mirror of
https://github.com/bashclub/zamba-lxc-toolbox.git
synced 2025-12-06 07:58:44 +00:00
Compare commits
23 Commits
f4c3d6f6e1
...
dev
| Author | SHA1 | Date | |
|---|---|---|---|
|
75f67002fa | ||
|
|
9a076c575a | ||
|
|
9a644fd149 | ||
|
|
3e257d0534 | ||
|
|
3bf682657a | ||
|
|
9537faaaab | ||
|
|
f37757a08a | ||
|
|
a31ebfb0e3 | ||
|
|
85caaac848 | ||
|
|
818cbfc732 | ||
|
|
664bc6ac5e | ||
|
|
54ef036b78 | ||
|
|
0460e3e5a1 | ||
|
|
5b263acbb2 | ||
|
|
3ee9538074 | ||
|
|
75559ca34b | ||
|
|
a3bd70732f | ||
|
|
2ae38a3340 | ||
|
|
7d4b85d83e | ||
|
|
325747cf6d | ||
|
|
0171a19b7c | ||
|
|
cc46b53637 | ||
|
|
13834a0d2c |
@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
|
||||
```
|
||||
Please use 'single quotation marks' to avoid unexpected behaviour.
|
||||
`zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
|
||||
### ZMB_SHARE
|
||||
Defines the name of your Zamba share
|
||||
### ZMB_SHARES
|
||||
Defines the names of your Zamba shares
|
||||
```bash
|
||||
ZMB_SHARE="share"
|
||||
ZMB_SHARES="share1,share2"
|
||||
```
|
||||
<br>
|
||||
|
||||
|
||||
@@ -114,8 +114,8 @@ ZMB_ADMIN_PASS='Start!123'
|
||||
# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
|
||||
ZMB_DOMAIN_ADMINS="domain admins"
|
||||
|
||||
# Defines the name of your Zamba share
|
||||
ZMB_SHARE="share"
|
||||
# Defines the names of your Zamba shares in a comma separated list
|
||||
ZMB_SHARES="share1,share2"
|
||||
|
||||
############### Mailpiler-Section ###############
|
||||
|
||||
|
||||
50
scripts/create-service-account
Normal file
50
scripts/create-service-account
Normal file
@@ -0,0 +1,50 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
USER="$1"
|
||||
|
||||
if [ -z "$USER" ]; then
|
||||
echo "Usage: $0 <username>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Prüfen, ob ldbmodify verfügbar ist
|
||||
if ! command -v ldbmodify &> /dev/null; then
|
||||
echo "Fehler: 'ldbmodify' ist nicht installiert. Bitte installiere 'ldb-tools' mit:"
|
||||
echo " sudo apt update && sudo apt install ldb-tools"
|
||||
exit 10
|
||||
fi
|
||||
|
||||
# Sicheres Passwort generieren (32 Zeichen, alphanumerisch + Sonderzeichen)
|
||||
PASSWORD=$(openssl rand -base64 24)
|
||||
|
||||
# Benutzer anlegen mit generiertem Passwort
|
||||
samba-tool user create "$USER" "$PASSWORD"
|
||||
echo "✅ Benutzer $USER erfolgreich erstellt."
|
||||
|
||||
# DN des Benutzers ermitteln
|
||||
DN=$(ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=$USER)" dn | awk '/^dn: / {print $2}')
|
||||
|
||||
if [ -z "$DN" ]; then
|
||||
echo "❌ Fehler: DN für $USER nicht gefunden." >&2
|
||||
exit 3
|
||||
fi
|
||||
|
||||
# userWorkstations=NONE setzen
|
||||
ldbmodify -H /var/lib/samba/private/sam.ldb <<EOF
|
||||
dn: $DN
|
||||
changetype: modify
|
||||
replace: userWorkstations
|
||||
userWorkstations: "NOWORKSTATION"
|
||||
EOF
|
||||
|
||||
echo
|
||||
echo "------------------------------------------"
|
||||
echo "BENUTZER ERSTELLT:"
|
||||
echo "Username: $USER"
|
||||
echo "Passwort: $PASSWORD"
|
||||
echo "Distinguished Name:"
|
||||
echo "$DN"
|
||||
echo "------------------------------------------"
|
||||
echo "Bitte notiere Benutzername, Passwort und DN sicher."
