Merge pull request #147 from bashclub/dev

Release
2026-04-18 14:56:06 +00:00 · 2026-04-09 18:04:02 +02:00
parent 639e8d6978 d3060354f9
commit b849b541a1
85 changed files with 1165 additions and 1347 deletions
--- a/conf/README.md
+++ b/conf/README.md
@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour.
 `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
-### ZMB_SHARE
+### ZMB_SHARES
-Defines the name of your Zamba share
+Defines the names of your Zamba shares
 ```bash
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
 ```
 <br>
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@@ -114,8 +114,8 @@ ZMB_ADMIN_PASS='Start!123'
 # Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
 ZMB_DOMAIN_ADMINS="domain admins"
-# Defines the name of your Zamba share
+# Defines the names of your Zamba shares in a comma separated list
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
 ############### Mailpiler-Section ###############
@@ -165,18 +165,6 @@ CMK_ADMIN_PW='Start!123'
 # free = limited version of the enterprise edition (25 hosts, 1 instance)
 CMK_EDITION=raw
 ############### Kopano-Section ###############
 # Define the FQDN of your Nextcloud server
 KOPANO_FQDN="kopano.zmb.rocks"
 # Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
 KOPANO_MAILGW="192.168.100.254"
 # Kopano test- or subscription-key offerd from 
 # https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
 KOPANO_REPKEY="1234567890abcdefghijklmno"
 ############### vaultwarden Section ###############
 # Enable/disable signups (true/false)
--- a/install.sh
+++ b/install.sh
@@ -20,11 +20,12 @@ prog="$(basename $0)"
 usage() {
 	cat >&2 <<-EOF
-	usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE]
+	usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] [-p]
 	  installs a preconfigured lxc container on your proxmox server
    -i CTID      provide a container id instead of auto detection
    -s SERVICE   provide the service name and skip the selection dialog
    -c CFGFILE   use a different config file than 'zamba.conf'
    -p           preserve zamba.conf ans scripts inside container
    -d           Debug mode inside LXC container
    -h           displays this help text
  ---------------------------------------------------------------------------
@@ -39,13 +40,15 @@ ctid=0
 service=ask
 config=$PWD/conf/zamba.conf
 debug=0
 preserve_install_scripts=0
-while getopts "hi:s:c:d" opt; do
+while getopts "hi:s:c:dp" opt; do
  case $opt in
    h) usage 0 ;;
    i) ctid=$OPTARG ;;
    s) service=$OPTARG ;;
    c) config=$OPTARG ;;
    p) preserve_install_scripts=1 ;;
    d) debug=1 ;;
    *) usage 1 ;;
  esac
@@ -154,6 +157,10 @@ pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged
 set -u
 sleep 2;
 if [[ $SERVICE_TAGS == *"docker"* ]]; then
  echo "lxc.apparmor.profile: unconfined" >> /etc/pve/lxc/${LXC_NBR}.conf
 fi
 # Check vlan configuration
 if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
@@ -185,18 +192,17 @@ sleep 5;
 pct exec $LXC_NBR -- mkdir -p /root/.ssh
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
 pct push $LXC_NBR "$config" /root/zamba.conf
 for f in "$PWD/src/functions.sh" "$PWD/src/constants.conf" "$PWD/src/lxc-base.sh" "$PWD/src/$service/install-service.sh" "$PWD/src/$service/constants-service.conf"; do
  pct push $LXC_NBR $f /root/$(basename $f)
 done
 if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
  pct push $LXC_NBR scripts/zmb-ad_auto-map-root.sh /root/zmb-ad_auto-map-root.sh
  pct push $LXC_NBR scripts/create-service-account /usr/bin/create-service-account
 fi
 pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
 pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
 pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
 pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
 pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
 pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
 pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
 if [[ $service == "zmb-ad-restore" ]]; then
    pct exec $LXC_NBR -- mkdir -p /backup/online
    pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
 fi
 if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
@@ -220,3 +226,9 @@ if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
  sleep 5
  pct exec $LXC_NBR /usr/local/bin/smb-backup 7
 fi
 if [ $preserve_install_scripts -eq 0 ]; then
  for f in constants.conf constants-service.conf functions.sh install-service.sh lxc-base.sh zamba.conf; do
    pct exec $LXC_NBR -- bash -c "if [ -f /root/$f ] ; then rm -f /root/${f} ; fi"
  done
 fi
--- a/6
+++ b/6
@@ -0,0 +1,6 @@
 repos ohne debian trixie support
 - manticore (fixed via bashclub repo)
 - 45drives
 - mongodb
 - influxdb
 - zammad
--- a/scripts/check_zambaconfonpve_trmm.sh
+++ b/scripts/check_zambaconfonpve_trmm.sh
--- a/scripts/create-service-account
+++ b/scripts/create-service-account
@@ -36,7 +36,7 @@ ldbmodify -H /var/lib/samba/private/sam.ldb <<EOF
 dn: $DN
 changetype: modify
 replace: userWorkstations
-userWorkstations: NONE
+userWorkstations: "NOWORKSTATION"
 EOF
 echo
--- a/scripts/nextcloud-for-mailcow-dockerized.conf
+++ b/scripts/nextcloud-for-mailcow-dockerized.conf
@@ -0,0 +1,44 @@
 server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.domain.tld;
    ssl_certificate     /etc/ssl/mail/cert.pem;
    ssl_certificate_key /etc/ssl/mail/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    # HTTP → HTTPS
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    location / {
        proxy_pass https://cloud.domain.tld;
        # Hostname & Forwarded-Header sauber durchreichen
        proxy_set_header Host 192.168.178.253;        # explizit der Upstream-Name
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;  # TLS endet hier
        proxy_set_header X-Forwarded-Host $host;   # also cloud.domain.tld
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
        proxy_set_header Referrer-Policy "no-referrer";
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        client_max_body_size 10G;
    }
    # CalDAV/CardDAV Redirects
    location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
    location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
 }
--- a/src/ansible-semaphore/constants-service.conf
+++ b/src/ansible-semaphore/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/ansible-semaphore/install-service.sh
+++ b/src/ansible-semaphore/install-service.sh
@@ -5,15 +5,14 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
+inst_nginx
-echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+inst_postgresql
 wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
 echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
--- a/src/apt/install-service.sh
+++ b/src/apt/install-service.sh
@@ -1,273 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 source /etc/os-release
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
 # Create gpg key for apt repo signing
 gpg --batch --gen-key <<EOF
 Key-Type: 1
 Key-Length: 4096
 Subkey-Type: 1
 Subkey-Length: 4096
 Name-Real: ${AM_COMPANY_NAME}
 Name-Email: ${AM_COMPANY_EMAIL}
 Expire-Date: 0
 %no-protection
 EOF
 if [ -f /etc/nginx/sites-enabled/default ]; then
  unlink /etc/nginx/sites-enabled/default
 fi
 cat << EOF > /etc/aptly.conf
 {
  "rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
  "downloadConcurrency": 4,
  "downloadSpeedLimit": 0,
  "architectures": [
        "amd64",
        "armhf"
  ],
  "dependencyFollowSuggests": false,
  "dependencyFollowRecommends": false,
  "dependencyFollowAllVariants": false,
  "dependencyFollowSource": false,
  "dependencyVerboseResolve": true,
  "gpgDisableSign": false,
  "gpgDisableVerify": false,
  "gpgProvider": "gpg",
  "downloadSourcePackages": false,
  "skipLegacyPool": true,
  "ppaDistributorID": "$AM_COMPANY_NAME",
  "ppaCodename": ""
 }
 EOF
 cat << EOF > /usr/local/bin/update-apt-mirrors
 #!/bin/bash
 PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 for m in $(aptly mirror list -raw); do
  aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
 done
 EOF
 chmod +x /usr/local/bin/update-apt-mirrors
 cat << EOF > /etc/nginx/conf.d/default.conf
 server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # Force HTTPS connection. This rules is domain agnostic
        if (\$scheme != "https") {
                rewrite ^ https://\$host\$uri permanent;
        }
        # SSL configuration
        #
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_timeout  10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        resolver 15.137.208.11 15.137.209.11 valid=300s;
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        root /var/www/html;
        index index.html index.htm;
        server_name _;
        location /gpg {
                autoindex on;
        }
        location /graph {
                autoindex on;
        }
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                #try_files \$uri \$uri/ =404;
                proxy_set_header Host \$host;
                proxy_set_header X-Real-IP \$remote_addr;
                proxy_pass http://localhost:8080;
        }
        location /api {
                proxy_pass http://localhost:8000/api;
        }
        location /api/graph {
                return 403;
        }
 }
 EOF
 cat << EOF > /etc/systemd/system/aptly.service
 [Unit]
 Description=Aptly Repository service
 [Service]
 User=root
 ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
 KillSignal=SIGTERM
 KillMode=process
 TimeoutStopSec=15s
 [Install]
 WantedBy=multi-user.target
 EOF
 cat << EOF > /etc/systemd/system/aptly-api.service
 [Unit]
 Description=Aptly REST API service
 [Service]
 User=root
 ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
 KillSignal=SIGTERM
 KillMode=process
 TimeoutStopSec=15s
 [Install]
 WantedBy=multi-user.target
 EOF
 cat << EOF > /root/mirror-examples
 # import proxmox keyring
 wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
 # proxmox 8 no subscription mirror (about 11.5 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
 # import debian keyring
 cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
 # debian 12 main mirror (about 87 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
 # debian 12 contrib mirror (about 600 MB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
 # debian 12 non-free mirror (about7,2 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
 # debian 12 non-free-firmware mirror (38 Packages)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
 # debian 12 update main mirror (about 2,5 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
 # debian 12 update contrib mirror (currently empty)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
 # debian 12 updates non-free mirror (about 900 MB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
 # debian 12 updates non-free-firmware mirror (about 70 MB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
 # debian 12 security main mirror (about 5,5 GB)
 aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
 # debian 12 security contrib mirror (2 packages)
 aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
 # debian 12 security non-free mirror (currently empty)
 aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
 # debian 12 security non-free-firmware mirror (1 package)
 aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
 # debian 12 backports main mirror (about 14,5 GB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
 # debian 12 backports contrib mirror (about 100 MB)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
 # debian 12 backports non-free mirror (2 packages)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
 # debian 12 backports non-free-firmware mirror (currently empty)
 aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
 aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
 EOF
 cat << EOF > /usr/local/bin/update-apt-mirrors 
 #!/bin/bash
 PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 for m in \$(aptly mirror list -raw); do
  aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
 done
 EOF
 echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
 chmod +x /usr/local/bin/update-apt-mirrors 
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
 chown -R www-data:www-data /var/www
 # Create required webserver folders
 sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
 # Export gpg key
 sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
 generate_dhparam
 systemctl daemon-reload
 systemctl enable --now aptly aptly-api
 systemctl restart nginx
 echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."
