prepare functions for debian 13

Allow multiple shares for ZMB-MEMBER

check_zambaconfonpve_trmm.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+export LC_ALL=C
+ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf"
+
+if [[ -f "$ZAMBA_CONF" ]]; then
+    # Prüfen, ob die Datei älter als 3 Tage ist
+    if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then
+        echo "⚠️ zamba.conf ist älter als 3 Tage – Datei wird gelöscht: $ZAMBA_CONF"
+        rm -f "$ZAMBA_CONF"
+        exit 0
+    else
+        echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF"
+        exit 2
+    fi
+else
+    echo "✅ OK: zamba.conf ist nicht vorhanden"
+    exit 0
+fi

conf/README.md

@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour.
 `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
-### ZMB_SHARE
+### ZMB_SHARES
-Defines the name of your Zamba share
+Defines the names of your Zamba shares
 ```bash
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
 ```
 <br>
 

conf/zamba.conf.example

@@ -99,19 +99,23 @@ LXC_TAGS="linux,debian,${service}"
 
 ############### Zamba-Server-Section ###############
 
-# Defines the REALM for the Active Directory (AD DC, AD member)
+# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
 ZMB_REALM="ZMB.ROCKS"
-# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
+# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_DOMAIN="ZMB"
 
-# Defines the name of your domain administrator account (AD DC, AD member, standalone)
+# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_ADMIN_USER="administrator"
+
 # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
 # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
 ZMB_ADMIN_PASS='Start!123'
 
-# Defines the name of your Zamba share
+# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
-ZMB_SHARE="share"
+ZMB_DOMAIN_ADMINS="domain admins"
+
+# Defines the names of your Zamba shares in a comma separated list
+ZMB_SHARES="share1,share2"
 
 ############### Mailpiler-Section ###############
 

install.sh

@@ -102,6 +102,15 @@ source "$config"
 
 source "$PWD/src/$service/constants-service.conf"
 
+if [[ $service == "zmb-ad-restore" ]]; then
+  if find ./ | grep samba-backup*.tar.bz2 ; then
+    sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
+  else
+    echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
+    exit 1
+  fi
+fi
+
 if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
   LXC_MEM=$LXC_MEM_MIN
 fi
@@ -119,8 +128,7 @@ if [ $ctid -gt 99 ]; then
   LXC_CHK=$ctid
 else
   # Get next free LXC-number
-  LXC_LST=$( lxc-ls -1 | tail -1 )
+  LXC_CHK=$(($(pct list | cut -d' ' -f1 | tail -1) + 1))
-  LXC_CHK=$((LXC_LST+1));
 fi
 
 if  [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
@@ -142,7 +150,7 @@ fi
 
 # Create the container
 set +u
-pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE,acl=1;
 set -u
 sleep 2;
 
@@ -160,10 +168,12 @@ sleep 2
 
 if [ $LXC_MP -gt 0 ]; then
   pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
+  if [[ "$(pvesm status | grep $LXC_SHAREFS_STORAGE | cut -d ' ' -f6)" == "zfspool" ]]; then
     pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
     dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
     zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
   fi
+fi
 
 sleep 2;
 
@@ -183,6 +193,11 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
 pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
 pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
 
+if [[ $service == "zmb-ad-restore" ]]; then
+    pct exec $LXC_NBR -- mkdir -p /backup/online
+    pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
+fi
+
 if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
 
 echo "Installing basic container setup..."
@@ -194,6 +209,9 @@ pct shutdown $LXC_NBR
 if [[ $service == "zmb-ad" ]]; then
   ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
   pct set $LXC_NBR -nameserver ${LXC_IP%/*}
+elif [[ $service == "zmb-ad-restore" ]]; then
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
 elif [[ $service == "zmb-ad-join" ]]; then
   pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi

scripts/create-service-account

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+USER="$1"
+
+if [ -z "$USER" ]; then
+  echo "Usage: $0 <username>"
+  exit 1
+fi
+
+# Prüfen, ob ldbmodify verfügbar ist
+if ! command -v ldbmodify &> /dev/null; then
+  echo "Fehler: 'ldbmodify' ist nicht installiert. Bitte installiere 'ldb-tools' mit:"
+  echo "  sudo apt update && sudo apt install ldb-tools"
+  exit 10
+fi
+
+# Sicheres Passwort generieren (32 Zeichen, alphanumerisch + Sonderzeichen)
+PASSWORD=$(openssl rand -base64 24)
+
+# Benutzer anlegen mit generiertem Passwort
+samba-tool user create "$USER" "$PASSWORD"
+echo "✅ Benutzer $USER erfolgreich erstellt."
+
+# DN des Benutzers ermitteln
+DN=$(ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=$USER)" dn | awk '/^dn: / {print $2}')
+
+if [ -z "$DN" ]; then
+  echo "❌ Fehler: DN für $USER nicht gefunden." >&2
+  exit 3
+fi
+
+# userWorkstations=NONE setzen
+ldbmodify -H /var/lib/samba/private/sam.ldb <<EOF
+dn: $DN
+changetype: modify
+replace: userWorkstations
+userWorkstations: "NOWORKSTATION"
+EOF
+
+echo
+echo "------------------------------------------"
+echo "BENUTZER ERSTELLT:"
+echo "Username: $USER"
+echo "Passwort: $PASSWORD"
+echo "Distinguished Name:"
+echo "$DN"
+echo "------------------------------------------"
+echo "Bitte notiere Benutzername, Passwort und DN sicher."

scripts/mailcow-update

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Konfiguration
+MAILCOW_PATH="/opt/mailcow-dockerized"
+SPOOL_DIR="/var/lib/check_mk_agent/spool"
+INTERVAL_SECONDS=87000  # z. B. alle 24 Stunden + Toleranz
+SPOOL_FILE="${SPOOL_DIR}/${INTERVAL_SECONDS}_mailcow_update"
+
+# Sicherstellen, dass das Spool-Verzeichnis existiert
+mkdir -p "$SPOOL_DIR"
+
+# Temporäre Datei vorbereiten
+TMP_FILE="$(mktemp)"
+
+# Header für Local Check
+echo "<<<local>>>" > "$TMP_FILE"
+
+# In das Mailcow-Verzeichnis wechseln
+if ! cd "$MAILCOW_PATH"; then
+  echo "2 Mailcow_Update - ERROR: Verzeichnis $MAILCOW_PATH nicht gefunden" >> "$TMP_FILE"
+  echo "3 Mailcow_Version - UNKNOWN: Verzeichnis nicht gefunden" >> "$TMP_FILE"
+  mv "$TMP_FILE" "$SPOOL_FILE"
+  exit 2
+fi
+
+# Aktuelle Uhrzeit für Log
+NOW="$(date '+%Y-%m-%d %H:%M:%S')"
+
+# Mailcow-Version auslesen
+GIT_TAG=$(git describe --tags --abbrev=0 2>/dev/null)
+GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null)
+
+if [[ -n "$GIT_TAG" ]]; then
+  echo "0 Mailcow_Version - OK: Version $GIT_TAG ($GIT_COMMIT)" >> "$TMP_FILE"
+else
+  echo "0 Mailcow_Version - OK: Commit $GIT_COMMIT (kein Tag)" >> "$TMP_FILE"
+fi
+
+# Auf Updates prüfen
+UPDATE_CHECK=$(./update.sh --check 2>&1)
+if echo "$UPDATE_CHECK" | grep -q "No updates available"; then
+  echo "0 Mailcow_Update - OK: Kein Update verfügbar ($NOW)" >> "$TMP_FILE"
+  mv "$TMP_FILE" "$SPOOL_FILE"
+  exit 0
+fi
+
+# Erstes Update versuchen
+UPDATE_OUTPUT=$(./update.sh --force --skip-ping-check 2>&1)
+EXIT_CODE=$?
+
+# Sonderfall: Skript wurde geändert und muss erneut ausgeführt werden
+if echo "$UPDATE_OUTPUT" | grep -q "update.sh changed, please run this script again"; then
+  UPDATE_OUTPUT_2=$(./update.sh --force --skip-ping-check 2>&1)
+  EXIT_CODE=$?
+  UPDATE_OUTPUT="${UPDATE_OUTPUT}\n--- retry ---\n${UPDATE_OUTPUT_2}"
+fi
+
+if [ "$EXIT_CODE" -eq 0 ]; then
+  echo "0 Mailcow_Update - OK: Update erfolgreich durchgeführt ($NOW)" >> "$TMP_FILE"
+else
+  echo "2 Mailcow_Update - CRITICAL: Update fehlgeschlagen ($NOW)" >> "$TMP_FILE"
+  echo "$UPDATE_OUTPUT" >> "$TMP_FILE"
+fi
+
+# Ergebnis schreiben
+mv "$TMP_FILE" "$SPOOL_FILE"
+exit "$EXIT_CODE"