|
||||
67
scripts/mailcow-update
Normal file
67
scripts/mailcow-update
Normal file
@@ -0,0 +1,67 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Konfiguration
|
||||
MAILCOW_PATH="/opt/mailcow-dockerized"
|
||||
SPOOL_DIR="/var/lib/check_mk_agent/spool"
|
||||
INTERVAL_SECONDS=87000 # z. B. alle 24 Stunden + Toleranz
|
||||
SPOOL_FILE="${SPOOL_DIR}/${INTERVAL_SECONDS}_mailcow_update"
|
||||
|
||||
# Sicherstellen, dass das Spool-Verzeichnis existiert
|
||||
mkdir -p "$SPOOL_DIR"
|
||||
|
||||
# Temporäre Datei vorbereiten
|
||||
TMP_FILE="$(mktemp)"
|
||||
|
||||
# Header für Local Check
|
||||
echo "<<<local>>>" > "$TMP_FILE"
|
||||
|
||||
# In das Mailcow-Verzeichnis wechseln
|
||||
if ! cd "$MAILCOW_PATH"; then
|
||||
echo "2 Mailcow_Update - ERROR: Verzeichnis $MAILCOW_PATH nicht gefunden" >> "$TMP_FILE"
|
||||
echo "3 Mailcow_Version - UNKNOWN: Verzeichnis nicht gefunden" >> "$TMP_FILE"
|
||||
mv "$TMP_FILE" "$SPOOL_FILE"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
# Aktuelle Uhrzeit für Log
|
||||
NOW="$(date '+%Y-%m-%d %H:%M:%S')"
|
||||
|
||||
# Mailcow-Version auslesen
|
||||
GIT_TAG=$(git describe --tags --abbrev=0 2>/dev/null)
|
||||
GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null)
|
||||
|
||||
if [[ -n "$GIT_TAG" ]]; then
|
||||
echo "0 Mailcow_Version - OK: Version $GIT_TAG ($GIT_COMMIT)" >> "$TMP_FILE"
|
||||
else
|
||||
echo "0 Mailcow_Version - OK: Commit $GIT_COMMIT (kein Tag)" >> "$TMP_FILE"
|
||||
fi
|
||||
|
||||
# Auf Updates prüfen
|
||||
UPDATE_CHECK=$(./update.sh --check 2>&1)
|
||||
if echo "$UPDATE_CHECK" | grep -q "No updates available"; then
|
||||
echo "0 Mailcow_Update - OK: Kein Update verfügbar ($NOW)" >> "$TMP_FILE"
|
||||
mv "$TMP_FILE" "$SPOOL_FILE"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Erstes Update versuchen
|
||||
UPDATE_OUTPUT=$(./update.sh --force --skip-ping-check 2>&1)
|
||||
EXIT_CODE=$?
|
||||
|
||||
# Sonderfall: Skript wurde geändert und muss erneut ausgeführt werden
|
||||
if echo "$UPDATE_OUTPUT" | grep -q "update.sh changed, please run this script again"; then
|
||||
UPDATE_OUTPUT_2=$(./update.sh --force --skip-ping-check 2>&1)
|
||||
EXIT_CODE=$?
