add websocket support for vaultwarden

Allow multiple shares for ZMB-MEMBER

conf/README.md

@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour.
 `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
-### ZMB_SHARE
-Defines the name of your Zamba share
+### ZMB_SHARES
+Defines the names of your Zamba shares
 ```bash
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
 ```
 <br>
 

conf/zamba.conf.example

@@ -114,8 +114,8 @@ ZMB_ADMIN_PASS='Start!123'
 # Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
 ZMB_DOMAIN_ADMINS="domain admins"
 
-# Defines the name of your Zamba share
-ZMB_SHARE="share"
+# Defines the names of your Zamba shares in a comma separated list
+ZMB_SHARES="share1,share2"
 
 ############### Mailpiler-Section ###############
 

scripts/create-service-account

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+USER="$1"
+
+if [ -z "$USER" ]; then
+  echo "Usage: $0 <username>"
+  exit 1
+fi
+
+# Prüfen, ob ldbmodify verfügbar ist
+if ! command -v ldbmodify &> /dev/null; then
+  echo "Fehler: 'ldbmodify' ist nicht installiert. Bitte installiere 'ldb-tools' mit:"
+  echo "  sudo apt update && sudo apt install ldb-tools"
+  exit 10
+fi
+
+# Sicheres Passwort generieren (32 Zeichen, alphanumerisch + Sonderzeichen)
+PASSWORD=$(openssl rand -base64 24)
+
+# Benutzer anlegen mit generiertem Passwort
+samba-tool user create "$USER" "$PASSWORD"
+echo "✅ Benutzer $USER erfolgreich erstellt."
+
+# DN des Benutzers ermitteln
+DN=$(ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=$USER)" dn | awk '/^dn: / {print $2}')
+
+if [ -z "$DN" ]; then
+  echo "❌ Fehler: DN für $USER nicht gefunden." >&2
+  exit 3
+fi
+
+# userWorkstations=NONE setzen
+ldbmodify -H /var/lib/samba/private/sam.ldb <<EOF
+dn: $DN
+changetype: modify
+replace: userWorkstations
+userWorkstations: "NOWORKSTATION"
+EOF
+
+echo
+echo "------------------------------------------"
+echo "BENUTZER ERSTELLT:"
+echo "Username: $USER"
+echo "Passwort: $PASSWORD"
+echo "Distinguished Name:"
+echo "$DN"
+echo "------------------------------------------"
+echo "Bitte notiere Benutzername, Passwort und DN sicher."

scripts/mailcow-update

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Konfiguration
+MAILCOW_PATH="/opt/mailcow-dockerized"
+SPOOL_DIR="/var/lib/check_mk_agent/spool"
+INTERVAL_SECONDS=87000  # z. B. alle 24 Stunden + Toleranz
+SPOOL_FILE="${SPOOL_DIR}/${INTERVAL_SECONDS}_mailcow_update"
+
+# Sicherstellen, dass das Spool-Verzeichnis existiert
+mkdir -p "$SPOOL_DIR"
+
+# Temporäre Datei vorbereiten
+TMP_FILE="$(mktemp)"
+
+# Header für Local Check
+echo "<<<local>>>" > "$TMP_FILE"
+
+# In das Mailcow-Verzeichnis wechseln
+if ! cd "$MAILCOW_PATH"; then
+  echo "2 Mailcow_Update - ERROR: Verzeichnis $MAILCOW_PATH nicht gefunden" >> "$TMP_FILE"
+  echo "3 Mailcow_Version - UNKNOWN: Verzeichnis nicht gefunden" >> "$TMP_FILE"
+  mv "$TMP_FILE" "$SPOOL_FILE"
+  exit 2
+fi
+
+# Aktuelle Uhrzeit für Log
+NOW="$(date '+%Y-%m-%d %H:%M:%S')"
+
+# Mailcow-Version auslesen
+GIT_TAG=$(git describe --tags --abbrev=0 2>/dev/null)
+GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null)
+
+if [[ -n "$GIT_TAG" ]]; then
+  echo "0 Mailcow_Version - OK: Version $GIT_TAG ($GIT_COMMIT)" >> "$TMP_FILE"
+else
+  echo "0 Mailcow_Version - OK: Commit $GIT_COMMIT (kein Tag)" >> "$TMP_FILE"
+fi
+
+# Auf Updates prüfen
+UPDATE_CHECK=$(./update.sh --check 2>&1)
+if echo "$UPDATE_CHECK" | grep -q "No updates available"; then
+  echo "0 Mailcow_Update - OK: Kein Update verfügbar ($NOW)" >> "$TMP_FILE"
+  mv "$TMP_FILE" "$SPOOL_FILE"
+  exit 0
+fi
+
+# Erstes Update versuchen
+UPDATE_OUTPUT=$(./update.sh --force --skip-ping-check 2>&1)
+EXIT_CODE=$?
+
+# Sonderfall: Skript wurde geändert und muss erneut ausgeführt werden
+if echo "$UPDATE_OUTPUT" | grep -q "update.sh changed, please run this script again"; then
+  UPDATE_OUTPUT_2=$(./update.sh --force --skip-ping-check 2>&1)
+  EXIT_CODE=$?
+  UPDATE_OUTPUT="${UPDATE_OUTPUT}\n--- retry ---\n${UPDATE_OUTPUT_2}"
+fi
+
+if [ "$EXIT_CODE" -eq 0 ]; then
+  echo "0 Mailcow_Update - OK: Update erfolgreich durchgeführt ($NOW)" >> "$TMP_FILE"
+else
+  echo "2 Mailcow_Update - CRITICAL: Update fehlgeschlagen ($NOW)" >> "$TMP_FILE"
+  echo "$UPDATE_OUTPUT" >> "$TMP_FILE"
+fi
+
+# Ergebnis schreiben
+mv "$TMP_FILE" "$SPOOL_FILE"
+exit "$EXIT_CODE"