scripts/nextcloud-for-mailcow-dockerized.conf

@@ -0,0 +1,44 @@
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name cloud.domain.tld;
+
+    ssl_certificate     /etc/ssl/mail/cert.pem;
+    ssl_certificate_key /etc/ssl/mail/key.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # HTTP → HTTPS
+    if ($scheme = http) {
+        return 301 https://$host$request_uri;
+    }
+
+    location / {
+        proxy_pass https://cloud.domain.tld;
+
+        # Hostname & Forwarded-Header sauber durchreichen
+        proxy_set_header Host 192.168.178.253;        # explizit der Upstream-Name
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;  # TLS endet hier
+        proxy_set_header X-Forwarded-Host $host;   # also cloud.domain.tld
+        proxy_set_header X-Forwarded-Port 443;
+        proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
+        proxy_set_header Referrer-Policy "no-referrer";
+
+        proxy_connect_timeout 600;
+        proxy_send_timeout 600;
+        proxy_read_timeout 600;
+        send_timeout 600;
+        client_max_body_size 10G;
+    }
+
+    # CalDAV/CardDAV Redirects
+    location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
+    location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
+}

scripts/nextcloud-update

@@ -1,17 +1,47 @@
 #!/bin/bash
-#
-# Update nextcloud
-# place in /etc/cron.daily and make executable with chmod +x  /etc/cron.daily/nextcloud-update
-user=www-data
-phpversion=php8.0
-path=/var/www/nextcloud
 
-alias ncc="sudo -u $user $phpversion $path/occ"
+# Update Nextcloud
-alias updater="sudo -u $user $phpversion $path/updater/updater.phar"
+# Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update
+
+user=www-data
+phpversion=php8.3
+path=/var/www/nextcloud
+logfile="/var/log/nextcloud-update.log"
+
+ncc() {
+  sudo -u "$user" "$phpversion" "$path/occ" "$@"
+}
+
+updater() {
+  sudo -u "$user" "$phpversion" "$path/updater/updater.phar" "$@"
+}
+
+{
+  echo "===== $(date): Nextcloud Update Start ====="
 
   updater --no-backup --no-interaction
 
-subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade")
+  subcommands=(
-for cmd in ${subcommands[@]}; do
+    "db:add-missing-primary-keys"
+    "db:add-missing-indices"
+    "db:add-missing-columns"
+    "db:convert-filecache-bigint"
+    "files:scan-app-data"
+    "upgrade"
+  )
+
+  for cmd in "${subcommands[@]}"; do
+    echo "Running: occ $cmd"
     ncc -n $cmd
   done
+
+  # App Updates
+  echo "Updating apps..."
+  apps=$(ncc app:list | grep -Po 'Enabled:\s*\K.*' | tr -d ' ' | tr ',' '\n')
+  for app in $apps; do
+    echo "Updating app: $app"
+    ncc app:update "$app"
+  done
+
+  echo "===== $(date): Nextcloud Update Finished ====="
+} >> "$logfile" 2>&1

scripts/zmb-ad_auto-map-root.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+set -e
+
+SMB_CONF="/etc/samba/smb.conf"
+USERMAP_FILE="/etc/samba/user.map"
+KEYTAB_PATH="/root/admin.keytab"
+SYSTEMD_SERVICE="/etc/systemd/system/kinit-admin.service"
+SYSTEMD_TIMER="/etc/systemd/system/kinit-admin.timer"
+BASH_PROFILE="/root/.bash_profile"
+
+# 1. Domain & Realm aus smb.conf auslesen
+DOMAIN_NAME=$(awk -F '=' '/^[[:space:]]*workgroup[[:space:]]*=/ {gsub(/ /, "", $2); print $2}' "$SMB_CONF")
+REALM_NAME=$(awk -F '=' '/^[[:space:]]*realm[[:space:]]*=/ {gsub(/ /, "", $2); print toupper($2)}' "$SMB_CONF")
+
+if [[ -z "$DOMAIN_NAME" || -z "$REALM_NAME" ]]; then
+    echo "[FEHLER] Konnte 'workgroup' oder 'realm' aus smb.conf nicht auslesen."
+    exit 1
+fi
+
+echo "[INFO] Domain: $DOMAIN_NAME"
+echo "[INFO] Realm: $REALM_NAME"
+
+# 2. user.map schreiben
+echo "!root = ${DOMAIN_NAME}\\Administrator" > "$USERMAP_FILE"
+echo "[OK] Benutzerzuordnung geschrieben in $USERMAP_FILE"
+
+# 3. smb.conf patchen
+if ! grep -q "^username map *= *$USERMAP_FILE" "$SMB_CONF"; then
+    sed -i "/^\[global\]/a username map = $USERMAP_FILE" "$SMB_CONF"
+    echo "[OK] smb.conf wurde um 'username map' ergänzt."
+else
+    echo "[INFO] 'username map' bereits gesetzt."
+fi
+
+# 4. Keytab erzeugen
+echo "[INFO] Erzeuge Keytab für Administrator..."
+samba-tool domain exportkeytab "$KEYTAB_PATH" --principal="administrator@$REALM_NAME"
+chmod 600 "$KEYTAB_PATH"
+echo "[OK] Keytab gespeichert unter $KEYTAB_PATH"
+
+# 5. systemd-Service + Timer für automatisches kinit
+echo "[INFO] Erstelle systemd-Service & Timer..."
+
+cat > "$SYSTEMD_SERVICE" <<EOF
+[Unit]
+Description=Kerberos Kinit für Administrator
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/kinit -kt $KEYTAB_PATH administrator@$REALM_NAME
+EOF
+
+cat > "$SYSTEMD_TIMER" <<EOF
+[Unit]
+Description=Kerberos Kinit für Administrator (Boot)
+
+[Timer]
+OnBootSec=10sec
+Unit=kinit-admin.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Aktivieren
+systemctl daemon-reexec
+systemctl daemon-reload
+systemctl enable --now kinit-admin.timer
+
+# 6. root-Login: .bash_profile anpassen
+echo "[INFO] Ergänze .bash_profile von root, um bei Login kinit auszuführen..."
+mkdir -p "$(dirname "$BASH_PROFILE")"
+touch "$BASH_PROFILE"
+
+# Block nur hinzufügen, wenn er nicht bereits vorhanden ist
+if ! grep -q "kinit -kt $KEYTAB_PATH administrator@$REALM_NAME" "$BASH_PROFILE"; then
+    cat >> "$BASH_PROFILE" <<EOF
+
+# Automatisches Kerberos-Ticket beim Login holen
+if ! klist -s; then
+    echo "[INFO] Kein gültiges Kerberos-Ticket – führe kinit aus..."
+    kinit -kt $KEYTAB_PATH administrator@$REALM_NAME && echo "[INFO] Kerberos-Ticket aktualisiert."
+fi
+EOF
+    echo "[OK] .bash_profile angepasst."
+else
+    echo "[INFO] .bash_profile enthält bereits kinit-Befehl."
+fi
+
+# 7. samba-ad-dc neu starten
+echo "[INFO] Starte samba-ad-dc neu..."
+systemctl restart samba-ad-dc
+
+# 8. Testausgaben
+echo "[INFO] getent passwd root:"
+getent passwd root || echo "[WARNUNG] Kein Eintrag für root"
+
+echo
+echo "[INFO] Test: samba-tool user list (falls kein Passwort kommt, war's erfolgreich):"
+samba-tool user list | head -n 5 || echo "[WARNUNG] Fehler bei samba-tool"
+