--- a/src/authentik/constants-service.conf
+++ b/src/authentik/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/authentik/install-service.sh
+++ b/src/authentik/install-service.sh
@@ -5,19 +5,16 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # Add Docker's official GPG key:
-install -m 0755 -d /etc/apt/keyrings
+inst_docker
 curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
 chmod a+r /etc/apt/keyrings/docker.gpg
-# Add the repository to Apt sources:
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq pwgen
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
 SECRET=$(random_password)
 myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
--- a/src/bashclub-cmk/constants-service.conf
+++ b/src/bashclub-cmk/constants-service.conf
@@ -8,12 +8,13 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
-LXC_MP=0
+LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="tank"
+LXC_SHAREFS_MOUNTPOINT="var/lib/cmk-push-agent"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
@@ -26,11 +27,13 @@ LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
-# set ecodms release version
+# checkmk version
-ECODMS_RELEASE=ecodms_230164
+CMK_VERSION=2.4.0p19
 # build number of the debian package (needs to start with underscore)
 CMK_BUILD=_0
 # Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=6144
+LXC_MEM_MIN=2048
 # service dependent meta tags
-SERVICE_TAGS="java,postgresql"
+SERVICE_TAGS="apache2"
--- a/src/bashclub-cmk/install-service.sh
+++ b/src/bashclub-cmk/install-service.sh
@@ -0,0 +1,88 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/testing $(lsb_release -cs) main" > /etc/apt/sources.list.d/bashclub.list
 apt update
 cd /tmp
 wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
 omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
 cat << EOF > /etc/apache2/sites-available/000-default.conf
 <VirtualHost *:80>
 	RewriteEngine On
 	RewriteCond %{HTTPS} !=on
 	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
 </VirtualHost>
 EOF
 cat << EOF > /etc/apache2/sites-available/default-ssl.conf
 <VirtualHost *:443>
 	RewriteEngine On
 	RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
 	RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
 	ServerAdmin webmaster@localhost
 	DocumentRoot /var/www/html
 	ErrorLog \${APACHE_LOG_DIR}/error.log
 	CustomLog \${APACHE_LOG_DIR}/access.log combined
 	SSLEngine on
 	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
 	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
 	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
 	#SSLCACertificatePath /etc/ssl/certs/
 	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
 	#SSLCARevocationPath /etc/apache2/ssl.crl/
 	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
 	#SSLVerifyClient require
 	#SSLVerifyDepth  10
 	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 	<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
 		SSLOptions +StdEnvVars
 	</FilesMatch>
 	<Directory /usr/lib/cgi-bin>
 		SSLOptions +StdEnvVars
 	</Directory>
 </VirtualHost>
 EOF
 a2enmod ssl
 a2enmod rewrite
 a2ensite default-ssl
 systemctl restart apache2.service
 omd start $CMK_INSTANCE
 # install matrix notification plugin
 wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
 chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
 chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install cmk-push-server
 cmk-push-setup
--- a/src/bookstack/constants-service.conf
+++ b/src/bookstack/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/bookstack/install-service.sh
+++ b/src/bookstack/install-service.sh
@@ -7,6 +7,8 @@ set -euo pipefail
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -14,9 +16,11 @@ source /root/constants-service.conf
 BOOKSTACK_DB_PWD=$(random_password)
 webroot=/var/www/bookstack/public
 inst_php cli,fpm,mysql,fpm,xml,mbstring,gd,tokenizer,curl,ldap,tidy,zip 8.5
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client redis-server
 curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
--- a/src/checkmk/constants-service.conf
+++ b/src/checkmk/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
@@ -28,7 +28,7 @@ LXC_NESTING="1"
 LXC_KEYCTL="0"
 # checkmk version
-CMK_VERSION=2.3.0p6
+CMK_VERSION=2.4.0p18
 # build number of the debian package (needs to start with underscore)
 CMK_BUILD=_0
--- a/src/checkmk/install-service.sh
+++ b/src/checkmk/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/cloudpanel/constants-service.conf
+++ b/src/cloudpanel/constants-service.conf
@@ -6,7 +6,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/cloudpanel/install-service.sh
+++ b/src/cloudpanel/install-service.sh
@@ -10,5 +10,4 @@ source zamba.conf
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
 curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
-echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
+DB_ENGINE=MARIADB_11.8 SWAP=false bash install.sh
 DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh
--- a/src/constants.conf
+++ b/src/constants.conf
@@ -8,4 +8,4 @@
 # This file contains the project constants on container level
 # Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux"
+LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gpg gnupg2 apt-transport-https wget ssl-cert tmux jq"
--- a/src/debian-priv/constants-service.conf
+++ b/src/debian-priv/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/debian-unpriv/constants-service.conf
+++ b/src/debian-unpriv/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/docker/constants-service.conf
+++ b/src/docker/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/docker/install-service.sh
+++ b/src/docker/install-service.sh
@@ -5,19 +5,13 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-# Add Docker's official GPG key:
+inst_docker
 install -m 0755 -d /etc/apt/keyrings
 curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
 chmod a+r /etc/apt/keyrings/docker.gpg
 # Add the repository to Apt sources:
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 SECRET=$(random_password)
 myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
@@ -26,8 +20,6 @@ install_portainer_full() {
    mkdir -p /opt/portainer/data
    cd /opt/portainer
    cat << EOF > /opt/portainer/docker-compose.yml
 version: "3.4"
 services:
  portainer:
    restart: always
@@ -52,8 +44,6 @@ install_portainer_agent() {
    mkdir -p /opt/portainer-agent/data
    cd /opt/portainer-agent
    cat << EOF > /opt/portainer-agent/docker-compose.yml
 version: "3.4"
 services:
  portainer:
    restart: always  
--- a/src/ecodms/install-service.sh
+++ b/src/ecodms/install-service.sh
@@ -1,21 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
 echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
 echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
 wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver
--- a/src/freescout/constants-service.conf
+++ b/src/freescout/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -29,5 +29,7 @@ LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 FS_PHP_VERSION=8.4
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/freescout/install-service.sh
+++ b/src/freescout/install-service.sh
@@ -18,10 +18,12 @@ MYSQL_PASSWORD="$(random_password)"
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git
+inst_php cli,zip,curl,intl,fpm,mysql,imap,xml,mbstring,gd $FS_PHP_VERSION
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client ssl-cert git
-echo ‘cgi.fix_pathinfo=0’ >> /etc/php/8.2/fpm/php.ini
+echo ‘cgi.fix_pathinfo=0’ >> /etc/php/$FS_PHP_VERSION/fpm/php.ini
 cat << EOF > /etc/nginx/sites-available/default
 server {
@@ -52,7 +54,7 @@ server {
    location ~ .php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php${FS_PHP_VERSION}-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    	include fastcgi_params;
@@ -104,10 +106,10 @@ GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD'
 CREATE DATABASE IF NOT EXISTS freescout;
 GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
-curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
+curl -s https://api.github.com/repos/freescout-help-desk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
 cd $webroot
 tar -vxf freescout.tar.gz
-dir=$(ls -d freescout-helpdesk-freescout*)
+dir=$(ls -d freescout-help-desk-freescout*)
 mv -v $dir freescout
 chown -R www-data:www-data /var/www/html
 find /var/www/html -type f -exec chmod 664 {} \;    
@@ -125,8 +127,8 @@ cat << EOF > /etc/cron.d/freescout
 * * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
 EOF
-systemctl enable --now php8.2-fpm
+systemctl enable --now php${FS_PHP_VERSION}-fpm
-systemctl restart php8.2-fpm nginx
+systemctl restart php${FS_PHP_VERSION}-fpm nginx
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
--- a/src/functions.sh
+++ b/src/functions.sh
@@ -22,31 +22,114 @@ EOF
 apt_repo() {
    apt_name=$1
    apt_key_url=$2
-    apt_key_path=/usr/share/keyrings/${apt_name}.gpg
+    apt_key_path=/usr/share/keyrings/${apt_name}-archive-keyring.gpg
    apt_repo_url=$3
    apt_suites=$4
    apt_components=$5
    tmp_key_file=$(mktemp)
    if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
        echo "❌ Fehler beim Herunterladen des Schlüssels."