scripts/nextcloud-for-mailcow-dockerized.conf

@@ -0,0 +1,44 @@
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name cloud.domain.tld;
+
+    ssl_certificate     /etc/ssl/mail/cert.pem;
+    ssl_certificate_key /etc/ssl/mail/key.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # HTTP → HTTPS
+    if ($scheme = http) {
+        return 301 https://$host$request_uri;
+    }
+
+    location / {
+        proxy_pass https://cloud.domain.tld;
+
+        # Hostname & Forwarded-Header sauber durchreichen
+        proxy_set_header Host 192.168.178.253;        # explizit der Upstream-Name
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;  # TLS endet hier
+        proxy_set_header X-Forwarded-Host $host;   # also cloud.domain.tld
+        proxy_set_header X-Forwarded-Port 443;
+        proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
+        proxy_set_header Referrer-Policy "no-referrer";
+
+        proxy_connect_timeout 600;
+        proxy_send_timeout 600;
+        proxy_read_timeout 600;
+        send_timeout 600;
+        client_max_body_size 10G;
+    }
+
+    # CalDAV/CardDAV Redirects
+    location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
+    location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
+}

scripts/zmb-ad_auto-map-root.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+set -e
+
+SMB_CONF="/etc/samba/smb.conf"
+USERMAP_FILE="/etc/samba/user.map"
+KEYTAB_PATH="/root/admin.keytab"
+SYSTEMD_SERVICE="/etc/systemd/system/kinit-admin.service"
+SYSTEMD_TIMER="/etc/systemd/system/kinit-admin.timer"
+BASH_PROFILE="/root/.bash_profile"
+
+# 1. Domain & Realm aus smb.conf auslesen
+DOMAIN_NAME=$(awk -F '=' '/^[[:space:]]*workgroup[[:space:]]*=/ {gsub(/ /, "", $2); print $2}' "$SMB_CONF")
+REALM_NAME=$(awk -F '=' '/^[[:space:]]*realm[[:space:]]*=/ {gsub(/ /, "", $2); print toupper($2)}' "$SMB_CONF")
+
+if [[ -z "$DOMAIN_NAME" || -z "$REALM_NAME" ]]; then
+    echo "[FEHLER] Konnte 'workgroup' oder 'realm' aus smb.conf nicht auslesen."
+    exit 1
+fi
+
+echo "[INFO] Domain: $DOMAIN_NAME"
+echo "[INFO] Realm: $REALM_NAME"
+
+# 2. user.map schreiben
+echo "!root = ${DOMAIN_NAME}\\Administrator" > "$USERMAP_FILE"
+echo "[OK] Benutzerzuordnung geschrieben in $USERMAP_FILE"
+
+# 3. smb.conf patchen
+if ! grep -q "^username map *= *$USERMAP_FILE" "$SMB_CONF"; then
+    sed -i "/^\[global\]/a username map = $USERMAP_FILE" "$SMB_CONF"
+    echo "[OK] smb.conf wurde um 'username map' ergänzt."
+else
+    echo "[INFO] 'username map' bereits gesetzt."
+fi
+
+# 4. Keytab erzeugen
+echo "[INFO] Erzeuge Keytab für Administrator..."
+samba-tool domain exportkeytab "$KEYTAB_PATH" --principal="administrator@$REALM_NAME"
+chmod 600 "$KEYTAB_PATH"
+echo "[OK] Keytab gespeichert unter $KEYTAB_PATH"
+
+# 5. systemd-Service + Timer für automatisches kinit
+echo "[INFO] Erstelle systemd-Service & Timer..."
+
+cat > "$SYSTEMD_SERVICE" <<EOF