src/ansible-semaphore/install-service.sh

@@ -32,7 +32,7 @@ curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | gre
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
 
 cat << EOF > /usr/local/bin/update-semaphore
-PATH="/bin:/usr/bin:/usr/local/bin"
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 echo "Checking github for new semaphore version"
 current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
 installed_version=\$(semaphore version)
@@ -42,7 +42,7 @@ if [ \$installed_version != \$current_version ]; then
   systemctl stop semaphore.service
   echo "Downloading semaphore version \$current_version..."
   curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
-  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
+  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical dpkg -i /opt/semaphore_linux_amd64.deb
   echo "Starting semaphore.service..."
   systemctl start semaphore.service
   echo "semaphore update finished!"
@@ -141,7 +141,7 @@ cat << EOF > /etc/semaphore/config.json
  	"slack_alert": false,
  	"ldap_enable": false,
  	"ldap_needtls": false,
- 	"ssh_config_path": "~/.ssh/",
+ 	"ssh_config_path": "/home/semaphore/.ssh/",
  	"demo_mode": false,
  	"git_client": ""
  }

src/authentik/install-service.sh

@@ -95,6 +95,7 @@ AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
 # Email address authentik will send from, should have a correct @domain
 AUTHENTIK_EMAIL__FROM=
+AUTHENTIK_REDIS__DB=1
 EOF
 
 docker compose pull

src/cloudpanel/constants-service.conf

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="home"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"

src/cloudpanel/install-service.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source zamba.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+
+curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
+echo "2aefee646f988877a31198e0d84ed30e2ef7a454857b606608a1f0b8eb6ec6b6 install.sh" | sha256sum -c
+DB_ENGINE=MARIADB_10.11 SWAP=false bash install.sh

src/functions.sh

@@ -9,7 +9,7 @@ random_password() {
 }
 
 generate_dhparam() {
-    openssl dhparam -out /etc/nginx/dhparam.pem 2048
+    openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 2048
     cat << EOF > /etc/cron.monthly/generate-dhparams
 #!/bin/bash
 openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
@@ -24,8 +24,71 @@ apt_repo() {
     apt_key_url=$2
     apt_key_path=/usr/share/keyrings/${apt_name}.gpg
     apt_repo_url=$3
+    apt_suites=$4
+    apt_components=$5
+    tmp_key_file=$(mktemp)
+    if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
+        echo "❌ Fehler beim Herunterladen des Schlüssels."
+        rm -f "${tmp_key_file}"
+        exit 1
+    fi
+    if file "${tmp_key_file}" | grep -q "ASCII"; then
+        echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
+        # Wenn es ASCII ist, konvertiere es mit --dearmor
+        if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
+            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
+        else
+            echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
+            rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
+            exit 1
+        fi
+    else
+        echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
+        # Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
+        if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
+            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
+        else
+            echo "❌ Fehler beim Kopieren des binären Schlüssels."
+            rm -f "${tmp_key_file}"
+            exit 1
+        fi
+    fi
 
-    wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
+    if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
-    echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
+        cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
-
+Types: deb
+URIs: $apt_repo_url
+Suites: $apt_suites
+Components: $apt_components
+Enabled: yes
+Signed-By: $apt_key_path
+EOF
+    else
+        echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
+    fi
+}
+
+#### Set repo and install Nginx ####
+inst_nginx() {
+    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
+}
+
+#### Set repo and install PHP ####
+inst_php() {
+    apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
+}
+
+#### Set repo and install Postgresql ####
+inst_postgresql() {
+    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
+}
+
+#### Set repo and install Crowdsec ####
+inst_crowdsec() {
+    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
+    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
 }

src/icinga2/constants-service.conf

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
+
+CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
+
+PHP_VERSION=8.2