        rm -f "${tmp_key_file}"
        exit 1
    fi
    if file "${tmp_key_file}" | grep -q "ASCII"; then
        echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
        # Wenn es ASCII ist, konvertiere es mit --dearmor
        if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
            chmod 644 ${apt_key_path}
            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
        else
            echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
            rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
            exit 1
        fi
    else
        echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
        # Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
        if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
            chmod 644 ${apt_key_path}
        else
            echo "❌ Fehler beim Kopieren des binären Schlüssels."
            rm -f "${tmp_key_file}"
            exit 1
        fi
    fi
-    wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
+    if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
-    echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
+        cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
 Types: deb
 URIs: $apt_repo_url
 Suites: $apt_suites
 Components: $apt_components
 Enabled: yes
 Signed-By: $apt_key_path
 EOF
    else
        echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
    fi
 }
 #### Set repo and install Nginx ####
 inst_nginx() {
-    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
+    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
 }
 #### Set repo and install PHP ####
 inst_php() {
-    curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
+    PHP_MODULES=${1}
-    echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
+    PHP_VERSION=${2:-8.4}
-    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
+    IFS=',' read -ra MODULE_ARRAY <<< "$PHP_MODULES"
    PKGS=()
    for PHP_MODULE in "${MODULE_ARRAY[@]}"; do
        PKGS+=( "php${PHP_VERSION}-${PHP_MODULE}" )
    done
    apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common "${PKGS[@]}"
 }
 #### Set repo and install Postgresql ####
 # First paramater is postgres version, default ist curren version postgres 18
 inst_postgresql() {
-    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+    POSTGRES_VERSION=${1:-18}
-    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
+    
    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-${POSTGRES_VERSION}
 }
 #### Set repo and install Crowdsec ####
 inst_crowdsec() {
-    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
+    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
 }
 #### Set repo and install 45drives (cockpit) ####
 inst_45drives() {
    apt_repo "45drives" "https://repo.45drives.com/key/gpg.asc" "https://repo.45drives.com/enterprise/debian" "bookworm" "main"
    apt update
 }
 #### Set repo and install Docker ####
 inst_docker() {
    apt_repo "docker" "https://download.docker.com/linux/debian/gpg" "https://download.docker.com/linux/debian" "$(lsb_release -cs)" stable
    apt update
    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
 }
 #### Set repo and install MongoDB ####
 inst_mongodb() {
    MONGODB_VERSION=${1:-8.0}
    apt_repo "mongodb" "https://www.mongodb.org/static/pgp/server-$MONGODB_VERSION.asc" "http://repo.mongodb.org/apt/debian" "bookworm/mongodb-org/$MONGODB_VERSION" "main"
    apt update
    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq mongodb-org
 }
 #### Set repo and install MongoDB ####
 inst_bashclub() {
    BASHCLUB_COMPONENT=${1:-release}
    apt_repo "bashclub-$BASHCLUB_COMPONENT" "https://apt.bashclub.org/gpg/bashclub.pub" "https://apt.bashclub.org/$BASHCLUB_COMPONENT" "$(lsb_release -cs)" "main"
    apt update
 }
--- a/src/gitea/constants-service.conf
+++ b/src/gitea/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/gitea/install-service.sh
+++ b/src/gitea/install-service.sh
@@ -5,19 +5,19 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
+inst_nginx
 echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
+inst_postgresql
 echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq git ssl-cert unzip zip
 systemctl enable --now postgresql
--- a/src/icinga2/constants-service.conf
+++ b/src/icinga2/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -34,4 +34,4 @@ SERVICE_TAGS="php-fpm,nginx,mariadb"
 CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
-PHP_VERSION=8.2
+PHP_VERSION=8.4
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -1,4 +1,6 @@
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -16,8 +18,8 @@ echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://pac
 curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list
-curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
+curl -fsSL https://repos.influxdata.com/influxdata-archive.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
-echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list
+echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian bookworm stable" > /etc/apt/sources.list.d/influxdata.list
 apt update
@@ -345,7 +347,8 @@ database:
  password: ${NOTIFICATIONS_DB_PASS}
 EOF
-cat << EOF > /etc/icingaweb2/modules/notifications/config.ini 
+mkdir -p /etc/icingaweb2/modules/notifications/
 cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
 [database]
 resource = "notifications"
 EOF
@@ -466,7 +469,7 @@ EOF
 icinga2 feature enable icingadb api influxdb2-writer perfdata
-icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
+#icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
 echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
 icingacli module enable reactbundle
--- a/src/kimai/constants-service.conf
+++ b/src/kimai/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
 #KIMAI_VERSION="main"
 # Defines the php version to install
-KIMAI_PHP_VERSION="8.2"
+KIMAI_PHP_VERSION="8.4"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@@ -14,12 +14,11 @@ source /root/constants-service.conf
 KIMAI_DB_PWD=$(random_password)
 webroot=/var/www/kimai/public
 #wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
 #echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
+inst_php intl,cli,fpm,mysql,xml,mbstring,gd,tokenizer,zip,opcache,curl $KIMAI_PHP_VERSION
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client  
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
--- a/src/kopano-core/constants-service.conf
+++ b/src/kopano-core/constants-service.conf
@@ -1,53 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 KOPANO_VERSION="latest"
 # Defines the php version to install
 KOPANO_PHP_VERSION="7.4"
 # Defines Maria DB Version
 MARIA_DB_VERS="10.5"
 # Defines the name from the SQL database
 MARIA_DB_NAME="kopano"
 # Defines the name from the SQL user
 MARIA_DB_USER="kopano"
 # Build a strong password for the SQL user - could be overwritten with something fixed 
 MARIA_ROOT_PWD=$(random_password)
 MARIA_USER_PWD=$(random_password)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/kopano-core/install-service.sh
+++ b/src/kopano-core/install-service.sh
@@ -1,276 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 HOSTNAME=$(hostname -f)
 #wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
 #echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
 echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
 wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
 echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
 apt update
 #DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
 #php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
 php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
 #timedatectl set-timezone Europe/Berlin
 #mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 #chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 #### Secure Maria Instance ####
 mysqladmin -u root password "[$MARIA_ROOT_PWD]"
 mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
 mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
 #mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
 #### Create user and DB for Kopano ####
 mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
 echo "root-password: $MARIA_ROOT_PWD,\
 db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
 cat > /etc/apt/sources.list.d/kopano.list << EOF
 # Kopano Core
 deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
 # Kopano WebApp
 deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
 # Kopano MobileDeviceManagement
 deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
 # Kopano Files
 deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
 # Z-Push
 deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
 EOF
 cat > /etc/apt/auth.conf.d/kopano.conf << EOF
 machine download.kopano.io
 login serial
 password $KOPANO_REPKEY
 EOF
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
 apt update && apt full-upgrade -y
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
 z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files 
 #### Adjust kopano settings ####
 cat > /etc/kopano/ldap.cfg << EOF
 !include /usr/share/kopano/ldap.active-directory.cfg
 ldap_uri = ldap://192.168.100.100:389
 ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
 ldap_bind_passwd = Start123!
 ldap_search_base = dc=zmb,dc=rocks
 #ldap_user_search_filter = (kopanoAccount=1)
 EOF
 cat > /etc/kopano/server.cfg << EOF
 server_listen = *:236
 local_admin_users = root kopano
 #database_engine = mysql
 #mysql_host = localhost
 #mysql_port = 3306
 mysql_user = $MARIA_DB_USER
 mysql_password = $MARIA_USER_PWD
 mysql_database = $MARIA_DB_NAME
 #user_plugin = ldap
 #user_plugin_config = /etc/kopano/ldap.cfg
 EOF
 #### Adjust php settings ####
 sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
 cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
 [webapp]
 listen = 127.0.0.1:9002
 user = www-data
 group = www-data
 listen.allowed_clients = 127.0.0.1
 pm = dynamic
 pm.max_children = 150
 pm.start_servers = 35
 pm.min_spare_servers = 20
 pm.max_spare_servers = 50
 pm.max_requests = 200
 listen.backlog = -1
 request_terminate_timeout = 120s
 rlimit_files = 131072
 rlimit_core = unlimited
 catch_workers_output = yes
 EOF
 sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
 #### Adjust nginx settings ####
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
 generate_dhparam
 #mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 cat > /etc/nginx/sites-available/webapp.conf << EOF
 upstream php-handler {
    #server 127.0.0.1:9002;
    #server unix:/var/run/php5-fpm.sock;
    server unix:/var/run/php/php7.4-fpm.sock;
 }
 server{
    listen 80;
    charset utf-8;
    listen [::]:80;
    server_name _;
    location / {
        rewrite   ^(.*)   https://\$server_name\$1 permanent;
    }  
 }
 server {
    charset utf-8;
    listen 443;
    listen [::]:443 ssl;
    server_name _;
    ssl on;
    client_max_body_size 1024m;
    ssl_certificate /etc/ssl/certs/kopano.crt;
    ssl_certificate_key /etc/ssl/private/kopano.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    #
    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
    ssl_dhparam /etc/nginx/dhparam.pem;
    #
    # add headers
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    location /webapp {
        alias /usr/share/kopano-webapp/;
        index index.php;
    location ~ /webapp/presence/ {
                rewrite ^/webapp/presence(/.*)$ \$1 break;
                proxy_pass http://localhost:1234;
                proxy_set_header Upgrade \$http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_http_version 1.1;
                }
    }
    location ~* ^/webapp/(.+\.php)$ {
        alias /usr/share/kopano-webapp/;
        # deny access to .htaccess files
        location ~ /\.ht {
                    deny all;
        }
        fastcgi_param PHP_VALUE "
            register_globals=off
            magic_quotes_gpc=off
            magic_quotes_runtime=off
            post_max_size=31M
            upload_max_filesize=30M
        ";
        fastcgi_param PHP_VALUE "post_max_size=31M
                 upload_max_filesize=30M
                 max_execution_time=3660
        ";
        include fastcgi_params;
        fastcgi_index index.php;
        #fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME \$document_root\$1;
        fastcgi_pass php-handler;
        access_log /var/log/nginx/kopano-webapp-access.log;
        error_log /var/log/nginx/kopano-webapp-error.log;
        # CSS and Javascript
        location ~* \.(?:css|js)$ {
            expires 1y;
            access_log off;
            add_header Cache-Control "public";