+[Unit]
+Description=Kerberos Kinit für Administrator
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/kinit -kt $KEYTAB_PATH administrator@$REALM_NAME
+EOF
+
+cat > "$SYSTEMD_TIMER" <<EOF
+[Unit]
+Description=Kerberos Kinit für Administrator (Boot)
+
+[Timer]
+OnBootSec=10sec
+Unit=kinit-admin.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Aktivieren
+systemctl daemon-reexec
+systemctl daemon-reload
+systemctl enable --now kinit-admin.timer
+
+# 6. root-Login: .bash_profile anpassen
+echo "[INFO] Ergänze .bash_profile von root, um bei Login kinit auszuführen..."
+mkdir -p "$(dirname "$BASH_PROFILE")"
+touch "$BASH_PROFILE"
+
+# Block nur hinzufügen, wenn er nicht bereits vorhanden ist
+if ! grep -q "kinit -kt $KEYTAB_PATH administrator@$REALM_NAME" "$BASH_PROFILE"; then
+    cat >> "$BASH_PROFILE" <<EOF
+
+# Automatisches Kerberos-Ticket beim Login holen
+if ! klist -s; then
+    echo "[INFO] Kein gültiges Kerberos-Ticket – führe kinit aus..."
+    kinit -kt $KEYTAB_PATH administrator@$REALM_NAME && echo "[INFO] Kerberos-Ticket aktualisiert."
+fi
+EOF
+    echo "[OK] .bash_profile angepasst."
+else
+    echo "[INFO] .bash_profile enthält bereits kinit-Befehl."
+fi
+
+# 7. samba-ad-dc neu starten
+echo "[INFO] Starte samba-ad-dc neu..."
+systemctl restart samba-ad-dc
+
+# 8. Testausgaben
+echo "[INFO] getent passwd root:"
+getent passwd root || echo "[WARNUNG] Kein Eintrag für root"
+
+echo
+echo "[INFO] Test: samba-tool user list (falls kein Passwort kommt, war's erfolgreich):"
+samba-tool user list | head -n 5 || echo "[WARNUNG] Fehler bei samba-tool"
+

src/functions.sh

@@ -24,29 +24,71 @@ apt_repo() {
     apt_key_url=$2
     apt_key_path=/usr/share/keyrings/${apt_name}.gpg
     apt_repo_url=$3
+    apt_suites=$4
+    apt_components=$5
+    tmp_key_file=$(mktemp)
+    if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
+        echo "❌ Fehler beim Herunterladen des Schlüssels."
+        rm -f "${tmp_key_file}"
+        exit 1
+    fi
+    if file "${tmp_key_file}" | grep -q "ASCII"; then
+        echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
+        # Wenn es ASCII ist, konvertiere es mit --dearmor
+        if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
+            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
+        else
+            echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
+            rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
+            exit 1
+        fi
+    else
+        echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
+        # Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
+        if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
+            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
+        else
+            echo "❌ Fehler beim Kopieren des binären Schlüssels."
+            rm -f "${tmp_key_file}"
+            exit 1
+        fi
+    fi
 
