION}-fpm
systemctl restart php${FS_PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)

103
src/functions.sh
View File

@@ -22,31 +22,114 @@ EOF
apt_repo() {
apt_name=$1
apt_key_url=$2
apt_key_path=/usr/share/keyrings/${apt_name}.gpg
apt_key_path=/usr/share/keyrings/${apt_name}-archive-keyring.gpg
apt_repo_url=$3
apt_suites=$4
apt_components=$5
tmp_key_file=$(mktemp)
if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
echo "❌ Fehler beim Herunterladen des Schlüssels."
rm -f "${tmp_key_file}"
exit 1
fi
if file "${tmp_key_file}" | grep -q "ASCII"; then
echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
# Wenn es ASCII ist, konvertiere es mit --dearmor
if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
chmod 644 ${apt_key_path}
echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
else
echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
exit 1
fi
else
echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
# Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
chmod 644 ${apt_key_path}
else
echo "❌ Fehler beim Kopieren des binären Schlüssels."
rm -f "${tmp_key_file}"
exit 1
fi
fi
wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
Types: deb
URIs: $apt_repo_url
Suites: $apt_suites
Components: $apt_components
Enabled: yes
Signed-By: $apt_key_path
EOF
else
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
fi
}
#### Set repo and install Nginx ####
inst_nginx() {
apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
}
#### Set repo and install PHP ####
inst_php() {
curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
PHP_MODULES=${1}
PHP_VERSION=${2:-8.4}
IFS=',' read -ra MODULE_ARRAY <<< "$PHP_MODULES"
PKGS=()
for PHP_MODULE in "${MODULE_ARRAY[@]}"; do
PKGS+=( "php${PHP_VERSION}-${PHP_MODULE}" )
done
apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common "${PKGS[@]}"
}
#### Set repo and install Postgresql ####
# First paramater is postgres version, default ist curren version postgres 18
inst_postgresql() {
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
POSTGRES_VERSION=${1:-18}
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-${POSTGRES_VERSION}
}
#### Set repo and install Crowdsec ####
inst_crowdsec() {
apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
}
#### Set repo and install 45drives (cockpit) ####
inst_45drives() {
apt_repo "45drives" "https://repo.45drives.com/key/gpg.asc" "https://repo.45drives.com/enterprise/debian" "bookworm" "main"
apt update
}
#### Set repo and install Docker ####
inst_docker() {
apt_repo "docker" "https://download.docker.com/linux/debian/gpg" "https://download.docker.com/linux/debian" "$(lsb_release -cs)" stable
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
}
#### Set repo and install MongoDB ####
inst_mongodb() {
MONGODB_VERSION=${1:-8.0}
apt_repo "mongodb" "https://www.mongodb.org/static/pgp/server-$MONGODB_VERSION.asc" "http://repo.mongodb.org/apt/debian" "bookworm/mongodb-org/$MONGODB_VERSION" "main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq mongodb-org
}
#### Set repo and install MongoDB ####
inst_bashclub() {
BASHCLUB_COMPONENT=${1:-release}
apt_repo "bashclub-$BASHCLUB_COMPONENT" "https://apt.bashclub.org/gpg/bashclub.pub" "https://apt.bashclub.org/$BASHCLUB_COMPONENT" "$(lsb_release -cs)" "main"
apt update
}

2
src/gitea/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

10
src/gitea/install-service.sh
View File

@@ -5,19 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
inst_nginx
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
inst_postgresql
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq git ssl-cert unzip zip
systemctl enable --now postgresql

4
src/icinga2/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -34,4 +34,4 @@ SERVICE_TAGS="php-fpm,nginx,mariadb"
CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
PHP_VERSION=8.2
PHP_VERSION=8.4

11
src/icinga2/install-service.sh
View File

@@ -1,4 +1,6 @@
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -16,8 +18,8 @@ echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://pac
curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list
curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list
curl -fsSL https://repos.influxdata.com/influxdata-archive.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian bookworm stable" > /etc/apt/sources.list.d/influxdata.list
apt update
@@ -345,7 +347,8 @@ database:
password: ${NOTIFICATIONS_DB_PASS}
EOF
cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
mkdir -p /etc/icingaweb2/modules/notifications/
cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
[database]
resource = "notifications"
EOF
@@ -466,7 +469,7 @@ EOF
icinga2 feature enable icingadb api influxdb2-writer perfdata
icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
#icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
icingacli module enable reactbundle

4
src/kimai/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
#KIMAI_VERSION="main"
# Defines the php version to install
KIMAI_PHP_VERSION="8.2"
KIMAI_PHP_VERSION="8.4"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024

7
src/kimai/install-service.sh
View File

@@ -14,12 +14,11 @@ source /root/constants-service.conf
KIMAI_DB_PWD=$(random_password)
webroot=/var/www/kimai/public
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
inst_php intl,cli,fpm,mysql,xml,mbstring,gd,tokenizer,zip,opcache,curl $KIMAI_PHP_VERSION
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"

53
src/kopano-core/constants-service.conf
View File

@@ -1,53 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
KOPANO_VERSION="latest"
# Defines the php version to install
KOPANO_PHP_VERSION="7.4"
# Defines Maria DB Version
MARIA_DB_VERS="10.5"
# Defines the name from the SQL database
MARIA_DB_NAME="kopano"
# Defines the name from the SQL user
MARIA_DB_USER="kopano"
# Build a strong password for the SQL user - could be overwritten with something fixed
MARIA_ROOT_PWD=$(random_password)
MARIA_USER_PWD=$(random_password)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"