        }
        # All (static) resources set to 2 months expiration time.
        location ~* \.(?:jpg|gif|png)\$ {
            expires 2M;
            access_log off;
            add_header Cache-Control "public";
        }
        # enable gzip compression
        gzip on;
        gzip_min_length  1100;
        gzip_buffers  4 32k;
        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
        gzip_vary on;
        }
 }
 map \$http_upgrade \$connection_upgrade {
        default upgrade;
        '' close;
 }
 EOF
 ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
 phpenmod kopano
 systemctl restart php7.4-fpm nginx
--- a/src/lxc-base.sh
+++ b/src/lxc-base.sh
@@ -24,29 +24,7 @@ EOF
 locale-gen $LXC_LOCALE 
 # Generate sources
-if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
+if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
 deb http://deb.debian.org/debian/ buster main contrib
 deb http://deb.debian.org/debian/ buster-updates main contrib
 # security updates
 deb http://security.debian.org/debian-security buster/updates main contrib
 EOF
 elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
 deb http://deb.debian.org/debian/ bullseye main contrib
 deb http://deb.debian.org/debian/ bullseye-updates main contrib
 # security updates
 deb http://security.debian.org/debian-security bullseye-security main contrib
 EOF
 elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
 cat << EOF > /etc/apt/sources.list
 deb http://deb.debian.org/debian/ bookworm main contrib
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
 # security updates
 deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
 elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
 if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
 cat << EOF > /etc/apt/sources.list.d/debian.sources
 Types: deb deb-src
 URIs: https://deb.debian.org/debian
 Suites: trixie trixie-updates
 Components: main non-free-firmware contrib non-free
 Enabled: yes
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 Types: deb deb-src
 URIs: https://security.debian.org/debian-security
 Suites: trixie-security
 Components: main non-free-firmware contrib non-free
 Enabled: yes
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 EOF
 else echo "LXC Debian Version false. Please check configuration files!" ; exit
 fi
--- a/src/mailcow/constants-service.conf
+++ b/src/mailcow/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -78,9 +80,9 @@ cat << EOF > /etc/docker/daemon.json
 {
  "default-ulimits": {
    "nproc": {
-      "name": "nproc",
+      "Name": "nproc",
-      "soft": -1,
+      "Soft": 4096,
-      "hard": -1
+      "Hard": 4096
    }
  }
 }
@@ -264,7 +266,7 @@ USE_WATCHDOG=y
 #WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 # JSON body included in the webhook POST request. Needs to be in single quotes.
 # Following variables are available: SUBJECT, BODY
-#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
+#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**\${SUBJECT}**\n\${BODY}"}'
 # Notify about banned IP (includes whois lookup)
 WATCHDOG_NOTIFY_BAN=n
--- a/src/matrix/constants-service.conf
+++ b/src/matrix/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/matrix/install-service.sh
+++ b/src/matrix/install-service.sh
@@ -5,10 +5,19 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 #### Set repo and install matrix ####
 inst_matrix() {
    apt_repo "matrix" "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" "https://packages.matrix.org/debian" "$(lsb_release -cs)" "main"
    apt update
    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq matrix-synapse-py3 && systemctl enable matrix-synapse
 }
 MRX_PKE=$(random_password)
 ELE_DBNAME="synapse_db"
@@ -17,15 +26,10 @@ ELE_DBPASS=$(random_password)
 ELE_PATH=/var/www/element-web
 WEBROOT=/var/www
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx python3-psycopg2
-wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+inst_postgresql
-echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
+inst_matrix
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
 systemctl enable matrix-synapse
 ss -tulpen
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
@@ -47,9 +51,9 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name $MATRIX_FQDN;
    ssl on;
    ssl_certificate /etc/nginx/ssl/matrix.crt;
    ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -62,9 +66,9 @@ server {
 server {
    listen 8448 ssl;
    listen [::]:8448 ssl;
    http2 on;
    server_name $MATRIX_FQDN;
    ssl on;
    ssl_certificate /etc/nginx/ssl/matrix.crt;
    ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -97,9 +101,9 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name $MATRIX_ELEMENT_FQDN;
    ssl on;
    ssl_certificate /etc/nginx/ssl/matrix.crt;
    ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -154,6 +158,6 @@ systemctl restart matrix-synapse
 rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
-register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
-echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
+echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
@@ -30,10 +30,10 @@ LXC_KEYCTL="0"
 NEXTCLOUD_VERSION="latest"
 # Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.3"
+NEXTCLOUD_PHP_VERSION="8.4"
 # Defines the postgresql version to install
-POSTGRES_VERSION=16 
+POSTGRES_VERSION=17
 # Defines the IP from the SQL server
 NEXTCLOUD_DB_IP="127.0.0.1"
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@@ -248,7 +248,7 @@ cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/f
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
 cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
-cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
+cp /etc/ImageMagick-7/policy.xml /etc/ImageMagick-7/policy.xml.bak
 sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
 sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
@@ -298,10 +298,10 @@ sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-
 sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
 sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
-sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-7/policy.xml
-sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-7/policy.xml
-sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-7/policy.xml
-sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-7/policy.xml
 sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
 sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
@@ -350,13 +350,12 @@ sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
 sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
 sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
 usermod -aG redis www-data
-cp /etc/sysctl.conf /etc/sysctl.conf.bak
+echo 'vm.overcommit_memory = 1' > /etc/sysctl.d/overcommit_memory.conf
 sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
 }
 #### Install some more packages
 inst_packages() {
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-7.q16-10-extra
 timedatectl set-timezone $LXC_TIMEZONE
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
@@ -549,7 +548,7 @@ echo "=> Modifying Nginx config for Nextcloud ..."
 mod_nginx
 echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
-inst_php
+inst_php fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline $NEXTCLOUD_PHP_VERSION
 echo "=> Modifying PHP config for Nextcloud ..."
 mod_php
@@ -577,4 +576,3 @@ echo "=> Modifying Crowdsec ..."
 mod_crowdsec
 echo -e "\n######################################################################\n\n    Please note this user and password for the nextcloud login:\n        '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n                Enjoy your Nextcloud intallation.\n\n######################################################################"
 shutdown -r now
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@@ -10,14 +10,11 @@ set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
 wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
 echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
 # echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
 echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
-apt update
+inst_mongodb 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
+
 inst_bashclub omada
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
--- a/src/onlyoffice/constants-service.conf
+++ b/src/onlyoffice/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/onlyoffice/install-service.sh
+++ b/src/onlyoffice/install-service.sh
@@ -5,24 +5,31 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 #### Set repo and install onlyoffice ####
 inst_onlyoffice() {
    apt_repo "onlyoffice" "https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE" "https://download.onlyoffice.com/repo/debian" "squeeze" "main"
    apt update
    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq ttf-mscorefonts-installer onlyoffice-documentserver
 }
 ONLYOFFICE_DB_PASS=$(random_password)
-curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null
+inst_postgresql
 echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
-cat > /etc/apt/preferences.d/onlyoffice << EOF
+#cat > /etc/apt/preferences.d/onlyoffice << EOF
-Package: onlyoffice-documentserver
+#Package: onlyoffice-documentserver
-Pin: version 7.1.1-23
+#Pin: version 7.1.1-23
-Pin-Priority: 900
+#Pin-Priority: 900
-EOF
+#EOF
 apt update 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq rabbitmq-server libstdc++6 supervisor
 su postgres <<EOF
 psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
@@ -36,7 +43,7 @@ echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | d
 echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
 echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver
+inst_onlyoffice
 cat << EOF > /root/onlyoffice.credentials
 ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
--- a/src/open3a/constants-service.conf
+++ b/src/open3a/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/open3a/install-service.sh
+++ b/src/open3a/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -13,10 +15,13 @@ webroot=/var/www/html
 LXC_RANDOMPWD=20
 MYSQL_PASSWORD="$(random_password)"
 PHP_VERSION=8.4
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd
+inst_php cli,fpm,mysql,xml,mbstring,gd $PHP_VERSION
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client 
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
@@ -39,13 +44,12 @@ server {
    index index.php;
    ssl on;
    ssl_certificate /etc/nginx/ssl/open3a.crt;
    ssl_certificate_key /etc/nginx/ssl/open3a.key;
    location ~ .php$ {
        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php${PHP_VERSION}-fpm.sock;
    }
 }
@@ -76,8 +80,8 @@ localhost                               &%%%&open3a              &%%%&$MYSQL_PAS
 */ ?>
 EOF
-systemctl enable --now php8.2-fpm
+systemctl enable --now php${PHP_VERSION}-fpm
-systemctl restart php8.2-fpm nginx
+systemctl restart php${PHP_VERSION}-fpm nginx
 LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
--- a/src/piler/constants-service.conf
+++ b/src/piler/constants-service.conf
@@ -6,7 +6,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/piler/install-service.sh
+++ b/src/piler/install-service.sh
@@ -3,13 +3,14 @@
 # Author:
 # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
-source zamba.conf
+set -euo pipefail
-wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list
+inst_bashclub manticore
-echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list
+inst_bashclub $PILER_BRANCH
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
--- a/src/pmg-ai-rspamd/PMG
+++ b/src/pmg-ai-rspamd/PMG
@@ -0,0 +1,111 @@
 # PMG-Integration des KI-Rspamd Filters
 Diese Anleitung beschreibt, wie das PMG als zentrale Filter-Instanz die Scores deines externen Rspamd-LXC abfragt, visualisiert und gewichtet, ohne die eigene Filterhoheit zu verlieren.