-    wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
-    echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
+    if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
+        cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
+Types: deb
+URIs: $apt_repo_url
+Suites: $apt_suites
+Components: $apt_components
+Enabled: yes
+Signed-By: $apt_key_path
+EOF
+    else
+        echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
+    fi
 }
+
 #### Set repo and install Nginx ####
 inst_nginx() {
-    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
+    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
     apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
 }
+
 #### Set repo and install PHP ####
 inst_php() {
-    curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
-    echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
+    apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
     apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
 }
+
 #### Set repo and install Postgresql ####
 inst_postgresql() {
-    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
+    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
     apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
 }
+
 #### Set repo and install Crowdsec ####
 inst_crowdsec() {
-    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
+    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
     apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
     DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
 }

src/icinga2/install-service.sh

@@ -23,8 +23,8 @@ apt update
 
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \
         icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \
-        mariadb-server mariadb-client influxdb2 imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \
-        icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto \
+        mariadb-server mariadb-client influxdb2 influxdb2-client imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \
+        icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto icinga-x509 \
         monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport
 
 
@@ -32,6 +32,7 @@ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq -
 ICINGAWEB_DB_PASS=$(_generate_local_password 24)
 DIRECTOR_DB_PASS=$(_generate_local_password 24)
 ICINGADB_PASS=$(_generate_local_password 24)
+ICINGA_X509_DB_PASS=$(_generate_local_password 24)
 ICINGA_API_USER_PASS=$(_generate_local_password 24)
 NOTIFICATIONS_DB_PASS=$(_generate_local_password 24)
 ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
@@ -44,16 +45,19 @@ mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE
 mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
 mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
 mysql -e "CREATE DATABASE IF NOT EXISTS notifications CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS x509 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
 
 mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';"
 mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';"
 mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';"
 mysql -e "CREATE USER IF NOT EXISTS 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'x509'@'localhost' IDENTIFIED BY '${ICINGA_X509_DB_PASS}';"
 
 mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';"
 mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';"
 mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';"
 mysql -e "GRANT ALL PRIVILEGES ON notifications.* TO 'notifications'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON x509.* TO 'x509'@'localhost';"
 mysql -e "FLUSH PRIVILEGES;"
 
 systemctl start influxdb
@@ -371,11 +375,13 @@ IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql"
 DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql"
 ICINGADB_SCHEMA="/usr/share/icingadb/schema/mysql/schema.sql"
 NOTIFICATIONS_SCHEMA="/usr/share/icinga-notifications/schema/mysql/schema.sql"
+X509_SCHEMA="/usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql"
 
 if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi
 if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi
 if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi
 if [ ! -f "$NOTIFICATIONS_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$X509_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $X509_SCHEMA" >&2; exit 1; fi
 
 
 if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then
@@ -393,11 +399,17 @@ if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration"
     mysql icingadb < "$ICINGADB_SCHEMA"
 fi
 
-if ! mysql -e "use notifications; show tables;" | grep -q "icingadb_schema_migration"; then
-    echo "[INFO] Importiere IcingaDB-Schema..."
+if ! mysql -e "use notifications; show tables;" | grep -q "incident_rule_escalation_state"; then
+    echo "[INFO] Importiere Notifications-Schema..."
     mysql notifications < "$NOTIFICATIONS_SCHEMA"
 fi
 
+if ! mysql -e "use x509; show tables;" | grep -q "x509_schema"; then
+    echo "[INFO] Importiere x509-Schema..."
+    mysql x509 < "$X509_SCHEMA"
+fi
+
+
 cat > /etc/icingaweb2/config.ini <<EOF
 [global]
 show_stacktraces = "0"
@@ -454,6 +466,8 @@ EOF
 
 icinga2 feature enable icingadb api influxdb2-writer perfdata
 
+icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
+
 echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
 icingacli module enable reactbundle
 icingacli module enable incubator

src/lxc-base.sh

@@ -24,29 +24,7 @@ EOF
 locale-gen $LXC_LOCALE 
 
 # Generate sources
-if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ buster main contrib
-
-deb http://deb.debian.org/debian/ buster-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security buster/updates main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ bullseye main contrib
-
-deb http://deb.debian.org/debian/ bullseye-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security bullseye-security main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
+if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
 