276
src/kopano-core/install-service.sh
View File

@@ -1,276 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
#timedatectl set-timezone Europe/Berlin
#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### Secure Maria Instance ####
mysqladmin -u root password "[$MARIA_ROOT_PWD]"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
#### Create user and DB for Kopano ####
mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
echo "root-password: $MARIA_ROOT_PWD,\
db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
cat > /etc/apt/sources.list.d/kopano.list << EOF
# Kopano Core
deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
# Kopano WebApp
deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
# Kopano MobileDeviceManagement
deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
# Kopano Files
deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
# Z-Push
deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
EOF
cat > /etc/apt/auth.conf.d/kopano.conf << EOF
machine download.kopano.io
login serial
password $KOPANO_REPKEY
EOF
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
apt update && apt full-upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files
#### Adjust kopano settings ####
cat > /etc/kopano/ldap.cfg << EOF
!include /usr/share/kopano/ldap.active-directory.cfg
ldap_uri = ldap://192.168.100.100:389
ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
ldap_bind_passwd = Start123!
ldap_search_base = dc=zmb,dc=rocks
#ldap_user_search_filter = (kopanoAccount=1)
EOF
cat > /etc/kopano/server.cfg << EOF
server_listen = *:236
local_admin_users = root kopano
#database_engine = mysql
#mysql_host = localhost
#mysql_port = 3306
mysql_user = $MARIA_DB_USER
mysql_password = $MARIA_USER_PWD
mysql_database = $MARIA_DB_NAME
#user_plugin = ldap
#user_plugin_config = /etc/kopano/ldap.cfg
EOF
#### Adjust php settings ####
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
[webapp]
listen = 127.0.0.1:9002
user = www-data
group = www-data
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 150
pm.start_servers = 35
pm.min_spare_servers = 20
pm.max_spare_servers = 50
pm.max_requests = 200
listen.backlog = -1
request_terminate_timeout = 120s
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes
EOF
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
#### Adjust nginx settings ####
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
generate_dhparam
#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/sites-available/webapp.conf << EOF
upstream php-handler {
#server 127.0.0.1:9002;
#server unix:/var/run/php5-fpm.sock;
server unix:/var/run/php/php7.4-fpm.sock;
}
server{
listen 80;
charset utf-8;
listen [::]:80;
server_name _;
location / {
rewrite ^(.*) https://\$server_name\$1 permanent;
}
}
server {
charset utf-8;
listen 443;
listen [::]:443 ssl;
server_name _;
ssl on;
client_max_body_size 1024m;
ssl_certificate /etc/ssl/certs/kopano.crt;
ssl_certificate_key /etc/ssl/private/kopano.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
#
# ssl_dhparam require you to create a dhparam.pem, this takes a long time
ssl_dhparam /etc/nginx/dhparam.pem;
#
# add headers
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location /webapp {
alias /usr/share/kopano-webapp/;
index index.php;
location ~ /webapp/presence/ {
rewrite ^/webapp/presence(/.*)$ \$1 break;
proxy_pass http://localhost:1234;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
location ~* ^/webapp/(.+\.php)$ {
alias /usr/share/kopano-webapp/;
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
fastcgi_param PHP_VALUE "
register_globals=off
magic_quotes_gpc=off
magic_quotes_runtime=off
post_max_size=31M
upload_max_filesize=30M
";
fastcgi_param PHP_VALUE "post_max_size=31M
upload_max_filesize=30M
max_execution_time=3660
";
include fastcgi_params;
fastcgi_index index.php;
#fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME \$document_root\$1;
fastcgi_pass php-handler;
access_log /var/log/nginx/kopano-webapp-access.log;
error_log /var/log/nginx/kopano-webapp-error.log;
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
# All (static) resources set to 2 months expiration time.
location ~* \.(?:jpg|gif|png)\$ {
expires 2M;
access_log off;
add_header Cache-Control "public";
}
# enable gzip compression
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css application/json;
gzip_vary on;
}
}
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
EOF
ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
phpenmod kopano
systemctl restart php7.4-fpm nginx

42
src/lxc-base.sh
View File

@@ -24,29 +24,7 @@ EOF
locale-gen $LXC_LOCALE
# Generate sources
if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main contrib
deb http://deb.debian.org/debian/ buster-updates main contrib
# security updates
deb http://security.debian.org/debian-security buster/updates main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bullseye main contrib
deb http://deb.debian.org/debian/ bullseye-updates main contrib
# security updates
deb http://security.debian.org/debian-security bullseye-security main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main contrib
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
cat << EOF > /etc/apt/sources.list.d/debian.sources
Types: deb deb-src
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main non-free-firmware contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb deb-src
URIs: https://security.debian.org/debian-security
Suites: trixie-security
Components: main non-free-firmware contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
else echo "LXC Debian Version false. Please check configuration files!" ; exit
fi

2
src/mailcow/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

10
src/mailcow/install-service.sh
View File

@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -78,9 +80,9 @@ cat << EOF > /etc/docker/daemon.json
{
"default-ulimits": {
"nproc": {
"name": "nproc",
"soft": -1,
"hard": -1
"Name": "nproc",
"Soft": 4096,
"Hard": 4096
}
}
}
@@ -264,7 +266,7 @@ USE_WATCHDOG=y
#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# JSON body included in the webhook POST request. Needs to be in single quotes.
# Following variables are available: SUBJECT, BODY
#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**\${SUBJECT}**\n\${BODY}"}'
# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n