src/icinga2/install-service.sh

@@ -0,0 +1,533 @@
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+source /etc/os-release
+
+# --- Internal Helper Functions ---
+_generate_local_password() {
+    openssl rand -base64 "$1"
+}
+
+
+curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/icinga.list
+
+curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list
+
+curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \
+        icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \
+        mariadb-server mariadb-client influxdb2 influxdb2-client imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \
+        icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto icinga-x509 \
+        monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport
+
+
+
+ICINGAWEB_DB_PASS=$(_generate_local_password 24)
+DIRECTOR_DB_PASS=$(_generate_local_password 24)
+ICINGADB_PASS=$(_generate_local_password 24)
+ICINGA_X509_DB_PASS=$(_generate_local_password 24)
+ICINGA_API_USER_PASS=$(_generate_local_password 24)
+NOTIFICATIONS_DB_PASS=$(_generate_local_password 24)
+ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
+INFLUX_ADMIN_PASS=$(_generate_local_password 16)
+INFLUX_ADMIN_TOKEN=$(_generate_local_password 40)
+
+systemctl start mariadb
+
+mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS notifications CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS x509 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+
+mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'x509'@'localhost' IDENTIFIED BY '${ICINGA_X509_DB_PASS}';"
+
+mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON notifications.* TO 'notifications'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON x509.* TO 'x509'@'localhost';"
+mysql -e "FLUSH PRIVILEGES;"
+
+systemctl start influxdb
+influx setup --skip-verify --username admin --password "$INFLUX_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f
+INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+')
+if [ -z "$INFLUX_ICINGA_TOKEN" ]; then echo "[ERROR] Konnte InfluxDB Token nicht erstellen." >&2; exit 1; fi
+
+
+mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")"
+{
+    echo "# --- Icinga Monitoring Stack Credentials ---"
+    echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}"
+    echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}"
+    echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}"
+} > "$CRED_FILE" && chmod 600 "$CRED_FILE"
+
+systemctl enable --now icingadb-redis
+
+cat > /etc/icinga2/features-available/icingadb.conf <<EOF
+library "icingadb"
+
+object IcingaDB "icingadb" {
+  host = "127.0.0.1"
+  port = 6380
+}
+EOF
+
+cat > /etc/icinga2/conf.d/api-users.conf <<EOF
+object ApiUser "director" {
+  password = "${ICINGA_API_USER_PASS}"
+  permissions = [ "*" ]
+}
+EOF
+
+cat > /etc/icinga2/features-available/influxdb2-writer.conf <<EOF
+object Influxdb2Writer "influxdb2" {
+  host = "127.0.0.1"
+  port = 8086
+  organization = "icinga"
+  bucket = "icinga"
+  auth_token = "${INFLUX_ICINGA_TOKEN}"
+  
+  flush_threshold = 1024
+  flush_interval = 10s
+
+  host_template = {
+    measurement = "\$host.check_command\$"
+    tags = {
+      hostname = "\$host.name\$"
+    }
+  }
+  service_template = {
+    measurement = "\$service.check_command\$"
+    tags = {
+      hostname = "\$host.name\$"
+      service = "\$service.name\$"
+    }
+  }
+}
+EOF
+cat > /etc/icinga2/zones.conf <<EOF
+object Endpoint "$(hostname -f)" { host = "127.0.0.1" }
+object Zone "master" { endpoints = [ "$(hostname -f)" ] }
+object Zone "global-templates" { global = true }
+object Zone "director-global" { global = true }
+EOF
+
+cat > /etc/icingadb/config.yml <<EOF
+database:
+  type: mysql
+  host: localhost
+  database: icingadb
+  user: icingadb
+  password: ${ICINGADB_PASS}
+redis:
+  host: 127.0.0.1
+  port: 6380
+logging:
+  level: info
+  output: systemd-journald
+EOF
+
+mkdir -p /etc/icingaweb2/modules/icingadb
+cat << EOF > /etc/icingaweb2/modules/icingadb/config.ini
+[icingadb]
+resource = icingadb
+EOF
+cat << EOF > /etc/icingaweb2/modules/icingadb/redis.ini
+[redis1]
+host = "localhost"
+EOF
+cat << EOF > /etc/icingaweb2/modules/icingadb/commandtransports.ini
+[$(hostname -f)]
+transport = "api"
+host = "$(hostname -f)"
+port = "5665"
+username = "director"
+password = "${ICINGA_API_USER_PASS}"
+EOF
+
+
+
+icinga2 feature enable icingadb
+
+mkdir -p /etc/icingaweb2
+
+cat > /etc/icingaweb2/resources.ini <<EOF
+[icingaweb_db]
+type = "db"
+db = "mysql"
+host = "localhost"
+dbname = "icingaweb2"
+username = "icingaweb2"
+password = "${ICINGAWEB_DB_PASS}"
+charset = "utf8mb4"
+
+[director_db]
+type = "db"
+db = "mysql"
+host = "localhost"
+dbname = "director"
+username = "director"
+password = "${DIRECTOR_DB_PASS}"
+charset = "utf8mb4"
+
+[icingadb]
+type = "db"
+db = "mysql"
+host = "localhost"
+dbname = "icingadb"
+username = "icingadb"
+password = "${ICINGADB_PASS}"
+charset = "utf8mb4"
+
+[notifications]
+type = "db"
+db = "mysql"
+host = "localhost"
+dbname = "notifications"
+username = "notifications"
+password = "${NOTIFICATIONS_DB_PASS}"
+charset = "utf8mb4"
+EOF
+
+cat << EOF > /etc/icinga2/conf.d/services.conf
+apply Service "ping4" {
+  import "generic-service"
+
+  check_command = "ping4"
+
+  assign where host.address
+}
+
+apply Service "ping6" {
+  import "generic-service"
+
+  check_command = "ping6"
+
+  assign where host.address6
+}
+
+apply Service "ssh" {
+  import "generic-service"
+
+  check_command = "ssh"
+
+  assign where (host.address || host.address6) && host.vars.os == "Linux"
+}
+
+
+
+apply Service for (http_vhost => config in host.vars.http_vhosts) {
+  import "generic-service"
+
+  check_command = "http"
+
+  vars += config
+}
+
+apply Service for (disk => config in host.vars.disks) {
+  import "generic-service"
+
+  check_command = "disk"
+
+  vars += config
+}
+
+apply Service "icinga" {
+  import "generic-service"
+
+  check_command = "icinga"
+
+  assign where host.name == NodeName
+}
+
+apply Service "load" {
+  import "generic-service"
+
+  check_command = "load"
+
+  assign where host.name == NodeName
+}
+
+apply Service "procs" {
+  import "generic-service"
+
+  check_command = "procs"
+
+  assign where host.name == NodeName
+}
+
+apply Service "users" {
+  import "generic-service"
+
+  check_command = "users"
+
+  assign where host.name == NodeName
+}
+
+apply Service "ssl" {
+  import "generic-service"
+
+  check_command = "ssl"
+
+  assign where host.name == NodeName
+}
+
+apply Service "smtp" {
+  import "generic-service"
+
+  check_command = "smtp"
+
+  assign where host.name == NodeName
+}
+
+EOF
+
+mkdir -p /etc/nginx/ssl
+if [ ! -L /etc/nginx/ssl/fullchain.pem ]; then
+    ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+    ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+fi
+
+cat > /etc/nginx/sites-available/icinga-stack <<EOF
+server {
+    listen 80;
+    server_name ${ZAMBA_HOSTNAME:-$(hostname -f)};
+    return 301 https://\$host\$request_uri;
+}
+server {
+    listen 443 ssl http2;
+    server_name ${ZAMBA_HOSTNAME:-$(hostname -f)};
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+    root /usr/share/icingaweb2/public;
+    index index.php;
+    location / { try_files \$uri \$uri/ /index.php\$is_args\$args; }
+    location ~ \.php$ {
+        include fastcgi_params;
+        fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+        fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+    }
+    #location /grafana {
+    #    proxy_pass http://localhost:3000;
+    #    proxy_set_header Host \$http_host;
+    #}
+    location /icingadb-web {
+        proxy_pass http://localhost:8080/icingadb-web;
+        proxy_set_header Host \$http_host;
+    }
+}
+EOF
+
+cat << EOF > /etc/icinga-notifications/config.yml
+database:
+  type: mysql
+
+  host: localhost
+  
+  database: notifications
+
+  user: notifications
+
+  password: ${NOTIFICATIONS_DB_PASS}
+EOF
+
+cat << EOF > /etc/icingaweb2/modules/notifications/config.ini 
+[database]
+resource = "notifications"
+EOF
+
+mkdir -p /etc/icingaweb2/modules/pdfexport
+cat << EOF > /etc/icingaweb2/modules/pdfexport/config.ini 
+[chrome]
+binary = "/usr/bin/chromium"
+force_temp_storage = "0"
+EOF
+
+
+
+ln -sf /etc/nginx/sites-available/icinga-stack /etc/nginx/sites-enabled/
+rm -f /etc/nginx/sites-enabled/default
+
+sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' "/etc/php/${PHP_VERSION}/fpm/php.ini"
+sed -i "s|;date.timezone =|date.timezone = $(cat /etc/timezone)|" "/etc/php/${PHP_VERSION}/fpm/php.ini"
+
+icinga2 api setup
+systemctl enable icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb icingadb icingadb-redis icinga-notifications
+
+systemctl start mariadb
+systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb
+
+IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql"
+DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql"
+ICINGADB_SCHEMA="/usr/share/icingadb/schema/mysql/schema.sql"
+NOTIFICATIONS_SCHEMA="/usr/share/icinga-notifications/schema/mysql/schema.sql"
+X509_SCHEMA="/usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql"
+
+if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$NOTIFICATIONS_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$X509_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $X509_SCHEMA" >&2; exit 1; fi
+
+
+if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then
+    echo "[INFO] Importiere IcingaWeb2-Schema..."
+    mysql icingaweb2 < "$IWEB_SCHEMA"
+fi
+
+if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then
+    echo "[INFO] Importiere Icinga Director-Schema..."
+    mysql director < "$DIRECTOR_SCHEMA"
+fi
+
+if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration"; then
+    echo "[INFO] Importiere IcingaDB-Schema..."
+    mysql icingadb < "$ICINGADB_SCHEMA"
+fi
+
+if ! mysql -e "use notifications; show tables;" | grep -q "incident_rule_escalation_state"; then
+    echo "[INFO] Importiere Notifications-Schema..."
+    mysql notifications < "$NOTIFICATIONS_SCHEMA"
+fi
+
+if ! mysql -e "use x509; show tables;" | grep -q "x509_schema"; then
+    echo "[INFO] Importiere x509-Schema..."
+    mysql x509 < "$X509_SCHEMA"
+fi
+
+
+cat > /etc/icingaweb2/config.ini <<EOF
+[global]
+show_stacktraces = "0"
+config_backend = "db"
+config_resource = "icingaweb_db"
+[logging]
+log = "file"
+log_file = "/var/log/icingaweb2/icingaweb2.log"
+level = "ERROR"
+EOF
+
+cat > /etc/icingaweb2/authentication.ini <<EOF
+[icinga-web-admin]
+backend = "db"
+resource = "icingaweb_db"
+EOF
+
+cat > /etc/icingaweb2/roles.ini <<EOF
+[Administrators]
+users = "icingaadmin"
+permissions = "*"
+groups = "Administrators"
+EOF
+    
+mkdir -p /etc/icingaweb2/modules/monitoring
+cat > /etc/icingaweb2/modules/monitoring/backends.ini <<EOF
+[icingadb]
+backend = "icingadb"
+resource = "icingadb"
+EOF
+    
+mkdir -p /etc/icingaweb2/modules/director
+cat > /etc/icingaweb2/modules/director/config.ini <<EOF
+[db]
+resource = "director_db"
+EOF
+
+mkdir -p /etc/icingaweb2/modules/perfdatagraphs
+mkdir -p /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2
+cat > /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2/config.ini <<EOF
+[influx]
+api_url = "http://127.0.0.1:8086"
+api_token = "${INFLUX_ICINGA_TOKEN}"
+api_org = "icinga"
+api_bucket = "icinga"
+api_tls_insecure = "1"
+EOF
+
+cat > /etc/icingaweb2/modules/perfdatagraphs/config.ini << EOF
+[perfdatagraphs]
+default_timerange = "PT12H"
+default_backend = "InfluxDBv2"
+EOF
+
+icinga2 feature enable icingadb api influxdb2-writer perfdata
+
+icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
+
+echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
+icingacli module enable reactbundle
+icingacli module enable incubator
+icingacli module enable director
+icingacli module enable icingadb
+icingacli module enable perfdatagraphs
+icingacli module enable perfdatagraphsinfluxdbv2
+icingacli module enable notifications
+
+echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden."
+systemctl restart mariadb
+systemctl restart php${PHP_VERSION}-fpm
+systemctl restart nginx
+systemctl restart icingadb
+systemctl restart icinga-notifications
+
+echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein."
+PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);")
+mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';"
+
+echo "[INFO] Warte auf Icinga Web 2 und API..."
+counter=0
+while ! icingacli director migration run >/dev/null 2>&1; do
+    counter=$((counter + 1))
+    if [ "$counter" -gt 15 ]; then
+        echo "[ERROR] Icinga Director wurde nach 30 Sekunden nicht bereit." >&2
+        exit 1
+    fi
+    echo "[INFO] Director ist noch nicht bereit, warte 2 Sekunden... (Versuch ${counter}/15)"
+    sleep 2
+done
+echo "[INFO] Icinga Director ist bereit."
+
+echo "[INFO] Icinga Director Setup wird ausgeführt."
+cat > /etc/icingaweb2/modules/director/kickstart.ini <<EOF
+[config]
+endpoint = "$(hostname -f)"
+port = "5665"
+username = "director"
+password = "${ICINGA_API_USER_PASS}"
+EOF
+systemctl restart icinga2
+icingacli director kickstart run
+
+echo "[INFO] Director Konfiguration wird angewendet."
+icingacli director config deploy
+
+echo ""
+echo "================================================="
+echo "  Installation des Icinga Monitoring Stacks abgeschlossen"
+echo "================================================="
+echo ""
+echo "Die Konfiguration wurde erfolgreich abgeschlossen."
+echo "Alle notwendigen Passwörter, Logins und API-Keys wurden generiert."
+echo ""
+echo "Sie finden alle Zugangsdaten in der folgenden Datei:"
+echo "  ${CRED_FILE}"
+echo ""
+echo "Wichtige URLs:"
+echo "  Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2"
+echo "  IcingaDB Web: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingadb-web"
+echo ""
+cat ${CRED_FILE}