|
||||
UPDATE_OUTPUT="${UPDATE_OUTPUT}\n--- retry ---\n${UPDATE_OUTPUT_2}"
|
||||
fi
|
||||
|
||||
if [ "$EXIT_CODE" -eq 0 ]; then
|
||||
echo "0 Mailcow_Update - OK: Update erfolgreich durchgeführt ($NOW)" >> "$TMP_FILE"
|
||||
else
|
||||
echo "2 Mailcow_Update - CRITICAL: Update fehlgeschlagen ($NOW)" >> "$TMP_FILE"
|
||||
echo "$UPDATE_OUTPUT" >> "$TMP_FILE"
|
||||
fi
|
||||
|
||||
# Ergebnis schreiben
|
||||
mv "$TMP_FILE" "$SPOOL_FILE"
|
||||
exit "$EXIT_CODE"
|
||||
44
scripts/nextcloud-for-mailcow-dockerized.conf
Normal file
44
scripts/nextcloud-for-mailcow-dockerized.conf
Normal file
@@ -0,0 +1,44 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name cloud.domain.tld;
|
||||
|
||||
ssl_certificate /etc/ssl/mail/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/mail/key.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
# HTTP → HTTPS
|
||||
if ($scheme = http) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass https://cloud.domain.tld;
|
||||
|
||||
# Hostname & Forwarded-Header sauber durchreichen
|
||||
proxy_set_header Host 192.168.178.253; # explizit der Upstream-Name
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https; # TLS endet hier
|
||||
proxy_set_header X-Forwarded-Host $host; # also cloud.domain.tld
|
||||
proxy_set_header X-Forwarded-Port 443;
|
||||
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
|
||||
proxy_set_header Referrer-Policy "no-referrer";
|
||||
|
||||
proxy_connect_timeout 600;
|
||||
proxy_send_timeout 600;
|
||||
proxy_read_timeout 600;
|
||||
send_timeout 600;
|
||||
client_max_body_size 10G;
|
||||
}
|
||||
|
||||
# CalDAV/CardDAV Redirects
|
||||
location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
|
||||
location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
|
||||
}
|
||||
103
scripts/zmb-ad_auto-map-root.sh
Normal file
103
scripts/zmb-ad_auto-map-root.sh
Normal file
@@ -0,0 +1,103 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
SMB_CONF="/etc/samba/smb.conf"
|
||||
USERMAP_FILE="/etc/samba/user.map"
|
||||
KEYTAB_PATH="/root/admin.keytab"
|
||||
SYSTEMD_SERVICE="/etc/systemd/system/kinit-admin.service"
|
||||
SYSTEMD_TIMER="/etc/systemd/system/kinit-admin.timer"
|
||||
BASH_PROFILE="/root/.bash_profile"
|
||||
|
||||
# 1. Domain & Realm aus smb.conf auslesen
|
||||
DOMAIN_NAME=$(awk -F '=' '/^[[:space:]]*workgroup[[:space:]]*=/ {gsub(/ /, "", $2); print $2}' "$SMB_CONF")
|
||||
REALM_NAME=$(awk -F '=' '/^[[:space:]]*realm[[:space:]]*=/ {gsub(/ /, "", $2); print toupper($2)}' "$SMB_CONF")
|
||||
|
||||
if [[ -z "$DOMAIN_NAME" || -z "$REALM_NAME" ]]; then
|
||||
echo "[FEHLER] Konnte 'workgroup' oder 'realm' aus smb.conf nicht auslesen."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "[INFO] Domain: $DOMAIN_NAME"
|
||||
echo "[INFO] Realm: $REALM_NAME"
|
||||
|
||||
# 2. user.map schreiben
|
||||
echo "!root = ${DOMAIN_NAME}\\Administrator" > "$USERMAP_FILE"
|
||||
echo "[OK] Benutzerzuordnung geschrieben in $USERMAP_FILE"
|
||||
|
||||
# 3. smb.conf patchen
|
||||
if ! grep -q "^username map *= *$USERMAP_FILE" "$SMB_CONF"; then
|
||||
sed -i "/^\[global\]/a username map = $USERMAP_FILE" "$SMB_CONF"
|
||||
echo "[OK] smb.conf wurde um 'username map' ergänzt."
|
||||
else
|
||||
echo "[INFO] 'username map' bereits gesetzt."
|
||||
fi
|
||||
|
||||
# 4. Keytab erzeugen
|
||||
echo "[INFO] Erzeuge Keytab für Administrator..."