2
src/matrix/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

30
src/matrix/install-service.sh
View File

@@ -5,10 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
#### Set repo and install matrix ####
inst_matrix() {
apt_repo "matrix" "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" "https://packages.matrix.org/debian" "$(lsb_release -cs)" "main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq matrix-synapse-py3 && systemctl enable matrix-synapse
}
MRX_PKE=$(random_password)
ELE_DBNAME="synapse_db"
@@ -17,15 +26,10 @@ ELE_DBPASS=$(random_password)
ELE_PATH=/var/www/element-web
WEBROOT=/var/www
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx python3-psycopg2
wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
systemctl enable matrix-synapse
ss -tulpen
inst_postgresql
inst_matrix
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
@@ -47,9 +51,9 @@ server {
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name $MATRIX_FQDN;
ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -62,9 +66,9 @@ server {
server {
listen 8448 ssl;
listen [::]:8448 ssl;
http2 on;
server_name $MATRIX_FQDN;
ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -97,9 +101,9 @@ server {
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name $MATRIX_ELEMENT_FQDN;
ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -154,6 +158,6 @@ systemctl restart matrix-synapse
rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"

6
src/nextcloud/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
@@ -30,10 +30,10 @@ LXC_KEYCTL="0"
NEXTCLOUD_VERSION="latest"
# Defines the php version to install
NEXTCLOUD_PHP_VERSION="8.3"
NEXTCLOUD_PHP_VERSION="8.4"
# Defines the postgresql version to install
POSTGRES_VERSION=16
POSTGRES_VERSION=17
# Defines the IP from the SQL server
NEXTCLOUD_DB_IP="127.0.0.1"

18
src/nextcloud/install-service.sh
View File

@@ -248,7 +248,7 @@ cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/f
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
cp /etc/ImageMagick-7/policy.xml /etc/ImageMagick-7/policy.xml.bak
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
@@ -298,10 +298,10 @@ sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-
sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-7/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-7/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-7/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-7/policy.xml
sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
@@ -350,13 +350,12 @@ sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
usermod -aG redis www-data
cp /etc/sysctl.conf /etc/sysctl.conf.bak
sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
echo 'vm.overcommit_memory = 1' > /etc/sysctl.d/overcommit_memory.conf
}
#### Install some more packages
inst_packages() {
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-7.q16-10-extra
timedatectl set-timezone $LXC_TIMEZONE
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
@@ -549,7 +548,7 @@ echo "=> Modifying Nginx config for Nextcloud ..."
mod_nginx
echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
inst_php
inst_php fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline $NEXTCLOUD_PHP_VERSION
echo "=> Modifying PHP config for Nextcloud ..."
mod_php
@@ -577,4 +576,3 @@ echo "=> Modifying Crowdsec ..."
mod_crowdsec
echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################"
shutdown -r now

2
src/omada/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

15
src/omada/install-service.sh
View File

@@ -10,14 +10,11 @@ set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
apt update
inst_mongodb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc
inst_bashclub omada
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac

2
src/onlyoffice/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

27
src/onlyoffice/install-service.sh
View File

@@ -5,24 +5,31 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
#### Set repo and install onlyoffice ####
inst_onlyoffice() {
apt_repo "onlyoffice" "https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE" "https://download.onlyoffice.com/repo/debian" "squeeze" "main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq ttf-mscorefonts-installer onlyoffice-documentserver
}
ONLYOFFICE_DB_PASS=$(random_password)
curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null
echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
inst_postgresql
cat > /etc/apt/preferences.d/onlyoffice << EOF
Package: onlyoffice-documentserver
Pin: version 7.1.1-23
Pin-Priority: 900
EOF
#cat > /etc/apt/preferences.d/onlyoffice << EOF
#Package: onlyoffice-documentserver
#Pin: version 7.1.1-23
#Pin-Priority: 900
#EOF
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq rabbitmq-server libstdc++6 supervisor
su postgres <<EOF
psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
@@ -36,7 +43,7 @@ echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | d
echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver
inst_onlyoffice
cat << EOF > /root/onlyoffice.credentials
ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST

2
src/open3a/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

14
src/open3a/install-service.sh
View File

@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -13,10 +15,13 @@ webroot=/var/www/html
LXC_RANDOMPWD=20
MYSQL_PASSWORD="$(random_password)"
PHP_VERSION=8.4
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
inst_php cli,fpm,mysql,xml,mbstring,gd $PHP_VERSION
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
@@ -39,13 +44,12 @@ server {
index index.php;
ssl on;
ssl_certificate /etc/nginx/ssl/open3a.crt;
ssl_certificate_key /etc/nginx/ssl/open3a.key;
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_pass unix:/var/run/php/php${PHP_VERSION}-fpm.sock;
}
}
@@ -76,8 +80,8 @@ localhost &%%%&open3a &%%%&$MYSQL_PAS
*/ ?>
EOF
systemctl enable --now php8.2-fpm
systemctl restart php8.2-fpm nginx
systemctl enable --now php${PHP_VERSION}-fpm
systemctl restart php${PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)

2
src/piler/constants-service.conf
View File

@@ -6,7 +6,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

11
src/piler/install-service.sh
View File

@@ -3,13 +3,14 @@
# Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
source zamba.conf
set -euo pipefail
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
apt update
inst_bashclub manticore
inst_bashclub $PILER_BRANCH
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler

111
src/pmg-ai-rspamd/PMG Integration Guide.md Normal file
View File

@@ -0,0 +1,111 @@
# PMG-Integration des KI-Rspamd Filters
Diese Anleitung beschreibt, wie das PMG als zentrale Filter-Instanz die Scores deines externen Rspamd-LXC abfragt, visualisiert und gewichtet, ohne die eigene Filterhoheit zu verlieren.
## 1. Architektur-Übersicht
Das PMG fungiert als SMTP-Relay. Der externe Rspamd wird als **Before-Queue Milter** eingebunden. Er verarbeitet die Mail, setzt Header-Attribute und das PMG wertet diese Header innerhalb seines eigenen Regelwerks aus.
---
## 2. Persistente Milter-Anbindung (Updatesicher)
Damit Postfix den Rspamd-LXC anspricht, muss die Konfiguration über das PMG-Template-System erfolgen.
1. **Template-Verzeichnis erstellen:**
```javascript
mkdir -p /etc/pmg/templates
cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/
```
2. **Milter in `main.cf.in` eintragen:** Öffne `/etc/pmg/templates/main.cf.in` und füge am Ende (vor den lokalen Overrides) folgende Zeilen hinzu:
```javascript
smtpd_milters = inet:IP_DEINES_LXC:11332
milter_default_action = accept
milter_protocol = 6
```
3. **Konfiguration generieren:**
```javascript
pmgconfig sync
```
---
## 3. Score-Gewichtung (SpamAssassin-Integration)
Da das PMG-UI keine direkte Punkte-Addition erlaubt, integrieren wir die Rspamd-Ergebnisse direkt in den internen Scan-Prozess. Dies stellt sicher, dass die Scores im **Tracking Center** namentlich auftauchen.
1. **Konfigurationsdatei erstellen:** Erstelle auf dem PMG-Host: `/etc/mail/spamassassin/rspamd_scores.cf`
2. **Regeln definieren:** Kopiere diesen Block in die Datei:
```javascript
# Rspamd Medium (4 - 5.9)
header RSPAMD_MEDIUM X-Rspamd-Score =~ /^([45]\.[0-9]+)/
describe RSPAMD_MEDIUM Rspamd bewertet diese Mail als leicht verdaechtig (4-5.9)
score RSPAMD_MEDIUM 1.5
# Rspamd High (6 - 14.9)
header RSPAMD_HIGH X-Rspamd-Score =~ /^([6-9]|1[0-4])\.[0-9]+/
describe RSPAMD_HIGH Rspamd bewertet diese Mail als Spam (6-14.9)
score RSPAMD_HIGH 4.0
# Rspamd Critical (15+)
header RSPAMD_CRITICAL X-Rspamd-Score =~ /^(1[5-9]|[2-9][0-9]|[1-9][0-9][0-9])\.[0-9]+/
describe RSPAMD_CRITICAL Rspamd (KI/Llama) ist sich absolut sicher: Scam/Betrug (15+)
score RSPAMD_CRITICAL 10.0
```
3. **Dienst neu starten:**
```javascript
systemctl restart pmg-smtp-filter
```
---
## 4. UI-Logik für harte Aktionen (Optional)
Wenn du für extrem hohe Scores (`RSPAMD_CRITICAL`) eine sofortige Quarantäne erzwingen möchtest, kannst du dies im WebUI ergänzen:
1. **What Object:** Erstelle unter *Mail Filter > What Objects* ein **Match Field**.
* **Name:** `Rspamd-Critical-Header`
* **Field:** `X-Rspamd-Score`
* **Value:** `^(1[5-9]|[2-9][0-9])\..*`
2. **Rule:** Erstelle eine Regel mit Priorität **99**.
* **What:** `Rspamd-Critical-Header`
* **Action:** `Quarantine`
---
## 5. Verifizierung & Monitoring
Nach der Integration sollten eingehende E-Mails im PMG Tracking Center detailliert aufgeschlüsselt werden.
* **Live-Log Prüfung:** Überwache die Auswertung der neuen Header live auf der Konsole:
```javascript
tail -f /var/log/mail.log | grep -E "RSPAMD_(MEDIUM|HIGH|CRITICAL)"
```
* **Tracking Center:** In der Detailansicht einer E-Mail unter **Spam Analysis** erscheint nun z. B. der Eintrag: `RSPAMD_HIGH (4.00)`
---
### Wartungshinweise
* **Persistent:** Die `.cf`-Dateien unter `/etc/mail/spamassassin/` bleiben bei PMG-Updates erhalten.
* **Anpassung:** Sollten zu viele False Positives auftreten, senke einfach die `score`-Werte in der `rspamd_scores.cf` und starte den `pmg-smtp-filter` neu.

12
src/apt/constants-service.conf → src/pmg-ai-rspamd/constants-service.conf
View File

@@ -8,14 +8,14 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="srv"
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
LXC_MP_RECORDSIZE="128K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@@ -27,7 +27,7 @@ LXC_NESTING="1"
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
LXC_MEM_MIN=8192
# service dependent meta tags
SERVICE_TAGS="aptly,nginx"
SERVICE_TAGS="rspamd,unbound,ollama"