src/lxc-base.sh

@@ -24,29 +24,7 @@ EOF
 locale-gen $LXC_LOCALE 
 
 # Generate sources
-if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then
+if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ buster main contrib
-
-deb http://deb.debian.org/debian/ buster-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security buster/updates main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
-
-cat << EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian/ bullseye main contrib
-
-deb http://deb.debian.org/debian/ bullseye-updates main contrib
-
-# security updates
-deb http://security.debian.org/debian-security bullseye-security main contrib
-EOF
-
-elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
 
 cat << EOF > /etc/apt/sources.list
 deb http://deb.debian.org/debian/ bookworm main contrib
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
 # security updates
 deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
+
+if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
+cat << EOF > /etc/apt/sources.list.d/debian.sources
+Types: deb deb-src
+URIs: https://deb.debian.org/debian
+Suites: trixie trixie-updates
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security
+Suites: trixie-security
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+EOF
 
 else echo "LXC Debian Version false. Please check configuration files!" ; exit
 fi

src/mailcow/constants-service.conf

@@ -13,7 +13,7 @@ LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=1
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+LXC_SHAREFS_MOUNTPOINT="backup"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 

src/mailcow/install-service.sh

@@ -17,7 +17,7 @@ chmod a+r /etc/apt/keyrings/docker.gpg
 # Add the repository to Apt sources:
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
 apt-get update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
 
 SECRET=$(random_password)
@@ -73,6 +73,21 @@ EOF
 
 }
 
+# fix docker errors for slow machines
+cat << EOF > /etc/docker/daemon.json
+{
+  "default-ulimits": {
+    "nproc": {
+      "name": "nproc",
+      "soft": -1,
+      "hard": -1
+    }
+  }
+}
+EOF
+systemctl restart docker
+
+
 cd /opt
 git clone https://github.com/mailcow/mailcow-dockerized
 cd mailcow-dockerized
@@ -104,6 +119,8 @@ DBUSER=mailcow
 DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 
+REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+
 # ------------------------------
 # HTTP/S Bindings
 # ------------------------------
@@ -139,7 +156,6 @@ POPS_PORT=995
 SIEVE_PORT=4190
 DOVEADM_PORT=127.0.0.1:19991
 SQL_PORT=127.0.0.1:13306
-SOLR_PORT=127.0.0.1:18983
 REDIS_PORT=127.0.0.1:7654
 
 # Your timezone
@@ -225,15 +241,6 @@ SKIP_CLAMD=n
 
 SKIP_SOGO=n
 
-# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
-
-SKIP_SOLR=n
-
-# Solr heap size in MB, there is no recommendation, please see Solr docs.
-# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
-
-SOLR_HEAP=1024
-
 # Allow admins to log into SOGo as email user (without any password)
 
 ALLOW_ADMIN_EMAIL_LOGIN=n
@@ -344,52 +351,45 @@ WEBAUTHN_ONLY_TRUSTED_VENDORS=n
 # Otherwise it will work normally.
 SPAMHAUS_DQS_KEY=
 
-EOF
+# Obtain certificates for autodiscover.* and autoconfig.* domains.
+# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
+# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
+# between services. So acme-mailcow obtains for maildomains and all web-things get handled
+# in the reverse proxy.
+AUTODISCOVER_SAN=y
+# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n
+SKIP_UNBOUND_HEALTHCHECK=n
+# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
+# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
+DISABLE_NETFILTER_ISOLATION_RULE=n
+
+# ------------------------------
+# REDIS configuration
+# ------------------------------
+
+REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.
+# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.
+# Please always monitor your Resource consumption!
+FTS_HEAP=128
+# Controls how many processes the Dovecot indexing process can spawn at max.
+# Too many indexing processes can use a lot of CPU and Disk I/O
+# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations
+FTS_PROCS=1
+# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.
+# Dovecot inside mailcow use Flatcurve as FTS Backend.
+SKIP_FTS=y
+# Redirect HTTP connections to HTTPS - y/n
+HTTP_REDIRECT=y
 
-cat << EOF > data/conf/nginx/redirect.conf
-server {
-  root /web;
-  listen 80 default_server;
-  listen [::]:80 default_server;
-  include /etc/nginx/conf.d/server_name.active;
-  if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
-  location ^~ /.well-known/acme-challenge/ {
-    allow all;
-    default_type "text/plain";
-  }
-  location / {
-    return 301 https://\$host\$uri\$is_args\$args;
-  }
-}
 EOF
 
 cat << EOF > /etc/cron.daily/mailcowbackup
-#!/bin/sh
+#!/bin/bash
-
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-# Backup mailcow data
+25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized
-# https://docs.mailcow.email/backup_restore/b_n_r-backup/
+40 2 * * * rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes
-
+5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3
-set -e
-
-OUT="\$(mktemp)"
-export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
-SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
-PARAMETERS="backup all"
-OPTIONS="--delete-days 7"
-mkdir -p \$MAILCOW_BACKUP_LOCATION
-
-# run command
-set +e
-"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
-RESULT=\$?
-
-if [ \$RESULT -ne 0 ]
-    then
-            echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
-            echo "RESULT=\$RESULT"
-            echo "STDOUT / STDERR:"
-            cat "\$OUT"
-fi
 EOF
 
 chmod +x /etc/cron.daily/mailcowbackup

src/matrix/install-service.sh

@@ -154,6 +154,6 @@ systemctl restart matrix-synapse
 
 rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 
-register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
 
 echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"

src/nextcloud/constants-service.conf

@@ -30,7 +30,10 @@ LXC_KEYCTL="0"
 NEXTCLOUD_VERSION="latest"
 
 # Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.2"
+NEXTCLOUD_PHP_VERSION="8.3"
+
+# Defines the postgresql version to install
+POSTGRES_VERSION=16 
 
 # Defines the IP from the SQL server
 NEXTCLOUD_DB_IP="127.0.0.1"

src/nextcloud/install-service.sh

@@ -5,117 +5,55 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 
+set -euo pipefail
+
 source /root/functions.sh
-
-NEXTCLOUD_ADMIN_PWD=$(random_password)
-
 source /root/zamba.conf
 source /root/constants-service.conf
 