|
||||
samba-tool domain exportkeytab "$KEYTAB_PATH" --principal="administrator@$REALM_NAME"
|
||||
chmod 600 "$KEYTAB_PATH"
|
||||
echo "[OK] Keytab gespeichert unter $KEYTAB_PATH"
|
||||
|
||||
# 5. systemd-Service + Timer für automatisches kinit
|
||||
echo "[INFO] Erstelle systemd-Service & Timer..."
|
||||
|
||||
cat > "$SYSTEMD_SERVICE" <<EOF
|
||||
[Unit]
|
||||
Description=Kerberos Kinit für Administrator
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/kinit -kt $KEYTAB_PATH administrator@$REALM_NAME
|
||||
EOF
|
||||
|
||||
cat > "$SYSTEMD_TIMER" <<EOF
|
||||
[Unit]
|
||||
Description=Kerberos Kinit für Administrator (Boot)
|
||||
|
||||
[Timer]
|
||||
OnBootSec=10sec
|
||||
Unit=kinit-admin.service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
|
||||
# Aktivieren
|
||||
systemctl daemon-reexec
|
||||
systemctl daemon-reload
|
||||
systemctl enable --now kinit-admin.timer
|
||||
|
||||
# 6. root-Login: .bash_profile anpassen
|
||||
echo "[INFO] Ergänze .bash_profile von root, um bei Login kinit auszuführen..."
|
||||
mkdir -p "$(dirname "$BASH_PROFILE")"
|
||||
touch "$BASH_PROFILE"
|
||||
|
||||
# Block nur hinzufügen, wenn er nicht bereits vorhanden ist
|
||||
if ! grep -q "kinit -kt $KEYTAB_PATH administrator@$REALM_NAME" "$BASH_PROFILE"; then
|
||||
cat >> "$BASH_PROFILE" <<EOF
|
||||
|
||||
# Automatisches Kerberos-Ticket beim Login holen
|
||||
if ! klist -s; then
|
||||
echo "[INFO] Kein gültiges Kerberos-Ticket – führe kinit aus..."
|
||||
kinit -kt $KEYTAB_PATH administrator@$REALM_NAME && echo "[INFO] Kerberos-Ticket aktualisiert."
|
||||
fi
|
||||
EOF
|
||||
echo "[OK] .bash_profile angepasst."
|
||||
else
|
||||
echo "[INFO] .bash_profile enthält bereits kinit-Befehl."
|
||||
fi
|
||||
|
||||
# 7. samba-ad-dc neu starten
|
||||
echo "[INFO] Starte samba-ad-dc neu..."
|
||||
systemctl restart samba-ad-dc
|
||||
|
||||
# 8. Testausgaben
|
||||
echo "[INFO] getent passwd root:"
|
||||
getent passwd root || echo "[WARNUNG] Kein Eintrag für root"
|
||||
|
||||
echo
|
||||
echo "[INFO] Test: samba-tool user list (falls kein Passwort kommt, war's erfolgreich):"
|
||||
samba-tool user list | head -n 5 || echo "[WARNUNG] Fehler bei samba-tool"
|
||||
|
||||
@@ -24,29 +24,71 @@ apt_repo() {
|
||||
apt_key_url=$2
|
||||
apt_key_path=/usr/share/keyrings/${apt_name}.gpg
|
||||
apt_repo_url=$3
|
||||
apt_suites=$4
|
||||
apt_components=$5
|
||||
tmp_key_file=$(mktemp)
|
||||
if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
|
||||
echo "❌ Fehler beim Herunterladen des Schlüssels."
|
||||
rm -f "${tmp_key_file}"
|
||||
exit 1
|
||||
fi
|
||||
if file "${tmp_key_file}" | grep -q "ASCII"; then
|
||||
echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
|
||||
# Wenn es ASCII ist, konvertiere es mit --dearmor
|
||||
if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
|
||||
echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
|
||||
else
|
||||
echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
|
||||
rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
|
||||
# Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
|
||||
if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
|
||||
echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
|
||||
else
|
||||
echo "❌ Fehler beim Kopieren des binären Schlüssels."