373
src/pmg-ai-rspamd/install-service.sh Normal file
View File

@@ -0,0 +1,373 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
RSPAMD_PASSWORD=$(random_password)
LLM=llama3.1:8b
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y redis-server unbound python3-venv rspamd zstd nginx ssl-cert
# Eine abgeschottete Python-Umgebung in /opt/oletools erstellen
python3 -m venv /opt/oletools
# Oletools innerhalb dieser Umgebung installieren (berührt das System nicht!)
/opt/oletools/bin/pip install oletools python-magic
ln -s /opt/oletools/bin/olevba /usr/local/bin/olevba3
# install olefy servvice
curl -o /usr/local/bin/olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py
chmod +x /usr/local/bin/olefy.py
sed -i "s/addr_re = re.compile('\[\\\[\" \\\]\]')/addr_re = re.compile(r'\[\\\[\" \\\]\]')/g" /usr/local/bin/olefy.py
# olefy Systemd-Service anlegen
cat << 'EOF' > /etc/systemd/system/olefy.service
[Unit]
Description=Olefy Daemon for Rspamd
After=network.target
[Service]
Type=simple
User=nobody
ExecStart=/opt/oletools/bin/python3 /usr/local/bin/olefy.py
Restart=always
[Install]
WantedBy=multi-user.target
EOF
# oletools update
cat << 'EOF' > /usr/local/bin/apt-hook-oletools.sh
#!/bin/bash
# Unterdrücke Standard-Ausgaben, fange aber das Ergebnis auf
UPDATE_OUT=$(/opt/oletools/bin/pip install --upgrade oletools 2>&1)
# Prüfen, ob der Text "Successfully installed" im Output vorkommt
if echo "$UPDATE_OUT" | grep -q "Successfully installed"; then
# Neues Update wurde gefunden und installiert! Dienst neu starten:
systemctl restart olefy
# Einen sauberen Eintrag ins System-Log (syslog) schreiben
logger -t oletools-updater "Neues Oletools Update via APT-Hook installiert. Olefy Dienst neu gestartet."
fi
# Immer erfolgreich beenden (Exit Code 0), damit apt niemals blockiert wird
exit 0
EOF
# Skript ausführbar machen
chmod +x /usr/local/bin/apt-hook-oletools.sh
# apt hook
cat << EOF > /etc/apt/apt.conf.d/99oletools-update
# Automatisches Update von Oletools nach jedem dpkg-Lauf
DPkg::Post-Invoke { "/usr/local/bin/apt-hook-oletools.sh || true"; };
EOF
# download ollama
curl -fsSL https://ollama.com/install.sh | bash 2>/dev/null
# konfiguriere ollama, dass llm dauerhaft geladen bleibt
mkdir -p /etc/systemd/system/ollama.service.d
cat << 'EOF' > /etc/systemd/system/ollama.service.d/override.conf
[Service]
Environment="OLLAMA_KEEP_ALIVE=-1"
EOF
# qwen3 llm herunterladen
ollama pull $LLM
# ollama qwen3 preload service erstellen
cat << EOF > /etc/systemd/system/ollama-preload.service
[Unit]
Description=Preload Qwen3 Model into Ollama
After=ollama.service
Requires=ollama.service
[Service]
Type=oneshot
# Warteschleife: Prüfe im Sekundentakt, ob die API erreichbar ist, bevor wir weitermachen
ExecStartPre=/bin/bash -c 'until curl -s http://127.0.0.1:11434/ > /dev/null; do sleep 1; done'
# Erst wenn der Port antwortet, laden wir das Modell
ExecStart=/usr/bin/curl -s -X POST http://127.0.0.1:11434/api/generate -d '{"model": "$LLM", "keep_alive": -1}'
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
# milter socket für rspamd konfigurieren
cat << EOF > /etc/rspamd/local.d/worker-proxy.inc
# Lausche auf allen Schnittstellen (für das PMG)
bind_socket = "${LXC_IP%/*}:11332";
# Aktiviere explizit das Milter-Protokoll
milter = yes;
EOF
# rspamd an redis anbinden
cat << 'EOF' > /etc/rspamd/local.d/redis.conf
servers = "127.0.0.1";
write_servers = "127.0.0.1";
EOF
# lua script for llm integration
cat << EOF > /etc/rspamd/lua.local.d/ollama_ai.lua
local logger = require "rspamd_logger"
local http = require "rspamd_http"
local ucl = require "ucl"
local function ollama_check(task)
logger.errx(task, "KI-Check: ANALYSE START (Llama-3.1-8B)")
local text_parts = task:get_text_parts()
local email_text = ""
if text_parts then
for _, part in ipairs(text_parts) do
email_text = email_text .. tostring(part:get_content() or "")
end
end
-- Abbruch bei zu kurzen Mails
if #email_text < 15 then
logger.errx(task, "KI-Check: Text zu kurz für Analyse")
return
end
local req_data = {
model = "$LLM",
messages = {
{
role = "system",
content = "You are a cybersecurity analyst. Score the following email for fraud/phishing from 0 to 10. Output ONLY the integer number."
},
{
role = "user",
content = "Rate this content: " .. string.sub(email_text, 1, 1000)
}
},
stream = false,
options = {
num_predict = 5,
temperature = 0.0
}
}
http.request({
task = task,
url = 'http://127.0.0.1:11434/api/chat',
body = ucl.to_format(req_data, 'json'),
timeout = 25.0,
callback = function(err, code, body, headers)
-- Falls der Dienst nicht erreichbar ist
if err or code ~= 200 then
logger.errx(task, "KI-Check: Ollama API Fehler oder Timeout")
return
end
local parser = ucl.parser()
local res, _ = parser:parse_string(body)
if res then
local data = parser:get_object()
local reply = data.message and data.message.content or ""
local score_num = reply:match("%d+")