 ## 1. Architektur-Übersicht
 Das PMG fungiert als SMTP-Relay. Der externe Rspamd wird als **Before-Queue Milter** eingebunden. Er verarbeitet die Mail, setzt Header-Attribute und das PMG wertet diese Header innerhalb seines eigenen Regelwerks aus.
 ---
 ## 2. Persistente Milter-Anbindung (Updatesicher)
 Damit Postfix den Rspamd-LXC anspricht, muss die Konfiguration über das PMG-Template-System erfolgen.
 1. **Template-Verzeichnis erstellen:**
   ```javascript
   mkdir -p /etc/pmg/templates
   cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/
   ```
 2. **Milter in `main.cf.in` eintragen:** Öffne `/etc/pmg/templates/main.cf.in` und füge am Ende (vor den lokalen Overrides) folgende Zeilen hinzu:
   ```javascript
   smtpd_milters = inet:IP_DEINES_LXC:11332
   milter_default_action = accept
   milter_protocol = 6
   ```
 3. **Konfiguration generieren:**
   ```javascript
   pmgconfig sync
   ```
 ---
 ## 3. Score-Gewichtung (SpamAssassin-Integration)
 Da das PMG-UI keine direkte Punkte-Addition erlaubt, integrieren wir die Rspamd-Ergebnisse direkt in den internen Scan-Prozess. Dies stellt sicher, dass die Scores im **Tracking Center** namentlich auftauchen.
 1. **Konfigurationsdatei erstellen:** Erstelle auf dem PMG-Host: `/etc/mail/spamassassin/rspamd_scores.cf`
 2. **Regeln definieren:** Kopiere diesen Block in die Datei:
   ```javascript
   # Rspamd Medium (4 - 5.9)
   header RSPAMD_MEDIUM X-Rspamd-Score =~ /^([45]\.[0-9]+)/
   describe RSPAMD_MEDIUM Rspamd bewertet diese Mail als leicht verdaechtig (4-5.9)
   score RSPAMD_MEDIUM 1.5
   # Rspamd High (6 - 14.9)
   header RSPAMD_HIGH X-Rspamd-Score =~ /^([6-9]|1[0-4])\.[0-9]+/
   describe RSPAMD_HIGH Rspamd bewertet diese Mail als Spam (6-14.9)
   score RSPAMD_HIGH 4.0
   # Rspamd Critical (15+)
   header RSPAMD_CRITICAL X-Rspamd-Score =~ /^(1[5-9]|[2-9][0-9]|[1-9][0-9][0-9])\.[0-9]+/
   describe RSPAMD_CRITICAL Rspamd (KI/Llama) ist sich absolut sicher: Scam/Betrug (15+)
   score RSPAMD_CRITICAL 10.0
   ```
 3. **Dienst neu starten:**
   ```javascript
   systemctl restart pmg-smtp-filter
   ```
 ---
 ## 4. UI-Logik für harte Aktionen (Optional)
 Wenn du für extrem hohe Scores (`RSPAMD_CRITICAL`) eine sofortige Quarantäne erzwingen möchtest, kannst du dies im WebUI ergänzen:
 1. **What Object:** Erstelle unter *Mail Filter > What Objects* ein **Match Field**.
   * **Name:** `Rspamd-Critical-Header`
   * **Field:** `X-Rspamd-Score`
   * **Value:** `^(1[5-9]|[2-9][0-9])\..*`
 2. **Rule:** Erstelle eine Regel mit Priorität **99**.
   * **What:** `Rspamd-Critical-Header`
   * **Action:** `Quarantine`
 ---
 ## 5. Verifizierung & Monitoring
 Nach der Integration sollten eingehende E-Mails im PMG Tracking Center detailliert aufgeschlüsselt werden.
 * **Live-Log Prüfung:** Überwache die Auswertung der neuen Header live auf der Konsole:
  ```javascript
  tail -f /var/log/mail.log | grep -E "RSPAMD_(MEDIUM|HIGH|CRITICAL)"
  ```
 * **Tracking Center:** In der Detailansicht einer E-Mail unter **Spam Analysis** erscheint nun z. B. der Eintrag: `RSPAMD_HIGH (4.00)`
 ---
 ### Wartungshinweise
 * **Persistent:** Die `.cf`-Dateien unter `/etc/mail/spamassassin/` bleiben bei PMG-Updates erhalten.
 * **Anpassung:** Sollten zu viele False Positives auftreten, senke einfach die `score`-Werte in der `rspamd_scores.cf` und starte den `pmg-smtp-filter` neu.
--- a/src/pmg-ai-rspamd/constants-service.conf
+++ b/src/pmg-ai-rspamd/constants-service.conf
@@ -8,14 +8,14 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
-LXC_MP=1
+LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="srv"
+LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
-LXC_MP_RECORDSIZE="16K"
+LXC_MP_RECORDSIZE="128K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
@@ -27,7 +27,7 @@ LXC_NESTING="1"
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=1024
+LXC_MEM_MIN=8192
 # service dependent meta tags
-SERVICE_TAGS="aptly,nginx"
+SERVICE_TAGS="rspamd,unbound,ollama"
--- a/src/pmg-ai-rspamd/install-service.sh
+++ b/src/pmg-ai-rspamd/install-service.sh
@@ -0,0 +1,373 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 RSPAMD_PASSWORD=$(random_password)
 LLM=llama3.1:8b
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y redis-server unbound python3-venv rspamd zstd nginx ssl-cert
 # Eine abgeschottete Python-Umgebung in /opt/oletools erstellen
 python3 -m venv /opt/oletools
 # Oletools innerhalb dieser Umgebung installieren (berührt das System nicht!)
 /opt/oletools/bin/pip install oletools python-magic
 ln -s /opt/oletools/bin/olevba /usr/local/bin/olevba3
 # install olefy servvice
 curl -o /usr/local/bin/olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py
 chmod +x /usr/local/bin/olefy.py
 sed -i "s/addr_re = re.compile('\[\\\[\" \\\]\]')/addr_re = re.compile(r'\[\\\[\" \\\]\]')/g" /usr/local/bin/olefy.py
 # olefy Systemd-Service anlegen
 cat << 'EOF' > /etc/systemd/system/olefy.service
 [Unit]
 Description=Olefy Daemon for Rspamd
 After=network.target
 [Service]
 Type=simple
 User=nobody
 ExecStart=/opt/oletools/bin/python3 /usr/local/bin/olefy.py
 Restart=always
 [Install]
 WantedBy=multi-user.target
 EOF
 # oletools update
 cat << 'EOF' > /usr/local/bin/apt-hook-oletools.sh
 #!/bin/bash
 # Unterdrücke Standard-Ausgaben, fange aber das Ergebnis auf
 UPDATE_OUT=$(/opt/oletools/bin/pip install --upgrade oletools 2>&1)
 # Prüfen, ob der Text "Successfully installed" im Output vorkommt
 if echo "$UPDATE_OUT" | grep -q "Successfully installed"; then
    # Neues Update wurde gefunden und installiert! Dienst neu starten:
    systemctl restart olefy
    # Einen sauberen Eintrag ins System-Log (syslog) schreiben
    logger -t oletools-updater "Neues Oletools Update via APT-Hook installiert. Olefy Dienst neu gestartet."