+NEXTCLOUD_ADMIN_PWD=$(random_password)
+NEXTCLOUD_REDIS_PWD=$(random_password)
 HOSTNAME=$(hostname -f)
+HOST_IP=$(hostname -i)
 
-wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
+#### Modify Nginx for Nextcloud ####
-echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
+mod_nginx() {
-
-wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
-echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
-
-wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
-echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
-
-apt update
-
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
-postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
-
-timedatectl set-timezone $LXC_TIMEZONE
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
-chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
-
-#### Create database for nextcloud ####
-
-su - postgres <<EOF
-psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
-psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
-echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
-EOF
-
-#### Adjust php settings ####
-
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
-cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
-cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
-sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
-sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
-sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
-echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
-sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
-sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
-
-#### Adjust nginx settings ####
-
-mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
 generate_dhparam
 
 mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 
-
 cat > /etc/nginx/nginx.conf <<EOF
 user www-data;
 worker_processes auto;
 pid /var/run/nginx.pid;
 events {
-worker_connections 1024;
+  worker_connections 2048;
-multi_accept on; use epoll;
+  multi_accept on;
+  use epoll;
 }
 http {
+  log_format bashclub escape=json
+  '{'
+    '"time_local":"\$time_local",'
+    '"remote_addr":"\$remote_addr",'
+    '"remote_user":"\$remote_user",'
+    '"request":"\$request",'
+    '"status": "\$status",'
+    '"body_bytes_sent":"\$body_bytes_sent",'
+    '"request_time":"\$request_time",'
+    '"http_referrer":"\$http_referer",'
+    '"http_user_agent":"\$http_user_agent"'
+  '}';
   server_names_hash_bucket_size 64;
   access_log /var/log/nginx/access.log;
   error_log /var/log/nginx/error.log warn;
   set_real_ip_from 127.0.0.1;
-#optional, Sie können das eigene Subnetz ergänzen, bspw.:
+  # optional, set reverse proxy ip, if used:
-# set_real_ip_from $LXC_IP;
+  # set_real_ip_from $NEXTCLOUD_REVPROX;
   real_ip_header X-Forwarded-For;
   real_ip_recursive on;
   include /etc/nginx/mime.types;
-types {
-        text/javascript mjs;
-    }
   default_type application/octet-stream;
   sendfile on;
   send_timeout 3600;
@@ -126,7 +64,7 @@ open_file_cache_errors on;
   keepalive_timeout 65;
   reset_timedout_connection on;
   server_tokens off;
-resolver 127.0.0.53 valid=30s;
+  resolver $NEXTCLOUD_REVPROX valid=30s;
   resolver_timeout 5s;
   include /etc/nginx/conf.d/*.conf;
 }
@@ -148,6 +86,10 @@ listen 80 default_server;
   listen [::]:80 default_server;
   server_name $NEXTCLOUD_FQDN;
   root /var/www;
+  location ^~ /.well-known/acme-challenge {
+    default_type text/plain;
+    root /var/www/letsencrypt;
+  }
   location / {
     return 301 https://\$host\$request_uri;
   }  
@@ -155,9 +97,16 @@ return 301 https://\$host\$request_uri;
 EOF
 
 cat > /etc/nginx/conf.d/nextcloud.conf << EOF
+limit_req_zone \$binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s;
 server {
-listen 443      ssl http2;
+  listen 443 ssl default_server;
-listen [::]:443 ssl http2;
+  listen [::]:443 ssl default_server;
+  http2 on;
+  #listen 443 quic reuseport;
+  #listen [::]:443 quic reuseport;
+  #http3 on;
+  #http3_hq on;
+  #quic_retry on;
   server_name $NEXTCLOUD_FQDN;
   ssl_certificate /etc/ssl/certs/nextcloud.crt;
   ssl_certificate_key /etc/ssl/private/nextcloud.key;
@@ -173,12 +122,11 @@ ssl_session_cache shared:SSL:50m;
   ssl_session_tickets off;
   ssl_protocols TLSv1.3 TLSv1.2;
   ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
-ssl_ecdh_curve X448:secp521r1:secp384r1;
   ssl_prefer_server_ciphers on;
   ssl_stapling on;
   ssl_stapling_verify on;
-client_max_body_size 5120M;
+  client_max_body_size 10G;
-client_body_timeout 300s;
+  client_body_timeout 3600s;
   client_body_buffer_size 512k;
   fastcgi_buffers 64 4K;
   gzip on;
@@ -186,7 +134,7 @@ gzip_vary on;
   gzip_comp_level 4;
   gzip_min_length 256;
   gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+  gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
   add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
   add_header Permissions-Policy                   "interest-cohort=()";
   add_header Referrer-Policy                      "no-referrer"   always;
@@ -196,13 +144,16 @@ add_header X-Frame-Options                      "SAMEORIGIN"    always;
   add_header X-Permitted-Cross-Domain-Policies    "none"          always;
   add_header X-Robots-Tag                         "noindex, nofollow" always;
   add_header X-XSS-Protection                     "1; mode=block" always;
+  add_header Alt-Svc                              'h3=":\$server_port"; ma=86400';
+  add_header x-quic                               'h3';
+  add_header Alt-Svc                              'h3-29=":\$server_port"';
   fastcgi_hide_header X-Powered-By;
-fastcgi_read_timeout 3600;
+  include mime.types;
-fastcgi_send_timeout 3600;
+  types {
-fastcgi_connect_timeout 3600;
+    text/javascript mjs;
+  }
   root /var/www/nextcloud;
   index index.php index.html /index.php\$request_uri;
-expires 1m;
   location = / {
     if ( \$http_user_agent ~ ^DavClnt ) {
       return 302 /remote.php/webdav/\$is_args\$args;
@@ -213,20 +164,18 @@ allow all;
     log_not_found off;
     access_log off;
   }
-location ^~ /apps/rainloop/app/data {
-deny all;
-}
   location ^~ /.well-known {
     location = /.well-known/carddav { return 301 /remote.php/dav/; }
     location = /.well-known/caldav  { return 301 /remote.php/dav/; }
-location ^~ /.well-known            { return 301 /index.php/\$uri; }
+    location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; }
-try_files \$uri \$uri/ =404;
+    location /.well-known/pki-validation { try_files \$uri \$uri/ =404; }
+    return 301 /index.php\$request_uri;
   }
-location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/)  { return 404; }
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
   location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
-location ~ \.php(?:\$|/) {
+  location ~ \.php(?:$|/) {
-rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php\$request_uri;
-fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
     set \$path_info \$fastcgi_path_info;
     try_files \$fastcgi_script_name =404;
     include fastcgi_params;
@@ -238,25 +187,49 @@ fastcgi_param front_controller_active true;
     fastcgi_pass php-handler;
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+    fastcgi_max_temp_file_size 0;
   }
-location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
+  location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
     try_files \$uri /index.php\$request_uri;
+    add_header Cache-Control                     "public, max-age=15768000, \$asset_immutable";
+    add_header Permissions-Policy                "interest-cohort=()";
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+    add_header Alt-Svc                           'h3=":\$server_port"; ma=86400';
+    add_header x-quic                            'h3';
+    add_header Alt-Svc                           'h3-29=":\$server_port"';
+    access_log off;
     expires 6M;
     access_log off;
     location ~ \.wasm$ {
       default_type application/wasm;
     }
   }
-location ~ \.woff2?\$ {
+  location ~ \.(otf|woff2?)$ {
     try_files \$uri /index.php\$request_uri;
     expires 7d;
     access_log off;
   }
+  location /remote {
+    return 301 /remote.php\$request_uri;
+  }
+  location /login {
+    limit_req zone=NextcloudRateLimit burst=5 nodelay;
+    limit_req_status 429;
+    try_files \$uri \$uri/ /index.php\$request_uri;
+  }
   location / {
     try_files \$uri \$uri/ /index.php\$request_uri;
   }
-location /push/ {
+  location ^~ /push/ {
-proxy_pass http://localhost:7867/;
+    proxy_pass http://127.0.0.1:7867/;
     proxy_http_version 1.1;
     proxy_set_header Upgrade \$http_upgrade;
     proxy_set_header Connection "Upgrade";
@@ -265,42 +238,147 @@ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
   }
 }
 EOF
+}
 
-systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
+#### Modify php settings for Nextcloud ####
+mod_php() {
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
+cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
 
-#### Adjust redis settings ####
+sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_children =.*/pm.max_children = 200/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.start_servers =.*/pm.start_servers = 100/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 60/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 140/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
 
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/;cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+
+sed -i "s/memory_limit = 128M/memory_limit = 1G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.validate_timestamps=.*/opcache.validate_timestamps=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=256/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=100000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.huge_code_pages=.*/opcache.huge_code_pages=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+
+sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+
+sed -i '$aapc.enable_cli=1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
+
+sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+
+sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
+sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
+
+sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.max_persistent = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.max_links = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.ignore_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.log_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+}
+
+#### Modify Postgresql for Nextcloud ####
+mod_postgresql() {
+su - postgres <<EOF
+    psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
+    psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
+    echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
+EOF
+    cat > /etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf <<EOF
+    max_connections = 200
+    shared_buffers = 1GB
+    effective_cache_size = 3GB
+    maintenance_work_mem = 256MB
+    checkpoint_completion_target = 0.9
+    wal_buffers = 16MB
+    default_statistics_target = 100
+    random_page_cost = 1.1
+    effective_io_concurrency = 200
+    work_mem = 2621kB
+    min_wal_size = 1GB
+    max_wal_size = 4GB
+    max_worker_processes = 4
+    max_parallel_workers_per_gather = 2
+    max_parallel_workers = 4
+    max_parallel_maintenance_workers = 2
+EOF
+}
+
+#### Install and modify Redis-server ####
+inst_redis() {
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends redis-server
+}
+mod_redis() {
 cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
 sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
 sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
 sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
-sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
+sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
+sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
 usermod -aG redis www-data
-
-#### Adjust sysctl.conf settings ####
-
 cp /etc/sysctl.conf /etc/sysctl.conf.bak
-echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
+sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
-systemctl restart redis
+}
 
-#### HIER MÜSSTE EIN REBOOT REIN ####
+#### Install some more packages
-
+inst_packages() {
-
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra
-#### Install nextcloud ####
+timedatectl set-timezone $LXC_TIMEZONE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+}
 
+#### Install and modify Nextcloud ####
+inst_nextcloud() {
 cd /usr/local/src
-
 wget https://download.nextcloud.com/server/releases/latest.tar.bz2
 wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
 
-md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
+md5sum -c --ignore-missing latest.tar.bz2.md5 < latest.tar.bz2
-
+tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2*
-tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
 
 cat > /root/permissions.sh << EOF
 #!/bin/bash
 find /var/www/ -type f -print0 | xargs -0 chmod 0640
 find /var/www/ -type d -print0 | xargs -0 chmod 0750
+if [ -d "/var/www/nextcloud/apps/notify_push" ]; then
+chmod ug+x /var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push
+fi
+chmod -R 770 /etc/letsencrypt 
 chown -R www-data:www-data /var/www
 chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
 chmod 0644 /var/www/nextcloud/.htaccess
@@ -310,39 +388,14 @@ EOF
 
 chmod +x /root/permissions.sh
 /root/permissions.sh
-
+}
-#### install fail2ban ####
-
-cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
-[Definition]
-_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
-            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
-datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
-EOF
-
-cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
-[nextcloud]
-backend = auto
-enabled = true
-port = 80,443
-protocol = tcp
-filter = nextcloud
-maxretry = 5
-bantime = 3600
-findtime = 36000
-logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log 
-EOF
-
-systemctl restart fail2ban
 
 #### Create configuration script for nextcloud, which will be executet as user www-data
+mod_nextcloudconfig() {
 
-cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
+systemctl stop nginx
 
-#!/bin/bash 
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \
-
-php /var/www/nextcloud/occ maintenance:install --database pgsql \
 --database-host $NEXTCLOUD_DB_IP \
 --database-port $NEXTCLOUD_DB_PORT \
 --database-name $NEXTCLOUD_DB_NAME \
@@ -352,17 +405,17 @@ php /var/www/nextcloud/occ maintenance:install --database pgsql \
 --admin-pass $NEXTCLOUD_ADMIN_PWD \
 --data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
 
-php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
+sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
-php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
-
-cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
-sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
 sed -i '/);/d' /var/www/nextcloud/config/config.php
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
+
 
 cat >> /var/www/nextcloud/config/config.php << EOF
   'activity_expire_days' => 14,
+  'allow_local_remote_servers' => true,
   'auth.bruteforce.protection.enabled' => true,
-'blacklisted_files' => 
+  'forbidden_filenames' =>
   array (
     0 => '.htaccess',
     1 => 'Thumbs.db',
@@ -373,37 +426,43 @@ array (
   'enable_previews' => true,
   'enabledPreviewProviders' =>
   array (
-0 => 'OC\Preview\PNG',
+    0 => 'OC\\Preview\\PNG',
-1 => 'OC\Preview\JPEG',
+    1 => 'OC\\Preview\\JPEG',
-2 => 'OC\Preview\GIF',
+    2 => 'OC\\Preview\\GIF',
-3 => 'OC\Preview\BMP',
+    3 => 'OC\\Preview\\BMP',
-4 => 'OC\Preview\XBitmap',
+    4 => 'OC\\Preview\\XBitmap',
-5 => 'OC\Preview\Movie',
+    5 => 'OC\\Preview\\Movie',
-6 => 'OC\Preview\PDF',
+    6 => 'OC\\Preview\\PDF',
-7 => 'OC\Preview\MP3',
+    7 => 'OC\\Preview\\MP3',
-8 => 'OC\Preview\TXT',
+    8 => 'OC\\Preview\\TXT',
-9 => 'OC\Preview\MarkDown',
+    9 => 'OC\\Preview\\MarkDown',
+    10 => 'OC\\Preview\\HEIC',
+    11 => 'OC\\Preview\\Movie',
+    12 => 'OC\\Preview\\MKV',
+    13 => 'OC\\Preview\\MP4',
+    14 => 'OC\\Preview\\AVI',
     ),
   'filesystem_check_changes' => 0,
   'filelocking.enabled' => 'true',
   'htaccess.RewriteBase' => '/',
   'integrity.check.disabled' => false,
   'knowledgebaseenabled' => false,
-'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
+  'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log',
   'loglevel' => 2,
   'logtimezone' => '$LXC_TIMEZONE',
   'log_rotate_size' => 104857600,
-'maintenance' => false,
   'memcache.local' => '\OC\Memcache\APCu',
   'memcache.locking' => '\OC\Memcache\Redis',
   'overwriteprotocol' => 'https',
   'preview_max_x' => 1024,
   'preview_max_y' => 768,
   'preview_max_scale_factor' => 1,
+  'profile.enabled' => false,
   'redis' => 
   array (
-'host' => '/var/run/redis/redis-server.sock',
+    'host' => '/run/redis/redis-server.sock',
     'port' => 0,
+    'password' => '$NEXTCLOUD_REDIS_PWD',
     'timeout' => 0.0,
   ),
   'quota_include_external_storage' => false,
@@ -412,50 +471,110 @@ array (
   'theme' => '',
   'trashbin_retention_obligation' => 'auto, 7',
   'updater.release.channel' => 'stable',
-'trusted_proxies' => 
+  'maintenance_window_start' => 1,
+  'maintenance' => false,
+  'mail_smtpmode' => 'sendmail',
+  'mail_sendmailmode' => 'smtp',
+  'mail_from_address' => '$NEXTCLOUD_ADMIN_USR',
+  'mail_domain' => '$NEXTCLOUD_FQDN',
+  'overwrite.cli.url' => 'https://$NEXTCLOUD_FQDN',
+  'overwritehost' => '$NEXTCLOUD_FQDN',
+  'trusted_domains' => 
   array (
-'$NEXTCLOUD_REVPROX',
+    0 => '$HOST_IP',
-'127.0.0.1',
+    1 => '$NEXTCLOUD_FQDN',
-'::1',
   ),
+
 );
 EOF
 
-sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
-php /var/www/nextcloud/occ app:disable survey_client
-php /var/www/nextcloud/occ app:disable firstrunwizard
-php /var/www/nextcloud/occ app:enable admin_audit
-php /var/www/nextcloud/occ app:enable notify_push
-php /var/www/nextcloud/occ app:enable files_pdfviewer
-php /var/www/nextcloud/occ background:cron
-DFOE
-
 /root/permissions.sh
 
-su -s /bin/bash www-data <<EOF
+sudo -u www-data /usr/bin/cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
-bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable survey_client
-EOF
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable firstrunwizard
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable admin_audit
+#sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable notify_push
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ background:cron
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ db:add-missing-indices
+sudo -u www-data nohup /usr/bin/php /var/www/nextcloud/occ maintenance:repair --include-expensive &
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
 
-#### Create file for high performance backend
+echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+
+systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm
+systemctl start nginx
 
 cat > /etc/systemd/system/notify_push.service << EOF
 [Unit]
 Description = Push daemon for Nextcloud clients
+After=nginx.service php$NEXTCLOUD_PHP_VERSION-fpm.service system-postgresql.slice redis-server.service
+
 [Service]
 Environment=PORT=7867
 Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
 Environment=ALLOW_SELF_SIGNED=true
 ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
 User=www-data
+
 [Install]
 WantedBy = multi-user.target
 EOF
 
 systemctl daemon-reload
-systemctl enable --now notify_push
+systemctl enable notify_push
+}
 
-echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+#### Modifying Crowdsec ####
+mod_crowdsec() {
+systemctl restart crowdsec
+cscli collections install crowdsecurity/nginx
+cscli collections install crowdsecurity/nextcloud
+cscli collections install crowdsecurity/sshd
+
+cat >> /etc/crowdsec/acquis.yaml << EOF
+filenames:
+ - /var/log/nextcloud/nextcloud.log
+labels:
+  type: Nextcloud
+---
+EOF
+systemctl reload crowdsec
+}
+#### Install the system !####
+echo "=> Installing Nginx ..."
+inst_nginx
+echo "=> Modifying Nginx config for Nextcloud ..."
+mod_nginx
+
+echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
+inst_php
+echo "=> Modifying PHP config for Nextcloud ..."
+mod_php
+
+echo "=> Installing Postgresql $POSTGRES_VERSION ..."
+inst_postgresql
+echo "=> Modifying Postgresql config for Nextcloud ..."
+mod_postgresql
+
+echo "=> Installing Redis-server ..."
+inst_redis
+echo "=> Modifying Redis-server for Nextcloud ..."
+mod_redis
+
+echo "=> Installing some more packages ..."
+inst_packages
+
+echo "=> Installing Nextcloud ..."
+inst_nextcloud
+echo "=> Modifying Nextcloud ..."
+mod_nextcloudconfig
+
+echo "=> Installing Crowdsec ..."
+inst_crowdsec
+echo "=> Modifying Crowdsec ..."
+mod_crowdsec
 
 echo -e "\n######################################################################\n\n    Please note this user and password for the nextcloud login:\n        '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n                Enjoy your Nextcloud intallation.\n\n######################################################################"
-
 shutdown -r now

src/omada/constants-service.conf

@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 
 # Create sharefs mountpoint
 LXC_MP=0
@@ -27,7 +27,7 @@ LXC_NESTING="1"
 LXC_KEYCTL="0"
 
 # Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=2048
+LXC_MEM_MIN=4096
 
 # service dependent meta tags
 SERVICE_TAGS="mongodb-server,java"

src/omada/install-service.sh

@@ -10,14 +10,14 @@ set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
+# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
-wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
+wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
 echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
-echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
+# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
-echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
+echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
 
 apt update
 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac

src/zabbix/constants-service.conf

@@ -45,7 +45,7 @@ ZABBIX_DB_PWD="$(random_password)"
 ZABBIX_VERSION=7.0 #zabbix 7 beta
 POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) 
 PHP_VERSION=8.2 # debian 12 default
-TS_VERSION=2.14.2 # currently latest by zabbix supported version of timescaledb (2024-05-13)
+TS_VERSION=2.16.1 # currently latest by zabbix supported version of timescaledb (2024-05-13)
 
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096

src/zabbix/install-service.sh

@@ -18,7 +18,7 @@ apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "h
 apt update
 
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client-$POSTGRES_VERSION timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
 
 unlink /etc/nginx/sites-enabled/default
 

src/zammad/install-service.sh

@@ -39,16 +39,17 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
 ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
 ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
 
-sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
+echo "Customizing nginx configuration..."
- -e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
+sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
- -e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
+ -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
- -e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
- -e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
+ -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
+ -e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
  /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
 
  ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
 
-
 # configure elasticsearch
 /usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
 

src/zmb-ad-join/install-service.sh

@@ -35,7 +35,7 @@ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
 
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d
@@ -205,7 +205,7 @@ EOF
 chmod +x /usr/local/bin/smb-backup
 
 cat << EOF > /etc/cron.d/smb-backup
-23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF
 
 cat << EOF > /etc/logrotate.d/smb-backup

src/zmb-ad-restore/constants-service.conf

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"

src/zmb-ad-restore/install-service.sh

@@ -0,0 +1,195 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+  if [[ "$f" == "wsdd" ]]; then
+    ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "splitdns" ]]; then
+    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+  elif [[ "$f" == "bind9dlz" ]]; then
+    ZMB_DNS_BACKEND="BIND9_DLZ"
+    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+  else
+    echo "Unsupported optional feature $f"
+  fi
+done
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+  cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+  # configure bind dns service
+  cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+  cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+  cat << EOF > /etc/bind/named.conf.options
+options {
+  directory "/var/cache/bind";
+
+  forwarders {
+    $LXC_DNS;
+  };
+
+  allow-query {  any;};
+  dnssec-validation no;
+
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+  listen-on { any; };
+
+  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+  minimal-responses yes;
+};
+EOF
+
+  mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+rm -f /etc/samba/smb.conf
+rm -f /etc/krb5.conf
+
+rm -r /var/lib/samba/*
+
+backupfile=$(find /backup/online -name samba-backup* | tail -1)
+samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/ 
+
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+# disable password expiry for administrator
+samba-tool user setexpiry Administrator --noexpiry
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF
+
+exit 0

src/zmb-ad/install-service.sh

@@ -35,7 +35,7 @@ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d
@@ -176,7 +176,7 @@ EOF
 chmod +x /usr/local/bin/smb-backup
 
 cat << EOF > /etc/cron.d/smb-backup
-23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF
 
 cat << EOF > /etc/logrotate.d/smb-backup

src/zmb-cups/install-service.sh

@@ -96,13 +96,13 @@ systemctl restart winbind nmbd
 
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
 cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chown -R root:"${ZMB_DOMAIN_ADMINS@L}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
 chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
+echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS@L}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
 systemctl disable --now cups-browsed.service
 
 cupsctl --remote-admin

src/zmb-member/install-service.sh

@@ -75,8 +75,13 @@ cat > /etc/samba/smb.conf <<EOF
 	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20
 
+EOF
+
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+    cat >> /etc/samba/smb.conf << EOF
 [$ZMB_SHARE]
-	comment = Main Share
 	path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 	read only = No
 	create mask = 0660
@@ -84,6 +89,7 @@ cat > /etc/samba/smb.conf <<EOF
 	inherit acls = Yes
 
 EOF
+done
 
 systemctl restart smbd
 
@@ -96,12 +102,17 @@ systemctl restart winbind nmbd
 wbinfo -u
 wbinfo -g
 
+unset ZMB_SHARE
+
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
   mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
   # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 
-setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+done
 
 systemctl restart smbd nmbd winbind wsdd

src/zmb-standalone/install-service.sh

@@ -65,6 +65,9 @@ EOF
 
 net conf import /etc/samba/import.template
 
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
     mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
     chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
     chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
@@ -74,5 +77,6 @@ net conf setparm $ZMB_SHARE readonly no
     net conf setparm $ZMB_SHARE browseable yes
     net conf setparm $ZMB_SHARE createmask 0660
     net conf setparm $ZMB_SHARE directorymask 0770
+done
 
 systemctl restart smbd nmbd wsdd