if score_num then
local score = tonumber(score_num)
logger.errx(task, "KI-Check: Ergebnis erhalten: %s/10", score)
-- 1. Header: Basis-Info (Wird immer gesetzt, wenn KI geantwortet hat)
task:set_milter_reply({
['add_header'] = {['X-AI-Scanner'] = 'Llama-3.1-8B-Verified'}
})
-- 2. Header & Symbol: Nur bei Verdacht (Score >= 7)
if score >= 7 then
task:insert_result('OLLAMA_LLM_FRAUD', 1.0, "Score " .. score .. "/10")
task:set_milter_reply({
['add_header'] = {['X-AI-Fraud-Rating'] = tostring(score) .. '/10'}
})
logger.errx(task, "KI-Check: Symbol und Header gesetzt (Betrugsverdacht)")
end
end
end
end
})
end
rspamd_config:register_symbol({
name = 'OLLAMA_LLM_FRAUD',
callback = ollama_check,
flags = 'async',
score = 6.0,
description = 'AI-based fraud detection using Llama-3.1-8B'
})
EOF
# dns resolver konfigurieren
cat << 'EOF' > /etc/rspamd/local.d/options.inc
dns {
nameserver = ["127.0.0.1"];
}
# Basis-Regeln, die immer gelten müssen
local_addrs = "127.0.0.1";
local_addrs = "::1";
task_timeout = 59s;
# Lade alle Server-spezifischen Dateien (*.conf)
.include(try=true,glob=true) "$LOCAL_CONFDIR/local_addrs.d/*.conf"
EOF
PWHASH=$(rspamadm pw --password "$RSPAMD_PASSWORD")
cat << EOF > /etc/rspamd/local.d/worker-controller.inc
bind_socket = "127.0.0.1:11334";
password = "$PWHASH";
# Basis-Regeln (LXC-interner Zugriff)
secure_ip = "127.0.0.1";
secure_ip = "::1";
secure_ip = "${LXC_IP%/*}";
# Lade alle Server-spezifischen Dateien (*.conf)
.include(try=true,glob=true) "\$LOCAL_CONFDIR/secure_ips.d/*.conf"
EOF
cat << EOF > /etc/rspamd/local.d/actions.conf
# Alle Aktionen, die normalerweise ablehnen würden, auf null setzen
reject = null; # Niemals ablehnen
add_header = 6.0; # Ab diesem Score den X-Spam-Header setzen
greylist = null; # Greylisting deaktivieren (macht PMG schon besser)
rewrite_subject = null;
EOF
cat << EOF > /etc/rspamd/local.d/milter_headers.conf
# Diese Header werden für jede Mail geschrieben
use = ["spam-header", "symbols", "score"];
header_names {
"spam-header" = "X-Spam-Flag";
"symbols" = "X-Rspamd-Symbols";
"score" = "X-Rspamd-Score";
}
# Fügt den Score immer hinzu, egal wie hoch er ist
skip_local = false;
extended_symbols = true;
EOF
# oletools aktivieren
cat << 'EOF' > /etc/rspamd/local.d/oletools.conf
enabled = true;
servers = "127.0.0.1:10050"; # Standard-Port von olefy
EOF
# learning aktivieren
cat << 'EOF' > /etc/rspamd/local.d/classifier-ham-spam.conf
# Nutze Redis als Backend für gelerntes Wissen
backend = "redis";
# Erlaube das Lernen (wichtig für deine Mailcows!)
autolearn = true;
EOF
# betreffzeilen anzeigen
cat << 'EOF' > /etc/rspamd/local.d/history_redis.conf
# Speichere die letzten Mail-Logs in Redis für die WebUI
subject_privacy = false; # Zeigt Betreffzeilen im Dashboard an (hilfreich für MSPs)
EOF
# set include for local modules
cat << 'EOF' > /etc/rspamd/local.d/groups.conf
# Lade alle Symbol-Definitionen aus dem scores.d Verzeichnis
.include(try=true,glob=true) "$LOCAL_CONFDIR/scores.d/*.conf"
EOF
# create folder for trusted addresses
mkdir -p /etc/rspamd/local.d/local_addrs.d
mkdir -p /etc/rspamd/local.d/secure_ips.d
# persistenz in redis aktivieren
sed -i 's/appendonly no/appendonly yes/g' /etc/redis/redis.conf
sed -i 's/^#\? \?appendfsync .*/appendfsync everysec/g' /etc/redis/redis.conf
# nginx konfigurieren
mkdir -p /etc/nginx/ssl
# Symlinks auf Snakeoil (Pfade ggf. anpassen, falls ssl-cert nicht installiert ist)
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
# Starke Diffie-Hellman Parameter generieren (wichtig!)
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# generiere config
cat << EOF > /etc/nginx/sites-available/rspamd_proxy
# HTTP - Redirect auf HTTPS
server {
listen 80;
listen [::]:80;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
return 301 https://\$host\$request_uri;
}
# HTTPS - Sicherer Proxy
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
# Zertifikate
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# TLS Sicherheit nach Stand der Technik (Modern)
ssl_protocols TLSv1.3; # TLS 1.2 entfernt für maximale Sicherheit
ssl_prefer_server_ciphers off;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
# Proxy-Einstellungen
location / {
proxy_pass http://127.0.0.1:11334; # Dein Rspamd Controller/UI
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
# Wichtig für lange KI-Analysen
proxy_read_timeout 120s;
proxy_connect_timeout 120s;
# Optional: Zusätzlicher Schutz auf Nginx-Ebene
# allow 1.2.3.4; # Deine Admin IP
# deny all;
}
}
EOF
ln -s /etc/nginx/sites-available/rspamd_proxy /etc/nginx/sites-enabled/
nginx -t
# dienste aktivieren
systemctl daemon-reload
systemctl enable --now unbound olefy ollama ollama-preload.service
systemctl restart redis-server rspamd nginx
echo "Your rspamd instance setup is finished!"
echo "Please visit http://${LXC_IP%/*}:11334/"
echo "rspamd password is: $RSPAMD_PASSWORD"

