
Thorsten Spille b849b541a1 Merge pull request #147 from bashclub/dev
Release
2026-04-09 18:04:02 +02:00
Chriz 639e8d6978 Update PHP version from 8.3 to 8.4 2026-03-02 15:46:36 +01:00
Thorsten Spille d3060354f9 Update PMG Integration and rejecting behviour 2026-02-22 11:55:05 +00:00
Thorsten Spille 91f5296538 add rspamd ai container 2026-02-21 20:15:06 +00:00
Thorsten Spille 03bb6186f2 Add password for aggent registration 2026-01-28 19:40:21 +00:00
Thorsten Spille 1987dd29a7 add wazuh container 2026-01-28 19:15:22 +00:00
Thorsten Spille 90fa303761 Update constants.conf 2026-01-22 21:59:22 +01:00
Thorsten Spille 509abe150a fix script deletion 2026-01-19 10:42:06 +00:00
Thorsten Spille c70aac9493 dc anhancements, script removal parameter, list outaged repos with wrong codename 2026-01-19 09:12:08 +00:00
Thorsten Spille c7f4cde980 move trmm script to scripts folder 2026-01-18 23:45:03 +00:00
Thorsten Spille 2ec3e75c90 fix multiple containers for debian 13 2026-01-18 23:42:39 +00:00
Markus b8c3bb3438 Update unif & omada 2026-01-18 14:43:55 +01:00
Thorsten Spille 9b7ee21fae fix mailcow 2026-01-18 13:33:10 +00:00
Thorsten Spille 6e009743f4 remove kopano, ad-restore, enable strict mode in all installers 2026-01-18 12:52:37 +00:00
Thorsten Spille 753243e444 Update to Debian 13 2026-01-18 12:38:39 +00:00
Markus cbad641b1b Update PBS to 4 2026-01-18 13:24:06 +01:00
Thorsten Spille 39a70db706 freesout fixes 2026-01-18 12:17:41 +00:00
Thorsten Spille cdbc3093ea Update freescout 2026-01-18 12:05:16 +00:00
Thorsten Spille af08501258 remove ecodms 2026-01-18 12:05:06 +00:00
Thorsten Spille 0a0e1a2add Remove ecodms 2026-01-18 12:04:58 +00:00
Thorsten Spille 9e5a779308 update docker 2026-01-18 12:04:48 +00:00
Thorsten Spille 0313a05f36 debian 13 for cloudpanel with mariadb 11.8 2026-01-18 11:40:34 +00:00
Markus e6acbd25d4 fix repos of matrix, onlyoffice 2026-01-18 12:33:00 +01:00
Markus 6bb93c7c0e add 45drives to functions 2026-01-18 12:30:15 +01:00
Markus fc1ebd479a onloyoffice, matrix, urbackup 2026-01-18 12:24:10 +01:00
Thorsten Spille 823bcaca58 fix zmb-ad 2026-01-17 22:37:14 +00:00
Thorsten Spille dcceeb5a63 update multiple containers 2026-01-17 21:54:11 +00:00
Thorsten Spille 2f6658f0ae update authentik 2026-01-17 20:14:32 +00:00
Thorsten Spille a9780e6b7b set postgres 17 for nextcloud 2026-01-17 19:45:31 +00:00
Thorsten Spille eaa39e55bd fix nextcloud 2026-01-17 19:29:53 +00:00
Thorsten Spille f2f1beb8a5 fix gpg keys 2026-01-17 17:45:52 +00:00
Thorsten Spille 1c6ec8f73c Debian 13 for nextcloud and semaphore 2026-01-17 17:15:54 +00:00
Thorsten Spille 2d55a1b222 fix urbackup nginx conf 2026-01-17 16:43:39 +00:00
Thorsten Spille 37f6bb940a remove apt lxc 2026-01-17 16:43:04 +00:00
Thorsten Spille 4c9a0cd775 update debian containers 2026-01-11 20:39:24 +00:00
Thorsten Spille 44121d78c5 update urbackup 2026-01-11 20:39:05 +00:00
Thorsten Spille 95d04fd28c fix docker settings 2026-01-06 12:50:40 +00:00
Thorsten Spille bdcc74535d fix lxc config if docker 2026-01-06 11:47:56 +00:00
Thorsten Spille 34b3938350 mailcow -> debian 13 2026-01-06 11:35:44 +00:00
Thorsten Spille de06881a97 zmb-member debian 13 2025-12-21 20:08:33 +00:00
Thorsten Spille 9f779d3065 debian 13 for ad 2025-12-21 19:51:21 +00:00
Thorsten Spille 52312d6a58 fix ntpdate, remove wsdd 2025-12-21 19:49:20 +00:00
Thorsten Spille cf5f0ca146 remove instance setup from postinst 2025-12-19 17:30:03 +00:00
Thorsten Spille 63e195849d update checkmk to 2.4p18, debian 13 2025-12-19 13:34:50 +00:00
Thorsten Spille 94b18e8061 add bashclub-cmk 2025-12-19 13:33:54 +00:00
Thorsten Spille 4bc444fe1c remove software-properties-common 2025-12-19 13:33:29 +00:00
Chriz f146cb565a Add Mailcow update check script
put to cron.daily to upgrade mailcow and get additional check_mk output for updates and ssl certificates by acme
2025-12-09 15:41:42 +01:00
Thorsten Spille 75f67002fa add websocket support for vaultwarden 2025-11-27 23:22:30 +01:00
Thorsten Spille 9a076c575a prepare functions for debian 13 2025-10-18 19:02:40 +02:00
Thorsten Spille 9a644fd149 remove debian 10,11 sources, add debian 13 sources 2025-10-18 17:50:47 +02:00
Thorsten Spille 3e257d0534 fix folder creation 2025-10-17 23:22:46 +02:00
Thorsten Spille 3bf682657a Merge pull request #138 from redhawk07/feature/zmb-member-multishares
Allow multiple shares for ZMB-MEMBER
2025-10-16 21:34:46 +02:00
Stefan Rutzmoser 9537faaaab Update README 2025-10-16 21:29:24 +02:00
Stefan Rutzmoser f37757a08a Also for standalone 2025-10-16 21:28:41 +02:00
Thorsten Spille a31ebfb0e3 Fix dhparam and nginx cfg link 2025-10-16 19:31:35 +02:00
Thorsten Spille 85caaac848 Fix Matrix admin password 2025-10-16 19:16:11 +02:00
Thorsten Spille 818cbfc732 Fix nginx configuration 2025-10-15 18:36:18 +02:00
Thorsten Spille 664bc6ac5e Fix zammad nginx configuration 2025-10-15 18:33:38 +02:00
Stefan Rutzmoser 54ef036b78 Allow multiple shares for ZMB-MEMBER 2025-10-08 18:49:48 +02:00
Chriz 0460e3e5a1 Update nextcloud-for-mailcow-dockerized.conf
fixes
2025-10-02 12:55:23 +02:00
Chriz 5b263acbb2 Rename nextcloud.conf to nextcloud-for-mailcow-dockerized.conf
This is an Example for Nextcloud Upstream with Mailcow Dockerized as Reverse Proxy
2025-10-02 12:47:05 +02:00
Chriz 3ee9538074 Create nextcloud.conf
Upstream as Reverse Proxy
2025-10-02 12:45:52 +02:00
Thorsten Spille 75559ca34b rename computername for service login 2025-09-29 20:40:22 +02:00
Thorsten Spille a3bd70732f Merge pull request #132 from bashclub/main
Move fixes in main to dev
2025-09-29 20:37:23 +02:00
Thorsten Spille 2ae38a3340 Merge branch 'dev' into main 2025-09-29 20:37:01 +02:00
Thorsten Spille 7d4b85d83e fix jq, redispass, redirect, docker on slow machines 2025-09-29 20:34:00 +02:00
Thorsten Spille f4c3d6f6e1 Add x509 module (incomplete) 2025-08-13 00:18:56 +02:00
Thorsten Spille 64d9295b5e Update install-service.sh
add influxdb2-client
2025-08-12 23:50:06 +02:00
Thorsten Spille 8eb2e0d323 add commandtransports 2025-07-29 23:46:41 +02:00
Thorsten Spille a6914a7252 Add pdfexport to icinga2 2025-07-29 18:36:46 +02:00
Thorsten Spille 3c80439391 i 2025-07-26 14:15:21 +02:00
Thorsten Spille 5609d57200 monitoring plugins 2025-07-25 23:09:41 +02:00
Thorsten Spille 524f0d3ada f 2025-07-25 22:51:18 +02:00
Thorsten Spille 19d47088c9 n 2025-07-25 22:27:51 +02:00
Thorsten Spille 15acf5a2a5 f 2025-07-25 22:25:00 +02:00
Thorsten Spille 67490fb7a7 add notifications 2025-07-25 22:15:40 +02:00
Thorsten Spille 9a6e4d6f49 f 2025-07-25 22:02:29 +02:00
Thorsten Spille 8148cb7f07 f 2025-07-25 20:41:01 +02:00
Thorsten Spille 0cfd24e10d f 2025-07-25 20:23:05 +02:00
Thorsten Spille 015a48fd92 f 2025-07-25 20:18:46 +02:00
Thorsten Spille a8c0a7bdc1 remove grafana 2025-07-25 20:14:07 +02:00
Thorsten Spille 5f47110e34 f 2025-07-25 20:08:27 +02:00
Thorsten Spille e68cb98a92 f 2025-07-25 19:06:49 +02:00
Thorsten Spille 161ffb7a2d fix influxdb writer 2025-07-25 19:06:19 +02:00
Thorsten Spille 3a6711c850 create folder 2025-07-25 18:02:32 +02:00
Thorsten Spille 97b6fdeec9 f 2025-07-25 17:52:51 +02:00
Thorsten Spille 0e531d2982 f 2025-07-25 16:37:20 +02:00
Thorsten Spille a3330544c1 f 2025-07-25 16:25:10 +02:00
Thorsten Spille 2744bd543f f 2025-07-25 16:21:02 +02:00
Thorsten Spille d9585b5940 f 2025-07-25 16:11:46 +02:00
Thorsten Spille 8bab934bdf f 2025-07-25 16:09:56 +02:00
Thorsten Spille 69f934982b f 2025-07-25 16:01:04 +02:00
Thorsten Spille b77e488ec6 f 2025-07-25 15:44:33 +02:00
Thorsten Spille d55c74f6f4 f 2025-07-25 15:41:00 +02:00
Thorsten Spille 3b84d905b1 fix grafana db 2025-07-25 15:30:20 +02:00
Thorsten Spille fef7c7b11f fix db conf 2025-07-25 15:16:15 +02:00
Thorsten Spille 9f637c0083 f 2025-07-25 15:07:06 +02:00
Thorsten Spille ad800c5c1f f 2025-07-25 15:01:12 +02:00
Thorsten Spille d67281a7d8 fix 2025-07-25 14:55:55 +02:00
Thorsten Spille b3f81a47e7 fix 2025-07-25 14:40:47 +02:00
Thorsten Spille 226f518d98 php version 2025-07-25 14:39:00 +02:00
Thorsten Spille 2770be3297 fix 2025-07-25 09:56:33 +02:00
Thorsten Spille 20e9eb0567 -ipl 2025-07-25 00:20:45 +02:00
Thorsten Spille 0b5990cec8 fix 2025-07-24 23:18:50 +02:00
Thorsten Spille 91eee428e5 fix 2025-07-24 23:06:07 +02:00
Thorsten Spille 20bdad8596 fix 2025-07-24 22:59:37 +02:00
Thorsten Spille d15a44d93b perfdatagraphs 2025-07-24 21:57:40 +02:00
Thorsten Spille 3671e5439b fix redis 2025-07-24 21:53:01 +02:00
Thorsten Spille 75182cad2a redis fix 2025-07-24 21:33:19 +02:00
Thorsten Spille a5a533d649 icingadb 2025-07-24 21:17:12 +02:00
Thorsten Spille cf19024277 fix 2025-07-24 20:51:13 +02:00
Thorsten Spille a98469f6be fix 2025-07-24 20:43:02 +02:00
Thorsten Spille 43a1863433 fix 2025-07-24 20:30:44 +02:00
Thorsten Spille b3d991ff86 fix 2025-07-24 20:12:51 +02:00
Thorsten Spille e39f81be4b fix 2025-07-23 22:35:44 +02:00
Thorsten Spille dc33f2bef8 fix 2025-07-23 22:00:50 +02:00
Thorsten Spille 9ca7170655 fix 2025-07-23 21:47:01 +02:00
Thorsten Spille 48e17da745 fix 2025-07-23 21:32:47 +02:00
Thorsten Spille a3937b23a3 bug 2025-07-23 21:22:24 +02:00
Thorsten Spille c597f1570b bugfix 2025-07-23 21:11:19 +02:00
Thorsten Spille 2bf7ae3bec bugfix 2025-07-23 21:00:52 +02:00
Thorsten Spille 6b1ec7c60a next fix 2025-07-23 20:50:03 +02:00
Thorsten Spille 1c45ec96ec fix user creation 2025-07-23 19:21:18 +02:00
Thorsten Spille e58abab586 fix icinga user add error 2025-07-23 19:06:06 +02:00
Thorsten Spille e5bae118a1 Fix icingacli error 2025-07-23 17:49:48 +02:00
Thorsten Spille 367fa63f4b fix icingacli error 2025-07-23 17:34:23 +02:00
Thorsten Spille 8d89d61de3 Update install-service.sh 2025-07-23 17:18:32 +02:00
Thorsten Spille f8e3fe0af2 Update install-service.sh 2025-07-23 17:10:09 +02:00
Thorsten Spille ae3bccb8ed Update install-service.sh 2025-07-23 17:00:18 +02:00
Thorsten Spille eb0a084fe1 Update constants-service.conf 2025-07-23 16:59:59 +02:00
Thorsten Spille f0bdf0ede8 Update install-service.sh 2025-07-23 15:59:51 +02:00
Thorsten Spille 5464e8cc6e Update install-service.sh 2025-07-23 15:16:16 +02:00
Thorsten Spille 118bf3663c Update install-service.sh 2025-07-23 14:49:19 +02:00
Thorsten Spille 5b225b8fc5 Update install-service.sh 2025-07-23 14:39:28 +02:00
Thorsten Spille 35f166ad21 Update install-service.sh 2025-07-23 14:28:34 +02:00
Thorsten Spille 6f1e4a94c9 Update install-service.sh 2025-07-23 14:12:56 +02:00
Thorsten Spille b9c47b835a Update install-service.sh 2025-07-23 13:38:16 +02:00
Thorsten Spille 035de4e296 Update install-service.sh 2025-07-23 13:15:39 +02:00
Thorsten Spille 0e6639ca3f Update install-service.sh 2025-07-23 12:56:54 +02:00
Thorsten Spille 2aa944e9d0 Update install-service.sh 2025-07-23 12:43:19 +02:00
Thorsten Spille 301c1bc446 Update constants-service.conf 2025-07-23 12:33:27 +02:00
Thorsten Spille 94becd6d54 Update constants-service.conf 2025-07-23 12:04:42 +02:00
Thorsten Spille af6ef532d9 Update constants-service.conf 2025-07-23 12:04:01 +02:00
Thorsten Spille 86d79f0ac2 Update constants-service.conf 2025-07-23 12:03:21 +02:00
Thorsten Spille 2b78abbd0e Update install-service.sh 2025-07-23 11:53:36 +02:00
Thorsten Spille e4fce2835f Create constants-service.conf 2025-07-23 11:52:54 +02:00
Thorsten Spille 2de97ff2d6 Create install-service.sh
add icinga2
2025-07-23 11:51:39 +02:00
Thorsten Spille 325747cf6d Create mailcow-update 2025-07-18 15:17:43 +02:00
Thorsten Spille 0171a19b7c Update nextcloud-update 2025-06-26 09:56:41 +02:00
Thorsten Spille 0141dc86ac Update nextcloud-update 2025-06-26 09:55:58 +02:00
Thorsten Spille cc46b53637 Create create-service-account 2025-06-23 18:20:11 +02:00
Chriz 49d96dd3eb Update and rename check_zambaconf_trmm.sh to check_zambaconfonpve_trmm.sh 2025-06-05 22:32:26 +02:00
Chriz c8c898f047 Update check_zambaconf_trmm.sh
also recognizes forgotten zamba.confs in lxcs root
2025-06-05 22:05:15 +02:00
Chriz c9fd96a681 Update check_zambaconf_trmm.sh
delete after three days
2025-06-04 11:01:30 +02:00
Chriz 077735aa03 Create check_zambaconf_trmm.sh
TRMM check if you forgot to delete your zamba.conf with Passwords!
2025-06-04 10:47:50 +02:00
Thorsten Spille 13834a0d2c Create zmb-ad_auto-map-root.sh
Das Script mappt den root user mit dem domain administrator und sorgt dafür dass samba-tool ohne angebe von zugangsdaten ausgeführt werden kann.
2025-05-23 19:23:55 +02:00
Chriz 8d22b06bd5 Update nextcloud-update
updated tested version with php 8.2
2025-05-22 15:56:06 +02:00
Chriz df45fc5e39 Update install-service.sh
missing php-ldap
2025-05-21 19:10:30 +02:00
Thorsten Spille e53a1854b3 Merge pull request #127 from bashclub/main
merge semaphore changes to dev
2025-05-17 10:11:06 +02:00
Thorsten Spille ce9f3f4a9c Update install-service.sh 2025-05-07 14:13:40 +02:00
Thorsten Spille 6d4d70e74e Update ansible-semaphore 2025-05-07 14:10:25 +02:00
thorstenspille f0de34102b replace backup cronjob 2025-04-28 13:09:55 +02:00
thorstenspille 203e4bdc28 fix description for variable 2025-04-28 12:44:27 +02:00
thorstenspille 8f182ac9f8 add permissions for domain admins group 2025-04-28 12:43:42 +02:00
thorstenspille ab363d5793 mailcow: fis backup path 2025-04-28 12:43:14 +02:00
thorstenspille d64a81b185 Fix permissions on zmb-cups 2025-04-28 12:42:37 +02:00
thorstenspille 73a70918d4 fix smb backup jobs for dcs 2025-04-28 12:41:58 +02:00
thorstenspille 3bbd1d98b5 update mailcow.conf, fix backup storage 2025-04-28 12:41:26 +02:00
DerFossiBaer 26cef69e6b Update install-service.sh 2025-01-30 12:57:51 +01:00
DerFossiBaer f481a7a7f4 Update install-service.sh 2025-01-29 18:11:54 +01:00
DerFossiBaer 472cb5b777 Update install-service.sh 2025-01-29 18:09:08 +01:00
DerFossiBaer 12a9c39873 Update functions.sh
Added some functions for installations
2025-01-29 18:07:04 +01:00
DerFossiBaer 6876e6f459 Update install-service.sh
nearly completely new

installation is now generated in functions, witch are added at the end of the script.
2025-01-29 18:02:48 +01:00
DerFossiBaer a10e16633a Update constants-service.conf
change php to 8.3

added postgresql version
2025-01-29 17:58:14 +01:00
DerFossiBaer 23c4166e18 Update constants-service.conf
Due to oom-killers set MEM to 4096MB
2025-01-07 16:05:46 +01:00
DerFossiBaer 3fe94152cc Update install-service.sh
With Omada 5.15 mongodb 7.0 and default jre are possible.
2025-01-06 23:05:43 +01:00
Thorsten Spille d50b7a93c2 Update constants-service.conf
Change Omada to Debian bookworm
2025-01-06 21:32:36 +01:00
Thorsten Spille 8cf9c45f79 set domain admins group in zmb.conf, add zmb-ad-restore container 2024-11-28 21:27:56 +01:00
Thorsten Spille 0c91d48778 Merge pull request #121 from bashclub/dev
Fix zabbix container
2024-11-14 22:19:50 +01:00
Thorsten Spille c3eef2aed6 Update constants-service.conf
Update timescaledb to 2.16.1
2024-11-14 22:01:10 +01:00
Thorsten Spille 34a9d7f0ab Update install-service.sh
Fix postgresql-client version
2024-11-14 21:36:45 +01:00
Thorsten Spille 415703ea5f Merge pull request #116 from bashclub/dev
Dev
2024-07-12 22:50:55 +02:00
thorstenspille 1a3d29953f add cloudpanel container 2024-07-12 22:49:06 +02:00
thorstenspille b9f92b610a Change lxc id detection 2024-07-08 20:15:53 +02:00
Thorsten Spille 2892b7b416 Update install.sh
Only set volblocksize if sharefs is zfspool
2024-07-05 18:33:52 +02:00
Thorsten Spille c94b8c8a9a Merge pull request #114 from bashclub/main
Fix AD DC
2024-07-04 18:23:11 +02:00
Thorsten Spille 954dc0d27e add samba-ad-dc package to zmb-ad and zmb-ad-join 2024-07-04 18:22:06 +02:00
Thorsten Spille 731e4563e7 Update install.sh
Set acl=1 on every lxc rootfs
2024-07-04 18:20:03 +02:00
Thorsten Spille 250d828bc9 Merge pull request #113 from bashclub/dev
Update install-service.sh
2024-06-29 14:54:36 +02:00
Thorsten Spille e966260068 Update install-service.sh
Fix initial setup of authentik (AUTHENTIK_REDIS__DB=1)
2024-06-29 14:27:21 +02:00
86 changed files with 2747 additions and 1480 deletions
+3 -3
@@ -153,10 +153,10 @@ ZMB_ADMIN_PASS='Start!123'
``` ```
Please use 'single quotation marks' to avoid unexpected behaviour. Please use 'single quotation marks' to avoid unexpected behaviour.
`zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail. `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
### ZMB_SHARE ### ZMB_SHARES
Defines the name of your Zamba share Defines the names of your Zamba shares
```bash ```bash
ZMB_SHARE="share" ZMB_SHARES="share1,share2"
``` ```
<br> <br>
+9 -17
@@ -99,19 +99,23 @@ LXC_TAGS="linux,debian,${service}"
############### Zamba-Server-Section ############### ############### Zamba-Server-Section ###############
# Defines the REALM for the Active Directory (AD DC, AD member) # Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
ZMB_REALM="ZMB.ROCKS" ZMB_REALM="ZMB.ROCKS"
# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone) # Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
ZMB_DOMAIN="ZMB" ZMB_DOMAIN="ZMB"
# Defines the name of your domain administrator account (AD DC, AD member, standalone) # Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
ZMB_ADMIN_USER="administrator" ZMB_ADMIN_USER="administrator"
# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
ZMB_ADMIN_PASS='Start!123' ZMB_ADMIN_PASS='Start!123'
# Defines the name of your Zamba share # Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
ZMB_SHARE="share" ZMB_DOMAIN_ADMINS="domain admins"
# Defines the names of your Zamba shares in a comma separated list
ZMB_SHARES="share1,share2"
############### Mailpiler-Section ############### ############### Mailpiler-Section ###############
@@ -161,18 +165,6 @@ CMK_ADMIN_PW='Start!123'
# free = limited version of the enterprise edition (25 hosts, 1 instance) # free = limited version of the enterprise edition (25 hosts, 1 instance)
CMK_EDITION=raw CMK_EDITION=raw
############### Kopano-Section ###############
# Define the FQDN of your Nextcloud server
KOPANO_FQDN="kopano.zmb.rocks"
# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
KOPANO_MAILGW="192.168.100.254"
# Kopano test- or subscription-key offerd from
# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
KOPANO_REPKEY="1234567890abcdefghijklmno"
############### vaultwarden Section ############### ############### vaultwarden Section ###############
# Enable/disable signups (true/false) # Enable/disable signups (true/false)
+40 -10
@@ -20,11 +20,12 @@ prog="$(basename $0)"
usage() { usage() {
cat >&2 <<-EOF cat >&2 <<-EOF
usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] [-p]
installs a preconfigured lxc container on your proxmox server installs a preconfigured lxc container on your proxmox server
-i CTID provide a container id instead of auto detection -i CTID provide a container id instead of auto detection
-s SERVICE provide the service name and skip the selection dialog -s SERVICE provide the service name and skip the selection dialog
-c CFGFILE use a different config file than 'zamba.conf' -c CFGFILE use a different config file than 'zamba.conf'
-p preserve zamba.conf ans scripts inside container
-d Debug mode inside LXC container -d Debug mode inside LXC container
-h displays this help text -h displays this help text
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
@@ -39,13 +40,15 @@ ctid=0
service=ask service=ask
config=$PWD/conf/zamba.conf config=$PWD/conf/zamba.conf
debug=0 debug=0
preserve_install_scripts=0
while getopts "hi:s:c:d" opt; do while getopts "hi:s:c:dp" opt; do
case $opt in case $opt in
h) usage 0 ;; h) usage 0 ;;
i) ctid=$OPTARG ;; i) ctid=$OPTARG ;;
s) service=$OPTARG ;; s) service=$OPTARG ;;
c) config=$OPTARG ;; c) config=$OPTARG ;;
p) preserve_install_scripts=1 ;;
d) debug=1 ;; d) debug=1 ;;
*) usage 1 ;; *) usage 1 ;;
esac esac
@@ -102,6 +105,15 @@ source "$config"
source "$PWD/src/$service/constants-service.conf" source "$PWD/src/$service/constants-service.conf"
if [[ $service == "zmb-ad-restore" ]]; then
if find ./ | grep samba-backup*.tar.bz2 ; then
sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
else
echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
exit 1
fi
fi
if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
LXC_MEM=$LXC_MEM_MIN LXC_MEM=$LXC_MEM_MIN
fi fi
@@ -119,8 +131,7 @@ if [ $ctid -gt 99 ]; then
LXC_CHK=$ctid LXC_CHK=$ctid
else else
# Get next free LXC-number # Get next free LXC-number
LXC_LST=$( lxc-ls -1 | tail -1 ) LXC_CHK=$(($(pct list | cut -d' ' -f1 | tail -1) + 1))
LXC_CHK=$((LXC_LST+1));
fi fi
if [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then if [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
@@ -142,10 +153,14 @@ fi
# Create the container # Create the container
set +u set +u
pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE; pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE,acl=1;
set -u set -u
sleep 2; sleep 2;
if [[ $SERVICE_TAGS == *"docker"* ]]; then
echo "lxc.apparmor.profile: unconfined" >> /etc/pve/lxc/${LXC_NBR}.conf
fi
# Check vlan configuration # Check vlan configuration
if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
# Reconfigure conatiner # Reconfigure conatiner
@@ -160,9 +175,11 @@ sleep 2
if [ $LXC_MP -gt 0 ]; then if [ $LXC_MP -gt 0 ]; then
pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
if [[ "$(pvesm status | grep $LXC_SHAREFS_STORAGE | cut -d ' ' -f6)" == "zfspool" ]]; then
pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2) pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1) dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
fi
fi fi
sleep 2; sleep 2;
@@ -175,13 +192,17 @@ sleep 5;
pct exec $LXC_NBR -- mkdir -p /root/.ssh pct exec $LXC_NBR -- mkdir -p /root/.ssh
pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
pct push $LXC_NBR "$config" /root/zamba.conf pct push $LXC_NBR "$config" /root/zamba.conf
for f in "$PWD/src/functions.sh" "$PWD/src/constants.conf" "$PWD/src/lxc-base.sh" "$PWD/src/$service/install-service.sh" "$PWD/src/$service/constants-service.conf"; do
pct push $LXC_NBR $f /root/$(basename $f)
done
if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
pct push $LXC_NBR scripts/zmb-ad_auto-map-root.sh /root/zmb-ad_auto-map-root.sh
pct push $LXC_NBR scripts/create-service-account /usr/bin/create-service-account
fi
pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
pct push $LXC_NBR "$PWD/src/functions.sh" /root/functions.sh
pct push $LXC_NBR "$PWD/src/constants.conf" /root/constants.conf
pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
@@ -194,6 +215,9 @@ pct shutdown $LXC_NBR
if [[ $service == "zmb-ad" ]]; then if [[ $service == "zmb-ad" ]]; then
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
pct set $LXC_NBR -nameserver ${LXC_IP%/*} pct set $LXC_NBR -nameserver ${LXC_IP%/*}
elif [[ $service == "zmb-ad-restore" ]]; then
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
elif [[ $service == "zmb-ad-join" ]]; then elif [[ $service == "zmb-ad-join" ]]; then
pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS" pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
fi fi
@@ -202,3 +226,9 @@ if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
sleep 5 sleep 5
pct exec $LXC_NBR /usr/local/bin/smb-backup 7 pct exec $LXC_NBR /usr/local/bin/smb-backup 7
fi fi
if [ $preserve_install_scripts -eq 0 ]; then
for f in constants.conf constants-service.conf functions.sh install-service.sh lxc-base.sh zamba.conf; do
pct exec $LXC_NBR -- bash -c "if [ -f /root/$f ] ; then rm -f /root/${f} ; fi"
done
fi
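Review bot: The cleanup loop added at the end of install.sh only runs if the script reaches its last line; any failure between the `pct push $LXC_NBR "$config" /root/zamba.conf` and this point (or an interrupted run) leaves /root/zamba.conf — carrying ZMB_ADMIN_PASS, CMK_ADMIN_PW and whatever else conf/zamba.conf holds — inside the container, which is precisely the state the TRMM check script elsewhere in this PR exists to detect. Move the loop into a function and register it with `trap cleanup_install_scripts EXIT`, guarded by `preserve_install_scripts` and a `pct status "$LXC_NBR"` check so it is a no-op when the container does not exist or is not running; I cannot see from this hunk whether the container is still up on every exit path, so that guard is needed. The `-p` help line should also say what is being preserved, e.g. `-p preserve zamba.conf and install scripts inside the container (keeps the plaintext admin password in /root)`. Separately, the new `lxc.apparmor.profile: unconfined` line for docker-tagged services silently drops AppArmor confinement for the whole container; add a comment recording why docker needs this here and that it is a confinement downgrade, and confirm the expected `LXC_UNPRIVILEGED` value for these services, which is not visible in this hunk.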
+6
@@ -0,0 +1,6 @@
repos ohne debian trixie support
- manticore (fixed via bashclub repo)
- 45drives
- mongodb
- influxdb
- zammad
+19
@@ -0,0 +1,19 @@
#!/bin/bash
export LC_ALL=C
ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf"
if [[ -f "$ZAMBA_CONF" ]]; then
# Prüfen, ob die Datei älter als 3 Tage ist
if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then
echo "⚠️ zamba.conf ist älter als 3 Tage Datei wird gelöscht: $ZAMBA_CONF"
rm -f "$ZAMBA_CONF"
exit 0
else
echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF"
exit 2
fi
else
echo "✅ OK: zamba.conf ist nicht vorhanden"
exit 0
fi
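Review bot: The age test `if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then` is always true when the file exists, because find exits 0 whether or not anything matched; the exit-2 "younger than 3 days" branch is therefore dead and the config is deleted on the first run. Test the output instead: `if [[ -n "$(find "$ZAMBA_CONF" -mtime +3 2>/dev/null)" ]]; then`. Note also that `-mtime +3` matches files whose age rounds down to more than three whole days, i.e. roughly four days and older, so the message text is slightly off. install.sh in this PR also pushes the config to `/root/zamba.conf` inside the container, so that path is worth covering too unless a separate check handles it, which I cannot see here.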
+50
@@ -0,0 +1,50 @@
#!/usr/bin/env bash
set -euo pipefail
USER="$1"
if [ -z "$USER" ]; then
echo "Usage: $0 <username>"
exit 1
fi
# Prüfen, ob ldbmodify verfügbar ist
if ! command -v ldbmodify &> /dev/null; then
echo "Fehler: 'ldbmodify' ist nicht installiert. Bitte installiere 'ldb-tools' mit:"
echo " sudo apt update && sudo apt install ldb-tools"
exit 10
fi
# Sicheres Passwort generieren (32 Zeichen, alphanumerisch + Sonderzeichen)
PASSWORD=$(openssl rand -base64 24)
# Benutzer anlegen mit generiertem Passwort
samba-tool user create "$USER" "$PASSWORD"
echo "✅ Benutzer $USER erfolgreich erstellt."
# DN des Benutzers ermitteln
DN=$(ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=$USER)" dn | awk '/^dn: / {print $2}')
if [ -z "$DN" ]; then
echo "❌ Fehler: DN für $USER nicht gefunden." >&2
exit 3
fi
# userWorkstations=NONE setzen
ldbmodify -H /var/lib/samba/private/sam.ldb <<EOF
dn: $DN
changetype: modify
replace: userWorkstations
userWorkstations: "NOWORKSTATION"
EOF
echo
echo "------------------------------------------"
echo "BENUTZER ERSTELLT:"
echo "Username: $USER"
echo "Passwort: $PASSWORD"
echo "Distinguished Name:"
echo "$DN"
echo "------------------------------------------"
echo "Bitte notiere Benutzername, Passwort und DN sicher."
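Review bot: With `set -u` in effect, `USER="$1"` aborts with an "unbound variable" error when the script is called without arguments, so the usage message right below it is unreachable; use `USER="${1:-}"` (and preferably a name other than USER, which shadows the login environment variable). The generated password is also passed to `samba-tool user create` on the command line, where it is visible in `ps` and process-accounting output for the duration of the call, and is then echoed to stdout; consider letting samba-tool prompt and feeding the value via stdin, and state in a header comment that the output must not be captured in a log. The LDIF value `"NOWORKSTATION"` is stored with the literal quote characters, which still names a non-existent host so the restriction works, but the comment above it says `userWorkstations=NONE`; align it with the value, e.g. `# Restrict interactive logon to a non-existent workstation; presumably the account is used only for service binds.`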
+67
@@ -0,0 +1,67 @@
#!/bin/bash
# Konfiguration
MAILCOW_PATH="/opt/mailcow-dockerized"
SPOOL_DIR="/var/lib/check_mk_agent/spool"
INTERVAL_SECONDS=87000 # z.B. alle 24 Stunden + Toleranz
SPOOL_FILE="${SPOOL_DIR}/${INTERVAL_SECONDS}_mailcow_update"
# Sicherstellen, dass das Spool-Verzeichnis existiert
mkdir -p "$SPOOL_DIR"
# Temporäre Datei vorbereiten
TMP_FILE="$(mktemp)"
# Header für Local Check
echo "<<<local>>>" > "$TMP_FILE"
# In das Mailcow-Verzeichnis wechseln
if ! cd "$MAILCOW_PATH"; then
echo "2 Mailcow_Update - ERROR: Verzeichnis $MAILCOW_PATH nicht gefunden" >> "$TMP_FILE"
echo "3 Mailcow_Version - UNKNOWN: Verzeichnis nicht gefunden" >> "$TMP_FILE"
mv "$TMP_FILE" "$SPOOL_FILE"
exit 2
fi
# Aktuelle Uhrzeit für Log
NOW="$(date '+%Y-%m-%d %H:%M:%S')"
# Mailcow-Version auslesen
GIT_TAG=$(git describe --tags --abbrev=0 2>/dev/null)
GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null)
if [[ -n "$GIT_TAG" ]]; then
echo "0 Mailcow_Version - OK: Version $GIT_TAG ($GIT_COMMIT)" >> "$TMP_FILE"
else
echo "0 Mailcow_Version - OK: Commit $GIT_COMMIT (kein Tag)" >> "$TMP_FILE"
fi
# Auf Updates prüfen
UPDATE_CHECK=$(./update.sh --check 2>&1)
if echo "$UPDATE_CHECK" | grep -q "No updates available"; then
echo "0 Mailcow_Update - OK: Kein Update verfügbar ($NOW)" >> "$TMP_FILE"
mv "$TMP_FILE" "$SPOOL_FILE"
exit 0
fi
# Erstes Update versuchen
UPDATE_OUTPUT=$(./update.sh --force --skip-ping-check 2>&1)
EXIT_CODE=$?
# Sonderfall: Skript wurde geändert und muss erneut ausgeführt werden
if echo "$UPDATE_OUTPUT" | grep -q "update.sh changed, please run this script again"; then
UPDATE_OUTPUT_2=$(./update.sh --force --skip-ping-check 2>&1)
EXIT_CODE=$?
UPDATE_OUTPUT="${UPDATE_OUTPUT}\n--- retry ---\n${UPDATE_OUTPUT_2}"
fi
if [ "$EXIT_CODE" -eq 0 ]; then
echo "0 Mailcow_Update - OK: Update erfolgreich durchgeführt ($NOW)" >> "$TMP_FILE"
else
echo "2 Mailcow_Update - CRITICAL: Update fehlgeschlagen ($NOW)" >> "$TMP_FILE"
echo "$UPDATE_OUTPUT" >> "$TMP_FILE"
fi
# Ergebnis schreiben
mv "$TMP_FILE" "$SPOOL_FILE"
exit "$EXIT_CODE"
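Review bot: When `./update.sh --check` fails for a transient reason (network, git, docker not running), its output contains neither "No updates available" nor an update notice, and the script falls straight into `./update.sh --force --skip-ping-check` — a forced, unattended upgrade of the mail server triggered by nothing more than a failed check. Capture the check's exit status and require a positive match for available updates before upgrading; report anything else as UNKNOWN and stop, as in the excerpt below (the match on "available" is a hedge for whatever message update.sh prints in that case). The retry on "update.sh changed, please run this script again" is fine, but `echo "$UPDATE_OUTPUT"` writes the `\n` separators literally since echo is used without -e; use printf or real newlines. A header comment would help operators, e.g. `# Daily cron job: performs an unattended forced mailcow update and reports the result via a Checkmk local-check spool file.`
```shell
UPDATE_CHECK=$(./update.sh --check 2>&1)
CHECK_RC=$?
if echo "$UPDATE_CHECK" | grep -q "No updates available"; then
  # … unchanged: OK line, mv to spool, exit 0 …
elif ! echo "$UPDATE_CHECK" | grep -qi "available"; then
  # The check itself failed or printed something unexpected: never force an update blindly.
  echo "3 Mailcow_Update - UNKNOWN: update check failed (rc=$CHECK_RC) ($NOW)" >> "$TMP_FILE"
  mv "$TMP_FILE" "$SPOOL_FILE"
  exit 3
fi
```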
+159
@@ -0,0 +1,159 @@
#!/bin/bash
DEBUG_LOG="/tmp/mailcow_debug.log"
echo "" > "$DEBUG_LOG"
debug() {
echo "[DEBUG] $1"
echo "[DEBUG] $1" >> "$DEBUG_LOG"
}
debug "Starte Mailcow Check Script"
MAILCOW_PATH="/opt/mailcow-dockerized"
SPOOL_DIR="/var/lib/check_mk_agent/spool"
INTERVAL_SECONDS=87000
SPOOL_FILE="${SPOOL_DIR}/${INTERVAL_SECONDS}_mailcow_update"
CERT_DIR="${MAILCOW_PATH}/data/assets/ssl"
mkdir -p "$SPOOL_DIR"
TMP_FILE="$(mktemp)"
debug "Spool-Datei: $SPOOL_FILE"
debug "Temporäre Datei: $TMP_FILE"
# KORREKTER Header für Checkmk Local Checks
echo "<<<local>>>" > "$TMP_FILE"
debug "Wechsle ins Mailcow-Verzeichnis: $MAILCOW_PATH"
if ! cd "$MAILCOW_PATH"; then
echo "2 Mailcow_Update - ERROR: Verzeichnis $MAILCOW_PATH nicht gefunden" >> "$TMP_FILE"
echo "3 Mailcow_Version - UNKNOWN: Verzeichnis nicht gefunden" >> "$TMP_FILE"
mv "$TMP_FILE" "$SPOOL_FILE"
exit 2
fi
NOW="$(date '+%Y-%m-%d %H:%M:%S')"
debug "Aktuelle Zeit: $NOW"
debug "Lese Mailcow Git-Version aus..."
GIT_TAG=$(git describe --tags --abbrev=0 2>/dev/null)
GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null)
debug "GIT_TAG=$GIT_TAG"
debug "GIT_COMMIT=$GIT_COMMIT"
if [[ -n "$GIT_TAG" ]]; then
echo "0 Mailcow_Version - OK: Version $GIT_TAG ($GIT_COMMIT)" >> "$TMP_FILE"
else
echo "0 Mailcow_Version - OK: Commit $GIT_COMMIT (kein Tag)" >> "$TMP_FILE"
fi
###############################################################################
# UPDATE-CHECK
###############################################################################
debug "Führe update.sh --check aus..."
UPDATE_CHECK=$(./update.sh --check 2>&1)
RET=$?
debug "Update Check Rückgabecode: $RET"
EXIT_CODE=0
if echo "$UPDATE_CHECK" | grep -q "No updates available"; then
debug "Kein Update verfügbar."
echo "0 Mailcow_Update - OK: Kein Update verfügbar ($NOW)" >> "$TMP_FILE"
else
debug "Update verfügbar! Starte Update..."
UPDATE_OUTPUT=$(./update.sh --force --skip-ping-check 2>&1)
EXIT_CODE=$?
if [ "$EXIT_CODE" -eq 0 ]; then
debug "Update erfolgreich."
echo "0 Mailcow_Update - OK: Update erfolgreich durchgeführt ($NOW)" >> "$TMP_FILE"
else
debug "Update fehlgeschlagen."
echo "2 Mailcow_Update - CRITICAL: Update fehlgeschlagen ($NOW)" >> "$TMP_FILE"
echo "$UPDATE_OUTPUT" >> "$TMP_FILE"
fi
fi
###############################################################################
# SSL-ZERTIFIKATE PRÜFEN (mit SANs)
###############################################################################
debug "Beginne SSL-Zertifikat-Scan unter: $CERT_DIR"
debug "Ignoriere Verzeichnis: $CERT_DIR/backups"
debug "Ignoriere Datei: $CERT_DIR/acme/account.pem"
debug "Ignoriere Dateien: key.pem, dhparams.pem"
if [ ! -d "$CERT_DIR" ]; then
echo "3 Mailcow_Certificates - UNKNOWN: SSL-Verzeichnis fehlt" >> "$TMP_FILE"
else
while IFS= read -r -d '' CERT_FILE; do
debug "Prüfe Zertifikat: $CERT_FILE"
REL_PATH="${CERT_FILE#${CERT_DIR}/}"
CERT_NAME="${REL_PATH//\//_}"
# Ablaufdatum lesen
END_DATE_RAW=$(openssl x509 -enddate -noout -in "$CERT_FILE" 2>/dev/null | cut -d= -f2)
# SANs extrahieren
SANS=$(openssl x509 -noout -text -in "$CERT_FILE" \
| grep -A1 "Subject Alternative Name" \
| tail -n1 \
| sed 's/DNS://g' \
| sed 's/, /,/g' \
| xargs)
debug "SANs: $SANS"
if [ -z "$END_DATE_RAW" ]; then
echo "3 Mailcow_Cert_${CERT_NAME} - UNKNOWN: Kein Ablaufdatum ($CERT_FILE)" >> "$TMP_FILE"
continue
fi
END_EPOCH=$(date -d "$END_DATE_RAW" +%s 2>/dev/null)
NOW_EPOCH=$(date +%s)
SECONDS_LEFT=$((END_EPOCH - NOW_EPOCH))
DAYS_LEFT=$((SECONDS_LEFT / 86400))
debug "Noch $DAYS_LEFT Tage gültig"
if [ "$SECONDS_LEFT" -le 0 ]; then
STATE=2; STATE_TEXT="CRITICAL"; MSG="abgelaufen"
elif [ "$DAYS_LEFT" -le 14 ]; then
STATE=2; STATE_TEXT="CRITICAL"; MSG="läuft in <=14 Tagen ab"
elif [ "$DAYS_LEFT" -le 30 ]; then
STATE=1; STATE_TEXT="WARNING"; MSG="läuft bald ab"
else
STATE=0; STATE_TEXT="OK"; MSG="gültig"
fi
echo "${STATE} Mailcow_Cert_${CERT_NAME} - ${STATE_TEXT}: ${MSG}, Ablauf: ${END_DATE_RAW}, SANs: ${SANS}" >> "$TMP_FILE"
done < <(
find "$CERT_DIR" \
-path "${CERT_DIR}/backups" -prune -o \
-type f \
! -path "$CERT_DIR/acme/account.pem" \
! -name "key.pem" \
! -name "dhparams.pem" \
\( -name "*.crt" -o -name "*.pem" -o -name "*.cert" \) \
-print0
)
fi
###############################################################################
# SPEICHERN
###############################################################################
debug "Speichere Spool-Datei: $SPOOL_FILE"
mv "$TMP_FILE" "$SPOOL_FILE"
debug "Script fertig. Exit-Code: $EXIT_CODE"
exit "$EXIT_CODE"
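Review bot: `END_EPOCH` is never checked after the `date -d "$END_DATE_RAW" +%s` line, so an expiry string that `date` cannot parse leaves it empty, `SECONDS_LEFT` goes negative and the certificate is reported as `CRITICAL: abgelaufen` instead of UNKNOWN; add `[ -n "$END_EPOCH" ] || { echo "3 Mailcow_Cert_${CERT_NAME} - UNKNOWN: Ablaufdatum nicht lesbar ($CERT_FILE)" >> "$TMP_FILE"; continue; }` directly after it. The debug log is opened at the fixed, world-writable path `/tmp/mailcow_debug.log` and truncated with `>` on every run; since this script runs with the privileges needed to update mailcow, a pre-existing file or symlink at that path is followed, so the log should live in a root-owned directory (the spool dir, for example) or be created with `mktemp`. This version also drops the retry that the sibling script performs when `update.sh` prints `update.sh changed, please run this script again`, so a self-updating `update.sh` presumably ends up as CRITICAL here; I would carry that retry over. Finally, `echo "$UPDATE_OUTPUT" >> "$TMP_FILE"` appends a multi-line blob under `<<<local>>>`, where every line is parsed as its own check result; collapse it onto the CRITICAL line (e.g. `| tr '\n' ' '`).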
@@ -0,0 +1,44 @@
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cloud.domain.tld;
ssl_certificate /etc/ssl/mail/cert.pem;
ssl_certificate_key /etc/ssl/mail/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
# HTTP → HTTPS
if ($scheme = http) {
return 301 https://$host$request_uri;
}
location / {
proxy_pass https://cloud.domain.tld;
# Hostname & Forwarded-Header sauber durchreichen
proxy_set_header Host 192.168.178.253; # explizit der Upstream-Name
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # TLS endet hier
proxy_set_header X-Forwarded-Host $host; # also cloud.domain.tld
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
proxy_set_header Referrer-Policy "no-referrer";
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
client_max_body_size 10G;
}
# CalDAV/CardDAV Redirects
location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
}
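Review bot: `proxy_set_header Referrer-Policy "no-referrer";` in `location /` sets a request header towards the upstream, where it has no effect; Referrer-Policy is a response header and belongs in `add_header Referrer-Policy "no-referrer" always;`. The `Host` header is forced to the literal `192.168.178.253` while the comment next to it calls it the upstream name and `proxy_pass` targets `cloud.domain.tld`; one of the two is presumably a leftover, and the upstream (and its trusted-domains list) should see one consistent name. Because `proxy_pass` speaks https to the upstream, nothing here verifies the upstream certificate (nginx defaults to `proxy_ssl_verify off`); unless the backend sits on a trusted segment, add `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate` and `proxy_ssl_name`. The server block also turns on `ssl_stapling` without a `resolver` and sets no `ssl_protocols`, so it inherits whatever the http context provides.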
+40 -10
@@ -1,17 +1,47 @@
#!/bin/bash #!/bin/bash
#
# Update nextcloud # Update Nextcloud
# place in /etc/cron.daily and make executable with chmod +x /etc/cron.daily/nextcloud-update # Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update
user=www-data user=www-data
phpversion=php8.0 phpversion=php8.4
path=/var/www/nextcloud path=/var/www/nextcloud
logfile="/var/log/nextcloud-update.log"
alias ncc="sudo -u $user $phpversion $path/occ" ncc() {
alias updater="sudo -u $user $phpversion $path/updater/updater.phar" sudo -u "$user" "$phpversion" "$path/occ" "$@"
}
updater --no-backup --no-interaction updater() {
sudo -u "$user" "$phpversion" "$path/updater/updater.phar" "$@"
}
subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade") {
for cmd in ${subcommands[@]}; do echo "===== $(date): Nextcloud Update Start ====="
updater --no-backup --no-interaction
subcommands=(
"db:add-missing-primary-keys"
"db:add-missing-indices"
"db:add-missing-columns"
"db:convert-filecache-bigint"
"files:scan-app-data"
"upgrade"
)
for cmd in "${subcommands[@]}"; do
echo "Running: occ $cmd"
ncc -n $cmd ncc -n $cmd
done done
# App Updates
echo "Updating apps..."
apps=$(ncc app:list | grep -Po 'Enabled:\s*\K.*' | tr -d ' ' | tr ',' '\n')
for app in $apps; do
echo "Updating app: $app"
ncc app:update "$app"
done
echo "===== $(date): Nextcloud Update Finished ====="
} >> "$logfile" 2>&1
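Review bot: the app-update loop depends on `grep -Po 'Enabled:\s*\K.*'` finding the enabled apps on the `Enabled:` line itself, but as far as I recall `occ app:list` prints `Enabled:` as a heading with one ` - app: version` entry per following line, so `apps` would be empty and no app is updated, silently losing the `--all app:update` the old array carried. Either keep `ncc -n app:update --all` or parse `ncc app:list --output=json` with `jq`. `ncc -n $cmd` can now be `ncc -n "$cmd"` because the multi-word entry is gone, and `for app in $apps` relies on word splitting; with the json route both become plain quoted expansions. The `updater --no-backup --no-interaction` call still has no status check, so `upgrade` runs even when the updater failed; `updater --no-backup --no-interaction || exit 1` inside the logged block would stop there.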
+103
@@ -0,0 +1,103 @@
#!/bin/bash
set -e
SMB_CONF="/etc/samba/smb.conf"
USERMAP_FILE="/etc/samba/user.map"
KEYTAB_PATH="/root/admin.keytab"
SYSTEMD_SERVICE="/etc/systemd/system/kinit-admin.service"
SYSTEMD_TIMER="/etc/systemd/system/kinit-admin.timer"
BASH_PROFILE="/root/.bash_profile"
# 1. Domain & Realm aus smb.conf auslesen
DOMAIN_NAME=$(awk -F '=' '/^[[:space:]]*workgroup[[:space:]]*=/ {gsub(/ /, "", $2); print $2}' "$SMB_CONF")
REALM_NAME=$(awk -F '=' '/^[[:space:]]*realm[[:space:]]*=/ {gsub(/ /, "", $2); print toupper($2)}' "$SMB_CONF")
if [[ -z "$DOMAIN_NAME" || -z "$REALM_NAME" ]]; then
echo "[FEHLER] Konnte 'workgroup' oder 'realm' aus smb.conf nicht auslesen."
exit 1
fi
echo "[INFO] Domain: $DOMAIN_NAME"
echo "[INFO] Realm: $REALM_NAME"
# 2. user.map schreiben
echo "!root = ${DOMAIN_NAME}\\Administrator" > "$USERMAP_FILE"
echo "[OK] Benutzerzuordnung geschrieben in $USERMAP_FILE"
# 3. smb.conf patchen
if ! grep -q "^username map *= *$USERMAP_FILE" "$SMB_CONF"; then
sed -i "/^\[global\]/a username map = $USERMAP_FILE" "$SMB_CONF"
echo "[OK] smb.conf wurde um 'username map' ergänzt."
else
echo "[INFO] 'username map' bereits gesetzt."
fi
# 4. Keytab erzeugen
echo "[INFO] Erzeuge Keytab für Administrator..."
samba-tool domain exportkeytab "$KEYTAB_PATH" --principal="administrator@$REALM_NAME"
chmod 600 "$KEYTAB_PATH"
echo "[OK] Keytab gespeichert unter $KEYTAB_PATH"
# 5. systemd-Service + Timer für automatisches kinit
echo "[INFO] Erstelle systemd-Service & Timer..."
cat > "$SYSTEMD_SERVICE" <<EOF
[Unit]
Description=Kerberos Kinit für Administrator
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/kinit -kt $KEYTAB_PATH administrator@$REALM_NAME
EOF
cat > "$SYSTEMD_TIMER" <<EOF
[Unit]
Description=Kerberos Kinit für Administrator (Boot)
[Timer]
OnBootSec=10sec
Unit=kinit-admin.service
[Install]
WantedBy=multi-user.target
EOF
# Aktivieren
systemctl daemon-reexec
systemctl daemon-reload
systemctl enable --now kinit-admin.timer
# 6. root-Login: .bash_profile anpassen
echo "[INFO] Ergänze .bash_profile von root, um bei Login kinit auszuführen..."
mkdir -p "$(dirname "$BASH_PROFILE")"
touch "$BASH_PROFILE"
# Block nur hinzufügen, wenn er nicht bereits vorhanden ist
if ! grep -q "kinit -kt $KEYTAB_PATH administrator@$REALM_NAME" "$BASH_PROFILE"; then
cat >> "$BASH_PROFILE" <<EOF
# Automatisches Kerberos-Ticket beim Login holen
if ! klist -s; then
echo "[INFO] Kein gültiges Kerberos-Ticket führe kinit aus..."
kinit -kt $KEYTAB_PATH administrator@$REALM_NAME && echo "[INFO] Kerberos-Ticket aktualisiert."
fi
EOF
echo "[OK] .bash_profile angepasst."
else
echo "[INFO] .bash_profile enthält bereits kinit-Befehl."
fi
# 7. samba-ad-dc neu starten
echo "[INFO] Starte samba-ad-dc neu..."
systemctl restart samba-ad-dc
# 8. Testausgaben
echo "[INFO] getent passwd root:"
getent passwd root || echo "[WARNUNG] Kein Eintrag für root"
echo
echo "[INFO] Test: samba-tool user list (falls kein Passwort kommt, war's erfolgreich):"
samba-tool user list | head -n 5 || echo "[WARNUNG] Fehler bei samba-tool"
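Review bot: the keytab is written by `samba-tool domain exportkeytab` before `chmod 600` tightens it, so its initial mode depends on the tool and the current umask; wrap the export as `(umask 077; samba-tool domain exportkeytab "$KEYTAB_PATH" --principal="administrator@$REALM_NAME")` so the file is never readable by others. The file then holds the domain Administrator's long-term key, so the header should state that it is equivalent to that password, that the timer and the login hook silently stop working once the Administrator password is changed, and that a dedicated least-privilege account would be the better principal for an automated ticket. The timer only fires `OnBootSec=10sec`, so the ticket it obtains lapses after the realm's ticket lifetime unless something renews it; an `OnUnitActiveSec=` line would keep it fresh. `samba-tool user list | head -n 5 || echo …` under `set -e` without `pipefail` only reflects `head`'s status, so a failing `samba-tool` never prints the warning.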
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+7 -8
@@ -5,15 +5,14 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null inst_nginx
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list inst_postgresql
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update apt update
@@ -32,7 +31,7 @@ curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | gre
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
cat << EOF > /usr/local/bin/update-semaphore cat << EOF > /usr/local/bin/update-semaphore
PATH="/bin:/usr/bin:/usr/local/bin" PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
echo "Checking github for new semaphore version" echo "Checking github for new semaphore version"
current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4) current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
installed_version=\$(semaphore version) installed_version=\$(semaphore version)
@@ -42,7 +41,7 @@ if [ \$installed_version != \$current_version ]; then
systemctl stop semaphore.service systemctl stop semaphore.service
echo "Downloading semaphore version \$current_version..." echo "Downloading semaphore version \$current_version..."
curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical dpkg -i /opt/semaphore_linux_amd64.deb
echo "Starting semaphore.service..." echo "Starting semaphore.service..."
systemctl start semaphore.service systemctl start semaphore.service
echo "semaphore update finished!" echo "semaphore update finished!"
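Review bot: switching the in-place upgrade in `/usr/local/bin/update-semaphore` from `apt -y -qq install` to `dpkg -i` drops dependency resolution, so a release that adds a dependency leaves the package unconfigured and `semaphore.service` stopped, because the script stops it beforehand and nothing checks the install status; keep `apt-get -y -qq install /opt/semaphore_linux_amd64.deb` (apt-get has the stable CLI for scripts) or follow `dpkg -i` with `apt-get -y -f install || exit 1`. The generated script itself runs without `set -e`, so the `set -euo pipefail` added to the installer in the first hunk does not protect it. The downloaded .deb is installed as root without any checksum or signature check; if the GitHub release ships a checksum file, verifying it before the install would close that gap. The enclosing heredoc starts outside this hunk.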
@@ -141,7 +140,7 @@ cat << EOF > /etc/semaphore/config.json
"slack_alert": false, "slack_alert": false,
"ldap_enable": false, "ldap_enable": false,
"ldap_needtls": false, "ldap_needtls": false,
"ssh_config_path": "~/.ssh/", "ssh_config_path": "/home/semaphore/.ssh/",
"demo_mode": false, "demo_mode": false,
"git_client": "" "git_client": ""
} }
-273
@@ -1,273 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
source /etc/os-release
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq aptly python3-aptly nginx graphviz gnupg2 apt-transport-https bc
# Create gpg key for apt repo signing
gpg --batch --gen-key <<EOF
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: ${AM_COMPANY_NAME}
Name-Email: ${AM_COMPANY_EMAIL}
Expire-Date: 0
%no-protection
EOF
if [ -f /etc/nginx/sites-enabled/default ]; then
unlink /etc/nginx/sites-enabled/default
fi
cat << EOF > /etc/aptly.conf
{
"rootDir": "/$LXC_SHAREFS_MOUNTPOINT",
"downloadConcurrency": 4,
"downloadSpeedLimit": 0,
"architectures": [
"amd64",
"armhf"
],
"dependencyFollowSuggests": false,
"dependencyFollowRecommends": false,
"dependencyFollowAllVariants": false,
"dependencyFollowSource": false,
"dependencyVerboseResolve": true,
"gpgDisableSign": false,
"gpgDisableVerify": false,
"gpgProvider": "gpg",
"downloadSourcePackages": false,
"skipLegacyPool": true,
"ppaDistributorID": "$AM_COMPANY_NAME",
"ppaCodename": ""
}
EOF
cat << EOF > /usr/local/bin/update-apt-mirrors
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
for m in $(aptly mirror list -raw); do
aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' \$m
done
EOF
chmod +x /usr/local/bin/update-apt-mirrors
cat << EOF > /etc/nginx/conf.d/default.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
# Force HTTPS connection. This rules is domain agnostic
if (\$scheme != "https") {
rewrite ^ https://\$host\$uri permanent;
}
# SSL configuration
#
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 15.137.208.11 15.137.209.11 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
root /var/www/html;
index index.html index.htm;
server_name _;
location /gpg {
autoindex on;
}
location /graph {
autoindex on;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files \$uri \$uri/ =404;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_pass http://localhost:8080;
}
location /api {
proxy_pass http://localhost:8000/api;
}
location /api/graph {
return 403;
}
}
EOF
cat << EOF > /etc/systemd/system/aptly.service
[Unit]
Description=Aptly Repository service
[Service]
User=root
ExecStart=/usr/bin/aptly serve -listen="localhost:8080"
KillSignal=SIGTERM
KillMode=process
TimeoutStopSec=15s
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/aptly-api.service
[Unit]
Description=Aptly REST API service
[Service]
User=root
ExecStart=/usr/bin/aptly api serve -listen=unix:///var/run/aptly-api.sock -no-lock
KillSignal=SIGTERM
KillMode=process
TimeoutStopSec=15s
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /root/mirror-examples
# import proxmox keyring
wget -O - http://download.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
# proxmox 8 no subscription mirror (about 11.5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription http://download.proxmox.com/debian/ bookworm pve-no-suscription
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg pve8.pve-no-subscription
# import debian keyring
cat /etc/apt/trusted.gpg.d/debian-archive* | gpg --no-default-keyring --keyring /$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg --import
# debian 12 main mirror (about 87 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main http://deb.debian.org/debian/ bookworm main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main
# debian 12 contrib mirror (about 600 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib http://deb.debian.org/debian/ bookworm contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib
# debian 12 non-free mirror (about7,2 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free http://deb.debian.org/debian/ bookworm non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free
# debian 12 non-free-firmware mirror (38 Packages)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware http://deb.debian.org/debian/ bookworm non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware
# debian 12 update main mirror (about 2,5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update http://deb.debian.org/debian/ bookworm-updates main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.update
# debian 12 update contrib mirror (currently empty)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates http://deb.debian.org/debian/ bookworm-updates contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.updates
# debian 12 updates non-free mirror (about 900 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates http://deb.debian.org/debian/ bookworm-updates non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.updates
# debian 12 updates non-free-firmware mirror (about 70 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates http://deb.debian.org/debian/ bookworm-updates non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.updates
# debian 12 security main mirror (about 5,5 GB)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security http://security.debian.org/debian-security bookworm-security main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.security
# debian 12 security contrib mirror (2 packages)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security http://security.debian.org/debian-security bookworm-security contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.security
# debian 12 security non-free mirror (currently empty)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security http://security.debian.org/debian-security bookworm-security non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.security
# debian 12 security non-free-firmware mirror (1 package)
aptly mirror create -force-components -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security http://security.debian.org/debian-security bookworm-security non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.security
# debian 12 backports main mirror (about 14,5 GB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports http://deb.debian.org/debian/ bookworm-backports main
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.main.backports
# debian 12 backports contrib mirror (about 100 MB)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports http://deb.debian.org/debian/ bookworm-backports contrib
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.contrib.backports
# debian 12 backports non-free mirror (2 packages)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports http://deb.debian.org/debian/ bookworm-backports non-free
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free.backports
# debian 12 backports non-free-firmware mirror (currently empty)
aptly mirror create -architectures="amd64" -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports http://deb.debian.org/debian/ bookworm-backports non-free-firmware
aptly mirror update -keyring=/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg debian12.non-free-firmware.backports
EOF
cat << EOF > /usr/local/bin/update-apt-mirrors
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
for m in \$(aptly mirror list -raw); do
aptly mirror update -keyring='/$LXC_SHAREFS_MOUNTPOINT/trustedkeys.gpg' $m
done
EOF
echo "0 4 * * * root /usr/local/bin/update-apt-mirrors" > /etc/cron.d/update-apt-mirrors
chmod +x /usr/local/bin/update-apt-mirrors
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT
chown -R www-data:www-data /var/www
# Create required webserver folders
sudo -u www-data mkdir -p /var/www/html/{gpg,graph}
# Export gpg key
sudo -u www-data gpg --export --armor > /var/www/html/gpg/$AM_COMPANY_NAME.pub
generate_dhparam
systemctl daemon-reload
systemctl enable --now aptly aptly-api
systemctl restart nginx
echo "Apt mirror installation complete. Please look into /root/mirror-examples for mirror examples."
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
+5 -7
@@ -5,19 +5,16 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
# Add Docker's official GPG key: # Add Docker's official GPG key:
install -m 0755 -d /etc/apt/keyrings inst_docker
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources: DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq pwgen
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
SECRET=$(random_password) SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1) myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
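Review bot: with `set -euo pipefail` now in effect, the `myip=$(ip a s dev eth0 | grep -m1 inet | cut …)` line in this hunk's context aborts the installer whenever `eth0` has no address or is named differently, because the failing `grep` now propagates through the pipeline; guard it, e.g. `myip=$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d/ -f1) || { echo "no IPv4 address on eth0" >&2; exit 1; }`. `grep -m1 inet` also matches an `inet6` line first when no IPv4 address is configured, so the `-4` form is safer either way. `inst_docker` plus the separate `pwgen` install replace the inline repository setup, which is fine, but I cannot see whether `inst_docker` still runs `apt-get update` before the `pwgen` install; if it does not, the install fails on a fresh template.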
@@ -95,6 +92,7 @@ AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10 AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain # Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM= AUTHENTIK_EMAIL__FROM=
AUTHENTIK_REDIS__DB=1
EOF EOF
docker compose pull docker compose pull
@@ -8,12 +8,13 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank" LXC_SHAREFS_MOUNTPOINT="var/lib/cmk-push-agent"
# Defines the recordsize of mp0 # Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K" LXC_MP_RECORDSIZE="16K"
@@ -26,28 +27,13 @@ LXC_NESTING="1"
# enable keyctl feature # enable keyctl feature
LXC_KEYCTL="0" LXC_KEYCTL="0"
# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest') # checkmk version
KOPANO_VERSION="latest" CMK_VERSION=2.4.0p19
# build number of the debian package (needs to start with underscore)
# Defines the php version to install CMK_BUILD=_0
KOPANO_PHP_VERSION="7.4"
# Defines Maria DB Version
MARIA_DB_VERS="10.5"
# Defines the name from the SQL database
MARIA_DB_NAME="kopano"
# Defines the name from the SQL user
MARIA_DB_USER="kopano"
# Build a strong password for the SQL user - could be overwritten with something fixed
MARIA_ROOT_PWD=$(random_password)
MARIA_USER_PWD=$(random_password)
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096 LXC_MEM_MIN=2048
# service dependent meta tags # service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb" SERVICE_TAGS="apache2"
+88
@@ -0,0 +1,88 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/testing $(lsb_release -cs) main" > /etc/apt/sources.list.d/bashclub.list
apt update
cd /tmp
wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
cat << EOF > /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
</VirtualHost>
EOF
cat << EOF > /etc/apache2/sites-available/default-ssl.conf
<VirtualHost *:443>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog \${APACHE_LOG_DIR}/error.log
CustomLog \${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
EOF
a2enmod ssl
a2enmod rewrite
a2ensite default-ssl
systemctl restart apache2.service
omd start $CMK_INSTANCE
# install matrix notification plugin
wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install cmk-push-server
cmk-push-setup
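Review bot: `omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE` passes the site admin password on the command line, where it is visible in the process list and in any `set -x` trace, and both expansions are unquoted so a password with spaces or glob characters breaks the call; at minimum quote them (`omd create --admin-password "$CMK_ADMIN_PW" "$CMK_INSTANCE"`), and prefer setting the password afterwards through a path that reads it from stdin if the installed edition offers one. The notification plugin is fetched from `raw/master` of a GitHub repository and executed by the site, so the installer's behaviour changes whenever that branch moves; pin the download to a tag or commit and compare a checksum before `chmod +x`. The Checkmk .deb is installed straight from `wget` without verifying its signature against the Checkmk package signing key, and the `apt.bashclub.org/testing` suite is added as a permanent source; both deserve a comment stating that this is intended. `wget` also leaves the downloaded package in `/tmp`, which is never cleaned up.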
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+5 -1
@@ -7,6 +7,8 @@ set -euo pipefail
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
@@ -14,9 +16,11 @@ source /root/constants-service.conf
BOOKSTACK_DB_PWD=$(random_password) BOOKSTACK_DB_PWD=$(random_password)
webroot=/var/www/bookstack/public webroot=/var/www/bookstack/public
inst_php cli,fpm,mysql,fpm,xml,mbstring,gd,tokenizer,curl,ldap,tidy,zip 8.5
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd php-tokenizer php-xml php-dompdf php-curl php-ldap php-tidy php-zip redis-server DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client redis-server
curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i - curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
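Review bot: The new `inst_php cli,fpm,mysql,fpm,xml,...` call lists `fpm` twice and drops `php-dompdf`, which the removed apt line installed, without a replacement; if BookStack still needs it, add it back (it may not exist as a versioned sury module, so a plain `apt install php-dompdf` or a comment explaining the omission is needed). The explicit `8.5` also differs from the `8.4` used everywhere else in this change (FS_PHP_VERSION, PHP_VERSION and the `inst_php` default), so a short comment on why BookStack gets a different PHP version would help the next reader. The unchanged wkhtmltopdf line still selects the `bookworm_amd64.deb` asset although the template moves to debian-13; if no trixie build exists, say so in a comment so the pin is not mistaken for an oversight, and consider `curl -fsS` so an API error body cannot be piped into grep silently.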
+2 -2
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
@@ -28,7 +28,7 @@ LXC_NESTING="1"
LXC_KEYCTL="0" LXC_KEYCTL="0"
# checkmk version # checkmk version
CMK_VERSION=2.3.0p6 CMK_VERSION=2.4.0p18
# build number of the debian package (needs to start with underscore) # build number of the debian package (needs to start with underscore)
CMK_BUILD=_0 CMK_BUILD=_0
+2
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
+31
@@ -0,0 +1,31 @@
#!/bin/bash
# Authors:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="home"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"
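Review bot: The comment above `LXC_SHAREFS_MOUNTPOINT="home"` still says `(default: tank)`, so the comment and the value it documents disagree. Either describe this service's choice, e.g. `# Mountpoint of the Zamba shared filesystem inside the container (this service mounts it at home)`, or drop the parenthesis so the line does not read as if tank were being set.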
+13
@@ -0,0 +1,13 @@
#!/bin/bash
# Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source zamba.conf
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
DB_ENGINE=MARIADB_11.8 SWAP=false bash install.sh
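Review bot: The installer fetched on the line before `DB_ENGINE=MARIADB_11.8 SWAP=false bash install.sh` is executed as root without any integrity check, and `curl -sS` without `-f` will save an HTTP error body into install.sh and then run it. Download with `curl -fsS https://installer.cloudpanel.io/ce/v2/install.sh -o /root/install.sh` and verify against a pinned digest before executing, e.g. `echo "<EXPECTED_SHA256>  /root/install.sh" | sha256sum -c -` (CloudPanel's install instructions publish such a checksum; fill it in when the version is bumped). `source zamba.conf` uses a relative path while every other installer in this change sources `/root/zamba.conf`, so the script depends on its working directory. The bashclub key is written to the keyring directory but no sources entry references it here; if that happens elsewhere, a one-line comment saying so would keep it from reading as dead code, and `wget -qO -` would keep the log quiet as in the removed ecodms script.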
+1 -1
@@ -8,4 +8,4 @@
# This file contains the project constants on container level # This file contains the project constants on container level
# Define your (administrative) tools, you always want to have installed into your LXC container # Define your (administrative) tools, you always want to have installed into your LXC container
LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gnupg2 apt-transport-https software-properties-common wget ssl-cert tmux" LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gpg gnupg2 apt-transport-https wget ssl-cert tmux jq"
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
+3 -13
@@ -5,19 +5,13 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
# Add Docker's official GPG key: inst_docker
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
SECRET=$(random_password) SECRET=$(random_password)
myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1) myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
@@ -26,8 +20,6 @@ install_portainer_full() {
mkdir -p /opt/portainer/data mkdir -p /opt/portainer/data
cd /opt/portainer cd /opt/portainer
cat << EOF > /opt/portainer/docker-compose.yml cat << EOF > /opt/portainer/docker-compose.yml
version: "3.4"
services: services:
portainer: portainer:
restart: always restart: always
@@ -52,8 +44,6 @@ install_portainer_agent() {
mkdir -p /opt/portainer-agent/data mkdir -p /opt/portainer-agent/data
cd /opt/portainer-agent cd /opt/portainer-agent
cat << EOF > /opt/portainer-agent/docker-compose.yml cat << EOF > /opt/portainer-agent/docker-compose.yml
version: "3.4"
services: services:
portainer: portainer:
restart: always restart: always
-21
@@ -1,21 +0,0 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
echo "ecodmsserver ecodmsserver/language string german" | debconf-set-selections
echo "ecodmsserver ecodmsserver/license string true" | debconf-set-selections
echo -e "deb http://www.ecodms.de/${ECODMS_RELEASE}/$(lsb_release -cs) /" > /etc/apt/sources.list.d/ecodms.list
wget -qO- http://www.ecodms.de/gpg/ecodms.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/ecodms.gpg
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ecodmsserver
+3 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
@@ -29,5 +29,7 @@ LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024 LXC_MEM_MIN=1024
FS_PHP_VERSION=8.4
# service dependent meta tags # service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb" SERVICE_TAGS="php-fpm,nginx,mariadb"
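Review bot: `FS_PHP_VERSION=8.4` is the only constant in this file without the one-line comment every other entry carries, and the freescout installer derives package names, the fpm socket path and the php.ini path from it. Add `# PHP version installed from the sury repository for FreeScout (package names, fpm socket and php.ini path derive from it)` above the line so the coupling is visible to whoever bumps it next.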
+9 -7
@@ -18,10 +18,12 @@ MYSQL_PASSWORD="$(random_password)"
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-zip php-curl php-intl php-fpm php-mysql php-imap php-xml php-mbstring php-gd ssl-cert git inst_php cli,zip,curl,intl,fpm,mysql,imap,xml,mbstring,gd $FS_PHP_VERSION
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client ssl-cert git
echo cgi.fix_pathinfo=0 >> /etc/php/8.2/fpm/php.ini echo cgi.fix_pathinfo=0 >> /etc/php/$FS_PHP_VERSION/fpm/php.ini
cat << EOF > /etc/nginx/sites-available/default cat << EOF > /etc/nginx/sites-available/default
server { server {
@@ -52,7 +54,7 @@ server {
location ~ .php$ { location ~ .php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; fastcgi_pass unix:/var/run/php/php${FS_PHP_VERSION}-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
include fastcgi_params; include fastcgi_params;
@@ -104,10 +106,10 @@ GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD'
CREATE DATABASE IF NOT EXISTS freescout; CREATE DATABASE IF NOT EXISTS freescout;
GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';" GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
curl -s https://api.github.com/repos/freescout-helpdesk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i - curl -s https://api.github.com/repos/freescout-help-desk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
cd $webroot cd $webroot
tar -vxf freescout.tar.gz tar -vxf freescout.tar.gz
dir=$(ls -d freescout-helpdesk-freescout*) dir=$(ls -d freescout-help-desk-freescout*)
mv -v $dir freescout mv -v $dir freescout
chown -R www-data:www-data /var/www/html chown -R www-data:www-data /var/www/html
find /var/www/html -type f -exec chmod 664 {} \; find /var/www/html -type f -exec chmod 664 {} \;
@@ -125,8 +127,8 @@ cat << EOF > /etc/cron.d/freescout
* * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1 * * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
EOF EOF
systemctl enable --now php8.2-fpm systemctl enable --now php${FS_PHP_VERSION}-fpm
systemctl restart php8.2-fpm nginx systemctl restart php${FS_PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
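Review bot: The renamed glob in `dir=$(ls -d freescout-help-desk-freescout*)` still parses `ls` output and `mv -v $dir freescout` expands it unquoted, so a second matching directory or an unexpected name breaks the install in a confusing way. Use the shell glob directly, `dirs=(freescout-help-desk-freescout*)` followed by `mv -v -- "${dirs[0]}" freescout`, which fails loudly if nothing matched instead of moving an empty expansion. `echo cgi.fix_pathinfo=0 >> /etc/php/$FS_PHP_VERSION/fpm/php.ini` appends a new directive on every run rather than replacing the shipped `;cgi.fix_pathinfo=1`; the icinga installer in this change uses `sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/'`, which would keep the two consistent. The GitHub tarball is still fetched without any verification; that is pre-existing, but now that the repository path changed a TODO pointing at release checksums or a pinned tag would be worth leaving.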
+109 -5
@@ -9,7 +9,7 @@ random_password() {
} }
generate_dhparam() { generate_dhparam() {
openssl dhparam -out /etc/nginx/dhparam.pem 2048 openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 2048
cat << EOF > /etc/cron.monthly/generate-dhparams cat << EOF > /etc/cron.monthly/generate-dhparams
#!/bin/bash #!/bin/bash
openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1 openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
@@ -22,10 +22,114 @@ EOF
apt_repo() { apt_repo() {
apt_name=$1 apt_name=$1
apt_key_url=$2 apt_key_url=$2
apt_key_path=/usr/share/keyrings/${apt_name}.gpg apt_key_path=/usr/share/keyrings/${apt_name}-archive-keyring.gpg
apt_repo_url=$3 apt_repo_url=$3
apt_suites=$4
apt_components=$5
tmp_key_file=$(mktemp)
if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
echo "❌ Fehler beim Herunterladen des Schlüssels."
rm -f "${tmp_key_file}"
exit 1
fi
if file "${tmp_key_file}" | grep -q "ASCII"; then
echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
# Wenn es ASCII ist, konvertiere es mit --dearmor
if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
chmod 644 ${apt_key_path}
echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
else
echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
exit 1
fi
else
echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
# Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
chmod 644 ${apt_key_path}
else
echo "❌ Fehler beim Kopieren des binären Schlüssels."
rm -f "${tmp_key_file}"
exit 1
fi
fi
wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path} if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
Types: deb
URIs: $apt_repo_url
Suites: $apt_suites
Components: $apt_components
Enabled: yes
Signed-By: $apt_key_path
EOF
else
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
fi
}
#### Set repo and install Nginx ####
inst_nginx() {
apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
}
#### Set repo and install PHP ####
inst_php() {
PHP_MODULES=${1}
PHP_VERSION=${2:-8.4}
IFS=',' read -ra MODULE_ARRAY <<< "$PHP_MODULES"
PKGS=()
for PHP_MODULE in "${MODULE_ARRAY[@]}"; do
PKGS+=( "php${PHP_VERSION}-${PHP_MODULE}" )
done
apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common "${PKGS[@]}"
}
#### Set repo and install Postgresql ####
# First paramater is postgres version, default ist curren version postgres 18
inst_postgresql() {
POSTGRES_VERSION=${1:-18}
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-${POSTGRES_VERSION}
}
#### Set repo and install Crowdsec ####
inst_crowdsec() {
apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
}
#### Set repo and install 45drives (cockpit) ####
inst_45drives() {
apt_repo "45drives" "https://repo.45drives.com/key/gpg.asc" "https://repo.45drives.com/enterprise/debian" "bookworm" "main"
apt update
}
#### Set repo and install Docker ####
inst_docker() {
apt_repo "docker" "https://download.docker.com/linux/debian/gpg" "https://download.docker.com/linux/debian" "$(lsb_release -cs)" stable
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
}
#### Set repo and install MongoDB ####
inst_mongodb() {
MONGODB_VERSION=${1:-8.0}
apt_repo "mongodb" "https://www.mongodb.org/static/pgp/server-$MONGODB_VERSION.asc" "http://repo.mongodb.org/apt/debian" "bookworm/mongodb-org/$MONGODB_VERSION" "main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq mongodb-org
}
#### Set repo and install MongoDB ####
inst_bashclub() {
BASHCLUB_COMPONENT=${1:-release}
apt_repo "bashclub-$BASHCLUB_COMPONENT" "https://apt.bashclub.org/gpg/bashclub.pub" "https://apt.bashclub.org/$BASHCLUB_COMPONENT" "$(lsb_release -cs)" "main"
apt update
} }
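Review bot: In `apt_repo` the ASCII branch never removes `${tmp_key_file}` on success (only the failure path does `rm -f "${tmp_key_file}"`), so every armored key leaves a copy behind in /tmp; add `rm -f "${tmp_key_file}"` after the successful `gpg --dearmor`. The detection `file "${tmp_key_file}" | grep -q "ASCII"` is fragile because `file` usually describes an armored key as "PGP public key block", which may not contain the word ASCII, in which case the armored text is copied verbatim into a `.gpg` keyring that apt is unlikely to accept; testing the content is more reliable, e.g. `if grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "${tmp_key_file}"; then`. `gpg --dearmor -o "${apt_key_path}"` is also likely to stall or fail when the keyring already exists on a re-run, so `--batch --yes` is worth adding, and the `sudo` prefixes are unnecessary in installers that already run as root. Two callers hard-code `bookworm` as the suite (`inst_45drives`, `inst_mongodb`) while the rest of this change moves the template to debian-13; if those vendors have no trixie suite yet, a comment next to each should say so. The header above `inst_bashclub` still reads `#### Set repo and install MongoDB ####` and should name bashclub, and the `inst_postgresql` comment has typos (`paramater`, `ist curren`).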
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
+5 -5
@@ -5,19 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null inst_nginx
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null inst_postgresql
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq git ssl-cert unzip zip
systemctl enable --now postgresql systemctl enable --now postgresql
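Review bot: Replacing the removed nginx repo lines with `inst_nginx` silently changes the package source from `http://nginx.org/packages/debian` (stable) to the mainline branch that `inst_nginx` hard-codes, and `inst_postgresql` installs `postgresql-18` instead of the distro's unversioned `postgresql`; both may be intended, but neither is mentioned in the commit. If the mainline switch is deliberate, a comment such as `# inst_nginx tracks nginx mainline, not the stable branch this script used before` would document it; otherwise give `inst_nginx` a branch parameter that defaults to mainline and pass stable here. `systemctl enable --now postgresql` relies on the meta-unit from postgresql-common still being pulled in by the versioned package, which is expected but worth confirming on a fresh debian-13 container.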
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
@@ -26,11 +26,12 @@ LXC_NESTING="1"
# enable keyctl feature # enable keyctl feature
LXC_KEYCTL="0" LXC_KEYCTL="0"
# set ecodms release version
ECODMS_RELEASE=ecodms_230164
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=6144 LXC_MEM_MIN=1024
# service dependent meta tags # service dependent meta tags
SERVICE_TAGS="java,postgresql" SERVICE_TAGS="php-fpm,nginx,mariadb"
CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
PHP_VERSION=8.4
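Review bot: `CRED_FILE` and `PHP_VERSION` are appended without the one-line comment every other constant in this file carries, and CRED_FILE is where the new installer writes the admin, API and InfluxDB credentials in plaintext, so its purpose and handling deserve stating: `# Plaintext credential dump written by the installer (mode 600); move or delete after first login`. The memory floor drops from 6144 to 1024 while SERVICE_TAGS now lists php-fpm, nginx and mariadb for a stack that, judging by the new installer, also runs icinga2, influxdb and chromium. 1024 MB looks low for that set and the tags undersell it, so please confirm both against a test container before release.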
+536
@@ -0,0 +1,536 @@
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
source /etc/os-release
# --- Internal Helper Functions ---
_generate_local_password() {
openssl rand -base64 "$1"
}
curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/icinga.list
curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list
curl -fsSL https://repos.influxdata.com/influxdata-archive.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian bookworm stable" > /etc/apt/sources.list.d/influxdata.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \
icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \
mariadb-server mariadb-client influxdb2 influxdb2-client imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \
icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto icinga-x509 \
monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport
ICINGAWEB_DB_PASS=$(_generate_local_password 24)
DIRECTOR_DB_PASS=$(_generate_local_password 24)
ICINGADB_PASS=$(_generate_local_password 24)
ICINGA_X509_DB_PASS=$(_generate_local_password 24)
ICINGA_API_USER_PASS=$(_generate_local_password 24)
NOTIFICATIONS_DB_PASS=$(_generate_local_password 24)
ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
INFLUX_ADMIN_PASS=$(_generate_local_password 16)
INFLUX_ADMIN_TOKEN=$(_generate_local_password 40)
systemctl start mariadb
mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE DATABASE IF NOT EXISTS notifications CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE DATABASE IF NOT EXISTS x509 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';"
mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';"
mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';"
mysql -e "CREATE USER IF NOT EXISTS 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';"
mysql -e "CREATE USER IF NOT EXISTS 'x509'@'localhost' IDENTIFIED BY '${ICINGA_X509_DB_PASS}';"
mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';"
mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';"
mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';"
mysql -e "GRANT ALL PRIVILEGES ON notifications.* TO 'notifications'@'localhost';"
mysql -e "GRANT ALL PRIVILEGES ON x509.* TO 'x509'@'localhost';"
mysql -e "FLUSH PRIVILEGES;"
systemctl start influxdb
influx setup --skip-verify --username admin --password "$INFLUX_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f
INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+')
if [ -z "$INFLUX_ICINGA_TOKEN" ]; then echo "[ERROR] Konnte InfluxDB Token nicht erstellen." >&2; exit 1; fi
mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")"
{
echo "# --- Icinga Monitoring Stack Credentials ---"
echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}"
echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}"
echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}"
} > "$CRED_FILE" && chmod 600 "$CRED_FILE"
systemctl enable --now icingadb-redis
cat > /etc/icinga2/features-available/icingadb.conf <<EOF
library "icingadb"
object IcingaDB "icingadb" {
host = "127.0.0.1"
port = 6380
}
EOF
cat > /etc/icinga2/conf.d/api-users.conf <<EOF
object ApiUser "director" {
password = "${ICINGA_API_USER_PASS}"
permissions = [ "*" ]
}
EOF
cat > /etc/icinga2/features-available/influxdb2-writer.conf <<EOF
object Influxdb2Writer "influxdb2" {
host = "127.0.0.1"
port = 8086
organization = "icinga"
bucket = "icinga"
auth_token = "${INFLUX_ICINGA_TOKEN}"
flush_threshold = 1024
flush_interval = 10s
host_template = {
measurement = "\$host.check_command\$"
tags = {
hostname = "\$host.name\$"
}
}
service_template = {
measurement = "\$service.check_command\$"
tags = {
hostname = "\$host.name\$"
service = "\$service.name\$"
}
}
}
EOF
cat > /etc/icinga2/zones.conf <<EOF
object Endpoint "$(hostname -f)" { host = "127.0.0.1" }
object Zone "master" { endpoints = [ "$(hostname -f)" ] }
object Zone "global-templates" { global = true }
object Zone "director-global" { global = true }
EOF
cat > /etc/icingadb/config.yml <<EOF
database:
type: mysql
host: localhost
database: icingadb
user: icingadb
password: ${ICINGADB_PASS}
redis:
host: 127.0.0.1
port: 6380
logging:
level: info
output: systemd-journald
EOF
mkdir -p /etc/icingaweb2/modules/icingadb
cat << EOF > /etc/icingaweb2/modules/icingadb/config.ini
[icingadb]
resource = icingadb
EOF
cat << EOF > /etc/icingaweb2/modules/icingadb/redis.ini
[redis1]
host = "localhost"
EOF
cat << EOF > /etc/icingaweb2/modules/icingadb/commandtransports.ini
[$(hostname -f)]
transport = "api"
host = "$(hostname -f)"
port = "5665"
username = "director"
password = "${ICINGA_API_USER_PASS}"
EOF
icinga2 feature enable icingadb
mkdir -p /etc/icingaweb2
cat > /etc/icingaweb2/resources.ini <<EOF
[icingaweb_db]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "icingaweb2"
password = "${ICINGAWEB_DB_PASS}"
charset = "utf8mb4"
[director_db]
type = "db"
db = "mysql"
host = "localhost"
dbname = "director"
username = "director"
password = "${DIRECTOR_DB_PASS}"
charset = "utf8mb4"
[icingadb]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingadb"
username = "icingadb"
password = "${ICINGADB_PASS}"
charset = "utf8mb4"
[notifications]
type = "db"
db = "mysql"
host = "localhost"
dbname = "notifications"
username = "notifications"
password = "${NOTIFICATIONS_DB_PASS}"
charset = "utf8mb4"
EOF
cat << EOF > /etc/icinga2/conf.d/services.conf
apply Service "ping4" {
import "generic-service"
check_command = "ping4"
assign where host.address
}
apply Service "ping6" {
import "generic-service"
check_command = "ping6"
assign where host.address6
}
apply Service "ssh" {
import "generic-service"
check_command = "ssh"
assign where (host.address || host.address6) && host.vars.os == "Linux"
}
apply Service for (http_vhost => config in host.vars.http_vhosts) {
import "generic-service"
check_command = "http"
vars += config
}
apply Service for (disk => config in host.vars.disks) {
import "generic-service"
check_command = "disk"
vars += config
}
apply Service "icinga" {
import "generic-service"
check_command = "icinga"
assign where host.name == NodeName
}
apply Service "load" {
import "generic-service"
check_command = "load"
assign where host.name == NodeName
}
apply Service "procs" {
import "generic-service"
check_command = "procs"
assign where host.name == NodeName
}
apply Service "users" {
import "generic-service"
check_command = "users"
assign where host.name == NodeName
}
apply Service "ssl" {
import "generic-service"
check_command = "ssl"
assign where host.name == NodeName
}
apply Service "smtp" {
import "generic-service"
check_command = "smtp"
assign where host.name == NodeName
}
EOF
mkdir -p /etc/nginx/ssl
if [ ! -L /etc/nginx/ssl/fullchain.pem ]; then
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
fi
cat > /etc/nginx/sites-available/icinga-stack <<EOF
server {
listen 80;
server_name ${ZAMBA_HOSTNAME:-$(hostname -f)};
return 301 https://\$host\$request_uri;
}
server {
listen 443 ssl http2;
server_name ${ZAMBA_HOSTNAME:-$(hostname -f)};
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
root /usr/share/icingaweb2/public;
index index.php;
location / { try_files \$uri \$uri/ /index.php\$is_args\$args; }
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
}
#location /grafana {
# proxy_pass http://localhost:3000;
# proxy_set_header Host \$http_host;
#}
location /icingadb-web {
proxy_pass http://localhost:8080/icingadb-web;
proxy_set_header Host \$http_host;
}
}
EOF
cat << EOF > /etc/icinga-notifications/config.yml
database:
type: mysql
host: localhost
database: notifications
user: notifications
password: ${NOTIFICATIONS_DB_PASS}
EOF
mkdir -p /etc/icingaweb2/modules/notifications/
cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
[database]
resource = "notifications"
EOF
mkdir -p /etc/icingaweb2/modules/pdfexport
cat << EOF > /etc/icingaweb2/modules/pdfexport/config.ini
[chrome]
binary = "/usr/bin/chromium"
force_temp_storage = "0"
EOF
ln -sf /etc/nginx/sites-available/icinga-stack /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' "/etc/php/${PHP_VERSION}/fpm/php.ini"
sed -i "s|;date.timezone =|date.timezone = $(cat /etc/timezone)|" "/etc/php/${PHP_VERSION}/fpm/php.ini"
icinga2 api setup
systemctl enable icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb icingadb icingadb-redis icinga-notifications
systemctl start mariadb
systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb
IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql"
DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql"
ICINGADB_SCHEMA="/usr/share/icingadb/schema/mysql/schema.sql"
NOTIFICATIONS_SCHEMA="/usr/share/icinga-notifications/schema/mysql/schema.sql"
X509_SCHEMA="/usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql"
if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi
if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi
if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi
if [ ! -f "$NOTIFICATIONS_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2; exit 1; fi
if [ ! -f "$X509_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $X509_SCHEMA" >&2; exit 1; fi
if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then
echo "[INFO] Importiere IcingaWeb2-Schema..."
mysql icingaweb2 < "$IWEB_SCHEMA"
fi
if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then
echo "[INFO] Importiere Icinga Director-Schema..."
mysql director < "$DIRECTOR_SCHEMA"
fi
if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration"; then
echo "[INFO] Importiere IcingaDB-Schema..."
mysql icingadb < "$ICINGADB_SCHEMA"
fi
if ! mysql -e "use notifications; show tables;" | grep -q "incident_rule_escalation_state"; then
echo "[INFO] Importiere Notifications-Schema..."
mysql notifications < "$NOTIFICATIONS_SCHEMA"
fi
if ! mysql -e "use x509; show tables;" | grep -q "x509_schema"; then
echo "[INFO] Importiere x509-Schema..."
mysql x509 < "$X509_SCHEMA"
fi
cat > /etc/icingaweb2/config.ini <<EOF
[global]
show_stacktraces = "0"
config_backend = "db"
config_resource = "icingaweb_db"
[logging]
log = "file"
log_file = "/var/log/icingaweb2/icingaweb2.log"
level = "ERROR"
EOF
cat > /etc/icingaweb2/authentication.ini <<EOF
[icinga-web-admin]
backend = "db"
resource = "icingaweb_db"
EOF
cat > /etc/icingaweb2/roles.ini <<EOF
[Administrators]
users = "icingaadmin"
permissions = "*"
groups = "Administrators"
EOF
mkdir -p /etc/icingaweb2/modules/monitoring
cat > /etc/icingaweb2/modules/monitoring/backends.ini <<EOF
[icingadb]
backend = "icingadb"
resource = "icingadb"
EOF
mkdir -p /etc/icingaweb2/modules/director
cat > /etc/icingaweb2/modules/director/config.ini <<EOF
[db]
resource = "director_db"
EOF
mkdir -p /etc/icingaweb2/modules/perfdatagraphs
mkdir -p /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2
cat > /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2/config.ini <<EOF
[influx]
api_url = "http://127.0.0.1:8086"
api_token = "${INFLUX_ICINGA_TOKEN}"
api_org = "icinga"
api_bucket = "icinga"
api_tls_insecure = "1"
EOF
cat > /etc/icingaweb2/modules/perfdatagraphs/config.ini << EOF
[perfdatagraphs]
default_timerange = "PT12H"
default_backend = "InfluxDBv2"
EOF
icinga2 feature enable icingadb api influxdb2-writer perfdata
#icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
icingacli module enable reactbundle
icingacli module enable incubator
icingacli module enable director
icingacli module enable icingadb
icingacli module enable perfdatagraphs
icingacli module enable perfdatagraphsinfluxdbv2
icingacli module enable notifications
echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden."
systemctl restart mariadb
systemctl restart php${PHP_VERSION}-fpm
systemctl restart nginx
systemctl restart icingadb
systemctl restart icinga-notifications
echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein."
PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);")
mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';"
echo "[INFO] Warte auf Icinga Web 2 und API..."
counter=0
while ! icingacli director migration run >/dev/null 2>&1; do
counter=$((counter + 1))
if [ "$counter" -gt 15 ]; then
echo "[ERROR] Icinga Director wurde nach 30 Sekunden nicht bereit." >&2
exit 1
fi
echo "[INFO] Director ist noch nicht bereit, warte 2 Sekunden... (Versuch ${counter}/15)"
sleep 2
done
echo "[INFO] Icinga Director ist bereit."
echo "[INFO] Icinga Director Setup wird ausgeführt."
cat > /etc/icingaweb2/modules/director/kickstart.ini <<EOF
[config]
endpoint = "$(hostname -f)"
port = "5665"
username = "director"
password = "${ICINGA_API_USER_PASS}"
EOF
systemctl restart icinga2
icingacli director kickstart run
echo "[INFO] Director Konfiguration wird angewendet."
icingacli director config deploy
echo ""
echo "================================================="
echo " Installation des Icinga Monitoring Stacks abgeschlossen"
echo "================================================="
echo ""
echo "Die Konfiguration wurde erfolgreich abgeschlossen."
echo "Alle notwendigen Passwörter, Logins und API-Keys wurden generiert."
echo ""
echo "Sie finden alle Zugangsdaten in der folgenden Datei:"
echo " ${CRED_FILE}"
echo ""
echo "Wichtige URLs:"
echo " Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2"
echo " IcingaDB Web: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingadb-web"
echo ""
cat ${CRED_FILE}
+2 -2
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
#KIMAI_VERSION="main" #KIMAI_VERSION="main"
# Defines the php version to install # Defines the php version to install
KIMAI_PHP_VERSION="8.2" KIMAI_PHP_VERSION="8.4"
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024 LXC_MEM_MIN=1024
+3 -4
@@ -14,12 +14,11 @@ source /root/constants-service.conf
KIMAI_DB_PWD=$(random_password) KIMAI_DB_PWD=$(random_password)
webroot=/var/www/kimai/public webroot=/var/www/kimai/public
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl inst_php intl,cli,fpm,mysql,xml,mbstring,gd,tokenizer,zip,opcache,curl $KIMAI_PHP_VERSION
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client
mkdir -p /etc/nginx/ssl mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
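Review bot: The new `inst_php … $KIMAI_PHP_VERSION` call passes the version unquoted and without a guard, and this hunk shows no `set -euo pipefail` for this installer although the sibling installers in the same commit gain it (the script head is outside the hunk, so it may be there). If the variable is empty or malformed, `inst_php` is invoked with a missing argument while the separate `apt install` on the following line still succeeds, leaving a half-configured host. A one-line assertion before the call makes that failure explicit: `: "${KIMAI_PHP_VERSION:?KIMAI_PHP_VERSION must be set}"` followed by `inst_php intl,cli,fpm,mysql,xml,mbstring,gd,tokenizer,zip,opcache,curl "$KIMAI_PHP_VERSION"`. `inst_php` is defined outside this hunk, so whether it validates its arguments itself cannot be seen here.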
-276
@@ -1,276 +0,0 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
HOSTNAME=$(hostname -f)
#wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
#echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
#php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
#timedatectl set-timezone Europe/Berlin
#mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### Secure Maria Instance ####
mysqladmin -u root password "[$MARIA_ROOT_PWD]"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
#mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
#### Create user and DB for Kopano ####
mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
echo "root-password: $MARIA_ROOT_PWD,\
db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
cat > /etc/apt/sources.list.d/kopano.list << EOF
# Kopano Core
deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
# Kopano WebApp
deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
# Kopano MobileDeviceManagement
deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
# Kopano Files
deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
# Z-Push
deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
EOF
cat > /etc/apt/auth.conf.d/kopano.conf << EOF
machine download.kopano.io
login serial
password $KOPANO_REPKEY
EOF
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
apt update && apt full-upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files
#### Adjust kopano settings ####
cat > /etc/kopano/ldap.cfg << EOF
!include /usr/share/kopano/ldap.active-directory.cfg
ldap_uri = ldap://192.168.100.100:389
ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
ldap_bind_passwd = Start123!
ldap_search_base = dc=zmb,dc=rocks
#ldap_user_search_filter = (kopanoAccount=1)
EOF
cat > /etc/kopano/server.cfg << EOF
server_listen = *:236
local_admin_users = root kopano
#database_engine = mysql
#mysql_host = localhost
#mysql_port = 3306
mysql_user = $MARIA_DB_USER
mysql_password = $MARIA_USER_PWD
mysql_database = $MARIA_DB_NAME
#user_plugin = ldap
#user_plugin_config = /etc/kopano/ldap.cfg
EOF
#### Adjust php settings ####
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
[webapp]
listen = 127.0.0.1:9002
user = www-data
group = www-data
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 150
pm.start_servers = 35
pm.min_spare_servers = 20
pm.max_spare_servers = 50
pm.max_requests = 200
listen.backlog = -1
request_terminate_timeout = 120s
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes
EOF
sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
#### Adjust nginx settings ####
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
generate_dhparam
#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/sites-available/webapp.conf << EOF
upstream php-handler {
#server 127.0.0.1:9002;
#server unix:/var/run/php5-fpm.sock;
server unix:/var/run/php/php7.4-fpm.sock;
}
server{
listen 80;
charset utf-8;
listen [::]:80;
server_name _;
location / {
rewrite ^(.*) https://\$server_name\$1 permanent;
}
}
server {
charset utf-8;
listen 443;
listen [::]:443 ssl;
server_name _;
ssl on;
client_max_body_size 1024m;
ssl_certificate /etc/ssl/certs/kopano.crt;
ssl_certificate_key /etc/ssl/private/kopano.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
#
# ssl_dhparam require you to create a dhparam.pem, this takes a long time
ssl_dhparam /etc/nginx/dhparam.pem;
#
# add headers
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location /webapp {
alias /usr/share/kopano-webapp/;
index index.php;
location ~ /webapp/presence/ {
rewrite ^/webapp/presence(/.*)$ \$1 break;
proxy_pass http://localhost:1234;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}
}
location ~* ^/webapp/(.+\.php)$ {
alias /usr/share/kopano-webapp/;
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
fastcgi_param PHP_VALUE "
register_globals=off
magic_quotes_gpc=off
magic_quotes_runtime=off
post_max_size=31M
upload_max_filesize=30M
";
fastcgi_param PHP_VALUE "post_max_size=31M
upload_max_filesize=30M
max_execution_time=3660
";
include fastcgi_params;
fastcgi_index index.php;
#fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME \$document_root\$1;
fastcgi_pass php-handler;
access_log /var/log/nginx/kopano-webapp-access.log;
error_log /var/log/nginx/kopano-webapp-error.log;
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
# All (static) resources set to 2 months expiration time.
location ~* \.(?:jpg|gif|png)\$ {
expires 2M;
access_log off;
add_header Cache-Control "public";
}
# enable gzip compression
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css application/json;
gzip_vary on;
}
}
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
EOF
ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
phpenmod kopano
systemctl restart php7.4-fpm nginx
+19 -23
@@ -24,29 +24,7 @@ EOF
locale-gen $LXC_LOCALE locale-gen $LXC_LOCALE
# Generate sources # Generate sources
if [ "$LXC_TEMPLATE_VERSION" == "debian-10-standard" ] ; then if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main contrib
deb http://deb.debian.org/debian/ buster-updates main contrib
# security updates
deb http://security.debian.org/debian-security buster/updates main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-11-standard" ] ; then
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bullseye main contrib
deb http://deb.debian.org/debian/ bullseye-updates main contrib
# security updates
deb http://security.debian.org/debian-security bullseye-security main contrib
EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
cat << EOF > /etc/apt/sources.list cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main contrib deb http://deb.debian.org/debian/ bookworm main contrib
@@ -56,6 +34,24 @@ deb http://deb.debian.org/debian/ bookworm-updates main contrib
# security updates # security updates
deb http://security.debian.org/debian-security bookworm-security main contrib deb http://security.debian.org/debian-security bookworm-security main contrib
EOF EOF
elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
cat << EOF > /etc/apt/sources.list.d/debian.sources
Types: deb deb-src
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main non-free-firmware contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb deb-src
URIs: https://security.debian.org/debian-security
Suites: trixie-security
Components: main non-free-firmware contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
else echo "LXC Debian Version false. Please check configuration files!" ; exit else echo "LXC Debian Version false. Please check configuration files!" ; exit
fi fi
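Review bot: The new trixie stanza enables `deb-src` and the `non-free` component on both the main and the security source, while the bookworm branch just above it only enables `main contrib` for binary packages; this widens what `apt` can install in every container built from this template. Unless a service actually needs non-free packages, keep parity with `Types: deb` and `Components: main contrib non-free-firmware` (`non-free-firmware` is the only component Debian 12+ newly splits out). Pinning `Signed-By` to the archive keyring is a good addition. The unchanged `else … exit` at the end still exits with status 0 on a misconfiguration, so a caller running under the strict mode this commit introduces would not notice; `exit 1` would turn it into an error.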
+2 -2
@@ -8,12 +8,12 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/docker" LXC_SHAREFS_MOUNTPOINT="backup"
# Defines the recordsize of mp0 # Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K" LXC_MP_RECORDSIZE="16K"
+56 -54
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
@@ -17,7 +19,7 @@ chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources: # Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
SECRET=$(random_password) SECRET=$(random_password)
@@ -73,6 +75,21 @@ EOF
} }
# fix docker errors for slow machines
cat << EOF > /etc/docker/daemon.json
{
"default-ulimits": {
"nproc": {
"Name": "nproc",
"Soft": 4096,
"Hard": 4096
}
}
}
EOF
systemctl restart docker
cd /opt cd /opt
git clone https://github.com/mailcow/mailcow-dockerized git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized cd mailcow-dockerized
@@ -104,6 +121,8 @@ DBUSER=mailcow
DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28) DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28) DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
# ------------------------------ # ------------------------------
# HTTP/S Bindings # HTTP/S Bindings
# ------------------------------ # ------------------------------
@@ -139,7 +158,6 @@ POPS_PORT=995
SIEVE_PORT=4190 SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991 DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306 SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654 REDIS_PORT=127.0.0.1:7654
# Your timezone # Your timezone
@@ -225,15 +243,6 @@ SKIP_CLAMD=n
SKIP_SOGO=n SKIP_SOGO=n
# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
SKIP_SOLR=n
# Solr heap size in MB, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
SOLR_HEAP=1024
# Allow admins to log into SOGo as email user (without any password) # Allow admins to log into SOGo as email user (without any password)
ALLOW_ADMIN_EMAIL_LOGIN=n ALLOW_ADMIN_EMAIL_LOGIN=n
@@ -257,7 +266,7 @@ USE_WATCHDOG=y
#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# JSON body included in the webhook POST request. Needs to be in single quotes. # JSON body included in the webhook POST request. Needs to be in single quotes.
# Following variables are available: SUBJECT, BODY # Following variables are available: SUBJECT, BODY
#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}' #WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**\${SUBJECT}**\n\${BODY}"}'
# Notify about banned IP (includes whois lookup) # Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n WATCHDOG_NOTIFY_BAN=n
@@ -344,52 +353,45 @@ WEBAUTHN_ONLY_TRUSTED_VENDORS=n
# Otherwise it will work normally. # Otherwise it will work normally.
SPAMHAUS_DQS_KEY= SPAMHAUS_DQS_KEY=
EOF # Obtain certificates for autodiscover.* and autoconfig.* domains.
# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
# between services. So acme-mailcow obtains for maildomains and all web-things get handled
# in the reverse proxy.
AUTODISCOVER_SAN=y
# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n
SKIP_UNBOUND_HEALTHCHECK=n
# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
DISABLE_NETFILTER_ISOLATION_RULE=n
# ------------------------------
# REDIS configuration
# ------------------------------
REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.
# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.
# Please always monitor your Resource consumption!
FTS_HEAP=128
# Controls how many processes the Dovecot indexing process can spawn at max.
# Too many indexing processes can use a lot of CPU and Disk I/O
# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations
FTS_PROCS=1
# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.
# Dovecot inside mailcow use Flatcurve as FTS Backend.
SKIP_FTS=y
# Redirect HTTP connections to HTTPS - y/n
HTTP_REDIRECT=y
cat << EOF > data/conf/nginx/redirect.conf
server {
root /web;
listen 80 default_server;
listen [::]:80 default_server;
include /etc/nginx/conf.d/server_name.active;
if ( \$request_uri ~* "%0A|%0D" ) { return 403; }
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
location / {
return 301 https://\$host\$uri\$is_args\$args;
}
}
EOF EOF
cat << EOF > /etc/cron.daily/mailcowbackup cat << EOF > /etc/cron.daily/mailcowbackup
#!/bin/sh #!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Backup mailcow data 25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized
# https://docs.mailcow.email/backup_restore/b_n_r-backup/ 40 2 * * * rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes
5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3
set -e
OUT="\$(mktemp)"
export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
PARAMETERS="backup all"
OPTIONS="--delete-days 7"
mkdir -p \$MAILCOW_BACKUP_LOCATION
# run command
set +e
"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
RESULT=\$?
if [ \$RESULT -ne 0 ]
then
echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
echo "RESULT=\$RESULT"
echo "STDOUT / STDERR:"
cat "\$OUT"
fi
EOF EOF
chmod +x /etc/cron.daily/mailcowbackup chmod +x /etc/cron.daily/mailcowbackup
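Review bot: In the new backup cron script the redirection `2>&1 > "\$OUT"` is in the wrong order: it sends stderr to the cron job's original stdout and only stdout into the temp file, so the `cat "\$OUT"` on failure misses exactly the error text it is meant to show, and the `mktemp` file is never removed. Write it as `"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} > "\$OUT" 2>&1` and add `trap 'rm -f "\$OUT"' EXIT` right after the `OUT=` line. Separately, `REDISPASS=$(…)` is emitted twice in this section, once next to `DBROOT` and again under the new "REDIS configuration" header, each with an independently generated value; if both land inside the mailcow.conf heredoc as the surrounding `DBPASS`/`DBROOT` lines suggest, the config ends up with two different Redis passwords and which one the stack honours depends on the parser, so one of the two lines should be dropped. The heredoc that produces mailcow.conf starts outside the hunk.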
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+16 -12
@@ -5,10 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
#### Set repo and install matrix ####
inst_matrix() {
apt_repo "matrix" "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" "https://packages.matrix.org/debian" "$(lsb_release -cs)" "main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq matrix-synapse-py3 && systemctl enable matrix-synapse
}
MRX_PKE=$(random_password) MRX_PKE=$(random_password)
ELE_DBNAME="synapse_db" ELE_DBNAME="synapse_db"
@@ -17,15 +26,10 @@ ELE_DBPASS=$(random_password)
ELE_PATH=/var/www/element-web ELE_PATH=/var/www/element-web
WEBROOT=/var/www WEBROOT=/var/www
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx postgresql python3-psycopg2 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx python3-psycopg2
wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg inst_postgresql
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list inst_matrix
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq matrix-synapse-py3
systemctl enable matrix-synapse
ss -tulpen
mkdir -p /etc/nginx/ssl mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN" openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"
@@ -47,9 +51,9 @@ server {
server { server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on;
server_name $MATRIX_FQDN; server_name $MATRIX_FQDN;
ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt; ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key; ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -62,9 +66,9 @@ server {
server { server {
listen 8448 ssl; listen 8448 ssl;
listen [::]:8448 ssl; listen [::]:8448 ssl;
http2 on;
server_name $MATRIX_FQDN; server_name $MATRIX_FQDN;
ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt; ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key; ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -97,9 +101,9 @@ server {
server { server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on;
server_name $MATRIX_ELEMENT_FQDN; server_name $MATRIX_ELEMENT_FQDN;
ssl on;
ssl_certificate /etc/nginx/ssl/matrix.crt; ssl_certificate /etc/nginx/ssl/matrix.crt;
ssl_certificate_key /etc/nginx/ssl/matrix.key; ssl_certificate_key /etc/nginx/ssl/matrix.key;
@@ -154,6 +158,6 @@ systemctl restart matrix-synapse
rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p \'$MATRIX_ADMIN_PASSWORD\' -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008 register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008
echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n" echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
+5 -2
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
@@ -30,7 +30,10 @@ LXC_KEYCTL="0"
NEXTCLOUD_VERSION="latest" NEXTCLOUD_VERSION="latest"
# Defines the php version to install # Defines the php version to install
NEXTCLOUD_PHP_VERSION="8.2" NEXTCLOUD_PHP_VERSION="8.4"
# Defines the postgresql version to install
POSTGRES_VERSION=17
# Defines the IP from the SQL server # Defines the IP from the SQL server
NEXTCLOUD_DB_IP="127.0.0.1" NEXTCLOUD_DB_IP="127.0.0.1"
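Review bot: The new `POSTGRES_VERSION=17` line is the only unquoted value in this block, while the neighbouring constants (`LXC_TEMPLATE_VERSION`, `NEXTCLOUD_PHP_VERSION`, `NEXTCLOUD_DB_IP`) are all double-quoted, so for consistency write `POSTGRES_VERSION="17"`. The comment above it could also state what the value must agree with: the Nextcloud installer in this same commit builds the path `/etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf` from it, so it has to match the major version the postgresql package actually installs, otherwise the tuning file would presumably land in a directory the running server never reads. Suggested comment: `# Defines the postgresql major version to install; must match the /etc/postgresql/<major>/ directory of the installed server`.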
+461 -344
@@ -5,130 +5,68 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
NEXTCLOUD_ADMIN_PWD=$(random_password)
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
NEXTCLOUD_ADMIN_PWD=$(random_password)
NEXTCLOUD_REDIS_PWD=$(random_password)
HOSTNAME=$(hostname -f) HOSTNAME=$(hostname -f)
HOST_IP=$(hostname -i)
wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null #### Modify Nginx for Nextcloud ####
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list mod_nginx() {
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
timedatectl set-timezone $LXC_TIMEZONE
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### Create database for nextcloud ####
su - postgres <<EOF
psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
EOF
#### Adjust php settings ####
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
#### Adjust nginx settings ####
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN" openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
generate_dhparam generate_dhparam
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/nginx.conf <<EOF cat > /etc/nginx/nginx.conf <<EOF
user www-data; user www-data;
worker_processes auto; worker_processes auto;
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
events { events {
worker_connections 1024; worker_connections 2048;
multi_accept on; use epoll; multi_accept on;
use epoll;
} }
http { http {
server_names_hash_bucket_size 64; log_format bashclub escape=json
access_log /var/log/nginx/access.log; '{'
error_log /var/log/nginx/error.log warn; '"time_local":"\$time_local",'
set_real_ip_from 127.0.0.1; '"remote_addr":"\$remote_addr",'
#optional, Sie können das eigene Subnetz ergänzen, bspw.: '"remote_user":"\$remote_user",'
# set_real_ip_from $LXC_IP; '"request":"\$request",'
real_ip_header X-Forwarded-For; '"status": "\$status",'
real_ip_recursive on; '"body_bytes_sent":"\$body_bytes_sent",'
include /etc/nginx/mime.types; '"request_time":"\$request_time",'
types { '"http_referrer":"\$http_referer",'
text/javascript mjs; '"http_user_agent":"\$http_user_agent"'
} '}';
default_type application/octet-stream; server_names_hash_bucket_size 64;
sendfile on; access_log /var/log/nginx/access.log;
send_timeout 3600; error_log /var/log/nginx/error.log warn;
tcp_nopush on; set_real_ip_from 127.0.0.1;
tcp_nodelay on; # optional, set reverse proxy ip, if used:
open_file_cache max=500 inactive=10m; # set_real_ip_from $NEXTCLOUD_REVPROX;
open_file_cache_errors on; real_ip_header X-Forwarded-For;
keepalive_timeout 65; real_ip_recursive on;
reset_timedout_connection on; include /etc/nginx/mime.types;
server_tokens off; default_type application/octet-stream;
resolver 127.0.0.53 valid=30s; sendfile on;
resolver_timeout 5s; send_timeout 3600;
include /etc/nginx/conf.d/*.conf; tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver $NEXTCLOUD_REVPROX valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
} }
EOF EOF
@@ -137,170 +75,309 @@ touch /etc/nginx/conf.d/default.conf
cat > /etc/nginx/conf.d/http.conf << EOF cat > /etc/nginx/conf.d/http.conf << EOF
upstream php-handler { upstream php-handler {
server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock; server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
} }
map \$arg_v \$asset_immutable { map \$arg_v \$asset_immutable {
"" ""; "" "";
default "immutable"; default "immutable";
} }
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
server_name $NEXTCLOUD_FQDN; server_name $NEXTCLOUD_FQDN;
root /var/www; root /var/www;
location / { location ^~ /.well-known/acme-challenge {
return 301 https://\$host\$request_uri; default_type text/plain;
} root /var/www/letsencrypt;
}
location / {
return 301 https://\$host\$request_uri;
}
} }
EOF EOF
cat > /etc/nginx/conf.d/nextcloud.conf << EOF cat > /etc/nginx/conf.d/nextcloud.conf << EOF
limit_req_zone \$binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s;
server { server {
listen 443 ssl http2; listen 443 ssl default_server;
listen [::]:443 ssl http2; listen [::]:443 ssl default_server;
server_name $NEXTCLOUD_FQDN; http2 on;
ssl_certificate /etc/ssl/certs/nextcloud.crt; #listen 443 quic reuseport;
ssl_certificate_key /etc/ssl/private/nextcloud.key; #listen [::]:443 quic reuseport;
ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt; #http3 on;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem; #http3_hq on;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem; #quic_retry on;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem; server_name $NEXTCLOUD_FQDN;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem; ssl_certificate /etc/ssl/certs/nextcloud.crt;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem; ssl_certificate_key /etc/ssl/private/nextcloud.key;
ssl_dhparam /etc/nginx/dhparam.pem; ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
ssl_session_timeout 1d; #ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
ssl_session_cache shared:SSL:50m; #ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
ssl_session_tickets off; #ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
ssl_protocols TLSv1.3 TLSv1.2; #ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'; #ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_ecdh_curve X448:secp521r1:secp384r1; ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on; ssl_session_timeout 1d;
ssl_stapling on; ssl_session_cache shared:SSL:50m;
ssl_stapling_verify on; ssl_session_tickets off;
client_max_body_size 5120M; ssl_protocols TLSv1.3 TLSv1.2;
client_body_timeout 300s; ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
client_body_buffer_size 512k; ssl_prefer_server_ciphers on;
fastcgi_buffers 64 4K; ssl_stapling on;
gzip on; ssl_stapling_verify on;
gzip_vary on; client_max_body_size 10G;
gzip_comp_level 4; client_body_timeout 3600s;
gzip_min_length 256; client_body_buffer_size 512k;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; fastcgi_buffers 64 4K;
gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; gzip on;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; gzip_vary on;
add_header Permissions-Policy "interest-cohort=()"; gzip_comp_level 4;
add_header Referrer-Policy "no-referrer" always; gzip_min_length 256;
add_header X-Content-Type-Options "nosniff" always; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
add_header X-Download-Options "noopen" always; gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header X-Frame-Options "SAMEORIGIN" always; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header Permissions-Policy "interest-cohort=()";
add_header X-Robots-Tag "noindex, nofollow" always; add_header Referrer-Policy "no-referrer" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always;
fastcgi_hide_header X-Powered-By; add_header X-Download-Options "noopen" always;
fastcgi_read_timeout 3600; add_header X-Frame-Options "SAMEORIGIN" always;
fastcgi_send_timeout 3600; add_header X-Permitted-Cross-Domain-Policies "none" always;
fastcgi_connect_timeout 3600; add_header X-Robots-Tag "noindex, nofollow" always;
root /var/www/nextcloud; add_header X-XSS-Protection "1; mode=block" always;
index index.php index.html /index.php\$request_uri; add_header Alt-Svc 'h3=":\$server_port"; ma=86400';
expires 1m; add_header x-quic 'h3';
location = / { add_header Alt-Svc 'h3-29=":\$server_port"';
if ( \$http_user_agent ~ ^DavClnt ) { fastcgi_hide_header X-Powered-By;
return 302 /remote.php/webdav/\$is_args\$args; include mime.types;
} types {
} text/javascript mjs;
location = /robots.txt { }
allow all; root /var/www/nextcloud;
log_not_found off; index index.php index.html /index.php\$request_uri;
access_log off; location = / {
} if ( \$http_user_agent ~ ^DavClnt ) {
location ^~ /apps/rainloop/app/data { return 302 /remote.php/webdav/\$is_args\$args;
deny all; }
} }
location ^~ /.well-known { location = /robots.txt {
location = /.well-known/carddav { return 301 /remote.php/dav/; } allow all;
location = /.well-known/caldav { return 301 /remote.php/dav/; } log_not_found off;
location ^~ /.well-known { return 301 /index.php/\$uri; } access_log off;
try_files \$uri \$uri/ =404; }
} location ^~ /.well-known {
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/) { return 404; } location = /.well-known/carddav { return 301 /remote.php/dav/; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } location = /.well-known/caldav { return 301 /remote.php/dav/; }
location ~ \.php(?:\$|/) { location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; }
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; location /.well-known/pki-validation { try_files \$uri \$uri/ =404; }
fastcgi_split_path_info ^(.+?\.php)(/.*)\$; return 301 /index.php\$request_uri;
set \$path_info \$fastcgi_path_info; }
try_files \$fastcgi_script_name =404; location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
include fastcgi_params; location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; location ~ \.php(?:$|/) {
fastcgi_param PATH_INFO \$path_info; rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php\$request_uri;
fastcgi_param HTTPS on; fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param modHeadersAvailable true; set \$path_info \$fastcgi_path_info;
fastcgi_param front_controller_active true; try_files \$fastcgi_script_name =404;
fastcgi_pass php-handler; include fastcgi_params;
fastcgi_intercept_errors on; fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_request_buffering off; fastcgi_param PATH_INFO \$path_info;
} fastcgi_param HTTPS on;
location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ { fastcgi_param modHeadersAvailable true;
try_files \$uri /index.php\$request_uri; fastcgi_param front_controller_active true;
expires 6M; fastcgi_pass php-handler;
access_log off; fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_max_temp_file_size 0;
}
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files \$uri /index.php\$request_uri;
add_header Cache-Control "public, max-age=15768000, \$asset_immutable";
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Alt-Svc 'h3=":\$server_port"; ma=86400';
add_header x-quic 'h3';
add_header Alt-Svc 'h3-29=":\$server_port"';
access_log off;
expires 6M;
access_log off;
location ~ \.wasm$ { location ~ \.wasm$ {
default_type application/wasm; default_type application/wasm;
} }
} }
location ~ \.woff2?\$ { location ~ \.(otf|woff2?)$ {
try_files \$uri /index.php\$request_uri; try_files \$uri /index.php\$request_uri;
expires 7d; expires 7d;
access_log off; access_log off;
} }
location / { location /remote {
try_files \$uri \$uri/ /index.php\$request_uri; return 301 /remote.php\$request_uri;
} }
location /push/ { location /login {
proxy_pass http://localhost:7867/; limit_req zone=NextcloudRateLimit burst=5 nodelay;
proxy_http_version 1.1; limit_req_status 429;
proxy_set_header Upgrade \$http_upgrade; try_files \$uri \$uri/ /index.php\$request_uri;
proxy_set_header Connection "Upgrade"; }
proxy_set_header Host \$host; location / {
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; try_files \$uri \$uri/ /index.php\$request_uri;
} }
location ^~ /push/ {
proxy_pass http://127.0.0.1:7867/;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
} }
EOF EOF
}
systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx #### Modify php settings for Nextcloud ####
mod_php() {
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
cp /etc/ImageMagick-7/policy.xml /etc/ImageMagick-7/policy.xml.bak
#### Adjust redis settings #### sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_children =.*/pm.max_children = 200/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.start_servers =.*/pm.start_servers = 100/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 60/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 140/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/;cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 1G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.validate_timestamps=.*/opcache.validate_timestamps=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=256/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=100000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.huge_code_pages=.*/opcache.huge_code_pages=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
sed -i '$aapc.enable_cli=1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-7/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-7/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-7/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-7/policy.xml
sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.max_persistent = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.max_links = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.ignore_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.log_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
}
#### Modify Postgresql for Nextcloud ####
mod_postgresql() {
su - postgres <<EOF
psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
EOF
cat > /etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf <<EOF
max_connections = 200
shared_buffers = 1GB
effective_cache_size = 3GB
maintenance_work_mem = 256MB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 1.1
effective_io_concurrency = 200
work_mem = 2621kB
min_wal_size = 1GB
max_wal_size = 4GB
max_worker_processes = 4
max_parallel_workers_per_gather = 2
max_parallel_workers = 4
max_parallel_maintenance_workers = 2
EOF
}
#### Install and modify Redis-server ####
inst_redis() {
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends redis-server
}
mod_redis() {
cp /etc/redis/redis.conf /etc/redis/redis.conf.bak cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
sed -i "s/port 6379/port 0/" /etc/redis/redis.conf sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
usermod -aG redis www-data usermod -aG redis www-data
echo 'vm.overcommit_memory = 1' > /etc/sysctl.d/overcommit_memory.conf
}
#### Adjust sysctl.conf settings #### #### Install some more packages
inst_packages() {
cp /etc/sysctl.conf /etc/sysctl.conf.bak DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-7.q16-10-extra
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf timedatectl set-timezone $LXC_TIMEZONE
systemctl restart redis mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### HIER MÜSSTE EIN REBOOT REIN #### }
#### Install nextcloud ####
#### Install and modify Nextcloud ####
inst_nextcloud() {
cd /usr/local/src cd /usr/local/src
wget https://download.nextcloud.com/server/releases/latest.tar.bz2 wget https://download.nextcloud.com/server/releases/latest.tar.bz2
wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5 wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
md5sum -c latest.tar.bz2.md5 < latest.tar.bz2 md5sum -c --ignore-missing latest.tar.bz2.md5 < latest.tar.bz2
tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2*
tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
cat > /root/permissions.sh << EOF cat > /root/permissions.sh << EOF
#!/bin/bash #!/bin/bash
find /var/www/ -type f -print0 | xargs -0 chmod 0640 find /var/www/ -type f -print0 | xargs -0 chmod 0640
find /var/www/ -type d -print0 | xargs -0 chmod 0750 find /var/www/ -type d -print0 | xargs -0 chmod 0750
if [ -d "/var/www/nextcloud/apps/notify_push" ]; then
chmod ug+x /var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push
fi
chmod -R 770 /etc/letsencrypt
chown -R www-data:www-data /var/www chown -R www-data:www-data /var/www
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
chmod 0644 /var/www/nextcloud/.htaccess chmod 0644 /var/www/nextcloud/.htaccess
@@ -310,39 +387,14 @@ EOF
chmod +x /root/permissions.sh chmod +x /root/permissions.sh
/root/permissions.sh /root/permissions.sh
}
#### install fail2ban ####
cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
EOF
cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 3600
findtime = 36000
logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log
EOF
systemctl restart fail2ban
#### Create configuration script for nextcloud, which will be executet as user www-data #### Create configuration script for nextcloud, which will be executet as user www-data
mod_nextcloudconfig() {
cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE systemctl stop nginx
#!/bin/bash sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \
php /var/www/nextcloud/occ maintenance:install --database pgsql \
--database-host $NEXTCLOUD_DB_IP \ --database-host $NEXTCLOUD_DB_IP \
--database-port $NEXTCLOUD_DB_PORT \ --database-port $NEXTCLOUD_DB_PORT \
--database-name $NEXTCLOUD_DB_NAME \ --database-name $NEXTCLOUD_DB_NAME \
@@ -352,110 +404,175 @@ php /var/www/nextcloud/occ maintenance:install --database pgsql \
--admin-pass $NEXTCLOUD_ADMIN_PWD \ --admin-pass $NEXTCLOUD_ADMIN_PWD \
--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA --data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
sed -i '/);/d' /var/www/nextcloud/config/config.php sed -i '/);/d' /var/www/nextcloud/config/config.php
sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
cat >> /var/www/nextcloud/config/config.php << EOF cat >> /var/www/nextcloud/config/config.php << EOF
'activity_expire_days' => 14, 'activity_expire_days' => 14,
'auth.bruteforce.protection.enabled' => true, 'allow_local_remote_servers' => true,
'blacklisted_files' => 'auth.bruteforce.protection.enabled' => true,
array ( 'forbidden_filenames' =>
0 => '.htaccess', array (
1 => 'Thumbs.db', 0 => '.htaccess',
2 => 'thumbs.db', 1 => 'Thumbs.db',
), 2 => 'thumbs.db',
'cron_log' => true, ),
'default_phone_region' => 'DE', 'cron_log' => true,
'enable_previews' => true, 'default_phone_region' => 'DE',
'enabledPreviewProviders' => 'enable_previews' => true,
array ( 'enabledPreviewProviders' =>
0 => 'OC\Preview\PNG', array (
1 => 'OC\Preview\JPEG', 0 => 'OC\\Preview\\PNG',
2 => 'OC\Preview\GIF', 1 => 'OC\\Preview\\JPEG',
3 => 'OC\Preview\BMP', 2 => 'OC\\Preview\\GIF',
4 => 'OC\Preview\XBitmap', 3 => 'OC\\Preview\\BMP',
5 => 'OC\Preview\Movie', 4 => 'OC\\Preview\\XBitmap',
6 => 'OC\Preview\PDF', 5 => 'OC\\Preview\\Movie',
7 => 'OC\Preview\MP3', 6 => 'OC\\Preview\\PDF',
8 => 'OC\Preview\TXT', 7 => 'OC\\Preview\\MP3',
9 => 'OC\Preview\MarkDown', 8 => 'OC\\Preview\\TXT',
), 9 => 'OC\\Preview\\MarkDown',
'filesystem_check_changes' => 0, 10 => 'OC\\Preview\\HEIC',
'filelocking.enabled' => 'true', 11 => 'OC\\Preview\\Movie',
'htaccess.RewriteBase' => '/', 12 => 'OC\\Preview\\MKV',
'integrity.check.disabled' => false, 13 => 'OC\\Preview\\MP4',
'knowledgebaseenabled' => false, 14 => 'OC\\Preview\\AVI',
'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log', ),
'loglevel' => 2, 'filesystem_check_changes' => 0,
'logtimezone' => '$LXC_TIMEZONE', 'filelocking.enabled' => 'true',
'log_rotate_size' => 104857600, 'htaccess.RewriteBase' => '/',
'maintenance' => false, 'integrity.check.disabled' => false,
'memcache.local' => '\OC\Memcache\APCu', 'knowledgebaseenabled' => false,
'memcache.locking' => '\OC\Memcache\Redis', 'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log',
'overwriteprotocol' => 'https', 'loglevel' => 2,
'preview_max_x' => 1024, 'logtimezone' => '$LXC_TIMEZONE',
'preview_max_y' => 768, 'log_rotate_size' => 104857600,
'preview_max_scale_factor' => 1, 'memcache.local' => '\OC\Memcache\APCu',
'redis' => 'memcache.locking' => '\OC\Memcache\Redis',
array ( 'overwriteprotocol' => 'https',
'host' => '/var/run/redis/redis-server.sock', 'preview_max_x' => 1024,
'port' => 0, 'preview_max_y' => 768,
'timeout' => 0.0, 'preview_max_scale_factor' => 1,
), 'profile.enabled' => false,
'quota_include_external_storage' => false, 'redis' =>
'share_folder' => '/Freigaben', array (
'skeletondirectory' => '', 'host' => '/run/redis/redis-server.sock',
'theme' => '', 'port' => 0,
'trashbin_retention_obligation' => 'auto, 7', 'password' => '$NEXTCLOUD_REDIS_PWD',
'updater.release.channel' => 'stable', 'timeout' => 0.0,
'trusted_proxies' => ),
array ( 'quota_include_external_storage' => false,
'$NEXTCLOUD_REVPROX', 'share_folder' => '/Freigaben',
'127.0.0.1', 'skeletondirectory' => '',
'::1', 'theme' => '',
), 'trashbin_retention_obligation' => 'auto, 7',
'updater.release.channel' => 'stable',
'maintenance_window_start' => 1,
'maintenance' => false,
'mail_smtpmode' => 'sendmail',
'mail_sendmailmode' => 'smtp',
'mail_from_address' => '$NEXTCLOUD_ADMIN_USR',
'mail_domain' => '$NEXTCLOUD_FQDN',
'overwrite.cli.url' => 'https://$NEXTCLOUD_FQDN',
'overwritehost' => '$NEXTCLOUD_FQDN',
'trusted_domains' =>
array (
0 => '$HOST_IP',
1 => '$NEXTCLOUD_FQDN',
),
); );
EOF EOF
sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
php /var/www/nextcloud/occ app:disable survey_client
php /var/www/nextcloud/occ app:disable firstrunwizard
php /var/www/nextcloud/occ app:enable admin_audit
php /var/www/nextcloud/occ app:enable notify_push
php /var/www/nextcloud/occ app:enable files_pdfviewer
php /var/www/nextcloud/occ background:cron
DFOE
/root/permissions.sh /root/permissions.sh
su -s /bin/bash www-data <<EOF sudo -u www-data /usr/bin/cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable survey_client
EOF sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable firstrunwizard
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable admin_audit
#sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable notify_push
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ background:cron
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ db:add-missing-indices
sudo -u www-data nohup /usr/bin/php /var/www/nextcloud/occ maintenance:repair --include-expensive &
sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
#### Create file for high performance backend echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm
systemctl start nginx
cat > /etc/systemd/system/notify_push.service << EOF cat > /etc/systemd/system/notify_push.service << EOF
[Unit] [Unit]
Description = Push daemon for Nextcloud clients Description = Push daemon for Nextcloud clients
After=nginx.service php$NEXTCLOUD_PHP_VERSION-fpm.service system-postgresql.slice redis-server.service
[Service] [Service]
Environment=PORT=7867 Environment=PORT=7867
Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
Environment=ALLOW_SELF_SIGNED=true Environment=ALLOW_SELF_SIGNED=true
ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
User=www-data User=www-data
[Install] [Install]
WantedBy = multi-user.target WantedBy = multi-user.target
EOF EOF
systemctl daemon-reload systemctl daemon-reload
systemctl enable --now notify_push systemctl enable notify_push
}
echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud #### Modifying Crowdsec ####
mod_crowdsec() {
systemctl restart crowdsec
cscli collections install crowdsecurity/nginx
cscli collections install crowdsecurity/nextcloud
cscli collections install crowdsecurity/sshd
cat >> /etc/crowdsec/acquis.yaml << EOF
filenames:
- /var/log/nextcloud/nextcloud.log
labels:
type: Nextcloud
---
EOF
systemctl reload crowdsec
}
#### Install the system !####
echo "=> Installing Nginx ..."
inst_nginx
echo "=> Modifying Nginx config for Nextcloud ..."
mod_nginx
echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
inst_php fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline $NEXTCLOUD_PHP_VERSION
echo "=> Modifying PHP config for Nextcloud ..."
mod_php
echo "=> Installing Postgresql $POSTGRES_VERSION ..."
inst_postgresql
echo "=> Modifying Postgresql config for Nextcloud ..."
mod_postgresql
echo "=> Installing Redis-server ..."
inst_redis
echo "=> Modifying Redis-server for Nextcloud ..."
mod_redis
echo "=> Installing some more packages ..."
inst_packages
echo "=> Installing Nextcloud ..."
inst_nextcloud
echo "=> Modifying Nextcloud ..."
mod_nextcloudconfig
echo "=> Installing Crowdsec ..."
inst_crowdsec
echo "=> Modifying Crowdsec ..."
mod_crowdsec
echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################" echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################"
shutdown -r now
+2 -2
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
@@ -27,7 +27,7 @@ LXC_NESTING="1"
LXC_KEYCTL="0" LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048 LXC_MEM_MIN=4096
# service dependent meta tags # service dependent meta tags
SERVICE_TAGS="mongodb-server,java" SERVICE_TAGS="mongodb-server,java"
+5 -8
@@ -10,14 +10,11 @@ set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
apt update inst_mongodb
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc
inst_bashclub omada
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
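Review bot: The runtime pins that the removed lines carried — `temurin-8-jre` and the MongoDB 4.4 repository (written, oddly, to a list file named mongodb-org-7.0.list) — are replaced by `default-jre-headless` and a bare `inst_mongodb` call, so the Java and MongoDB versions now come from Debian 13's defaults and from whatever the helper in functions.sh selects, neither of which is visible here. Whether omadac supports those versions should be confirmed before merging; a one-line comment above `inst_mongodb` naming the intended MongoDB major version, and one above the `apt install` line naming the Java version omadac is expected to run on, would record the decision. The dropped `apt update` looks intentional if the helpers refresh the package index themselves, which the piler section below also assumes.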
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+17 -10
@@ -5,24 +5,31 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
#### Set repo and install onlyoffice ####
inst_onlyoffice() {
apt_repo "onlyoffice" "https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE" "https://download.onlyoffice.com/repo/debian" "squeeze" "main"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq ttf-mscorefonts-installer onlyoffice-documentserver
}
ONLYOFFICE_DB_PASS=$(random_password) ONLYOFFICE_DB_PASS=$(random_password)
curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --dearmor | tee /etc/apt/trusted.gpg.d/onlyoffice.gpg >/dev/null inst_postgresql
echo "deb https://download.onlyoffice.com/repo/debian squeeze main" > /etc/apt/sources.list.d/onlyoffice.list
cat > /etc/apt/preferences.d/onlyoffice << EOF #cat > /etc/apt/preferences.d/onlyoffice << EOF
Package: onlyoffice-documentserver #Package: onlyoffice-documentserver
Pin: version 7.1.1-23 #Pin: version 7.1.1-23
Pin-Priority: 900 #Pin-Priority: 900
EOF #EOF
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql rabbitmq-server libstdc++6 supervisor DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq rabbitmq-server libstdc++6 supervisor
su postgres <<EOF su postgres <<EOF
psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';" psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
@@ -36,7 +43,7 @@ echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | d
echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ttf-mscorefonts-installer onlyoffice-documentserver inst_onlyoffice
cat << EOF > /root/onlyoffice.credentials cat << EOF > /root/onlyoffice.credentials
ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
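Review bot: The newly enabled `set -euo pipefail` does not reach into the `su postgres <<EOF` block where `psql -c "CREATE USER ..."` runs: only the last command inside that heredoc determines su's exit status, so a failed CREATE USER would be skipped silently and the onlyoffice-documentserver install would proceed with credentials that do not exist in the database. Either make `set -e` the first line inside that heredoc, or run each statement as its own `su postgres -c 'psql -c "..."'` call so strict mode checks each one. Separately, `inst_onlyoffice` uses `apt-get install` while the rest of this file uses `apt install`; pick one for consistency. The remainder of the su block is outside the hunk.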
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+9 -5
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
@@ -13,10 +15,13 @@ webroot=/var/www/html
LXC_RANDOMPWD=20 LXC_RANDOMPWD=20
MYSQL_PASSWORD="$(random_password)" MYSQL_PASSWORD="$(random_password)"
PHP_VERSION=8.4
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client php php-cli php-fpm php-mysql php-xml php-mbstring php-gd inst_php cli,fpm,mysql,xml,mbstring,gd $PHP_VERSION
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client
mkdir -p /etc/nginx/ssl mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
@@ -39,13 +44,12 @@ server {
index index.php; index index.php;
ssl on;
ssl_certificate /etc/nginx/ssl/open3a.crt; ssl_certificate /etc/nginx/ssl/open3a.crt;
ssl_certificate_key /etc/nginx/ssl/open3a.key; ssl_certificate_key /etc/nginx/ssl/open3a.key;
location ~ .php$ { location ~ .php$ {
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; fastcgi_pass unix:/var/run/php/php${PHP_VERSION}-fpm.sock;
} }
} }
@@ -76,8 +80,8 @@ localhost &%%%&open3a &%%%&$MYSQL_PAS
*/ ?> */ ?>
EOF EOF
systemctl enable --now php8.2-fpm systemctl enable --now php${PHP_VERSION}-fpm
systemctl restart php8.2-fpm nginx systemctl restart php${PHP_VERSION}-fpm nginx
LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6) LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
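Review bot: With `ssl on;` removed from the server block, TLS for this vhost is only enabled if the matching `listen 443 ssl;` directive is present, and that line sits outside the hunk; please confirm it, because without it nginx serves the vhost in plaintext while the ssl_certificate lines are silently ignored. The new `set -euo pipefail` also changes what `LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)` does when eth0 has no IPv4 address: grep exits 1 and the script now aborts without any message instead of continuing with an empty LXC_IP. If aborting is intended, make it explicit and readable: `LXC_IP=$(ip -4 -o addr show dev eth0 | awk '{print $4}')` followed by `[[ -n "$LXC_IP" ]] || { printf 'no IPv4 address on eth0\n' >&2; exit 1; }`.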
+1 -1
@@ -6,7 +6,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
+6 -5
@@ -3,13 +3,14 @@
# Author: # Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de> # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
source zamba.conf set -euo pipefail
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/manticore bookworm main" > /etc/apt/sources.list.d/bashclub-manticore.list inst_bashclub manticore
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/$PILER_BRANCH bookworm main" > /etc/apt/sources.list.d/bashclub-$PILER_BRANCH.list inst_bashclub $PILER_BRANCH
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
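Review bot: `$PILER_BRANCH` on the `inst_bashclub $PILER_BRANCH` line is unquoted, and under the newly added `set -u` an unset value aborts with bash's generic unbound-variable message while an empty value silently calls the helper with no argument. Quote it and assert it up front: `: "${PILER_BRANCH:?PILER_BRANCH must be set before adding the piler repository}"` followed by `inst_bashclub "$PILER_BRANCH"`. The helper itself, including which Debian codename it writes in place of the removed hardcoded bookworm, lives in functions.sh and is not visible here.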
+111
@@ -0,0 +1,111 @@
# PMG-Integration des KI-Rspamd Filters
Diese Anleitung beschreibt, wie das PMG als zentrale Filter-Instanz die Scores deines externen Rspamd-LXC abfragt, visualisiert und gewichtet, ohne die eigene Filterhoheit zu verlieren.
## 1. Architektur-Übersicht
Das PMG fungiert als SMTP-Relay. Der externe Rspamd wird als **Before-Queue Milter** eingebunden. Er verarbeitet die Mail, setzt Header-Attribute und das PMG wertet diese Header innerhalb seines eigenen Regelwerks aus.
---
## 2. Persistente Milter-Anbindung (Updatesicher)
Damit Postfix den Rspamd-LXC anspricht, muss die Konfiguration über das PMG-Template-System erfolgen.
1. **Template-Verzeichnis erstellen:**
```javascript
mkdir -p /etc/pmg/templates
cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/
```
2. **Milter in `main.cf.in` eintragen:** Öffne `/etc/pmg/templates/main.cf.in` und füge am Ende (vor den lokalen Overrides) folgende Zeilen hinzu:
```javascript
smtpd_milters = inet:IP_DEINES_LXC:11332
milter_default_action = accept
milter_protocol = 6
```
3. **Konfiguration generieren:**
```javascript
pmgconfig sync
```
---
## 3. Score-Gewichtung (SpamAssassin-Integration)
Da das PMG-UI keine direkte Punkte-Addition erlaubt, integrieren wir die Rspamd-Ergebnisse direkt in den internen Scan-Prozess. Dies stellt sicher, dass die Scores im **Tracking Center** namentlich auftauchen.
1. **Konfigurationsdatei erstellen:** Erstelle auf dem PMG-Host: `/etc/mail/spamassassin/rspamd_scores.cf`
2. **Regeln definieren:** Kopiere diesen Block in die Datei:
```javascript
# Rspamd Medium (4 - 5.9)
header RSPAMD_MEDIUM X-Rspamd-Score =~ /^([45]\.[0-9]+)/
describe RSPAMD_MEDIUM Rspamd bewertet diese Mail als leicht verdaechtig (4-5.9)
score RSPAMD_MEDIUM 1.5
# Rspamd High (6 - 14.9)
header RSPAMD_HIGH X-Rspamd-Score =~ /^([6-9]|1[0-4])\.[0-9]+/
describe RSPAMD_HIGH Rspamd bewertet diese Mail als Spam (6-14.9)
score RSPAMD_HIGH 4.0
# Rspamd Critical (15+)
header RSPAMD_CRITICAL X-Rspamd-Score =~ /^(1[5-9]|[2-9][0-9]|[1-9][0-9][0-9])\.[0-9]+/
describe RSPAMD_CRITICAL Rspamd (KI/Llama) ist sich absolut sicher: Scam/Betrug (15+)
score RSPAMD_CRITICAL 10.0
```
3. **Dienst neu starten:**
```javascript
systemctl restart pmg-smtp-filter
```
---
## 4. UI-Logik für harte Aktionen (Optional)
Wenn du für extrem hohe Scores (`RSPAMD_CRITICAL`) eine sofortige Quarantäne erzwingen möchtest, kannst du dies im WebUI ergänzen:
1. **What Object:** Erstelle unter *Mail Filter > What Objects* ein **Match Field**.
* **Name:** `Rspamd-Critical-Header`
* **Field:** `X-Rspamd-Score`
* **Value:** `^(1[5-9]|[2-9][0-9])\..*`
2. **Rule:** Erstelle eine Regel mit Priorität **99**.
* **What:** `Rspamd-Critical-Header`
* **Action:** `Quarantine`
---
## 5. Verifizierung & Monitoring
Nach der Integration sollten eingehende E-Mails im PMG Tracking Center detailliert aufgeschlüsselt werden.
* **Live-Log Prüfung:** Überwache die Auswertung der neuen Header live auf der Konsole:
```javascript
tail -f /var/log/mail.log | grep -E "RSPAMD_(MEDIUM|HIGH|CRITICAL)"
```
* **Tracking Center:** In der Detailansicht einer E-Mail unter **Spam Analysis** erscheint nun z. B. der Eintrag: `RSPAMD_HIGH (4.00)`
---
### Wartungshinweise
* **Persistent:** Die `.cf`-Dateien unter `/etc/mail/spamassassin/` bleiben bei PMG-Updates erhalten.
* **Anpassung:** Sollten zu viele False Positives auftreten, senke einfach die `score`-Werte in der `rspamd_scores.cf` und starte den `pmg-smtp-filter` neu.
@@ -8,14 +8,14 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="srv" LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0 # Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K" LXC_MP_RECORDSIZE="128K"
# Create unprivileged container # Create unprivileged container
LXC_UNPRIVILEGED="1" LXC_UNPRIVILEGED="1"
@@ -27,7 +27,7 @@ LXC_NESTING="1"
LXC_KEYCTL="0" LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024 LXC_MEM_MIN=8192
# service dependent meta tags # service dependent meta tags
SERVICE_TAGS="aptly,nginx" SERVICE_TAGS="rspamd,unbound,ollama"
+373
@@ -0,0 +1,373 @@
#!/bin/bash
set -euo pipefail
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
RSPAMD_PASSWORD=$(random_password)
LLM=llama3.1:8b
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y redis-server unbound python3-venv rspamd zstd nginx ssl-cert
# Eine abgeschottete Python-Umgebung in /opt/oletools erstellen
python3 -m venv /opt/oletools
# Oletools innerhalb dieser Umgebung installieren (berührt das System nicht!)
/opt/oletools/bin/pip install oletools python-magic
ln -s /opt/oletools/bin/olevba /usr/local/bin/olevba3
# install olefy servvice
curl -o /usr/local/bin/olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py
chmod +x /usr/local/bin/olefy.py
sed -i "s/addr_re = re.compile('\[\\\[\" \\\]\]')/addr_re = re.compile(r'\[\\\[\" \\\]\]')/g" /usr/local/bin/olefy.py
# olefy Systemd-Service anlegen
cat << 'EOF' > /etc/systemd/system/olefy.service
[Unit]
Description=Olefy Daemon for Rspamd
After=network.target
[Service]
Type=simple
User=nobody
ExecStart=/opt/oletools/bin/python3 /usr/local/bin/olefy.py
Restart=always
[Install]
WantedBy=multi-user.target
EOF
# oletools update
cat << 'EOF' > /usr/local/bin/apt-hook-oletools.sh
#!/bin/bash
# Unterdrücke Standard-Ausgaben, fange aber das Ergebnis auf
UPDATE_OUT=$(/opt/oletools/bin/pip install --upgrade oletools 2>&1)
# Prüfen, ob der Text "Successfully installed" im Output vorkommt
if echo "$UPDATE_OUT" | grep -q "Successfully installed"; then
# Neues Update wurde gefunden und installiert! Dienst neu starten:
systemctl restart olefy
# Einen sauberen Eintrag ins System-Log (syslog) schreiben
logger -t oletools-updater "Neues Oletools Update via APT-Hook installiert. Olefy Dienst neu gestartet."
fi
# Immer erfolgreich beenden (Exit Code 0), damit apt niemals blockiert wird
exit 0
EOF
# Skript ausführbar machen
chmod +x /usr/local/bin/apt-hook-oletools.sh
# apt hook
cat << EOF > /etc/apt/apt.conf.d/99oletools-update
# Automatisches Update von Oletools nach jedem dpkg-Lauf
DPkg::Post-Invoke { "/usr/local/bin/apt-hook-oletools.sh || true"; };
EOF
# download ollama
curl -fsSL https://ollama.com/install.sh | bash 2>/dev/null
# konfiguriere ollama, dass llm dauerhaft geladen bleibt
mkdir -p /etc/systemd/system/ollama.service.d
cat << 'EOF' > /etc/systemd/system/ollama.service.d/override.conf
[Service]
Environment="OLLAMA_KEEP_ALIVE=-1"
EOF
# qwen3 llm herunterladen
ollama pull $LLM
# ollama qwen3 preload service erstellen
cat << EOF > /etc/systemd/system/ollama-preload.service
[Unit]
Description=Preload Qwen3 Model into Ollama
After=ollama.service
Requires=ollama.service
[Service]
Type=oneshot
# Warteschleife: Prüfe im Sekundentakt, ob die API erreichbar ist, bevor wir weitermachen
ExecStartPre=/bin/bash -c 'until curl -s http://127.0.0.1:11434/ > /dev/null; do sleep 1; done'
# Erst wenn der Port antwortet, laden wir das Modell
ExecStart=/usr/bin/curl -s -X POST http://127.0.0.1:11434/api/generate -d '{"model": "$LLM", "keep_alive": -1}'
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
# milter socket für rspamd konfigurieren
cat << EOF > /etc/rspamd/local.d/worker-proxy.inc
# Lausche auf allen Schnittstellen (für das PMG)
bind_socket = "${LXC_IP%/*}:11332";
# Aktiviere explizit das Milter-Protokoll
milter = yes;
EOF
# rspamd an redis anbinden
cat << 'EOF' > /etc/rspamd/local.d/redis.conf
servers = "127.0.0.1";
write_servers = "127.0.0.1";
EOF
# lua script for llm integration
cat << EOF > /etc/rspamd/lua.local.d/ollama_ai.lua
local logger = require "rspamd_logger"
local http = require "rspamd_http"
local ucl = require "ucl"
local function ollama_check(task)
logger.errx(task, "KI-Check: ANALYSE START (Llama-3.1-8B)")
local text_parts = task:get_text_parts()
local email_text = ""
if text_parts then
for _, part in ipairs(text_parts) do
email_text = email_text .. tostring(part:get_content() or "")
end
end
-- Abbruch bei zu kurzen Mails
if #email_text < 15 then
logger.errx(task, "KI-Check: Text zu kurz für Analyse")
return
end
local req_data = {
model = "$LLM",
messages = {
{
role = "system",
content = "You are a cybersecurity analyst. Score the following email for fraud/phishing from 0 to 10. Output ONLY the integer number."
},
{
role = "user",
content = "Rate this content: " .. string.sub(email_text, 1, 1000)
}
},
stream = false,
options = {
num_predict = 5,
temperature = 0.0
}
}
http.request({
task = task,
url = 'http://127.0.0.1:11434/api/chat',
body = ucl.to_format(req_data, 'json'),
timeout = 25.0,
callback = function(err, code, body, headers)
-- Falls der Dienst nicht erreichbar ist
if err or code ~= 200 then
logger.errx(task, "KI-Check: Ollama API Fehler oder Timeout")
return
end
local parser = ucl.parser()
local res, _ = parser:parse_string(body)
if res then
local data = parser:get_object()
local reply = data.message and data.message.content or ""
local score_num = reply:match("%d+")
if score_num then
local score = tonumber(score_num)
logger.errx(task, "KI-Check: Ergebnis erhalten: %s/10", score)
-- 1. Header: Basis-Info (Wird immer gesetzt, wenn KI geantwortet hat)
task:set_milter_reply({
['add_header'] = {['X-AI-Scanner'] = 'Llama-3.1-8B-Verified'}
})
-- 2. Header & Symbol: Nur bei Verdacht (Score >= 7)
if score >= 7 then
task:insert_result('OLLAMA_LLM_FRAUD', 1.0, "Score " .. score .. "/10")
task:set_milter_reply({
['add_header'] = {['X-AI-Fraud-Rating'] = tostring(score) .. '/10'}
})
logger.errx(task, "KI-Check: Symbol und Header gesetzt (Betrugsverdacht)")
end
end
end
end
})
end
rspamd_config:register_symbol({
name = 'OLLAMA_LLM_FRAUD',
callback = ollama_check,
flags = 'async',
score = 6.0,
description = 'AI-based fraud detection using Llama-3.1-8B'
})
EOF
# dns resolver konfigurieren
cat << 'EOF' > /etc/rspamd/local.d/options.inc
dns {
nameserver = ["127.0.0.1"];
}
# Basis-Regeln, die immer gelten müssen
local_addrs = "127.0.0.1";
local_addrs = "::1";
task_timeout = 59s;
# Lade alle Server-spezifischen Dateien (*.conf)
.include(try=true,glob=true) "$LOCAL_CONFDIR/local_addrs.d/*.conf"
EOF
PWHASH=$(rspamadm pw --password "$RSPAMD_PASSWORD")
cat << EOF > /etc/rspamd/local.d/worker-controller.inc
bind_socket = "127.0.0.1:11334";
password = "$PWHASH";
# Basis-Regeln (LXC-interner Zugriff)
secure_ip = "127.0.0.1";
secure_ip = "::1";
secure_ip = "${LXC_IP%/*}";
# Lade alle Server-spezifischen Dateien (*.conf)
.include(try=true,glob=true) "\$LOCAL_CONFDIR/secure_ips.d/*.conf"
EOF
cat << EOF > /etc/rspamd/local.d/actions.conf
# Alle Aktionen, die normalerweise ablehnen würden, auf null setzen
reject = null; # Niemals ablehnen
add_header = 6.0; # Ab diesem Score den X-Spam-Header setzen
greylist = null; # Greylisting deaktivieren (macht PMG schon besser)
rewrite_subject = null;
EOF
cat << EOF > /etc/rspamd/local.d/milter_headers.conf
# Diese Header werden für jede Mail geschrieben
use = ["spam-header", "symbols", "score"];
header_names {
"spam-header" = "X-Spam-Flag";
"symbols" = "X-Rspamd-Symbols";
"score" = "X-Rspamd-Score";
}
# Fügt den Score immer hinzu, egal wie hoch er ist
skip_local = false;
extended_symbols = true;
EOF
# oletools aktivieren
cat << 'EOF' > /etc/rspamd/local.d/oletools.conf
enabled = true;
servers = "127.0.0.1:10050"; # Standard-Port von olefy
EOF
# learning aktivieren
cat << 'EOF' > /etc/rspamd/local.d/classifier-ham-spam.conf
# Nutze Redis als Backend für gelerntes Wissen
backend = "redis";
# Erlaube das Lernen (wichtig für deine Mailcows!)
autolearn = true;
EOF
# betreffzeilen anzeigen
cat << 'EOF' > /etc/rspamd/local.d/history_redis.conf
# Speichere die letzten Mail-Logs in Redis für die WebUI
subject_privacy = false; # Zeigt Betreffzeilen im Dashboard an (hilfreich für MSPs)
EOF
# set include for local modules
cat << 'EOF' > /etc/rspamd/local.d/groups.conf
# Lade alle Symbol-Definitionen aus dem scores.d Verzeichnis
.include(try=true,glob=true) "$LOCAL_CONFDIR/scores.d/*.conf"
EOF
# create folder for trusted addresses
mkdir -p /etc/rspamd/local.d/local_addrs.d
mkdir -p /etc/rspamd/local.d/secure_ips.d
# persistenz in redis aktivieren
sed -i 's/appendonly no/appendonly yes/g' /etc/redis/redis.conf
sed -i 's/^#\? \?appendfsync .*/appendfsync everysec/g' /etc/redis/redis.conf
# nginx konfigurieren
mkdir -p /etc/nginx/ssl
# Symlinks auf Snakeoil (Pfade ggf. anpassen, falls ssl-cert nicht installiert ist)
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
# Starke Diffie-Hellman Parameter generieren (wichtig!)
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# generiere config
cat << EOF > /etc/nginx/sites-available/rspamd_proxy
# HTTP - Redirect auf HTTPS
server {
listen 80;
listen [::]:80;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
return 301 https://\$host\$request_uri;
}
# HTTPS - Sicherer Proxy
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $LXC_HOSTNAME.$LXC_DOMAIN;
# Zertifikate
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# TLS Sicherheit nach Stand der Technik (Modern)
ssl_protocols TLSv1.3; # TLS 1.2 entfernt für maximale Sicherheit
ssl_prefer_server_ciphers off;
# Security Headers
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
# Proxy-Einstellungen
location / {
proxy_pass http://127.0.0.1:11334; # Dein Rspamd Controller/UI
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
# Wichtig für lange KI-Analysen
proxy_read_timeout 120s;
proxy_connect_timeout 120s;
# Optional: Zusätzlicher Schutz auf Nginx-Ebene
# allow 1.2.3.4; # Deine Admin IP
# deny all;
}
}
EOF
ln -s /etc/nginx/sites-available/rspamd_proxy /etc/nginx/sites-enabled/
nginx -t
# dienste aktivieren
systemctl daemon-reload
systemctl enable --now unbound olefy ollama ollama-preload.service
systemctl restart redis-server rspamd nginx
echo "Your rspamd instance setup is finished!"
echo "Please visit http://${LXC_IP%/*}:11334/"
echo "rspamd password is: $RSPAMD_PASSWORD"
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
+8 -8
@@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
set -euo pipefail
# Authors: # Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de> # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
@@ -9,16 +11,14 @@ source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
cat << EOF > /etc/apt/sources.list.d/pbs-no-subscription.list #### Set repo and install onlyoffice ####
# PBS pbs-no-subscription repository provided by proxmox.com, inst_pbs() {
# NOT recommended for production use apt_repo "proxmox" "https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg" "http://download.proxmox.com/debian/pbs" "trixie" "pbs-no-subscription"
deb http://download.proxmox.com/debian/pbs $(lsb_release -cs) pbs-no-subscription
EOF
wget -q -O - https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg >/dev/null
apt update && apt upgrade -y apt update && apt upgrade -y
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
}
inst_pbs
proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
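Review bot: The new `apt_repo "proxmox" ...` call in `inst_pbs` hard-codes the `trixie` suite (and the matching `proxmox-release-trixie.gpg` key name) while the container's Debian release is chosen by `LXC_TEMPLATE_VERSION` in constants-service.conf, so the two can drift silently; the removed lines derived the suite from `$(lsb_release -cs)`, which the zabbix installers in this same commit still do. Consider `codename=$(lsb_release -cs)` followed by `apt_repo "proxmox" "https://enterprise.proxmox.com/debian/proxmox-release-${codename}.gpg" "https://download.proxmox.com/debian/pbs" "$codename" "pbs-no-subscription"` so key, suite and template move together (confirm `apt_repo`, defined in functions.sh outside this view, takes the arguments in that order). The repository URL is plain `http://` — apt's Release signature still protects integrity, but if the mirror serves HTTPS there is no reason to leave the index fetch observable. The unquoted `$PBS_DATA` and `$LXC_SHAREFS_MOUNTPOINT` on the `datastore create` line are unchanged context but now run under the newly added `set -euo pipefail`, so an empty value fails loudly rather than creating a wrong path.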
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+4 -3
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
@@ -12,13 +14,12 @@ source /root/constants-service.conf
mkdir /opt/rei3 mkdir /opt/rei3
wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3 wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgres.gpg inst_postgresql
echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql imagemagick ghostscript postgresql-client DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends imagemagick ghostscript
timedatectl set-timezone ${LXC_TIMEZONE} timedatectl set-timezone ${LXC_TIMEZONE}
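Review bot: `wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3` unpacks an unpinned upstream binary straight from the network with no checksum or signature check, and the `set -euo pipefail` this commit adds only guarantees that a failed download aborts, not that the expected bytes arrived. If upstream publishes a digest, download to a file and verify it before extracting, e.g. `wget -O /tmp/rei3.tgz "$REI3_URL" && echo "$REI3_SHA256  /tmp/rei3.tgz" | sha256sum -c -`, keeping the version and digest in constants-service.conf; failing that, at least use a versioned URL instead of `latest` so container builds are reproducible. `inst_postgresql` is called here without a version argument while the zabbix installers in this commit pass `$POSTGRES_VERSION` — confirm the helper in functions.sh (outside this view) has a sensible default. `mkdir /opt/rei3` without `-p` will now abort a re-run under strict mode.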
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+8 -6
@@ -11,12 +11,14 @@ source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
wget -O - https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg inst_unifi() {
wget -O - https://dl.ubnt.com/unifi/unifi-repo.gpg | gpg --dearmor > /usr/share/keyrings/unifi.gpg apt_repo "unifi" "https://dl.ubnt.com/unifi/unifi-repo.gpg" "http://www.ui.com/downloads/unifi/debian" "stable" "ubiquiti"
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unifi
}
echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list inst_mongodb
echo "deb [ signed-by=/usr/share/keyrings/unifi.gpg ] http://www.ui.com/downloads/unifi/debian stable ubiquiti" > /etc/apt/sources.list.d/unifi.list
apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless unifi inst_unifi
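Review bot: The new `inst_unifi` registers the package repository over plain `http://www.ui.com/downloads/unifi/debian` while fetching the signing key on the same line over HTTPS; apt still verifies the Release signature, but the index fetch is observable and blockable, and if the host serves HTTPS the third argument should simply be `"https://www.ui.com/downloads/unifi/debian"` (the removed line had the same URL, so this is a missed opportunity rather than a regression). `inst_mongodb` is now called without a version where the removed lines pinned MongoDB 7.0 for bookworm; the UniFi Network application supports only a narrow MongoDB range, so confirm that the version the helper in functions.sh (outside this view) installs on trixie is one UniFi accepts, and consider passing it explicitly, e.g. `inst_mongodb 7.0`, if the helper takes an argument.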
+2 -2
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
URBACKUP_DATA="urbackup" URBACKUP_DATA="urbackup"
# OS codename for opensuse / urbackup repo # OS codename for opensuse / urbackup repo
REPO_CODENAME="Debian_12" REPO_CODENAME="Debian_13"
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024 LXC_MEM_MIN=1024
+10 -6
@@ -5,10 +5,14 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
set -euo pipefail
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
mkdir -p /etc/urbackup mkdir -p /etc/urbackup
@@ -18,10 +22,11 @@ echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/
curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" urbackup-server nginx DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" ssl-cert urbackup-server nginx
mkdir -p /etc/nginx/ssl install -d -m 0750 -o root -g root /etc/nginx/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/urbackup.key -out /etc/nginx/ssl/urbackup.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN" ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
ln -s /usr/share/urbackup/www /var/www/urbackup ln -s /usr/share/urbackup/www /var/www/urbackup
@@ -44,9 +49,8 @@ server {
index index.htm; index index.htm;
ssl on; ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate /etc/nginx/ssl/urbackup.crt; ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_certificate_key /etc/nginx/ssl/urbackup.key;
location /x { location /x {
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
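Review bot: The two new symlinks `ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem` and `ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem` lack `-f`, so with the `set -euo pipefail` this commit adds at the top of the file, a re-run (or a pre-existing `/etc/nginx/ssl`) aborts the installer right here; the zammad installer in the same commit uses `ln -sf` for the identical links, so use `ln -sf` here as well. Separately, the removed `openssl req` line produced a per-host certificate with `subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN`, whereas the snakeoil pair is whatever `ssl-cert` generated at package install time — if it carries no SAN for the FQDN (presumably; check with `openssl x509 -noout -text`), clients that pinned the old self-signed cert by name will now see a mismatch, so either run `make-ssl-cert generate-default-snakeoil --force-overwrite` after the hostname is final or keep the explicit `openssl req`. If the second `set -euo pipefail` after the `source` lines is also on the new side, one of the two is redundant.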
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+8 -1
@@ -5,13 +5,17 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
admin_token=$(openssl rand -base64 48) admin_token=$(openssl rand -base64 48)
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert inst_postgresql
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx git ssl-cert
systemctl enable --now postgresql systemctl enable --now postgresql
@@ -149,6 +153,9 @@ server {
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000; proxy_pass http://127.0.0.1:8000;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
} }
} }
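Review bot: The added `proxy_set_header Connection "upgrade";` is unconditional, so every proxied request to `127.0.0.1:8000` — not only WebSocket handshakes — now carries `Connection: upgrade`, which defeats upstream keep-alive and which some backends treat as a protocol-upgrade request. The usual nginx pattern is `map \$http_upgrade \$connection_upgrade { default upgrade; '' close; }` in the `http` context and `proxy_set_header Connection \$connection_upgrade;` in this `location` (keeping the `\$` escaping this heredoc already uses for nginx variables). The `server` block this `location` belongs to starts outside the hunk.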
+31
@@ -0,0 +1,31 @@
#!/bin/bash
# Authors:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=8192
# service dependent meta tags
SERVICE_TAGS="opensearch"
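Review bot: `LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch"` and `LXC_MP_RECORDSIZE="16K"` are set while `LXC_MP=0` disables the sharefs mountpoint, so as written both values are dead and a reader will assume the index data lands on a dedicated dataset when it does not; either set `LXC_MP=1` or drop the two settings, and add a comment stating which was intended. This file arrives with the "add wazuh container" commit yet carries `SERVICE_TAGS="opensearch"` and a 2024 copyright line — if it is the Wazuh constants file (the path is not visible here, so this is an inference), the tag looks like a copy-paste leftover and should be `SERVICE_TAGS="wazuh"`.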
+24
@@ -0,0 +1,24 @@
#!/bin/bash
# Author:
# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
WAZUH_VERSION=4.14
REG_PASS=$(random_password)
curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null
sed -i "s|<use_password>no</use_password>|<use_password>yes</use_password>|" /var/ossec/etc/ossec.conf
echo "$REG_PASS" > /var/ossec/etc/authd.pass
chmod 640 /var/ossec/etc/authd.pass
chown root:wazuh /var/ossec/etc/authd.pass
systemctl restart wazuh-manager
echo "Please use the following password for agent registration: $REG_PASS"
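Review bot: `curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null` executes whatever the download returned: without `-f`, curl exits 0 on an HTTP error and the resulting error page is handed to bash, and `2>/dev/null` then hides the installer's diagnostics (under `set -euo pipefail` the failure still aborts the script, but silently). Use `curl -fsSL -o wazuh-install.sh "https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh"`, drop the `2>/dev/null`, and verify a checksum or signature before running if upstream publishes one; `-i` also bypasses the installer's own resource checks, which deserves a comment if it is intentional for small LXCs. The all-in-one installer presumably prints the generated dashboard/indexer credentials to stdout, and the final `echo` prints `$REG_PASS` as well, so anything that captures this script's output (a Proxmox task log, a CI job) will contain the secrets — consider writing them to a root-only file instead.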
+3 -3
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
@@ -42,8 +42,8 @@ ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed # Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)" ZABBIX_DB_PWD="$(random_password)"
ZABBIX_VERSION=7.0 #zabbix 7 beta ZABBIX_VERSION=7.4 #zabbix 7 beta
POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096 LXC_MEM_MIN=4096
+7 -4
@@ -11,13 +11,14 @@ source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main" apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt update apt update
inst_postgresql $POSTGRES_VERSION
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION postgresql-client zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
timedatectl set-timezone ${LXC_TIMEZONE} timedatectl set-timezone ${LXC_TIMEZONE}
@@ -29,7 +30,7 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created." echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF EOF
cat /usr/share/zabbix-sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME} cat /usr/share/zabbix/sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
@@ -53,6 +54,8 @@ sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
systemctl enable zabbix-proxy zabbix-agent2 systemctl enable zabbix-proxy zabbix-agent2
systemctl restart zabbix-proxy zabbix-agent2 systemctl restart zabbix-proxy zabbix-agent2
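Review bot: The new `mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off` is unconditional; if the plugin file is absent (a different `zabbix-agent2-plugin-*` set, or a re-run after the rename has already happened) `mv` fails and, assuming this file runs under `set -euo pipefail` like the other installers in this commit (the top of the file is outside the hunk), the installer aborts just before `systemctl enable zabbix-proxy zabbix-agent2`. Guard it — `if [[ -f /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf ]]; then mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off; fi` — and add a one-line comment saying why the NVIDIA plugin is disabled (no GPU inside an LXC is the plausible reason, but it should be stated).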
+5 -5
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
@@ -42,10 +42,10 @@ ZABBIX_DB_USR="zabbix"
# Build a strong password for the SQL user - could be overwritten with something fixed # Build a strong password for the SQL user - could be overwritten with something fixed
ZABBIX_DB_PWD="$(random_password)" ZABBIX_DB_PWD="$(random_password)"
ZABBIX_VERSION=7.0 #zabbix 7 beta ZABBIX_VERSION=7.4 #zabbix 7 beta
POSTGRES_VERSION=16 #postgres repo, latest release (2024-05-13) POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13)
PHP_VERSION=8.2 # debian 12 default PHP_VERSION=8.4 # debian 12 default
TS_VERSION=2.14.2 # currently latest by zabbix supported version of timescaledb (2024-05-13) TS_VERSION=2.23.0 # currently latest by zabbix supported version of timescaledb (2024-05-13)
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=4096 LXC_MEM_MIN=4096
+11 -8
@@ -11,14 +11,15 @@ source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/debian/ $(lsb_release -cs) main" apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/" "$(lsb_release -cs)" "main"
apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/ $(lsb_release -c -s) main" inst_postgresql ${POSTGRES_VERSION}
inst_php pgsql,fpm $PHP_VERSION
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends postgresql-$POSTGRES_VERSION timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION postgresql-client timescaledb-tools nginx php$PHP_VERSION-pgsql php$PHP_VERSION-fpm zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION timescaledb-tools nginx zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
unlink /etc/nginx/sites-enabled/default unlink /etc/nginx/sites-enabled/default
@@ -216,18 +217,20 @@ psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNE
echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created." echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
EOF EOF
sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php #sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME} zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
systemctl restart postgresql systemctl restart postgresql
echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
cat /usr/share/zabbix-sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME} cat /usr/share/zabbix/sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.conf echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.d/dbpassword.conf
mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
generate_dhparam generate_dhparam
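Review bot: `echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.d/dbpassword.conf` creates the file under the shell's default umask (typically world-readable 0644) and assumes `/etc/zabbix/zabbix_server.d/` already exists and is included by `zabbix_server.conf`; the line it replaces appended to `zabbix_server.conf` itself, whose mode the package controls. Create the file with explicit ownership first — `install -d -m 0750 -o root -g zabbix /etc/zabbix/zabbix_server.d` and `install -m 0640 -o root -g zabbix /dev/null /etc/zabbix/zabbix_server.d/dbpassword.conf` — then append, and confirm the packaged `zabbix_server.conf` on trixie has an active `Include=/etc/zabbix/zabbix_server.d/*.conf` (not visible here). The unconditional `mv ... nvidia.off` added below it will abort a re-run if this file runs under strict mode, same as in the zabbix-proxy installer in this commit.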
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
+10 -7
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
@@ -39,15 +41,16 @@ ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \ echo "Customizing nginx configuration..."
-e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \ sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
-e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \ -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
-e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \ -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
-e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \ -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
-e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
-e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
/opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/ ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
# configure elasticsearch # configure elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment /usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
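Review bot: The new `sed` expressions build their match patterns from `$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)` and friends, and `grep -m1 ssl_certificate` matches the first line containing that substring — if `ssl_certificate_key` (or a comment mentioning it) precedes `ssl_certificate` in upstream's file, the expression order rewrites the key line into a second `ssl_certificate` directive and leaves no key at all; the grep output is also used as a regex, not a literal, so any `|` in the matched line breaks the `s|…|…|` delimiter. Anchor each grep on the directive as a word, e.g. `grep -m1 -E '^\s*ssl_certificate\s' …` and `grep -m1 -E '^\s*ssl_certificate_key\s' …`, or drop the sed approach and write the server block from a heredoc as the rspamd and urbackup installers in this commit do. An empty grep result makes sed fail on an empty regex, which under the added `set -euo pipefail` correctly aborts the installer — worth a comment so that failure is recognisable when upstream reshuffles the template.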
+1 -13
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=0 LXC_MP=0
@@ -26,18 +26,6 @@ LXC_NESTING="1"
# enable keyctl feature # enable keyctl feature
LXC_KEYCTL="0" LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024 LXC_MEM_MIN=1024
+30 -75
@@ -5,37 +5,21 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages # update packages
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages # install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
mkdir -p /etc/chrony/conf.d mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d mkdir -p /etc/systemd/system/chrony.service.d
@@ -62,57 +46,6 @@ allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | r
ntpsigndsocket /var/lib/samba/ntp_signd ntpsigndsocket /var/lib/samba/ntp_signd
EOF EOF
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
mv /etc/krb5.conf /etc/krb5.conf.bak mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF cat > /etc/krb5.conf <<EOF
[libdefaults] [libdefaults]
@@ -124,9 +57,28 @@ cat > /etc/krb5.conf <<EOF
EOF EOF
# stop + disable samba services and remove default config # stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1 systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
rm -f /etc/samba/smb.conf rm -f /etc/samba/smb.conf
echo "fixing samba service to wait for lxc being online"
install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
[Unit]
After=networking.service
Wants=networking.service
[Service]
# Wait up to 30s for eth0 to get an IPv4 address
ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
Restart=on-failure
RestartSec=3
EOF
systemctl daemon-reload
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
@@ -160,7 +112,10 @@ ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
systemctl unmask samba-ad-dc systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES systemctl restart samba-ad-dc
bash /root/zmb-ad_auto-map-root.sh
chmod +x /usr/bin/create-service-account
# configure ad backup # configure ad backup
cat << EOF > /usr/local/bin/smb-backup cat << EOF > /usr/local/bin/smb-backup
@@ -168,7 +123,7 @@ cat << EOF > /usr/local/bin/smb-backup
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0 rc=0
keep=$1 keep=\$1
if \$1 ; then if \$1 ; then
keep=\$1 keep=\$1
fi fi
@@ -205,7 +160,7 @@ EOF
chmod +x /usr/local/bin/smb-backup chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF EOF
cat << EOF > /etc/logrotate.d/smb-backup cat << EOF > /etc/logrotate.d/smb-backup
+1 -13
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
@@ -26,18 +26,6 @@ LXC_NESTING="1"
# enable keyctl feature # enable keyctl feature
LXC_KEYCTL="0" LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024 LXC_MEM_MIN=1024
+34 -86
@@ -5,38 +5,20 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages # update packages
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages # install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc wsdd2
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
echo "configuring chrony"
mkdir -p /etc/chrony/conf.d mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d mkdir -p /etc/systemd/system/chrony.service.d
@@ -61,72 +43,35 @@ server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev) allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd ntpsigndsocket /var/lib/samba/ntp_signd
EOF EOF
echo "disabling services"
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
# stop + disable samba services and remove default config # stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1 systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
rm -f /etc/samba/smb.conf rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf rm -f /etc/krb5.conf
# provision zamba domain echo "fixing samba service to wait for lxc being online"
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
[Unit]
After=networking.service
Wants=networking.service
[Service]
# Wait up to 30s for eth0 to get an IPv4 address
ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
Restart=on-failure
RestartSec=3
EOF
systemctl daemon-reload
echo "provisioning domain"
# provision zamba domain
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL
echo "provosioning finished"
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
# disable password expiry for administrator # disable password expiry for administrator
@@ -134,7 +79,10 @@ samba-tool user setexpiry Administrator --noexpiry
systemctl unmask samba-ad-dc systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES systemctl restart samba-ad-dc
bash /root/zmb-ad_auto-map-root.sh
chmod +x /usr/bin/create-service-account
# configure ad backup # configure ad backup
cat << EOF > /usr/local/bin/smb-backup cat << EOF > /usr/local/bin/smb-backup
@@ -176,7 +124,7 @@ EOF
chmod +x /usr/local/bin/smb-backup chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF EOF
cat << EOF > /etc/logrotate.d/smb-backup cat << EOF > /etc/logrotate.d/smb-backup
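Review bot: `systemctl disable --now smbd nmbd winbind > /dev/null 2>&1` in the "disabling services" hunk now runs under the `set -euo pipefail` added at the top of this file, so if disabling any of those units fails the script aborts with its only diagnostic already discarded; either drop the redirect or make the best-effort explicit with `systemctl disable --now smbd nmbd winbind > /dev/null 2>&1 || true`. The `samba-tool domain provision` call still hands the admin password over as an unquoted command-line argument (`--adminpass=$ZMB_ADMIN_PASS`), so it is word-split by the shell and readable from the process list for the duration of the call; at minimum quote it, `--adminpass="$ZMB_ADMIN_PASS"`, and keep `set -x` off around this line. The `ExecStartPre` drop-in hard-codes `eth0`, so on a container whose interface has another name samba-ad-dc would fail its pre-start check and loop on `Restart=on-failure`; consider deriving the name from the configured interface or at least extending the drop-in comment to state that `eth0` is assumed. The new-side `echo "provosioning finished"` also carries a typo ("provisioning").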
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
+8 -6
@@ -5,6 +5,8 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
@@ -14,7 +16,7 @@ source /root/constants-service.conf
apt update apt update
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd2
mv /etc/krb5.conf /etc/krb5.conf.bak mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF cat > /etc/krb5.conf <<EOF
@@ -96,15 +98,15 @@ systemctl restart winbind nmbd
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers} mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers chown -R root:"${ZMB_DOMAIN_ADMINS@L}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}" echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS@L}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
systemctl disable --now cups-browsed.service systemctl disable --now cups-browsed.service
cupsctl --remote-admin cupsctl --remote-admin
systemctl restart cups smbd nmbd winbind wsdd systemctl restart cups smbd nmbd winbind wsdd2
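Review bot: `echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant …` feeds the password through `echo -e`, which interprets backslash sequences, so a password containing `\n`, `\t` or `\\` is altered before it reaches `net`; use `printf '%s\n' "${ZMB_ADMIN_PASS}" | net rpc rights grant …` here, and the same replacement applies to the `echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER` lines in the member-server and DC-join scripts of this commit. The two `setfacl` lines widen the "other" entry on printerdrivers from `o::---` to `o::r-x` for both the access and the default ACL; if this is intended to match the existing `chmod -R 2775` and make drivers readable to every client, a one-line comment saying so (`# drivers must be world-readable for point-and-print`) keeps the next reader from tightening it again, otherwise `o::---` should stay. `${ZMB_DOMAIN_ADMINS@L}` needs bash 5.1 or newer and, with `set -u` now enabled, an unset `ZMB_DOMAIN_ADMINS` in zamba.conf aborts the script at its first use with a bare unbound-variable error; a guard such as `: "${ZMB_DOMAIN_ADMINS:?must be set in zamba.conf}"` after the `source` lines gives a clear message instead.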
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
+23 -14
@@ -5,16 +5,15 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
# echo "deb http://ftp.halifax.rwth-aachen.de/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
apt update apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
mv /etc/krb5.conf /etc/krb5.conf.bak mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF cat > /etc/krb5.conf <<EOF
@@ -26,9 +25,6 @@ cat > /etc/krb5.conf <<EOF
renew_lifetime = 7d renew_lifetime = 7d
EOF EOF
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
klist
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
cat > /etc/samba/smb.conf <<EOF cat > /etc/samba/smb.conf <<EOF
[global] [global]
@@ -75,8 +71,12 @@ cat > /etc/samba/smb.conf <<EOF
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\} shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
shadow: delimiter = -20 shadow: delimiter = -20
EOF
IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}" ; do
cat >> /etc/samba/smb.conf << EOF
[$ZMB_SHARE] [$ZMB_SHARE]
comment = Main Share
path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
read only = No read only = No
create mask = 0660 create mask = 0660
@@ -84,6 +84,10 @@ cat > /etc/samba/smb.conf <<EOF
inherit acls = Yes inherit acls = Yes
EOF EOF
done
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
klist
systemctl restart smbd systemctl restart smbd
@@ -96,12 +100,17 @@ systemctl restart winbind nmbd
wbinfo -u wbinfo -u
wbinfo -g wbinfo -g
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE unset ZMB_SHARE
# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins' for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE do
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
systemctl restart smbd nmbd winbind wsdd setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
done
systemctl restart smbd nmbd winbind
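Review bot: `IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"` splits on commas only, so a value such as `share1, share2` or a stray `,,` produces elements with a leading space or an empty string, and the two loops then create `/$LXC_SHAREFS_MOUNTPOINT/ share2` or `/$LXC_SHAREFS_MOUNTPOINT/`, write `[ share2]` / `[]` sections into smb.conf, and run the recursive `chown`/`setfacl` against the mountpoint root for the empty element. Both loop bodies should start with `[[ -n "$ZMB_SHARE" ]] || continue`, and either trim surrounding whitespace or document the format above the `read` line, e.g. `# ZMB_SHARES: comma-separated share names, no spaces`; the share loop added to the cockpit/45drives script in this commit has the same gap. As a point of style, the second loop puts `do` on its own line while the first uses `; do` — pick one form for the file. The loop bodies continue to rely on `ZMB_DOMAIN_ADMINS` being set, which `set -u` now turns into an abort if zamba.conf lacks it.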
+1 -1
@@ -8,7 +8,7 @@
# This file contains the project constants on service level # This file contains the project constants on service level
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard" LXC_TEMPLATE_VERSION="debian-13-standard"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP=1 LXC_MP=1
+18 -19
@@ -5,26 +5,21 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc inst_45drives
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd2
apt update
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
#DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}') USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
echo "$USER:$ZMB_ADMIN_PASS" | chpasswd echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
smbpasswd -x $USER smbpasswd -x $USER || true
(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER (echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
usermod -aG sudo $USER usermod -aG sudo $USER
@@ -65,14 +60,18 @@ EOF
net conf import /etc/samba/import.template net conf import /etc/samba/import.template
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE do
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
net conf setparm $ZMB_SHARE readonly no net conf setparm $ZMB_SHARE readonly no
net conf setparm $ZMB_SHARE browseable yes net conf setparm $ZMB_SHARE browseable yes
net conf setparm $ZMB_SHARE createmask 0660 net conf setparm $ZMB_SHARE createmask 0660
net conf setparm $ZMB_SHARE directorymask 0770 net conf setparm $ZMB_SHARE directorymask 0770
done
systemctl restart smbd nmbd wsdd systemctl restart smbd nmbd wsdd2