diff --git a/conf/README.md b/conf/README.md
index 9bbbfb3..0d03fba 100644
--- a/conf/README.md
+++ b/conf/README.md
@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
```
Please use 'single quotation marks' to avoid unexpected behaviour.
`zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
-### ZMB_SHARE
-Defines the name of your Zamba share
+### ZMB_SHARES
+Defines the names of your Zamba shares
```bash
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
```
diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example
index 7a3736a..e8095ba 100644
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@@ -114,8 +114,8 @@ ZMB_ADMIN_PASS='Start!123'
# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
ZMB_DOMAIN_ADMINS="domain admins"
-# Defines the name of your Zamba share
-ZMB_SHARE="share"
+# Defines the names of your Zamba shares in a comma separated list
+ZMB_SHARES="share1,share2"
############### Mailpiler-Section ###############
@@ -165,18 +165,6 @@ CMK_ADMIN_PW='Start!123'
# free = limited version of the enterprise edition (25 hosts, 1 instance)
CMK_EDITION=raw
-############### Kopano-Section ###############
-
-# Define the FQDN of your Nextcloud server
-KOPANO_FQDN="kopano.zmb.rocks"
-
-# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
-KOPANO_MAILGW="192.168.100.254"
-
-# Kopano test- or subscription-key offerd from
-# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
-KOPANO_REPKEY="1234567890abcdefghijklmno"
-
############### vaultwarden Section ###############
# Enable/disable signups (true/false)
diff --git a/install.sh b/install.sh
index 53f763b..e7bf904 100755
--- a/install.sh
+++ b/install.sh
@@ -20,11 +20,12 @@ prog="$(basename $0)"
usage() {
cat >&2 <<-EOF
- usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
+ usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] [-p]
installs a preconfigured lxc container on your proxmox server
-i CTID provide a container id instead of auto detection
-s SERVICE provide the service name and skip the selection dialog
-c CFGFILE use a different config file than 'zamba.conf'
+ -p preserve zamba.conf ans scripts inside container
-d Debug mode inside LXC container
-h displays this help text
---------------------------------------------------------------------------
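Review bot: The new `-p` help line in the `usage` heredoc reads "preserve zamba.conf ans scripts inside container"; "ans" should be "and", and since the cleanup loop added later in this patch also deletes constants.conf, constants-service.conf, functions.sh, install-service.sh and lxc-base.sh, the text could say what is kept: ` -p preserve zamba.conf and the install scripts inside the container (deleted by default)`. The `usage` heredoc continues past the end of this hunk.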
@@ -39,13 +40,15 @@ ctid=0
service=ask
config=$PWD/conf/zamba.conf
debug=0
+preserve_install_scripts=0
-while getopts "hi:s:c:d" opt; do
+while getopts "hi:s:c:dp" opt; do
case $opt in
h) usage 0 ;;
i) ctid=$OPTARG ;;
s) service=$OPTARG ;;
c) config=$OPTARG ;;
+ p) preserve_install_scripts=1 ;;
d) debug=1 ;;
*) usage 1 ;;
esac
@@ -154,6 +157,10 @@ pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged
set -u
sleep 2;
+if [[ $SERVICE_TAGS == *"docker"* ]]; then
+ echo "lxc.apparmor.profile: unconfined" >> /etc/pve/lxc/${LXC_NBR}.conf
+fi
+
# Check vlan configuration
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
# Reconfigure conatiner
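Review bot: Appending `lxc.apparmor.profile: unconfined` removes AppArmor confinement from the whole container, not only from Docker, and the hunk neither documents that trade-off nor guards against re-running the installer for the same CTID, which would append the line again. I would write it only when absent, `grep -q '^lxc.apparmor.profile:' /etc/pve/lxc/${LXC_NBR}.conf || echo "lxc.apparmor.profile: unconfined" >> /etc/pve/lxc/${LXC_NBR}.conf`, preceded by a comment such as `# Docker inside the CT needs mount/cgroup operations the default profile blocks; this disables AppArmor for the entire container, so keep such CTs isolated and try the nesting feature (LXC_NESTING) first`. The substring match on `$SERVICE_TAGS` also fires for any tag merely containing "docker"; matching the tag as a whole element would be more predictable.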
@@ -185,18 +192,17 @@ sleep 5;
pct exec $LXC_NBR -- mkdir -p /root/.ssh
pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
pct push $LXC_NBR "$config" /root/zamba.conf
+for f in "$PWD/src/functions.sh" "$PWD/src/constants.conf" "$PWD/src/lxc-base.sh" "$PWD/src/$service/install-service.sh" "$PWD/src/$service/constants-service.conf"; do
+ pct push $LXC_NBR $f /root/$(basename $f)
+done
+
+if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
+ pct push $LXC_NBR scripts/zmb-ad_auto-map-root.sh /root/zmb-ad_auto-map-root.sh
+ pct push $LXC_NBR scripts/create-service-account /usr/bin/create-service-account
+fi
+
pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
-pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
-pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
-pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
-pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
-pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
-
-if [[ $service == "zmb-ad-restore" ]]; then
- pct exec $LXC_NBR -- mkdir -p /backup/online
- pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
-fi
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
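Review bot: In the new push loop `$f` is expanded unquoted twice (`pct push $LXC_NBR $f /root/$(basename $f)`) although the list items were quoted precisely because `$PWD` may contain spaces; write `pct push $LXC_NBR "$f" "/root/${f##*/}"`. The two `zmb-ad` pushes use the relative paths `scripts/...` while every other source path is anchored at `$PWD`, so they only work when install.sh is started from the repository root; `"$PWD/scripts/zmb-ad_auto-map-root.sh"` and `"$PWD/scripts/create-service-account"` keep the convention. The file landing in `/usr/bin/create-service-account` gets whatever mode `pct push` assigns by default, so confirm it is executable inside the container (`pct push` accepts `--perms`).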
@@ -220,3 +226,9 @@ if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
sleep 5
pct exec $LXC_NBR /usr/local/bin/smb-backup 7
fi
+
+if [ $preserve_install_scripts -eq 0 ]; then
+ for f in constants.conf constants-service.conf functions.sh install-service.sh lxc-base.sh zamba.conf; do
+ pct exec $LXC_NBR -- bash -c "if [ -f /root/$f ] ; then rm -f /root/${f} ; fi"
+ done
+fi
\ No newline at end of file
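Review bot: The cleanup loop wraps each removal in `bash -c "if [ -f /root/$f ] ; then rm -f ... fi"`, but `rm -f` already ignores missing files, so `pct exec $LXC_NBR -- rm -f -- "/root/$f"` does the same without a nested shell and a string-built command. When `-p` is given, `/root/zamba.conf` stays in the container with every password it carries (ZMB_ADMIN_PASS and CMK_ADMIN_PW in the example config), so the preserve branch should at least tighten it: `else pct exec $LXC_NBR -- chmod 600 /root/zamba.conf`. The patch also leaves install.sh without a trailing newline.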
diff --git a/outaged_repos b/outaged_repos
new file mode 100644
index 0000000..53b44e4
--- /dev/null
+++ b/outaged_repos
@@ -0,0 +1,6 @@
+repos ohne debian trixie support
+- manticore (fixed via bashclub repo)
+- 45drives
+- mongodb
+- influxdb
+- zammad
\ No newline at end of file
diff --git a/check_zambaconfonpve_trmm.sh b/scripts/check_zambaconfonpve_trmm.sh
similarity index 100%
rename from check_zambaconfonpve_trmm.sh
rename to scripts/check_zambaconfonpve_trmm.sh
diff --git a/scripts/create-service-account b/scripts/create-service-account
index 573e350..78401a3 100644
--- a/scripts/create-service-account
+++ b/scripts/create-service-account
@@ -36,7 +36,7 @@ ldbmodify -H /var/lib/samba/private/sam.ldb <
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
-echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
-
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
-echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+inst_nginx
+inst_postgresql
apt update
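Review bot: The removed lines scoped each third-party repository to its own keyring with `signed-by=`, and the replacements `inst_nginx` / `inst_postgresql` are defined in functions.sh, which is not part of this diff, so whether that scoping survives cannot be checked here; please confirm the helpers keep `signed-by=` instead of adding keys to the global apt trust store. The file header names `scripts/create-service-account` while the hunk content (sourcing /root/functions.sh, nginx and PostgreSQL repositories) reads like a service installer, so the patch may have been assembled from mismatched files. With `set -euo pipefail` now in force, `source /root/zamba.conf` and `source /root/constants-service.conf` abort on any reference to an unset variable inside those files.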
diff --git a/src/apt/install-service.sh b/src/apt/install-service.sh
deleted file mode 100644
index 34bca19..0000000
--- a/src/apt/install-service.sh
+++ /dev/null
@@ -1,273 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel
-# (C) 2021 Script design and prototype by Markus Helmke
-# (C) 2021 Script rework and documentation by Thorsten Spille
-
-source /root/functions.sh
-source /root/zamba.conf
-source /root/constants-service.conf
-source /etc/os-release
-
-apt update
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
-
-# Create gpg key for apt repo signing
-gpg --batch --gen-key < /etc/aptly.conf
-{
- "rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
- "downloadConcurrency": 4,
- "downloadSpeedLimit": 0,
- "architectures": [
- "amd64",
- "armhf"
- ],
- "dependencyFollowSuggests": false,
- "dependencyFollowRecommends": false,
- "dependencyFollowAllVariants": false,
- "dependencyFollowSource": false,
- "dependencyVerboseResolve": true,
- "gpgDisableSign": false,
- "gpgDisableVerify": false,
- "gpgProvider": "gpg",
- "downloadSourcePackages": false,
- "skipLegacyPool": true,
- "ppaDistributorID": "$AM_COMPANY_NAME",
- "ppaCodename": ""
-}
-EOF
-
-cat << EOF > /usr/local/bin/update-apt-mirrors
-#!/bin/bash
-PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
-
-for m in $(aptly mirror list -raw); do
- aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
-done
-EOF
-
-chmod +x /usr/local/bin/update-apt-mirrors
-
-
-cat << EOF > /etc/nginx/conf.d/default.conf
-server {
- listen 80 default_server;
- listen [::]:80 default_server;
-
- # Force HTTPS connection. This rules is domain agnostic
- if (\$scheme != "https") {
- rewrite ^ https://\$host\$uri permanent;
- }
-
- # SSL configuration
- #
- listen 443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
-
- ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
- ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_dhparam /etc/nginx/dhparam.pem;
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
- ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
- ssl_session_timeout 10m;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off; # Requires nginx >= 1.5.9
- ssl_stapling on; # Requires nginx >= 1.3.7
- ssl_stapling_verify on; # Requires nginx => 1.3.7
- resolver 15.137.208.11 15.137.209.11 valid=300s;
- resolver_timeout 5s;
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- root /var/www/html;
- index index.html index.htm;
-
- server_name _;
-
- location /gpg {
- autoindex on;
- }
-
- location /graph {
- autoindex on;
- }
-
- location / {
- # First attempt to serve request as file, then
- # as directory, then fall back to displaying a 404.
- #try_files \$uri \$uri/ =404;
- proxy_set_header Host \$host;
- proxy_set_header X-Real-IP \$remote_addr;
- proxy_pass http://localhost:8080;
-
- }
-
- location /api {
- proxy_pass http://localhost:8000/api;
- }
-
- location /api/graph {
- return 403;
- }
-}
-EOF
-
-cat << EOF > /etc/systemd/system/aptly.service
-[Unit]
-Description=Aptly Repository service
-
-[Service]
-User=root
-ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
-KillSignal=SIGTERM
-KillMode=process
-TimeoutStopSec=15s
-
-[Install]
-WantedBy=multi-user.target
-
-EOF
-
-cat << EOF > /etc/systemd/system/aptly-api.service
-[Unit]
-Description=Aptly REST API service
-
-[Service]
-User=root
-ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
-KillSignal=SIGTERM
-KillMode=process
-TimeoutStopSec=15s
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat << EOF > /root/mirror-examples
-# import proxmox keyring
-wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
-
-# proxmox 8 no subscription mirror (about 11.5 GB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
-
-# import debian keyring
-cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
-
-# debian 12 main mirror (about 87 GB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
-
-# debian 12 contrib mirror (about 600 MB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
-
-# debian 12 non-free mirror (about7,2 GB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
-
-# debian 12 non-free-firmware mirror (38 Packages)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
-
-# debian 12 update main mirror (about 2,5 GB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
-
-# debian 12 update contrib mirror (currently empty)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
-
-# debian 12 updates non-free mirror (about 900 MB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
-
-# debian 12 updates non-free-firmware mirror (about 70 MB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
-
-# debian 12 security main mirror (about 5,5 GB)
-aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
-
-# debian 12 security contrib mirror (2 packages)
-aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
-
-# debian 12 security non-free mirror (currently empty)
-aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
-
-# debian 12 security non-free-firmware mirror (1 package)
-aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
-
-# debian 12 backports main mirror (about 14,5 GB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
-
-# debian 12 backports contrib mirror (about 100 MB)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
-
-# debian 12 backports non-free mirror (2 packages)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
-
-# debian 12 backports non-free-firmware mirror (currently empty)
-aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
-aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
-EOF
-
-cat << EOF > /usr/local/bin/update-apt-mirrors
-#!/bin/bash
-PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
-
-for m in \$(aptly mirror list -raw); do
- aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
-done
-EOF
-
-echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
-
-chmod +x /usr/local/bin/update-apt-mirrors
-
-chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
-
-chown -R www-data:www-data /var/www
-
-# Create required webserver folders
-sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
-
-# Export gpg key
-sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
-
-generate_dhparam
-
-systemctl daemon-reload
-systemctl enable --now aptly aptly-api
-systemctl restart nginx
-
-echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."
\ No newline at end of file
diff --git a/src/authentik/constants-service.conf b/src/authentik/constants-service.conf
index af4c4ca..8be41e4 100644
--- a/src/authentik/constants-service.conf
+++ b/src/authentik/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
diff --git a/src/authentik/install-service.sh b/src/authentik/install-service.sh
index 766f38d..922975c 100644
--- a/src/authentik/install-service.sh
+++ b/src/authentik/install-service.sh
@@ -5,19 +5,16 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
# Add Docker's official GPG key:
-install -m 0755 -d /etc/apt/keyrings
-curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-chmod a+r /etc/apt/keyrings/docker.gpg
+inst_docker
-# Add the repository to Apt sources:
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-apt-get update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq pwgen
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
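Review bot: `apt-get update` was removed together with the manual repository setup, so the remaining `apt-get install -y -qq pwgen` now depends on `inst_docker` refreshing the package lists; if that helper (defined in functions.sh, outside this diff) does not, the install fails on a fresh template. The same applies to the `inst_docker` hunk in src/docker/install-service.sh. As with the other helper swaps in this patch, the removed code pinned the Docker key with `signed-by=`; please confirm `inst_docker` keeps that scoping. With `pipefail` now on, `myip=$(ip a s dev eth0 | grep -m1 inet | ...)` aborts the script when eth0 has no address, which is probably desired but deserves a comment: `# pipefail: no address on eth0 aborts the install`.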
diff --git a/src/ecodms/constants-service.conf b/src/bashclub-cmk/constants-service.conf
similarity index 74%
rename from src/ecodms/constants-service.conf
rename to src/bashclub-cmk/constants-service.conf
index c7744af..e360c84 100644
--- a/src/ecodms/constants-service.conf
+++ b/src/bashclub-cmk/constants-service.conf
@@ -8,12 +8,13 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
# Create sharefs mountpoint
-LXC_MP=0
+LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="tank"
+LXC_SHAREFS_MOUNTPOINT="var/lib/cmk-push-agent"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
@@ -26,11 +27,13 @@ LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
-# set ecodms release version
-ECODMS_RELEASE=ecodms_230164
+# checkmk version
+CMK_VERSION=2.4.0p19
+# build number of the debian package (needs to start with underscore)
+CMK_BUILD=_0
# Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=6144
+LXC_MEM_MIN=2048
# service dependent meta tags
-SERVICE_TAGS="java,postgresql"
\ No newline at end of file
+SERVICE_TAGS="apache2"
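Review bot: `CMK_VERSION=2.4.0p19` here differs from the `2.4.0p18` this same patch sets in src/checkmk/constants-service.conf; if the two services are meant to track the same release, one of them is stale, otherwise a comment stating why they diverge would help the next bump. `LXC_SHAREFS_MOUNTPOINT="var/lib/cmk-push-agent"` follows the no-leading-slash convention used elsewhere (`/$LXC_SHAREFS_MOUNTPOINT`), but the "(default: tank)" wording in the comment above it no longer fits this service and should be adjusted.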
diff --git a/src/bashclub-cmk/install-service.sh b/src/bashclub-cmk/install-service.sh
new file mode 100644
index 0000000..cf2a1ef
--- /dev/null
+++ b/src/bashclub-cmk/install-service.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/testing $(lsb_release -cs) main" > /etc/apt/sources.list.d/bashclub.list
+apt update
+
+cd /tmp
+wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
+
+cat << EOF > /etc/apache2/sites-available/000-default.conf
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !=on
+ RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
+
+EOF
+
+cat << EOF > /etc/apache2/sites-available/default-ssl.conf
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
+ RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
+
+ ServerAdmin webmaster@localhost
+
+ DocumentRoot /var/www/html
+
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+ #SSLCACertificatePath /etc/ssl/certs/
+ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+ #SSLCARevocationPath /etc/apache2/ssl.crl/
+ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+
+EOF
+
+a2enmod ssl
+a2enmod rewrite
+a2ensite default-ssl
+
+systemctl restart apache2.service
+
+omd start $CMK_INSTANCE
+
+# install matrix notification plugin
+
+wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
+chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
+chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
+
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install cmk-push-server
+
+cmk-push-setup
\ No newline at end of file
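Review bot: The Checkmk package is downloaded with `wget` and handed straight to `apt install ./…deb` without any signature or checksum verification, and `matrix.py` is fetched from the unpinned `master` branch and made executable inside the site, so both steps run whatever the remote serves at that moment. Checkmk publishes a package signing key and documents `gpg --verify` on the .deb; import that key first, verify before `apt install`, and pin the notification plugin to a commit plus a checksum. `omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE` should quote both expansions (the example config sets a password with shell-special characters), and the password is visible in the process list for the duration of the call. As rendered here the two Apache heredocs contain no `<VirtualHost>`/`<Directory>` wrappers, which may be an extraction artifact; if the file really lacks them Apache will not load the site.
```bash
cd /tmp
deb="check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb"
wget -O "$deb" "https://download.checkmk.com/checkmk/$CMK_VERSION/$deb"
# the vendor package signing key must already be in root's keyring (import step left out)
gpg --verify "$deb"
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install "./$deb"
omd create --admin-password "$CMK_ADMIN_PW" "$CMK_INSTANCE"
# … unchanged: apache vhost heredocs, a2enmod/a2ensite, omd start …
plugin_dir="/opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications"
wget -O "$plugin_dir/matrix.py" "https://github.com/bashclub/check_mk_matrix_notifications/raw/<PINNED_COMMIT>/matrix.py"
printf '%s  %s\n' "<EXPECTED_SHA256>" "$plugin_dir/matrix.py" | sha256sum -c
chmod +x "$plugin_dir/matrix.py"
chown "$CMK_INSTANCE" "$plugin_dir/matrix.py"
```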
diff --git a/src/bookstack/constants-service.conf b/src/bookstack/constants-service.conf
index c4548eb..50fd76b 100644
--- a/src/bookstack/constants-service.conf
+++ b/src/bookstack/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh
index fa5acd1..7d12c05 100644
--- a/src/bookstack/install-service.sh
+++ b/src/bookstack/install-service.sh
@@ -7,6 +7,8 @@ set -euo pipefail
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
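Review bot: The hunk header shows `set -euo pipefail` already present above line 7 of this file, so the added `set -euo pipefail` is a duplicate; keep the option once (drop either the new lines or the existing ones). It is harmless at runtime, but it suggests the blanket insertion applied to the other installers was not checked against files that already had it.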
@@ -14,9 +16,11 @@ source /root/constants-service.conf
BOOKSTACK_DB_PWD=$(random_password)
webroot=/var/www/bookstack/public
+inst_php cli,fpm,mysql,fpm,xml,mbstring,gd,tokenizer,curl,ldap,tidy,zip 8.5
+
apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client redis-server
curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
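Review bot: The `inst_php` module list repeats `fpm`, and `php-dompdf` from the removed apt line has no counterpart in it, so either it is now provided another way or PDF export loses a dependency — worth confirming. The PHP version `8.5` is hard-coded here while the freescout service in the same patch introduces `FS_PHP_VERSION` for exactly this purpose; a matching constant in constants-service.conf would keep the two consistent. The unchanged `grep 'bookworm_amd64.deb$'` on the wkhtmltopdf download still selects the Debian 12 build although this patch moves the template to `debian-13-standard`; if no trixie build exists that may be intentional, but say so in a comment.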
diff --git a/src/checkmk/constants-service.conf b/src/checkmk/constants-service.conf
index 4bd1582..9715ad6 100644
--- a/src/checkmk/constants-service.conf
+++ b/src/checkmk/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
@@ -28,7 +28,7 @@ LXC_NESTING="1"
LXC_KEYCTL="0"
# checkmk version
-CMK_VERSION=2.3.0p6
+CMK_VERSION=2.4.0p18
# build number of the debian package (needs to start with underscore)
CMK_BUILD=_0
diff --git a/src/checkmk/install-service.sh b/src/checkmk/install-service.sh
index d619409..499934e 100644
--- a/src/checkmk/install-service.sh
+++ b/src/checkmk/install-service.sh
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
diff --git a/src/cloudpanel/constants-service.conf b/src/cloudpanel/constants-service.conf
index d207969..8476909 100644
--- a/src/cloudpanel/constants-service.conf
+++ b/src/cloudpanel/constants-service.conf
@@ -6,7 +6,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
diff --git a/src/cloudpanel/install-service.sh b/src/cloudpanel/install-service.sh
index 9bce99b..bf70f62 100644
--- a/src/cloudpanel/install-service.sh
+++ b/src/cloudpanel/install-service.sh
@@ -10,5 +10,4 @@ source zamba.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
-echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
-DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh
+DB_ENGINE=MARIADB_11.8 SWAP=false bash install.sh
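Review bot: Removing the `sha256sum -c` line leaves `bash install.sh` executing an installer fetched from the network as root with no integrity check at all, and the commit provides no replacement (a signature or a re-pinned hash); a changed upstream hash should be updated, not deleted. Restore the check with the current value, `echo "<EXPECTED_SHA256>  install.sh" | sha256sum -c` (placeholder; take it from the vendor's published checksum), so a tampered or truncated download cannot run. If the upstream installer now changes too often to pin, state that in a comment and at least use `curl -fsS` so an HTTP error page is not saved as install.sh and executed.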
diff --git a/src/constants.conf b/src/constants.conf
index 2bd09ff..c6a7542 100644
--- a/src/constants.conf
+++ b/src/constants.conf
@@ -8,4 +8,4 @@
# This file contains the project constants on container level
# Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux"
+LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gpg gnupg2 apt-transport-https wget ssl-cert tmux jq"
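Review bot: `software-properties-common` is dropped from `LXC_TOOLSET_BASE`, so any service script that still calls `add-apt-repository` (provided by that package) will fail inside new containers; none of the installers in this diff use it, but those the patch does not touch cannot be checked here. Adding `gpg` beside `gnupg2` is presumably redundant on Debian but harmless; `jq` is new and should be mentioned in the README if scripts begin to rely on it.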
diff --git a/src/debian-priv/constants-service.conf b/src/debian-priv/constants-service.conf
index 48ffd59..1a01f9e 100644
--- a/src/debian-priv/constants-service.conf
+++ b/src/debian-priv/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/debian-unpriv/constants-service.conf b/src/debian-unpriv/constants-service.conf
index a7e36f5..eab9506 100644
--- a/src/debian-unpriv/constants-service.conf
+++ b/src/debian-unpriv/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/docker/constants-service.conf b/src/docker/constants-service.conf
index 01b28ca..00f9f4c 100644
--- a/src/docker/constants-service.conf
+++ b/src/docker/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
diff --git a/src/docker/install-service.sh b/src/docker/install-service.sh
index c242173..1856481 100644
--- a/src/docker/install-service.sh
+++ b/src/docker/install-service.sh
@@ -5,19 +5,13 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-# Add Docker's official GPG key:
-install -m 0755 -d /etc/apt/keyrings
-curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-chmod a+r /etc/apt/keyrings/docker.gpg
-
-# Add the repository to Apt sources:
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-apt-get update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+inst_docker
SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
@@ -26,8 +20,6 @@ install_portainer_full() {
mkdir -p /opt/portainer/data
cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml
-version: "3.4"
-
services:
portainer:
restart: always
@@ -52,8 +44,6 @@ install_portainer_agent() {
mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml
-version: "3.4"
-
services:
portainer:
restart: always
diff --git a/src/ecodms/install-service.sh b/src/ecodms/install-service.sh
deleted file mode 100644
index 9eaf184..0000000
--- a/src/ecodms/install-service.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel
-# (C) 2021 Script design and prototype by Markus Helmke
-# (C) 2021 Script rework and documentation by Thorsten Spille
-
-source /root/functions.sh
-source /root/zamba.conf
-source /root/constants-service.conf
-
-echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
-echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
-
-echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
-wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver
\ No newline at end of file
diff --git a/src/freescout/constants-service.conf b/src/freescout/constants-service.conf
index c4548eb..8ad4e55 100644
--- a/src/freescout/constants-service.conf
+++ b/src/freescout/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -29,5 +29,7 @@ LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
+FS_PHP_VERSION=8.4
+
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"
\ No newline at end of file
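Review bot: `FS_PHP_VERSION=8.4` is added without the explanatory comment the sibling constants files carry for the same setting (kimai and nextcloud both use `# Defines the php version to install`), although install-service.sh uses it for the package suffix, the php.ini path and the php-fpm socket path. Add the same one-line comment above it so the coupling is visible, and mention that the packages come from the sury repository via `inst_php`, since a bare version number does not say where it is sourced from.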
diff --git a/src/freescout/install-service.sh b/src/freescout/install-service.sh
index cfe3b11..bc1f037 100644
--- a/src/freescout/install-service.sh
+++ b/src/freescout/install-service.sh
@@ -18,10 +18,12 @@ MYSQL_PASSWORD="$(random_password)"
apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git
+inst_php cli,zip,curl,intl,fpm,mysql,imap,xml,mbstring,gd $FS_PHP_VERSION
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client ssl-cert git
-echo ‘cgi.fix_pathinfo=0’ >> /etc/php/8.2/fpm/php.ini
+echo ‘cgi.fix_pathinfo=0’ >> /etc/php/$FS_PHP_VERSION/fpm/php.ini
cat << EOF > /etc/nginx/sites-available/default
server {
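Review bot: The quotes on the new line `echo ‘cgi.fix_pathinfo=0’ >> /etc/php/$FS_PHP_VERSION/fpm/php.ini` are the typographic characters U+2018/U+2019, not shell single quotes, so the literal text `‘cgi.fix_pathinfo=0’` is appended to php.ini and, as far as I can tell, PHP will not recognise it as the directive. The hardening this line is meant to apply (not letting php-fpm guess a script from PATH_INFO, which is relevant because the nginx block below uses `fastcgi_split_path_info`) is therefore silently skipped; the removed line had the same defect, but the rewrite keeps it. Replace it with an in-place edit that works whether the key is present or commented out: `sed -i 's/^;\?cgi\.fix_pathinfo=.*/cgi.fix_pathinfo=0/' "/etc/php/${FS_PHP_VERSION}/fpm/php.ini"`. The script starts before this hunk, so I cannot see whether it runs under `set -e`.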
@@ -52,7 +54,7 @@ server {
location ~ .php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+ fastcgi_pass unix:/var/run/php/php${FS_PHP_VERSION}-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
include fastcgi_params;
@@ -104,10 +106,10 @@ GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD'
CREATE DATABASE IF NOT EXISTS freescout;
GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
-curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
+curl -s https://api.github.com/repos/freescout-help-desk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
cd $webroot
tar -vxf freescout.tar.gz
-dir=$(ls -d freescout-helpdesk-freescout*)
+dir=$(ls -d freescout-help-desk-freescout*)
mv -v $dir freescout
chown -R www-data:www-data /var/www/html
find /var/www/html -type f -exec chmod 664 {} \;
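Review bot: The changed download line fetches whatever `tarball_url` the GitHub API reports right now and extracts it as root into the webroot without pinning a version or verifying the archive, so the code that ends up installed is decided at install time by whoever controls that repository or the network path; the org rename is a good moment to tighten this. At minimum use `curl -fsSL` so an API error (a rate-limited 403 returns a JSON body with no `tarball_url`) aborts instead of feeding an empty URL list to `wget -i -`, and capture `tag_name` alongside the URL so the installed version is recorded somewhere. If the project publishes checksums or signatures for its releases, verify them before `tar -xf`; I cannot tell from here whether it does.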
@@ -125,8 +127,8 @@ cat << EOF > /etc/cron.d/freescout
* * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
EOF
-systemctl enable --now php8.2-fpm
-systemctl restart php8.2-fpm nginx
+systemctl enable --now php${FS_PHP_VERSION}-fpm
+systemctl restart php${FS_PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
diff --git a/src/functions.sh b/src/functions.sh
index dd0c346..20aee4b 100644
--- a/src/functions.sh
+++ b/src/functions.sh
@@ -22,31 +22,114 @@ EOF
apt_repo() {
apt_name=$1
apt_key_url=$2
- apt_key_path=/usr/share/keyrings/${apt_name}.gpg
+ apt_key_path=/usr/share/keyrings/${apt_name}-archive-keyring.gpg
apt_repo_url=$3
+ apt_suites=$4
+ apt_components=$5
+ tmp_key_file=$(mktemp)
+ if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
+ echo "❌ Fehler beim Herunterladen des Schlüssels."
+ rm -f "${tmp_key_file}"
+ exit 1
+ fi
+ if file "${tmp_key_file}" | grep -q "ASCII"; then
+ echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
+ # Wenn es ASCII ist, konvertiere es mit --dearmor
+ if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
+ chmod 644 ${apt_key_path}
+ echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
+ else
+ echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
+ rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
+ exit 1
+ fi
+ else
+ echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
+ # Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
+ if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
+ echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
+ chmod 644 ${apt_key_path}
+ else
+ echo "❌ Fehler beim Kopieren des binären Schlüssels."
+ rm -f "${tmp_key_file}"
+ exit 1
+ fi
+ fi
- wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
- echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
+ if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
+ cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
+Types: deb
+URIs: $apt_repo_url
+Suites: $apt_suites
+Components: $apt_components
+Enabled: yes
+Signed-By: $apt_key_path
+EOF
+ else
+ echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
+ fi
}
+
#### Set repo and install Nginx ####
inst_nginx() {
- apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
+ apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
}
+
#### Set repo and install PHP ####
inst_php() {
- curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
- echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
- apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
+ PHP_MODULES=${1}
+ PHP_VERSION=${2:-8.4}
+ IFS=',' read -ra MODULE_ARRAY <<< "$PHP_MODULES"
+ PKGS=()
+ for PHP_MODULE in "${MODULE_ARRAY[@]}"; do
+ PKGS+=( "php${PHP_VERSION}-${PHP_MODULE}" )
+ done
+ apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
+ apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common "${PKGS[@]}"
}
+
#### Set repo and install Postgresql ####
+# First paramater is postgres version, default ist curren version postgres 18
inst_postgresql() {
- apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
- apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
+ POSTGRES_VERSION=${1:-18}
+
+ apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
+ apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-${POSTGRES_VERSION}
}
+
#### Set repo and install Crowdsec ####
inst_crowdsec() {
- apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
+ apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
}
+
+#### Set repo and install 45drives (cockpit) ####
+inst_45drives() {
+ apt_repo "45drives" "https://repo.45drives.com/key/gpg.asc" "https://repo.45drives.com/enterprise/debian" "bookworm" "main"
+ apt update
+}
+
+#### Set repo and install Docker ####
+inst_docker() {
+ apt_repo "docker" "https://download.docker.com/linux/debian/gpg" "https://download.docker.com/linux/debian" "$(lsb_release -cs)" stable
+ apt update
+ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
+}
+#### Set repo and install MongoDB ####
+inst_mongodb() {
+ MONGODB_VERSION=${1:-8.0}
+
+ apt_repo "mongodb" "https://www.mongodb.org/static/pgp/server-$MONGODB_VERSION.asc" "http://repo.mongodb.org/apt/debian" "bookworm/mongodb-org/$MONGODB_VERSION" "main"
+ apt update
+ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq mongodb-org
+}
+
+#### Set repo and install MongoDB ####
+inst_bashclub() {
+ BASHCLUB_COMPONENT=${1:-release}
+
+ apt_repo "bashclub-$BASHCLUB_COMPONENT" "https://apt.bashclub.org/gpg/bashclub.pub" "https://apt.bashclub.org/$BASHCLUB_COMPONENT" "$(lsb_release -cs)" "main"
+ apt update
+}
\ No newline at end of file
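Review bot: `apt_repo` installs whatever curl fetched as an apt trust anchor without ever checking that it is an OpenPGP public key: in the "binary" branch the temp file is moved straight to `${apt_key_path}` and referenced from `Signed-By`, so any non-armored response that passes `-f` (a redirect target, a truncated body) silently becomes the keyring. The format sniff also looks fragile: `file` usually describes an armored key as "PGP public key block" rather than as ASCII text, so I expect the dearmor branch to be skipped for the armored URLs in this hunk (postgresql, docker, 45drives, mongodb), and I would not rely on apt accepting armored data under a `.gpg` name; testing for the armor header line is more reliable. The ASCII success path never removes the temp file, and the `sudo` calls are unnecessary in a script that already runs as root and may not even be present in the container (freescout and kimai install the `sudo` package explicitly). `inst_45drives` and `inst_mongodb` pin the suite to `bookworm` while the service constants in this commit move to debian-13; if those vendors publish no trixie suite yet, a comment saying so would stop the next reader from "fixing" it. Sketch of the key-handling part:

```shell
  # … unchanged: argument assignment …
  tmp_key_file=$(mktemp)
  if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
    echo "❌ Fehler beim Herunterladen des Schlüssels."
    rm -f "${tmp_key_file}"
    exit 1
  fi
  # Detect ASCII armor by its header instead of by file(1)'s description.
  if grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "${tmp_key_file}"; then
    gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"
  else
    cp "${tmp_key_file}" "${apt_key_path}"
  fi
  rm -f "${tmp_key_file}"
  chmod 644 "${apt_key_path}"
  # Refuse to trust a file that gpg cannot read as a public key.
  if ! gpg --show-keys "${apt_key_path}" >/dev/null 2>&1; then
    echo "❌ ${apt_key_url} ist kein gültiger OpenPGP-Schlüssel."
    rm -f "${apt_key_path}"
    exit 1
  fi
  # … unchanged: .sources / .list generation …
```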
diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf
index 43c49cd..c534d11 100644
--- a/src/gitea/constants-service.conf
+++ b/src/gitea/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh
index bbda4c0..68fa218 100644
--- a/src/gitea/install-service.sh
+++ b/src/gitea/install-service.sh
@@ -5,19 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
-echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+inst_nginx
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
-echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+inst_postgresql
apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq git ssl-cert unzip zip
systemctl enable --now postgresql
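Review bot: `inst_postgresql` is called without a version, so with the default this commit adds to functions.sh it installs `postgresql-18` from the PGDG repository, whereas the removed lines installed Debian's own `postgresql` package; that major-version change is invisible at this call site. Pass the version explicitly (`inst_postgresql 17`, or a `POSTGRES_VERSION` constant in constants-service.conf as nextcloud's constants file declares) so the choice is recorded and the container is not silently moved to a newer major the next time the default changes. The `set -euo pipefail` added above the `source` lines also governs the sourced conf files, so any unset variable they reference will now abort the install; worth a quick check.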
diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf
index 944f7c9..ee6c969 100644
--- a/src/icinga2/constants-service.conf
+++ b/src/icinga2/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -34,4 +34,4 @@ SERVICE_TAGS="php-fpm,nginx,mariadb"
CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
-PHP_VERSION=8.2
\ No newline at end of file
+PHP_VERSION=8.4
\ No newline at end of file
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index 45a7228..869355b 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -1,4 +1,6 @@
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -16,8 +18,8 @@ echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://pac
curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list
-curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
-echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list
+curl -fsSL https://repos.influxdata.com/influxdata-archive.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian bookworm stable" > /etc/apt/sources.list.d/influxdata.list
apt update
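Review bot: The new influxdata line hard-codes the `bookworm` suite while this commit moves the container template to debian-13, and the icinga and netways repositories a few lines up still derive the suite from `lsb_release -cs`; installing bookworm builds on trixie works only as long as their dependencies happen to resolve. If this is deliberate because no trixie suite is published yet, say so on the line: `# influxdata publishes no trixie suite yet; bookworm packages are used on purpose`. The keyring is also still written to `influxdata-archive_compat-keyring.gpg` although the key URL is no longer the compat key, which is harmless but misleading; naming it `influxdata-archive-keyring.gpg` on both lines keeps name and content aligned.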
@@ -345,7 +347,8 @@ database:
password: ${NOTIFICATIONS_DB_PASS}
EOF
-cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
+mkdir -p /etc/icingaweb2/modules/notifications/
+cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
[database]
resource = "notifications"
EOF
@@ -466,7 +469,7 @@ EOF
icinga2 feature enable icingadb api influxdb2-writer perfdata
-icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
+#icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
icingacli module enable reactbundle
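Review bot: The `icingacli x509 import` call is commented out with no indication of why, so a reader cannot tell whether it failed on debian-13, is no longer needed, or was dropped by accident. Either remove the line or put a one-line reason next to it, e.g. `# x509 import disabled: <reason>; re-enable once <condition>`, so the disabled step does not linger indefinitely. The enclosing script continues beyond this hunk.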
diff --git a/src/kimai/constants-service.conf b/src/kimai/constants-service.conf
index a940f2e..27df3c5 100644
--- a/src/kimai/constants-service.conf
+++ b/src/kimai/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
#KIMAI_VERSION="main"
# Defines the php version to install
-KIMAI_PHP_VERSION="8.2"
+KIMAI_PHP_VERSION="8.4"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
diff --git a/src/kimai/install-service.sh b/src/kimai/install-service.sh
index ee941f7..19d4b2e 100644
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@@ -14,12 +14,11 @@ source /root/constants-service.conf
KIMAI_DB_PWD=$(random_password)
webroot=/var/www/kimai/public
-#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
-#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
-
apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
+inst_php intl,cli,fpm,mysql,xml,mbstring,gd,tokenizer,zip,opcache,curl $KIMAI_PHP_VERSION
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
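Review bot: The `apt update` kept at the top of this hunk now runs before `inst_php` adds the sury repository (and `inst_php` runs its own `apt update` afterwards), so it is redundant rather than wrong; moving it below the `inst_php` call, or dropping it, keeps the sequence readable. The kept `apt install` line still pulls in `sudo`, which nothing visible here uses; if it was only needed for the old `apt-key` lines this hunk removes, it can go too. I cannot see the top of this script, so if it does not already run under `set -euo pipefail` like the gitea, icinga, mailcow and matrix scripts in this commit, it should for consistency.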
diff --git a/src/kopano-core/constants-service.conf b/src/kopano-core/constants-service.conf
deleted file mode 100644
index 0dae961..0000000
--- a/src/kopano-core/constants-service.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel
-# (C) 2021 Script design and prototype by Markus Helmke
-# (C) 2021 Script rework and documentation by Thorsten Spille
-
-# This file contains the project constants on service level
-
-# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
-
-# Create sharefs mountpoint
-LXC_MP=0
-# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="tank"
-# Defines the recordsize of mp0
-LXC_MP_RECORDSIZE="16K"
-
-# Create unprivileged container
-LXC_UNPRIVILEGED="1"
-
-# enable nesting feature
-LXC_NESTING="1"
-
-# enable keyctl feature
-LXC_KEYCTL="0"
-
-# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
-KOPANO_VERSION="latest"
-
-# Defines the php version to install
-KOPANO_PHP_VERSION="7.4"
-
-# Defines Maria DB Version
-MARIA_DB_VERS="10.5"
-
-# Defines the name from the SQL database
-MARIA_DB_NAME="kopano"
-
-# Defines the name from the SQL user
-MARIA_DB_USER="kopano"
-
-# Build a strong password for the SQL user - could be overwritten with something fixed
-
-MARIA_ROOT_PWD=$(random_password)
-MARIA_USER_PWD=$(random_password)
-
-# Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=4096
-
-# service dependent meta tags
-SERVICE_TAGS="php-fpm,nginx,mariadb"
\ No newline at end of file
diff --git a/src/kopano-core/install-service.sh b/src/kopano-core/install-service.sh
deleted file mode 100644
index fa73226..0000000
--- a/src/kopano-core/install-service.sh
+++ /dev/null
@@ -1,276 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel
-# (C) 2021 Script design and prototype by Markus Helmke
-# (C) 2021 Script rework and documentation by Thorsten Spille
-
-source /root/functions.sh
-source /root/zamba.conf
-source /root/constants-service.conf
-
-HOSTNAME=$(hostname -f)
-
-#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
-#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
-
-wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
-echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
-
-wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
-echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
-
-apt update
-
-#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
-#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
-php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
-
-#timedatectl set-timezone Europe/Berlin
-#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
-#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
-
-#### Secure Maria Instance ####
-
-mysqladmin -u root password "[$MARIA_ROOT_PWD]"
-
-mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
-mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
-#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
-mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
-
-#### Create user and DB for Kopano ####
-
-mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
-mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
-mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
-
-echo "root-password: $MARIA_ROOT_PWD,\
-db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
-
-cat > /etc/apt/sources.list.d/kopano.list << EOF
-
-# Kopano Core
-deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
-
-# Kopano WebApp
-deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
-
-# Kopano MobileDeviceManagement
-deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
-
-# Kopano Files
-deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
-
-# Z-Push
-deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
-
-EOF
-
-cat > /etc/apt/auth.conf.d/kopano.conf << EOF
-
-machine download.kopano.io
-login serial
-password $KOPANO_REPKEY
-
-EOF
-
-curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
-curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
-curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
-curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
-curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
-
-apt update && apt full-upgrade -y
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
-z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files
-
-#### Adjust kopano settings ####
-
-cat > /etc/kopano/ldap.cfg << EOF
-
-!include /usr/share/kopano/ldap.active-directory.cfg
-
-ldap_uri = ldap://192.168.100.100:389
-ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
-ldap_bind_passwd = Start123!
-ldap_search_base = dc=zmb,dc=rocks
-
-#ldap_user_search_filter = (kopanoAccount=1)
-
-EOF
-
-cat > /etc/kopano/server.cfg << EOF
-
-server_listen = *:236
-local_admin_users = root kopano
-
-#database_engine = mysql
-#mysql_host = localhost
-#mysql_port = 3306
-mysql_user = $MARIA_DB_USER
-mysql_password = $MARIA_USER_PWD
-mysql_database = $MARIA_DB_NAME
-
-#user_plugin = ldap
-#user_plugin_config = /etc/kopano/ldap.cfg
-
-EOF
-
-#### Adjust php settings ####
-
-sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
-
-cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
-
-[webapp]
-listen = 127.0.0.1:9002
-user = www-data
-group = www-data
-listen.allowed_clients = 127.0.0.1
-pm = dynamic
-pm.max_children = 150
-pm.start_servers = 35
-pm.min_spare_servers = 20
-pm.max_spare_servers = 50
-pm.max_requests = 200
-listen.backlog = -1
-request_terminate_timeout = 120s
-rlimit_files = 131072
-rlimit_core = unlimited
-catch_workers_output = yes
-
-EOF
-
-sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
-
-#### Adjust nginx settings ####
-
-openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
-generate_dhparam
-
-#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
-
-cat > /etc/nginx/sites-available/webapp.conf << EOF
-upstream php-handler {
- #server 127.0.0.1:9002;
- #server unix:/var/run/php5-fpm.sock;
- server unix:/var/run/php/php7.4-fpm.sock;
-}
-
-server{
- listen 80;
- charset utf-8;
- listen [::]:80;
- server_name _;
-
- location / {
- rewrite ^(.*) https://\$server_name\$1 permanent;
- }
- }
-
-server {
- charset utf-8;
- listen 443;
- listen [::]:443 ssl;
- server_name _;
- ssl on;
- client_max_body_size 1024m;
- ssl_certificate /etc/ssl/certs/kopano.crt;
- ssl_certificate_key /etc/ssl/private/kopano.key;
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
- ssl_prefer_server_ciphers on;
- #
- # ssl_dhparam require you to create a dhparam.pem, this takes a long time
- ssl_dhparam /etc/nginx/dhparam.pem;
- #
-
- # add headers
- server_tokens off;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location /webapp {
- alias /usr/share/kopano-webapp/;
- index index.php;
-
- location ~ /webapp/presence/ {
- rewrite ^/webapp/presence(/.*)$ \$1 break;
- proxy_pass http://localhost:1234;
- proxy_set_header Upgrade \$http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
- }
-
- }
-
- location ~* ^/webapp/(.+\.php)$ {
- alias /usr/share/kopano-webapp/;
-
- # deny access to .htaccess files
- location ~ /\.ht {
- deny all;
- }
-
- fastcgi_param PHP_VALUE "
- register_globals=off
- magic_quotes_gpc=off
- magic_quotes_runtime=off
- post_max_size=31M
- upload_max_filesize=30M
- ";
- fastcgi_param PHP_VALUE "post_max_size=31M
- upload_max_filesize=30M
- max_execution_time=3660
- ";
-
- include fastcgi_params;
- fastcgi_index index.php;
- #fastcgi_param HTTPS on;
- fastcgi_param SCRIPT_FILENAME \$document_root\$1;
- fastcgi_pass php-handler;
- access_log /var/log/nginx/kopano-webapp-access.log;
- error_log /var/log/nginx/kopano-webapp-error.log;
-
- # CSS and Javascript
- location ~* \.(?:css|js)$ {
- expires 1y;
- access_log off;
- add_header Cache-Control "public";
- }
-
- # All (static) resources set to 2 months expiration time.
- location ~* \.(?:jpg|gif|png)\$ {
- expires 2M;
- access_log off;
- add_header Cache-Control "public";
- }
-
- # enable gzip compression
- gzip on;
- gzip_min_length 1100;
- gzip_buffers 4 32k;
- gzip_types text/plain application/x-javascript text/xml text/css application/json;
- gzip_vary on;
- }
-
-}
-
-map \$http_upgrade \$connection_upgrade {
- default upgrade;
- '' close;
-}
-EOF
-
-
-
-ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
-
-phpenmod kopano
-systemctl restart php7.4-fpm nginx
diff --git a/src/lxc-base.sh b/src/lxc-base.sh
index 006f48d..524bc25 100644
--- a/src/lxc-base.sh
+++ b/src/lxc-base.sh
@@ -24,29 +24,7 @@ EOF
locale-gen $LXC_LOCALE
# Generate sources
-if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ buster main contrib
-
-deb http://deb.debian.org/debian/ buster-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security buster/updates main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ bullseye main contrib
-
-deb http://deb.debian.org/debian/ bullseye-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security bullseye-security main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
+if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main contrib
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib
EOF
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
+
+if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
+cat << EOF > /etc/apt/sources.list.d/debian.sources
+Types: deb deb-src
+URIs: https://deb.debian.org/debian
+Suites: trixie trixie-updates
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security
+Suites: trixie-security
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+EOF
else echo "LXC Debian Version false. Please check configuration files!" ; exit
fi
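Review bot: The new debian-13 sources enable `contrib non-free non-free-firmware` plus `deb-src` on both the main and the security archive, while the debian-12 branch just above stays at `main contrib` with binary packages only, so every trixie container can now pull non-free packages without any comment saying that is intended. Unless a service script needs something from non-free, keep `Components: main contrib` and drop the `deb-src` type (it only adds index downloads on every `apt update`) so both branches behave alike, or document why trixie differs. In passing, the unchanged `else` branch exits with status 0 on an unknown template name, so a typo in LXC_TEMPLATE_VERSION will not stop the caller; `exit 1` there would be safer, though that is pre-existing.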
diff --git a/src/mailcow/constants-service.conf b/src/mailcow/constants-service.conf
index 2097c74..5fefb28 100644
--- a/src/mailcow/constants-service.conf
+++ b/src/mailcow/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
diff --git a/src/mailcow/install-service.sh b/src/mailcow/install-service.sh
index 93a3aa2..fdc06ae 100644
--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -78,9 +80,9 @@ cat << EOF > /etc/docker/daemon.json
{
"default-ulimits": {
"nproc": {
- "name": "nproc",
- "soft": -1,
- "hard": -1
+ "Name": "nproc",
+ "Soft": 4096,
+ "Hard": 4096
}
}
}
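Review bot: The nproc ulimit on the changed lines goes from unlimited (`-1`) to a hard cap of 4096 with no comment recording why that number was chosen or what it is meant to prevent, and the key capitalisation change (`Name`/`Soft`/`Hard`) suggests the previous keys were not being honoured, so this is probably the first time the limit actually takes effect. As far as I recall, nproc under Docker is counted per UID across all containers rather than per container, so a cap that is comfortable for one service can be reached by the sum of mailcow's containers; please note the rationale inline, e.g. `# nproc is per-UID across containers; 4096 keeps a runaway container from exhausting the host`, or leave it unlimited with a comment. I cannot see mailcow's own recommendation from here, so treat the value as something to confirm.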
@@ -264,7 +266,7 @@ USE_WATCHDOG=y
#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# JSON body included in the webhook POST request. Needs to be in single quotes.
# Following variables are available: SUBJECT, BODY
-#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
+#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**\${SUBJECT}**\n\${BODY}"}'
# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n
diff --git a/src/matrix/constants-service.conf b/src/matrix/constants-service.conf
index 57f799e..7cad95f 100644
--- a/src/matrix/constants-service.conf
+++ b/src/matrix/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh
index f0532c3..eb929d5 100644
--- a/src/matrix/install-service.sh
+++ b/src/matrix/install-service.sh
@@ -5,10 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
+#### Set repo and install matrix ####
+inst_matrix() {
+ apt_repo "matrix" "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" "https://packages.matrix.org/debian" "$(lsb_release -cs)" "main"
+ apt update
+ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq matrix-synapse-py3 && systemctl enable matrix-synapse
+}
+
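Review bot: `inst_matrix` is defined inside the service script while every other `inst_*` helper this commit adds (docker, mongodb, postgresql, 45drives, bashclub) lives in functions.sh, and it sits between the `source` lines and the first statements, where a reader expects configuration rather than function definitions. Move it to functions.sh next to the others with the same `#### Set repo and install ... ####` header style, so the service script stays a linear sequence of steps. The matrix key URL is already a binary keyring, so with apt_repo's current format sniff it is copied as-is, which is correct for this one.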
MRX_PKE=$(random_password)
ELE_DBNAME="synapse_db"
@@ -17,15 +26,10 @@ ELE_DBPASS=$(random_password)
ELE_PATH=/var/www/element-web
WEBROOT=/var/www
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx python3-psycopg2
-wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
-echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
-systemctl enable matrix-synapse
-
-ss -tulpen
+inst_postgresql
+inst_matrix
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
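Review bot: `inst_postgresql` runs here with no argument, so the functions.sh default in this commit installs PostgreSQL 18 from PGDG where the removed line installed Debian's `postgresql` package, and nothing at this call site records that choice; pass the version explicitly (`inst_postgresql "$POSTGRES_VERSION"` with the constant declared in constants-service.conf) so a future default change cannot silently move the database major version under Synapse. Synapse's supported PostgreSQL range is not visible here, so the chosen version should be checked against it. Dropping the `ss -tulpen` debugging output is fine.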
@@ -47,9 +51,9 @@ server {
server {
listen 443 ssl;
listen [::]:443 ssl;
+ http2 on;
server_name $MATRIX_FQDN;
- ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -62,9 +66,9 @@ server {
server {
listen 8448 ssl;
listen [::]:8448 ssl;
+ http2 on;
server_name $MATRIX_FQDN;
- ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -97,9 +101,9 @@ server {
server {
listen 443 ssl;
listen [::]:443 ssl;
+ http2 on;
server_name $MATRIX_ELEMENT_FQDN;
- ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -154,6 +158,6 @@ systemctl restart matrix-synapse
rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
-register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
-echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
\ No newline at end of file
+echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
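Review bot: `-p "$MATRIX_ADMIN_PASSWORD"` still hands the admin password to `register_new_matrix_user` as a command-line argument, where it is visible in the process list and in any `set -x` trace for the duration of the call; if the installed Synapse's `register_new_matrix_user` supports `--password-file`, write the secret to a `mktemp` file with mode 0600 and pass that instead, otherwise document the exposure window in a comment. The user name on the same line should be quoted like the password now is: `-u "$MATRIX_ADMIN_USER"`. The final `echo -e` also prints the password to stdout, so it ends up in whatever captures the installer's output; that is pre-existing behaviour, but worth a comment so operators know to treat the install log as sensitive.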
diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf
index e4665e2..8c7c995 100644
--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
@@ -30,10 +30,10 @@ LXC_KEYCTL="0"
NEXTCLOUD_VERSION="latest"
# Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.3"
+NEXTCLOUD_PHP_VERSION="8.4"
# Defines the postgresql version to install
-POSTGRES_VERSION=16
+POSTGRES_VERSION=17
# Defines the IP from the SQL server
NEXTCLOUD_DB_IP="127.0.0.1"
diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh
index 8e50e50..b97fd77 100644
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@@ -248,7 +248,7 @@ cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/f
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
-cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
+cp /etc/ImageMagick-7/policy.xml /etc/ImageMagick-7/policy.xml.bak
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
@@ -298,10 +298,10 @@ sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-
sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
-sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-7/policy.xml
+sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-7/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-7/policy.xml
+sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-7/policy.xml
sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
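Review bot: The four `sed -i` edits re-enable the PS, EPS, PDF and XPS coders in ImageMagick's policy.xml; Debian ships them as `rights="none"` because those coders pass user-supplied files to Ghostscript, so the loosening deserves a comment stating why Nextcloud needs it and that Ghostscript updates must be applied promptly, e.g. `# Nextcloud previews need the Ghostscript-backed coders; keep ghostscript patched, this widens the conversion attack surface`. `sed -i` also exits 0 when its pattern does not match, so after the path change to `/etc/ImageMagick-7/policy.xml` the substitutions can silently become no-ops if the IM7 file words the policy lines differently; a check such as `grep -q 'rights="read|write" pattern="PDF"' /etc/ImageMagick-7/policy.xml || echo "warning: ImageMagick policy not updated" >&2` after the block would make that visible. Whether `read` alone would suffice instead of `read|write` is not visible from this diff. The enclosing function starts outside the hunk.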
@@ -350,13 +350,12 @@ sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
usermod -aG redis www-data
-cp /etc/sysctl.conf /etc/sysctl.conf.bak
-sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
+echo 'vm.overcommit_memory = 1' > /etc/sysctl.d/overcommit_memory.conf
}
#### Install some more packages
inst_packages() {
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-7.q16-10-extra
timedatectl set-timezone $LXC_TIMEZONE
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
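Review bot: The new drop-in written by `echo 'vm.overcommit_memory = 1' > /etc/sysctl.d/overcommit_memory.conf` is never applied: nothing runs `sysctl --system` afterwards, and the `shutdown -r now` that previously guaranteed a reboot is removed later in this diff, so Redis keeps running with the old `vm.overcommit_memory` until the container restarts. Add `sysctl --system || true` after the echo; the `|| true` is deliberate, because `vm.overcommit_memory` is a host-level kernel setting that an unprivileged LXC is typically not permitted to change, in which case the drop-in only records the intent and the value has to be set on the Proxmox host, which a comment on that line should say. The function closed by the `}` after the echo starts outside this hunk.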
@@ -549,7 +548,7 @@ echo "=> Modifying Nginx config for Nextcloud ..."
mod_nginx
echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
-inst_php
+inst_php fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline $NEXTCLOUD_PHP_VERSION
echo "=> Modifying PHP config for Nextcloud ..."
mod_php
@@ -577,4 +576,3 @@ echo "=> Modifying Crowdsec ..."
mod_crowdsec
echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################"
-shutdown -r now
diff --git a/src/omada/constants-service.conf b/src/omada/constants-service.conf
index 5194b1f..f6ed68e 100644
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/omada/install-service.sh b/src/omada/install-service.sh
index 5692314..e3c0d65 100644
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@@ -10,14 +10,11 @@ set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
-wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
-wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
-echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
-# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
-echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
-apt update
+inst_mongodb
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc
+
+inst_bashclub omada
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
\ No newline at end of file
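Review bot: The file now ends without a trailing newline; terminate the last `apt install ... omadac` line. The removed inline repository definition pinned MongoDB to the `bookworm/mongodb-org/7.0` suite, while the template for this service moves to `debian-13-standard` in the same diff; whether `inst_mongodb` from /root/functions.sh selects a suite matching the running release is not visible here and is worth confirming, since the MongoDB apt repository publishes per-codename suites. The same question applies to `inst_bashclub omada`, which replaces a suite derived from `lsb_release -cs`.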
diff --git a/src/onlyoffice/constants-service.conf b/src/onlyoffice/constants-service.conf
index e5ffe58..9801b05 100644
--- a/src/onlyoffice/constants-service.conf
+++ b/src/onlyoffice/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/onlyoffice/install-service.sh b/src/onlyoffice/install-service.sh
index 4b1627a..943d78b 100644
--- a/src/onlyoffice/install-service.sh
+++ b/src/onlyoffice/install-service.sh
@@ -5,24 +5,31 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
+#### Set repo and install onlyoffice ####
+inst_onlyoffice() {
+ apt_repo "onlyoffice" "https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE" "https://download.onlyoffice.com/repo/debian" "squeeze" "main"
+ apt update
+ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq ttf-mscorefonts-installer onlyoffice-documentserver
+}
+
ONLYOFFICE_DB_PASS=$(random_password)
-curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null
-echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
+inst_postgresql
-cat > /etc/apt/preferences.d/onlyoffice << EOF
-Package: onlyoffice-documentserver
-Pin: version 7.1.1-23
-Pin-Priority: 900
-EOF
+#cat > /etc/apt/preferences.d/onlyoffice << EOF
+#Package: onlyoffice-documentserver
+#Pin: version 7.1.1-23
+#Pin-Priority: 900
+#EOF
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq rabbitmq-server libstdc++6 supervisor
su postgres < /root/onlyoffice.credentials
ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
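Review bot: The removed apt pin survives as five commented-out lines (`#cat > /etc/apt/preferences.d/onlyoffice << EOF` through `#EOF`); dead configuration in a root-run installer is a maintenance trap, so delete it and, if pinning is still wanted, express it as a variable in constants-service.conf. `ttf-mscorefonts-installer` asks to accept the Microsoft EULA through debconf; under `DEBIAN_FRONTEND=noninteractive` it is worth preseeding that before `inst_onlyoffice` runs, e.g. `echo 'ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true' | debconf-set-selections`, otherwise the font download may be skipped. `inst_onlyoffice` is defined in this hunk but its call is not visible here; presumably it follows below.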
diff --git a/src/open3a/constants-service.conf b/src/open3a/constants-service.conf
index c4548eb..50fd76b 100644
--- a/src/open3a/constants-service.conf
+++ b/src/open3a/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh
index ff96ff0..a8b79e7 100644
--- a/src/open3a/install-service.sh
+++ b/src/open3a/install-service.sh
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -13,10 +15,13 @@ webroot=/var/www/html
LXC_RANDOMPWD=20
MYSQL_PASSWORD="$(random_password)"
+PHP_VERSION=8.4
apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
+inst_php cli,fpm,mysql,xml,mbstring,gd $PHP_VERSION
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
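Review bot: `PHP_VERSION=8.4` is hard-coded in the install script, whereas the nextcloud service keeps its PHP version in constants-service.conf as `NEXTCLOUD_PHP_VERSION`; moving it there (for example as `OPEN3A_PHP_VERSION`) keeps version bumps in one place and matches the project's convention. Quote the variable in the call, `inst_php cli,fpm,mysql,xml,mbstring,gd "$PHP_VERSION"`, since the new `set -u` aborts on an unset value but an empty one would silently drop the positional argument. The hard-coded `php8.2-fpm` references later in the file are now derived from the same variable, which is an improvement.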
@@ -39,13 +44,12 @@ server {
index index.php;
- ssl on;
ssl_certificate /etc/nginx/ssl/open3a.crt;
ssl_certificate_key /etc/nginx/ssl/open3a.key;
location ~ .php$ {
include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+ fastcgi_pass unix:/var/run/php/php${PHP_VERSION}-fpm.sock;
}
}
@@ -76,8 +80,8 @@ localhost &%%%&open3a &%%%&$MYSQL_PAS
*/ ?>
EOF
-systemctl enable --now php8.2-fpm
-systemctl restart php8.2-fpm nginx
+systemctl enable --now php${PHP_VERSION}-fpm
+systemctl restart php${PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
diff --git a/src/piler/constants-service.conf b/src/piler/constants-service.conf
index 88aac0c..21b0d3a 100644
--- a/src/piler/constants-service.conf
+++ b/src/piler/constants-service.conf
@@ -6,7 +6,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
diff --git a/src/piler/install-service.sh b/src/piler/install-service.sh
index 72a7e98..a3c7262 100644
--- a/src/piler/install-service.sh
+++ b/src/piler/install-service.sh
@@ -3,13 +3,14 @@
# Author:
# (C) 2024 Thorsten Spille
-source zamba.conf
+set -euo pipefail
-wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
-echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
-echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
-apt update
+inst_bashclub manticore
+inst_bashclub $PILER_BRANCH
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
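Review bot: `$PILER_BRANCH` is unquoted in `inst_bashclub $PILER_BRANCH`; it comes from zamba.conf and selects a repository name, so write `inst_bashclub "$PILER_BRANCH"`. The removed lines hard-coded the `bookworm` suite while this service's template moves to `debian-13-standard` in the same diff; whether `inst_bashclub` derives the suite from the running release is not visible here and should be confirmed. Replacing the relative `source zamba.conf` with the absolute `/root/` sources makes the script independent of the working directory, which the old version silently depended on.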
diff --git a/src/pmg-ai-rspamd/PMG Integration Guide.md b/src/pmg-ai-rspamd/PMG Integration Guide.md
new file mode 100644
index 0000000..10f9fe0
--- /dev/null
+++ b/src/pmg-ai-rspamd/PMG Integration Guide.md
@@ -0,0 +1,111 @@
+# PMG-Integration des KI-Rspamd Filters
+
+Diese Anleitung beschreibt, wie das PMG als zentrale Filter-Instanz die Scores deines externen Rspamd-LXC abfragt, visualisiert und gewichtet, ohne die eigene Filterhoheit zu verlieren.
+
+## 1. Architektur-Übersicht
+
+Das PMG fungiert als SMTP-Relay. Der externe Rspamd wird als **Before-Queue Milter** eingebunden. Er verarbeitet die Mail, setzt Header-Attribute und das PMG wertet diese Header innerhalb seines eigenen Regelwerks aus.
+
+
+---
+
+## 2. Persistente Milter-Anbindung (Updatesicher)
+
+Damit Postfix den Rspamd-LXC anspricht, muss die Konfiguration über das PMG-Template-System erfolgen.
+
+
+1. **Template-Verzeichnis erstellen:**
+
+ ```javascript
+ mkdir -p /etc/pmg/templates
+ cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/
+
+ ```
+2. **Milter in `main.cf.in` eintragen:** Öffne `/etc/pmg/templates/main.cf.in` und füge am Ende (vor den lokalen Overrides) folgende Zeilen hinzu:
+
+ ```javascript
+ smtpd_milters = inet:IP_DEINES_LXC:11332
+ milter_default_action = accept
+ milter_protocol = 6
+
+ ```
+3. **Konfiguration generieren:**
+
+ ```javascript
+ pmgconfig sync
+
+ ```
+
+
+---
+
+## 3. Score-Gewichtung (SpamAssassin-Integration)
+
+Da das PMG-UI keine direkte Punkte-Addition erlaubt, integrieren wir die Rspamd-Ergebnisse direkt in den internen Scan-Prozess. Dies stellt sicher, dass die Scores im **Tracking Center** namentlich auftauchen.
+
+
+1. **Konfigurationsdatei erstellen:** Erstelle auf dem PMG-Host: `/etc/mail/spamassassin/rspamd_scores.cf`
+2. **Regeln definieren:** Kopiere diesen Block in die Datei:
+
+ ```javascript
+ # Rspamd Medium (4 - 5.9)
+ header RSPAMD_MEDIUM X-Rspamd-Score =~ /^([45]\.[0-9]+)/
+ describe RSPAMD_MEDIUM Rspamd bewertet diese Mail als leicht verdaechtig (4-5.9)
+ score RSPAMD_MEDIUM 1.5
+
+ # Rspamd High (6 - 14.9)
+ header RSPAMD_HIGH X-Rspamd-Score =~ /^([6-9]|1[0-4])\.[0-9]+/
+ describe RSPAMD_HIGH Rspamd bewertet diese Mail als Spam (6-14.9)
+ score RSPAMD_HIGH 4.0
+
+ # Rspamd Critical (15+)
+ header RSPAMD_CRITICAL X-Rspamd-Score =~ /^(1[5-9]|[2-9][0-9]|[1-9][0-9][0-9])\.[0-9]+/
+ describe RSPAMD_CRITICAL Rspamd (KI/Llama) ist sich absolut sicher: Scam/Betrug (15+)
+ score RSPAMD_CRITICAL 10.0
+
+ ```
+3. **Dienst neu starten:**
+
+ ```javascript
+ systemctl restart pmg-smtp-filter
+
+ ```
+
+
+---
+
+## 4. UI-Logik für harte Aktionen (Optional)
+
+Wenn du für extrem hohe Scores (`RSPAMD_CRITICAL`) eine sofortige Quarantäne erzwingen möchtest, kannst du dies im WebUI ergänzen:
+
+
+1. **What Object:** Erstelle unter *Mail Filter > What Objects* ein **Match Field**.
+ * **Name:** `Rspamd-Critical-Header`
+ * **Field:** `X-Rspamd-Score`
+ * **Value:** `^(1[5-9]|[2-9][0-9])\..*`
+2. **Rule:** Erstelle eine Regel mit Priorität **99**.
+ * **What:** `Rspamd-Critical-Header`
+ * **Action:** `Quarantine`
+
+
+---
+
+## 5. Verifizierung & Monitoring
+
+Nach der Integration sollten eingehende E-Mails im PMG Tracking Center detailliert aufgeschlüsselt werden.
+
+* **Live-Log Prüfung:** Überwache die Auswertung der neuen Header live auf der Konsole:
+
+ ```javascript
+ tail -f /var/log/mail.log | grep -E "RSPAMD_(MEDIUM|HIGH|CRITICAL)"
+
+ ```
+* **Tracking Center:** In der Detailansicht einer E-Mail unter **Spam Analysis** erscheint nun z. B. der Eintrag: `RSPAMD_HIGH (4.00)`
+
+
+---
+
+### Wartungshinweise
+
+* **Persistent:** Die `.cf`-Dateien unter `/etc/mail/spamassassin/` bleiben bei PMG-Updates erhalten.
+* **Anpassung:** Sollten zu viele False Positives auftreten, senke einfach die `score`-Werte in der `rspamd_scores.cf` und starte den `pmg-smtp-filter` neu.
\ No newline at end of file
diff --git a/src/apt/constants-service.conf b/src/pmg-ai-rspamd/constants-service.conf
similarity index 82%
rename from src/apt/constants-service.conf
rename to src/pmg-ai-rspamd/constants-service.conf
index c538e56..5016179 100644
--- a/src/apt/constants-service.conf
+++ b/src/pmg-ai-rspamd/constants-service.conf
@@ -8,14 +8,14 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
-LXC_MP=1
+LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="srv"
+LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
-LXC_MP_RECORDSIZE="16K"
+LXC_MP_RECORDSIZE="128K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
@@ -27,7 +27,7 @@ LXC_NESTING="1"
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=1024
+LXC_MEM_MIN=8192
# service dependent meta tags
-SERVICE_TAGS="aptly,nginx"
+SERVICE_TAGS="rspamd,unbound,ollama"
\ No newline at end of file
diff --git a/src/pmg-ai-rspamd/install-service.sh b/src/pmg-ai-rspamd/install-service.sh
new file mode 100644
index 0000000..eea1eba
--- /dev/null
+++ b/src/pmg-ai-rspamd/install-service.sh
@@ -0,0 +1,373 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+RSPAMD_PASSWORD=$(random_password)
+LLM=llama3.1:8b
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y redis-server unbound python3-venv rspamd zstd nginx ssl-cert
+
+# Eine abgeschottete Python-Umgebung in /opt/oletools erstellen
+python3 -m venv /opt/oletools
+
+# Oletools innerhalb dieser Umgebung installieren (berührt das System nicht!)
+/opt/oletools/bin/pip install oletools python-magic
+ln -s /opt/oletools/bin/olevba /usr/local/bin/olevba3
+
+
+# install olefy servvice
+curl -o /usr/local/bin/olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py
+chmod +x /usr/local/bin/olefy.py
+sed -i "s/addr_re = re.compile('\[\\\[\" \\\]\]')/addr_re = re.compile(r'\[\\\[\" \\\]\]')/g" /usr/local/bin/olefy.py
+
+# olefy Systemd-Service anlegen
+cat << 'EOF' > /etc/systemd/system/olefy.service
+[Unit]
+Description=Olefy Daemon for Rspamd
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+ExecStart=/opt/oletools/bin/python3 /usr/local/bin/olefy.py
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# oletools update
+cat << 'EOF' > /usr/local/bin/apt-hook-oletools.sh
+#!/bin/bash
+# Unterdrücke Standard-Ausgaben, fange aber das Ergebnis auf
+UPDATE_OUT=$(/opt/oletools/bin/pip install --upgrade oletools 2>&1)
+
+# Prüfen, ob der Text "Successfully installed" im Output vorkommt
+if echo "$UPDATE_OUT" | grep -q "Successfully installed"; then
+ # Neues Update wurde gefunden und installiert! Dienst neu starten:
+ systemctl restart olefy
+ # Einen sauberen Eintrag ins System-Log (syslog) schreiben
+ logger -t oletools-updater "Neues Oletools Update via APT-Hook installiert. Olefy Dienst neu gestartet."
+fi
+
+# Immer erfolgreich beenden (Exit Code 0), damit apt niemals blockiert wird
+exit 0
+EOF
+
+# Skript ausführbar machen
+chmod +x /usr/local/bin/apt-hook-oletools.sh
+
+# apt hook
+cat << EOF > /etc/apt/apt.conf.d/99oletools-update
+# Automatisches Update von Oletools nach jedem dpkg-Lauf
+DPkg::Post-Invoke { "/usr/local/bin/apt-hook-oletools.sh || true"; };
+EOF
+
+# download ollama
+curl -fsSL https://ollama.com/install.sh | bash 2>/dev/null
+
+# konfiguriere ollama, dass llm dauerhaft geladen bleibt
+mkdir -p /etc/systemd/system/ollama.service.d
+cat << 'EOF' > /etc/systemd/system/ollama.service.d/override.conf
+[Service]
+Environment="OLLAMA_KEEP_ALIVE=-1"
+EOF
+
+# qwen3 llm herunterladen
+ollama pull $LLM
+
+# ollama qwen3 preload service erstellen
+cat << EOF > /etc/systemd/system/ollama-preload.service
+[Unit]
+Description=Preload Qwen3 Model into Ollama
+After=ollama.service
+Requires=ollama.service
+
+[Service]
+Type=oneshot
+# Warteschleife: Prüfe im Sekundentakt, ob die API erreichbar ist, bevor wir weitermachen
+ExecStartPre=/bin/bash -c 'until curl -s http://127.0.0.1:11434/ > /dev/null; do sleep 1; done'
+# Erst wenn der Port antwortet, laden wir das Modell
+ExecStart=/usr/bin/curl -s -X POST http://127.0.0.1:11434/api/generate -d '{"model": "$LLM", "keep_alive": -1}'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# milter socket für rspamd konfigurieren
+cat << EOF > /etc/rspamd/local.d/worker-proxy.inc
+# Lausche auf allen Schnittstellen (für das PMG)
+bind_socket = "${LXC_IP%/*}:11332";
+# Aktiviere explizit das Milter-Protokoll
+milter = yes;
+EOF
+
+# rspamd an redis anbinden
+cat << 'EOF' > /etc/rspamd/local.d/redis.conf
+servers = "127.0.0.1";
+write_servers = "127.0.0.1";
+EOF
+
+# lua script for llm integration
+cat << EOF > /etc/rspamd/lua.local.d/ollama_ai.lua
+local logger = require "rspamd_logger"
+local http = require "rspamd_http"
+local ucl = require "ucl"
+
+local function ollama_check(task)
+ logger.errx(task, "KI-Check: ANALYSE START (Llama-3.1-8B)")
+
+ local text_parts = task:get_text_parts()
+ local email_text = ""
+
+ if text_parts then
+ for _, part in ipairs(text_parts) do
+ email_text = email_text .. tostring(part:get_content() or "")
+ end
+ end
+
+ -- Abbruch bei zu kurzen Mails
+ if #email_text < 15 then
+ logger.errx(task, "KI-Check: Text zu kurz für Analyse")
+ return
+ end
+
+ local req_data = {
+ model = "$LLM",
+ messages = {
+ {
+ role = "system",
+ content = "You are a cybersecurity analyst. Score the following email for fraud/phishing from 0 to 10. Output ONLY the integer number."
+ },
+ {
+ role = "user",
+ content = "Rate this content: " .. string.sub(email_text, 1, 1000)
+ }
+ },
+ stream = false,
+ options = {
+ num_predict = 5,
+ temperature = 0.0
+ }
+ }
+
+ http.request({
+ task = task,
+ url = 'http://127.0.0.1:11434/api/chat',
+ body = ucl.to_format(req_data, 'json'),
+ timeout = 25.0,
+ callback = function(err, code, body, headers)
+ -- Falls der Dienst nicht erreichbar ist
+ if err or code ~= 200 then
+ logger.errx(task, "KI-Check: Ollama API Fehler oder Timeout")
+ return
+ end
+
+ local parser = ucl.parser()
+ local res, _ = parser:parse_string(body)
+ if res then
+ local data = parser:get_object()
+ local reply = data.message and data.message.content or ""
+ local score_num = reply:match("%d+")
+
+ if score_num then
+ local score = tonumber(score_num)
+ logger.errx(task, "KI-Check: Ergebnis erhalten: %s/10", score)
+
+ -- 1. Header: Basis-Info (Wird immer gesetzt, wenn KI geantwortet hat)
+ task:set_milter_reply({
+ ['add_header'] = {['X-AI-Scanner'] = 'Llama-3.1-8B-Verified'}
+ })
+
+ -- 2. Header & Symbol: Nur bei Verdacht (Score >= 7)
+ if score >= 7 then
+ task:insert_result('OLLAMA_LLM_FRAUD', 1.0, "Score " .. score .. "/10")
+ task:set_milter_reply({
+ ['add_header'] = {['X-AI-Fraud-Rating'] = tostring(score) .. '/10'}
+ })
+ logger.errx(task, "KI-Check: Symbol und Header gesetzt (Betrugsverdacht)")
+ end
+ end
+ end
+ end
+ })
+end
+
+rspamd_config:register_symbol({
+ name = 'OLLAMA_LLM_FRAUD',
+ callback = ollama_check,
+ flags = 'async',
+ score = 6.0,
+ description = 'AI-based fraud detection using Llama-3.1-8B'
+})
+EOF
+
+# dns resolver konfigurieren
+cat << 'EOF' > /etc/rspamd/local.d/options.inc
+dns {
+ nameserver = ["127.0.0.1"];
+}
+
+# Basis-Regeln, die immer gelten müssen
+local_addrs = "127.0.0.1";
+local_addrs = "::1";
+
+task_timeout = 59s;
+
+# Lade alle Server-spezifischen Dateien (*.conf)
+.include(try=true,glob=true) "$LOCAL_CONFDIR/local_addrs.d/*.conf"
+EOF
+
+PWHASH=$(rspamadm pw --password "$RSPAMD_PASSWORD")
+cat << EOF > /etc/rspamd/local.d/worker-controller.inc
+
+bind_socket = "127.0.0.1:11334";
+password = "$PWHASH";
+
+# Basis-Regeln (LXC-interner Zugriff)
+secure_ip = "127.0.0.1";
+secure_ip = "::1";
+secure_ip = "${LXC_IP%/*}";
+
+# Lade alle Server-spezifischen Dateien (*.conf)
+.include(try=true,glob=true) "\$LOCAL_CONFDIR/secure_ips.d/*.conf"
+EOF
+
+cat << EOF > /etc/rspamd/local.d/actions.conf
+# Alle Aktionen, die normalerweise ablehnen würden, auf null setzen
+reject = null; # Niemals ablehnen
+add_header = 6.0; # Ab diesem Score den X-Spam-Header setzen
+greylist = null; # Greylisting deaktivieren (macht PMG schon besser)
+rewrite_subject = null;
+EOF
+
+cat << EOF > /etc/rspamd/local.d/milter_headers.conf
+# Diese Header werden für jede Mail geschrieben
+use = ["spam-header", "symbols", "score"];
+
+header_names {
+ "spam-header" = "X-Spam-Flag";
+ "symbols" = "X-Rspamd-Symbols";
+ "score" = "X-Rspamd-Score";
+}
+
+# Fügt den Score immer hinzu, egal wie hoch er ist
+skip_local = false;
+extended_symbols = true;
+EOF
+
+# oletools aktivieren
+cat << 'EOF' > /etc/rspamd/local.d/oletools.conf
+enabled = true;
+servers = "127.0.0.1:10050"; # Standard-Port von olefy
+EOF
+
+# learning aktivieren
+cat << 'EOF' > /etc/rspamd/local.d/classifier-ham-spam.conf
+# Nutze Redis als Backend für gelerntes Wissen
+backend = "redis";
+# Erlaube das Lernen (wichtig für deine Mailcows!)
+autolearn = true;
+EOF
+
+# betreffzeilen anzeigen
+cat << 'EOF' > /etc/rspamd/local.d/history_redis.conf
+# Speichere die letzten Mail-Logs in Redis für die WebUI
+subject_privacy = false; # Zeigt Betreffzeilen im Dashboard an (hilfreich für MSPs)
+EOF
+
+# set include for local modules
+cat << 'EOF' > /etc/rspamd/local.d/groups.conf
+# Lade alle Symbol-Definitionen aus dem scores.d Verzeichnis
+.include(try=true,glob=true) "$LOCAL_CONFDIR/scores.d/*.conf"
+EOF
+
+# create folder for trusted addresses
+mkdir -p /etc/rspamd/local.d/local_addrs.d
+mkdir -p /etc/rspamd/local.d/secure_ips.d
+
+# persistenz in redis aktivieren
+sed -i 's/appendonly no/appendonly yes/g' /etc/redis/redis.conf
+sed -i 's/^#\? \?appendfsync .*/appendfsync everysec/g' /etc/redis/redis.conf
+
+# nginx konfigurieren
+mkdir -p /etc/nginx/ssl
+
+# Symlinks auf Snakeoil (Pfade ggf. anpassen, falls ssl-cert nicht installiert ist)
+ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+
+# Starke Diffie-Hellman Parameter generieren (wichtig!)
+openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
+
+# generiere config
+cat << EOF > /etc/nginx/sites-available/rspamd_proxy
+# HTTP - Redirect auf HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+ return 301 https://\$host\$request_uri;
+}
+
+# HTTPS - Sicherer Proxy
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+ # Zertifikate
+ ssl_certificate /etc/nginx/ssl/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # TLS Sicherheit nach Stand der Technik (Modern)
+ ssl_protocols TLSv1.3; # TLS 1.2 entfernt für maximale Sicherheit
+ ssl_prefer_server_ciphers off;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
+
+ # Proxy-Einstellungen
+ location / {
+ proxy_pass http://127.0.0.1:11334; # Dein Rspamd Controller/UI
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+
+ # Wichtig für lange KI-Analysen
+ proxy_read_timeout 120s;
+ proxy_connect_timeout 120s;
+
+ # Optional: Zusätzlicher Schutz auf Nginx-Ebene
+ # allow 1.2.3.4; # Deine Admin IP
+ # deny all;
+ }
+}
+EOF
+ln -s /etc/nginx/sites-available/rspamd_proxy /etc/nginx/sites-enabled/
+nginx -t
+
+# dienste aktivieren
+systemctl daemon-reload
+systemctl enable --now unbound olefy ollama ollama-preload.service
+systemctl restart redis-server rspamd nginx
+
+echo "Your rspamd instance setup is finished!"
+echo "Please visit http://${LXC_IP%/*}:11334/"
+echo "rspamd password is: $RSPAMD_PASSWORD"
\ No newline at end of file
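Review bot: Three downloads in this new script run unverified code as root: `curl -o /usr/local/bin/olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py` fetches an unpinned branch without `-f`, so an HTTP error page would be installed as the daemon (curl exits 0 on a 404, which `set -e` does not catch); `curl -fsSL https://ollama.com/install.sh | bash 2>/dev/null` pipes a remote installer straight into a root shell with its stderr discarded; and `/opt/oletools/bin/pip install oletools python-magic` plus the `DPkg::Post-Invoke` hook install and auto-upgrade unpinned packages from PyPI on every dpkg run. Use `curl -fsSL -o ...` against a tagged commit with a checksum comparison, save the ollama installer to a file and verify it before executing, and pin the pip versions (`oletools==<pinned version>`). In the Lua rule the mail text is concatenated verbatim into the model prompt (`"Rate this content: " .. string.sub(email_text, 1, 1000)`) and `OLLAMA_LLM_FRAUD` is registered with `score = 6.0`, equal to the `add_header = 6.0` threshold in actions.conf, so the model's answer alone decides the spam flag and message content that steers the model changes the verdict in either direction; weight it lower so it only contributes alongside other symbols. The closing `echo "Please visit http://${LXC_IP%/*}:11334/"` points at an unreachable address, because the controller binds `127.0.0.1:11334` and is only exposed through the nginx proxy on 443; print `https://$LXC_HOSTNAME.$LXC_DOMAIN/` instead. The comments `# qwen3 llm herunterladen`, `# ollama qwen3 preload service erstellen` and `Description=Preload Qwen3 Model into Ollama` are stale now that `LLM=llama3.1:8b`, and the Lua log strings hard-code `Llama-3.1-8B` although the model name is a variable.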
diff --git a/src/proxmox-pbs/constants-service.conf b/src/proxmox-pbs/constants-service.conf
index 92b94cb..43aed2d 100644
--- a/src/proxmox-pbs/constants-service.conf
+++ b/src/proxmox-pbs/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
diff --git a/src/proxmox-pbs/install-service.sh b/src/proxmox-pbs/install-service.sh
index 249217a..33fb220 100644
--- a/src/proxmox-pbs/install-service.sh
+++ b/src/proxmox-pbs/install-service.sh
@@ -1,5 +1,7 @@
#!/bin/bash
+set -euo pipefail
+
# Authors:
# (C) 2021 Idea an concept by Christian Zengel
# (C) 2021 Script design and prototype by Markus Helmke
@@ -9,16 +11,14 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list
-# PBS pbs-no-subscription repository provided by proxmox.com,
-# NOT recommended for production use
-deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
-EOF
-
-wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
-
+#### Set repo and install onlyoffice ####
+inst_pbs() {
+ apt_repo "proxmox" "https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg" "http://download.proxmox.com/debian/pbs" "trixie" "pbs-no-subscription"
apt update && apt upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
+}
+
+inst_pbs
proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
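Review bot: The header comment on the new `inst_pbs` function says `install onlyoffice`, which is a copy-paste leftover, and the removed sources.list comment that `pbs-no-subscription` is `NOT recommended for production use` disappears with it; suggest `#### Add the Proxmox no-subscription repo (not for production use) and install PBS ####`. The package URL handed to `apt_repo` is plain `http://download.proxmox.com/debian/pbs` while the key is fetched over https; apt still verifies signatures, but if the mirror serves https (it appears to) using it keeps package metadata off the wire. The datastore line `proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA` leaves both expansions unquoted; `"$PBS_DATA" "/$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA"` is safer now that the script runs under `set -euo pipefail`.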
diff --git a/src/rei3/constants-service.conf b/src/rei3/constants-service.conf
index ac00ebb..783b680 100644
--- a/src/rei3/constants-service.conf
+++ b/src/rei3/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/rei3/install-service.sh b/src/rei3/install-service.sh
index 7ecaaaf..08b72d7 100644
--- a/src/rei3/install-service.sh
+++ b/src/rei3/install-service.sh
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -12,13 +14,12 @@ source /root/constants-service.conf
mkdir /opt/rei3
wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg
-echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+inst_postgresql
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends imagemagick ghostscript
timedatectl set-timezone ${LXC_TIMEZONE}
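Review bot: `wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3` unpacks an unpinned, unverified download straight into /opt; with `pipefail` now enabled a failed fetch at least aborts, but nothing checks what was fetched. Download to a temp file, verify a published checksum or signature if the vendor offers one, and only then extract; at minimum pin a version instead of `latest` so the container build is reproducible. `inst_postgresql` is called here with no version argument while the zabbix scripts pass `$POSTGRES_VERSION`, and `postgresql-client` was dropped from the apt line, so the helper is presumably expected to install both; a comment such as `inst_postgresql  # helper installs server + client, distro/default major` would make that explicit. `mkdir /opt/rei3` without `-p` now fails the script under `set -e` on a re-run; `mkdir -p` keeps it idempotent.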
diff --git a/src/unifi/constants-service.conf b/src/unifi/constants-service.conf
index 09898b2..83c6c31 100644
--- a/src/unifi/constants-service.conf
+++ b/src/unifi/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/unifi/install-service.sh b/src/unifi/install-service.sh
index 753fa77..595483d 100644
--- a/src/unifi/install-service.sh
+++ b/src/unifi/install-service.sh
@@ -11,12 +11,14 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
-wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
+inst_unifi() {
+ apt_repo "unifi" "https://dl.ubnt.com/unifi/unifi-repo.gpg" "http://www.ui.com/downloads/unifi/debian" "stable" "ubiquiti"
+ apt update
+ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unifi
+}
-echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
-echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
+inst_mongodb
-apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi
\ No newline at end of file
+inst_unifi
\ No newline at end of file
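Review bot: `inst_mongodb` replaces the previously pinned MongoDB 7.0 repository with whatever version the helper installs, and the UniFi controller only supports a bounded range of MongoDB releases, so if the helper tracks the latest major a future bump can leave the controller unable to start. Pass the version explicitly if the helper accepts one, e.g. `inst_mongodb 7.0`, or document its default next to the call. The UniFi repo is still fetched over plain `http://www.ui.com/downloads/unifi/debian`; apt verifies the signature, but an `https://` URL would hide the package metadata if the host serves it. The `apt install default-jre-headless` between the two helpers runs without its own `apt update`, which is fine only if `inst_mongodb` refreshes the index, and that is not visible here.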
diff --git a/src/urbackup/constants-service.conf b/src/urbackup/constants-service.conf
index 9222b47..5a49863 100644
--- a/src/urbackup/constants-service.conf
+++ b/src/urbackup/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
URBACKUP_DATA="urbackup"
# OS codename for opensuse / urbackup repo
-REPO_CODENAME="Debian_12"
+REPO_CODENAME="Debian_13"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
diff --git a/src/urbackup/install-service.sh b/src/urbackup/install-service.sh
index 64e0f34..88fe70c 100644
--- a/src/urbackup/install-service.sh
+++ b/src/urbackup/install-service.sh
@@ -5,10 +5,14 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
+set -euo pipefail
+
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
mkdir -p /etc/urbackup
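Review bot: `set -euo pipefail` is enabled twice, once before the `source` lines and again right after them; the second copy is redundant and should be dropped. Note that the first placement makes `set -u` apply while /root/zamba.conf and /root/constants-service.conf are sourced, so any reference to an unset variable inside those files now aborts the install; the other scripts in this series do the same, so either that is intended or the `set` belongs after the sources everywhere.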
@@ -18,10 +22,11 @@ echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/
curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" ssl-cert urbackup-server nginx
-mkdir -p /etc/nginx/ssl
-openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+install -d -m 0750 -o root -g root /etc/nginx/ssl
+ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
ln -s /usr/share/urbackup/www /var/www/urbackup
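Review bot: Swapping the generated certificate for the ssl-cert snakeoil pair changes what clients see: the removed `openssl req` set CN and `subjectAltName` to `$LXC_HOSTNAME.$LXC_DOMAIN`, whereas the snakeoil cert is built at package install time from whatever the hostname is at that moment and, depending on the ssl-cert version, may carry no SAN at all, which current browsers reject. The two symlinks are also created with `ln -s` rather than `ln -sf` (as the zammad script does), so a re-run fails under `set -e`. If the snakeoil cert is meant as a placeholder until a real one is installed, say so: `# placeholder cert; replace fullchain.pem/privkey.pem with a CA-issued pair`.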
@@ -44,9 +49,8 @@ server {
index index.htm;
- ssl on;
- ssl_certificate /etc/nginx/ssl/urbackup.crt;
- ssl_certificate_key /etc/nginx/ssl/urbackup.key;
+ ssl_certificate /etc/nginx/ssl/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/privkey.pem;
location /x {
include /etc/nginx/fastcgi_params;
diff --git a/src/vaultwarden/constants-service.conf b/src/vaultwarden/constants-service.conf
index d9325a7..36b207b 100644
--- a/src/vaultwarden/constants-service.conf
+++ b/src/vaultwarden/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/vaultwarden/install-service.sh b/src/vaultwarden/install-service.sh
index 2fcc438..539c584 100644
--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@@ -5,13 +5,17 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
admin_token=$(openssl rand -base64 48)
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
+inst_postgresql
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx git ssl-cert
systemctl enable --now postgresql
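Review bot: `inst_postgresql` is called without a version while the zabbix scripts pass `$POSTGRES_VERSION`; a short comment stating which PostgreSQL major the helper installs by default would help, e.g. `inst_postgresql  # installs the helper's default PostgreSQL major`. The following `apt install -y -qq nginx git ssl-cert` has no `apt update` of its own, so it relies on the helper having refreshed the index, which is not visible here.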
@@ -149,6 +153,9 @@ server {
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
proxy_read_timeout 90;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
}
}
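Review bot: `proxy_set_header Connection "upgrade";` is sent unconditionally, so every proxied request, not only WebSocket handshakes, reaches vaultwarden with `Connection: upgrade`. The usual nginx idiom is a `map \$http_upgrade \$connection_upgrade { default upgrade; '' close; }` in the http context and `proxy_set_header Connection \$connection_upgrade;` here (the backslashes because this config is emitted from a heredoc, as the escaped `\$proxy_add_x_forwarded_for` shows). The existing `proxy_read_timeout 90;` will also drop idle WebSocket connections after 90 s; raise it for this location or accept the reconnects. The enclosing `location` block starts before this hunk.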
diff --git a/src/wazuh/constants-service.conf b/src/wazuh/constants-service.conf
new file mode 100644
index 0000000..592299f
--- /dev/null
+++ b/src/wazuh/constants-service.conf
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=8192
+
+# service dependent meta tags
+SERVICE_TAGS="opensearch"
\ No newline at end of file
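Review bot: `LXC_MP=0` together with `LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch"` looks inconsistent: with the mountpoint disabled the indexer data lands on the container rootfs and the path is never used, whereas the other services that carry a data path (urbackup, proxmox-pbs) set `LXC_MP=1`. If a bind mount for the OpenSearch data is intended, set `LXC_MP=1`; otherwise drop the path so it does not mislead operators. The container is also unprivileged, and the OpenSearch-based indexer needs `vm.max_map_count` raised, which cannot be done from inside an unprivileged LXC; a comment such as `# vm.max_map_count must be raised on the Proxmox host before first start` would save a failed first boot. `SERVICE_TAGS="opensearch"` could also carry `wazuh` so the container is discoverable by what it actually runs.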
diff --git a/src/wazuh/install-service.sh b/src/wazuh/install-service.sh
new file mode 100644
index 0000000..580df92
--- /dev/null
+++ b/src/wazuh/install-service.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+WAZUH_VERSION=4.14
+REG_PASS=$(random_password)
+
+curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null
+
+
+sed -i "s|no|yes|" /var/ossec/etc/ossec.conf
+echo "$REG_PASS" > /var/ossec/etc/authd.pass
+chmod 640 /var/ossec/etc/authd.pass
+chown root:wazuh /var/ossec/etc/authd.pass
+systemctl restart wazuh-manager
+
+echo "Please use the following password for agent registration: $REG_PASS"
\ No newline at end of file
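Review bot: `sed -i "s|no|yes|" /var/ossec/etc/ossec.conf` replaces the first `no` on every line of the whole file, not just the `<use_password>` setting: every `<disabled>no</disabled>` becomes `yes`, any line containing a word with `no` in it (e.g. `node`) is corrupted, and the manager may fail to start. Anchor the substitution to the element it is presumably meant for: `sed -i 's|<use_password>no</use_password>|<use_password>yes</use_password>|' /var/ossec/etc/ossec.conf`. The installer fetch `curl -sO … && sudo bash ./wazuh-install.sh -a -i 2>/dev/null` runs remote code pinned only to a major version and without `-f`, so an HTTP error page would be handed to bash; use `curl -fsSLO`, verify the published checksum before running it, drop `2>/dev/null` so failures are visible, and note in a comment that `-i` disables the installer's own prerequisite checks. If the all-in-one installer still writes the generated admin credentials to `wazuh-install-files.tar` in the working directory, that archive is left behind in /root unmentioned; print its location or move it somewhere with restrictive permissions.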
diff --git a/src/zabbix-proxy/constants-service.conf b/src/zabbix-proxy/constants-service.conf
index a931567..0eb2b46 100644
--- a/src/zabbix-proxy/constants-service.conf
+++ b/src/zabbix-proxy/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -42,8 +42,8 @@ ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
-ZABBIX_VERSION=7.0 #zabbix 7 beta
-POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13)
+ZABBIX_VERSION=7.4 #zabbix 7 beta
+POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
diff --git a/src/zabbix-proxy/install-service.sh b/src/zabbix-proxy/install-service.sh
index fc9472a..9e452db 100644
--- a/src/zabbix-proxy/install-service.sh
+++ b/src/zabbix-proxy/install-service.sh
@@ -11,13 +11,14 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
-apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
apt update
+inst_postgresql $POSTGRES_VERSION
+
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
timedatectl set-timezone ${LXC_TIMEZONE}
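Review bot: `zabbix-agent2-plugin-*` on the apt install line is an unquoted shell glob; it only reaches apt literally because nothing in the working directory matches, and apt then treats it as a regex, which also pulls in the nvidia plugin that the later hunk has to disable by renaming its config. Quote it (`'zabbix-agent2-plugin-*'`) or, better, list the plugins you want explicitly so the nvidia rename becomes unnecessary. `apt update` on the line above runs before `inst_postgresql` adds its repository; that only works if the helper refreshes the index itself, which is not visible here.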
@@ -29,7 +30,7 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
-cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+cat /usr/share/zabbix/sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
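Review bot: The schema load `cat … | sudo -u zabbix psql ${ZABBIX_DB_NAME}` pipes a file through cat and leaves the database name unquoted; `sudo -u zabbix psql -v ON_ERROR_STOP=1 "${ZABBIX_DB_NAME}" < /usr/share/zabbix/sql-scripts/postgresql/proxy.sql` reads the file directly and makes psql exit non-zero on the first SQL error instead of continuing silently. Without `ON_ERROR_STOP` a partially applied schema is only noticed when zabbix-proxy fails later.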
@@ -53,6 +54,8 @@ sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
+mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
+
systemctl enable zabbix-proxy zabbix-agent2
systemctl restart zabbix-proxy zabbix-agent2
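Review bot: `mv …/nvidia.conf …/nvidia.off` fails with a hard error if the package does not ship that file, or on a re-run once it has already been renamed, and whether this script aborts on that depends on a `set -e` above the hunk that is not visible here. Guard it: `[ -f /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf ] && mv …`, and add a comment on why the plugin is disabled, e.g. `# disable nvidia plugin: no GPU in the container, avoids agent2 startup errors` if that is the reason.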
diff --git a/src/zabbix/constants-service.conf b/src/zabbix/constants-service.conf
index b074420..f228e7a 100644
--- a/src/zabbix/constants-service.conf
+++ b/src/zabbix/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -42,10 +42,10 @@ ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)"
-ZABBIX_VERSION=7.0 #zabbix 7 beta
-POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13)
-PHP_VERSION=8.2 # debian 12 default
-TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
+ZABBIX_VERSION=7.4 #zabbix 7 beta
+POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13)
+PHP_VERSION=8.4 # debian 12 default
+TS_VERSION=2.23.0 # currently latest by zabbix supported version of timescaledb (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096
diff --git a/src/zabbix/install-service.sh b/src/zabbix/install-service.sh
index 41b98e0..b290803 100644
--- a/src/zabbix/install-service.sh
+++ b/src/zabbix/install-service.sh
@@ -11,14 +11,15 @@ source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
-apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
-apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main"
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
+apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/" "$(lsb_release -cs)" "main"
+inst_postgresql ${POSTGRES_VERSION}
+inst_php pgsql,fpm $PHP_VERSION
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION timescaledb-tools nginx zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
unlink /etc/nginx/sites-enabled/default
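Review bot: `zabbix-agent2-plugin-*` on the apt install line is an unquoted shell glob that only reaches apt literally because nothing in the working directory matches, after which apt treats it as a regex and installs every plugin including the nvidia one that a later hunk renames away; quote it (`'zabbix-agent2-plugin-*'`) or list the wanted plugins explicitly. The timescaledb repository is now requested for `$(lsb_release -cs)` on a Debian 13 template; whether packagecloud publishes a `trixie` suite for the pinned `TS_VERSION` is not visible here and deserves a comment or a check, since `apt update` will otherwise fail the whole build. `inst_postgresql` and `inst_php` are called before the single `apt update`, which is the right order only if those helpers do not need the index refreshed themselves.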
@@ -216,18 +217,20 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF
-sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
+#sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
-zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
systemctl restart postgresql
echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
-cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+cat /usr/share/zabbix/sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
-echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.d/dbpassword.conf
+
+mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
generate_dhparam
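Review bot: `echo "DBPassword=…" >> /etc/zabbix/zabbix_server.d/dbpassword.conf` creates a new file under the shell's umask, so the database password most likely ends up world-readable (0644), whereas the previous target `zabbix_server.conf` is presumably shipped by the package with restricted permissions. Create it with explicit ownership and mode first: `install -D -m 0640 -o root -g zabbix /dev/null /etc/zabbix/zabbix_server.d/dbpassword.conf` before the echo. This also assumes the packaged `zabbix_server.conf` includes `/etc/zabbix/zabbix_server.d/*.conf`; if it does not, the server starts without a password and the install fails later. The commented-out locales `sed` is dead code and should be removed rather than left behind.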
diff --git a/src/zammad/constants-service.conf b/src/zammad/constants-service.conf
index 014cafd..e695b6f 100644
--- a/src/zammad/constants-service.conf
+++ b/src/zammad/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh
index db36772..b485846 100644
--- a/src/zammad/install-service.sh
+++ b/src/zammad/install-service.sh
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -39,15 +41,16 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
-sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
- -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
- -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
- -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
- -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
+echo "Customizing nginx configuration..."
+sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
+ -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
+ -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
+ -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
+ -e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
/opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
-ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
-
+ ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
# configure elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
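Review bot: Each `-e` expression builds its sed pattern from `$(grep -m1 … zammad_ssl.conf)`, so a directive that upstream removes or renames yields an empty pattern (`s||…|g`), which sed either rejects or, for the later expressions, applies using the previous regex; under `set -e` a failing command substitution inside an argument does not abort, so the breakage only surfaces when nginx loads the site. The grep output is also used as an unescaped regex, and `grep -m1 ssl_certificate` returns whichever of `ssl_certificate`/`ssl_certificate_key` comes first in the template. Match the directives by anchored pattern instead and verify the result before enabling the site, as below; the `ln -sf` at the end also picked up a stray leading space.
```shell
echo "Customizing nginx configuration..."
sed -E \
  -e "s|^[[:space:]]*server_name .*;|    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|" \
  -e "s|^[[:space:]]*ssl_certificate .*;|    ssl_certificate /etc/nginx/ssl/fullchain.pem;|" \
  -e "s|^[[:space:]]*ssl_certificate_key .*;|    ssl_certificate_key /etc/nginx/ssl/privkey.pem;|" \
  -e "s|^[[:space:]]*ssl_protocols .*;|    ssl_protocols TLSv1.2 TLSv1.3;|" \
  -e "s|^[[:space:]]*ssl_dhparam .*;|    ssl_dhparam /etc/nginx/ssl/dhparam.pem;|" \
  -e "s|^[[:space:]]*ssl_trusted_certificate .*;|    # ssl_trusted_certificate removed: self-signed certificate|" \
  /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
# fail loudly if the upstream template no longer carries the directives we rely on
grep -q 'ssl_certificate /etc/nginx/ssl/fullchain.pem;' /etc/nginx/sites-available/zammad_ssl.conf \
  || { echo "zammad_ssl.conf: certificate directive not found, template changed?" >&2; exit 1; }
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
# … unchanged: elasticsearch plugin setup …
```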
diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf
index 1042bbc..e5cd4fe 100644
--- a/src/zmb-ad-join/constants-service.conf
+++ b/src/zmb-ad-join/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -26,18 +26,6 @@ LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
-# add optional features to samba ad dc
-
-# CURRENTLY SUPPORTED:
-# wsdd = add windows service discovery
-# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
-# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
-
-# Example:
-# OPTIONAL_FEATURES=(wsdd)
-# OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd)
-
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh
index 9fdfa1f..7878146 100644
--- a/src/zmb-ad-join/install-service.sh
+++ b/src/zmb-ad-join/install-service.sh
@@ -5,35 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-
-for f in ${OPTIONAL_FEATURES[@]}; do
- if [[ "$f" == "wsdd" ]]; then
- ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
- elif [[ "$f" == "splitdns" ]]; then
- ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
- elif [[ "$f" == "bind9dlz" ]]; then
- ZMB_DNS_BACKEND="BIND9_DLZ"
- ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
- else
- echo "Unsupported optional feature $f"
- fi
-done
-
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
@@ -62,57 +46,6 @@ allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | r
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
-if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
- cat << EOF > /etc/nginx/sites-available/default
-server {
- listen 80 default_server;
- server_name _;
- return 301 http://www.$LXC_DOMAIN\$request_uri;
-}
-EOF
-fi
-
-if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
- # configure bind dns service
- cat << EOF > /etc/default/bind9
-#
-# run resolvconf?
-RESOLVCONF=no
-# startup options for the server
-OPTIONS="-4 -u bind"
-EOF
-
- cat << EOF > /etc/bind/named.conf.local
-//
-// Do any local configuration here
-//
-// Consider adding the 1918 zones here, if they are not used in your
-// organization
-//include "/etc/bind/zones.rfc1918";
-dlz "$LXC_DOMAIN" {
- database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
-};
-EOF
-
- cat << EOF > /etc/bind/named.conf.options
-options {
- directory "/var/cache/bind";
- forwarders {
- $LXC_DNS;
- };
- allow-query { any;};
- dnssec-validation no;
- auth-nxdomain no; # conform to RFC1035
- listen-on-v6 { any; };
- listen-on { any; };
- tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
- minimal-responses yes;
-};
-EOF
-
- mkdir -p /var/lib/samba/bind-dns/dns
-fi
-
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf < /etc/krb5.conf < /dev/null 2>&1
+systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
rm -f /etc/samba/smb.conf
+echo "fixing samba service to wait for lxc being online"
+
+install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
+
+cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
+[Unit]
+After=networking.service
+Wants=networking.service
+
+[Service]
+# Wait up to 30s for eth0 to get an IPv4 address
+ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
+
+Restart=on-failure
+RestartSec=3
+EOF
+
+systemctl daemon-reload
+
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
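Review bot: The `ExecStartPre` wait loop in the samba-ad-dc drop-in hard-codes `eth0`; a container whose interface is named differently fails every start after 30 s and then spins on `Restart=on-failure`. Either derive the interface name when writing the drop-in, or wait for a default route instead of a specific device: `ip -4 route show default | grep -q . && exit 0`. `After=networking.service` only orders after the ifupdown unit; `After=network-online.target` plus `Wants=network-online.target` is the documented way to wait for connectivity and would make most of the loop unnecessary. A one-line comment on why the DC needs this (`# samba-ad-dc binds the container IP at start; fails if the address is not yet assigned`) would help whoever maintains it.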
@@ -160,7 +112,10 @@ ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
-systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+systemctl restart samba-ad-dc
+
+bash /root/zmb-ad_auto-map-root.sh
+chmod +x /usr/bin/create-service-account
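Review bot: `bash /root/zmb-ad_auto-map-root.sh` and `chmod +x /usr/bin/create-service-account` reference files that nothing in this script creates; under the `set -euo pipefail` added at the top, a missing file aborts the install after the domain join has already succeeded, leaving a half-configured DC. If they are staged into the container by install.sh, say so (`# staged into the container by install.sh`); otherwise guard both with `[ -f … ]` checks. A `chmod +x` on a file in /usr/bin also suggests it should be placed with `install -m 0755` at staging time rather than fixed up here.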
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
@@ -168,7 +123,7 @@ cat << EOF > /usr/local/bin/smb-backup
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0
-keep=$1
+keep=\$1
if \$1 ; then
keep=\$1
fi
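Review bot: The escaping fix `keep=\$1` is right, but the following `if \$1 ; then keep=\$1; fi` in the generated smb-backup script does not test the argument, it executes it as a command: `7` from the cron line simply fails, while any other value would be run as root. Replace the assignment and the `if` block with `keep=\${1:-7}`, which gives the same default the cron entry passes and removes the command execution. The heredoc continues beyond this hunk.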
diff --git a/src/zmb-ad-restore/constants-service.conf b/src/zmb-ad-restore/constants-service.conf
deleted file mode 100644
index 1042bbc..0000000
--- a/src/zmb-ad-restore/constants-service.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel
-# (C) 2021 Script design and prototype by Markus Helmke
-# (C) 2021 Script rework and documentation by Thorsten Spille
-
-# This file contains the project constants on service level
-
-# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
-
-# Create sharefs mountpoint
-LXC_MP=0
-# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="backup"
-# Defines the recordsize of mp0
-LXC_MP_RECORDSIZE="16K"
-
-# Create unprivileged container
-LXC_UNPRIVILEGED="0"
-
-# enable nesting feature
-LXC_NESTING="1"
-
-# enable keyctl feature
-LXC_KEYCTL="0"
-
-# add optional features to samba ad dc
-
-# CURRENTLY SUPPORTED:
-# wsdd = add windows service discovery
-# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
-# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
-
-# Example:
-# OPTIONAL_FEATURES=(wsdd)
-# OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd)
-
-# Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=1024
-
-# service dependent meta tags
-SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
\ No newline at end of file
diff --git a/src/zmb-ad-restore/install-service.sh b/src/zmb-ad-restore/install-service.sh
deleted file mode 100644
index b3c14c8..0000000
--- a/src/zmb-ad-restore/install-service.sh
+++ /dev/null
@@ -1,195 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel
-# (C) 2021 Script design and prototype by Markus Helmke
-# (C) 2021 Script rework and documentation by Thorsten Spille
-
-source /root/functions.sh
-source /root/zamba.conf
-source /root/constants-service.conf
-
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-
-for f in ${OPTIONAL_FEATURES[@]}; do
- if [[ "$f" == "wsdd" ]]; then
- ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
- elif [[ "$f" == "splitdns" ]]; then
- ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
- elif [[ "$f" == "bind9dlz" ]]; then
- ZMB_DNS_BACKEND="BIND9_DLZ"
- ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
- else
- echo "Unsupported optional feature $f"
- fi
-done
-
-# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
-
-# update packages
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-# install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
-
-mkdir -p /etc/chrony/conf.d
-mkdir -p /etc/systemd/system/chrony.service.d
-
-cat << EOF > /etc/default/chrony
-# This is a configuration file for /etc/init.d/chrony and
-# /lib/systemd/system/chrony.service; it allows you to pass various options to
-# the chrony daemon without editing the init script or service file.
-
-# Options to pass to chrony.
-DAEMON_OPTS="-x -F 1"
-EOF
-
-cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
-[Unit]
-ConditionCapability=
-EOF
-
-cat << EOF > /etc/chrony/conf.d/samba.conf
-bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
-server de.pool.ntp.org iburst
-server europe.pool.ntp.org iburst
-allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
-ntpsigndsocket /var/lib/samba/ntp_signd
-EOF
-
-if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
- cat << EOF > /etc/nginx/sites-available/default
-server {
- listen 80 default_server;
- server_name _;
- return 301 http://www.$LXC_DOMAIN\$request_uri;
-}
-EOF
-fi
-
-if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
- # configure bind dns service
- cat << EOF > /etc/default/bind9
-#
-# run resolvconf?
-RESOLVCONF=no
-
-# startup options for the server
-OPTIONS="-4 -u bind"
-EOF
-
- cat << EOF > /etc/bind/named.conf.local
-//
-// Do any local configuration here
-//
-
-// Consider adding the 1918 zones here, if they are not used in your
-// organization
-//include "/etc/bind/zones.rfc1918";
-dlz "$LXC_DOMAIN" {
- database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
-};
-EOF
-
- cat << EOF > /etc/bind/named.conf.options
-options {
- directory "/var/cache/bind";
-
- forwarders {
- $LXC_DNS;
- };
-
- allow-query { any;};
- dnssec-validation no;
-
- auth-nxdomain no; # conform to RFC1035
- listen-on-v6 { any; };
- listen-on { any; };
-
- tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
- minimal-responses yes;
-};
-EOF
-
- mkdir -p /var/lib/samba/bind-dns/dns
-fi
-
-# stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
-rm -f /etc/samba/smb.conf
-rm -f /etc/krb5.conf
-
-rm -r /var/lib/samba/*
-
-backupfile=$(find /backup/online -name samba-backup* | tail -1)
-samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/
-
-ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
-
-# disable password expiry for administrator
-samba-tool user setexpiry Administrator --noexpiry
-
-systemctl unmask samba-ad-dc
-systemctl enable samba-ad-dc
-systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
-
-# configure ad backup
-cat << EOF > /usr/local/bin/smb-backup
-#!/bin/bash
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-rc=0
-keep=\$1
-
-mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
-
-prune () {
- backup_type=\$1
- if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
- find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
- fi
-}
-
-echo "\$(date) Starting samba-ad-dc online backup"
-if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
- echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
- prune online
-else
- echo "\$(date) samba-ad-dc online backup failed"
- rc=\$((\$rc + 1))
-fi
-
-echo "\$(date) Starting samba-ad-dc offline backup"
-if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
- echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
- prune offline
-else
- echo "S(date) samba-ad-dc offline backup failed"
- rc=\$((\$rc + 1))
-fi
-
-exit \$rc
-EOF
-chmod +x /usr/local/bin/smb-backup
-
-cat << EOF > /etc/cron.d/smb-backup
-23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
-EOF
-
-cat << EOF > /etc/logrotate.d/smb-backup
-/var/log/smb-backup.log {
- weekly
- rotate 12
- compress
- delaycompress
- missingok
- notifempty
- create 644 root root
-}
-EOF
-
-exit 0
\ No newline at end of file
diff --git a/src/zmb-ad/constants-service.conf b/src/zmb-ad/constants-service.conf
index 6016953..e621c1b 100644
--- a/src/zmb-ad/constants-service.conf
+++ b/src/zmb-ad/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
@@ -26,18 +26,6 @@ LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
-# add optional features to samba ad dc
-
-# CURRENTLY SUPPORTED:
-# wsdd = add windows service discovery
-# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
-# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
-
-# Example:
-# OPTIONAL_FEATURES=(wsdd)
-# OPTIONAL_FEATURES=(wsdd splitdns)
-OPTIONAL_FEATURES=(wsdd)
-
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh
index fbc3340..2e4476c 100644
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@@ -5,38 +5,20 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-
-for f in ${OPTIONAL_FEATURES[@]}; do
- if [[ "$f" == "wsdd" ]]; then
- ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
- elif [[ "$f" == "splitdns" ]]; then
- ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
- elif [[ "$f" == "bind9dlz" ]]; then
- ZMB_DNS_BACKEND="BIND9_DLZ"
- ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
- ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
- else
- echo "Unsupported optional feature $f"
- fi
-done
-
-# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
-
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc wsdd2
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
-
+echo "configuring chrony"
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d
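Review bot: The commented-out `apt install -t bookworm-backports ...` line survives this hunk while the matching `bookworm-backports` sources.list comment above `apt update` is deleted and the template moves to Debian 13, so it is now dead text naming the wrong release; drop it, or reword it to the current release if it is meant as a hint. On the install line that replaces it, `$LXC_TOOLSET` is deliberately expanded unquoted to word-split a package list, which under the newly added `set -u` also aborts if the variable is unset; a `# shellcheck disable=SC2086 -- LXC_TOOLSET is a space-separated package list` comment would make both facts explicit for the next reader.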
@@ -61,72 +43,35 @@ server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
-
-if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
- cat << EOF > /etc/nginx/sites-available/default
-server {
- listen 80 default_server;
- server_name _;
- return 301 http://www.$LXC_DOMAIN\$request_uri;
-}
-EOF
-fi
-
-if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
- # configure bind dns service
- cat << EOF > /etc/default/bind9
-#
-# run resolvconf?
-RESOLVCONF=no
-
-# startup options for the server
-OPTIONS="-4 -u bind"
-EOF
-
- cat << EOF > /etc/bind/named.conf.local
-//
-// Do any local configuration here
-//
-
-// Consider adding the 1918 zones here, if they are not used in your
-// organization
-//include "/etc/bind/zones.rfc1918";
-dlz "$LXC_DOMAIN" {
- database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
-};
-EOF
-
- cat << EOF > /etc/bind/named.conf.options
-options {
- directory "/var/cache/bind";
-
- forwarders {
- $LXC_DNS;
- };
-
- allow-query { any;};
- dnssec-validation no;
-
- auth-nxdomain no; # conform to RFC1035
- listen-on-v6 { any; };
- listen-on { any; };
-
- tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
- minimal-responses yes;
-};
-EOF
-
- mkdir -p /var/lib/samba/bind-dns/dns
-fi
-
+echo "disabling services"
# stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
-# provision zamba domain
-samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
+echo "fixing samba service to wait for lxc being online"
+install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
+
+cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
+[Unit]
+After=networking.service
+Wants=networking.service
+
+[Service]
+# Wait up to 30s for eth0 to get an IPv4 address
+ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
+
+Restart=on-failure
+RestartSec=3
+EOF
+
+systemctl daemon-reload
+
+echo "provisioning domain"
+# provision zamba domain
+samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL
+echo "provosioning finished"
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
# disable password expiry for administrator
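Review bot: The rewritten `samba-tool domain provision` line still passes `--adminpass=$ZMB_ADMIN_PASS` unquoted, so a password containing whitespace or glob characters is split by the shell before samba-tool sees it and provisioning fails or runs with a truncated password; write `--adminpass="$ZMB_ADMIN_PASS"` and quote `$ZMB_REALM` and `$ZMB_DOMAIN` the same way. Passing the password on argv also exposes it in `ps` and `/proc/*/cmdline` while provisioning runs and in any `set -x` trace; that is tolerable for a one-shot build inside a fresh container, but a comment such as `# NOTE: admin password is visible on argv for the duration of provisioning; never enable set -x around this call` would stop someone from adding tracing above it. The `ExecStartPre` loop in the new drop-in hardcodes `eth0`; on a container whose interface is named differently the pre-start fails after 30 s and `Restart=on-failure` loops forever, so either derive the interface or document the assumption next to the unit. The echo after the provision call misspells "provisioning".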
@@ -134,7 +79,10 @@ samba-tool user setexpiry Administrator --noexpiry
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
-systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+systemctl restart samba-ad-dc
+
+bash /root/zmb-ad_auto-map-root.sh
+chmod +x /usr/bin/create-service-account
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
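Review bot: `chmod +x /usr/bin/create-service-account` assumes that file is already present in the container, but nothing visible in this diff creates it, and with the newly enabled `set -e` a missing file aborts the script here, after the domain has already been provisioned and samba-ad-dc restarted, leaving a half-configured DC with no backup job installed. If the host-side installer copies it in, guard the step (`[[ -f /usr/bin/create-service-account ]] && chmod 0755 /usr/bin/create-service-account`) or have the copy step set the mode; the same applies to `bash /root/zmb-ad_auto-map-root.sh`, whose non-zero exit now stops the install at the same point. A one-line comment stating where these two files come from and what the helper script is expected to do would help the next maintainer. The heredoc that starts on the last line continues past this hunk.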
diff --git a/src/zmb-cups/constants-service.conf b/src/zmb-cups/constants-service.conf
index 5bf228d..8e571e7 100644
--- a/src/zmb-cups/constants-service.conf
+++ b/src/zmb-cups/constants-service.conf
@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
diff --git a/src/zmb-cups/install-service.sh b/src/zmb-cups/install-service.sh
index 636a723..a79b066 100644
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
@@ -14,7 +16,7 @@ source /root/constants-service.conf
apt update
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd2
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
-
apt update
-#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules
mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf < /etc/krb5.conf < /etc/samba/smb.conf < /etc/samba/smb.conf <> /etc/samba/smb.conf << EOF
[$ZMB_SHARE]
- comment = Main Share
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
read only = No
create mask = 0660
@@ -84,6 +84,10 @@ cat > /etc/samba/smb.conf <
# (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
-apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
-echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
+inst_45drives
-# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
-
-apt update
-
-#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
-#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd2
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
-smbpasswd -x $USER
+smbpasswd -x $USER || true
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
usermod -aG sudo $USER
@@ -65,14 +60,18 @@ EOF
net conf import /etc/samba/import.template
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+ mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+ chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+ chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-net conf setparm $ZMB_SHARE readonly no
-net conf setparm $ZMB_SHARE browseable yes
-net conf setparm $ZMB_SHARE createmask 0660
-net conf setparm $ZMB_SHARE directorymask 0770
+ net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+ net conf setparm $ZMB_SHARE readonly no
+ net conf setparm $ZMB_SHARE browseable yes
+ net conf setparm $ZMB_SHARE createmask 0660
+ net conf setparm $ZMB_SHARE directorymask 0770
+done
-systemctl restart smbd nmbd wsdd
+systemctl restart smbd nmbd wsdd2
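Review bot: Each name split out of `ZMB_SHARES` goes straight into `mkdir -p`, `chmod -R 770`, `chown -R` and `net conf addshare` with no validation, and `/$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE` is expanded unquoted, so a value with whitespace (including `share1, share2` with a space after the comma) or path characters such as `../` creates a directory outside the share root and recursively re-owns it. Add a guard as the first statement of the loop, e.g. `[[ "$ZMB_SHARE" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid share name: '$ZMB_SHARE'" >&2; exit 1; }`, and quote the path expansions as `"/$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE"`. Because this file now runs under `set -u`, an older `zamba.conf` that still defines only `ZMB_SHARE` dies on the `read -r -a` line with a bare unbound-variable error; a `: "${ZMB_SHARES:?set ZMB_SHARES (comma-separated) in zamba.conf}"` before the loop gives a message the operator can act on.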