2
src/proxmox-pbs/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

16
src/proxmox-pbs/install-service.sh
View File

@@ -1,5 +1,7 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
@@ -9,16 +11,14 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list
# PBS pbs-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
EOF
wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
#### Set repo and install onlyoffice ####
inst_pbs() {
apt_repo "proxmox" "https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg" "http://download.proxmox.com/debian/pbs" "trixie" "pbs-no-subscription"
apt update && apt upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
}
inst_pbs
proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA

2
src/rei3/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

7
src/rei3/install-service.sh
View File

@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -12,13 +14,12 @@ source /root/constants-service.conf
mkdir /opt/rei3
wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg
echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
inst_postgresql
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends imagemagick ghostscript
timedatectl set-timezone ${LXC_TIMEZONE}

2
src/unifi/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

14
src/unifi/install-service.sh
View File

@@ -11,12 +11,14 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
inst_unifi() {
apt_repo "unifi" "https://dl.ubnt.com/unifi/unifi-repo.gpg" "http://www.ui.com/downloads/unifi/debian" "stable" "ubiquiti"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unifi
}
echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
inst_mongodb
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi
inst_unifi

4
src/urbackup/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
URBACKUP_DATA="urbackup"
# OS codename for opensuse / urbackup repo
REPO_CODENAME="Debian_12"
REPO_CODENAME="Debian_13"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024

16
src/urbackup/install-service.sh
View File

@@ -5,10 +5,14 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
set -euo pipefail
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
mkdir -p /etc/urbackup
@@ -18,10 +22,11 @@ echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/
curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" ssl-cert urbackup-server nginx
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
install -d -m 0750 -o root -g root /etc/nginx/ssl
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
ln -s /usr/share/urbackup/www /var/www/urbackup
@@ -44,9 +49,8 @@ server {
index index.htm;
ssl on;
ssl_certificate /etc/nginx/ssl/urbackup.crt;
ssl_certificate_key /etc/nginx/ssl/urbackup.key;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
location /x {
include /etc/nginx/fastcgi_params;

2
src/vaultwarden/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

9
src/vaultwarden/install-service.sh
View File

@@ -5,13 +5,17 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
admin_token=$(openssl rand -base64 48)
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
inst_postgresql
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx git ssl-cert
systemctl enable --now postgresql
@@ -149,6 +153,9 @@ server {
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
proxy_read_timeout 90;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
}
}

31
src/wazuh/constants-service.conf Normal file
View File

@@ -0,0 +1,31 @@
#!/bin/bash
# Authors:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=8192
# service dependent meta tags
SERVICE_TAGS="opensearch"

24
src/wazuh/install-service.sh Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
# Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
WAZUH_VERSION=4.14
REG_PASS=$(random_password)
curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null
sed -i "s|<use_password>no</use_password>|<use_password>yes</use_password>|" /var/ossec/etc/ossec.conf
echo "$REG_PASS" > /var/ossec/etc/authd.pass
chmod 640 /var/ossec/etc/authd.pass
chown root:wazuh /var/ossec/etc/authd.pass
systemctl restart wazuh-manager
echo "Please use the following password for agent registration: $REG_PASS"

6
src/zabbix-proxy/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -42,8 +42,8 @@ ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
ZABBIX_VERSION=7.0 #zabbix 7 beta
POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13)
ZABBIX_VERSION=7.4 #zabbix 7 beta
POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096

11
src/zabbix-proxy/install-service.sh
View File

@@ -11,13 +11,14 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
apt update
inst_postgresql $POSTGRES_VERSION
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
timedatectl set-timezone ${LXC_TIMEZONE}
@@ -29,7 +30,7 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
cat /usr/share/zabbix/sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
@@ -53,6 +54,8 @@ sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
systemctl enable zabbix-proxy zabbix-agent2
systemctl restart zabbix-proxy zabbix-agent2

10
src/zabbix/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -42,10 +42,10 @@ ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
ZABBIX_VERSION=7.0 #zabbix 7 beta
POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13)
PHP_VERSION=8.2 # debian 12 default
TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
ZABBIX_VERSION=7.4 #zabbix 7 beta
POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13)
PHP_VERSION=8.4 # debian 12 default
TS_VERSION=2.23.0 # currently latest by zabbix supported version of timescaledb (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096

19
src/zabbix/install-service.sh
View File

@@ -11,14 +11,15 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main"
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/" "$(lsb_release -cs)" "main"
inst_postgresql ${POSTGRES_VERSION}
inst_php pgsql,fpm $PHP_VERSION
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION timescaledb-tools nginx zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
unlink /etc/nginx/sites-enabled/default
@@ -216,18 +217,20 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
#sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
systemctl restart postgresql
echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
cat /usr/share/zabbix/sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.d/dbpassword.conf
mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
generate_dhparam

2
src/zammad/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0

17
src/zammad/install-service.sh
View File

@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -39,15 +41,16 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
-e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
-e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
-e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
-e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
echo "Customizing nginx configuration..."
sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
-e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
-e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
-e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
-e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
-e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
/opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
# configure elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment

14
src/zmb-ad-join/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -26,18 +26,6 @@ LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024