|
||||
rm -f "${tmp_key_file}"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
|
||||
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
|
||||
if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
|
||||
cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
|
||||
Types: deb
|
||||
URIs: $apt_repo_url
|
||||
Suites: $apt_suites
|
||||
Components: $apt_components
|
||||
Enabled: yes
|
||||
Signed-By: $apt_key_path
|
||||
EOF
|
||||
else
|
||||
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
|
||||
fi
|
||||
}
|
||||
|
||||
#### Set repo and install Nginx ####
|
||||
inst_nginx() {
|
||||
apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
|
||||
apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
|
||||
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
|
||||
}
|
||||
|
||||
#### Set repo and install PHP ####
|
||||
inst_php() {
|
||||
curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
|
||||
echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
|
||||
apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
|
||||
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
|
||||
}
|
||||
|
||||
#### Set repo and install Postgresql ####
|
||||
inst_postgresql() {
|
||||
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
|
||||
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
|
||||
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
|
||||
}
|
||||
|
||||
#### Set repo and install Crowdsec ####
|
||||
inst_crowdsec() {
|
||||
apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
|
||||
apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
|
||||
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
|
||||
}
|
||||
|
||||
@@ -24,29 +24,7 @@ EOF
|
||||
locale-gen $LXC_LOCALE
|
||||
|
||||
# Generate sources
|
||||
if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
|
||||
|
||||
cat << EOF > /etc/apt/sources.list
|
||||
deb http://deb.debian.org/debian/ buster main contrib
|
||||
|
||||
deb http://deb.debian.org/debian/ buster-updates main contrib
|
||||
|
||||
# security updates
|
||||
deb http://security.debian.org/debian-security buster/updates main contrib
|
||||
EOF
|
||||
|
||||
elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
|
||||
|
||||
cat << EOF > /etc/apt/sources.list
|
||||
deb http://deb.debian.org/debian/ bullseye main contrib
|
||||
|
||||
deb http://deb.debian.org/debian/ bullseye-updates main contrib
|
||||
|
||||
# security updates
|
||||
deb http://security.debian.org/debian-security bullseye-security main contrib
|
||||
EOF
|
||||
|
||||
elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
|
||||
if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
|
||||
|
||||
cat << EOF > /etc/apt/sources.list
|
||||
deb http://deb.debian.org/debian/ bookworm main contrib
|
||||
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
|
||||
# security updates
|
||||
deb http://security.debian.org/debian-security bookworm-security main contrib
|
||||
EOF
|
||||
elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
|
||||
|
||||
if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
|
||||
cat << EOF > /etc/apt/sources.list.d/debian.sources
|
||||
Types: deb deb-src
|
||||
URIs: https://deb.debian.org/debian
|
||||
Suites: trixie trixie-updates
|
||||
Components: main non-free-firmware contrib non-free
|
||||
Enabled: yes
|
||||
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
|
||||
|
||||
Types: deb deb-src
|
||||
URIs: https://security.debian.org/debian-security
|
||||
Suites: trixie-security
|
||||
Components: main non-free-firmware contrib non-free
|
||||
Enabled: yes
|
||||
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
|
||||
EOF
|
||||
|
||||
else echo "LXC Debian Version false. Please check configuration files!" ; exit
|
||||
fi
|
||||
|
||||
@@ -17,7 +17,7 @@ chmod a+r /etc/apt/keyrings/docker.gpg
|
||||
# Add the repository to Apt sources:
|
||||
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||
apt-get update
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
|
||||
|
||||
SECRET=$(random_password)
|
||||
@@ -73,6 +73,21 @@ EOF
|
||||
|
||||
}
|
||||
|
||||
# fix docker errors for slow machines
|
||||
cat << EOF > /etc/docker/daemon.json
|
||||
{
|
||||
"default-ulimits": {
|
||||
"nproc": {
|
||||
"name": "nproc",
|
||||
"soft": -1,
|
||||
"hard": -1
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
systemctl restart docker
|
||||
|
||||
|
||||
cd /opt
|
||||
git clone https://github.com/mailcow/mailcow-dockerized
|
||||
cd mailcow-dockerized
|
||||
@@ -104,6 +119,8 @@ DBUSER=mailcow
|
||||
DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
|
||||
DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
|
||||
|
||||
REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
|
||||
|
||||
# ------------------------------
|
