add websocket support for vaultwarden

Allow multiple shares for ZMB-MEMBER

conf/README.md

@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour.
 `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
-### ZMB_SHARE
+### ZMB_SHARES
-Defines the name of your Zamba share
+Defines the names of your Zamba shares
 ```bash
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
 ```
 <br>
 

conf/zamba.conf.example

@@ -114,8 +114,8 @@ ZMB_ADMIN_PASS='Start!123'
 # Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
 ZMB_DOMAIN_ADMINS="domain admins"
 
-# Defines the name of your Zamba share
+# Defines the names of your Zamba shares in a comma separated list
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
 
 ############### Mailpiler-Section ###############
 

scripts/create-service-account

@@ -36,7 +36,7 @@ ldbmodify -H /var/lib/samba/private/sam.ldb <<EOF
 dn: $DN
 changetype: modify
 replace: userWorkstations
-userWorkstations: NONE
+userWorkstations: "NOWORKSTATION"
 EOF
 
 echo

scripts/nextcloud-for-mailcow-dockerized.conf

@@ -0,0 +1,44 @@
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name cloud.domain.tld;
+
+    ssl_certificate     /etc/ssl/mail/cert.pem;
+    ssl_certificate_key /etc/ssl/mail/key.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # HTTP → HTTPS
+    if ($scheme = http) {
+        return 301 https://$host$request_uri;
+    }
+
+    location / {
+        proxy_pass https://cloud.domain.tld;
+
+        # Hostname & Forwarded-Header sauber durchreichen
+        proxy_set_header Host 192.168.178.253;        # explizit der Upstream-Name
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;  # TLS endet hier
+        proxy_set_header X-Forwarded-Host $host;   # also cloud.domain.tld
+        proxy_set_header X-Forwarded-Port 443;
+        proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
+        proxy_set_header Referrer-Policy "no-referrer";
+
+        proxy_connect_timeout 600;
+        proxy_send_timeout 600;
+        proxy_read_timeout 600;
+        send_timeout 600;
+        client_max_body_size 10G;
+    }
+
+    # CalDAV/CardDAV Redirects
+    location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
+    location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
+}

src/functions.sh

@@ -24,29 +24,71 @@ apt_repo() {
     apt_key_url=$2
     apt_key_path=/usr/share/keyrings/${apt_name}.gpg
     apt_repo_url=$3
+    apt_suites=$4
+    apt_components=$5
+    tmp_key_file=$(mktemp)
+    if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
+        echo "❌ Fehler beim Herunterladen des Schlüssels."
+        rm -f "${tmp_key_file}"
+        exit 1
+    fi
+    if file "${tmp_key_file}" | grep -q "ASCII"; then
+        echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
+        # Wenn es ASCII ist, konvertiere es mit --dearmor
+        if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
+            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
+        else
+            echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
+            rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
+            exit 1
+        fi
+    else
+        echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
+        # Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
+        if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
+            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
+        else
+            echo "❌ Fehler beim Kopieren des binären Schlüssels."
+            rm -f "${tmp_key_file}"
+            exit 1
+        fi
+    fi
 
-    wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
+    if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
-    echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
+        cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
+Types: deb
+URIs: $apt_repo_url
+Suites: $apt_suites
+Components: $apt_components
+Enabled: yes
+Signed-By: $apt_key_path
+EOF
+    else
+        echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
+    fi
 }
+
 #### Set repo and install Nginx ####
 inst_nginx() {
-    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
+    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
     apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
 }
+
 #### Set repo and install PHP ####
 inst_php() {
-    curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
+    apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
-    echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
     apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
 }
+
 #### Set repo and install Postgresql ####
 inst_postgresql() {
-    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
     apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
 }
+
 #### Set repo and install Crowdsec ####
 inst_crowdsec() {
-    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
+    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
     apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
     DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
 }

src/lxc-base.sh

@@ -24,29 +24,7 @@ EOF
 locale-gen $LXC_LOCALE 
 
 # Generate sources
-if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
+if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ buster main contrib
-
-deb http://deb.debian.org/debian/ buster-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security buster/updates main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ bullseye main contrib
-
-deb http://deb.debian.org/debian/ bullseye-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security bullseye-security main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
 
 cat << EOF > /etc/apt/sources.list
 deb http://deb.debian.org/debian/ bookworm main contrib
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
 # security updates
 deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
+
+if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
+cat << EOF > /etc/apt/sources.list.d/debian.sources
+Types: deb deb-src
+URIs: https://deb.debian.org/debian
+Suites: trixie trixie-updates
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security
+Suites: trixie-security
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+EOF
 
 else echo "LXC Debian Version false. Please check configuration files!" ; exit
 fi

src/matrix/install-service.sh

@@ -154,6 +154,6 @@ systemctl restart matrix-synapse
 
 rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 
-register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
 
-echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
+echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"

src/vaultwarden/install-service.sh

@@ -149,6 +149,9 @@ server {
         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
         proxy_pass http://127.0.0.1:8000;
         proxy_read_timeout 90;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
     }
 }
 

src/zammad/install-service.sh

@@ -39,15 +39,16 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
 ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
 ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
 
-sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
+echo "Customizing nginx configuration..."
- -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
+sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
- -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
+ -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
- -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
- -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
+ -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
+ -e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
  /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
 
-ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
+ ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
-
 
 # configure elasticsearch
 /usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment

src/zmb-member/install-service.sh

@@ -75,8 +75,13 @@ cat > /etc/samba/smb.conf <<EOF
 	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20
 
+EOF
+
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+    cat >> /etc/samba/smb.conf << EOF
 [$ZMB_SHARE]
-	comment = Main Share
 	path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 	read only = No
 	create mask = 0660
@@ -84,6 +89,7 @@ cat > /etc/samba/smb.conf <<EOF
 	inherit acls = Yes
 
 EOF
+done
 
 systemctl restart smbd
 
@@ -96,12 +102,17 @@ systemctl restart winbind nmbd
 wbinfo -u
 wbinfo -g
 
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+unset ZMB_SHARE
 
-# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
-chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+do
+  mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
-setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+  setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+done
 
 systemctl restart smbd nmbd winbind wsdd

src/zmb-standalone/install-service.sh

@@ -65,14 +65,18 @@ EOF
 
 net conf import /etc/samba/import.template
 
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+do
+    mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
-net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-net conf setparm $ZMB_SHARE readonly no
+    net conf setparm $ZMB_SHARE readonly no
-net conf setparm $ZMB_SHARE browseable yes
+    net conf setparm $ZMB_SHARE browseable yes
-net conf setparm $ZMB_SHARE createmask 0660
+    net conf setparm $ZMB_SHARE createmask 0660
-net conf setparm $ZMB_SHARE directorymask 0770
+    net conf setparm $ZMB_SHARE directorymask 0770
+done
 
 systemctl restart smbd nmbd wsdd