From 75559ca34b021bb1dd5100f8affda6b7d7b9bf89 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Mon, 29 Sep 2025 20:40:22 +0200 Subject: [PATCH 01/59] rename computername for service login --- scripts/create-service-account | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/create-service-account b/scripts/create-service-account index 573e350..78401a3 100644 --- a/scripts/create-service-account +++ b/scripts/create-service-account @@ -36,7 +36,7 @@ ldbmodify -H /var/lib/samba/private/sam.ldb < Date: Thu, 2 Oct 2025 12:45:52 +0200 Subject: [PATCH 02/59] Create nextcloud.conf Upstream as Reverse Proxy --- scripts/nextcloud.conf | 44 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 scripts/nextcloud.conf diff --git a/scripts/nextcloud.conf b/scripts/nextcloud.conf new file mode 100644 index 0000000..fd53a71 --- /dev/null +++ b/scripts/nextcloud.conf 
@@ -0,0 +1,44 @@
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name cloud.domain.tld;
+
+ ssl_certificate /etc/ssl/mail/cert.pem;
+ ssl_certificate_key /etc/ssl/mail/key.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # HTTP → HTTPS
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+
+ location / {
+ proxy_pass https://nc.sysops.de;
+
+ # Hostname & Forwarded-Header sauber durchreichen
+ proxy_set_header Host 192.168.178.253; # explizit der Upstream-Name
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https; # TLS endet hier
+ proxy_set_header X-Forwarded-Host $host; # also cloud.sysops.de
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
+ proxy_set_header Referrer-Policy "no-referrer";
+
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 600;
+ client_max_body_size 10G;
+ }
+
+ # CalDAV/CardDAV Redirects
+ location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
+ location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
+}
From 5b263acbb2c0f2df995762936ea66244fc53056b Mon Sep 17 00:00:00 2001 From: Chriz Date: Thu, 2 Oct 2025 12:47:05 +0200 Subject: [PATCH 03/59] Rename nextcloud.conf to nextcloud-for-mailcow-dockerized.conf This is an Example for Nextcloud Upstream with Mailcow Dockerized as Reverse Proxy
---
scripts/{nextcloud.conf => nextcloud-for-mailcow-dockerized.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename scripts/{nextcloud.conf => nextcloud-for-mailcow-dockerized.conf} (100%)
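Review bot: `proxy_set_header Referrer-Policy "no-referrer";` in the `location /` block sets a *request* header on the connection to the upstream, where it does nothing — Referrer-Policy is a response header the browser has to receive, so it belongs at server level as `add_header Referrer-Policy "no-referrer" always;`. `proxy_pass https://nc.sysops.de;` speaks TLS to the backend while nginx's default `proxy_ssl_verify` is off, so the upstream certificate is never checked; if the backend is on a trusted LAN segment that may be acceptable, otherwise add `proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl_server_name on;`. `ssl_stapling_verify on` is set without an `ssl_trusted_certificate` beside it, so nginx cannot validate the stapled response and will log a warning rather than staple. Finally `Host` is pinned to `192.168.178.253` while `proxy_pass` uses a hostname; whichever is the real backend, Nextcloud will see the private IP as the request host and presumably needs it in its trusted_domains — worth stating in the comment instead of "explizit der Upstream-Name".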
diff --git a/scripts/nextcloud.conf b/scripts/nextcloud-for-mailcow-dockerized.conf similarity index 100% rename from scripts/nextcloud.conf rename to scripts/nextcloud-for-mailcow-dockerized.conf From 0460e3e5a1c0ceb16a7ff404d4c93328ad196deb Mon Sep 17 00:00:00 2001 From: Chriz Date: Thu, 2 Oct 2025 12:55:23 +0200 Subject: [PATCH 04/59] Update nextcloud-for-mailcow-dockerized.conf fixes --- scripts/nextcloud-for-mailcow-dockerized.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/nextcloud-for-mailcow-dockerized.conf b/scripts/nextcloud-for-mailcow-dockerized.conf index fd53a71..c8712ba 100644 --- a/scripts/nextcloud-for-mailcow-dockerized.conf +++ b/scripts/nextcloud-for-mailcow-dockerized.conf @@ -19,14 +19,14 @@ server { } location / { - proxy_pass https://nc.sysops.de; + proxy_pass https://cloud.domain.tld; # Hostname & Forwarded-Header sauber durchreichen proxy_set_header Host 192.168.178.253; # explizit der Upstream-Name proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; # TLS endet hier - proxy_set_header X-Forwarded-Host $host; # also cloud.sysops.de + proxy_set_header X-Forwarded-Host $host; # also cloud.domain.tld proxy_set_header X-Forwarded-Port 443; proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host"; proxy_set_header Referrer-Policy "no-referrer"; From 54ef036b78a770d306fbb01d7490037bdbcbfa47 Mon Sep 17 00:00:00 2001 From: Stefan Rutzmoser <7551295+redhawk07@users.noreply.github.com> Date: Wed, 8 Oct 2025 18:49:48 +0200 Subject: [PATCH 05/59] Allow multiple shares for ZMB-MEMBER --- conf/zamba.conf.example | 4 ++-- src/zmb-member/install-service.sh | 21 +++++++++++++++------ 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index 7a3736a..0595879 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example 
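Review bot: After this change `proxy_pass https://cloud.domain.tld;` targets the very name this server block answers for (`server_name cloud.domain.tld;`, above the hunk), so unless DNS resolves that name to the Nextcloud container rather than to this proxy, nginx forwards the request to itself; the backend address and the `Host` value look swapped. The backend belongs in `proxy_pass` and the public name in `Host` — `proxy_pass https://192.168.178.253;` together with `proxy_set_header Host $host;` — which also matches what the `X-Forwarded-Host` comment says the upstream should see. With an IP-addressed upstream the backend certificate will not match the IP, so either proxy over `http://` on the internal network or set `proxy_ssl_name cloud.domain.tld; proxy_ssl_verify on;` so the TLS hop is actually verified.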
@@ -114,8 +114,8 @@ ZMB_ADMIN_PASS='Start!123' # Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case) ZMB_DOMAIN_ADMINS="domain admins" -# Defines the name of your Zamba share -ZMB_SHARE="share" +# Defines the names of your Zamba shares in a comma separated list +ZMB_SHARES="share1,share2" ############### Mailpiler-Section ############### diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh index 0cc07d6..87e14fc 100644 --- a/src/zmb-member/install-service.sh +++ b/src/zmb-member/install-service.sh @@ -75,8 +75,13 @@ cat > /etc/samba/smb.conf <> /etc/samba/smb.conf << EOF [$ZMB_SHARE] - comment = Main Share path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE read only = No create mask = 0660 @@ -84,6 +89,7 @@ cat > /etc/samba/smb.conf < Date: Wed, 15 Oct 2025 18:33:38 +0200 Subject: [PATCH 06/59] Fix zammad nginx configuration --- src/zammad/install-service.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh index db36772..b876a1a 100644 --- a/src/zammad/install-service.sh +++ b/src/zammad/install-service.sh 
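Review bot: Each entry of the new comma-separated `ZMB_SHARES` list is interpolated verbatim into the smb.conf section header `[$ZMB_SHARE]` and into `path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE`, and nothing rejects a name containing `]`, `/`, `..`, whitespace or a newline, so a malformed entry silently yields a different section or a share path outside the mountpoint. Validate each name before it is written, e.g. `[[ "$ZMB_SHARE" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid share name: $ZMB_SHARE" >&2; exit 1; }` as the first statement of the loop. The loop header and the surrounding heredoc are not legible in this rendering (the `<<` redirections have been stripped), so only the section body shown here could be reviewed.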
@@ -39,13 +39,14 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem -sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \ - -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \ - -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \ - -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \ - -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \ +echo "Customizing nginx configuration..." +sed -e "s|$(grep -m1 server_name /etc/nginx/sites-available/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \ + -e "s|$(grep -m1 ssl_certificate /etc/nginx/sites-available/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \ + -e "s|$(grep -m1 ssl_certificate_key /etc/nginx/sites-available/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \ + -e "s|$(grep -m1 ssl_protocols /etc/nginx/sites-available/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \ + -e "s|$(grep -m1 ssl_trusted_certificate /etc/nginx/sites-available/zammad_ssl.conf)|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \ /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf - +echo "Linking nginx configuration..." ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/ From 818cbfc7324c02c41bb7241603dc6ade63fd4ecb Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 15 Oct 2025 18:36:18 +0200 Subject: [PATCH 07/59] Fix nginx configuration --- src/zammad/install-service.sh | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
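Review bot: The five `$(grep -m1 … zammad_ssl.conf)` substitutions are dropped unescaped into the left side of `s|…|…|g`, so the matched line is treated as a basic regex rather than a literal — harmless for the `.` in `example.com`, but a `|` in the matched line breaks the expression, and when a directive is absent the pattern is empty and GNU sed aborts with "no previous regular expression", leaving an empty vhost file. `grep -m1 ssl_certificate` also matches `ssl_certificate_key` if that line happens to come first in the template. Anchored patterns on the directive name (below) need neither grep nor escaping, are no-ops when a directive is missing, and the trailing space after `ssl_certificate` keeps it from matching `ssl_certificate_key`. Note also that in this revision the greps read `/etc/nginx/sites-available/zammad_ssl.conf`, which is the file being generated, so on a first run every pattern is empty.
```shell
echo "Customizing nginx configuration..."
sed -e "s|^\(\s*\)server_name .*;|\1server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|" \
    -e "s|^\(\s*\)ssl_certificate .*;|\1ssl_certificate /etc/nginx/ssl/fullchain.pem;|" \
    -e "s|^\(\s*\)ssl_certificate_key .*;|\1ssl_certificate_key /etc/nginx/ssl/privkey.pem;|" \
    -e "s|^\(\s*\)ssl_protocols .*;|\1ssl_protocols TLSv1.2 TLSv1.3;|" \
    -e "s|^\(\s*\)ssl_trusted_certificate .*;|\1# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|" \
    /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
# … unchanged: symlink into sites-enabled …
```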
diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh index b876a1a..feb0d85 100644 --- a/src/zammad/install-service.sh +++ b/src/zammad/install-service.sh @@ -40,14 +40,13 @@ ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem echo "Customizing nginx configuration..." -sed -e "s|$(grep -m1 server_name /etc/nginx/sites-available/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \ - -e "s|$(grep -m1 ssl_certificate /etc/nginx/sites-available/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \ - -e "s|$(grep -m1 ssl_certificate_key /etc/nginx/sites-available/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \ - -e "s|$(grep -m1 ssl_protocols /etc/nginx/sites-available/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \ - -e "s|$(grep -m1 ssl_trusted_certificate /etc/nginx/sites-available/zammad_ssl.conf)|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \ +sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \ + -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \ + -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \ + -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \ + -e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \ /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf -echo "Linking nginx configuration..." -ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/ + # configure elasticsearch 
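Review bot: The `ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/` line is removed together with the "Linking…" echo, so after this change the vhost is generated but never enabled and nginx keeps serving whatever `sites-enabled` already contains; keep the symlink after the `sed` (the echo can go). Re-pointing the `grep` calls at `/opt/zammad/contrib/nginx/zammad_ssl.conf` is the right source, since the file under sites-available does not exist on a fresh install.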
From 85caaac8483622ca6a50b994492f36cfb287bdf8 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 16 Oct 2025 19:16:11 +0200 Subject: [PATCH 08/59] Fix Matrix admin password --- src/matrix/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh index f0532c3..5f141df 100644 --- a/src/matrix/install-service.sh +++ b/src/matrix/install-service.sh @@ -154,6 +154,6 @@ systemctl restart matrix-synapse rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc -register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008 +register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008 -echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n" \ No newline at end of file +echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n" From a31ebfb0e3130755c4c9b23be1736e142506d60e Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 16 Oct 2025 19:31:35 +0200 Subject: [PATCH 09/59] Fix dhparam and nginx cfg link --- src/zammad/install-service.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh index feb0d85..aa482c4 100644 --- a/src/zammad/install-service.sh +++ b/src/zammad/install-service.sh 
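Review bot: `register_new_matrix_user -p "$MATRIX_ADMIN_PASSWORD"` — the quoting fix itself is right — still passes the admin password on the command line, where any local user can read it from `ps`/`/proc` while the command runs, and the closing `echo -e` then prints it in clear text to the console and any captured install log. If the installer must stay non-interactive the argv exposure is hard to avoid with this tool, but the echo can stop leaking it: `echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\tas set in MATRIX_ADMIN_PASSWORD (zamba.conf)\n\n"`. `$MATRIX_ADMIN_USER` on the same line is still unquoted; quote it the same way as the password argument.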
@@ -44,10 +44,11 @@ sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|serv -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \ -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \ -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \ + -e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \ -e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \ /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf - + ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/ # configure elasticsearch /usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment From f37757a08adb1ae75ca75a733cd49f9e0e379e18 Mon Sep 17 00:00:00 2001 From: Stefan Rutzmoser <7551295+redhawk07@users.noreply.github.com> Date: Thu, 16 Oct 2025 21:28:41 +0200 Subject: [PATCH 10/59] Also for standalone --- src/zmb-standalone/install-service.sh | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh index 190a8c0..2b8c358 100644 --- a/src/zmb-standalone/install-service.sh +++ b/src/zmb-standalone/install-service.sh 
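Review bot: The added `-e "s|$(grep -m1 ssl_dhparam …)|…|g"` inherits the failure mode of its siblings: if the upstream template has no uncommented `ssl_dhparam` line, the expression becomes `s||…|g`, GNU sed exits with "no previous regular expression", the generated file is empty, and the restored `ln -sf` then enables an empty site. An anchored pattern needs no grep and is a harmless no-op when the directive is absent: `-e "s|^\(\s*\)ssl_dhparam .*;|\1ssl_dhparam /etc/nginx/ssl/dhparam.pem;|"`. `/etc/nginx/ssl/dhparam.pem` is a symlink to `/etc/nginx/dhparam.pem` (context above the hunk), and nothing visible here creates that file; if it is not generated elsewhere in the script nginx will refuse to start, so a `test -s /etc/nginx/dhparam.pem` before the restart would make that failure explicit.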
@@ -65,14 +65,18 @@ EOF
 net conf import /etc/samba/import.template
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+ mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+ chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+ chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-net conf setparm $ZMB_SHARE readonly no
-net conf setparm $ZMB_SHARE browseable yes
-net conf setparm $ZMB_SHARE createmask 0660
-net conf setparm $ZMB_SHARE directorymask 0770
+ net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+ net conf setparm $ZMB_SHARE readonly no
+ net conf setparm $ZMB_SHARE browseable yes
+ net conf setparm $ZMB_SHARE createmask 0660
+ net conf setparm $ZMB_SHARE directorymask 0770
+done
 systemctl restart smbd nmbd wsdd
From 9537faaaab70c17f2a06a44457b364b5a34078ee Mon Sep 17 00:00:00 2001 From: Stefan Rutzmoser <7551295+redhawk07@users.noreply.github.com> Date: Thu, 16 Oct 2025 21:29:24 +0200 Subject: [PATCH 11/59] Update README
---
conf/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/conf/README.md b/conf/README.md
index 9bbbfb3..0d03fba 100644
--- a/conf/README.md
+++ b/conf/README.md
@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour. `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
-### ZMB_SHARE
-Defines the name of your Zamba share
+### ZMB_SHARES
+Defines the names of your Zamba shares
 ```bash
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
 ```
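Review bot: Share names from `ZMB_SHARES` are expanded unquoted in `mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE`, in the recursive `chmod`/`chown` and in `net conf addshare $ZMB_SHARE …`, and nothing rejects an entry containing whitespace, `/` or `..` — an entry such as `../etc` would have `chmod -R 770` and `chown -R` applied outside the share mountpoint. Validate each entry and quote every expansion (below). `chmod -R 770`/`chown -R $USER:root` also walk everything already under an existing share directory on each invocation, resetting ownership and mode bits users may have changed; limiting them to a directory this run created is safer — hedged, since I cannot see whether this script is ever re-run against a populated mountpoint.
```shell
IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
do
  # reject anything that could escape the mountpoint or mangle the smb.conf section name
  [[ "$ZMB_SHARE" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid share name: '$ZMB_SHARE'" >&2; exit 1; }
  SHARE_PATH="/$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE"
  mkdir -p "$SHARE_PATH"
  chmod -R 770 "$SHARE_PATH"
  chown -R "$USER:root" "$SHARE_PATH"
  net conf addshare "$ZMB_SHARE" "$SHARE_PATH"
  # … unchanged: net conf setparm lines, with "$ZMB_SHARE" quoted the same way …
done
```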
From 3e257d053403a6a33ca5832f464bf0463d69d4b9 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 17 Oct 2025 23:22:46 +0200 Subject: [PATCH 12/59] fix folder creation --- src/zmb-member/install-service.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh index 87e14fc..b682833 100644 --- a/src/zmb-member/install-service.sh +++ b/src/zmb-member/install-service.sh @@ -102,7 +102,9 @@ systemctl restart winbind nmbd wbinfo -u wbinfo -g -for SHARE in "${ZMB_SHARES_ARRAY[@]}" +unset ZMB_SHARE + +for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}" do mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE From 9a644fd1492b9f078f8846ae5de554b9b62a5611 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 18 Oct 2025 17:50:47 +0200 Subject: [PATCH 13/59] remove debian 10,11 sources, add debian 13 sources --- src/lxc-base.sh | 42 +++++++++++++++++++----------------------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/src/lxc-base.sh b/src/lxc-base.sh index 006f48d..524bc25 100644 --- a/src/lxc-base.sh +++ b/src/lxc-base.sh 
@@ -24,29 +24,7 @@ EOF
 locale-gen $LXC_LOCALE
 # Generate sources
-if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ buster main contrib
-
-deb http://deb.debian.org/debian/ buster-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security buster/updates main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ bullseye main contrib
-
-deb http://deb.debian.org/debian/ bullseye-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security bullseye-security main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
+if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
 deb http://deb.debian.org/debian/ bookworm main contrib
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
 # security updates
 deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
+
+if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
+cat << EOF > /etc/apt/sources.list.d/debian.sources
+Types: deb deb-src
+URIs: https://deb.debian.org/debian
+Suites: trixie trixie-updates
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security
+Suites: trixie-security
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+EOF
 else echo "LXC Debian Version false. Please check configuration files!" ; exit fi
From 9a076c575a29d1542cff589c39019a44ce3f97af Mon Sep 17 00:00:00 2001
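Review bot: The trixie stanzas enable `Components: main non-free-firmware contrib non-free` and `Types: deb deb-src`, whereas the bookworm branch directly above only enables `main contrib`; nothing in the commit says the containers need `non-free` packages or source indices, and both widen what an `apt install` can resolve to and double the index download on every `apt update`. Unless there is a concrete need, match the bookworm policy with `Types: deb` and `Components: main contrib non-free-firmware` (firmware is the one component that genuinely moved out of `non-free` in Debian 12+). The `else … ; exit` fallback in the trailing context line exits with status 0 on an unknown `LXC_TEMPLATE_VERSION`, so callers cannot tell that no sources were written — pre-existing, but `exit 1` is the right code now that two versions were removed and older configs will hit this branch.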
From: Thorsten Spille Date: Sat, 18 Oct 2025 19:02:40 +0200 Subject: [PATCH 14/59] prepare functions for debian 13 --- src/functions.sh | 56 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 49 insertions(+), 7 deletions(-) diff --git a/src/functions.sh b/src/functions.sh index dd0c346..dfe52bb 100644 --- a/src/functions.sh +++ b/src/functions.sh 
@@ -24,29 +24,71 @@ apt_repo() { apt_key_url=$2 apt_key_path=/usr/share/keyrings/${apt_name}.gpg apt_repo_url=$3 + apt_suites=$4 + apt_components=$5 + tmp_key_file=$(mktemp) + if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then + echo "❌ Fehler beim Herunterladen des Schlüssels." + rm -f "${tmp_key_file}" + exit 1 + fi + if file "${tmp_key_file}" | grep -q "ASCII"; then + echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..." + # Wenn es ASCII ist, konvertiere es mit --dearmor + if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then + echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert." + else + echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels." + rm -f "${tmp_key_file}" # Temporäre Datei aufräumen + exit 1 + fi + else + echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..." + # Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei + if sudo mv "${tmp_key_file}" "${apt_key_path}"; then + echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert." + else + echo "❌ Fehler beim Kopieren des binären Schlüssels." 
+ rm -f "${tmp_key_file}" + exit 1 + fi + fi - wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path} - echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list + if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then + cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources +Types: deb +URIs: $apt_repo_url +Suites: $apt_suites +Components: $apt_components +Enabled: yes +Signed-By: $apt_key_path +EOF + else + echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list + fi } + #### Set repo and install Nginx #### inst_nginx() { - apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx" + apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx" apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx } + #### Set repo and install PHP #### inst_php() { - curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg - echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list + apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main" apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline} } + #### Set repo and install Postgresql #### inst_postgresql() { - apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" + apt_repo "postgresql" 
"https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main" apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION } + #### Set repo and install Crowdsec #### inst_crowdsec() { - apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main" + apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main" apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables } From 75f67002fa192d68095da03cca5d4fba0dd93a1c Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 27 Nov 2025 23:22:30 +0100 Subject: [PATCH 15/59] add websocket support for vaultwarden --- src/vaultwarden/install-service.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/vaultwarden/install-service.sh b/src/vaultwarden/install-service.sh index 2fcc438..2ee9866 100644 --- a/src/vaultwarden/install-service.sh +++ b/src/vaultwarden/install-service.sh @@ -149,6 +149,9 @@ server { proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:8000; proxy_read_timeout 90; + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "upgrade"; } } From 4bc444fe1cf0d79eefb28d35a03c4bd1cf1cea20 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 19 Dec 2025 13:33:29 +0000 Subject: [PATCH 16/59] remove software-properties-common --- src/constants.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/constants.conf b/src/constants.conf index 2bd09ff..184a8de 100644 --- a/src/constants.conf +++ b/src/constants.conf 
@@ -8,4 +8,4 @@ # This file contains the project constants on container level # Define your (administrative) tools, you always want to have installed into your LXC container -LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux" +LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https wget ssl-cert tmux" From 94b18e8061f02ce9f960b59a857c3b575f083366 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 19 Dec 2025 13:33:54 +0000 Subject: [PATCH 17/59] add bashclub-cmk --- src/bashclub-cmk/constants-service.conf | 39 +++++++++++ src/bashclub-cmk/install-service.sh | 86 +++++++++++++++++++++++++ 2 files changed, 125 insertions(+) create mode 100644 src/bashclub-cmk/constants-service.conf create mode 100644 src/bashclub-cmk/install-service.sh diff --git a/src/bashclub-cmk/constants-service.conf b/src/bashclub-cmk/constants-service.conf new file mode 100644 index 0000000..84c2348 --- /dev/null +++ b/src/bashclub-cmk/constants-service.conf 
@@ -0,0 +1,39 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-13-standard" + + +# Create sharefs mountpoint +LXC_MP=1 +# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) +LXC_SHAREFS_MOUNTPOINT="var/lib/cmk-push-agent" +# Defines the recordsize of mp0 +LXC_MP_RECORDSIZE="16K" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# enable keyctl feature +LXC_KEYCTL="0" + +# checkmk version +CMK_VERSION=2.4.0p18 +# build number of the debian package (needs to start with underscore) +CMK_BUILD=_0 + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=2048 + +# service dependent meta tags +SERVICE_TAGS="apache2" diff --git a/src/bashclub-cmk/install-service.sh b/src/bashclub-cmk/install-service.sh new file mode 100644 index 0000000..5c576d6 --- /dev/null +++ b/src/bashclub-cmk/install-service.sh 
@@ -0,0 +1,86 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +set -euo pipefail + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/testing $(lsb_release -cs) main" > /etc/apt/sources.list.d/bashclub.list +apt update + +cd /tmp +wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb +omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE + +cat << EOF > /etc/apache2/sites-available/000-default.conf + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L] + +EOF + +cat << EOF > /etc/apache2/sites-available/default-ssl.conf + + RewriteEngine On + RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE + RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L] + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + + ErrorLog \${APACHE_LOG_DIR}/error.log + CustomLog \${APACHE_LOG_DIR}/access.log combined + + SSLEngine on + + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + #SSLVerifyClient require + #SSLVerifyDepth 10 + + #SSLOptions +FakeBasicAuth 
+ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + +EOF + +a2enmod ssl +a2enmod rewrite +a2ensite default-ssl + +systemctl restart apache2.service + +omd start $CMK_INSTANCE + +# install matrix notification plugin + +wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py +chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py +chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py + + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install cmk-push-server From 63e195849d1e2b4c9e8e83e91cd6eeaf561be0f5 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 19 Dec 2025 13:34:50 +0000 Subject: [PATCH 18/59] update checkmk to 2.4p18, debian 13 --- src/checkmk/constants-service.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/checkmk/constants-service.conf b/src/checkmk/constants-service.conf index 4bd1582..9715ad6 100644 --- a/src/checkmk/constants-service.conf +++ b/src/checkmk/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint @@ -28,7 +28,7 @@ LXC_NESTING="1" LXC_KEYCTL="0" # checkmk version -CMK_VERSION=2.3.0p6 +CMK_VERSION=2.4.0p18 # build number of the debian package (needs to start with underscore) CMK_BUILD=_0 From cf5f0ca1460ec0a9656921550230d627662ab3bb Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 19 Dec 2025 17:30:03 +0000 Subject: [PATCH 19/59] remove instance setup from postinst --- src/bashclub-cmk/install-service.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/bashclub-cmk/install-service.sh b/src/bashclub-cmk/install-service.sh index 5c576d6..cf2a1ef 100644 
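Review bot: The Checkmk package is fetched with a bare `wget` and handed straight to `apt install ./…deb`, which does no signature or checksum verification for local files, so a tampered or truncated download is installed as root unchecked; Checkmk publishes a package-signing key, so either verify the package (e.g. `dpkg-sig --verify` after importing that key) or pin a SHA256 per version in constants-service.conf and check it before the install (below). The same applies to `matrix.py`, which is pulled from the `master` branch of a GitHub repository, made executable and dropped into the site — pin it to a commit or tag and verify its hash. `omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE` exposes the admin password in the process list for the duration of the command and, being unquoted, breaks on any whitespace; at minimum quote it as `"$CMK_ADMIN_PW"`. The rendered hunk has lost the `<VirtualHost …>` tags of both Apache heredocs, so the vhost bodies cannot be reviewed as written here.
```shell
cd /tmp
CMK_DEB="check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb"
wget -O "$CMK_DEB" "https://download.checkmk.com/checkmk/$CMK_VERSION/$CMK_DEB"
# CMK_SHA256 would be a new per-version constant in constants-service.conf; apt does not verify local .deb files
echo "$CMK_SHA256  $CMK_DEB" | sha256sum -c - || { echo "checksum mismatch for $CMK_DEB" >&2; exit 1; }
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install "./$CMK_DEB"
omd create --admin-password "$CMK_ADMIN_PW" "$CMK_INSTANCE"
# … unchanged: apache vhost heredocs, module/site enablement, matrix plugin download …
```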
--- a/src/bashclub-cmk/install-service.sh +++ b/src/bashclub-cmk/install-service.sh @@ -84,3 +84,5 @@ chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notificati DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install cmk-push-server + +cmk-push-setup \ No newline at end of file From 52312d6a588d01279c82fe8800661907c9d14c61 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 21 Dec 2025 19:49:20 +0000 Subject: [PATCH 20/59] fix ntpdate, remove wsdd --- src/zmb-ad-join/constants-service.conf | 2 +- src/zmb-ad-join/install-service.sh | 2 +- src/zmb-ad/constants-service.conf | 2 +- src/zmb-ad/install-service.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf index 1042bbc..b0b5cc3 100644 --- a/src/zmb-ad-join/constants-service.conf +++ b/src/zmb-ad-join/constants-service.conf @@ -36,7 +36,7 @@ LXC_KEYCTL="0" # Example: # OPTIONAL_FEATURES=(wsdd) # OPTIONAL_FEATURES=(wsdd splitdns) -OPTIONAL_FEATURES=(wsdd) +OPTIONAL_FEATURES=() # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index 9fdfa1f..bf0f3aa 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh 
@@ -33,7 +33,7 @@ done apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade # install required packages -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils diff --git a/src/zmb-ad/constants-service.conf b/src/zmb-ad/constants-service.conf index 6016953..256801e 100644 --- a/src/zmb-ad/constants-service.conf +++ b/src/zmb-ad/constants-service.conf @@ -36,7 +36,7 @@ LXC_KEYCTL="0" # Example: # OPTIONAL_FEATURES=(wsdd) # OPTIONAL_FEATURES=(wsdd splitdns) -OPTIONAL_FEATURES=(wsdd) +OPTIONAL_FEATURES=() # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh index fbc3340..3455650 100644 --- a/src/zmb-ad/install-service.sh +++ b/src/zmb-ad/install-service.sh 
@@ -33,7 +33,7 @@ done apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade # install required packages -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils From 9f779d3065f192063301f99909fd707e9b0817d4 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 21 Dec 2025 19:51:21 +0000 Subject: [PATCH 21/59] debian 13 for ad --- src/zmb-ad-join/constants-service.conf | 2 +- src/zmb-ad/constants-service.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf index b0b5cc3..26ceb7b 100644 --- a/src/zmb-ad-join/constants-service.conf +++ b/src/zmb-ad-join/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 
diff --git a/src/zmb-ad/constants-service.conf b/src/zmb-ad/constants-service.conf index 256801e..d96197f 100644 --- a/src/zmb-ad/constants-service.conf +++ b/src/zmb-ad/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 From de06881a9700f9386a6d7119fe8b00cf2e64c04c Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 21 Dec 2025 20:08:33 +0000 Subject: [PATCH 22/59] zmb-member debian 13 --- src/zmb-member/constants-service.conf | 2 +- src/zmb-member/install-service.sh | 10 +++------- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/src/zmb-member/constants-service.conf b/src/zmb-member/constants-service.conf index 71c2446..658075e 100644 --- a/src/zmb-member/constants-service.conf +++ b/src/zmb-member/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh index b682833..aa8ee25 100644 --- a/src/zmb-member/install-service.sh +++ b/src/zmb-member/install-service.sh 
@@ -9,12 +9,9 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list - apt update -#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules mv /etc/krb5.conf /etc/krb5.conf.bak cat > /etc/krb5.conf < /etc/samba/smb.conf <> /etc/samba/smb.conf << EOF [$ZMB_SHARE] path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE @@ -115,4 +111,4 @@ do setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE done -systemctl restart smbd nmbd winbind wsdd +systemctl restart smbd nmbd winbind From 34b393835062e1add76daa9f82d7f8bdfa62f077 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 6 Jan 2026 11:35:44 +0000 Subject: [PATCH 23/59] mailcow -> debian 13 --- src/mailcow/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mailcow/constants-service.conf b/src/mailcow/constants-service.conf index 2097c74..5fefb28 100644 --- a/src/mailcow/constants-service.conf +++ b/src/mailcow/constants-service.conf 
@@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 From bdcc74535d464e85f0a9db2c98fc31d1f6f9ffa3 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 6 Jan 2026 11:47:56 +0000 Subject: [PATCH 24/59] fix lxc config if docker --- install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install.sh b/install.sh index 53f763b..025b69a 100755 --- a/install.sh +++ b/install.sh @@ -154,6 +154,10 @@ pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged set -u sleep 2; +if [[ $SERVICE_TAGS == *"docker"* ]]; then + echo "lxc.apparmor.profile: unconfined" >> /etc/pve/lxc/${LXC_NBR}.conf +fi + # Check vlan configuration if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi # Reconfigure conatiner From 95d04fd28c4014580f05f4d2fdc93e53252859c8 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 6 Jan 2026 12:50:40 +0000 Subject: [PATCH 25/59] fix docker settings --- src/mailcow/install-service.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/mailcow/install-service.sh b/src/mailcow/install-service.sh index 93a3aa2..16a1bcc 100644 --- a/src/mailcow/install-service.sh +++ b/src/mailcow/install-service.sh @@ -78,9 +78,9 @@ cat << EOF > /etc/docker/daemon.json { "default-ulimits": { "nproc": { - "name": "nproc", - "soft": -1, - "hard": -1 + "Name": "nproc", + "Soft": 4096, + "Hard": 4096 } } } From 44121d78c5d0ab16689ea48bc55bc2b1c2a45892 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 11 Jan 2026 20:39:05 +0000 Subject: [PATCH 26/59] update urbackup --- src/urbackup/constants-service.conf | 4 ++-- src/urbackup/install-service.sh | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) 
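Review bot: `lxc.apparmor.profile: unconfined` in install.sh removes AppArmor confinement from the whole container whenever any service tag contains the substring `docker`, which is a far broader relaxation than Docker-in-LXC needs; LXC's stock `lxc-container-default-with-nesting` profile, where the host provides it, is the usual narrower choice, so at minimum record the trade-off: `# Docker needs nesting; 'unconfined' drops container confinement entirely — prefer a nesting-aware AppArmor profile where it works`. The `*"docker"*` glob also matches any tag that merely contains the word (for instance a constructed `docker-proxy`), which may be intended but is worth stating. Appending to `/etc/pve/lxc/${LXC_NBR}.conf` on every run duplicates the line if install.sh is re-executed for the same container; `grep -qx "lxc.apparmor.profile: unconfined" /etc/pve/lxc/${LXC_NBR}.conf || echo "lxc.apparmor.profile: unconfined" >> /etc/pve/lxc/${LXC_NBR}.conf` keeps it idempotent. The surrounding container setup runs outside the hunk.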
diff --git a/src/urbackup/constants-service.conf b/src/urbackup/constants-service.conf index 9222b47..5a49863 100644 --- a/src/urbackup/constants-service.conf +++ b/src/urbackup/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 @@ -30,7 +30,7 @@ LXC_KEYCTL="0" URBACKUP_DATA="urbackup" # OS codename for opensuse / urbackup repo -REPO_CODENAME="Debian_12" +REPO_CODENAME="Debian_13" # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 diff --git a/src/urbackup/install-service.sh b/src/urbackup/install-service.sh index 64e0f34..39fcc4f 100644 --- a/src/urbackup/install-service.sh +++ b/src/urbackup/install-service.sh 
@@ -18,10 +18,11 @@ echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" ssl-cert urbackup-server nginx -mkdir -p /etc/nginx/ssl -openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" +install -d -m 0750 -o root -g root /etc/nginx/ssl +ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem +ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem ln -s /usr/share/urbackup/www /var/www/urbackup @@ -45,8 +46,8 @@ server { index index.htm; ssl on; - ssl_certificate /etc/nginx/ssl/urbackup.crt; - ssl_certificate_key /etc/nginx/ssl/urbackup.key; + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; location /x { include /etc/nginx/fastcgi_params; From 4c9a0cd7751f72b709e3363a45de5b40e655478e Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 11 Jan 2026 20:39:24 +0000 Subject: [PATCH 27/59] update debian containers --- src/debian-priv/constants-service.conf | 2 +- src/debian-unpriv/constants-service.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/debian-priv/constants-service.conf b/src/debian-priv/constants-service.conf index 48ffd59..1a01f9e 100644 --- a/src/debian-priv/constants-service.conf +++ b/src/debian-priv/constants-service.conf 
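Review bot: Replacing the generated certificate with symlinks to the `ssl-cert-snakeoil` pair changes what clients see: the snakeoil certificate is a generic self-signed one created when the ssl-cert package is installed, with no subjectAltName for `$LXC_HOSTNAME.$LXC_DOMAIN`, whereas the removed `openssl req` call issued one carrying that name — both are untrusted, but the new one no longer even matches the host. If the intent is to stop minting keys in the installer, say so and point at the hook for real material: `# Placeholder TLS material: links to the ssl-cert snakeoil pair; replace both links with a certificate/key issued for this host`. The two `ln -s` calls also fail on a re-run because the links already exist; `ln -sf` keeps the script idempotent. The second hunk in this patch points nginx at the new link names and still carries the deprecated `ssl on;` directive, which a later patch in this series removes.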
@@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/debian-unpriv/constants-service.conf b/src/debian-unpriv/constants-service.conf index a7e36f5..eab9506 100644 --- a/src/debian-unpriv/constants-service.conf +++ b/src/debian-unpriv/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 From 37f6bb940af69fe30a12b71394de0f6d2126247f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 17 Jan 2026 16:43:04 +0000 Subject: [PATCH 28/59] remove apt lxc --- src/apt/constants-service.conf | 33 ---- src/apt/install-service.sh | 273 --------------------------------- 2 files changed, 306 deletions(-) delete mode 100644 src/apt/constants-service.conf delete mode 100644 src/apt/install-service.sh diff --git a/src/apt/constants-service.conf b/src/apt/constants-service.conf deleted file mode 100644 index c538e56..0000000 --- a/src/apt/constants-service.conf +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -# This file contains the project constants on service level - -# Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" - -# Create sharefs mountpoint -LXC_MP=1 -# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) -LXC_SHAREFS_MOUNTPOINT="srv" -# Defines the recordsize of mp0 -LXC_MP_RECORDSIZE="16K" - -# Create unprivileged container -LXC_UNPRIVILEGED="1" - -# enable nesting feature -LXC_NESTING="1" - -# enable keyctl feature -LXC_KEYCTL="0" - -# Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=1024 - -# service dependent meta tags -SERVICE_TAGS="aptly,nginx" diff --git a/src/apt/install-service.sh b/src/apt/install-service.sh deleted file mode 100644 index 34bca19..0000000 --- a/src/apt/install-service.sh +++ /dev/null 
@@ -1,273 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -source /root/functions.sh -source /root/zamba.conf -source /root/constants-service.conf -source /etc/os-release - -apt update - -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc - -# Create gpg key for apt repo signing -gpg --batch --gen-key < /etc/aptly.conf -{ - "rootDir": "/$LXC_SHAREFS_MOUNTPOINT", - "downloadConcurrency": 4, - "downloadSpeedLimit": 0, - "architectures": [ - "amd64", - "armhf" - ], - "dependencyFollowSuggests": false, - "dependencyFollowRecommends": false, - "dependencyFollowAllVariants": false, - "dependencyFollowSource": false, - "dependencyVerboseResolve": true, - "gpgDisableSign": false, - "gpgDisableVerify": false, - "gpgProvider": "gpg", - "downloadSourcePackages": false, - "skipLegacyPool": true, - "ppaDistributorID": "$AM_COMPANY_NAME", - "ppaCodename": "" -} -EOF - -cat << EOF > /usr/local/bin/update-apt-mirrors -#!/bin/bash -PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" - -for m in $(aptly mirror list -raw); do - aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m -done -EOF - -chmod +x /usr/local/bin/update-apt-mirrors - - -cat << EOF > /etc/nginx/conf.d/default.conf -server { - listen 80 default_server; - listen [::]:80 default_server; - - # Force HTTPS connection. 
This rules is domain agnostic - if (\$scheme != "https") { - rewrite ^ https://\$host\$uri permanent; - } - - # SSL configuration - # - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - - ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; - ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; - - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers on; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 - ssl_session_timeout 10m; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; # Requires nginx >= 1.5.9 - ssl_stapling on; # Requires nginx >= 1.3.7 - ssl_stapling_verify on; # Requires nginx => 1.3.7 - resolver 15.137.208.11 15.137.209.11 valid=300s; - resolver_timeout 5s; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - - root /var/www/html; - index index.html index.htm; - - server_name _; - - location /gpg { - autoindex on; - } - - location /graph { - autoindex on; - } - - location / { - # First attempt to serve request as file, then - # as directory, then fall back to displaying a 404. 
- #try_files \$uri \$uri/ =404; - proxy_set_header Host \$host; - proxy_set_header X-Real-IP \$remote_addr; - proxy_pass http://localhost:8080; - - } - - location /api { - proxy_pass http://localhost:8000/api; - } - - location /api/graph { - return 403; - } -} -EOF - -cat << EOF > /etc/systemd/system/aptly.service -[Unit] -Description=Aptly Repository service - -[Service] -User=root -ExecStart=/usr/bin/aptly serve -listen="localhost:8080" -KillSignal=SIGTERM -KillMode=process -TimeoutStopSec=15s - -[Install] -WantedBy=multi-user.target - -EOF - -cat << EOF > /etc/systemd/system/aptly-api.service -[Unit] -Description=Aptly REST API service - -[Service] -User=root -ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock -KillSignal=SIGTERM -KillMode=process -TimeoutStopSec=15s - -[Install] -WantedBy=multi-user.target -EOF - -cat << EOF > /root/mirror-examples -# import proxmox keyring -wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import - -# proxmox 8 no subscription mirror (about 11.5 GB) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription - -# import debian keyring -cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import - -# debian 12 main mirror (about 87 GB) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main - -# debian 12 contrib mirror (about 600 MB) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg 
debian12.contrib http://deb.debian.org/debian/ bookworm contrib -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib - -# debian 12 non-free mirror (about7,2 GB) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free - -# debian 12 non-free-firmware mirror (38 Packages) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware - -# debian 12 update main mirror (about 2,5 GB) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update - -# debian 12 update contrib mirror (currently empty) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates - -# debian 12 updates non-free mirror (about 900 MB) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates - -# debian 12 updates non-free-firmware mirror (about 70 MB) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware -aptly 
mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates - -# debian 12 security main mirror (about 5,5 GB) -aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security - -# debian 12 security contrib mirror (2 packages) -aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security - -# debian 12 security non-free mirror (currently empty) -aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security - -# debian 12 security non-free-firmware mirror (1 package) -aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security - -# debian 12 backports main mirror (about 14,5 GB) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports - -# debian 12 backports contrib mirror (about 100 MB) -aptly mirror create -architectures="amd64" 
-keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports - -# debian 12 backports non-free mirror (2 packages) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports - -# debian 12 backports non-free-firmware mirror (currently empty) -aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware -aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports -EOF - -cat << EOF > /usr/local/bin/update-apt-mirrors -#!/bin/bash -PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" - -for m in \$(aptly mirror list -raw); do - aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m -done -EOF - -echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors - -chmod +x /usr/local/bin/update-apt-mirrors - -chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT - -chown -R www-data:www-data /var/www - -# Create required webserver folders -sudo -u www-data mkdir -p /var/www/html/{gpg,graph} - -# Export gpg key -sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub - -generate_dhparam - -systemctl daemon-reload -systemctl enable --now aptly aptly-api -systemctl restart nginx - -echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples." \ No newline at end of file From 2d55a1b2227cf03827c81a5561f1ae9507e8b43a Mon Sep 17 00:00:00 2001 
From: Thorsten Spille Date: Sat, 17 Jan 2026 16:43:39 +0000 Subject: [PATCH 29/59] fix urbackup nginx conf --- src/urbackup/install-service.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/src/urbackup/install-service.sh b/src/urbackup/install-service.sh index 39fcc4f..5212346 100644 --- a/src/urbackup/install-service.sh +++ b/src/urbackup/install-service.sh @@ -45,7 +45,6 @@ server { index index.htm; - ssl on; ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; From 1c6ec8f73cd30b5a655b11c4bf4c99bf789dc500 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 17 Jan 2026 17:15:54 +0000 Subject: [PATCH 30/59] Debian 13 for nextcloud and semaphore --- src/ansible-semaphore/constants-service.conf | 2 +- src/ansible-semaphore/install-service.sh | 7 ++----- src/functions.sh | 8 ++++++-- src/nextcloud/constants-service.conf | 4 ++-- src/nextcloud/install-service.sh | 2 +- 5 files changed, 12 insertions(+), 11 deletions(-) diff --git a/src/ansible-semaphore/constants-service.conf b/src/ansible-semaphore/constants-service.conf index 9204cd7..1f75517 100644 --- a/src/ansible-semaphore/constants-service.conf +++ b/src/ansible-semaphore/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/ansible-semaphore/install-service.sh b/src/ansible-semaphore/install-service.sh index 09b743a..a9dc2ca 100644 --- a/src/ansible-semaphore/install-service.sh +++ b/src/ansible-semaphore/install-service.sh 
@@ -9,11 +9,8 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null -echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list - -wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null -echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list +inst_nginx +inst_postgresql apt update diff --git a/src/functions.sh b/src/functions.sh index dfe52bb..0f41c41 100644 --- a/src/functions.sh +++ b/src/functions.sh 
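Review bot: `inst_postgresql` is now called without an argument, so the PostgreSQL major comes from the `${1:-18}` default added to src/functions.sh in this same patch rather than from anything in the semaphore service config. If this service is meant to track a fixed version, pass it explicitly (`inst_postgresql "$POSTGRES_VERSION"`) and define it in its constants-service.conf; otherwise a comment such as `# relies on the functions.sh default PostgreSQL major` records that the choice is deliberate. Moving the repository keys out of the globally trusted /etc/apt/trusted.gpg.d/ into the per-repo `signed-by` keyrings that `apt_repo` creates is the right direction (inferred from the helper's use elsewhere on this page; its body is not in this hunk).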
@@ -76,14 +76,18 @@ inst_nginx() { #### Set repo and install PHP #### inst_php() { + PHP_MODULES=${1} + PHP_VERSION=${2:-8.5} apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main" - apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline} + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php${PHP_VERSION}-${PHP_MODULES} } #### Set repo and install Postgresql #### +# First paramater is postgres version, default ist curren version postgres 18 inst_postgresql() { + POSTGRES_VERSION=${1:-18} apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main" - apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-${POSTGRES_VERSION} } #### Set repo and install Crowdsec #### diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index e4665e2..3f7932d 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 
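Review bot: `php${PHP_VERSION}-${PHP_MODULES}` cannot yield one package per module: brace expansion happens before parameter expansion, so a `{fpm,gd,...}` value held in `PHP_MODULES` reaches apt literally, and the call site added in this patch (`inst_php {fpm,gd,...} $NEXTCLOUD_PHP_VERSION` in src/nextcloud/install-service.sh, the hunk below) makes it worse because the shell expands the unquoted braces before the call, leaving `$1` as `fpm`, `$2` as `gd` and hence `PHP_VERSION=gd`. PATCH 32 later in this series rewrites the function to split on commas, but the caller still has to pass a single quoted argument: `inst_php "fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline" "$NEXTCLOUD_PHP_VERSION"`. The added comment above inst_postgresql has typos (`paramater`, `ist curren`), and inst_php deserves the same kind of header, e.g. `# $1: comma-separated php module list, $2: php major.minor (default 8.5)`. Both functions are shown in full, but the file continues on either side of the hunk.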
@@ -33,7 +33,7 @@ NEXTCLOUD_VERSION="latest" NEXTCLOUD_PHP_VERSION="8.3" # Defines the postgresql version to install -POSTGRES_VERSION=16 +POSTGRES_VERSION=18 # Defines the IP from the SQL server NEXTCLOUD_DB_IP="127.0.0.1" diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 8e50e50..fe4df18 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh @@ -549,7 +549,7 @@ echo "=> Modifying Nginx config for Nextcloud ..." mod_nginx echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..." -inst_php +inst_php {fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline} $NEXTCLOUD_PHP_VERSION echo "=> Modifying PHP config for Nextcloud ..." mod_php From f2f1beb8a5a3d903c3c1b1cebe83411d5ab72351 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 17 Jan 2026 17:45:52 +0000 Subject: [PATCH 31/59] fix gpg keys --- src/constants.conf | 2 +- src/functions.sh | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/constants.conf b/src/constants.conf index 184a8de..177ebd4 100644 --- a/src/constants.conf +++ b/src/constants.conf @@ -8,4 +8,4 @@ # This file contains the project constants on container level # Define your (administrative) tools, you always want to have installed into your LXC container -LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https wget ssl-cert tmux" +LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gpg gnupg2 apt-transport-https wget ssl-cert tmux" diff --git a/src/functions.sh b/src/functions.sh index 0f41c41..b0c3318 100644 --- a/src/functions.sh +++ b/src/functions.sh @@ -22,7 +22,7 @@ EOF apt_repo() { apt_name=$1 apt_key_url=$2 - apt_key_path=/usr/share/keyrings/${apt_name}.gpg + apt_key_path=/usr/share/keyrings/${apt_name}-archive-keyring.gpg apt_repo_url=$3 apt_suites=$4 apt_components=$5 
@@ -36,6 +36,7 @@ apt_repo() { echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..." # Wenn es ASCII ist, konvertiere es mit --dearmor if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then + chmod 644 ${apt_key_path} echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert." else echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels." @@ -47,6 +48,7 @@ apt_repo() { # Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei if sudo mv "${tmp_key_file}" "${apt_key_path}"; then echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert." + chmod 644 ${apt_key_path} else echo "❌ Fehler beim Kopieren des binären Schlüssels." rm -f "${tmp_key_file}" From eaa39e55bd4b7d6dd7c59c9624323969894ba47c Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 17 Jan 2026 19:29:53 +0000 Subject: [PATCH 32/59] fix nextcloud --- src/functions.sh | 14 +++++++++++++- src/nextcloud/constants-service.conf | 2 +- src/nextcloud/install-service.sh | 17 ++++++++--------- 3 files changed, 22 insertions(+), 11 deletions(-) diff --git a/src/functions.sh b/src/functions.sh index b0c3318..de745c8 100644 --- a/src/functions.sh +++ b/src/functions.sh 
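Review bot: The two added `chmod 644 ${apt_key_path}` lines are the only unquoted uses of `apt_key_path` in a function that otherwise quotes every path; write `chmod 644 "${apt_key_path}"` to match. They are also placed inconsistently — before the success message in the ASCII branch, after it in the binary branch — and neither says why the mode change is needed; a comment such as `# keyring must be world-readable: apt verifies signed-by keyrings as the unprivileged _apt user and ignores files it cannot read` captures that (the tools used here, mktemp and gpg --dearmor, are presumed to leave the file 0600 — confirm). Hoisting a single chmod after the if/else so it runs once on either path would remove the duplication. The apt_repo function begins and ends outside these two hunks.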
@@ -80,14 +80,20 @@ inst_nginx() { inst_php() { PHP_MODULES=${1} PHP_VERSION=${2:-8.5} + IFS=',' read -ra MODULE_ARRAY <<< "$PHP_MODULES" + PKGS=() + for PHP_MODULE in "${MODULE_ARRAY[@]}"; do + PKGS+=( "php${PHP_VERSION}-${PHP_MODULE}" ) + done apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main" - apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php${PHP_VERSION}-${PHP_MODULES} + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common "${PKGS[@]}" } #### Set repo and install Postgresql #### # First paramater is postgres version, default ist curren version postgres 18 inst_postgresql() { POSTGRES_VERSION=${1:-18} + apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main" apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-${POSTGRES_VERSION} } @@ -98,3 +104,9 @@ inst_crowdsec() { apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables } + +#### Set repo and install 45drives (cockpit) #### +inst_45drives() { + apt_repo "45drives" "https://repo.45drives.com/key/gpg.asc" "https://repo.45drives.com/enterprise/debian" "bookworm" "main" + apt update +} \ No newline at end of file diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index 3f7932d..0e24149 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf 
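Review bot: `inst_45drives` pins the suite to the literal `"bookworm"` while every other helper in this file derives it from `lsb_release` and the rest of this series moves the templates to Debian 13; if the 45drives repository only publishes a bookworm suite, say so (`# 45drives publishes only a bookworm suite; reused unchanged on newer Debian`), otherwise use `"$(lsb_release -sc)"` as `inst_php` does. The helper also only runs `apt update` and installs nothing, so its name promises more than it delivers; either install cockpit there or name it for what it does (for instance a constructed `repo_45drives`). The file now ends without a trailing newline. The comma-split `read -ra` in inst_php is correct on its own; how the caller must pass the list is covered on the earlier functions.sh hunk in this series.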
@@ -30,7 +30,7 @@ LXC_KEYCTL="0" NEXTCLOUD_VERSION="latest" # Defines the php version to install -NEXTCLOUD_PHP_VERSION="8.3" +NEXTCLOUD_PHP_VERSION="8.4" # Defines the postgresql version to install POSTGRES_VERSION=18 diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index fe4df18..c87068c 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh @@ -248,7 +248,7 @@ cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/f cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak -cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak +cp /etc/ImageMagick-7/policy.xml /etc/ImageMagick-7/policy.xml.bak sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf 
@@ -298,10 +298,10 @@ sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods- sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini -sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml +sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-7/policy.xml +sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-7/policy.xml +sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-7/policy.xml +sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-7/policy.xml sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini 
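Review bot: the four `sed` lines turn the PS, EPS, PDF and XPS coders from `rights="none"` to `rights="read|write"`, which re-enables the Ghostscript-backed delegates that the shipped policy.xml disables; the commit only moves the path to ImageMagick-7, but these are now the lines that relax the policy on the new file. Nextcloud preview generation only needs to read those formats, so `rights="read"` keeps PDF previews working while leaving the write path closed, and a comment such as `# relax ImageMagick policy so Nextcloud can render PDF/PS previews` would record why the default is overridden. Worth confirming that the `rights="none" pattern="PS"` attribute ordering still matches the ImageMagick-7 policy.xml, since an unmatched sed silently changes nothing. The enclosing function starts and ends outside the hunk.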
@@ -350,13 +350,12 @@ sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf usermod -aG redis www-data -cp /etc/sysctl.conf /etc/sysctl.conf.bak -sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf +echo 'vm.overcommit_memory = 1' > /etc/sysctl.d/overcommit_memory.conf } #### Install some more packages inst_packages() { -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-7.q16-10-extra timedatectl set-timezone $LXC_TIMEZONE mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www @@ -549,7 +548,7 @@ echo "=> Modifying Nginx config for Nextcloud ..." mod_nginx echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..." -inst_php {fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline} $NEXTCLOUD_PHP_VERSION +inst_php fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline $NEXTCLOUD_PHP_VERSION echo "=> Modifying PHP config for Nextcloud ..." mod_php From a9780e6b7ba602b08bd43b7dad4134bea017393c Mon Sep 17 00:00:00 2001 
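Review bot: `echo 'vm.overcommit_memory = 1' > /etc/sysctl.d/overcommit_memory.conf` writes the drop-in but never applies it, so the setting only takes effect after a reboot; the replaced sed on /etc/sysctl.conf had the same gap, but since the line is rewritten anyway, follow it with `sysctl --system` (or `sysctl -p /etc/sysctl.d/overcommit_memory.conf`). Inside an unprivileged LXC container `/proc/sys/vm` is usually read-only, so that call may fail; tolerating the failure with a logged message rather than aborting seems appropriate for this script, which does not use `set -e`. The later `inst_php fpm,gd,...` hunk (`@@ -549,7 +548,7`) correctly matches the new comma-separated interface of `inst_php`. The enclosing function of the first hunk starts outside it.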
From: Thorsten Spille Date: Sat, 17 Jan 2026 19:45:31 +0000 Subject: [PATCH 33/59] set postgres 17 for nextcloud --- src/nextcloud/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index 0e24149..8c7c995 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf @@ -33,7 +33,7 @@ NEXTCLOUD_VERSION="latest" NEXTCLOUD_PHP_VERSION="8.4" # Defines the postgresql version to install -POSTGRES_VERSION=18 +POSTGRES_VERSION=17 # Defines the IP from the SQL server NEXTCLOUD_DB_IP="127.0.0.1" From 2f6658f0aefda6725b2cf4564bd35d2a405b66da Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 17 Jan 2026 20:14:32 +0000 Subject: [PATCH 34/59] update authentik --- src/authentik/constants-service.conf | 2 +- src/authentik/install-service.sh | 9 ++------- src/functions.sh | 6 ++++++ 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/src/authentik/constants-service.conf b/src/authentik/constants-service.conf index af4c4ca..8be41e4 100644 --- a/src/authentik/constants-service.conf +++ b/src/authentik/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 diff --git a/src/authentik/install-service.sh b/src/authentik/install-service.sh index 766f38d..3333df4 100644 --- a/src/authentik/install-service.sh +++ b/src/authentik/install-service.sh 
@@ -10,14 +10,9 @@ source /root/zamba.conf source /root/constants-service.conf # Add Docker's official GPG key: -install -m 0755 -d /etc/apt/keyrings -curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg -chmod a+r /etc/apt/keyrings/docker.gpg +inst_docker -# Add the repository to Apt sources: -echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null -apt-get update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq pwgen SECRET=$(random_password) myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1) diff --git a/src/functions.sh b/src/functions.sh index de745c8..35d70a6 100644 --- a/src/functions.sh +++ b/src/functions.sh @@ -109,4 +109,10 @@ inst_crowdsec() { inst_45drives() { apt_repo "45drives" "https://repo.45drives.com/key/gpg.asc" "https://repo.45drives.com/enterprise/debian" "bookworm" "main" apt update +} + +inst_docker() { + apt_repo "docker" "https://download.docker.com/linux/debian/gpg" "https://download.docker.com/linux/debian" "$(lsb_release -cs)" stable + apt update + DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen } \ No newline at end of file From dcceeb5a63af525a64112091e260394e24aeb09d Mon Sep 17 00:00:00 2001 
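Review bot: `inst_docker` in src/functions.sh installs `pwgen` together with the Docker packages, and the caller in src/authentik/install-service.sh installs `pwgen` again on the line right after `inst_docker`; the helper should only install what its name promises (`docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin`) and leave `pwgen` to the service script, otherwise every future caller of `inst_docker` pulls in an unrelated package. The removed code derived the suite from `/etc/os-release` while the helper uses `$(lsb_release -cs)`, which silently yields an empty suite if `lsb-release` is not present in the template; the other helpers already rely on it, so this is a shared assumption worth a comment in functions.sh. The `inst_45drives` helper in the same hunk still pins `bookworm`.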
From: Thorsten Spille Date: Sat, 17 Jan 2026 21:54:11 +0000 Subject: [PATCH 35/59] update multiple containers --- src/bashclub-cmk/constants-service.conf | 2 +- src/bookstack/constants-service.conf | 2 +- src/bookstack/install-service.sh | 4 +- src/cloudpanel/constants-service.conf | 2 +- src/functions.sh | 2 +- src/zmb-ad-join/install-service.sh | 4 +- src/zmb-ad-restore/constants-service.conf | 2 +- src/zmb-ad-restore/install-service.sh | 4 +- src/zmb-ad/constants-service.conf | 12 --- src/zmb-ad/install-service.sh | 94 +++-------------------- src/zmb-cups/constants-service.conf | 2 +- src/zmb-cups/install-service.sh | 4 +- src/zmb-member/install-service.sh | 6 +- src/zmb-standalone/constants-service.conf | 2 +- src/zmb-standalone/install-service.sh | 4 +- 15 files changed, 31 insertions(+), 115 deletions(-) diff --git a/src/bashclub-cmk/constants-service.conf b/src/bashclub-cmk/constants-service.conf index 84c2348..e360c84 100644 --- a/src/bashclub-cmk/constants-service.conf +++ b/src/bashclub-cmk/constants-service.conf @@ -28,7 +28,7 @@ LXC_NESTING="1" LXC_KEYCTL="0" # checkmk version -CMK_VERSION=2.4.0p18 +CMK_VERSION=2.4.0p19 # build number of the debian package (needs to start with underscore) CMK_BUILD=_0 diff --git a/src/bookstack/constants-service.conf b/src/bookstack/constants-service.conf index c4548eb..50fd76b 100644 --- a/src/bookstack/constants-service.conf +++ b/src/bookstack/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh index fa5acd1..a040873 100644 --- a/src/bookstack/install-service.sh +++ b/src/bookstack/install-service.sh 
@@ -14,9 +14,11 @@ source /root/constants-service.conf BOOKSTACK_DB_PWD=$(random_password) webroot=/var/www/bookstack/public +inst_php cli,fpm,mysql,fpm,xml,mbstring,gd,tokenizer,curl,ldap,tidy,zip 8.5 + apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client redis-server curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i - DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb diff --git a/src/cloudpanel/constants-service.conf b/src/cloudpanel/constants-service.conf index d207969..8476909 100644 --- a/src/cloudpanel/constants-service.conf +++ b/src/cloudpanel/constants-service.conf @@ -6,7 +6,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 diff --git a/src/functions.sh b/src/functions.sh index 35d70a6..bf424a6 100644 --- a/src/functions.sh +++ b/src/functions.sh @@ -79,7 +79,7 @@ inst_nginx() { #### Set repo and install PHP #### inst_php() { PHP_MODULES=${1} - PHP_VERSION=${2:-8.5} + PHP_VERSION=${2:-8.4} IFS=',' read -ra MODULE_ARRAY <<< "$PHP_MODULES" PKGS=() for PHP_MODULE in "${MODULE_ARRAY[@]}"; do diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index bf0f3aa..9b9a76d 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh 
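Review bot: the new `inst_php cli,fpm,mysql,fpm,xml,...` call lists `fpm` twice and pins PHP `8.5`, while this same commit changes the `inst_php` default to 8.4 in the src/functions.sh hunk below; pick one version and drop the duplicate, e.g. `inst_php cli,fpm,mysql,xml,mbstring,gd,tokenizer,curl,ldap,tidy,zip 8.4`. The old package line also installed `php-dompdf`, which is absent from the new module list and, as far as I can tell, has no `php8.x-dompdf` equivalent in the sury repository, so if BookStack still needs it, it has to be installed separately. The following `curl ... | grep 'bookworm_amd64.deb$'` still fetches the bookworm wkhtmltopdf build although bookstack's `LXC_TEMPLATE_VERSION` moves to `debian-13-standard` in this commit, and the .deb is installed without any checksum or signature verification; a pinned URL with a recorded checksum would be the safer pattern.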
@@ -13,8 +13,8 @@ ZMB_DNS_BACKEND="SAMBA_INTERNAL" for f in ${OPTIONAL_FEATURES[@]}; do if [[ "$f" == "wsdd" ]]; then - ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES" + ADDITIONAL_PACKAGES="wsdd2 $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="wsdd2 $ADDITIONAL_SERVICES" elif [[ "$f" == "splitdns" ]]; then ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" diff --git a/src/zmb-ad-restore/constants-service.conf b/src/zmb-ad-restore/constants-service.conf index 1042bbc..e849a50 100644 --- a/src/zmb-ad-restore/constants-service.conf +++ b/src/zmb-ad-restore/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/zmb-ad-restore/install-service.sh b/src/zmb-ad-restore/install-service.sh index b3c14c8..a0045bf 100644 --- a/src/zmb-ad-restore/install-service.sh +++ b/src/zmb-ad-restore/install-service.sh @@ -13,8 +13,8 @@ ZMB_DNS_BACKEND="SAMBA_INTERNAL" for f in ${OPTIONAL_FEATURES[@]}; do if [[ "$f" == "wsdd" ]]; then - ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES" + ADDITIONAL_PACKAGES="wsdd2 $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="wsdd2 $ADDITIONAL_SERVICES" elif [[ "$f" == "splitdns" ]]; then ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" diff --git a/src/zmb-ad/constants-service.conf b/src/zmb-ad/constants-service.conf index d96197f..e621c1b 100644 --- a/src/zmb-ad/constants-service.conf +++ b/src/zmb-ad/constants-service.conf 
@@ -26,18 +26,6 @@ LXC_NESTING="1" # enable keyctl feature LXC_KEYCTL="0" -# add optional features to samba ad dc - -# CURRENTLY SUPPORTED: -# wsdd = add windows service discovery -# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup -# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ - -# Example: -# OPTIONAL_FEATURES=(wsdd) -# OPTIONAL_FEATURES=(wsdd splitdns) -OPTIONAL_FEATURES=() - # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh index 3455650..6fca4cc 100644 --- a/src/zmb-ad/install-service.sh +++ b/src/zmb-ad/install-service.sh 
@@ -5,38 +5,20 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -ZMB_DNS_BACKEND="SAMBA_INTERNAL" - -for f in ${OPTIONAL_FEATURES[@]}; do - if [[ "$f" == "wsdd" ]]; then - ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES" - elif [[ "$f" == "splitdns" ]]; then - ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" - elif [[ "$f" == "bind9dlz" ]]; then - ZMB_DNS_BACKEND="BIND9_DLZ" - ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES" - else - echo "Unsupported optional feature $f" - fi -done - -# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list - # update packages apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade # install required packages -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc wsdd2 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind 
libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils - +echo "configuring chrony" mkdir -p /etc/chrony/conf.d mkdir -p /etc/systemd/system/chrony.service.d 
@@ -61,72 +43,16 @@ server europe.pool.ntp.org iburst allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev) ntpsigndsocket /var/lib/samba/ntp_signd EOF - -if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then - cat << EOF > /etc/nginx/sites-available/default -server { - listen 80 default_server; - server_name _; - return 301 http://www.$LXC_DOMAIN\$request_uri; -} -EOF -fi - -if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then - # configure bind dns service - cat << EOF > /etc/default/bind9 -# -# run resolvconf? -RESOLVCONF=no - -# startup options for the server -OPTIONS="-4 -u bind" -EOF - - cat << EOF > /etc/bind/named.conf.local -// -// Do any local configuration here -// - -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; -dlz "$LXC_DOMAIN" { - database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; -}; -EOF - - cat << EOF > /etc/bind/named.conf.options -options { - directory "/var/cache/bind"; - - forwarders { - $LXC_DNS; - }; - - allow-query { any;}; - dnssec-validation no; - - auth-nxdomain no; # conform to RFC1035 - listen-on-v6 { any; }; - listen-on { any; }; - - tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; - minimal-responses yes; -}; -EOF - - mkdir -p /var/lib/samba/bind-dns/dns -fi - +echo "disabling services" # stop + disable samba services and remove default config -systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1 +systemctl disable --now smbd nmbd winbind > /dev/null 2>&1 rm -f /etc/samba/smb.conf rm -f /etc/krb5.conf +echo "provisioning domain" # provision zamba domain -samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND - +samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM 
--domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL +echo "provosioning finished" ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf # disable password expiry for administrator @@ -134,7 +60,7 @@ samba-tool user setexpiry Administrator --noexpiry systemctl unmask samba-ad-dc systemctl enable samba-ad-dc -systemctl restart samba-ad-dc $ADDITIONAL_SERVICES +systemctl restart samba-ad-dc # configure ad backup cat << EOF > /usr/local/bin/smb-backup diff --git a/src/zmb-cups/constants-service.conf b/src/zmb-cups/constants-service.conf index 5bf228d..8e571e7 100644 --- a/src/zmb-cups/constants-service.conf +++ b/src/zmb-cups/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 diff --git a/src/zmb-cups/install-service.sh b/src/zmb-cups/install-service.sh index 636a723..0f8333c 100644 --- a/src/zmb-cups/install-service.sh +++ b/src/zmb-cups/install-service.sh 
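Review bot: with `set -euo pipefail` now enabled at the top of the script (first hunk of this file), `systemctl disable --now smbd nmbd winbind > /dev/null 2>&1` aborts the whole install if any of those units is absent or cannot be disabled, because the non-zero exit is no longer ignored; append `|| true` if the intent is best-effort, and the same applies to the identical line in src/zmb-ad-join/install-service.sh in PATCH 36. The new progress message `echo "provosioning finished"` has a typo for "provisioning". The rewritten `samba-tool domain provision ... --adminpass=$ZMB_ADMIN_PASS` line passes the domain administrator password in argv, where it is visible to any local process listing and may be captured in audit logs; since the line is being touched anyway, consider a form that does not expose the secret on the command line. The removal of the nginx and bind9 blocks is consistent with dropping OPTIONAL_FEATURES from the constants file.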
@@ -14,7 +14,7 @@ source /root/constants-service.conf apt update # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd2 mv /etc/krb5.conf /etc/krb5.conf.bak cat > /etc/krb5.conf < /etc/krb5.conf < /etc/samba/smb.conf < Date: Sat, 17 Jan 2026 22:37:14 +0000 Subject: [PATCH 36/59] fix zmb-ad --- src/zmb-ad-join/constants-service.conf | 12 ---- src/zmb-ad-join/install-service.sh | 98 +++++++------------------- src/zmb-ad/install-service.sh | 19 +++++ 3 files changed, 44 insertions(+), 85 deletions(-) diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf index 26ceb7b..e5cd4fe 100644 --- a/src/zmb-ad-join/constants-service.conf +++ b/src/zmb-ad-join/constants-service.conf @@ -26,18 +26,6 @@ LXC_NESTING="1" # enable keyctl feature LXC_KEYCTL="0" -# add optional features to samba ad dc - -# CURRENTLY SUPPORTED: -# wsdd = add windows service discovery -# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup -# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ - -# Example: -# OPTIONAL_FEATURES=(wsdd) -# OPTIONAL_FEATURES=(wsdd splitdns) -OPTIONAL_FEATURES=() - # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 
diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index 9b9a76d..8d9a3a0 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh 
@@ -5,35 +5,19 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -ZMB_DNS_BACKEND="SAMBA_INTERNAL" - -for f in ${OPTIONAL_FEATURES[@]}; do - if [[ "$f" == "wsdd" ]]; then - ADDITIONAL_PACKAGES="wsdd2 $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="wsdd2 $ADDITIONAL_SERVICES" - elif [[ "$f" == "splitdns" ]]; then - ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" - elif [[ "$f" == "bind9dlz" ]]; then - ZMB_DNS_BACKEND="BIND9_DLZ" - ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES" - else - echo "Unsupported optional feature $f" - fi -done - # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list # update packages apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade # install required packages -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient 
winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils 
@@ -62,57 +46,6 @@ allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | r ntpsigndsocket /var/lib/samba/ntp_signd EOF -if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then - cat << EOF > /etc/nginx/sites-available/default -server { - listen 80 default_server; - server_name _; - return 301 http://www.$LXC_DOMAIN\$request_uri; -} -EOF -fi - -if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then - # configure bind dns service - cat << EOF > /etc/default/bind9 -# -# run resolvconf? -RESOLVCONF=no -# startup options for the server -OPTIONS="-4 -u bind" -EOF - - cat << EOF > /etc/bind/named.conf.local -// -// Do any local configuration here -// -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; -dlz "$LXC_DOMAIN" { - database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; -}; -EOF - - cat << EOF > /etc/bind/named.conf.options -options { - directory "/var/cache/bind"; - forwarders { - $LXC_DNS; - }; - allow-query { any;}; - dnssec-validation no; - auth-nxdomain no; # conform to RFC1035 - listen-on-v6 { any; }; - listen-on { any; }; - tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; - minimal-responses yes; -}; -EOF - - mkdir -p /var/lib/samba/bind-dns/dns -fi - mv /etc/krb5.conf /etc/krb5.conf.bak cat > /etc/krb5.conf < /etc/krb5.conf < /dev/null 2>&1 +systemctl disable --now smbd nmbd winbind > /dev/null 2>&1 rm -f /etc/samba/smb.conf +echo "fixing samba service to wait for lxc being online" + +install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d + +cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf +[Unit] +After=networking.service +Wants=networking.service + +[Service] +# Wait up to 30s for eth0 to get an IPv4 address +ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1' + +Restart=on-failure +RestartSec=3 
+EOF + +systemctl daemon-reload + echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb @@ -160,7 +112,7 @@ ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096 systemctl unmask samba-ad-dc systemctl enable samba-ad-dc -systemctl restart samba-ad-dc $ADDITIONAL_SERVICES +systemctl restart samba-ad-dc # configure ad backup cat << EOF > /usr/local/bin/smb-backup @@ -168,7 +120,7 @@ cat << EOF > /usr/local/bin/smb-backup PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin rc=0 -keep=$1 +keep=\$1 if \$1 ; then keep=\$1 fi diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh index 6fca4cc..6caab2a 100644 --- a/src/zmb-ad/install-service.sh +++ b/src/zmb-ad/install-service.sh @@ -49,6 +49,25 @@ systemctl disable --now smbd nmbd winbind > /dev/null 2>&1 rm -f /etc/samba/smb.conf rm -f /etc/krb5.conf +echo "fixing samba service to wait for lxc being online" + +install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d + +cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf +[Unit] +After=networking.service +Wants=networking.service + +[Service] +# Wait up to 30s for eth0 to get an IPv4 address +ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1' + +Restart=on-failure +RestartSec=3 +EOF + +systemctl daemon-reload + echo "provisioning domain" # provision zamba domain samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL From fc1ebd479ada38e9eb2794a10703c1ac2bf76faa Mon Sep 17 00:00:00 2001 
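Review bot: in the smb-backup heredoc (hunk `@@ -168,7 +120,7`) the corrected `keep=\$1` is immediately followed by the unchanged `if \$1 ; then keep=\$1 fi`, which executes the first argument as a command rather than testing whether it was given; the guard should be a string test, `if [[ -n "\$1" ]]; then`, or be dropped since `keep=\$1` already captures the value (a default like `keep=\${1:-7}` — constructed value — would make the intent explicit). In the new systemd drop-in the `ExecStartPre` loop hard-codes `eth0`, while the chrony block earlier in this file derives addresses from `LXC_IP`; if the container's interface name ever differs, the unit never starts, so the interface name should come from a variable rather than a literal. The same drop-in is duplicated verbatim into src/zmb-ad/install-service.sh (`@@ -49,6 +49,25`); a shared helper in functions.sh would keep the two copies in sync.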
From: Markus Date: Sun, 18 Jan 2026 12:24:10 +0100 Subject: [PATCH 37/59] onloyoffice, matrix, urbackup --- src/matrix/constants-service.conf | 2 +- src/matrix/install-service.sh | 19 ++++++++----------- src/onlyoffice/constants-service.conf | 2 +- src/onlyoffice/install-service.sh | 20 ++++++++++---------- src/urbackup/install-service.sh | 2 ++ 5 files changed, 22 insertions(+), 23 deletions(-) diff --git a/src/matrix/constants-service.conf b/src/matrix/constants-service.conf index 57f799e..7cad95f 100644 --- a/src/matrix/constants-service.conf +++ b/src/matrix/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh index 5f141df..35b39c9 100644 --- a/src/matrix/install-service.sh +++ b/src/matrix/install-service.sh @@ -9,6 +9,8 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf +set -euo pipefail + MRX_PKE=$(random_password) ELE_DBNAME="synapse_db" 
@@ -17,15 +19,10 @@ ELE_DBPASS=$(random_password) ELE_PATH=/var/www/element-web WEBROOT=/var/www -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2 +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx python3-psycopg2 -wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg -echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list -apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3 -systemctl enable matrix-synapse - -ss -tulpen +inst_postgresql +inst_matrix mkdir -p /etc/nginx/ssl openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN" @@ -47,9 +44,9 @@ server { server { listen 443 ssl; listen [::]:443 ssl; + http2 on; server_name $MATRIX_FQDN; - ssl on; ssl_certificate /etc/nginx/ssl/matrix.crt; ssl_certificate_key /etc/nginx/ssl/matrix.key; @@ -62,9 +59,9 @@ server { server { listen 8448 ssl; listen [::]:8448 ssl; + http2 on; server_name $MATRIX_FQDN; - ssl on; ssl_certificate /etc/nginx/ssl/matrix.crt; ssl_certificate_key /etc/nginx/ssl/matrix.key; @@ -97,9 +94,9 @@ server { server { listen 443 ssl; listen [::]:443 ssl; + http2 on; server_name $MATRIX_ELEMENT_FQDN; - ssl on; ssl_certificate /etc/nginx/ssl/matrix.crt; ssl_certificate_key /etc/nginx/ssl/matrix.key; diff --git a/src/onlyoffice/constants-service.conf b/src/onlyoffice/constants-service.conf index e5ffe58..9801b05 100644 --- a/src/onlyoffice/constants-service.conf +++ b/src/onlyoffice/constants-service.conf 
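Review bot: `inst_matrix` is called in place of the removed matrix.org repository setup, but this patch touches only the matrix, onlyoffice and urbackup files (see its diffstat) and nothing visible in this series defines such a function in src/functions.sh; unless it exists elsewhere, the script now aborts at this line under the newly added `set -euo pipefail` with "command not found". The removed block also ran `systemctl enable matrix-synapse`; whichever helper replaces it needs to keep that, otherwise synapse does not come up after a reboot. `inst_postgresql` is called without a version argument and therefore installs the helper's default (18), whereas PATCH 33 pins nextcloud to 17 — confirm that difference is intended.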
@@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/onlyoffice/install-service.sh b/src/onlyoffice/install-service.sh index 4b1627a..ff4c9f3 100644 --- a/src/onlyoffice/install-service.sh +++ b/src/onlyoffice/install-service.sh @@ -9,20 +9,20 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf +set -euo pipefail + ONLYOFFICE_DB_PASS=$(random_password) -curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null -echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list +inst_postgresql -cat > /etc/apt/preferences.d/onlyoffice << EOF -Package: onlyoffice-documentserver -Pin: version 7.1.1-23 -Pin-Priority: 900 -EOF +#cat > /etc/apt/preferences.d/onlyoffice << EOF +#Package: onlyoffice-documentserver +#Pin: version 7.1.1-23 +#Pin-Priority: 900 +#EOF -apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq rabbitmq-server libstdc++6 supervisor su postgres < /root/onlyoffice.credentials ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST diff --git a/src/urbackup/install-service.sh b/src/urbackup/install-service.sh index 5212346..959aec8 100644 --- a/src/urbackup/install-service.sh +++ b/src/urbackup/install-service.sh @@ -9,6 +9,8 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf +set -euo pipefail + mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA mkdir -p /etc/urbackup From 6bb93c7c0efdab0984ec49e46d169bcc3bb1f7ed Mon Sep 17 00:00:00 2001 
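Review bot: The lines that added the ONLYOFFICE apt repository and its signing key are removed in the onlyoffice hunk, but nothing in this commit replaces them (`inst_onlyoffice` only appears in the later "fix repos" patch), so a later `onlyoffice-documentserver` install in this script — presumably outside the hunk — cannot resolve the package at this revision. The version pin is commented out rather than deleted; a dead `#cat > /etc/apt/preferences.d/onlyoffice` block tends to be resurrected by accident, so either delete those five lines or keep a live pin at the version actually tested. The `apt install` of rabbitmq-server now runs without a preceding `apt update` in this file, which is only safe if `inst_postgresql` refreshes the index itself.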
From: Markus Date: Sun, 18 Jan 2026 12:30:15 +0100 Subject: [PATCH 38/59] add 45drives to functions --- src/zmb-standalone/install-service.sh | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh index 95c079c..2d149f7 100644 --- a/src/zmb-standalone/install-service.sh +++ b/src/zmb-standalone/install-service.sh @@ -9,15 +9,8 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc -echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list +inst_45drives -# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list - -apt update - -#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd -#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd2 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator From e6acbd25d42ae08b9cf73add76adb2c97d40080c Mon Sep 17 00:00:00 2001 
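Review bot: The two commented-out `apt install -t bookworm-backports …` lines and the commented backports `echo` remain as dead code directly below the new `inst_45drives` call; with the template moving to Debian 13 they reference a suite this container no longer runs, so delete them instead of carrying them forward. Dropping the standalone `apt update` is fine, since `inst_45drives` ends with its own `apt update` (visible in the functions.sh context of the next patch). The enclosing script continues outside the hunk.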
From: Markus Date: Sun, 18 Jan 2026 12:33:00 +0100 Subject: [PATCH 39/59] fix repos of matrix, onlyoffice --- src/functions.sh | 3 ++- src/matrix/install-service.sh | 7 +++++++ src/onlyoffice/install-service.sh | 7 +++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/functions.sh b/src/functions.sh index bf424a6..77dd007 100644 --- a/src/functions.sh +++ b/src/functions.sh @@ -111,8 +111,9 @@ inst_45drives() { apt update } +#### Set repo and install Docker #### inst_docker() { apt_repo "docker" "https://download.docker.com/linux/debian/gpg" "https://download.docker.com/linux/debian" "$(lsb_release -cs)" stable apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen -} \ No newline at end of file +} diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh index 35b39c9..fa54e91 100644 --- a/src/matrix/install-service.sh +++ b/src/matrix/install-service.sh @@ -11,6 +11,13 @@ source /root/constants-service.conf set -euo pipefail +#### Set repo and install matrix #### +inst_matrix() { + apt_repo "matrix" "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" "https://packages.matrix.org/debian" "$(lsb_release -cs)" "main" + apt update + DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq matrix-synapse-py3 && systemctl enable matrix-synapse +} + MRX_PKE=$(random_password) ELE_DBNAME="synapse_db" diff --git a/src/onlyoffice/install-service.sh b/src/onlyoffice/install-service.sh index ff4c9f3..1bb429f 100644 --- a/src/onlyoffice/install-service.sh +++ b/src/onlyoffice/install-service.sh 
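Review bot: `inst_matrix` is defined inside the service installer although its siblings `inst_45drives` and `inst_docker` live in src/functions.sh, which this very commit edits; the same goes for `inst_onlyoffice` in the next hunk and `inst_pbs` in the PBS patch. Moving the three helpers into functions.sh keeps repository and key configuration in one reviewable place. Also `apt-get install … && systemctl enable matrix-synapse` hides the install failure inside an `&&` list where `set -e` does not act; write them as two lines so a failed install is reported at the install step and the `systemctl enable` is visibly skipped.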
@@ -11,6 +11,13 @@ source /root/constants-service.conf set -euo pipefail +#### Set repo and install onlyoffice #### +inst_onlyoffice() { + apt_repo "onlyoffice" "https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE" "https://download.onlyoffice.com/repo/debian" "squeeze" "main" + apt update + DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq ttf-mscorefonts-installer onlyoffice-documentserver +} + ONLYOFFICE_DB_PASS=$(random_password) inst_postgresql From 0313a05f36f1e132d7a00839a15ae0cb9e8c2ff8 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 18 Jan 2026 11:40:34 +0000 Subject: [PATCH 40/59] debian 13 for cloudpanel with mariadb 11.8 --- src/cloudpanel/install-service.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/cloudpanel/install-service.sh b/src/cloudpanel/install-service.sh index 9bce99b..bf70f62 100644 --- a/src/cloudpanel/install-service.sh +++ b/src/cloudpanel/install-service.sh @@ -10,5 +10,4 @@ source zamba.conf wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh -echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c -DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh +DB_ENGINE=MARIADB_11.8 SWAP=false bash install.sh From 9e5a779308c2f981c4feb5b8df0a08ff8233f50c Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 18 Jan 2026 12:04:48 +0000 Subject: [PATCH 41/59] update docker --- src/docker/constants-service.conf | 2 +- src/docker/install-service.sh | 14 +------------- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/src/docker/constants-service.conf b/src/docker/constants-service.conf index 01b28ca..00f9f4c 100644 --- a/src/docker/constants-service.conf +++ b/src/docker/constants-service.conf 
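Review bot: `ttf-mscorefonts-installer` needs its EULA accepted through debconf; under `DEBIAN_FRONTEND=noninteractive` the question is never shown, so unless the answer is pre-seeded the fonts are not fetched or the install fails, and the package sits in `contrib`, which the LXC template may not enable. Pre-seed it before the install, `echo "ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true" | debconf-set-selections`, or drop the package if the fonts are not required. The `apt_repo` call hard-codes the `squeeze` suite, which is what the ONLYOFFICE repository really uses; a short comment saying so will stop the next reader from "fixing" it to `$(lsb_release -cs)`.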
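Review bot: The `sha256sum -c` check on the downloaded install.sh is deleted in the cloudpanel hunk, so a script fetched from installer.cloudpanel.io is now executed as root with no integrity verification at all; if the hash merely went stale with the new installer, update it rather than dropping the check, `echo "<sha256 of the verified install.sh> install.sh" | sha256sum -c || exit 1`. The explicit `|| exit 1` matters if this file has no `set -e` (none is visible in the hunk). `curl -sS` should also become `curl -fsS` so an HTTP error page is not saved as install.sh and run; the MariaDB version bump itself is fine.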
@@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 diff --git a/src/docker/install-service.sh b/src/docker/install-service.sh index c242173..6d08041 100644 --- a/src/docker/install-service.sh +++ b/src/docker/install-service.sh @@ -9,15 +9,7 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -# Add Docker's official GPG key: -install -m 0755 -d /etc/apt/keyrings -curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg -chmod a+r /etc/apt/keyrings/docker.gpg - -# Add the repository to Apt sources: -echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null -apt-get update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin +inst_docker SECRET=$(random_password) myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1) @@ -26,8 +18,6 @@ install_portainer_full() { mkdir -p /opt/portainer/data cd /opt/portainer cat << EOF > /opt/portainer/docker-compose.yml -version: "3.4" - services: portainer: restart: always @@ -52,8 +42,6 @@ install_portainer_agent() { mkdir -p /opt/portainer-agent/data cd /opt/portainer-agent cat << EOF > /opt/portainer-agent/docker-compose.yml -version: "3.4" - services: portainer: restart: always From 0a0e1a2adda1501839716220128b5623c21c5064 Mon Sep 17 00:00:00 2001 
From: Thorsten Spille Date: Sun, 18 Jan 2026 12:04:58 +0000 Subject: [PATCH 42/59] Remove ecodms --- src/ecodms/constants-service.conf | 36 ------------------------------- 1 file changed, 36 deletions(-) delete mode 100644 src/ecodms/constants-service.conf diff --git a/src/ecodms/constants-service.conf b/src/ecodms/constants-service.conf deleted file mode 100644 index c7744af..0000000 --- a/src/ecodms/constants-service.conf +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -# This file contains the project constants on service level - -# Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" - -# Create sharefs mountpoint -LXC_MP=0 -# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) -LXC_SHAREFS_MOUNTPOINT="tank" -# Defines the recordsize of mp0 -LXC_MP_RECORDSIZE="16K" - -# Create unprivileged container -LXC_UNPRIVILEGED="1" - -# enable nesting feature -LXC_NESTING="1" - -# enable keyctl feature -LXC_KEYCTL="0" - -# set ecodms release version -ECODMS_RELEASE=ecodms_230164 - -# Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=6144 - -# service dependent meta tags -SERVICE_TAGS="java,postgresql" \ No newline at end of file From af0850125891afc483dfb63da9fc07ed7960adec Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 18 Jan 2026 12:05:06 +0000 Subject: [PATCH 43/59] remove ecodms --- src/ecodms/install-service.sh | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 src/ecodms/install-service.sh diff --git a/src/ecodms/install-service.sh b/src/ecodms/install-service.sh deleted file mode 100644 index 9eaf184..0000000 --- a/src/ecodms/install-service.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -source /root/functions.sh -source /root/zamba.conf -source /root/constants-service.conf - -echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections -echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections - -echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list -wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg - -apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver \ No newline at end of file From cdbc3093ea7504fa745e2ef0460677f33c61308f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 18 Jan 2026 12:05:16 +0000 Subject: [PATCH 44/59] Update freescout --- src/freescout/constants-service.conf | 4 +++- src/freescout/install-service.sh | 12 +++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/src/freescout/constants-service.conf b/src/freescout/constants-service.conf index c4548eb..8ad4e55 100644 --- a/src/freescout/constants-service.conf +++ b/src/freescout/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 @@ -29,5 +29,7 @@ LXC_KEYCTL="0" # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 +FS_PHP_VERSION=8.4 + # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/freescout/install-service.sh b/src/freescout/install-service.sh index cfe3b11..d910168 100644 --- a/src/freescout/install-service.sh 
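Review bot: `FS_PHP_VERSION=8.4` in the freescout constants hunk is the only setting in that file without the one-line comment every other constant carries, and unlike its kimai counterpart `KIMAI_PHP_VERSION="8.4"` it is unquoted. Add `# Defines the php version to install` above it and quote the value so the two constants files stay consistent.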
+++ b/src/freescout/install-service.sh @@ -18,10 +18,12 @@ MYSQL_PASSWORD="$(random_password)" apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git +inst_php cli,zip,curl,intl,fpm,mysql,imap,xml,mbstring,gd $FS_PHP_VERSION + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client ssl-cert git -echo ‘cgi.fix_pathinfo=0’ >> /etc/php/8.2/fpm/php.ini +echo ‘cgi.fix_pathinfo=0’ >> /etc/php/$FS_PHP_VERSION/fpm/php.ini cat << EOF > /etc/nginx/sites-available/default server { @@ -52,7 +54,7 @@ server { location ~ .php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + fastcgi_pass unix:/var/run/php/php${FS_PHP_VERSION}-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; include fastcgi_params; @@ -125,8 +127,8 @@ cat << EOF > /etc/cron.d/freescout * * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1 EOF -systemctl enable --now php8.2-fpm -systemctl restart php8.2-fpm nginx +systemctl enable --now php${FS_PHP_VERSION}-fpm +systemctl restart php${FS_PHP_VERSION}-fpm nginx LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) From 39a70db706f18953b18b492a40aa81c910799b27 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 18 Jan 2026 12:17:41 +0000 Subject: [PATCH 45/59] freesout fixes --- src/freescout/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freescout/install-service.sh b/src/freescout/install-service.sh index d910168..bc1f037 100644 --- a/src/freescout/install-service.sh +++ b/src/freescout/install-service.sh 
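Review bot: The rewritten `echo ‘cgi.fix_pathinfo=0’ >> /etc/php/$FS_PHP_VERSION/fpm/php.ini` keeps the typographic quotes U+2018/U+2019 from the old line; if those characters are really in the file and not a rendering artifact, the appended entry is `‘cgi.fix_pathinfo=0’`, an unknown directive PHP ignores, so the path-info hardening this line exists to enable never takes effect. Replace them with ASCII quotes, `echo 'cgi.fix_pathinfo=0' >> /etc/php/$FS_PHP_VERSION/fpm/php.ini`, and confirm the FPM pool reports the setting after the restart. The remaining hunks in this file only substitute the version into socket and unit names and look correct.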
@@ -106,10 +106,10 @@ GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' CREATE DATABASE IF NOT EXISTS freescout; GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';" -curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i - +curl -s https://api.github.com/repos/freescout-help-desk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i - cd $webroot tar -vxf freescout.tar.gz -dir=$(ls -d freescout-helpdesk-freescout*) +dir=$(ls -d freescout-help-desk-freescout*) mv -v $dir freescout chown -R www-data:www-data /var/www/html find /var/www/html -type f -exec chmod 664 {} \; From cbad641b1bf3378a239129069084ba3f6ad4f714 Mon Sep 17 00:00:00 2001 From: Markus Date: Sun, 18 Jan 2026 13:24:06 +0100 Subject: [PATCH 46/59] Update PBS to 4 --- src/proxmox-pbs/constants-service.conf | 2 +- src/proxmox-pbs/install-service.sh | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/proxmox-pbs/constants-service.conf b/src/proxmox-pbs/constants-service.conf index 92b94cb..43aed2d 100644 --- a/src/proxmox-pbs/constants-service.conf +++ b/src/proxmox-pbs/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 diff --git a/src/proxmox-pbs/install-service.sh b/src/proxmox-pbs/install-service.sh index 249217a..33fb220 100644 --- a/src/proxmox-pbs/install-service.sh +++ b/src/proxmox-pbs/install-service.sh @@ -1,5 +1,7 @@ #!/bin/bash +set -euo pipefail + # Authors: # (C) 2021 Idea an concept by Christian Zengel # (C) 2021 Script design and prototype by Markus Helmke 
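Review bot: The download pipeline still has no failure handling: `curl -s` without `-f` hands an error page to `grep tarball_url` on a failed or rate-limited API call, `wget -i -` then fetches nothing, and the script carries on to `tar` and `mv` with whatever is already in $webroot. Use `curl -fsS`, capture the URL in a variable and abort if it is empty before calling wget. The tarball is also taken from the "latest" release with no checksum or signature check; pinning a release tag in constants-service.conf would at least make what gets installed deterministic. The renamed GitHub org in the URL and in the `ls -d` glob must agree, and they do here.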
@@ -9,16 +11,14 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list -# PBS pbs-no-subscription repository provided by proxmox.com, -# NOT recommended for production use -deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription -EOF - -wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null - +#### Set repo and install onlyoffice #### +inst_pbs() { + apt_repo "proxmox" "https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg" "http://download.proxmox.com/debian/pbs" "trixie" "pbs-no-subscription" apt update && apt upgrade -y DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server +} + +inst_pbs proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA From 753243e444fed8dd0998ebaf97c10684b48e67c4 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 18 Jan 2026 12:37:48 +0000 Subject: [PATCH 47/59] Update to Debian 13 --- src/gitea/constants-service.conf | 2 +- src/gitea/install-service.sh | 8 +++----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf index 43c49cd..c534d11 100644 --- a/src/gitea/constants-service.conf +++ b/src/gitea/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh index bbda4c0..fd57e91 100644 --- a/src/gitea/install-service.sh +++ b/src/gitea/install-service.sh 
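Review bot: The header comment `#### Set repo and install onlyoffice ####` above `inst_pbs()` was copied from the onlyoffice installer and should read `#### Set repo and install Proxmox Backup Server ####`. The removed heredoc also carried the note that pbs-no-subscription is "NOT recommended for production use"; keep that as a comment next to the `apt_repo` call now that the suite name is buried in an argument. `trixie` is hard-coded here while the matrix and docker helpers derive the suite with `$(lsb_release -cs)`; that is acceptable given `LXC_TEMPLATE_VERSION="debian-13-standard"`, but a comment saying the key file name and suite must be bumped together with the template would help.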
@@ -9,15 +9,13 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null -echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list +inst_nginx -wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null -echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list +inst_postgresql apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq git ssl-cert unzip zip systemctl enable --now postgresql From 6e009743f470469e0ea68071239b493b8d4b2a7a Mon Sep 17 00:00:00 2001 
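Review bot: `apt update` is kept after the new `inst_nginx` and `inst_postgresql` calls although the helpers visible in functions.sh (`inst_45drives`, `inst_docker`) each end with their own `apt update`; if these two follow the same pattern the standalone call is redundant and can go. The removed lines used the upstream nginx.org and PGDG repositories with `$(lsb_release -cs)`-based suites; make sure the helpers provide equivalent sources, or document that the Debian 13 packages are now used, so `systemctl enable --now postgresql` below still targets the intended version.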
From: Thorsten Spille Date: Sun, 18 Jan 2026 12:52:37 +0000 Subject: [PATCH 48/59] remove kopano, ad-restore, enable strict mode in all installers --- TODO Debian 13 | 1 + src/ansible-semaphore/install-service.sh | 2 + src/authentik/install-service.sh | 2 + src/bookstack/install-service.sh | 2 + src/checkmk/install-service.sh | 2 + src/docker/install-service.sh | 2 + src/gitea/install-service.sh | 2 + src/icinga2/install-service.sh | 2 + src/kimai/constants-service.conf | 4 +- src/kimai/install-service.sh | 7 +- src/kopano-core/constants-service.conf | 53 ----- src/kopano-core/install-service.sh | 276 ---------------------- src/mailcow/install-service.sh | 2 + src/matrix/install-service.sh | 4 +- src/onlyoffice/install-service.sh | 4 +- src/open3a/install-service.sh | 2 + src/piler/install-service.sh | 2 + src/rei3/install-service.sh | 2 + src/urbackup/install-service.sh | 2 + src/vaultwarden/install-service.sh | 2 + src/zammad/install-service.sh | 2 + src/zmb-ad-restore/constants-service.conf | 45 ---- src/zmb-ad-restore/install-service.sh | 195 --------------- src/zmb-cups/install-service.sh | 2 + src/zmb-member/install-service.sh | 2 + src/zmb-standalone/install-service.sh | 2 + 26 files changed, 44 insertions(+), 579 deletions(-) create mode 100644 TODO Debian 13 delete mode 100644 src/kopano-core/constants-service.conf delete mode 100644 src/kopano-core/install-service.sh delete mode 100644 src/zmb-ad-restore/constants-service.conf delete mode 100644 src/zmb-ad-restore/install-service.sh diff --git a/TODO Debian 13 b/TODO Debian 13 new file mode 100644 index 0000000..ad91e89 --- /dev/null +++ b/TODO Debian 13 @@ -0,0 +1 @@ +- icinga2 diff --git a/src/ansible-semaphore/install-service.sh b/src/ansible-semaphore/install-service.sh index a9dc2ca..ffb4c26 100644 --- a/src/ansible-semaphore/install-service.sh +++ b/src/ansible-semaphore/install-service.sh 
@@ -5,6 +5,8 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/authentik/install-service.sh b/src/authentik/install-service.sh index 3333df4..922975c 100644 --- a/src/authentik/install-service.sh +++ b/src/authentik/install-service.sh @@ -5,6 +5,8 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/bookstack/install-service.sh b/src/bookstack/install-service.sh index a040873..7d12c05 100644 --- a/src/bookstack/install-service.sh +++ b/src/bookstack/install-service.sh @@ -7,6 +7,8 @@ set -euo pipefail # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/checkmk/install-service.sh b/src/checkmk/install-service.sh index d619409..499934e 100644 --- a/src/checkmk/install-service.sh +++ b/src/checkmk/install-service.sh @@ -5,6 +5,8 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/docker/install-service.sh b/src/docker/install-service.sh index 6d08041..1856481 100644 --- a/src/docker/install-service.sh +++ b/src/docker/install-service.sh @@ -5,6 +5,8 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf 
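Review bot: The bookstack hunk adds a second `set -euo pipefail` — its hunk header context shows the file already has one at the top — so drop the duplicate there. More generally, turning on `set -u` in existing installers means any variable zamba.conf or constants-service.conf leaves unset now aborts the run, and `set -e` turns previously tolerated non-zero exits (a `grep` with no match inside a pipeline, an `apt` call expected to fail on a re-run) into hard stops; each converted installer needs a full run in a fresh container to confirm it still completes. Placing the line before the `source` block, as every hunk here does, is the right order because a missing config file then aborts immediately.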
diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh index fd57e91..68fa218 100644 --- a/src/gitea/install-service.sh +++ b/src/gitea/install-service.sh @@ -5,6 +5,8 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 45a7228..749d725 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -1,4 +1,6 @@ +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf diff --git a/src/kimai/constants-service.conf b/src/kimai/constants-service.conf index a940f2e..27df3c5 100644 --- a/src/kimai/constants-service.conf +++ b/src/kimai/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 @@ -30,7 +30,7 @@ LXC_KEYCTL="0" #KIMAI_VERSION="main" # Defines the php version to install -KIMAI_PHP_VERSION="8.2" +KIMAI_PHP_VERSION="8.4" # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 diff --git a/src/kimai/install-service.sh b/src/kimai/install-service.sh index ee941f7..19d4b2e 100644 --- a/src/kimai/install-service.sh +++ b/src/kimai/install-service.sh 
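Review bot: The icinga2 hunk inserts `set -euo pipefail` as line 1 of a file that, judging by `@@ -1,4 +1,6 @@` starting at `source …`, has no `#!/bin/bash` shebang; `pipefail` is a bash option, so if the installer is ever run through `sh` the new first line itself fails. Add `#!/bin/bash` above it as the other installers in this series have. The gitea hunk is fine, and the kimai bump to PHP 8.4 matches the Debian 13 template.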
@@ -14,12 +14,11 @@ source /root/constants-service.conf KIMAI_DB_PWD=$(random_password) webroot=/var/www/kimai/public -#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - -#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list - apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl +inst_php intl,cli,fpm,mysql,xml,mbstring,gd,tokenizer,zip,opcache,curl $KIMAI_PHP_VERSION + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client mkdir -p /etc/nginx/ssl openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" diff --git a/src/kopano-core/constants-service.conf b/src/kopano-core/constants-service.conf deleted file mode 100644 index 0dae961..0000000 --- a/src/kopano-core/constants-service.conf +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -# This file contains the project constants on service level - -# Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-11-standard" - -# Create sharefs mountpoint -LXC_MP=0 -# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) -LXC_SHAREFS_MOUNTPOINT="tank" -# Defines the recordsize of mp0 -LXC_MP_RECORDSIZE="16K" - -# Create unprivileged container -LXC_UNPRIVILEGED="1" - -# enable nesting feature -LXC_NESTING="1" - -# enable keyctl feature -LXC_KEYCTL="0" - -# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest') -KOPANO_VERSION="latest" - -# Defines the php version to install -KOPANO_PHP_VERSION="7.4" - -# Defines Maria DB Version -MARIA_DB_VERS="10.5" - -# Defines the name from the SQL database -MARIA_DB_NAME="kopano" - -# Defines the name from the SQL user -MARIA_DB_USER="kopano" - -# Build a strong password for the SQL user - could be overwritten with something fixed - -MARIA_ROOT_PWD=$(random_password) -MARIA_USER_PWD=$(random_password) - -# Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=4096 - -# service dependent meta tags -SERVICE_TAGS="php-fpm,nginx,mariadb" \ No newline at end of file diff --git a/src/kopano-core/install-service.sh b/src/kopano-core/install-service.sh deleted file mode 100644 index fa73226..0000000 --- a/src/kopano-core/install-service.sh +++ /dev/null 
@@ -1,276 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -source /root/functions.sh -source /root/zamba.conf -source /root/constants-service.conf - -HOSTNAME=$(hostname -f) - -#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add - -#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list - -wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add - -echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list - -wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add - -echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list - -apt update - -#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \ -#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip} -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \ -php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip} - -#timedatectl set-timezone Europe/Berlin -#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www -#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www - -#### Secure Maria Instance #### - -mysqladmin -u root password "[$MARIA_ROOT_PWD]" - -mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''" -mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')" -#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR 
Db='test_%'" -mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES" - -#### Create user and DB for Kopano #### - -mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'" -mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'" -mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES" - -echo "root-password: $MARIA_ROOT_PWD,\ -db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log - -cat > /etc/apt/sources.list.d/kopano.list << EOF - -# Kopano Core -deb https://download.kopano.io/supported/core:/final/Debian_11/ ./ - -# Kopano WebApp -deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./ - -# Kopano MobileDeviceManagement -deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./ - -# Kopano Files -deb https://download.kopano.io/supported/files:/final/Debian_11/ ./ - -# Z-Push -deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./ - -EOF - -cat > /etc/apt/auth.conf.d/kopano.conf << EOF - -machine download.kopano.io -login serial -password $KOPANO_REPKEY - -EOF - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add - -curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add - - -apt update && apt full-upgrade -y - -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \ -z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files - -#### 
Adjust kopano settings #### - -cat > /etc/kopano/ldap.cfg << EOF - -!include /usr/share/kopano/ldap.active-directory.cfg - -ldap_uri = ldap://192.168.100.100:389 -ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks -ldap_bind_passwd = Start123! -ldap_search_base = dc=zmb,dc=rocks - -#ldap_user_search_filter = (kopanoAccount=1) - -EOF - -cat > /etc/kopano/server.cfg << EOF - -server_listen = *:236 -local_admin_users = root kopano - -#database_engine = mysql -#mysql_host = localhost -#mysql_port = 3306 -mysql_user = $MARIA_DB_USER -mysql_password = $MARIA_USER_PWD -mysql_database = $MARIA_DB_NAME - -#user_plugin = ldap -#user_plugin_config = /etc/kopano/ldap.cfg - -EOF - -#### Adjust php settings #### - -sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php - -cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF - -[webapp] -listen = 127.0.0.1:9002 -user = www-data -group = www-data -listen.allowed_clients = 127.0.0.1 -pm = dynamic -pm.max_children = 150 -pm.start_servers = 35 -pm.min_spare_servers = 20 -pm.max_spare_servers = 50 -pm.max_requests = 200 -listen.backlog = -1 -request_terminate_timeout = 120s -rlimit_files = 131072 -rlimit_core = unlimited -catch_workers_output = yes - -EOF - -sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php - -#### Adjust nginx settings #### - -openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN" -generate_dhparam - -#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak - -cat > /etc/nginx/sites-available/webapp.conf << EOF -upstream php-handler { - #server 127.0.0.1:9002; - #server unix:/var/run/php5-fpm.sock; - server unix:/var/run/php/php7.4-fpm.sock; -} - -server{ - listen 80; - charset utf-8; - listen [::]:80; - server_name _; - - location / { - rewrite ^(.*) https://\$server_name\$1 permanent; - } - } - 
-server { - charset utf-8; - listen 443; - listen [::]:443 ssl; - server_name _; - ssl on; - client_max_body_size 1024m; - ssl_certificate /etc/ssl/certs/kopano.crt; - ssl_certificate_key /etc/ssl/private/kopano.key; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; - ssl_prefer_server_ciphers on; - # - # ssl_dhparam require you to create a dhparam.pem, this takes a long time - ssl_dhparam /etc/nginx/dhparam.pem; - # - - # add headers - server_tokens off; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - - location /webapp { - alias /usr/share/kopano-webapp/; - index index.php; - - location ~ /webapp/presence/ { - rewrite ^/webapp/presence(/.*)$ \$1 break; - proxy_pass http://localhost:1234; - proxy_set_header Upgrade \$http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_http_version 1.1; - } - - } - - location ~* ^/webapp/(.+\.php)$ { - alias /usr/share/kopano-webapp/; - - # deny access to .htaccess files - location ~ /\.ht { - deny all; - } - - fastcgi_param PHP_VALUE " - register_globals=off - magic_quotes_gpc=off - magic_quotes_runtime=off - post_max_size=31M - upload_max_filesize=30M - "; - fastcgi_param PHP_VALUE "post_max_size=31M - upload_max_filesize=30M - max_execution_time=3660 - "; - - include fastcgi_params; - fastcgi_index index.php; - #fastcgi_param HTTPS on; - fastcgi_param SCRIPT_FILENAME \$document_root\$1; - fastcgi_pass php-handler; - access_log /var/log/nginx/kopano-webapp-access.log; - error_log /var/log/nginx/kopano-webapp-error.log; - - # CSS and Javascript - location ~* \.(?:css|js)$ { - expires 1y; - access_log 
off;
- add_header Cache-Control "public";
- }
-
- # All (static) resources set to 2 months expiration time.
- location ~* \.(?:jpg|gif|png)\$ {
- expires 2M;
- access_log off;
- add_header Cache-Control "public";
- }
-
- # enable gzip compression
- gzip on;
- gzip_min_length 1100;
- gzip_buffers 4 32k;
- gzip_types text/plain application/x-javascript text/xml text/css application/json;
- gzip_vary on;
- }
-
-}
-
-map \$http_upgrade \$connection_upgrade {
- default upgrade;
- '' close;
-}
-EOF
-
-
-
-ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
-
-phpenmod kopano
-systemctl restart php7.4-fpm nginx
diff --git a/src/mailcow/install-service.sh b/src/mailcow/install-service.sh
index 16a1bcc..63dcd77 100644
--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
diff --git a/src/matrix/install-service.sh b/src/matrix/install-service.sh
index fa54e91..eb929d5 100644
--- a/src/matrix/install-service.sh
+++ b/src/matrix/install-service.sh
@@ -5,12 +5,12 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-set -euo pipefail
-
 #### Set repo and install matrix ####
 inst_matrix() {
 apt_repo "matrix" "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" "https://packages.matrix.org/debian" "$(lsb_release -cs)" "main"
diff --git a/src/onlyoffice/install-service.sh b/src/onlyoffice/install-service.sh
index 1bb429f..943d78b 100644
--- a/src/onlyoffice/install-service.sh
+++ b/src/onlyoffice/install-service.sh
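Review bot: `set -euo pipefail` now precedes the three `source` lines, so `-u` also governs `/root/zamba.conf` and `/root/constants-service.conf`; any optional setting a user left undefined aborts the install with bash's bare "unbound variable" message and no indication of which script or line failed. Consider an ERR trap directly after it, `trap 'echo "[ERROR] ${BASH_SOURCE[0]}:${LINENO}: ${BASH_COMMAND}" >&2' ERR`, so the failing command is logged, and `${VAR:-default}` for settings that are legitimately optional. The same applies to the matrix hunk here and to the onlyoffice, open3a, piler, rei3, urbackup, vaultwarden, zammad, zmb-cups, zmb-member and zmb-standalone hunks later in this patch; moving the directive above the `source` lines in matrix and onlyoffice makes those two consistent with the rest.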
@@ -5,12 +5,12 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-set -euo pipefail
-
 #### Set repo and install onlyoffice ####
 inst_onlyoffice() {
 apt_repo "onlyoffice" "https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE" "https://download.onlyoffice.com/repo/debian" "squeeze" "main"
diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh
index ff96ff0..0fb565a 100644
--- a/src/open3a/install-service.sh
+++ b/src/open3a/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
diff --git a/src/piler/install-service.sh b/src/piler/install-service.sh
index 72a7e98..67125b2 100644
--- a/src/piler/install-service.sh
+++ b/src/piler/install-service.sh
@@ -3,6 +3,8 @@
 # Author:
 # (C) 2024 Thorsten Spille
+set -euo pipefail
+
 source zamba.conf
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
diff --git a/src/rei3/install-service.sh b/src/rei3/install-service.sh
index 7ecaaaf..6f2a3d5 100644
--- a/src/rei3/install-service.sh
+++ b/src/rei3/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
diff --git a/src/urbackup/install-service.sh b/src/urbackup/install-service.sh
index 959aec8..88fe70c 100644
--- a/src/urbackup/install-service.sh
+++ b/src/urbackup/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
diff --git a/src/vaultwarden/install-service.sh b/src/vaultwarden/install-service.sh
index 2ee9866..0fe53ec 100644
--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh
index aa482c4..b485846 100644
--- a/src/zammad/install-service.sh
+++ b/src/zammad/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
diff --git a/src/zmb-ad-restore/constants-service.conf b/src/zmb-ad-restore/constants-service.conf
deleted file mode 100644
index e849a50..0000000
--- a/src/zmb-ad-restore/constants-service.conf
+++ /dev/null
@@ -1,45 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -# This file contains the project constants on service level - -# Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-13-standard" - -# Create sharefs mountpoint -LXC_MP=0 -# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) -LXC_SHAREFS_MOUNTPOINT="backup" -# Defines the recordsize of mp0 -LXC_MP_RECORDSIZE="16K" - -# Create unprivileged container -LXC_UNPRIVILEGED="0" - -# enable nesting feature -LXC_NESTING="1" - -# enable keyctl feature -LXC_KEYCTL="0" - -# add optional features to samba ad dc - -# CURRENTLY SUPPORTED: -# wsdd = add windows service discovery -# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup -# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ - -# Example: -# OPTIONAL_FEATURES=(wsdd) -# OPTIONAL_FEATURES=(wsdd splitdns) -OPTIONAL_FEATURES=(wsdd) - -# Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=1024 - -# service dependent meta tags -SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary" \ No newline at end of file diff --git a/src/zmb-ad-restore/install-service.sh b/src/zmb-ad-restore/install-service.sh deleted file mode 100644 index a0045bf..0000000 --- a/src/zmb-ad-restore/install-service.sh +++ /dev/null 
@@ -1,195 +0,0 @@ -#!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -source /root/functions.sh -source /root/zamba.conf -source /root/constants-service.conf - -ZMB_DNS_BACKEND="SAMBA_INTERNAL" - -for f in ${OPTIONAL_FEATURES[@]}; do - if [[ "$f" == "wsdd" ]]; then - ADDITIONAL_PACKAGES="wsdd2 $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="wsdd2 $ADDITIONAL_SERVICES" - elif [[ "$f" == "splitdns" ]]; then - ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" - elif [[ "$f" == "bind9dlz" ]]; then - ZMB_DNS_BACKEND="BIND9_DLZ" - ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES" - else - echo "Unsupported optional feature $f" - fi -done - -# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list - -# update packages -apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade -# install required packages -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils - -mkdir -p /etc/chrony/conf.d -mkdir -p /etc/systemd/system/chrony.service.d - -cat << EOF > /etc/default/chrony -# This is a configuration file for /etc/init.d/chrony and -# /lib/systemd/system/chrony.service; it allows you to pass various options to -# the chrony daemon without editing the init script or service file. - -# Options to pass to chrony. 
-DAEMON_OPTS="-x -F 1" -EOF - -cat << EOF > /etc/systemd/system/chrony.service.d/override.conf -[Unit] -ConditionCapability= -EOF - -cat << EOF > /etc/chrony/conf.d/samba.conf -bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev) -server de.pool.ntp.org iburst -server europe.pool.ntp.org iburst -allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev) -ntpsigndsocket /var/lib/samba/ntp_signd -EOF - -if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then - cat << EOF > /etc/nginx/sites-available/default -server { - listen 80 default_server; - server_name _; - return 301 http://www.$LXC_DOMAIN\$request_uri; -} -EOF -fi - -if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then - # configure bind dns service - cat << EOF > /etc/default/bind9 -# -# run resolvconf? -RESOLVCONF=no - -# startup options for the server -OPTIONS="-4 -u bind" -EOF - - cat << EOF > /etc/bind/named.conf.local -// -// Do any local configuration here -// - -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; -dlz "$LXC_DOMAIN" { - database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; -}; -EOF - - cat << EOF > /etc/bind/named.conf.options -options { - directory "/var/cache/bind"; - - forwarders { - $LXC_DNS; - }; - - allow-query { any;}; - dnssec-validation no; - - auth-nxdomain no; # conform to RFC1035 - listen-on-v6 { any; }; - listen-on { any; }; - - tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; - minimal-responses yes; -}; -EOF - - mkdir -p /var/lib/samba/bind-dns/dns -fi - -# stop + disable samba services and remove default config -systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1 -rm -f /etc/samba/smb.conf -rm -f /etc/krb5.conf - -rm -r /var/lib/samba/* - -backupfile=$(find /backup/online -name samba-backup* | tail -1) 
-samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/ - -ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf - -# disable password expiry for administrator -samba-tool user setexpiry Administrator --noexpiry - -systemctl unmask samba-ad-dc -systemctl enable samba-ad-dc -systemctl restart samba-ad-dc $ADDITIONAL_SERVICES - -# configure ad backup -cat << EOF > /usr/local/bin/smb-backup -#!/bin/bash -PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - -rc=0 -keep=\$1 - -mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline} - -prune () { - backup_type=\$1 - if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then - find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm - fi -} - -echo "\$(date) Starting samba-ad-dc online backup" -if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then - echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..." - prune online -else - echo "\$(date) samba-ad-dc online backup failed" - rc=\$((\$rc + 1)) -fi - -echo "\$(date) Starting samba-ad-dc offline backup" -if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then - echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..." - prune offline -else - echo "S(date) samba-ad-dc offline backup failed" - rc=\$((\$rc + 1)) -fi - -exit \$rc -EOF -chmod +x /usr/local/bin/smb-backup - -cat << EOF > /etc/cron.d/smb-backup -23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 -EOF - -cat << EOF > /etc/logrotate.d/smb-backup -/var/log/smb-backup.log { - weekly - rotate 12 - compress - delaycompress - missingok - notifempty - create 644 root root -} -EOF - -exit 0 \ No newline at end of file 
diff --git a/src/zmb-cups/install-service.sh b/src/zmb-cups/install-service.sh
index 0f8333c..a79b066 100644
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh
index c211b1e..f75b26b 100644
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh
index 2d149f7..1cd4af6 100644
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke
 # (C) 2021 Script rework and documentation by Thorsten Spille
+set -euo pipefail
+
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
From 9b7ee21fae72ba8123936c1df358957198de32f4 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 18 Jan 2026 13:33:10 +0000 Subject: [PATCH 49/59] fix mailcow
---
 src/mailcow/install-service.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mailcow/install-service.sh b/src/mailcow/install-service.sh
index 63dcd77..fdc06ae 100644
--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@@ -266,7 +266,7 @@ USE_WATCHDOG=y #WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # JSON body included in the webhook POST request. Needs to be in single quotes. # Following variables are available: SUBJECT, BODY -#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}' +#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**\${SUBJECT}**\n\${BODY}"}' # Notify about banned IP (includes whois lookup) WATCHDOG_NOTIFY_BAN=n From b8c3bb3438b1f11674bc9603afc14ebb48847ca4 Mon Sep 17 00:00:00 2001 From: Markus Date: Sun, 18 Jan 2026 14:43:55 +0100 Subject: [PATCH 50/59] Update unif & omada --- src/functions.sh | 18 +++++++++++++++++- src/omada/constants-service.conf | 2 +- src/omada/install-service.sh | 15 ++++++--------- src/unifi/constants-service.conf | 2 +- src/unifi/install-service.sh | 14 ++++++++------ 5 files changed, 33 insertions(+), 18 deletions(-) diff --git a/src/functions.sh b/src/functions.sh index 77dd007..510bdbd 100644 --- a/src/functions.sh +++ b/src/functions.sh 
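Review bot: Escaping `${SUBJECT}` and `${BODY}` fixes this one commented template line, but the fix is per-occurrence inside an unquoted heredoc whose opening `cat << EOF` sits above this hunk; with `set -u` now active for this script (added earlier in this series), every other unescaped `${...}` in the generated mailcow.conf that is not a variable of the installer aborts the run the same way. Check the rest of that heredoc for literal dollar signs, or move the static part of the template into a quoted heredoc (`cat << 'EOF'`) so nothing there needs escaping at all.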
@@ -115,5 +115,21 @@ inst_45drives() {
 inst_docker() {
 apt_repo "docker" "https://download.docker.com/linux/debian/gpg" "https://download.docker.com/linux/debian" "$(lsb_release -cs)" stable
 apt update
- DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
+ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
 }
+#### Set repo and install MongoDB ####
+inst_mongodb() {
+ MONGODB_VERSION=${1:-8.0}
+
+ apt_repo "mongodb" "https://www.mongodb.org/static/pgp/server-$MONGODB_VERSION.asc" "http://repo.mongodb.org/apt/debian" "bookworm/mongodb-org/$MONGODB_VERSION" "main"
+ apt update
+ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq mongodb-org
+}
+
+#### Set repo and install MongoDB ####
+inst_bashclub() {
+ BASHCLUB_COMPONENT=${1:-release}
+
+ apt_repo "bashclub" "https://apt.bashclub.org/gpg/bashclub.pub" "https://apt.bashclub.org/$BASHCLUB_COMPONENT" "$(lsb_release -cs)" "main"
+ apt update
+}
\ No newline at end of file
diff --git a/src/omada/constants-service.conf b/src/omada/constants-service.conf
index 5194b1f..f6ed68e 100644
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
diff --git a/src/omada/install-service.sh b/src/omada/install-service.sh
index 5692314..e3c0d65 100644
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
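Review bot: `inst_mongodb` pins the suite to `bookworm/mongodb-org/$MONGODB_VERSION` while the omada and unifi constants in this same commit move those containers to `debian-13-standard`; that only works because the bookworm packages happen to run there, so make it an explicit decision with a comment above the `apt_repo` line, `# MongoDB publishes no trixie suite; bookworm packages are used on Debian 13`, rather than a bare codename next to the `$(lsb_release -cs)` used in `inst_bashclub`.
The repository URL is plain `http://repo.mongodb.org/apt/debian` although the signing key is fetched over HTTPS; where the mirror serves TLS, `https://` costs nothing and keeps the package index out of plaintext. The header above `inst_bashclub` is a copy of the MongoDB one and should read `#### Set bashclub repo ####`, and both `MONGODB_VERSION` and `BASHCLUB_COMPONENT` should be declared `local` so a call does not leak the value into the calling installer.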
@@ -10,14 +10,11 @@ set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
-wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
-wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
-echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
-# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
-echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
-apt update
+inst_mongodb
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc
+
+inst_bashclub omada
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
\ No newline at end of file
diff --git a/src/unifi/constants-service.conf b/src/unifi/constants-service.conf
index 09898b2..83c6c31 100644
--- a/src/unifi/constants-service.conf
+++ b/src/unifi/constants-service.conf
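Review bot: The removed lines pinned MongoDB to 7.0 (`server-7.0.asc`, `bookworm/mongodb-org/7.0`), but `inst_mongodb` is now called without an argument and therefore takes the helper's default of 8.0. Unless the `omadac` package has been verified against MongoDB 8.0, keep the previous major explicitly with `inst_mongodb 7.0`; a controller that cannot open its database fails only at first start, after the installer has already reported success. `inst_mongodb` is defined in `src/functions.sh`, outside this hunk.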
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
diff --git a/src/unifi/install-service.sh b/src/unifi/install-service.sh
index 753fa77..595483d 100644
--- a/src/unifi/install-service.sh
+++ b/src/unifi/install-service.sh
@@ -11,12 +11,14 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
-wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
+inst_unifi() {
+ apt_repo "unifi" "https://dl.ubnt.com/unifi/unifi-repo.gpg" "http://www.ui.com/downloads/unifi/debian" "stable" "ubiquiti"
+ apt update
+ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unifi
+}
-echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
-echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
+inst_mongodb
-apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi
\ No newline at end of file
+inst_unifi
\ No newline at end of file
From 2ec3e75c90a914c6941193cc63ce5045bc7399c5 Mon Sep 17 00:00:00 2001
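Review bot: Same MongoDB jump as in the omada hunk: the removed lines pinned 7.0 and the new `inst_mongodb` call takes the helper default of 8.0; confirm the UniFi Network Application release being installed supports that major before dropping the pin, otherwise call `inst_mongodb 7.0`. The new `inst_unifi` repository line points at `http://www.ui.com/downloads/unifi/debian` while its key comes from `https://dl.ubnt.com`; prefer an HTTPS repository URL where the mirror offers one so the package index is not fetched in plaintext. Defining `inst_unifi` inline and calling it once at the bottom works, but it reads more naturally beside the other `inst_*` helpers in `src/functions.sh`.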
From: Thorsten Spille Date: Sun, 18 Jan 2026 23:42:39 +0000 Subject: [PATCH 51/59] fix multiple containers for debian 13 --- conf/zamba.conf.example | 12 ------------ src/functions.sh | 2 +- src/icinga2/constants-service.conf | 4 ++-- src/icinga2/install-service.sh | 9 +++++---- src/nextcloud/install-service.sh | 1 - src/open3a/constants-service.conf | 2 +- src/open3a/install-service.sh | 12 +++++++----- src/piler/constants-service.conf | 2 +- src/piler/install-service.sh | 11 +++++------ src/rei3/constants-service.conf | 2 +- src/rei3/install-service.sh | 5 ++--- src/vaultwarden/constants-service.conf | 2 +- src/vaultwarden/install-service.sh | 4 +++- src/zabbix-proxy/constants-service.conf | 6 +++--- src/zabbix-proxy/install-service.sh | 11 +++++++---- src/zabbix/constants-service.conf | 10 +++++----- src/zabbix/install-service.sh | 19 +++++++++++-------- src/zammad/constants-service.conf | 2 +- src/zmb-standalone/install-service.sh | 2 +- 19 files changed, 57 insertions(+), 61 deletions(-) diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index 0595879..e8095ba 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example @@ -165,18 +165,6 @@ CMK_ADMIN_PW='Start!123' # free = limited version of the enterprise edition (25 hosts, 1 instance) CMK_EDITION=raw -############### Kopano-Section ############### - -# Define the FQDN of your Nextcloud server -KOPANO_FQDN="kopano.zmb.rocks" - -# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban -KOPANO_MAILGW="192.168.100.254" - -# Kopano test- or subscription-key offerd from -# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10 -KOPANO_REPKEY="1234567890abcdefghijklmno" - ############### vaultwarden Section ############### # Enable/disable signups (true/false) diff --git a/src/functions.sh b/src/functions.sh index 510bdbd..20aee4b 100644 --- a/src/functions.sh +++ b/src/functions.sh 
@@ -130,6 +130,6 @@ inst_mongodb() {
 inst_bashclub() {
 BASHCLUB_COMPONENT=${1:-release}
- apt_repo "bashclub" "https://apt.bashclub.org/gpg/bashclub.pub" "https://apt.bashclub.org/$BASHCLUB_COMPONENT" "$(lsb_release -cs)" "main"
+ apt_repo "bashclub-$BASHCLUB_COMPONENT" "https://apt.bashclub.org/gpg/bashclub.pub" "https://apt.bashclub.org/$BASHCLUB_COMPONENT" "$(lsb_release -cs)" "main"
 apt update
 }
\ No newline at end of file
diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf
index 944f7c9..ee6c969 100644
--- a/src/icinga2/constants-service.conf
+++ b/src/icinga2/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -34,4 +34,4 @@ SERVICE_TAGS="php-fpm,nginx,mariadb"
 CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
-PHP_VERSION=8.2
\ No newline at end of file
+PHP_VERSION=8.4
\ No newline at end of file
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index 749d725..869355b 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
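Review bot: `apt_repo "bashclub-$BASHCLUB_COMPONENT" ...` now derives the repository name from the caller's argument, and in at least one caller that argument is user configuration (`$PILER_BRANCH` in the piler installer later in this patch); if `apt_repo` uses the name for a `sources.list.d` file or a keyring path, a value containing `/`, whitespace or `..` ends up in a filesystem path. Validate it at the top of the function, `[[ "$BASHCLUB_COMPONENT" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "inst_bashclub: invalid component '$BASHCLUB_COMPONENT'" >&2; return 1; }`. `apt_repo` itself is outside this hunk, so how it uses the name is inferred.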
@@ -18,8 +18,8 @@ echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://pac
 curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list
-curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
-echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list
+curl -fsSL https://repos.influxdata.com/influxdata-archive.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian bookworm stable" > /etc/apt/sources.list.d/influxdata.list
 apt update
@@ -347,7 +347,8 @@ database:
 password: ${NOTIFICATIONS_DB_PASS}
 EOF
-cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
+mkdir -p /etc/icingaweb2/modules/notifications/
+cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
 [database]
 resource = "notifications"
 EOF
@@ -468,7 +469,7 @@ EOF
 icinga2 feature enable icingadb api influxdb2-writer perfdata
-icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
+#icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
 echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
 icingacli module enable reactbundle
diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh
index c87068c..b97fd77 100644
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
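Review bot: The InfluxData suite is now hard-coded to `bookworm` although this same commit moves the icinga2 container to `debian-13-standard`; if the reason is that `repos.influxdata.com/debian` has no trixie suite yet, record it in a comment above the `echo`, `# influxdata publishes no trixie suite; bookworm packages are used on Debian 13`, otherwise restore `$(lsb_release -cs)`. The key is now fetched from `influxdata-archive.key` but still written to `influxdata-archive_compat-keyring.gpg`; rename the keyring to `influxdata-archive-keyring.gpg` in both the `curl` and the `echo` line so the file name matches the key it holds.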
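Review bot: In the `@@ -468,7 +469,7 @@` hunk, commenting out `icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt` silently drops the system CA bundle from the x509 module without recording why. If the command fails on the new base image, either keep it non-fatal, `icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt || echo "[WARN] x509 CA import failed; monitored certificates may show as untrusted" >&2`, or leave a comment naming the error so the step can be restored later instead of being forgotten.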
@@ -576,4 +576,3 @@ echo "=> Modifying Crowdsec ..." mod_crowdsec echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################" -shutdown -r now diff --git a/src/open3a/constants-service.conf b/src/open3a/constants-service.conf index c4548eb..50fd76b 100644 --- a/src/open3a/constants-service.conf +++ b/src/open3a/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/open3a/install-service.sh b/src/open3a/install-service.sh index 0fb565a..a8b79e7 100644 --- a/src/open3a/install-service.sh +++ b/src/open3a/install-service.sh @@ -15,10 +15,13 @@ webroot=/var/www/html LXC_RANDOMPWD=20 MYSQL_PASSWORD="$(random_password)" +PHP_VERSION=8.4 apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd +inst_php cli,fpm,mysql,xml,mbstring,gd $PHP_VERSION + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client mkdir -p /etc/nginx/ssl openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" 
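Review bot: `PHP_VERSION=8.4` is hard-coded in the open3a install script in the third hunk, whereas icinga2 and zabbix in this same series carry `PHP_VERSION` in their `constants-service.conf`, so open3a is the one service whose PHP version cannot be tuned per container and will drift on the next bump. Move the assignment into `src/open3a/constants-service.conf` (the script presumably sources it like the other services; its header is outside the hunk) and keep only `inst_php cli,fpm,mysql,xml,mbstring,gd "$PHP_VERSION"` here. Quoting `"$PHP_VERSION"` also matches the `"$(lsb_release -cs)"` style the `apt_repo` calls in this series use.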
@@ -41,13 +44,12 @@ server { index index.php; - ssl on; ssl_certificate /etc/nginx/ssl/open3a.crt; ssl_certificate_key /etc/nginx/ssl/open3a.key; location ~ .php$ { include snippets/fastcgi-php.conf; - fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + fastcgi_pass unix:/var/run/php/php${PHP_VERSION}-fpm.sock; } } @@ -78,8 +80,8 @@ localhost &%%%&open3a &%%%&$MYSQL_PAS */ ?> EOF -systemctl enable --now php8.2-fpm -systemctl restart php8.2-fpm nginx +systemctl enable --now php${PHP_VERSION}-fpm +systemctl restart php${PHP_VERSION}-fpm nginx LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) diff --git a/src/piler/constants-service.conf b/src/piler/constants-service.conf index 88aac0c..21b0d3a 100644 --- a/src/piler/constants-service.conf +++ b/src/piler/constants-service.conf @@ -6,7 +6,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=1 diff --git a/src/piler/install-service.sh b/src/piler/install-service.sh index 67125b2..a3c7262 100644 --- a/src/piler/install-service.sh +++ b/src/piler/install-service.sh @@ -5,13 +5,12 @@ set -euo pipefail -source zamba.conf +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf -wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg - -echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list -echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list -apt update +inst_bashclub manticore +inst_bashclub $PILER_BRANCH DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler 
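Review bot: The first hunk changes `fastcgi_pass unix:/var/run/php/php8.2-fpm.sock` to `php${PHP_VERSION}-fpm.sock` inside a heredoc whose opening `cat << ...` line is outside the hunk; this only works if that heredoc is unquoted, otherwise nginx gets the literal path `/var/run/php/php${PHP_VERSION}-fpm.sock` and every PHP request fails with a 502. Please confirm the delimiter is `<< EOF` and not `<< 'EOF'`, and add `nginx -t` after the config is written so a broken socket path aborts the install under `set -e` instead of surfacing at first login. Unrelated to this change but in the same hunk, `location ~ .php$` has an unescaped dot and should read `location ~ \.php$`.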
diff --git a/src/rei3/constants-service.conf b/src/rei3/constants-service.conf index ac00ebb..783b680 100644 --- a/src/rei3/constants-service.conf +++ b/src/rei3/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/rei3/install-service.sh b/src/rei3/install-service.sh index 6f2a3d5..08b72d7 100644 --- a/src/rei3/install-service.sh +++ b/src/rei3/install-service.sh @@ -14,13 +14,12 @@ source /root/constants-service.conf mkdir /opt/rei3 wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3 -wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg -echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list +inst_postgresql apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends imagemagick ghostscript timedatectl set-timezone ${LXC_TIMEZONE} diff --git a/src/vaultwarden/constants-service.conf b/src/vaultwarden/constants-service.conf index d9325a7..36b207b 100644 --- a/src/vaultwarden/constants-service.conf +++ b/src/vaultwarden/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 
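Review bot: The rei3 hunk replaces an explicit `postgresql` package install with a bare `inst_postgresql` call, while zabbix and zabbix-proxy in this series pass `$POSTGRES_VERSION`; which major version rei3 ends up with now depends on the helper's default (not visible here), so either pass a version from `constants-service.conf` or add `# inst_postgresql without a version installs the helper's default major — intentional for rei3`. The untouched context line above it, `wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3`, fetches an unpinned, unverified archive and unpacks it as root; pinning a release URL and checking a sha256 kept in `constants-service.conf` before extraction would make the install reproducible and tamper-evident. Whether `pipefail` is set in this script is not visible in the hunk; without it a failed download leaves an empty `/opt/rei3` and the script continues.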
diff --git a/src/vaultwarden/install-service.sh b/src/vaultwarden/install-service.sh index 0fe53ec..539c584 100644 --- a/src/vaultwarden/install-service.sh +++ b/src/vaultwarden/install-service.sh @@ -13,7 +13,9 @@ source /root/constants-service.conf admin_token=$(openssl rand -base64 48) -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert +inst_postgresql + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx git ssl-cert systemctl enable --now postgresql diff --git a/src/zabbix-proxy/constants-service.conf b/src/zabbix-proxy/constants-service.conf index a931567..0eb2b46 100644 --- a/src/zabbix-proxy/constants-service.conf +++ b/src/zabbix-proxy/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 @@ -42,8 +42,8 @@ ZABBIX_DB_USR="zabbix" # Build a strong password for the SQL user - could be overwritten with something fixed ZABBIX_DB_PWD="$(random_password)" -ZABBIX_VERSION=7.0 #zabbix 7 beta -POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) +ZABBIX_VERSION=7.4 #zabbix 7 beta +POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13) # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=4096 diff --git a/src/zabbix-proxy/install-service.sh b/src/zabbix-proxy/install-service.sh index fc9472a..9e452db 100644 --- a/src/zabbix-proxy/install-service.sh +++ b/src/zabbix-proxy/install-service.sh 
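Review bot: The comments on the bumped constants in the zabbix-proxy hunk are now wrong: `ZABBIX_VERSION=7.4 #zabbix 7 beta` contradicts the install script in this series, which builds the repo path from `.../zabbix/${ZABBIX_VERSION}/stable/debian/`, and `POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13)` carries a date from two years before PostgreSQL 18 existed. Suggest `ZABBIX_VERSION=7.4 # Zabbix release line, used in the stable repo path` and `POSTGRES_VERSION=18 # major version installed from the PGDG repo (update the check date when bumping)`. The same stale comments appear on the zabbix server constants later in this series.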
@@ -11,13 +11,14 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main" -apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" +apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main" apt update +inst_postgresql $POSTGRES_VERSION + DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert timedatectl set-timezone ${LXC_TIMEZONE} @@ -29,7 +30,7 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created." EOF -cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME} +cat /usr/share/zabbix/sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME} echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf 
@@ -53,6 +54,8 @@ sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf +mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off + systemctl enable zabbix-proxy zabbix-agent2 systemctl restart zabbix-proxy zabbix-agent2 diff --git a/src/zabbix/constants-service.conf b/src/zabbix/constants-service.conf index b074420..f228e7a 100644 --- a/src/zabbix/constants-service.conf +++ b/src/zabbix/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 @@ -42,10 +42,10 @@ ZABBIX_DB_USR="zabbix" # Build a strong password for the SQL user - could be overwritten with something fixed ZABBIX_DB_PWD="$(random_password)" -ZABBIX_VERSION=7.0 #zabbix 7 beta -POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) -PHP_VERSION=8.2 # debian 12 default -TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13) +ZABBIX_VERSION=7.4 #zabbix 7 beta +POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13) +PHP_VERSION=8.4 # debian 12 default +TS_VERSION=2.23.0 # currently latest by zabbix supported version of timescaledb (2024-05-13) # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=4096 diff --git a/src/zabbix/install-service.sh b/src/zabbix/install-service.sh index 41b98e0..b290803 100644 --- a/src/zabbix/install-service.sh +++ b/src/zabbix/install-service.sh 
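Review bot: The new `mv .../plugins.d/nvidia.conf .../plugins.d/nvidia.off` is unconditional, so if the NVIDIA plugin package is not present (the install line uses the glob `zabbix-agent2-plugin-*`, whose expansion is not fixed here) `mv` fails and, with the `set -euo pipefail` this project uses, the script aborts before `systemctl enable`. Guard it and say why: `f=/etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf` / `[ -f "$f" ] && mv "$f" "${f%.conf}.off" # no GPU in the LXC; keep the plugin from loading` — the reason is my guess and should be confirmed. Renaming a packaged conffile also means the next package upgrade may recreate it; if the plugin stays installed, disabling it in an agent2 include file would survive upgrades. The same line is added to the zabbix server script later in this series.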
@@ -11,14 +11,15 @@ source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main" -apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" -apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main" +apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main" +apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/" "$(lsb_release -cs)" "main" +inst_postgresql ${POSTGRES_VERSION} +inst_php pgsql,fpm $PHP_VERSION apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION timescaledb-tools nginx zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert unlink /etc/nginx/sites-enabled/default 
@@ -216,18 +217,20 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created." EOF -sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php +#sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php -zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME} +zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME} timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf systemctl restart postgresql echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix -cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME} +cat /usr/share/zabbix/sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME} -echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf +echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.d/dbpassword.conf + +mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off generate_dhparam diff --git a/src/zammad/constants-service.conf b/src/zammad/constants-service.conf index 014cafd..e695b6f 100644 --- a/src/zammad/constants-service.conf +++ b/src/zammad/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" +LXC_TEMPLATE_VERSION="debian-13-standard" # Create sharefs mountpoint LXC_MP=0 diff --git a/src/zmb-standalone/install-service.sh b/src/zmb-standalone/install-service.sh index 1cd4af6..47deddb 100644 --- a/src/zmb-standalone/install-service.sh +++ b/src/zmb-standalone/install-service.sh 
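Review bot: `echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.d/dbpassword.conf` creates that file with the script's umask (typically 0644), so the database password becomes world-readable; the old target `zabbix_server.conf` got its restrictive mode from the package. Create the file with the right mode first: `install -m 640 -o root -g zabbix /dev/null /etc/zabbix/zabbix_server.d/dbpassword.conf` and then append. Whether the 7.4 package ships the `zabbix_server.d` directory and an `Include=` for it is not visible here; a `mkdir -p` plus a `grep -q '^Include=.*zabbix_server.d' /etc/zabbix/zabbix_server.conf` check would make the failure loud instead of silently leaving the server without a password.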
@@ -19,7 +19,7 @@ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg:: USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}') useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER echo "$USER:$ZMB_ADMIN_PASS" | chpasswd -smbpasswd -x $USER +smbpasswd -x $USER || true (echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER usermod -aG sudo $USER From c7f4cde980e7092ab0e5b1e076a462c30b1b04e9 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 18 Jan 2026 23:45:03 +0000 Subject: [PATCH 52/59] move trmm script to scripts folder --- .../check_zambaconfonpve_trmm.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename check_zambaconfonpve_trmm.sh => scripts/check_zambaconfonpve_trmm.sh (100%) diff --git a/check_zambaconfonpve_trmm.sh b/scripts/check_zambaconfonpve_trmm.sh similarity index 100% rename from check_zambaconfonpve_trmm.sh rename to scripts/check_zambaconfonpve_trmm.sh From c70aac949368e0991b442591931664d9a204da0d Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Mon, 19 Jan 2026 09:12:08 +0000 Subject: [PATCH 53/59] dc anhancements, script removal parameter, list outaged repos with wrong codename --- TODO Debian 13 | 1 - install.sh | 30 +++++++++++++++++++----------- outaged_repos | 6 ++++++ src/zmb-ad-join/install-service.sh | 3 +++ src/zmb-ad/install-service.sh | 3 +++ 5 files changed, 31 insertions(+), 12 deletions(-) delete mode 100644 TODO Debian 13 create mode 100644 outaged_repos diff --git a/TODO Debian 13 b/TODO Debian 13 deleted file mode 100644 index ad91e89..0000000 --- a/TODO Debian 13 +++ /dev/null @@ -1 +0,0 @@ -- icinga2 diff --git a/install.sh b/install.sh index 025b69a..f33b216 100755 --- a/install.sh +++ b/install.sh 
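Review bot: `smbpasswd -x $USER || true` masks every failure of the command, and the hunk does not say which one is expected; add the reason inline, `smbpasswd -x "$USER" || true # no smbpasswd entry yet on a fresh install; nothing to delete`, so a later reader does not drop the `|| true` or, worse, widen it. While here, the surrounding lines pass the admin password through unquoted expansions (`echo $ZMB_ADMIN_PASS`), which would break for a password containing spaces or glob characters; `"$ZMB_ADMIN_PASS"` and `"$USER"` fix that without changing behaviour for the common case.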
@@ -25,6 +25,7 @@ usage() { -i CTID provide a container id instead of auto detection -s SERVICE provide the service name and skip the selection dialog -c CFGFILE use a different config file than 'zamba.conf' + -r remove zamba.conf inside container -d Debug mode inside LXC container -h displays this help text --------------------------------------------------------------------------- @@ -39,13 +40,15 @@ ctid=0 service=ask config=$PWD/conf/zamba.conf debug=0 +preserve_install_scripts=1 -while getopts "hi:s:c:d" opt; do +while getopts "hi:s:c:dr" opt; do case $opt in h) usage 0 ;; i) ctid=$OPTARG ;; s) service=$OPTARG ;; c) config=$OPTARG ;; + r) preserve_install_scripts=0 ;; d) debug=1 ;; *) usage 1 ;; esac 
@@ -189,18 +192,17 @@ sleep 5; pct exec $LXC_NBR -- mkdir -p /root/.ssh pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys pct push $LXC_NBR "$config" /root/zamba.conf +for f in "$PWD/src/functions.sh" "$PWD/src/constants.conf" "$PWD/src/lxc-base.sh" "$PWD/src/$service/install-service.sh" "$PWD/src/$service/constants-service.conf"; do + pct push $LXC_NBR $f /root/$(basename $f) +done + +if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then + pct push $LXC_NBR scripts/zmb-ad_auto-map-root.sh /root/zmb-ad_auto-map-root.sh + pct push $LXC_NBR scripts/create-service-account /usr/bin/create-service-account +fi + pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf -pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh -pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf -pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh -pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh -pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf - -if [[ $service == "zmb-ad-restore" ]]; then - pct exec $LXC_NBR -- mkdir -p /backup/online - pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/ -fi if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi @@ -224,3 +226,9 @@ if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then sleep 5 pct exec $LXC_NBR /usr/local/bin/smb-backup 7 fi + +if [ $preserve_install_scripts -eq 0 ]; then + for f in constants.conf constants-service.conf functions.sh install-service.sh lxc-base.sh zamba.conf; do + pct exec $LXC_NBR -- if [ -f /root/$f ] ; then rm -f /root/${f} ; fi + done +fi \ No newline at end of file diff --git a/outaged_repos b/outaged_repos new file mode 100644 index 0000000..53b44e4 --- /dev/null +++ b/outaged_repos 
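Review bot: The new push loop expands `$f`, `$LXC_NBR` and `$(basename $f)` unquoted, so a checkout path with a space (they come from `$PWD`) splits the `pct push` arguments; write `pct push "$LXC_NBR" "$f" "/root/$(basename "$f")"`. The two zmb-ad pushes use bare relative paths (`scripts/zmb-ad_auto-map-root.sh`, `scripts/create-service-account`) while every other push in the loop is anchored on `$PWD`; use `"$PWD/scripts/..."` for consistency. `create-service-account` lands in `/usr/bin` with whatever mode `pct push` applies and only becomes executable through a later `chmod +x` inside the container; if the installed `pct` supports it, `--perms 0755` on the push line keeps the file's mode explicit in one place. The untouched context line `pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf` only prints to stdout and never appends to the file, which looks like a pre-existing bug worth a separate fix.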
@@ -0,0 +1,6 @@ +repos ohne debian trixie support +- manticore (fixed via bashclub repo) +- 45drives +- mongodb +- influxdb +- zammad \ No newline at end of file diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index 8d9a3a0..7878146 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh @@ -114,6 +114,9 @@ systemctl unmask samba-ad-dc systemctl enable samba-ad-dc systemctl restart samba-ad-dc +bash /root/zmb-ad_auto-map-root.sh +chmod +x /usr/bin/create-service-account + # configure ad backup cat << EOF > /usr/local/bin/smb-backup #!/bin/bash diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh index 6caab2a..2e4476c 100644 --- a/src/zmb-ad/install-service.sh +++ b/src/zmb-ad/install-service.sh @@ -81,6 +81,9 @@ systemctl unmask samba-ad-dc systemctl enable samba-ad-dc systemctl restart samba-ad-dc +bash /root/zmb-ad_auto-map-root.sh +chmod +x /usr/bin/create-service-account + # configure ad backup cat << EOF > /usr/local/bin/smb-backup #!/bin/bash From 509abe150a90b7714d3dc42a7d6969c3b29240f5 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Mon, 19 Jan 2026 10:42:06 +0000 Subject: [PATCH 54/59] fix script deletion --- install.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/install.sh b/install.sh index f33b216..e7bf904 100755 --- a/install.sh +++ b/install.sh 
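Review bot: `bash /root/zmb-ad_auto-map-root.sh` runs a helper whose purpose is not stated and leaves it in `/root` afterwards; the cleanup list in install.sh in this same series removes only `constants.conf constants-service.conf functions.sh install-service.sh lxc-base.sh zamba.conf`, so this script survives on the DC. Add a one-line comment describing what it does (the name suggests it maps the Unix root user to an AD account — confirm) and remove it once run: `bash /root/zmb-ad_auto-map-root.sh && rm -f /root/zmb-ad_auto-map-root.sh`. `chmod +x /usr/bin/create-service-account` is fine, but `chmod 0755` states the intended mode rather than inheriting whatever `pct push` set. The same two lines are added to the zmb-ad script below this hunk.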
@@ -20,12 +20,12 @@ prog="$(basename $0)" usage() { cat >&2 <<-EOF - usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] + usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] [-p] installs a preconfigured lxc container on your proxmox server -i CTID provide a container id instead of auto detection -s SERVICE provide the service name and skip the selection dialog -c CFGFILE use a different config file than 'zamba.conf' - -r remove zamba.conf inside container + -p preserve zamba.conf ans scripts inside container -d Debug mode inside LXC container -h displays this help text --------------------------------------------------------------------------- @@ -40,15 +40,15 @@ ctid=0 service=ask config=$PWD/conf/zamba.conf debug=0 -preserve_install_scripts=1 +preserve_install_scripts=0 -while getopts "hi:s:c:dr" opt; do +while getopts "hi:s:c:dp" opt; do case $opt in h) usage 0 ;; i) ctid=$OPTARG ;; s) service=$OPTARG ;; c) config=$OPTARG ;; - r) preserve_install_scripts=0 ;; + p) preserve_install_scripts=1 ;; d) debug=1 ;; *) usage 1 ;; esac @@ -229,6 +229,6 @@ fi if [ $preserve_install_scripts -eq 0 ]; then for f in constants.conf constants-service.conf functions.sh install-service.sh lxc-base.sh zamba.conf; do - pct exec $LXC_NBR -- if [ -f /root/$f ] ; then rm -f /root/${f} ; fi + pct exec $LXC_NBR -- bash -c "if [ -f /root/$f ] ; then rm -f /root/${f} ; fi" done fi \ No newline at end of file From 90fa3037612d5bf565fa7b63ae0f15436cb5c599 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 22 Jan 2026 21:59:22 +0100 Subject: [PATCH 55/59] Update constants.conf --- src/constants.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/constants.conf b/src/constants.conf index 177ebd4..c6a7542 100644 --- a/src/constants.conf +++ b/src/constants.conf 
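Review bot: The usage text has a typo in the new `-p` line: `-p preserve zamba.conf ans scripts inside container` should read `-p preserve zamba.conf and install scripts inside container`. Since the default now deletes those files, the text would also help users more if it said so explicitly, e.g. `(default: remove them after installation)`.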
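Review bot: In the cleanup loop, `bash -c "if [ -f /root/$f ] ; then rm -f /root/${f} ; fi"` is redundant because `rm -f` already ignores a missing file; `pct exec "$LXC_NBR" -- rm -f "/root/$f"` does the same without the nested shell and without interpolating `$f` into a command string. Removing `zamba.conf` by default is a good change since it is the pushed configuration; worth a comment above the loop stating that it may carry credentials, which is the reason the default flipped. The zmb-ad helper pushed to `/root/zmb-ad_auto-map-root.sh` earlier in this series is not in the list and stays behind.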
@@ -8,4 +8,4 @@ # This file contains the project constants on container level # Define your (administrative) tools, you always want to have installed into your LXC container -LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gpg gnupg2 apt-transport-https wget ssl-cert tmux" +LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gpg gnupg2 apt-transport-https wget ssl-cert tmux jq" From 1987dd29a7a7a9e37fa91314d727e061a2a4aa4a Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 28 Jan 2026 19:15:22 +0000 Subject: [PATCH 56/59] add wazuh container --- src/wazuh/constants-service.conf | 31 +++++++++++++++++++++++++++++++ src/wazuh/install-service.sh | 13 +++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 src/wazuh/constants-service.conf create mode 100644 src/wazuh/install-service.sh diff --git a/src/wazuh/constants-service.conf b/src/wazuh/constants-service.conf new file mode 100644 index 0000000..592299f --- /dev/null +++ b/src/wazuh/constants-service.conf @@ -0,0 +1,31 @@ +#!/bin/bash + +# Authors: +# (C) 2024 Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-13-standard" + +# Create sharefs mountpoint +LXC_MP=0 +# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) +LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch" +# Defines the recordsize of mp0 +LXC_MP_RECORDSIZE="16K" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# enable keyctl feature +LXC_KEYCTL="0" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=8192 + +# service dependent meta tags +SERVICE_TAGS="opensearch" \ No newline at end of file diff --git a/src/wazuh/install-service.sh b/src/wazuh/install-service.sh new file mode 100644 index 0000000..ff8af27 --- /dev/null +++ b/src/wazuh/install-service.sh 
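Review bot: The wazuh constants set `LXC_MP=0` but also `LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch"` and `LXC_MP_RECORDSIZE="16K"`, which are only meaningful when the mountpoint is created; either set `LXC_MP=1` if the indexer data is meant to live on the shared dataset, or add `# mountpoint settings kept for reference only; LXC_MP=0 leaves data on the rootfs`. The combination `LXC_UNPRIVILEGED="1"` plus an all-in-one Wazuh install should be documented too: the OpenSearch-based indexer is commonly reported to need `vm.max_map_count` raised on the host, which an unprivileged container cannot do itself — confirm and, if so, note it next to `LXC_UNPRIVILEGED`. The header reads `(C) 2024` in a file created in 2026.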
@@ -0,0 +1,13 @@ +#!/bin/bash + +# Author: +# (C) 2024 Thorsten Spille + +set -euo pipefail + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +WAZUH_VERSION=4.14 +curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null From 03bb6186f23689be87b96c25be0fa94e5c6ed6d4 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 28 Jan 2026 19:40:21 +0000 Subject: [PATCH 57/59] Add password for aggent registration --- src/wazuh/install-service.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/wazuh/install-service.sh b/src/wazuh/install-service.sh index ff8af27..580df92 100644 --- a/src/wazuh/install-service.sh +++ b/src/wazuh/install-service.sh @@ -10,4 +10,15 @@ source /root/zamba.conf source /root/constants-service.conf WAZUH_VERSION=4.14 +REG_PASS=$(random_password) + curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null + + +sed -i "s|no|yes|" /var/ossec/etc/ossec.conf +echo "$REG_PASS" > /var/ossec/etc/authd.pass +chmod 640 /var/ossec/etc/authd.pass +chown root:wazuh /var/ossec/etc/authd.pass +systemctl restart wazuh-manager + +echo "Please use the following password for agent registration: $REG_PASS" \ No newline at end of file From 91f5296538a79e4e4c60b7e9b4e5b4e24e437378 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 21 Feb 2026 20:15:06 +0000 Subject: [PATCH 58/59] add rspamd ai container --- src/pmg-ai-rspamd/Integration Guide.md | 115 ++++++++ src/pmg-ai-rspamd/constants-service.conf | 33 +++ src/pmg-ai-rspamd/install-service.sh | 350 +++++++++++++++++++++++ 3 files changed, 498 insertions(+) create mode 100644 src/pmg-ai-rspamd/Integration Guide.md create mode 100644 src/pmg-ai-rspamd/constants-service.conf create mode 100644 src/pmg-ai-rspamd/install-service.sh 
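Review bot: `curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null` executes a freshly downloaded script as root with no integrity check, without `-f` (an HTTP error page would be saved and run), and with stderr discarded; and because `curl` sits on the left of `&&`, a failed download does not trip `set -e` — the script just moves on to the next line. Use `curl -fsSLO "https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh"` on its own line, verify it against a sha256 recorded in `constants-service.conf` (`echo "$WAZUH_INSTALL_SHA256  wazuh-install.sh" | sha256sum -c -`), and run `bash ./wazuh-install.sh -a -i` without the `2>/dev/null` and without `sudo`, which is redundant for a root install script. A comment on `-i` (`# --ignore-check: skip the installer's minimum-hardware check; the LXC is sized via LXC_MEM_MIN`) would explain why the check is bypassed — the flag's meaning is from the Wazuh installer's documentation, not visible here.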
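Review bot: `sed -i "s|no|yes|" /var/ossec/etc/ossec.conf` rewrites the first `no` on every line of the whole file, not just the registration-password switch, so any `<disabled>no</disabled>` becomes `yes` and words containing `no` (`notify`, `nodes`, `unknown`, …) are corrupted; target the element instead: `sed -i 's|<use_password>no</use_password>|<use_password>yes</use_password>|' /var/ossec/etc/ossec.conf`. `echo "$REG_PASS" > /var/ossec/etc/authd.pass` creates the file with the default umask before the `chmod 640`, so the password is briefly world-readable; create it with the mode first, `install -m 640 -o root -g wazuh /dev/null /var/ossec/etc/authd.pass`, then write it. The final `echo` of `$REG_PASS` ends up in the install log and the `pct exec` output on the PVE host, which is acceptable only if that is where operators expect to pick it up — a `$CRED_FILE`-style file as the other services use (e.g. icinga2's `/root/.zamba_credentials/...`) would be the more consistent place. If the all-in-one installer leaves `wazuh-install-files.tar` with the generated admin credentials in the working directory, that should be removed or protected here too — not visible in this hunk, please confirm.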
diff --git a/src/pmg-ai-rspamd/Integration Guide.md b/src/pmg-ai-rspamd/Integration Guide.md new file mode 100644 index 0000000..f400890 --- /dev/null +++ b/src/pmg-ai-rspamd/Integration Guide.md 
@@ -0,0 +1,115 @@ +# 🛡️ Integration Guide: PMG & Mailcow an Rspamd-AI + +Dieses Dokument beschreibt die Anbindung von Proxmox Mail Gateway (PMG) und Mailcow-Instanzen an das zentrale `pmg-ai-rspamd` Gehirn. + +## 1. Integration: Proxmox Mail Gateway (PMG) + +Das PMG dient als Grobfilter und nutzt den Rspamd-LXC via Milter-Protokoll für die KI-Analyse. + +### Schritt A: Whitelist-Eintrag im Rspamd-LXC + +Bevor das PMG senden darf, muss seine IP im Rspamd-LXC hinterlegt werden, damit Rspamd die Mail nicht als "Relay-Versuch von extern" blockiert. + + +1. Erstelle auf dem **Rspamd-LXC** eine neue Datei für das PMG: + + ```javascript + cat << 'EOF' > /etc/rspamd/local.d/local_addrs.d/pmg-gateway.conf + # IP des Proxmox Mail Gateways + local_addrs = "10.10.10.50"; + EOF + + ``` +2. Rspamd neu laden: `systemctl reload rspamd` + +### Schritt B: PMG Postfix Konfiguration + +Auf dem **PMG-Server** (via SSH): + + +1. Template-System vorbereiten: + + ```javascript + mkdir -p /etc/pmg/templates + cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/main.cf.in + + ``` +2. Am Ende von `/etc/pmg/templates/main.cf.in` einfügen: + + ```javascript + # Rspamd Milter Integration + smtpd_milters = inet:10.10.10.200:11332 + non_smtpd_milters = inet:10.10.10.200:11332 + milter_protocol = 6 + milter_default_action = accept + + ``` + + *(Ersetze* `*10.10.10.200*` *durch die IP deines Rspamd-LXC)*. +3. Aktivieren: `pmgconfig sync --restart 1` + + +--- + +## 2. Integration: Mailcow Remote Learning + +Hier bringen wir der Mailcow bei, Spam/Ham nicht lokal zu lernen, sondern an dein KI-Gehirn zu senden. + +### Option A: Via VPN (Sicherster Weg) + +**Voraussetzung:** Mailcow-IP ist im Rspamd-LXC unter `secure_ips.d/` hinterlegt. + + +1. Erstelle auf dem **Rspamd-LXC** den Eintrag: + + ```javascript + cat << 'EOF' > /etc/rspamd/local.d/secure_ips.d/kunde-mailcow.conf + secure_ip = "10.8.0.10"; # VPN-IP der Mailcow + EOF + + ``` +2. 
In der **Mailcow UI** unter *Konfiguration > System-Konfiguration > Rspamd*: + * **Rspamd-Host:** `10.8.0.200` (VPN-IP des LXC) + * **API-Key / Passwort:** Dein `rspamadm pw` Klartext-Passwort. + +### Option B: Via HTTPS (Ohne VPN über Public IP) + +Wenn kein VPN möglich ist, nutzen wir einen Reverse Proxy (z. B. Nginx) auf dem LXC-Host, um die API per TLS zu schützen. + +**Sicherheits-Warnung:** Öffne niemals Port 11334 direkt zum Internet! + + +1. Installiere Nginx auf dem LXC-Host (oder einem Proxy davor). +2. Nginx-Config (Auszug): + + ```javascript + server { + listen 443 ssl; + server_name rspamd-api.deine-domain.de; + # SSL-Zertifikat hier konfigurieren (Certbot) + + location / { + proxy_pass http://127.0.0.1:11334; + allow 1.2.3.4; # Nur die öffentliche IP der Mailcow erlauben! + deny all; + } + } + + ``` +3. In der **Mailcow** nun als Host `https://rspamd-api.deine-domain.de` eintragen. + + +--- + +## 3. Erfolgskontrolle (Debugging) + +Um zu sehen, ob die KI arbeitet, schau in das Log des Rspamd-LXC: + +```javascript +tail -f /var/log/rspamd/rspamd.log | grep -i "QWEN" +``` + +Wenn eine Mail vom PMG kommt, solltest du einen Eintrag wie diesen sehen: `... (main) <...> symbol: QWEN_LLM_FRAUD(2.50); ... score: 5 ...` + + +--- \ No newline at end of file diff --git a/src/pmg-ai-rspamd/constants-service.conf b/src/pmg-ai-rspamd/constants-service.conf new file mode 100644 index 0000000..5016179 --- /dev/null +++ b/src/pmg-ai-rspamd/constants-service.conf 
@@ -0,0 +1,33 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-13-standard" + +# Create sharefs mountpoint +LXC_MP=0 +# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) +LXC_SHAREFS_MOUNTPOINT="tank" +# Defines the recordsize of mp0 +LXC_MP_RECORDSIZE="128K" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# enable keyctl feature +LXC_KEYCTL="0" + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=8192 + +# service dependent meta tags +SERVICE_TAGS="rspamd,unbound,ollama" \ No newline at end of file diff --git a/src/pmg-ai-rspamd/install-service.sh b/src/pmg-ai-rspamd/install-service.sh new file mode 100644 index 0000000..1321eef --- /dev/null +++ b/src/pmg-ai-rspamd/install-service.sh 
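Review bot: `LXC_MEM_MIN=8192` in the new pmg-ai-rspamd constants has no rationale while the install script in this same series keeps an 8B-parameter model (`LLM=llama3.1:8b`) resident in Ollama, which is what drives the requirement; add `# 8 GiB minimum: Ollama keeps the 8B model loaded (OLLAMA_KEEP_ALIVE=-1) next to rspamd, redis and unbound — adjust when LLM changes`. `LXC_SHAREFS_MOUNTPOINT="tank"` and `LXC_MP_RECORDSIZE="128K"` are left at template defaults with `LXC_MP=0`, so either drop them or mark them unused. The copied header has `Idea an concept` for `Idea and concept`.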
@@ -0,0 +1,350 @@ +#!/bin/bash + +set -euo pipefail + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +RSPAMD_PASSWORD=$(random_password) +LLM=llama3.1:8b + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y redis-server unbound python3-venv rspamd zstd nginx ssl-cert + +# Eine abgeschottete Python-Umgebung in /opt/oletools erstellen +python3 -m venv /opt/oletools + +# Oletools innerhalb dieser Umgebung installieren (berührt das System nicht!) +/opt/oletools/bin/pip install oletools python-magic +ln -s /opt/oletools/bin/olevba /usr/local/bin/olevba3 + + +# install olefy servvice +curl -o /usr/local/bin/olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py +chmod +x /usr/local/bin/olefy.py +sed -i "s/addr_re = re.compile('\[\\\[\" \\\]\]')/addr_re = re.compile(r'\[\\\[\" \\\]\]')/g" /usr/local/bin/olefy.py + +# olefy Systemd-Service anlegen +cat << 'EOF' > /etc/systemd/system/olefy.service +[Unit] +Description=Olefy Daemon for Rspamd +After=network.target + +[Service] +Type=simple +User=nobody +ExecStart=/opt/oletools/bin/python3 /usr/local/bin/olefy.py +Restart=always + +[Install] +WantedBy=multi-user.target +EOF + +# oletools update +cat << 'EOF' > /usr/local/bin/apt-hook-oletools.sh +#!/bin/bash +# Unterdrücke Standard-Ausgaben, fange aber das Ergebnis auf +UPDATE_OUT=$(/opt/oletools/bin/pip install --upgrade oletools 2>&1) + +# Prüfen, ob der Text "Successfully installed" im Output vorkommt +if echo "$UPDATE_OUT" | grep -q "Successfully installed"; then + # Neues Update wurde gefunden und installiert! Dienst neu starten: + systemctl restart olefy + # Einen sauberen Eintrag ins System-Log (syslog) schreiben + logger -t oletools-updater "Neues Oletools Update via APT-Hook installiert. 
Olefy Dienst neu gestartet." +fi + +# Immer erfolgreich beenden (Exit Code 0), damit apt niemals blockiert wird +exit 0 +EOF + +# Skript ausführbar machen +chmod +x /usr/local/bin/apt-hook-oletools.sh + +# apt hook +cat << EOF > /etc/apt/apt.conf.d/99oletools-update +# Automatisches Update von Oletools nach jedem dpkg-Lauf +DPkg::Post-Invoke { "/usr/local/bin/apt-hook-oletools.sh || true"; }; +EOF + +# download ollama +curl -fsSL https://ollama.com/install.sh | bash 2>/dev/null + +# konfiguriere ollama, dass llm dauerhaft geladen bleibt +mkdir -p /etc/systemd/system/ollama.service.d +cat << 'EOF' > /etc/systemd/system/ollama.service.d/override.conf +[Service] +Environment="OLLAMA_KEEP_ALIVE=-1" +EOF + +# qwen3 llm herunterladen +ollama pull $LLM + +# ollama qwen3 preload service erstellen +cat << EOF > /etc/systemd/system/ollama-preload.service +[Unit] +Description=Preload Qwen3 Model into Ollama +After=ollama.service +Requires=ollama.service + +[Service] +Type=oneshot +# Warteschleife: Prüfe im Sekundentakt, ob die API erreichbar ist, bevor wir weitermachen +ExecStartPre=/bin/bash -c 'until curl -s http://127.0.0.1:11434/ > /dev/null; do sleep 1; done' +# Erst wenn der Port antwortet, laden wir das Modell +ExecStart=/usr/bin/curl -s -X POST http://127.0.0.1:11434/api/generate -d '{"model": "$LLM", "keep_alive": -1}' +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +EOF + +# milter socket für rspamd konfigurieren +cat << EOF > /etc/rspamd/local.d/worker-proxy.inc +# Lausche auf allen Schnittstellen (für das PMG) +bind_socket = "${LXC_IP%/*}:11332"; +# Aktiviere explizit das Milter-Protokoll +milter = yes; +EOF + +# rspamd an redis anbinden +cat << 'EOF' > /etc/rspamd/local.d/redis.conf +servers = "127.0.0.1"; +write_servers = "127.0.0.1"; +EOF + +# lua script for llm integration +cat << EOF > /etc/rspamd/lua.local.d/ollama_ai.lua +local logger = require "rspamd_logger" +local http = require "rspamd_http" +local ucl = require "ucl" + +local function 
ollama_check(task) + logger.errx(task, "KI-Check: ANALYSE START (Llama-3.1-8B)") + + local text_parts = task:get_text_parts() + local email_text = "" + + if text_parts then + for _, part in ipairs(text_parts) do + email_text = email_text .. tostring(part:get_content() or "") + end + end + + -- Abbruch bei zu kurzen Mails + if #email_text < 15 then + logger.errx(task, "KI-Check: Text zu kurz für Analyse") + return + end + + local req_data = { + model = "$LLM", + messages = { + { + role = "system", + content = "You are a cybersecurity analyst. Score the following email for fraud/phishing from 0 to 10. Output ONLY the integer number." + }, + { + role = "user", + content = "Rate this content: " .. string.sub(email_text, 1, 1000) + } + }, + stream = false, + options = { + num_predict = 5, + temperature = 0.0 + } + } + + http.request({ + task = task, + url = 'http://127.0.0.1:11434/api/chat', + body = ucl.to_format(req_data, 'json'), + timeout = 25.0, + callback = function(err, code, body, headers) + -- Falls der Dienst nicht erreichbar ist + if err or code ~= 200 then + logger.errx(task, "KI-Check: Ollama API Fehler oder Timeout") + return + end + + local parser = ucl.parser() + local res, _ = parser:parse_string(body) + if res then + local data = parser:get_object() + local reply = data.message and data.message.content or "" + local score_num = reply:match("%d+") + + if score_num then + local score = tonumber(score_num) + logger.errx(task, "KI-Check: Ergebnis erhalten: %s/10", score) + + -- 1. Header: Basis-Info (Wird immer gesetzt, wenn KI geantwortet hat) + task:set_milter_reply({ + ['add_header'] = {['X-AI-Scanner'] = 'Llama-3.1-8B-Verified'} + }) + + -- 2. Header & Symbol: Nur bei Verdacht (Score >= 7) + if score >= 7 then + task:insert_result('OLLAMA_LLM_FRAUD', 1.0, "Score " .. score .. "/10") + task:set_milter_reply({ + ['add_header'] = {['X-AI-Fraud-Rating'] = tostring(score) .. 
'/10'} + }) + logger.errx(task, "KI-Check: Symbol und Header gesetzt (Betrugsverdacht)") + end + end + end + end + }) +end + +rspamd_config:register_symbol({ + name = 'OLLAMA_LLM_FRAUD', + callback = ollama_check, + flags = 'async', + score = 6.0, + description = 'AI-based fraud detection using Llama-3.1-8B' +}) +EOF + +# dns resolver konfigurieren +cat << 'EOF' > /etc/rspamd/local.d/options.inc +dns { + nameserver = ["127.0.0.1"]; +} + +# Basis-Regeln, die immer gelten müssen +local_addrs = "127.0.0.1"; +local_addrs = "::1"; + +task_timeout = 59s; + +# Lade alle Server-spezifischen Dateien (*.conf) +.include(try=true,glob=true) "$LOCAL_CONFDIR/local_addrs.d/*.conf" +EOF + +PWHASH=$(rspamadm pw --password "$RSPAMD_PASSWORD") +cat << EOF > /etc/rspamd/local.d/worker-controller.inc + +bind_socket = "127.0.0.1:11334"; +password = "$PWHASH"; + +# Basis-Regeln (LXC-interner Zugriff) +secure_ip = "127.0.0.1"; +secure_ip = "::1"; +secure_ip = "${LXC_IP%/*}"; + +# Lade alle Server-spezifischen Dateien (*.conf) +.include(try=true,glob=true) "\$LOCAL_CONFDIR/secure_ips.d/*.conf" +EOF + +# oletools aktivieren +cat << 'EOF' > /etc/rspamd/local.d/oletools.conf +enabled = true; +servers = "127.0.0.1:10050"; # Standard-Port von olefy +EOF + +# learning aktivieren +cat << 'EOF' > /etc/rspamd/local.d/classifier-ham-spam.conf +# Nutze Redis als Backend für gelerntes Wissen +backend = "redis"; +# Erlaube das Lernen (wichtig für deine Mailcows!) 
+autolearn = true; +EOF + +# betreffzeilen anzeigen +cat << 'EOF' > /etc/rspamd/local.d/history_redis.conf +# Speichere die letzten Mail-Logs in Redis für die WebUI +subject_privacy = false; # Zeigt Betreffzeilen im Dashboard an (hilfreich für MSPs) +EOF + +# set include for local modules +cat << 'EOF' > /etc/rspamd/local.d/groups.conf +# Lade alle Symbol-Definitionen aus dem scores.d Verzeichnis +.include(try=true,glob=true) "$LOCAL_CONFDIR/scores.d/*.conf" +EOF + +# create folder for trusted addresses +mkdir -p /etc/rspamd/local.d/local_addrs.d +mkdir -p /etc/rspamd/local.d/secure_ips.d + +# persistenz in redis aktivieren +sed -i 's/appendonly no/appendonly yes/g' /etc/redis/redis.conf +sed -i 's/^#\? \?appendfsync .*/appendfsync everysec/g' /etc/redis/redis.conf + +# nginx konfigurieren +mkdir -p /etc/nginx/ssl + +# Symlinks auf Snakeoil (Pfade ggf. anpassen, falls ssl-cert nicht installiert ist) +ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem +ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem + +# Starke Diffie-Hellman Parameter generieren (wichtig!) 
+openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 + +# generiere config +cat << EOF > /etc/nginx/sites-available/rspamd_proxy +# HTTP - Redirect auf HTTPS +server { + listen 80; + listen [::]:80; + server_name $LXC_HOSTNAME.$LXC_DOMAIN; + return 301 https://\$host\$request_uri; +} + +# HTTPS - Sicherer Proxy +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name $LXC_HOSTNAME.$LXC_DOMAIN; + + # Zertifikate + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + # TLS Sicherheit nach Stand der Technik (Modern) + ssl_protocols TLSv1.3; # TLS 1.2 entfernt für maximale Sicherheit + ssl_prefer_server_ciphers off; + + # Security Headers + add_header Strict-Transport-Security "max-age=63072000" always; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"; + + # Proxy-Einstellungen + location / { + proxy_pass http://127.0.0.1:11334; # Dein Rspamd Controller/UI + proxy_set_header Host \$host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + + # Wichtig für lange KI-Analysen + proxy_read_timeout 120s; + proxy_connect_timeout 120s; + + # Optional: Zusätzlicher Schutz auf Nginx-Ebene + # allow 1.2.3.4; # Deine Admin IP + # deny all; + } +} +EOF +ln -s /etc/nginx/sites-available/rspamd_proxy /etc/nginx/sites-enabled/ +nginx -t + +# dienste aktivieren +systemctl daemon-reload +systemctl enable --now unbound olefy ollama ollama-preload.service +systemctl restart redis-server rspamd nginx + +echo "Your rspamd instance setup is finished!" 
+echo "Please visit http://${LXC_IP%/*}:11334/" +echo "rspamd password is: $RSPAMD_PASSWORD" \ No newline at end of file From d3060354f91f54049500fbac2b2a823555c4eab0 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 22 Feb 2026 11:55:05 +0000 Subject: [PATCH 59/59] Update PMG Integration and rejecting behviour --- src/pmg-ai-rspamd/Integration Guide.md | 115 --------------------- src/pmg-ai-rspamd/PMG Integration Guide.md | 111 ++++++++++++++++++++ src/pmg-ai-rspamd/install-service.sh | 23 +++++ 3 files changed, 134 insertions(+), 115 deletions(-) delete mode 100644 src/pmg-ai-rspamd/Integration Guide.md create mode 100644 src/pmg-ai-rspamd/PMG Integration Guide.md diff --git a/src/pmg-ai-rspamd/Integration Guide.md b/src/pmg-ai-rspamd/Integration Guide.md deleted file mode 100644 index f400890..0000000 --- a/src/pmg-ai-rspamd/Integration Guide.md +++ /dev/null 
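Review bot: The nginx vhost sends `X-Forwarded-For $proxy_add_x_forwarded_for` to a controller whose `secure_ip` list includes 127.0.0.1, the address nginx connects from; as far as I know rspamd then decides the password check on the forwarded address, and `$proxy_add_x_forwarded_for` keeps a client-supplied `X-Forwarded-For: 127.0.0.1` as the first element, so depending on how rspamd picks from that list the public 443 listener could reach the controller without the password — use `proxy_set_header X-Forwarded-For \$remote_addr;` and consider enabling the commented `allow`/`deny` block. Two fetches lack supply-chain controls: `curl -fsSL https://ollama.com/install.sh | bash` executes an unverified remote script as root, and `curl -o /usr/local/bin/olefy.py .../master/olefy.py` pulls an unpinned branch without `-f`, so an HTTP error page would be saved and made executable; pin a release or commit, add `-f`, and check a digest. The closing hint `Please visit http://${LXC_IP%/*}:11334/` points at the controller socket this script binds to 127.0.0.1 only, so it should name the TLS front end, e.g. `echo "Please visit https://$LXC_HOSTNAME.$LXC_DOMAIN/"`. The clear-text password echo is acceptable for an installer but deserves a comment that it ends up in the session log.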
@@ -1,115 +0,0 @@ -# 🛡️ Integration Guide: PMG & Mailcow an Rspamd-AI - -Dieses Dokument beschreibt die Anbindung von Proxmox Mail Gateway (PMG) und Mailcow-Instanzen an das zentrale `pmg-ai-rspamd` Gehirn. - -## 1. Integration: Proxmox Mail Gateway (PMG) - -Das PMG dient als Grobfilter und nutzt den Rspamd-LXC via Milter-Protokoll für die KI-Analyse. - -### Schritt A: Whitelist-Eintrag im Rspamd-LXC - -Bevor das PMG senden darf, muss seine IP im Rspamd-LXC hinterlegt werden, damit Rspamd die Mail nicht als "Relay-Versuch von extern" blockiert. - - -1. Erstelle auf dem **Rspamd-LXC** eine neue Datei für das PMG: - - ```javascript - cat << 'EOF' > /etc/rspamd/local.d/local_addrs.d/pmg-gateway.conf - # IP des Proxmox Mail Gateways - local_addrs = "10.10.10.50"; - EOF - - ``` -2. Rspamd neu laden: `systemctl reload rspamd` - -### Schritt B: PMG Postfix Konfiguration - -Auf dem **PMG-Server** (via SSH): - - -1. Template-System vorbereiten: - - ```javascript - mkdir -p /etc/pmg/templates - cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/main.cf.in - - ``` -2. Am Ende von `/etc/pmg/templates/main.cf.in` einfügen: - - ```javascript - # Rspamd Milter Integration - smtpd_milters = inet:10.10.10.200:11332 - non_smtpd_milters = inet:10.10.10.200:11332 - milter_protocol = 6 - milter_default_action = accept - - ``` - - *(Ersetze* `*10.10.10.200*` *durch die IP deines Rspamd-LXC)*. -3. Aktivieren: `pmgconfig sync --restart 1` - - ---- - -## 2. Integration: Mailcow Remote Learning - -Hier bringen wir der Mailcow bei, Spam/Ham nicht lokal zu lernen, sondern an dein KI-Gehirn zu senden. - -### Option A: Via VPN (Sicherster Weg) - -**Voraussetzung:** Mailcow-IP ist im Rspamd-LXC unter `secure_ips.d/` hinterlegt. - - -1. Erstelle auf dem **Rspamd-LXC** den Eintrag: - - ```javascript - cat << 'EOF' > /etc/rspamd/local.d/secure_ips.d/kunde-mailcow.conf - secure_ip = "10.8.0.10"; # VPN-IP der Mailcow - EOF - - ``` -2. 
In der **Mailcow UI** unter *Konfiguration > System-Konfiguration > Rspamd*: - * **Rspamd-Host:** `10.8.0.200` (VPN-IP des LXC) - * **API-Key / Passwort:** Dein `rspamadm pw` Klartext-Passwort. - -### Option B: Via HTTPS (Ohne VPN über Public IP) - -Wenn kein VPN möglich ist, nutzen wir einen Reverse Proxy (z. B. Nginx) auf dem LXC-Host, um die API per TLS zu schützen. - -**Sicherheits-Warnung:** Öffne niemals Port 11334 direkt zum Internet! - - -1. Installiere Nginx auf dem LXC-Host (oder einem Proxy davor). -2. Nginx-Config (Auszug): - - ```javascript - server { - listen 443 ssl; - server_name rspamd-api.deine-domain.de; - # SSL-Zertifikat hier konfigurieren (Certbot) - - location / { - proxy_pass http://127.0.0.1:11334; - allow 1.2.3.4; # Nur die öffentliche IP der Mailcow erlauben! - deny all; - } - } - - ``` -3. In der **Mailcow** nun als Host `https://rspamd-api.deine-domain.de` eintragen. - - ---- - -## 3. Erfolgskontrolle (Debugging) - -Um zu sehen, ob die KI arbeitet, schau in das Log des Rspamd-LXC: - -```javascript -tail -f /var/log/rspamd/rspamd.log | grep -i "QWEN" -``` - -Wenn eine Mail vom PMG kommt, solltest du einen Eintrag wie diesen sehen: `... (main) <...> symbol: QWEN_LLM_FRAUD(2.50); ... score: 5 ...` - - ---- \ No newline at end of file diff --git a/src/pmg-ai-rspamd/PMG Integration Guide.md b/src/pmg-ai-rspamd/PMG Integration Guide.md new file mode 100644 index 0000000..10f9fe0 --- /dev/null +++ b/src/pmg-ai-rspamd/PMG Integration Guide.md 
@@ -0,0 +1,111 @@ +# PMG-Integration des KI-Rspamd Filters + +Diese Anleitung beschreibt, wie das PMG als zentrale Filter-Instanz die Scores deines externen Rspamd-LXC abfragt, visualisiert und gewichtet, ohne die eigene Filterhoheit zu verlieren. + +## 1. Architektur-Übersicht + +Das PMG fungiert als SMTP-Relay. Der externe Rspamd wird als **Before-Queue Milter** eingebunden. Er verarbeitet die Mail, setzt Header-Attribute und das PMG wertet diese Header innerhalb seines eigenen Regelwerks aus. + + +--- + +## 2. Persistente Milter-Anbindung (Updatesicher) + +Damit Postfix den Rspamd-LXC anspricht, muss die Konfiguration über das PMG-Template-System erfolgen. + + +1. **Template-Verzeichnis erstellen:** + + ```javascript + mkdir -p /etc/pmg/templates + cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/ + + ``` +2. **Milter in `main.cf.in` eintragen:** Öffne `/etc/pmg/templates/main.cf.in` und füge am Ende (vor den lokalen Overrides) folgende Zeilen hinzu: + + ```javascript + smtpd_milters = inet:IP_DEINES_LXC:11332 + milter_default_action = accept + milter_protocol = 6 + + ``` +3. **Konfiguration generieren:** + + ```javascript + pmgconfig sync + + ``` + + +--- + +## 3. Score-Gewichtung (SpamAssassin-Integration) + +Da das PMG-UI keine direkte Punkte-Addition erlaubt, integrieren wir die Rspamd-Ergebnisse direkt in den internen Scan-Prozess. Dies stellt sicher, dass die Scores im **Tracking Center** namentlich auftauchen. + + +1. **Konfigurationsdatei erstellen:** Erstelle auf dem PMG-Host: `/etc/mail/spamassassin/rspamd_scores.cf` +2. 
**Regeln definieren:** Kopiere diesen Block in die Datei: + + ```javascript + # Rspamd Medium (4 - 5.9) + header RSPAMD_MEDIUM X-Rspamd-Score =~ /^([45]\.[0-9]+)/ + describe RSPAMD_MEDIUM Rspamd bewertet diese Mail als leicht verdaechtig (4-5.9) + score RSPAMD_MEDIUM 1.5 + + # Rspamd High (6 - 14.9) + header RSPAMD_HIGH X-Rspamd-Score =~ /^([6-9]|1[0-4])\.[0-9]+/ + describe RSPAMD_HIGH Rspamd bewertet diese Mail als Spam (6-14.9) + score RSPAMD_HIGH 4.0 + + # Rspamd Critical (15+) + header RSPAMD_CRITICAL X-Rspamd-Score =~ /^(1[5-9]|[2-9][0-9]|[1-9][0-9][0-9])\.[0-9]+/ + describe RSPAMD_CRITICAL Rspamd (KI/Llama) ist sich absolut sicher: Scam/Betrug (15+) + score RSPAMD_CRITICAL 10.0 + + ``` +3. **Dienst neu starten:** + + ```javascript + systemctl restart pmg-smtp-filter + + ``` + + +--- + +## 4. UI-Logik für harte Aktionen (Optional) + +Wenn du für extrem hohe Scores (`RSPAMD_CRITICAL`) eine sofortige Quarantäne erzwingen möchtest, kannst du dies im WebUI ergänzen: + + +1. **What Object:** Erstelle unter *Mail Filter > What Objects* ein **Match Field**. + * **Name:** `Rspamd-Critical-Header` + * **Field:** `X-Rspamd-Score` + * **Value:** `^(1[5-9]|[2-9][0-9])\..*` +2. **Rule:** Erstelle eine Regel mit Priorität **99**. + * **What:** `Rspamd-Critical-Header` + * **Action:** `Quarantine` + + +--- + +## 5. Verifizierung & Monitoring + +Nach der Integration sollten eingehende E-Mails im PMG Tracking Center detailliert aufgeschlüsselt werden. + +* **Live-Log Prüfung:** Überwache die Auswertung der neuen Header live auf der Konsole: + + ```javascript + tail -f /var/log/mail.log | grep -E "RSPAMD_(MEDIUM|HIGH|CRITICAL)" + + ``` +* **Tracking Center:** In der Detailansicht einer E-Mail unter **Spam Analysis** erscheint nun z. B. der Eintrag: `RSPAMD_HIGH (4.00)` + + +--- + +### Wartungshinweise + +* **Persistent:** Die `.cf`-Dateien unter `/etc/mail/spamassassin/` bleiben bei PMG-Updates erhalten. 
+* **Anpassung:** Sollten zu viele False Positives auftreten, senke einfach die `score`-Werte in der `rspamd_scores.cf` und starte den `pmg-smtp-filter` neu.
\ No newline at end of file
diff --git a/src/pmg-ai-rspamd/install-service.sh b/src/pmg-ai-rspamd/install-service.sh
index 1321eef..eea1eba 100644
--- a/src/pmg-ai-rspamd/install-service.sh
+++ b/src/pmg-ai-rspamd/install-service.sh
@@ -243,6 +243,29 @@ secure_ip = "${LXC_IP%/*}";
 .include(try=true,glob=true) "\$LOCAL_CONFDIR/secure_ips.d/*.conf"
 EOF
 
+cat << EOF > /etc/rspamd/local.d/actions.conf
+# Alle Aktionen, die normalerweise ablehnen würden, auf null setzen
+reject = null; # Niemals ablehnen
+add_header = 6.0; # Ab diesem Score den X-Spam-Header setzen
+greylist = null; # Greylisting deaktivieren (macht PMG schon besser)
+rewrite_subject = null;
+EOF
+
+cat << EOF > /etc/rspamd/local.d/milter_headers.conf
+# Diese Header werden für jede Mail geschrieben
+use = ["spam-header", "symbols", "score"];
+
+header_names {
+ "spam-header" = "X-Spam-Flag";
+ "symbols" = "X-Rspamd-Symbols";
+ "score" = "X-Rspamd-Score";
+}
+
+# Fügt den Score immer hinzu, egal wie hoch er ist
+skip_local = false;
+extended_symbols = true;
+EOF
+
 # oletools aktivieren
 cat << 'EOF' > /etc/rspamd/local.d/oletools.conf
 enabled = true;
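Review bot: The `use = ["spam-header", "symbols", "score"]` list in the new milter_headers.conf names routines I cannot find in rspamd's milter_headers module, and `header_names` / `extended_symbols` are not documented options either, so unless they exist in the shipped version nothing emits `X-Rspamd-Score` and the PMG-side rules keyed on that header never match — please verify with `rspamadm configtest` and a test message before relying on it. The documented route is `extended_spam_headers = true` (X-Spamd-Result carries the score) or a `custom` routine that writes `X-Rspamd-Score`, and the spam-flag rename belongs in `routines { spam-header { header = "X-Spam-Flag"; value = "YES"; } }`. Whatever header PMG ends up trusting, an external sender can pre-set it, so strip inbound copies with the `remove-headers` routine (e.g. `headers { "X-Rspamd-Score" = 0; }`, as in the module's example) or the routine's `remove` setting — `remove_upstream_spam_flag` only covers the X-Spam-Flag/X-Spam-Status names. A short comment on `add_header = 6.0` noting that it is also the threshold at which the spam flag is written would help, since the `OLLAMA_LLM_FRAUD` symbol alone scores 6.0 and reaches it.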