 fi
 # Immer erfolgreich beenden (Exit Code 0), damit apt niemals blockiert wird
 exit 0
 EOF
 # Skript ausführbar machen
 chmod +x /usr/local/bin/apt-hook-oletools.sh
 # apt hook
 cat << EOF > /etc/apt/apt.conf.d/99oletools-update
 # Automatisches Update von Oletools nach jedem dpkg-Lauf
 DPkg::Post-Invoke { "/usr/local/bin/apt-hook-oletools.sh || true"; };
 EOF
 # download ollama
 curl -fsSL https://ollama.com/install.sh | bash 2>/dev/null
 # konfiguriere ollama, dass llm dauerhaft geladen bleibt
 mkdir -p /etc/systemd/system/ollama.service.d
 cat << 'EOF' > /etc/systemd/system/ollama.service.d/override.conf
 [Service]
 Environment="OLLAMA_KEEP_ALIVE=-1"
 EOF
 # qwen3 llm herunterladen
 ollama pull $LLM
 # ollama qwen3 preload service erstellen
 cat << EOF > /etc/systemd/system/ollama-preload.service
 [Unit]
 Description=Preload Qwen3 Model into Ollama
 After=ollama.service
 Requires=ollama.service
 [Service]
 Type=oneshot
 # Warteschleife: Prüfe im Sekundentakt, ob die API erreichbar ist, bevor wir weitermachen
 ExecStartPre=/bin/bash -c 'until curl -s http://127.0.0.1:11434/ > /dev/null; do sleep 1; done'
 # Erst wenn der Port antwortet, laden wir das Modell
 ExecStart=/usr/bin/curl -s -X POST http://127.0.0.1:11434/api/generate -d '{"model": "$LLM", "keep_alive": -1}'
 RemainAfterExit=yes
 [Install]
 WantedBy=multi-user.target
 EOF
 # milter socket für rspamd konfigurieren
 cat << EOF > /etc/rspamd/local.d/worker-proxy.inc
 # Lausche auf allen Schnittstellen (für das PMG)
 bind_socket = "${LXC_IP%/*}:11332";
 # Aktiviere explizit das Milter-Protokoll
 milter = yes;
 EOF
 # rspamd an redis anbinden
 cat << 'EOF' > /etc/rspamd/local.d/redis.conf
 servers = "127.0.0.1";
 write_servers = "127.0.0.1";
 EOF
 # lua script for llm integration
 cat << EOF > /etc/rspamd/lua.local.d/ollama_ai.lua
 local logger = require "rspamd_logger"
 local http = require "rspamd_http"
 local ucl = require "ucl"
 local function ollama_check(task)
    logger.errx(task, "KI-Check: ANALYSE START (Llama-3.1-8B)")
    local text_parts = task:get_text_parts()
    local email_text = ""
    if text_parts then
        for _, part in ipairs(text_parts) do
            email_text = email_text .. tostring(part:get_content() or "")
        end
    end
    -- Abbruch bei zu kurzen Mails
    if #email_text < 15 then 
        logger.errx(task, "KI-Check: Text zu kurz für Analyse")
        return 
    end
    local req_data = {
      model = "$LLM",
      messages = {
        {
          role = "system",
          content = "You are a cybersecurity analyst. Score the following email for fraud/phishing from 0 to 10. Output ONLY the integer number."
        },
        {
          role = "user",
          content = "Rate this content: " .. string.sub(email_text, 1, 1000)
        }
      },
      stream = false,
      options = {
        num_predict = 5,
        temperature = 0.0
      }
    }
    http.request({
      task = task,
      url = 'http://127.0.0.1:11434/api/chat',
      body = ucl.to_format(req_data, 'json'),
      timeout = 25.0,
      callback = function(err, code, body, headers)
        -- Falls der Dienst nicht erreichbar ist
        if err or code ~= 200 then
            logger.errx(task, "KI-Check: Ollama API Fehler oder Timeout")
            return 
        end
        local parser = ucl.parser()
        local res, _ = parser:parse_string(body)
        if res then
            local data = parser:get_object()
            local reply = data.message and data.message.content or ""
            local score_num = reply:match("%d+")
            if score_num then
                local score = tonumber(score_num)
                logger.errx(task, "KI-Check: Ergebnis erhalten: %s/10", score)
                -- 1. Header: Basis-Info (Wird immer gesetzt, wenn KI geantwortet hat)
                task:set_milter_reply({
                    ['add_header'] = {['X-AI-Scanner'] = 'Llama-3.1-8B-Verified'}
                })
                -- 2. Header & Symbol: Nur bei Verdacht (Score >= 7)
                if score >= 7 then
                    task:insert_result('OLLAMA_LLM_FRAUD', 1.0, "Score " .. score .. "/10")
                    task:set_milter_reply({
                        ['add_header'] = {['X-AI-Fraud-Rating'] = tostring(score) .. '/10'}
                    })
                    logger.errx(task, "KI-Check: Symbol und Header gesetzt (Betrugsverdacht)")
                end
            end
        end
      end
    })
 end
 rspamd_config:register_symbol({
  name = 'OLLAMA_LLM_FRAUD',
  callback = ollama_check,
  flags = 'async',
  score = 6.0,
  description = 'AI-based fraud detection using Llama-3.1-8B'
 })
 EOF
 # dns resolver konfigurieren
 cat << 'EOF' > /etc/rspamd/local.d/options.inc
 dns {
    nameserver = ["127.0.0.1"];
 }
 # Basis-Regeln, die immer gelten müssen
 local_addrs = "127.0.0.1";
 local_addrs = "::1";
 task_timeout = 59s;
 # Lade alle Server-spezifischen Dateien (*.conf)
 .include(try=true,glob=true) "$LOCAL_CONFDIR/local_addrs.d/*.conf"
 EOF
 PWHASH=$(rspamadm pw --password "$RSPAMD_PASSWORD")
 cat << EOF > /etc/rspamd/local.d/worker-controller.inc
 bind_socket = "127.0.0.1:11334";
 password = "$PWHASH"; 
 # Basis-Regeln (LXC-interner Zugriff)
 secure_ip = "127.0.0.1";
 secure_ip = "::1";
 secure_ip = "${LXC_IP%/*}";
 # Lade alle Server-spezifischen Dateien (*.conf)
 .include(try=true,glob=true) "\$LOCAL_CONFDIR/secure_ips.d/*.conf"
 EOF
 cat << EOF > /etc/rspamd/local.d/actions.conf
 # Alle Aktionen, die normalerweise ablehnen würden, auf null setzen
 reject = null;      # Niemals ablehnen
 add_header = 6.0;   # Ab diesem Score den X-Spam-Header setzen
 greylist = null;    # Greylisting deaktivieren (macht PMG schon besser)
 rewrite_subject = null;
 EOF
 cat << EOF > /etc/rspamd/local.d/milter_headers.conf
 # Diese Header werden für jede Mail geschrieben
 use = ["spam-header", "symbols", "score"];
 header_names {
    "spam-header" = "X-Spam-Flag";
    "symbols" = "X-Rspamd-Symbols";
    "score" = "X-Rspamd-Score";
 }
 # Fügt den Score immer hinzu, egal wie hoch er ist
 skip_local = false;
 extended_symbols = true;
 EOF
 # oletools aktivieren
 cat << 'EOF' > /etc/rspamd/local.d/oletools.conf
 enabled = true;
 servers = "127.0.0.1:10050"; # Standard-Port von olefy
 EOF
 # learning aktivieren
 cat << 'EOF' > /etc/rspamd/local.d/classifier-ham-spam.conf
 # Nutze Redis als Backend für gelerntes Wissen
 backend = "redis";
 # Erlaube das Lernen (wichtig für deine Mailcows!)
 autolearn = true;
 EOF
 # betreffzeilen anzeigen
 cat << 'EOF' > /etc/rspamd/local.d/history_redis.conf
 # Speichere die letzten Mail-Logs in Redis für die WebUI
 subject_privacy = false; # Zeigt Betreffzeilen im Dashboard an (hilfreich für MSPs)
 EOF
 # set include for local modules
 cat << 'EOF' > /etc/rspamd/local.d/groups.conf
 # Lade alle Symbol-Definitionen aus dem scores.d Verzeichnis
 .include(try=true,glob=true) "$LOCAL_CONFDIR/scores.d/*.conf"
 EOF
 # create folder for trusted addresses
 mkdir -p /etc/rspamd/local.d/local_addrs.d
 mkdir -p /etc/rspamd/local.d/secure_ips.d
 # persistenz in redis aktivieren
 sed -i 's/appendonly no/appendonly yes/g' /etc/redis/redis.conf
 sed -i 's/^#\? \?appendfsync .*/appendfsync everysec/g' /etc/redis/redis.conf
 # nginx konfigurieren
 mkdir -p /etc/nginx/ssl
 # Symlinks auf Snakeoil (Pfade ggf. anpassen, falls ssl-cert nicht installiert ist)
 ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
 ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
 # Starke Diffie-Hellman Parameter generieren (wichtig!)
 openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
 # generiere config
 cat << EOF > /etc/nginx/sites-available/rspamd_proxy
 # HTTP - Redirect auf HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
    return 301 https://\$host\$request_uri;
 }
 # HTTPS - Sicherer Proxy
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
    # Zertifikate
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # TLS Sicherheit nach Stand der Technik (Modern)
    ssl_protocols TLSv1.3; # TLS 1.2 entfernt für maximale Sicherheit
    ssl_prefer_server_ciphers off;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
    # Proxy-Einstellungen
    location / {
        proxy_pass http://127.0.0.1:11334; # Dein Rspamd Controller/UI
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # Wichtig für lange KI-Analysen
        proxy_read_timeout 120s;
        proxy_connect_timeout 120s;
        # Optional: Zusätzlicher Schutz auf Nginx-Ebene
        # allow 1.2.3.4; # Deine Admin IP
        # deny all;
    }
 }
 EOF
 ln -s /etc/nginx/sites-available/rspamd_proxy /etc/nginx/sites-enabled/
 nginx -t
 # dienste aktivieren
 systemctl daemon-reload
 systemctl enable --now unbound olefy ollama ollama-preload.service
 systemctl restart redis-server rspamd nginx
 echo "Your rspamd instance setup is finished!"