||||
# HTTP/S Bindings
|
||||
# ------------------------------
|
||||
@@ -367,23 +384,6 @@ HTTP_REDIRECT=y
|
||||
|
||||
EOF
|
||||
|
||||
cat << EOF > data/conf/nginx/redirect.conf
|
||||
server {
|
||||
root /web;
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
include /etc/nginx/conf.d/server_name.active;
|
||||
if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
allow all;
|
||||
default_type "text/plain";
|
||||
}
|
||||
location / {
|
||||
return 301 https://\$host\$uri\$is_args\$args;
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
cat << EOF > /etc/cron.daily/mailcowbackup
|
||||
#!/bin/bash
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
@@ -154,6 +154,6 @@ systemctl restart matrix-synapse
|
||||
|
||||
rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
|
||||
|
||||
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
|
||||
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
|
||||
|
||||
echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
|
||||
echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
|
||||
|
||||
@@ -149,6 +149,9 @@ server {
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
proxy_pass http://127.0.0.1:8000;
|
||||
proxy_read_timeout 90;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade \$http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -39,15 +39,16 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
|
||||
ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
|
||||
ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
|
||||
|
||||
sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
|
||||
-e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
|
||||
-e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
|
||||
-e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
|
||||
-e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
|
||||
echo "Customizing nginx configuration..."
|
||||
sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
|
||||
-e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
|
||||
-e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
|
||||
-e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
|
||||
-e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
|
||||
-e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
|
||||
/opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
|
||||
|
||||
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
|
||||
|
||||
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
|
||||
|
||||
# configure elasticsearch
|
||||
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
|
||||
|
||||
@@ -75,8 +75,13 @@ cat > /etc/samba/smb.conf <<EOF
|
||||
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
|
||||
shadow: delimiter = -20
|
||||
|
||||
EOF
|
||||
|
||||
IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
|
||||
for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
|
||||
do
|
||||
cat >> /etc/samba/smb.conf << EOF
|
||||
[$ZMB_SHARE]
|
||||
comment = Main Share
|
||||
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
read only = No
|
||||
create mask = 0660
|
||||
@@ -84,6 +89,7 @@ cat > /etc/samba/smb.conf <<EOF
|
||||
inherit acls = Yes
|
||||
|
||||
EOF
|
||||
done
|
||||
|
||||
systemctl restart smbd
|
||||
|
||||
@@ -96,12 +102,17 @@ systemctl restart winbind nmbd
|
||||
wbinfo -u
|
||||
wbinfo -g
|
||||
|
||||
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
unset ZMB_SHARE
|
||||
|
||||
# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
|
||||
chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
|
||||
do
|
||||
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
|
||||
setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
|
||||
chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
|
||||
setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
done
|
||||
|
||||
systemctl restart smbd nmbd winbind wsdd
|
||||
|
||||
@@ -65,14 +65,18 @@ EOF
|
||||
|
||||
net conf import /etc/samba/import.template
|
||||
|
||||
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
|
||||
for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
|
||||
do
|
||||
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
|
||||
net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
net conf setparm $ZMB_SHARE readonly no
|
||||
net conf setparm $ZMB_SHARE browseable yes
|
||||
net conf setparm $ZMB_SHARE createmask 0660
|
||||
net conf setparm $ZMB_SHARE directorymask 0770
|
||||
net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
|
||||
net conf setparm $ZMB_SHARE readonly no
|
||||
net conf setparm $ZMB_SHARE browseable yes
|
||||
net conf setparm $ZMB_SHARE createmask 0660
|
||||
net conf setparm $ZMB_SHARE directorymask 0770
|
||||
done
|
||||
|
||||
systemctl restart smbd nmbd wsdd
|
||||
|
||||
Reference in New Issue
Block a user