101
src/zmb-ad-join/install-service.sh
View File

@@ -5,35 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
@@ -62,57 +46,6 @@ allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | r
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
[libdefaults]
@@ -124,9 +57,28 @@ cat > /etc/krb5.conf <<EOF
EOF
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
rm -f /etc/samba/smb.conf
echo "fixing samba service to wait for lxc being online"
install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
[Unit]
After=networking.service
Wants=networking.service
[Service]
# Wait up to 30s for eth0 to get an IPv4 address
ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
Restart=on-failure
RestartSec=3
EOF
systemctl daemon-reload
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
@@ -160,7 +112,10 @@ ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
systemctl restart samba-ad-dc
bash /root/zmb-ad_auto-map-root.sh
chmod +x /usr/bin/create-service-account
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
@@ -168,7 +123,7 @@ cat << EOF > /usr/local/bin/smb-backup
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0
keep=$1
keep=\$1
if \$1 ; then
keep=\$1
fi

45
src/zmb-ad-restore/constants-service.conf
View File

@@ -1,45 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="backup"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"

195
src/zmb-ad-restore/install-service.sh
View File

@@ -1,195 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d
cat << EOF > /etc/default/chrony
# This is a configuration file for /etc/init.d/chrony and
# /lib/systemd/system/chrony.service; it allows you to pass various options to
# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
DAEMON_OPTS="-x -F 1"
EOF
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
[Unit]
ConditionCapability=
EOF
cat << EOF > /etc/chrony/conf.d/samba.conf
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
server de.pool.ntp.org iburst
server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
rm -r /var/lib/samba/*
backupfile=$(find /backup/online -name samba-backup* | tail -1)
samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
# disable password expiry for administrator
samba-tool user setexpiry Administrator --noexpiry
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0
keep=\$1
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
prune () {
backup_type=\$1
if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
fi
}
echo "\$(date) Starting samba-ad-dc online backup"
if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
prune online
else
echo "\$(date) samba-ad-dc online backup failed"
rc=\$((\$rc + 1))
fi
echo "\$(date) Starting samba-ad-dc offline backup"
if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
prune offline
else
echo "S(date) samba-ad-dc offline backup failed"
rc=\$((\$rc + 1))
fi
exit \$rc
EOF
chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF
cat << EOF > /etc/logrotate.d/smb-backup
/var/log/smb-backup.log {
weekly
rotate 12
compress
delaycompress
missingok
notifempty
create 644 root root
}
EOF
exit 0

14
src/zmb-ad/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
@@ -26,18 +26,6 @@ LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024

116
src/zmb-ad/install-service.sh
View File

@@ -5,38 +5,20 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc wsdd2
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
echo "configuring chrony"
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d
@@ -61,72 +43,35 @@ server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
echo "disabling services"
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
# provision zamba domain
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
echo "fixing samba service to wait for lxc being online"
install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
[Unit]
After=networking.service
Wants=networking.service
[Service]
# Wait up to 30s for eth0 to get an IPv4 address
ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
Restart=on-failure
RestartSec=3
EOF
systemctl daemon-reload
echo "provisioning domain"
# provision zamba domain
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL
echo "provosioning finished"
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
# disable password expiry for administrator
@@ -134,7 +79,10 @@ samba-tool user setexpiry Administrator --noexpiry
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
systemctl restart samba-ad-dc
bash /root/zmb-ad_auto-map-root.sh
chmod +x /usr/bin/create-service-account
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup

2
src/zmb-cups/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

6
src/zmb-cups/install-service.sh
View File

@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -14,7 +16,7 @@ source /root/constants-service.conf
apt update
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd2
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
@@ -107,4 +109,4 @@ systemctl disable --now cups-browsed.service
cupsctl --remote-admin
systemctl restart cups smbd nmbd winbind wsdd
systemctl restart cups smbd nmbd winbind wsdd2

2
src/zmb-member/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

37
src/zmb-member/install-service.sh
View File

@@ -5,16 +5,15 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF
@@ -26,9 +25,6 @@ cat > /etc/krb5.conf <<EOF
renew_lifetime = 7d
EOF
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
klist
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
cat > /etc/samba/smb.conf <<EOF
[global]
@@ -75,8 +71,12 @@ cat > /etc/samba/smb.conf <<EOF
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: delimiter = -20
EOF
IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}" ; do
cat >> /etc/samba/smb.conf << EOF
[$ZMB_SHARE]
comment = Main Share
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
read only = No
create mask = 0660
@@ -84,6 +84,10 @@ cat > /etc/samba/smb.conf <<EOF
inherit acls = Yes
EOF
done
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
klist
systemctl restart smbd
@@ -96,12 +100,17 @@ systemctl restart winbind nmbd
wbinfo -u
wbinfo -g
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
unset ZMB_SHARE
# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
do
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
systemctl restart smbd nmbd winbind wsdd
setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
done
systemctl restart smbd nmbd winbind

2
src/zmb-standalone/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1

37
src/zmb-standalone/install-service.sh
View File

@@ -5,26 +5,21 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
inst_45drives
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd2
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
smbpasswd -x $USER
smbpasswd -x $USER || true
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
usermod -aG sudo $USER
@@ -65,14 +60,18 @@ EOF
net conf import /etc/samba/import.template
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
do
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf setparm $ZMB_SHARE readonly no
net conf setparm $ZMB_SHARE browseable yes
net conf setparm $ZMB_SHARE createmask 0660
net conf setparm $ZMB_SHARE directorymask 0770
net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf setparm $ZMB_SHARE readonly no
net conf setparm $ZMB_SHARE browseable yes
net conf setparm $ZMB_SHARE createmask 0660
net conf setparm $ZMB_SHARE directorymask 0770
done
systemctl restart smbd nmbd wsdd
systemctl restart smbd nmbd wsdd2