 echo "Please visit http://${LXC_IP%/*}:11334/"
 echo "rspamd password is: $RSPAMD_PASSWORD"
--- a/src/proxmox-pbs/constants-service.conf
+++ b/src/proxmox-pbs/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/proxmox-pbs/install-service.sh
+++ b/src/proxmox-pbs/install-service.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 set -euo pipefail
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
@@ -9,16 +11,14 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list 
+#### Set repo and install onlyoffice ####
-# PBS pbs-no-subscription repository provided by proxmox.com,
+inst_pbs() {
-# NOT recommended for production use
+    apt_repo "proxmox" "https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg" "http://download.proxmox.com/debian/pbs" "trixie" "pbs-no-subscription"
 deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
 EOF
 wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
 apt update && apt upgrade -y
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
 }
 inst_pbs
 proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
--- a/src/rei3/constants-service.conf
+++ b/src/rei3/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/rei3/install-service.sh
+++ b/src/rei3/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -12,13 +14,12 @@ source /root/constants-service.conf
 mkdir /opt/rei3
 wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg
+inst_postgresql
 echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends imagemagick ghostscript
 timedatectl set-timezone ${LXC_TIMEZONE}
--- a/src/unifi/constants-service.conf
+++ b/src/unifi/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/unifi/install-service.sh
+++ b/src/unifi/install-service.sh
@@ -11,12 +11,14 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
+inst_unifi() {
-wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg
+    apt_repo "unifi" "https://dl.ubnt.com/unifi/unifi-repo.gpg" "http://www.ui.com/downloads/unifi/debian" "stable" "ubiquiti"
    apt update 
    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unifi
 }
-echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
+inst_mongodb
 echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list 
-apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi
+inst_unifi
--- a/src/urbackup/constants-service.conf
+++ b/src/urbackup/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
 URBACKUP_DATA="urbackup"
 # OS codename for opensuse / urbackup repo
-REPO_CODENAME="Debian_12"
+REPO_CODENAME="Debian_13"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/urbackup/install-service.sh
+++ b/src/urbackup/install-service.sh
@@ -5,10 +5,14 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 set -euo pipefail
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
 mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
 mkdir -p /etc/urbackup
@@ -18,10 +22,11 @@ echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/
 curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" ssl-cert urbackup-server nginx
-mkdir -p /etc/nginx/ssl
+install -d -m 0750 -o root -g root /etc/nginx/ssl
-openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
 ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
 ln -s /usr/share/urbackup/www /var/www/urbackup
@@ -44,9 +49,8 @@ server {
    index index.htm;
-    ssl on;
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
-    ssl_certificate /etc/nginx/ssl/urbackup.crt;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_certificate_key /etc/nginx/ssl/urbackup.key;
    location /x {
        include /etc/nginx/fastcgi_params;
--- a/src/vaultwarden/constants-service.conf
+++ b/src/vaultwarden/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@@ -5,13 +5,17 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 admin_token=$(openssl rand -base64 48)
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
+inst_postgresql 
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx git ssl-cert
 systemctl enable --now postgresql
@@ -149,6 +153,9 @@ server {
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8000;
        proxy_read_timeout 90;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 }
--- a/src/wazuh/constants-service.conf
+++ b/src/wazuh/constants-service.conf
@@ -0,0 +1,31 @@
 #!/bin/bash
 # Authors:
 # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=8192
 # service dependent meta tags
 SERVICE_TAGS="opensearch"
--- a/src/wazuh/install-service.sh
+++ b/src/wazuh/install-service.sh
@@ -0,0 +1,24 @@
 #!/bin/bash
 # Author:
 # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 WAZUH_VERSION=4.14
 REG_PASS=$(random_password)
 curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null
 sed -i "s|<use_password>no</use_password>|<use_password>yes</use_password>|" /var/ossec/etc/ossec.conf
 echo "$REG_PASS" > /var/ossec/etc/authd.pass
 chmod 640 /var/ossec/etc/authd.pass
 chown root:wazuh /var/ossec/etc/authd.pass
 systemctl restart wazuh-manager
 echo "Please use the following password for agent registration: $REG_PASS"
--- a/src/zabbix-proxy/constants-service.conf
+++ b/src/zabbix-proxy/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -42,8 +42,8 @@ ZABBIX_DB_USR="zabbix"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 ZABBIX_DB_PWD="$(random_password)"
-ZABBIX_VERSION=7.0 #zabbix 7 beta
+ZABBIX_VERSION=7.4 #zabbix 7 beta
-POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
+POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13) 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
--- a/src/zabbix-proxy/install-service.sh
+++ b/src/zabbix-proxy/install-service.sh
@@ -11,13 +11,14 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
 apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
 apt update
 inst_postgresql $POSTGRES_VERSION
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
 timedatectl set-timezone ${LXC_TIMEZONE}
@@ -29,7 +30,7 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE
 echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
 EOF
-cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+cat /usr/share/zabbix/sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
 echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
@@ -53,6 +54,8 @@ sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
 sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
 sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
 mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf  /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
 systemctl enable zabbix-proxy zabbix-agent2
 systemctl restart zabbix-proxy zabbix-agent2 
--- a/src/zabbix/constants-service.conf
+++ b/src/zabbix/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -42,10 +42,10 @@ ZABBIX_DB_USR="zabbix"
 # Build a strong password for the SQL user - could be overwritten with something fixed
 ZABBIX_DB_PWD="$(random_password)"
-ZABBIX_VERSION=7.0 #zabbix 7 beta
+ZABBIX_VERSION=7.4 #zabbix 7 beta
-POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
+POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13) 
-PHP_VERSION=8.2 # debian 12 default
+PHP_VERSION=8.4 # debian 12 default
-TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
+TS_VERSION=2.23.0 # currently latest by zabbix supported version of timescaledb (2024-05-13)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
--- a/src/zabbix/install-service.sh
+++ b/src/zabbix/install-service.sh
@@ -11,14 +11,15 @@ source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main"
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
-apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/" "$(lsb_release -cs)" "main"
-apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main"
+inst_postgresql ${POSTGRES_VERSION}
 inst_php pgsql,fpm $PHP_VERSION
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION timescaledb-tools nginx  zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
 unlink /etc/nginx/sites-enabled/default
@@ -216,18 +217,20 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE
 echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
 EOF
-sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
+#sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
-zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
 timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
 systemctl restart postgresql
 echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
-cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+cat /usr/share/zabbix/sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
-echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.d/dbpassword.conf
 mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf  /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
 generate_dhparam
--- a/src/zammad/constants-service.conf
+++ b/src/zammad/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
--- a/src/zammad/install-service.sh
+++ b/src/zammad/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -39,15 +41,16 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
 ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
 ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
-sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
+echo "Customizing nginx configuration..."
- -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
+sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
- -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
+ -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
- -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
- -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
+ -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
 -e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
 -e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
 /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
-ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
+ ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
 # configure elasticsearch
 /usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
--- a/src/zmb-ad-join/constants-service.conf
+++ b/src/zmb-ad-join/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -26,18 +26,6 @@ LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # add optional features to samba ad dc
 # CURRENTLY SUPPORTED:
 # wsdd = add windows service discovery
 # splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
 # bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
 OPTIONAL_FEATURES=(wsdd)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/zmb-ad-join/install-service.sh
+++ b/src/zmb-ad-join/install-service.sh
@@ -5,35 +5,19 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 for f in ${OPTIONAL_FEATURES[@]}; do
  if [[ "$f" == "wsdd" ]]; then
      ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
      ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
  elif [[ "$f" == "splitdns" ]]; then
      ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
      ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
  elif [[ "$f" == "bind9dlz" ]]; then
      ZMB_DNS_BACKEND="BIND9_DLZ"
      ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
      ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
  else
      echo "Unsupported optional feature $f"
  fi
 done
 # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc
 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
@@ -62,57 +46,6 @@ allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | r
 ntpsigndsocket /var/lib/samba/ntp_signd
 EOF
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
 	  cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80 default_server;
    server_name _;
    return 301 http://www.$LXC_DOMAIN\$request_uri;
 }
 EOF
 fi
 if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
  # configure bind dns service
  cat << EOF > /etc/default/bind9
 #
 # run resolvconf?
 RESOLVCONF=no
 # startup options for the server
 OPTIONS="-4 -u bind"
 EOF
  cat << EOF > /etc/bind/named.conf.local
 //
 // Do any local configuration here
 //
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
 dlz "$LXC_DOMAIN" {
  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
 };
 EOF
  cat << EOF > /etc/bind/named.conf.options
 options {
  directory "/var/cache/bind";
  forwarders {
    $LXC_DNS;
  };
  allow-query {  any;};
  dnssec-validation no;
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  listen-on { any; };
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
  minimal-responses yes;
 };
 EOF
  mkdir -p /var/lib/samba/bind-dns/dns
 fi
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
 [libdefaults]
@@ -124,9 +57,28 @@ cat > /etc/krb5.conf <<EOF
 EOF
 # stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 echo "fixing samba service to wait for lxc being online"
 install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
 cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
 [Unit]
 After=networking.service
 Wants=networking.service
 [Service]
 # Wait up to 30s for eth0 to get an IPv4 address
 ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
 Restart=on-failure
 RestartSec=3
 EOF
 systemctl daemon-reload
 echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
 samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
@@ -160,7 +112,10 @@ ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
-systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+systemctl restart samba-ad-dc
 bash /root/zmb-ad_auto-map-root.sh
 chmod +x /usr/bin/create-service-account
 # configure ad backup
 cat << EOF > /usr/local/bin/smb-backup
@@ -168,7 +123,7 @@ cat << EOF > /usr/local/bin/smb-backup
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 rc=0
-keep=$1
+keep=\$1
 if \$1 ; then
  keep=\$1
 fi
--- a/src/zmb-ad-restore/constants-service.conf
+++ b/src/zmb-ad-restore/constants-service.conf
@@ -1,45 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="backup"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # add optional features to samba ad dc
 # CURRENTLY SUPPORTED:
 # wsdd = add windows service discovery
 # splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
 # bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
 OPTIONAL_FEATURES=(wsdd)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
--- a/src/zmb-ad-restore/install-service.sh
+++ b/src/zmb-ad-restore/install-service.sh
@@ -1,195 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 for f in ${OPTIONAL_FEATURES[@]}; do
  if [[ "$f" == "wsdd" ]]; then
    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
  elif [[ "$f" == "splitdns" ]]; then
    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
  elif [[ "$f" == "bind9dlz" ]]; then
    ZMB_DNS_BACKEND="BIND9_DLZ"
    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
  else
    echo "Unsupported optional feature $f"