 cat << EOF > /etc/apt/sources.list
 deb http://deb.debian.org/debian/ bookworm main contrib
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
 # security updates
 deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
+
+if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
+cat << EOF > /etc/apt/sources.list.d/debian.sources
+Types: deb deb-src
+URIs: https://deb.debian.org/debian
+Suites: trixie trixie-updates
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security
+Suites: trixie-security
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+EOF
 
 else echo "LXC Debian Version false. Please check configuration files!" ; exit
 fi

src/mailcow/install-service.sh

@@ -17,7 +17,7 @@ chmod a+r /etc/apt/keyrings/docker.gpg
 # Add the repository to Apt sources:
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
 
 SECRET=$(random_password)
@@ -73,6 +73,21 @@ EOF
 
 }
 
+# fix docker errors for slow machines
+cat << EOF > /etc/docker/daemon.json
+{
+  "default-ulimits": {
+    "nproc": {
+      "name": "nproc",
+      "soft": -1,
+      "hard": -1
+    }
+  }
+}
+EOF
+systemctl restart docker
+
+
 cd /opt
 git clone https://github.com/mailcow/mailcow-dockerized
 cd mailcow-dockerized
@@ -104,6 +119,8 @@ DBUSER=mailcow
 DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 
+REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+
 # ------------------------------
 # HTTP/S Bindings
 # ------------------------------
@@ -367,23 +384,6 @@ HTTP_REDIRECT=y
 
 EOF
 
-cat << EOF > data/conf/nginx/redirect.conf
-server {
-  root /web;
-  listen 80 default_server;
-  listen [::]:80 default_server;
-  include /etc/nginx/conf.d/server_name.active;
-  if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
-  location ^~ /.well-known/acme-challenge/ {
-    allow all;
-    default_type "text/plain";
-  }
-  location / {
-    return 301 https://\$host\$uri\$is_args\$args;
-  }
-}
-EOF
-
 cat << EOF > /etc/cron.daily/mailcowbackup
 #!/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

src/matrix/install-service.sh

@@ -154,6 +154,6 @@ systemctl restart matrix-synapse
 
 rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 
-register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
 
 echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"

src/vaultwarden/install-service.sh

@@ -149,6 +149,9 @@ server {
         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
         proxy_pass http://127.0.0.1:8000;
         proxy_read_timeout 90;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
     }
 }
 

src/zammad/install-service.sh

@@ -39,15 +39,16 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
 ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
 ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
 
-sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
- -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
- -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
- -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
- -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
+echo "Customizing nginx configuration..."
+sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
+ -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
+ -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
+ -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
+ -e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
  /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
 
-ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
-
+ ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
 
 # configure elasticsearch
 /usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment

src/zmb-member/install-service.sh

@@ -75,8 +75,13 @@ cat > /etc/samba/smb.conf <<EOF
 	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20
 
+EOF
+
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+    cat >> /etc/samba/smb.conf << EOF
 [$ZMB_SHARE]
-	comment = Main Share
 	path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 	read only = No
 	create mask = 0660
@@ -84,6 +89,7 @@ cat > /etc/samba/smb.conf <<EOF
 	inherit acls = Yes
 
 EOF
+done
 
 systemctl restart smbd
 
@@ -96,12 +102,17 @@ systemctl restart winbind nmbd
 wbinfo -u
 wbinfo -g
 
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+unset ZMB_SHARE
 
-# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+  mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
-setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
+  chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+  setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+done
 
 systemctl restart smbd nmbd winbind wsdd

src/zmb-standalone/install-service.sh

@@ -65,14 +65,18 @@ EOF
 
 net conf import /etc/samba/import.template
 
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+    mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
-net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-net conf setparm $ZMB_SHARE readonly no
-net conf setparm $ZMB_SHARE browseable yes
-net conf setparm $ZMB_SHARE createmask 0660
-net conf setparm $ZMB_SHARE directorymask 0770
+    net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    net conf setparm $ZMB_SHARE readonly no
+    net conf setparm $ZMB_SHARE browseable yes
+    net conf setparm $ZMB_SHARE createmask 0660
+    net conf setparm $ZMB_SHARE directorymask 0770
+done
 
 systemctl restart smbd nmbd wsdd