  fi
 done
 # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d
 cat << EOF > /etc/default/chrony
 # This is a configuration file for /etc/init.d/chrony and
 # /lib/systemd/system/chrony.service; it allows you to pass various options to
 # the chrony daemon without editing the init script or service file.
 # Options to pass to chrony.
 DAEMON_OPTS="-x -F 1"
 EOF
 cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
 [Unit]
 ConditionCapability=
 EOF
 cat << EOF > /etc/chrony/conf.d/samba.conf
 bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
 server de.pool.ntp.org iburst
 server europe.pool.ntp.org iburst
 allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
 ntpsigndsocket /var/lib/samba/ntp_signd
 EOF
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
  cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80 default_server;
    server_name _;
    return 301 http://www.$LXC_DOMAIN\$request_uri;
 }
 EOF
 fi
 if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
  # configure bind dns service
  cat << EOF > /etc/default/bind9
 #
 # run resolvconf?
 RESOLVCONF=no
 # startup options for the server
 OPTIONS="-4 -u bind"
 EOF
  cat << EOF > /etc/bind/named.conf.local
 //
 // Do any local configuration here
 //
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
 dlz "$LXC_DOMAIN" {
  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
 };
 EOF
  cat << EOF > /etc/bind/named.conf.options
 options {
  directory "/var/cache/bind";
  forwarders {
    $LXC_DNS;
  };
  allow-query {  any;};
  dnssec-validation no;
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  listen-on { any; };
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
  minimal-responses yes;
 };
 EOF
  mkdir -p /var/lib/samba/bind-dns/dns
 fi
 # stop + disable samba services and remove default config
 systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf
 rm -r /var/lib/samba/*
 backupfile=$(find /backup/online -name samba-backup* | tail -1)
 samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/ 
 ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 # disable password expiry for administrator
 samba-tool user setexpiry Administrator --noexpiry
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
 # configure ad backup
 cat << EOF > /usr/local/bin/smb-backup
 #!/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 rc=0
 keep=\$1
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
 prune () {
  backup_type=\$1
  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
  fi
 }
 echo "\$(date) Starting samba-ad-dc online backup"
 if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
  prune online
 else
  echo "\$(date) samba-ad-dc online backup failed"
  rc=\$((\$rc + 1))
 fi
 echo "\$(date) Starting samba-ad-dc offline backup"
 if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
  prune offline
 else
  echo "S(date) samba-ad-dc offline backup failed"
  rc=\$((\$rc + 1))
 fi
 exit \$rc
 EOF
 chmod +x /usr/local/bin/smb-backup
 cat << EOF > /etc/cron.d/smb-backup
 23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF
 cat << EOF > /etc/logrotate.d/smb-backup
 /var/log/smb-backup.log {
        weekly
        rotate 12
        compress
        delaycompress
        missingok
        notifempty
        create 644 root root
 }
 EOF
 exit 0
--- a/src/zmb-ad/constants-service.conf
+++ b/src/zmb-ad/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
@@ -26,18 +26,6 @@ LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # add optional features to samba ad dc
 # CURRENTLY SUPPORTED:
 # wsdd = add windows service discovery
 # splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
 # bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
 OPTIONAL_FEATURES=(wsdd)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/zmb-ad/install-service.sh
+++ b/src/zmb-ad/install-service.sh
@@ -5,38 +5,20 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 for f in ${OPTIONAL_FEATURES[@]}; do
  if [[ "$f" == "wsdd" ]]; then
    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
  elif [[ "$f" == "splitdns" ]]; then
    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
  elif [[ "$f" == "bind9dlz" ]]; then
    ZMB_DNS_BACKEND="BIND9_DLZ"
    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
  else
    echo "Unsupported optional feature $f"
  fi
 done
 # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc wsdd2
 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
-
+echo "configuring chrony"
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d
@@ -61,72 +43,35 @@ server europe.pool.ntp.org iburst
 allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
 ntpsigndsocket /var/lib/samba/ntp_signd
 EOF
-
+echo "disabling services"
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
  cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80 default_server;
    server_name _;
    return 301 http://www.$LXC_DOMAIN\$request_uri;
 }
 EOF
 fi
 if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
  # configure bind dns service
  cat << EOF > /etc/default/bind9
 #
 # run resolvconf?
 RESOLVCONF=no
 # startup options for the server
 OPTIONS="-4 -u bind"
 EOF
  cat << EOF > /etc/bind/named.conf.local
 //
 // Do any local configuration here
 //
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
 dlz "$LXC_DOMAIN" {
  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
 };
 EOF
  cat << EOF > /etc/bind/named.conf.options
 options {
  directory "/var/cache/bind";
  forwarders {
    $LXC_DNS;
  };
  allow-query {  any;};
  dnssec-validation no;
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  listen-on { any; };
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
  minimal-responses yes;
 };
 EOF
  mkdir -p /var/lib/samba/bind-dns/dns
 fi
 # stop + disable samba services and remove default config
-systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf
-# provision zamba domain
+echo "fixing samba service to wait for lxc being online"
 samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
 install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
 cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
 [Unit]
 After=networking.service
 Wants=networking.service
 [Service]
 # Wait up to 30s for eth0 to get an IPv4 address
 ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
 Restart=on-failure
 RestartSec=3
 EOF
 systemctl daemon-reload
 echo "provisioning domain"
 # provision zamba domain
 samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL
 echo "provosioning finished"
 ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 # disable password expiry for administrator
@@ -134,7 +79,10 @@ samba-tool user setexpiry Administrator --noexpiry
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
-systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+systemctl restart samba-ad-dc
 bash /root/zmb-ad_auto-map-root.sh
 chmod +x /usr/bin/create-service-account
 # configure ad backup
 cat << EOF > /usr/local/bin/smb-backup
--- a/src/zmb-cups/constants-service.conf
+++ b/src/zmb-cups/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
@@ -14,7 +16,7 @@ source /root/constants-service.conf
 apt update
 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd2
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
@@ -107,4 +109,4 @@ systemctl disable --now cups-browsed.service
 cupsctl --remote-admin
-systemctl restart cups smbd nmbd winbind wsdd
+systemctl restart cups smbd nmbd winbind wsdd2
--- a/src/zmb-member/constants-service.conf
+++ b/src/zmb-member/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@@ -5,16 +5,15 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 # echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 apt update
-#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
@@ -26,9 +25,6 @@ cat > /etc/krb5.conf <<EOF
 	renew_lifetime = 7d
 EOF
 echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
 klist
 mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
 cat > /etc/samba/smb.conf <<EOF
 [global]
@@ -75,8 +71,12 @@ cat > /etc/samba/smb.conf <<EOF
 	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20
 EOF
 IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
 for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}" ; do
    cat >> /etc/samba/smb.conf << EOF
 [$ZMB_SHARE]
 	comment = Main Share
 	path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 	read only = No
 	create mask = 0660
@@ -84,6 +84,10 @@ cat > /etc/samba/smb.conf <<EOF
 	inherit acls = Yes
 EOF
 done
 echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
 klist
 systemctl restart smbd
@@ -96,12 +100,17 @@ systemctl restart winbind nmbd
 wbinfo -u
 wbinfo -g
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+unset ZMB_SHARE
-# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
-chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+do
  mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-systemctl restart smbd nmbd winbind wsdd
+  setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
  setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 done
 systemctl restart smbd nmbd winbind
--- a/src/zmb-standalone/constants-service.conf
+++ b/src/zmb-standalone/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=1
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@@ -5,26 +5,21 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
+inst_45drives
 echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
-# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd2
 apt update
 #DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
 #DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
 USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
 useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
 echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
-smbpasswd -x $USER
+smbpasswd -x $USER || true
 (echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
 usermod -aG sudo $USER
@@ -65,14 +60,18 @@ EOF
 net conf import /etc/samba/import.template
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+do
    mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
    chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
    chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-net conf setparm $ZMB_SHARE readonly no
+    net conf setparm $ZMB_SHARE readonly no
-net conf setparm $ZMB_SHARE browseable yes
+    net conf setparm $ZMB_SHARE browseable yes
-net conf setparm $ZMB_SHARE createmask 0660
+    net conf setparm $ZMB_SHARE createmask 0660
-net conf setparm $ZMB_SHARE directorymask 0770
+    net conf setparm $ZMB_SHARE directorymask 0770
 done
-systemctl restart smbd nmbd wsdd
+systemctl restart smbd nmbd wsdd2